@nest-boot/row-level-security 7.0.0 → 7.2.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/enums/row-level-security-role.enum.d.ts +7 -0
- package/dist/enums/row-level-security-role.enum.js +12 -0
- package/dist/enums/row-level-security-role.enum.js.map +1 -0
- package/dist/index.d.ts +3 -2
- package/dist/index.js +3 -2
- package/dist/index.js.map +1 -1
- package/dist/index.spec.js +6 -14
- package/dist/index.spec.js.map +1 -1
- package/dist/interfaces/index.d.ts +0 -1
- package/dist/interfaces/index.js +0 -1
- package/dist/interfaces/index.js.map +1 -1
- package/dist/interfaces/policy-options.interface.d.ts +2 -2
- package/dist/interfaces/policy-sql-options.interface.d.ts +2 -2
- package/dist/row-level-security-driver.d.ts +15 -0
- package/dist/row-level-security-driver.js +136 -0
- package/dist/row-level-security-driver.js.map +1 -0
- package/dist/row-level-security-driver.spec.js +267 -0
- package/dist/row-level-security-driver.spec.js.map +1 -0
- package/dist/row-level-security-migration-generator.d.ts +1 -0
- package/dist/row-level-security-migration-generator.js +39 -8
- package/dist/row-level-security-migration-generator.js.map +1 -1
- package/dist/row-level-security-migration-generator.spec.js +181 -10
- package/dist/row-level-security-migration-generator.spec.js.map +1 -1
- package/dist/row-level-security-migration.d.ts +2 -4
- package/dist/row-level-security-migration.js +9 -7
- package/dist/row-level-security-migration.js.map +1 -1
- package/dist/row-level-security-migration.spec.js +7 -16
- package/dist/row-level-security-migration.spec.js.map +1 -1
- package/dist/row-level-security.d.ts +29 -0
- package/dist/row-level-security.js +69 -0
- package/dist/row-level-security.js.map +1 -0
- package/dist/row-level-security.spec.js +52 -0
- package/dist/row-level-security.spec.js.map +1 -0
- package/dist/tsconfig.build.tsbuildinfo +1 -1
- package/dist/utils/create-policy-bootstrap-sql-statements.d.ts +1 -1
- package/dist/utils/create-policy-bootstrap-sql-statements.js +1 -7
- package/dist/utils/create-policy-bootstrap-sql-statements.js.map +1 -1
- package/dist/utils/create-policy-privilege-down-sql-statements.d.ts +8 -0
- package/dist/utils/create-policy-privilege-down-sql-statements.js +93 -0
- package/dist/utils/create-policy-privilege-down-sql-statements.js.map +1 -0
- package/dist/utils/create-policy-role-sql-statements.d.ts +6 -0
- package/dist/utils/create-policy-role-sql-statements.js +48 -0
- package/dist/utils/create-policy-role-sql-statements.js.map +1 -0
- package/dist/utils/create-policy-up-sql-statements.js +8 -2
- package/dist/utils/create-policy-up-sql-statements.js.map +1 -1
- package/dist/utils/create-row-level-security-transaction-setup.d.ts +20 -0
- package/dist/utils/create-row-level-security-transaction-setup.js +53 -0
- package/dist/utils/create-row-level-security-transaction-setup.js.map +1 -0
- package/dist/utils/index.d.ts +2 -3
- package/dist/utils/index.js +2 -3
- package/dist/utils/index.js.map +1 -1
- package/dist/utils/policy-migration-sql.spec.js +125 -7
- package/dist/utils/policy-migration-sql.spec.js.map +1 -1
- package/package.json +4 -4
- package/dist/interfaces/row-level-security-options.interface.d.ts +0 -18
- package/dist/interfaces/row-level-security-options.interface.js +0 -3
- package/dist/interfaces/row-level-security-options.interface.js.map +0 -1
- package/dist/row-level-security-context.d.ts +0 -14
- package/dist/row-level-security-context.js +0 -38
- package/dist/row-level-security-context.js.map +0 -1
- package/dist/row-level-security-context.spec.js +0 -29
- package/dist/row-level-security-context.spec.js.map +0 -1
- package/dist/row-level-security-entity-manager.d.ts +0 -22
- package/dist/row-level-security-entity-manager.js +0 -135
- package/dist/row-level-security-entity-manager.js.map +0 -1
- package/dist/row-level-security-entity-manager.spec.js +0 -200
- package/dist/row-level-security-entity-manager.spec.js.map +0 -1
- package/dist/tsconfig.tsbuildinfo +0 -1
- package/dist/utils/default-row-level-security-options.d.ts +0 -3
- package/dist/utils/default-row-level-security-options.js +0 -9
- package/dist/utils/default-row-level-security-options.js.map +0 -1
- package/dist/utils/get-row-level-security-options.d.ts +0 -8
- package/dist/utils/get-row-level-security-options.js +0 -9
- package/dist/utils/get-row-level-security-options.js.map +0 -1
- package/dist/utils/policy-sql-options.d.ts +0 -12
- package/dist/utils/policy-sql-options.js +0 -3
- package/dist/utils/policy-sql-options.js.map +0 -1
- package/dist/utils/row-level-security-options-state.d.ts +0 -4
- package/dist/utils/row-level-security-options-state.js +0 -8
- package/dist/utils/row-level-security-options-state.js.map +0 -1
- package/dist/utils/set-row-level-security-options.d.ts +0 -3
- package/dist/utils/set-row-level-security-options.js +0 -13
- package/dist/utils/set-row-level-security-options.js.map +0 -1
- /package/dist/{row-level-security-context.spec.d.ts → row-level-security-driver.spec.d.ts} +0 -0
- /package/dist/{row-level-security-entity-manager.spec.d.ts → row-level-security.spec.d.ts} +0 -0
|
@@ -1,2 +1,2 @@
|
|
|
1
|
-
/** Creates SQL statements for shared RLS
|
|
1
|
+
/** Creates SQL statements for the shared RLS schema and `app.get_context` helper. */
|
|
2
2
|
export declare function createPolicyBootstrapSqlStatements(): string[];
|
|
@@ -1,16 +1,10 @@
|
|
|
1
1
|
"use strict";
|
|
2
2
|
Object.defineProperty(exports, "__esModule", { value: true });
|
|
3
3
|
exports.createPolicyBootstrapSqlStatements = createPolicyBootstrapSqlStatements;
|
|
4
|
-
/** Creates SQL statements for shared RLS
|
|
4
|
+
/** Creates SQL statements for the shared RLS schema and `app.get_context` helper. */
|
|
5
5
|
function createPolicyBootstrapSqlStatements() {
|
|
6
6
|
return [
|
|
7
|
-
"do $$ begin if not exists (select 1 from pg_roles where rolname = 'authenticated') then create role authenticated nologin; end if; end $$;",
|
|
8
|
-
"do $$ begin if not exists (select 1 from pg_roles where rolname = 'anonymous') then create role anonymous nologin; end if; end $$;",
|
|
9
|
-
"grant authenticated to current_user;",
|
|
10
|
-
"grant anonymous to current_user;",
|
|
11
7
|
"create schema if not exists app;",
|
|
12
|
-
"grant usage on schema app to authenticated;",
|
|
13
|
-
"grant usage on schema app to anonymous;",
|
|
14
8
|
"create or replace function app.get_context(context_key text, context_type anyelement) returns anyelement as $$ declare context_value text; begin context_value := current_setting('app.' || context_key, true); if context_value is null or context_value = '' then return null; end if; execute format('select $1::%s', pg_typeof(context_type)::text) using context_value into context_type; return context_type; end; $$ language plpgsql stable;",
|
|
15
9
|
];
|
|
16
10
|
}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"create-policy-bootstrap-sql-statements.js","sourceRoot":"","sources":["../../src/utils/create-policy-bootstrap-sql-statements.ts"],"names":[],"mappings":";;AACA,
|
|
1
|
+
{"version":3,"file":"create-policy-bootstrap-sql-statements.js","sourceRoot":"","sources":["../../src/utils/create-policy-bootstrap-sql-statements.ts"],"names":[],"mappings":";;AACA,gFAKC;AAND,qFAAqF;AACrF,SAAgB,kCAAkC;IAChD,OAAO;QACL,kCAAkC;QAClC,sbAAsb;KACvb,CAAC;AACJ,CAAC"}
|
|
@@ -0,0 +1,8 @@
|
|
|
1
|
+
import type { PolicySqlOptions } from "../interfaces/policy-sql-options.interface";
|
|
2
|
+
/**
|
|
3
|
+
* Creates SQL that revokes table and sequence privileges emitted for a policy.
|
|
4
|
+
*
|
|
5
|
+
* Preserved policies keep overlapping privileges for the same schema, table,
|
|
6
|
+
* and role from being revoked during rollback.
|
|
7
|
+
*/
|
|
8
|
+
export declare function createPolicyPrivilegeDownSqlStatements(options: PolicySqlOptions, preservedPolicies?: PolicySqlOptions[]): string[];
|
|
@@ -0,0 +1,93 @@
|
|
|
1
|
+
"use strict";
|
|
2
|
+
Object.defineProperty(exports, "__esModule", { value: true });
|
|
3
|
+
exports.createPolicyPrivilegeDownSqlStatements = createPolicyPrivilegeDownSqlStatements;
|
|
4
|
+
const policy_command_enum_1 = require("../enums/policy-command.enum");
|
|
5
|
+
const assert_identifier_1 = require("./assert-identifier");
|
|
6
|
+
const escape_sql_literal_1 = require("./escape-sql-literal");
|
|
7
|
+
const quote_qualified_identifier_1 = require("./quote-qualified-identifier");
|
|
8
|
+
/**
|
|
9
|
+
* Creates SQL that revokes table and sequence privileges emitted for a policy.
|
|
10
|
+
*
|
|
11
|
+
* Preserved policies keep overlapping privileges for the same schema, table,
|
|
12
|
+
* and role from being revoked during rollback.
|
|
13
|
+
*/
|
|
14
|
+
function createPolicyPrivilegeDownSqlStatements(options, preservedPolicies = []) {
|
|
15
|
+
const roles = getPolicySqlRoleNames(options.roles);
|
|
16
|
+
if (roles.length === 0) {
|
|
17
|
+
return [];
|
|
18
|
+
}
|
|
19
|
+
const tableIdentifier = (0, quote_qualified_identifier_1.quoteQualifiedIdentifier)(options.schemaName, options.tableName);
|
|
20
|
+
const command = options.command ?? policy_command_enum_1.PolicyCommand.ALL;
|
|
21
|
+
const statements = createTablePrivilegeRevokeSqlStatements(options, tableIdentifier, roles, preservedPolicies);
|
|
22
|
+
if (requiresSequencePrivileges(command)) {
|
|
23
|
+
const sequenceRevokeRoles = roles.filter((role) => !hasPreservedSequencePrivileges(options, role, preservedPolicies));
|
|
24
|
+
if (sequenceRevokeRoles.length > 0) {
|
|
25
|
+
statements.push(createSequenceRevokeSql(options, tableIdentifier, sequenceRevokeRoles.join(", ")));
|
|
26
|
+
}
|
|
27
|
+
}
|
|
28
|
+
return statements;
|
|
29
|
+
}
|
|
30
|
+
function createTablePrivilegeRevokeSqlStatements(options, tableIdentifier, roles, preservedPolicies) {
|
|
31
|
+
const command = options.command ?? policy_command_enum_1.PolicyCommand.ALL;
|
|
32
|
+
const privileges = getTablePrivileges(command);
|
|
33
|
+
const rolesByPrivileges = new Map();
|
|
34
|
+
for (const role of roles) {
|
|
35
|
+
const preservedPrivileges = getPreservedTablePrivileges(options, role, preservedPolicies);
|
|
36
|
+
const revocablePrivileges = privileges.filter((privilege) => !preservedPrivileges.has(privilege));
|
|
37
|
+
if (revocablePrivileges.length === 0) {
|
|
38
|
+
continue;
|
|
39
|
+
}
|
|
40
|
+
const privilegeSql = revocablePrivileges.join(", ");
|
|
41
|
+
const groupedRoles = rolesByPrivileges.get(privilegeSql) ?? [];
|
|
42
|
+
groupedRoles.push(role);
|
|
43
|
+
rolesByPrivileges.set(privilegeSql, groupedRoles);
|
|
44
|
+
}
|
|
45
|
+
return [...rolesByPrivileges].map(([privilegeSql, groupedRoles]) => `revoke ${privilegeSql} on table ${tableIdentifier} from ${groupedRoles.join(", ")};`);
|
|
46
|
+
}
|
|
47
|
+
function getTablePrivileges(command) {
|
|
48
|
+
if (command === policy_command_enum_1.PolicyCommand.SELECT) {
|
|
49
|
+
return ["select"];
|
|
50
|
+
}
|
|
51
|
+
if (command === policy_command_enum_1.PolicyCommand.INSERT) {
|
|
52
|
+
return ["insert"];
|
|
53
|
+
}
|
|
54
|
+
if (command === policy_command_enum_1.PolicyCommand.UPDATE) {
|
|
55
|
+
return ["select", "update"];
|
|
56
|
+
}
|
|
57
|
+
if (command === policy_command_enum_1.PolicyCommand.DELETE) {
|
|
58
|
+
return ["select", "delete"];
|
|
59
|
+
}
|
|
60
|
+
return ["select", "insert", "update", "delete"];
|
|
61
|
+
}
|
|
62
|
+
function requiresSequencePrivileges(command) {
|
|
63
|
+
return command === policy_command_enum_1.PolicyCommand.INSERT || command === policy_command_enum_1.PolicyCommand.ALL;
|
|
64
|
+
}
|
|
65
|
+
function getPreservedTablePrivileges(options, role, preservedPolicies) {
|
|
66
|
+
const privileges = new Set();
|
|
67
|
+
for (const preservedPolicy of getPreservedPoliciesForRole(options, role, preservedPolicies)) {
|
|
68
|
+
for (const privilege of getTablePrivileges(preservedPolicy.command ?? policy_command_enum_1.PolicyCommand.ALL)) {
|
|
69
|
+
privileges.add(privilege);
|
|
70
|
+
}
|
|
71
|
+
}
|
|
72
|
+
return privileges;
|
|
73
|
+
}
|
|
74
|
+
function hasPreservedSequencePrivileges(options, role, preservedPolicies) {
|
|
75
|
+
return getPreservedPoliciesForRole(options, role, preservedPolicies).some((preservedPolicy) => requiresSequencePrivileges(preservedPolicy.command ?? policy_command_enum_1.PolicyCommand.ALL));
|
|
76
|
+
}
|
|
77
|
+
function getPreservedPoliciesForRole(options, role, preservedPolicies) {
|
|
78
|
+
return preservedPolicies.filter((preservedPolicy) => isSamePolicyTarget(options, preservedPolicy) &&
|
|
79
|
+
getPolicySqlRoleNames(preservedPolicy.roles).includes(role));
|
|
80
|
+
}
|
|
81
|
+
function getPolicySqlRoleNames(roles) {
|
|
82
|
+
return [...new Set((roles ?? []).map((role) => (0, assert_identifier_1.assertIdentifier)(role)))];
|
|
83
|
+
}
|
|
84
|
+
function isSamePolicyTarget(left, right) {
|
|
85
|
+
return (left.schemaName === right.schemaName && left.tableName === right.tableName);
|
|
86
|
+
}
|
|
87
|
+
function createSequenceRevokeSql(options, tableIdentifier, roleSql) {
|
|
88
|
+
const tableLiteral = (0, escape_sql_literal_1.escapeSqlLiteral)(tableIdentifier);
|
|
89
|
+
const schemaName = (0, escape_sql_literal_1.escapeSqlLiteral)(options.schemaName);
|
|
90
|
+
const tableName = (0, escape_sql_literal_1.escapeSqlLiteral)(options.tableName);
|
|
91
|
+
return /* SQL */ `do $$ declare sequence_identifier text; begin for sequence_identifier in select pg_get_serial_sequence('${tableLiteral}', columns.column_name) from information_schema.columns where columns.table_schema = '${schemaName}' and columns.table_name = '${tableName}' and pg_get_serial_sequence('${tableLiteral}', columns.column_name) is not null loop execute format('revoke usage, select on sequence %s from ${roleSql}', sequence_identifier); end loop; end $$;`;
|
|
92
|
+
}
|
|
93
|
+
//# sourceMappingURL=create-policy-privilege-down-sql-statements.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"create-policy-privilege-down-sql-statements.js","sourceRoot":"","sources":["../../src/utils/create-policy-privilege-down-sql-statements.ts"],"names":[],"mappings":";;AAYA,wFAwCC;AApDD,sEAA6D;AAE7D,2DAAuD;AACvD,6DAAwD;AACxD,6EAAwE;AAExE;;;;;GAKG;AACH,SAAgB,sCAAsC,CACpD,OAAyB,EACzB,oBAAwC,EAAE;IAE1C,MAAM,KAAK,GAAG,qBAAqB,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;IAEnD,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACvB,OAAO,EAAE,CAAC;IACZ,CAAC;IAED,MAAM,eAAe,GAAG,IAAA,qDAAwB,EAC9C,OAAO,CAAC,UAAU,EAClB,OAAO,CAAC,SAAS,CAClB,CAAC;IACF,MAAM,OAAO,GAAG,OAAO,CAAC,OAAO,IAAI,mCAAa,CAAC,GAAG,CAAC;IACrD,MAAM,UAAU,GAAG,uCAAuC,CACxD,OAAO,EACP,eAAe,EACf,KAAK,EACL,iBAAiB,CAClB,CAAC;IAEF,IAAI,0BAA0B,CAAC,OAAO,CAAC,EAAE,CAAC;QACxC,MAAM,mBAAmB,GAAG,KAAK,CAAC,MAAM,CACtC,CAAC,IAAI,EAAE,EAAE,CACP,CAAC,8BAA8B,CAAC,OAAO,EAAE,IAAI,EAAE,iBAAiB,CAAC,CACpE,CAAC;QAEF,IAAI,mBAAmB,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACnC,UAAU,CAAC,IAAI,CACb,uBAAuB,CACrB,OAAO,EACP,eAAe,EACf,mBAAmB,CAAC,IAAI,CAAC,IAAI,CAAC,CAC/B,CACF,CAAC;QACJ,CAAC;IACH,CAAC;IAED,OAAO,UAAU,CAAC;AACpB,CAAC;AAED,SAAS,uCAAuC,CAC9C,OAAyB,EACzB,eAAuB,EACvB,KAAe,EACf,iBAAqC;IAErC,MAAM,OAAO,GAAG,OAAO,CAAC,OAAO,IAAI,mCAAa,CAAC,GAAG,CAAC;IACrD,MAAM,UAAU,GAAG,kBAAkB,CAAC,OAAO,CAAC,CAAC;IAC/C,MAAM,iBAAiB,GAAG,IAAI,GAAG,EAAoB,CAAC;IAEtD,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,MAAM,mBAAmB,GAAG,2BAA2B,CACrD,OAAO,EACP,IAAI,EACJ,iBAAiB,CAClB,CAAC;QACF,MAAM,mBAAmB,GAAG,UAAU,CAAC,MAAM,CAC3C,CAAC,SAAS,EAAE,EAAE,CAAC,CAAC,mBAAmB,CAAC,GAAG,CAAC,SAAS,CAAC,CACnD,CAAC;QAEF,IAAI,mBAAmB,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACrC,SAAS;QACX,CAAC;QAED,MAAM,YAAY,GAAG,mBAAmB,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACpD,MAAM,YAAY,GAAG,iBAAiB,CAAC,GAAG,CAAC,YAAY,CAAC,IAAI,EAAE,CAAC;QAE/D,YAAY,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACxB,iBAAiB,CAAC,GAAG,CAAC,YAAY,EAAE,YAAY,CAAC,CAAC;IACpD,CAAC;IAED,OAAO,CAAC,GAAG,iBAAiB,CAAC,CAAC,GAAG,CAC/B,CAAC,CAAC,YAAY,EAAE,YAAY,CAAC,EAAE,EAAE,CAC/B,UAAU,YAAY,aAAa,eAAe,SAAS,YAAY,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CACxF,CAAC;AACJ,CAAC;AAED,SAAS,kBAAkB,CAAC,OAAsB;IAChD,IAAI,OAAO,KAAK,mCAAa,CAAC,MAAM,EAAE,CAAC;QACrC,OAAO,CAAC,QAAQ,CAAC,CAAC;IACpB,CAAC;IAED,IAAI,OAAO,KAAK,mCAAa,CAAC,MAAM,EAAE,CAAC;QACrC,OAAO,CAAC,QAAQ,CAAC,CAAC;IACpB,CAAC;IAED,IAAI,OAAO,KAAK,mCAAa,CAAC,MAAM,EAAE,CAAC;QACrC,OAAO,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAC;IAC9B,CAAC;IAED,IAAI,OAAO,KAAK,mCAAa,CAAC,MAAM,EAAE,CAAC;QACrC,OAAO,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAC;IAC9B,CAAC;IAED,OAAO,CAAC,QAAQ,EAAE,QAAQ,EAAE,QAAQ,EAAE,QAAQ,CAAC,CAAC;AAClD,CAAC;AAED,SAAS,0BAA0B,CAAC,OAAsB;IACxD,OAAO,OAAO,KAAK,mCAAa,CAAC,MAAM,IAAI,OAAO,KAAK,mCAAa,CAAC,GAAG,CAAC;AAC3E,CAAC;AAED,SAAS,2BAA2B,CAClC,OAAyB,EACzB,IAAY,EACZ,iBAAqC;IAErC,MAAM,UAAU,GAAG,IAAI,GAAG,EAAU,CAAC;IAErC,KAAK,MAAM,eAAe,IAAI,2BAA2B,CACvD,OAAO,EACP,IAAI,EACJ,iBAAiB,CAClB,EAAE,CAAC;QACF,KAAK,MAAM,SAAS,IAAI,kBAAkB,CACxC,eAAe,CAAC,OAAO,IAAI,mCAAa,CAAC,GAAG,CAC7C,EAAE,CAAC;YACF,UAAU,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;QAC5B,CAAC;IACH,CAAC;IAED,OAAO,UAAU,CAAC;AACpB,CAAC;AAED,SAAS,8BAA8B,CACrC,OAAyB,EACzB,IAAY,EACZ,iBAAqC;IAErC,OAAO,2BAA2B,CAAC,OAAO,EAAE,IAAI,EAAE,iBAAiB,CAAC,CAAC,IAAI,CACvE,CAAC,eAAe,EAAE,EAAE,CAClB,0BAA0B,CAAC,eAAe,CAAC,OAAO,IAAI,mCAAa,CAAC,GAAG,CAAC,CAC3E,CAAC;AACJ,CAAC;AAED,SAAS,2BAA2B,CAClC,OAAyB,EACzB,IAAY,EACZ,iBAAqC;IAErC,OAAO,iBAAiB,CAAC,MAAM,CAC7B,CAAC,eAAe,EAAE,EAAE,CAClB,kBAAkB,CAAC,OAAO,EAAE,eAAe,CAAC;QAC5C,qBAAqB,CAAC,eAAe,CAAC,KAAK,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,CAC9D,CAAC;AACJ,CAAC;AAED,SAAS,qBAAqB,CAAC,KAA2B;IACxD,OAAO,CAAC,GAAG,IAAI,GAAG,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAA,oCAAgB,EAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC;AAC3E,CAAC;AAED,SAAS,kBAAkB,CAAC,IAAsB,EAAE,KAAuB;IACzE,OAAO,CACL,IAAI,CAAC,UAAU,KAAK,KAAK,CAAC,UAAU,IAAI,IAAI,CAAC,SAAS,KAAK,KAAK,CAAC,SAAS,CAC3E,CAAC;AACJ,CAAC;AAED,SAAS,uBAAuB,CAC9B,OAAyB,EACzB,eAAuB,EACvB,OAAe;IAEf,MAAM,YAAY,GAAG,IAAA,qCAAgB,EAAC,eAAe,CAAC,CAAC;IACvD,MAAM,UAAU,GAAG,IAAA,qCAAgB,EAAC,OAAO,CAAC,UAAU,CAAC,CAAC;IACxD,MAAM,SAAS,GAAG,IAAA,qCAAgB,EAAC,OAAO,CAAC,SAAS,CAAC,CAAC;IAEtD,OAAO,SAAS,CAAC,2GAA2G,YAAY,yFAAyF,UAAU,+BAA+B,SAAS,iCAAiC,YAAY,qGAAqG,OAAO,4CAA4C,CAAC;AAC3d,CAAC"}
|
|
@@ -0,0 +1,6 @@
|
|
|
1
|
+
/** Creates SQL that ensures RLS roles and grants required runtime privileges. */
|
|
2
|
+
export declare function createPolicyRoleUpSqlStatements(roles?: Iterable<string>): string[];
|
|
3
|
+
/** Creates SQL that revokes schema and membership grants for the supplied roles. */
|
|
4
|
+
export declare function createPolicyRoleDownSqlStatements(roles?: Iterable<string>): string[];
|
|
5
|
+
/** Returns unique policy roles, always including the anonymous fallback role. */
|
|
6
|
+
export declare function getPolicyRoleNames(roles?: Iterable<string>): string[];
|
|
@@ -0,0 +1,48 @@
|
|
|
1
|
+
"use strict";
|
|
2
|
+
Object.defineProperty(exports, "__esModule", { value: true });
|
|
3
|
+
exports.createPolicyRoleUpSqlStatements = createPolicyRoleUpSqlStatements;
|
|
4
|
+
exports.createPolicyRoleDownSqlStatements = createPolicyRoleDownSqlStatements;
|
|
5
|
+
exports.getPolicyRoleNames = getPolicyRoleNames;
|
|
6
|
+
const row_level_security_role_enum_1 = require("../enums/row-level-security-role.enum");
|
|
7
|
+
const assert_identifier_1 = require("./assert-identifier");
|
|
8
|
+
const escape_sql_literal_1 = require("./escape-sql-literal");
|
|
9
|
+
/** Creates SQL that ensures RLS roles and grants required runtime privileges. */
|
|
10
|
+
function createPolicyRoleUpSqlStatements(roles = []) {
|
|
11
|
+
return getPolicyRoleNames(roles).flatMap((role) => {
|
|
12
|
+
const roleName = (0, assert_identifier_1.assertIdentifier)(role);
|
|
13
|
+
const roleLiteral = (0, escape_sql_literal_1.escapeSqlLiteral)(roleName);
|
|
14
|
+
return [
|
|
15
|
+
`do $$ begin if not exists (select 1 from pg_roles where rolname = '${roleLiteral}') then create role ${roleName} nologin; end if; end $$;`,
|
|
16
|
+
`grant ${roleName} to current_user;`,
|
|
17
|
+
`grant usage on schema app to ${roleName};`,
|
|
18
|
+
];
|
|
19
|
+
});
|
|
20
|
+
}
|
|
21
|
+
/** Creates SQL that revokes schema and membership grants for the supplied roles. */
|
|
22
|
+
function createPolicyRoleDownSqlStatements(roles = []) {
|
|
23
|
+
return [...getExplicitPolicyRoleNames(roles)].sort().flatMap((role) => {
|
|
24
|
+
const roleName = (0, assert_identifier_1.assertIdentifier)(role);
|
|
25
|
+
return [
|
|
26
|
+
`revoke usage on schema app from ${roleName};`,
|
|
27
|
+
`revoke ${roleName} from current_user;`,
|
|
28
|
+
];
|
|
29
|
+
});
|
|
30
|
+
}
|
|
31
|
+
/** Returns unique policy roles, always including the anonymous fallback role. */
|
|
32
|
+
function getPolicyRoleNames(roles = []) {
|
|
33
|
+
const roleNames = getExplicitPolicyRoleNames(roles);
|
|
34
|
+
roleNames.delete(row_level_security_role_enum_1.RowLevelSecurityRole.ANONYMOUS);
|
|
35
|
+
return [row_level_security_role_enum_1.RowLevelSecurityRole.ANONYMOUS, ...[...roleNames].sort()];
|
|
36
|
+
}
|
|
37
|
+
/** Returns unique explicit policy roles without adding fallback roles. */
|
|
38
|
+
function getExplicitPolicyRoleNames(roles) {
|
|
39
|
+
const roleNames = new Set();
|
|
40
|
+
for (const role of roles) {
|
|
41
|
+
if (role.toLowerCase() === "public") {
|
|
42
|
+
continue;
|
|
43
|
+
}
|
|
44
|
+
roleNames.add((0, assert_identifier_1.assertIdentifier)(role));
|
|
45
|
+
}
|
|
46
|
+
return roleNames;
|
|
47
|
+
}
|
|
48
|
+
//# sourceMappingURL=create-policy-role-sql-statements.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"create-policy-role-sql-statements.js","sourceRoot":"","sources":["../../src/utils/create-policy-role-sql-statements.ts"],"names":[],"mappings":";;AAKA,0EAWC;AAGD,8EAWC;AAGD,gDAMC;AAvCD,wFAA6E;AAC7E,2DAAuD;AACvD,6DAAwD;AAExD,iFAAiF;AACjF,SAAgB,+BAA+B,CAAC,QAA0B,EAAE;IAC1E,OAAO,kBAAkB,CAAC,KAAK,CAAC,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,EAAE;QAChD,MAAM,QAAQ,GAAG,IAAA,oCAAgB,EAAC,IAAI,CAAC,CAAC;QACxC,MAAM,WAAW,GAAG,IAAA,qCAAgB,EAAC,QAAQ,CAAC,CAAC;QAE/C,OAAO;YACL,sEAAsE,WAAW,uBAAuB,QAAQ,2BAA2B;YAC3I,SAAS,QAAQ,mBAAmB;YACpC,gCAAgC,QAAQ,GAAG;SAC5C,CAAC;IACJ,CAAC,CAAC,CAAC;AACL,CAAC;AAED,oFAAoF;AACpF,SAAgB,iCAAiC,CAC/C,QAA0B,EAAE;IAE5B,OAAO,CAAC,GAAG,0BAA0B,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,EAAE;QACpE,MAAM,QAAQ,GAAG,IAAA,oCAAgB,EAAC,IAAI,CAAC,CAAC;QAExC,OAAO;YACL,mCAAmC,QAAQ,GAAG;YAC9C,UAAU,QAAQ,qBAAqB;SACxC,CAAC;IACJ,CAAC,CAAC,CAAC;AACL,CAAC;AAED,iFAAiF;AACjF,SAAgB,kBAAkB,CAAC,QAA0B,EAAE;IAC7D,MAAM,SAAS,GAAG,0BAA0B,CAAC,KAAK,CAAC,CAAC;IAEpD,SAAS,CAAC,MAAM,CAAC,mDAAoB,CAAC,SAAS,CAAC,CAAC;IAEjD,OAAO,CAAC,mDAAoB,CAAC,SAAS,EAAE,GAAG,CAAC,GAAG,SAAS,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC;AACpE,CAAC;AAED,0EAA0E;AAC1E,SAAS,0BAA0B,CAAC,KAAuB;IACzD,MAAM,SAAS,GAAG,IAAI,GAAG,EAAU,CAAC;IAEpC,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,IAAI,IAAI,CAAC,WAAW,EAAE,KAAK,QAAQ,EAAE,CAAC;YACpC,SAAS;QACX,CAAC;QAED,SAAS,CAAC,GAAG,CAAC,IAAA,oCAAgB,EAAC,IAAI,CAAC,CAAC,CAAC;IACxC,CAAC;IAED,OAAO,SAAS,CAAC;AACnB,CAAC"}
|
|
@@ -102,13 +102,19 @@ function assertPolicyPredicates(command, predicates) {
|
|
|
102
102
|
function getPolicyPredicateSql(command, predicates) {
|
|
103
103
|
const fragments = [];
|
|
104
104
|
if (command !== policy_command_enum_1.PolicyCommand.INSERT && predicates.using) {
|
|
105
|
-
fragments.push(`using ${predicates.using}`);
|
|
105
|
+
fragments.push(`using ${createPredicateExpressionSql(predicates.using)}`);
|
|
106
106
|
}
|
|
107
107
|
if (command !== policy_command_enum_1.PolicyCommand.SELECT &&
|
|
108
108
|
command !== policy_command_enum_1.PolicyCommand.DELETE &&
|
|
109
109
|
predicates.withCheck) {
|
|
110
|
-
fragments.push(`with check ${predicates.withCheck}`);
|
|
110
|
+
fragments.push(`with check ${createPredicateExpressionSql(predicates.withCheck)}`);
|
|
111
111
|
}
|
|
112
112
|
return fragments.join(" ");
|
|
113
113
|
}
|
|
114
|
+
function createPredicateExpressionSql(expression) {
|
|
115
|
+
return isParenthesizedExpression(expression) ? expression : `(${expression})`;
|
|
116
|
+
}
|
|
117
|
+
function isParenthesizedExpression(expression) {
|
|
118
|
+
return expression.startsWith("(") && expression.endsWith(")");
|
|
119
|
+
}
|
|
114
120
|
//# sourceMappingURL=create-policy-up-sql-statements.js.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"create-policy-up-sql-statements.js","sourceRoot":"","sources":["../../src/utils/create-policy-up-sql-statements.ts"],"names":[],"mappings":";;AAQA,kEAkBC;AA1BD,sEAA6D;AAC7D,gEAAuD;AAEvD,2DAAuD;AACvD,6DAAwD;AACxD,6EAAwE;AAExE,+EAA+E;AAC/E,SAAgB,2BAA2B,CAAC,OAAyB;IACnE,MAAM,eAAe,GAAG,IAAA,qDAAwB,EAC9C,OAAO,CAAC,UAAU,EAClB,OAAO,CAAC,SAAS,CAClB,CAAC;IACF,MAAM,UAAU,GAAG,IAAA,oCAAgB,EAAC,OAAO,CAAC,UAAU,CAAC,CAAC;IACxD,MAAM,IAAI,GAAG,OAAO,CAAC,IAAI,IAAI,6BAAU,CAAC,UAAU,CAAC;IACnD,MAAM,OAAO,GAAG,OAAO,CAAC,OAAO,IAAI,mCAAa,CAAC,GAAG,CAAC;IACrD,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,IAAI,EAAE,CAAC;IAClC,MAAM,OAAO,GAAG,KAAK,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAA,oCAAgB,EAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACvE,MAAM,UAAU,GAAG,mBAAmB,CAAC,OAAO,CAAC,CAAC;IAEhD,OAAO;QACL,eAAe,eAAe,6BAA6B;QAC3D,GAAG,iCAAiC,CAAC,OAAO,EAAE,eAAe,EAAE,OAAO,CAAC;QACvE,yBAAyB,UAAU,OAAO,eAAe,GAAG;QAC5D,iBAAiB,UAAU,OAAO,eAAe,OAAO,IAAI,QAAQ,OAAO,GAAG,OAAO,CAAC,CAAC,CAAC,OAAO,OAAO,EAAE,CAAC,CAAC,CAAC,EAAE,IAAI,qBAAqB,CAAC,OAAO,EAAE,UAAU,CAAC,GAAG;KAC/J,CAAC;AACJ,CAAC;AAED,SAAS,iCAAiC,CACxC,OAAyB,EACzB,eAAuB,EACvB,OAAe;IAEf,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,OAAO,EAAE,CAAC;IACZ,CAAC;IAED,MAAM,OAAO,GAAG,OAAO,CAAC,OAAO,IAAI,mCAAa,CAAC,GAAG,CAAC;IACrD,MAAM,UAAU,GAAG,kBAAkB,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC1D,MAAM,UAAU,GAAG;QACjB,SAAS,UAAU,aAAa,eAAe,OAAO,OAAO,GAAG;KACjE,CAAC;IAEF,IAAI,0BAA0B,CAAC,OAAO,CAAC,EAAE,CAAC;QACxC,UAAU,CAAC,IAAI,CAAC,sBAAsB,CAAC,OAAO,EAAE,eAAe,EAAE,OAAO,CAAC,CAAC,CAAC;IAC7E,CAAC;IAED,OAAO,UAAU,CAAC;AACpB,CAAC;AAED,SAAS,kBAAkB,CAAC,OAAsB;IAChD,IAAI,OAAO,KAAK,mCAAa,CAAC,MAAM,EAAE,CAAC;QACrC,OAAO,CAAC,QAAQ,CAAC,CAAC;IACpB,CAAC;IAED,IAAI,OAAO,KAAK,mCAAa,CAAC,MAAM,EAAE,CAAC;QACrC,OAAO,CAAC,QAAQ,CAAC,CAAC;IACpB,CAAC;IAED,IAAI,OAAO,KAAK,mCAAa,CAAC,MAAM,EAAE,CAAC;QACrC,OAAO,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAC;IAC9B,CAAC;IAED,IAAI,OAAO,KAAK,mCAAa,CAAC,MAAM,EAAE,CAAC;QACrC,OAAO,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAC;IAC9B,CAAC;IAED,OAAO,CAAC,QAAQ,EAAE,QAAQ,EAAE,QAAQ,EAAE,QAAQ,CAAC,CAAC;AAClD,CAAC;AAED,SAAS,0BAA0B,CAAC,OAAsB;IACxD,OAAO,OAAO,KAAK,mCAAa,CAAC,MAAM,IAAI,OAAO,KAAK,mCAAa,CAAC,GAAG,CAAC;AAC3E,CAAC;AAED,SAAS,sBAAsB,CAC7B,OAAyB,EACzB,eAAuB,EACvB,OAAe;IAEf,MAAM,YAAY,GAAG,IAAA,qCAAgB,EAAC,eAAe,CAAC,CAAC;IACvD,MAAM,UAAU,GAAG,IAAA,qCAAgB,EAAC,OAAO,CAAC,UAAU,CAAC,CAAC;IACxD,MAAM,SAAS,GAAG,IAAA,qCAAgB,EAAC,OAAO,CAAC,SAAS,CAAC,CAAC;IAEtD,OAAO,SAAS,CAAC,2GAA2G,YAAY,yFAAyF,UAAU,+BAA+B,SAAS,iCAAiC,YAAY,kGAAkG,OAAO,4CAA4C,CAAC;AACxd,CAAC;AAED,SAAS,mBAAmB,CAAC,OAAyB;IACpD,MAAM,OAAO,GAAG,OAAO,CAAC,OAAO,IAAI,mCAAa,CAAC,GAAG,CAAC;IACrD,MAAM,UAAU,GAAG;QACjB,KAAK,EAAE,mBAAmB,CAAC,OAAO,CAAC,KAAK,CAAC;QACzC,SAAS,EAAE,mBAAmB,CAAC,OAAO,CAAC,SAAS,CAAC;KAClD,CAAC;IAEF,sBAAsB,CAAC,OAAO,EAAE,UAAU,CAAC,CAAC;IAE5C,OAAO,UAAU,CAAC;AACpB,CAAC;AAED,SAAS,mBAAmB,CAAC,UAA8B;IACzD,MAAM,UAAU,GAAG,UAAU,EAAE,IAAI,EAAE,CAAC;IAEtC,IAAI,CAAC,UAAU,EAAE,CAAC;QAChB,OAAO,SAAS,CAAC;IACnB,CAAC;IAED,OAAO,UAAU,CAAC;AACpB,CAAC;AAED,SAAS,sBAAsB,CAC7B,OAAsB,EACtB,UAAkD;IAElD,IAAI,OAAO,KAAK,mCAAa,CAAC,MAAM,IAAI,OAAO,KAAK,mCAAa,CAAC,MAAM,EAAE,CAAC;QACzE,IAAI,CAAC,UAAU,CAAC,KAAK,EAAE,CAAC;YACtB,MAAM,IAAI,KAAK,CAAC,qCAAqC,CAAC,CAAC;QACzD,CAAC;QAED,IAAI,UAAU,CAAC,SAAS,EAAE,CAAC;YACzB,MAAM,IAAI,KAAK,CAAC,uCAAuC,OAAO,EAAE,CAAC,CAAC;QACpE,CAAC;QAED,OAAO;IACT,CAAC;IAED,IAAI,OAAO,KAAK,mCAAa,CAAC,MAAM,EAAE,CAAC;QACrC,IAAI,UAAU,CAAC,KAAK,EAAE,CAAC;YACrB,MAAM,IAAI,KAAK,CAAC,wCAAwC,CAAC,CAAC;QAC5D,CAAC;QAED,IAAI,CAAC,UAAU,CAAC,SAAS,EAAE,CAAC;YAC1B,MAAM,IAAI,KAAK,CAAC,yCAAyC,CAAC,CAAC;QAC7D,CAAC;QAED,OAAO;IACT,CAAC;IAED,IAAI,CAAC,UAAU,CAAC,KAAK,IAAI,CAAC,UAAU,CAAC,SAAS,EAAE,CAAC;QAC/C,MAAM,IAAI,KAAK,CAAC,kDAAkD,CAAC,CAAC;IACtE,CAAC;AACH,CAAC;AAED,SAAS,qBAAqB,CAC5B,OAAsB,EACtB,UAAkD;IAElD,MAAM,SAAS,GAAa,EAAE,CAAC;IAE/B,IAAI,OAAO,KAAK,mCAAa,CAAC,MAAM,IAAI,UAAU,CAAC,KAAK,EAAE,CAAC;QACzD,SAAS,CAAC,IAAI,CAAC,SAAS,UAAU,CAAC,KAAK,EAAE,CAAC,CAAC;
|
|
1
|
+
{"version":3,"file":"create-policy-up-sql-statements.js","sourceRoot":"","sources":["../../src/utils/create-policy-up-sql-statements.ts"],"names":[],"mappings":";;AAQA,kEAkBC;AA1BD,sEAA6D;AAC7D,gEAAuD;AAEvD,2DAAuD;AACvD,6DAAwD;AACxD,6EAAwE;AAExE,+EAA+E;AAC/E,SAAgB,2BAA2B,CAAC,OAAyB;IACnE,MAAM,eAAe,GAAG,IAAA,qDAAwB,EAC9C,OAAO,CAAC,UAAU,EAClB,OAAO,CAAC,SAAS,CAClB,CAAC;IACF,MAAM,UAAU,GAAG,IAAA,oCAAgB,EAAC,OAAO,CAAC,UAAU,CAAC,CAAC;IACxD,MAAM,IAAI,GAAG,OAAO,CAAC,IAAI,IAAI,6BAAU,CAAC,UAAU,CAAC;IACnD,MAAM,OAAO,GAAG,OAAO,CAAC,OAAO,IAAI,mCAAa,CAAC,GAAG,CAAC;IACrD,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,IAAI,EAAE,CAAC;IAClC,MAAM,OAAO,GAAG,KAAK,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAA,oCAAgB,EAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACvE,MAAM,UAAU,GAAG,mBAAmB,CAAC,OAAO,CAAC,CAAC;IAEhD,OAAO;QACL,eAAe,eAAe,6BAA6B;QAC3D,GAAG,iCAAiC,CAAC,OAAO,EAAE,eAAe,EAAE,OAAO,CAAC;QACvE,yBAAyB,UAAU,OAAO,eAAe,GAAG;QAC5D,iBAAiB,UAAU,OAAO,eAAe,OAAO,IAAI,QAAQ,OAAO,GAAG,OAAO,CAAC,CAAC,CAAC,OAAO,OAAO,EAAE,CAAC,CAAC,CAAC,EAAE,IAAI,qBAAqB,CAAC,OAAO,EAAE,UAAU,CAAC,GAAG;KAC/J,CAAC;AACJ,CAAC;AAED,SAAS,iCAAiC,CACxC,OAAyB,EACzB,eAAuB,EACvB,OAAe;IAEf,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,OAAO,EAAE,CAAC;IACZ,CAAC;IAED,MAAM,OAAO,GAAG,OAAO,CAAC,OAAO,IAAI,mCAAa,CAAC,GAAG,CAAC;IACrD,MAAM,UAAU,GAAG,kBAAkB,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC1D,MAAM,UAAU,GAAG;QACjB,SAAS,UAAU,aAAa,eAAe,OAAO,OAAO,GAAG;KACjE,CAAC;IAEF,IAAI,0BAA0B,CAAC,OAAO,CAAC,EAAE,CAAC;QACxC,UAAU,CAAC,IAAI,CAAC,sBAAsB,CAAC,OAAO,EAAE,eAAe,EAAE,OAAO,CAAC,CAAC,CAAC;IAC7E,CAAC;IAED,OAAO,UAAU,CAAC;AACpB,CAAC;AAED,SAAS,kBAAkB,CAAC,OAAsB;IAChD,IAAI,OAAO,KAAK,mCAAa,CAAC,MAAM,EAAE,CAAC;QACrC,OAAO,CAAC,QAAQ,CAAC,CAAC;IACpB,CAAC;IAED,IAAI,OAAO,KAAK,mCAAa,CAAC,MAAM,EAAE,CAAC;QACrC,OAAO,CAAC,QAAQ,CAAC,CAAC;IACpB,CAAC;IAED,IAAI,OAAO,KAAK,mCAAa,CAAC,MAAM,EAAE,CAAC;QACrC,OAAO,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAC;IAC9B,CAAC;IAED,IAAI,OAAO,KAAK,mCAAa,CAAC,MAAM,EAAE,CAAC;QACrC,OAAO,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAC;IAC9B,CAAC;IAED,OAAO,CAAC,QAAQ,EAAE,QAAQ,EAAE,QAAQ,EAAE,QAAQ,CAAC,CAAC;AAClD,CAAC;AAED,SAAS,0BAA0B,CAAC,OAAsB;IACxD,OAAO,OAAO,KAAK,mCAAa,CAAC,MAAM,IAAI,OAAO,KAAK,mCAAa,CAAC,GAAG,CAAC;AAC3E,CAAC;AAED,SAAS,sBAAsB,CAC7B,OAAyB,EACzB,eAAuB,EACvB,OAAe;IAEf,MAAM,YAAY,GAAG,IAAA,qCAAgB,EAAC,eAAe,CAAC,CAAC;IACvD,MAAM,UAAU,GAAG,IAAA,qCAAgB,EAAC,OAAO,CAAC,UAAU,CAAC,CAAC;IACxD,MAAM,SAAS,GAAG,IAAA,qCAAgB,EAAC,OAAO,CAAC,SAAS,CAAC,CAAC;IAEtD,OAAO,SAAS,CAAC,2GAA2G,YAAY,yFAAyF,UAAU,+BAA+B,SAAS,iCAAiC,YAAY,kGAAkG,OAAO,4CAA4C,CAAC;AACxd,CAAC;AAED,SAAS,mBAAmB,CAAC,OAAyB;IACpD,MAAM,OAAO,GAAG,OAAO,CAAC,OAAO,IAAI,mCAAa,CAAC,GAAG,CAAC;IACrD,MAAM,UAAU,GAAG;QACjB,KAAK,EAAE,mBAAmB,CAAC,OAAO,CAAC,KAAK,CAAC;QACzC,SAAS,EAAE,mBAAmB,CAAC,OAAO,CAAC,SAAS,CAAC;KAClD,CAAC;IAEF,sBAAsB,CAAC,OAAO,EAAE,UAAU,CAAC,CAAC;IAE5C,OAAO,UAAU,CAAC;AACpB,CAAC;AAED,SAAS,mBAAmB,CAAC,UAA8B;IACzD,MAAM,UAAU,GAAG,UAAU,EAAE,IAAI,EAAE,CAAC;IAEtC,IAAI,CAAC,UAAU,EAAE,CAAC;QAChB,OAAO,SAAS,CAAC;IACnB,CAAC;IAED,OAAO,UAAU,CAAC;AACpB,CAAC;AAED,SAAS,sBAAsB,CAC7B,OAAsB,EACtB,UAAkD;IAElD,IAAI,OAAO,KAAK,mCAAa,CAAC,MAAM,IAAI,OAAO,KAAK,mCAAa,CAAC,MAAM,EAAE,CAAC;QACzE,IAAI,CAAC,UAAU,CAAC,KAAK,EAAE,CAAC;YACtB,MAAM,IAAI,KAAK,CAAC,qCAAqC,CAAC,CAAC;QACzD,CAAC;QAED,IAAI,UAAU,CAAC,SAAS,EAAE,CAAC;YACzB,MAAM,IAAI,KAAK,CAAC,uCAAuC,OAAO,EAAE,CAAC,CAAC;QACpE,CAAC;QAED,OAAO;IACT,CAAC;IAED,IAAI,OAAO,KAAK,mCAAa,CAAC,MAAM,EAAE,CAAC;QACrC,IAAI,UAAU,CAAC,KAAK,EAAE,CAAC;YACrB,MAAM,IAAI,KAAK,CAAC,wCAAwC,CAAC,CAAC;QAC5D,CAAC;QAED,IAAI,CAAC,UAAU,CAAC,SAAS,EAAE,CAAC;YAC1B,MAAM,IAAI,KAAK,CAAC,yCAAyC,CAAC,CAAC;QAC7D,CAAC;QAED,OAAO;IACT,CAAC;IAED,IAAI,CAAC,UAAU,CAAC,KAAK,IAAI,CAAC,UAAU,CAAC,SAAS,EAAE,CAAC;QAC/C,MAAM,IAAI,KAAK,CAAC,kDAAkD,CAAC,CAAC;IACtE,CAAC;AACH,CAAC;AAED,SAAS,qBAAqB,CAC5B,OAAsB,EACtB,UAAkD;IAElD,MAAM,SAAS,GAAa,EAAE,CAAC;IAE/B,IAAI,OAAO,KAAK,mCAAa,CAAC,MAAM,IAAI,UAAU,CAAC,KAAK,EAAE,CAAC;QACzD,SAAS,CAAC,IAAI,CAAC,SAAS,4BAA4B,CAAC,UAAU,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;IAC5E,CAAC;IAED,IACE,OAAO,KAAK,mCAAa,CAAC,MAAM;QAChC,OAAO,KAAK,mCAAa,CAAC,MAAM;QAChC,UAAU,CAAC,SAAS,EACpB,CAAC;QACD,SAAS,CAAC,IAAI,CACZ,cAAc,4BAA4B,CAAC,UAAU,CAAC,SAAS,CAAC,EAAE,CACnE,CAAC;IACJ,CAAC;IAED,OAAO,SAAS,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AAC7B,CAAC;AAED,SAAS,4BAA4B,CAAC,UAAkB;IACtD,OAAO,yBAAyB,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,IAAI,UAAU,GAAG,CAAC;AAChF,CAAC;AAED,SAAS,yBAAyB,CAAC,UAAkB;IACnD,OAAO,UAAU,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,UAAU,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC;AAChE,CAAC"}
|
|
@@ -0,0 +1,20 @@
|
|
|
1
|
+
/** Instruction for row level security transaction setup. */
|
|
2
|
+
export type RowLevelSecurityTransactionSetup = RowLevelSecurityApplyTransactionSetup | RowLevelSecurityClearTransactionSetup;
|
|
3
|
+
/** SQL and cache key for applying row level security on a transaction. */
|
|
4
|
+
export interface RowLevelSecurityApplyTransactionSetup {
|
|
5
|
+
/** Applies row level security state to the transaction. */
|
|
6
|
+
action: "apply";
|
|
7
|
+
/** Transaction-local SQL that applies the PostgreSQL role and context settings. */
|
|
8
|
+
sql: string;
|
|
9
|
+
/** Stable cache key used to skip repeated setup on the same transaction. */
|
|
10
|
+
signature: string;
|
|
11
|
+
/** Context setting keys emitted by this setup. */
|
|
12
|
+
contextKeys: string[];
|
|
13
|
+
}
|
|
14
|
+
/** Instruction to clear previously applied row level security state. */
|
|
15
|
+
export interface RowLevelSecurityClearTransactionSetup {
|
|
16
|
+
/** Clears row level security state previously applied to the transaction. */
|
|
17
|
+
action: "clear";
|
|
18
|
+
}
|
|
19
|
+
/** Creates transaction-local SQL for the current row level security context. */
|
|
20
|
+
export declare function createRowLevelSecurityTransactionSetup(): RowLevelSecurityTransactionSetup | undefined;
|
|
@@ -0,0 +1,53 @@
|
|
|
1
|
+
"use strict";
|
|
2
|
+
Object.defineProperty(exports, "__esModule", { value: true });
|
|
3
|
+
exports.createRowLevelSecurityTransactionSetup = createRowLevelSecurityTransactionSetup;
|
|
4
|
+
const request_context_1 = require("@nest-boot/request-context");
|
|
5
|
+
const row_level_security_role_enum_1 = require("../enums/row-level-security-role.enum");
|
|
6
|
+
const row_level_security_1 = require("../row-level-security");
|
|
7
|
+
const assert_snake_case_1 = require("./assert-snake-case");
|
|
8
|
+
const row_level_security_context_builder_1 = require("./row-level-security-context-builder");
|
|
9
|
+
/** Creates transaction-local SQL for the current row level security context. */
|
|
10
|
+
function createRowLevelSecurityTransactionSetup() {
|
|
11
|
+
if (!request_context_1.RequestContext.isActive()) {
|
|
12
|
+
return;
|
|
13
|
+
}
|
|
14
|
+
const builder = new row_level_security_context_builder_1.RowLevelSecurityContextBuilder();
|
|
15
|
+
const mode = row_level_security_1.RowLevelSecurity.getMode();
|
|
16
|
+
const contextEntries = row_level_security_1.RowLevelSecurity.entries();
|
|
17
|
+
const role = row_level_security_1.RowLevelSecurity.getRole();
|
|
18
|
+
if (mode === row_level_security_1.RowLevelSecurityMode.DISABLED) {
|
|
19
|
+
return {
|
|
20
|
+
action: "clear",
|
|
21
|
+
};
|
|
22
|
+
}
|
|
23
|
+
if (mode === row_level_security_1.RowLevelSecurityMode.AUTO &&
|
|
24
|
+
!role &&
|
|
25
|
+
contextEntries.length === 0) {
|
|
26
|
+
return {
|
|
27
|
+
action: "clear",
|
|
28
|
+
};
|
|
29
|
+
}
|
|
30
|
+
appendContext(builder, contextEntries);
|
|
31
|
+
const databaseRole = role ?? row_level_security_role_enum_1.RowLevelSecurityRole.ANONYMOUS;
|
|
32
|
+
(0, assert_snake_case_1.assertSnakeCase)(databaseRole, "Row level security database role");
|
|
33
|
+
const contextSql = builder.entries().length > 0 ? builder.toSQL() : "";
|
|
34
|
+
const sql = [/* SQL */ `SET LOCAL ROLE ${databaseRole};`, contextSql]
|
|
35
|
+
.filter(Boolean)
|
|
36
|
+
.join("\n");
|
|
37
|
+
const signature = JSON.stringify({
|
|
38
|
+
context: builder.entries(),
|
|
39
|
+
role: databaseRole,
|
|
40
|
+
});
|
|
41
|
+
return {
|
|
42
|
+
action: "apply",
|
|
43
|
+
contextKeys: builder.entries().map(([key]) => key),
|
|
44
|
+
signature,
|
|
45
|
+
sql,
|
|
46
|
+
};
|
|
47
|
+
}
|
|
48
|
+
function appendContext(builder, context) {
|
|
49
|
+
for (const [key, value] of context ?? []) {
|
|
50
|
+
builder.set(key, value);
|
|
51
|
+
}
|
|
52
|
+
}
|
|
53
|
+
//# sourceMappingURL=create-row-level-security-transaction-setup.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"create-row-level-security-transaction-setup.js","sourceRoot":"","sources":["../../src/utils/create-row-level-security-transaction-setup.ts"],"names":[],"mappings":";;AAgCA,wFA+CC;AA/ED,gEAA4D;AAE5D,wFAA6E;AAC7E,8DAA+E;AAC/E,2DAAsD;AACtD,6FAAsF;AA0BtF,gFAAgF;AAChF,SAAgB,sCAAsC;IAGpD,IAAI,CAAC,gCAAc,CAAC,QAAQ,EAAE,EAAE,CAAC;QAC/B,OAAO;IACT,CAAC;IAED,MAAM,OAAO,GAAG,IAAI,mEAA8B,EAAE,CAAC;IACrD,MAAM,IAAI,GAAG,qCAAgB,CAAC,OAAO,EAAE,CAAC;IACxC,MAAM,cAAc,GAAG,qCAAgB,CAAC,OAAO,EAAE,CAAC;IAClD,MAAM,IAAI,GAAG,qCAAgB,CAAC,OAAO,EAAE,CAAC;IAExC,IAAI,IAAI,KAAK,yCAAoB,CAAC,QAAQ,EAAE,CAAC;QAC3C,OAAO;YACL,MAAM,EAAE,OAAO;SAChB,CAAC;IACJ,CAAC;IAED,IACE,IAAI,KAAK,yCAAoB,CAAC,IAAI;QAClC,CAAC,IAAI;QACL,cAAc,CAAC,MAAM,KAAK,CAAC,EAC3B,CAAC;QACD,OAAO;YACL,MAAM,EAAE,OAAO;SAChB,CAAC;IACJ,CAAC;IAED,aAAa,CAAC,OAAO,EAAE,cAAc,CAAC,CAAC;IACvC,MAAM,YAAY,GAAG,IAAI,IAAI,mDAAoB,CAAC,SAAS,CAAC;IAC5D,IAAA,mCAAe,EAAC,YAAY,EAAE,kCAAkC,CAAC,CAAC;IAElE,MAAM,UAAU,GAAG,OAAO,CAAC,OAAO,EAAE,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;IACvE,MAAM,GAAG,GAAG,CAAC,SAAS,CAAC,kBAAkB,YAAY,GAAG,EAAE,UAAU,CAAC;SAClE,MAAM,CAAC,OAAO,CAAC;SACf,IAAI,CAAC,IAAI,CAAC,CAAC;IACd,MAAM,SAAS,GAAG,IAAI,CAAC,SAAS,CAAC;QAC/B,OAAO,EAAE,OAAO,CAAC,OAAO,EAAE;QAC1B,IAAI,EAAE,YAAY;KACnB,CAAC,CAAC;IAEH,OAAO;QACL,MAAM,EAAE,OAAO;QACf,WAAW,EAAE,OAAO,CAAC,OAAO,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC,GAAG,CAAC;QAClD,SAAS;QACT,GAAG;KACJ,CAAC;AACJ,CAAC;AAED,SAAS,aAAa,CACpB,OAAuC,EACvC,OAEa;IAEb,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,OAAO,IAAI,EAAE,EAAE,CAAC;QACzC,OAAO,CAAC,GAAG,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;IAC1B,CAAC;AACH,CAAC"}
|
package/dist/utils/index.d.ts
CHANGED
|
@@ -2,12 +2,11 @@ export * from "./assert-identifier";
|
|
|
2
2
|
export * from "./assert-snake-case";
|
|
3
3
|
export * from "./create-policy-bootstrap-sql-statements";
|
|
4
4
|
export * from "./create-policy-down-sql";
|
|
5
|
+
export * from "./create-policy-privilege-down-sql-statements";
|
|
6
|
+
export * from "./create-policy-role-sql-statements";
|
|
5
7
|
export * from "./create-policy-up-sql-statements";
|
|
6
|
-
export * from "./default-row-level-security-options";
|
|
7
8
|
export * from "./escape-sql-literal";
|
|
8
|
-
export * from "./get-row-level-security-options";
|
|
9
9
|
export * from "./quote-identifier";
|
|
10
10
|
export * from "./quote-qualified-identifier";
|
|
11
11
|
export * from "./row-level-security-context-builder";
|
|
12
12
|
export type * from "./row-level-security-context-builder.types";
|
|
13
|
-
export * from "./set-row-level-security-options";
|
package/dist/utils/index.js
CHANGED
|
@@ -18,12 +18,11 @@ __exportStar(require("./assert-identifier"), exports);
|
|
|
18
18
|
__exportStar(require("./assert-snake-case"), exports);
|
|
19
19
|
__exportStar(require("./create-policy-bootstrap-sql-statements"), exports);
|
|
20
20
|
__exportStar(require("./create-policy-down-sql"), exports);
|
|
21
|
+
__exportStar(require("./create-policy-privilege-down-sql-statements"), exports);
|
|
22
|
+
__exportStar(require("./create-policy-role-sql-statements"), exports);
|
|
21
23
|
__exportStar(require("./create-policy-up-sql-statements"), exports);
|
|
22
|
-
__exportStar(require("./default-row-level-security-options"), exports);
|
|
23
24
|
__exportStar(require("./escape-sql-literal"), exports);
|
|
24
|
-
__exportStar(require("./get-row-level-security-options"), exports);
|
|
25
25
|
__exportStar(require("./quote-identifier"), exports);
|
|
26
26
|
__exportStar(require("./quote-qualified-identifier"), exports);
|
|
27
27
|
__exportStar(require("./row-level-security-context-builder"), exports);
|
|
28
|
-
__exportStar(require("./set-row-level-security-options"), exports);
|
|
29
28
|
//# sourceMappingURL=index.js.map
|
package/dist/utils/index.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/utils/index.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;AAAA,sDAAoC;AACpC,sDAAoC;AACpC,2EAAyD;AACzD,2DAAyC;AACzC,oEAAkD;AAClD,
|
|
1
|
+
{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/utils/index.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;AAAA,sDAAoC;AACpC,sDAAoC;AACpC,2EAAyD;AACzD,2DAAyC;AACzC,gFAA8D;AAC9D,sEAAoD;AACpD,oEAAkD;AAClD,uDAAqC;AACrC,qDAAmC;AACnC,+DAA6C;AAC7C,uEAAqD"}
|
|
@@ -4,23 +4,60 @@ const policy_command_enum_1 = require("../enums/policy-command.enum");
|
|
|
4
4
|
const policy_mode_enum_1 = require("../enums/policy-mode.enum");
|
|
5
5
|
const create_policy_bootstrap_sql_statements_1 = require("./create-policy-bootstrap-sql-statements");
|
|
6
6
|
const create_policy_down_sql_1 = require("./create-policy-down-sql");
|
|
7
|
+
const create_policy_privilege_down_sql_statements_1 = require("./create-policy-privilege-down-sql-statements");
|
|
8
|
+
const create_policy_role_sql_statements_1 = require("./create-policy-role-sql-statements");
|
|
7
9
|
const create_policy_up_sql_statements_1 = require("./create-policy-up-sql-statements");
|
|
8
10
|
describe("policy migration SQL", () => {
|
|
9
11
|
it("generates row level security bootstrap SQL", () => {
|
|
10
12
|
const statements = (0, create_policy_bootstrap_sql_statements_1.createPolicyBootstrapSqlStatements)();
|
|
11
13
|
expect(statements).toEqual([
|
|
12
|
-
"do $$ begin if not exists (select 1 from pg_roles where rolname = 'authenticated') then create role authenticated nologin; end if; end $$;",
|
|
13
|
-
"do $$ begin if not exists (select 1 from pg_roles where rolname = 'anonymous') then create role anonymous nologin; end if; end $$;",
|
|
14
|
-
"grant authenticated to current_user;",
|
|
15
|
-
"grant anonymous to current_user;",
|
|
16
14
|
"create schema if not exists app;",
|
|
17
|
-
"grant usage on schema app to authenticated;",
|
|
18
|
-
"grant usage on schema app to anonymous;",
|
|
19
15
|
"create or replace function app.get_context(context_key text, context_type anyelement) returns anyelement as $$ declare context_value text; begin context_value := current_setting('app.' || context_key, true); if context_value is null or context_value = '' then return null; end if; execute format('select $1::%s', pg_typeof(context_type)::text) using context_value into context_type; return context_type; end; $$ language plpgsql stable;",
|
|
20
16
|
]);
|
|
21
17
|
expect(statements.join("\n")).not.toContain("grant all on all tables");
|
|
22
18
|
expect(statements.join("\n")).not.toContain("get_policy_context");
|
|
23
19
|
});
|
|
20
|
+
it("generates up-only role SQL for anonymous and custom policy roles", () => {
|
|
21
|
+
const statements = (0, create_policy_role_sql_statements_1.createPolicyRoleUpSqlStatements)([
|
|
22
|
+
"authenticated",
|
|
23
|
+
"workspace_admin",
|
|
24
|
+
]);
|
|
25
|
+
expect(statements).toEqual([
|
|
26
|
+
"do $$ begin if not exists (select 1 from pg_roles where rolname = 'anonymous') then create role anonymous nologin; end if; end $$;",
|
|
27
|
+
"grant anonymous to current_user;",
|
|
28
|
+
"grant usage on schema app to anonymous;",
|
|
29
|
+
"do $$ begin if not exists (select 1 from pg_roles where rolname = 'authenticated') then create role authenticated nologin; end if; end $$;",
|
|
30
|
+
"grant authenticated to current_user;",
|
|
31
|
+
"grant usage on schema app to authenticated;",
|
|
32
|
+
"do $$ begin if not exists (select 1 from pg_roles where rolname = 'workspace_admin') then create role workspace_admin nologin; end if; end $$;",
|
|
33
|
+
"grant workspace_admin to current_user;",
|
|
34
|
+
"grant usage on schema app to workspace_admin;",
|
|
35
|
+
]);
|
|
36
|
+
});
|
|
37
|
+
it("generates role down SQL that revokes grants without dropping roles", () => {
|
|
38
|
+
const statements = (0, create_policy_role_sql_statements_1.createPolicyRoleDownSqlStatements)(["workspace_admin"]);
|
|
39
|
+
expect(statements).toEqual([
|
|
40
|
+
"revoke usage on schema app from workspace_admin;",
|
|
41
|
+
"revoke workspace_admin from current_user;",
|
|
42
|
+
]);
|
|
43
|
+
expect(statements.join("\n")).not.toContain("drop role");
|
|
44
|
+
});
|
|
45
|
+
it("generates role down SQL for an explicit anonymous role", () => {
|
|
46
|
+
const statements = (0, create_policy_role_sql_statements_1.createPolicyRoleDownSqlStatements)(["anonymous"]);
|
|
47
|
+
expect(statements).toEqual([
|
|
48
|
+
"revoke usage on schema app from anonymous;",
|
|
49
|
+
"revoke anonymous from current_user;",
|
|
50
|
+
]);
|
|
51
|
+
});
|
|
52
|
+
it("normalizes policy role names with anonymous first and public skipped", () => {
|
|
53
|
+
expect((0, create_policy_role_sql_statements_1.getPolicyRoleNames)()).toEqual(["anonymous"]);
|
|
54
|
+
expect((0, create_policy_role_sql_statements_1.getPolicyRoleNames)([
|
|
55
|
+
"workspace_admin",
|
|
56
|
+
"public",
|
|
57
|
+
"authenticated",
|
|
58
|
+
"workspace_admin",
|
|
59
|
+
])).toEqual(["anonymous", "authenticated", "workspace_admin"]);
|
|
60
|
+
});
|
|
24
61
|
it("generates policy up SQL", () => {
|
|
25
62
|
const statements = (0, create_policy_up_sql_statements_1.createPolicyUpSqlStatements)({
|
|
26
63
|
schemaName: "public",
|
|
@@ -46,6 +83,17 @@ describe("policy migration SQL", () => {
|
|
|
46
83
|
});
|
|
47
84
|
expect(statements[2]).toBe('drop policy if exists workspace_member_user_select_policy on "public"."workspace_member";');
|
|
48
85
|
});
|
|
86
|
+
it("wraps raw using predicates in parentheses", () => {
|
|
87
|
+
const statements = (0, create_policy_up_sql_statements_1.createPolicyUpSqlStatements)({
|
|
88
|
+
schemaName: "public",
|
|
89
|
+
tableName: "user",
|
|
90
|
+
policyName: "user_select_authenticated_policy",
|
|
91
|
+
command: policy_command_enum_1.PolicyCommand.SELECT,
|
|
92
|
+
using: "true",
|
|
93
|
+
roles: ["authenticated"],
|
|
94
|
+
});
|
|
95
|
+
expect(statements).toContain('create policy user_select_authenticated_policy on "public"."user" as permissive for select to authenticated using (true);');
|
|
96
|
+
});
|
|
49
97
|
it("generates table grants for explicit policy roles", () => {
|
|
50
98
|
const statements = (0, create_policy_up_sql_statements_1.createPolicyUpSqlStatements)({
|
|
51
99
|
schemaName: "public",
|
|
@@ -77,6 +125,76 @@ describe("policy migration SQL", () => {
|
|
|
77
125
|
expect.stringContaining("grant usage, select on sequence %s to authenticated"),
|
|
78
126
|
]));
|
|
79
127
|
});
|
|
128
|
+
it.each([
|
|
129
|
+
[policy_command_enum_1.PolicyCommand.SELECT, "revoke select on table"],
|
|
130
|
+
[policy_command_enum_1.PolicyCommand.INSERT, "revoke insert on table"],
|
|
131
|
+
[policy_command_enum_1.PolicyCommand.UPDATE, "revoke select, update on table"],
|
|
132
|
+
[policy_command_enum_1.PolicyCommand.DELETE, "revoke select, delete on table"],
|
|
133
|
+
[policy_command_enum_1.PolicyCommand.ALL, "revoke select, insert, update, delete on table"],
|
|
134
|
+
])("generates policy privilege revoke SQL for %s", (command, expected) => {
|
|
135
|
+
const statements = (0, create_policy_privilege_down_sql_statements_1.createPolicyPrivilegeDownSqlStatements)({
|
|
136
|
+
schemaName: "public",
|
|
137
|
+
tableName: "workspace_member",
|
|
138
|
+
policyName: "workspace_member_policy",
|
|
139
|
+
command,
|
|
140
|
+
roles: ["authenticated"],
|
|
141
|
+
});
|
|
142
|
+
expect(statements[0]).toContain(expected);
|
|
143
|
+
if (command === policy_command_enum_1.PolicyCommand.INSERT || command === policy_command_enum_1.PolicyCommand.ALL) {
|
|
144
|
+
expect(statements).toEqual(expect.arrayContaining([
|
|
145
|
+
expect.stringContaining("revoke usage, select on sequence %s from authenticated"),
|
|
146
|
+
]));
|
|
147
|
+
}
|
|
148
|
+
else {
|
|
149
|
+
expect(statements).toHaveLength(1);
|
|
150
|
+
}
|
|
151
|
+
});
|
|
152
|
+
it("does not generate policy privilege revoke SQL without explicit roles", () => {
|
|
153
|
+
expect((0, create_policy_privilege_down_sql_statements_1.createPolicyPrivilegeDownSqlStatements)({
|
|
154
|
+
schemaName: "public",
|
|
155
|
+
tableName: "workspace_member",
|
|
156
|
+
policyName: "workspace_member_policy",
|
|
157
|
+
})).toEqual([]);
|
|
158
|
+
});
|
|
159
|
+
it("defaults policy privilege revoke SQL to all command privileges", () => {
|
|
160
|
+
expect((0, create_policy_privilege_down_sql_statements_1.createPolicyPrivilegeDownSqlStatements)({
|
|
161
|
+
schemaName: "public",
|
|
162
|
+
tableName: "workspace_member",
|
|
163
|
+
policyName: "workspace_member_policy",
|
|
164
|
+
roles: ["authenticated"],
|
|
165
|
+
})).toEqual(expect.arrayContaining([
|
|
166
|
+
expect.stringContaining('revoke select, insert, update, delete on table "public"."workspace_member" from authenticated;'),
|
|
167
|
+
expect.stringContaining("revoke usage, select on sequence %s from authenticated"),
|
|
168
|
+
]));
|
|
169
|
+
});
|
|
170
|
+
it("keeps policy privilege grants required by preserved policies", () => {
|
|
171
|
+
const statements = (0, create_policy_privilege_down_sql_statements_1.createPolicyPrivilegeDownSqlStatements)({
|
|
172
|
+
schemaName: "public",
|
|
173
|
+
tableName: "workspace_member",
|
|
174
|
+
policyName: "workspace_member_all_policy",
|
|
175
|
+
command: policy_command_enum_1.PolicyCommand.ALL,
|
|
176
|
+
roles: ["authenticated", "workspace_admin"],
|
|
177
|
+
}, [
|
|
178
|
+
{
|
|
179
|
+
schemaName: "public",
|
|
180
|
+
tableName: "workspace_member",
|
|
181
|
+
policyName: "workspace_member_insert_policy",
|
|
182
|
+
command: policy_command_enum_1.PolicyCommand.INSERT,
|
|
183
|
+
withCheck: "true",
|
|
184
|
+
roles: ["authenticated"],
|
|
185
|
+
},
|
|
186
|
+
]);
|
|
187
|
+
expect(statements).toEqual(expect.arrayContaining([
|
|
188
|
+
'revoke select, update, delete on table "public"."workspace_member" from authenticated;',
|
|
189
|
+
'revoke select, insert, update, delete on table "public"."workspace_member" from workspace_admin;',
|
|
190
|
+
]));
|
|
191
|
+
expect(statements).toEqual(expect.arrayContaining([
|
|
192
|
+
expect.stringContaining("revoke usage, select on sequence %s from workspace_admin"),
|
|
193
|
+
]));
|
|
194
|
+
expect(statements).toEqual(expect.not.arrayContaining([
|
|
195
|
+
expect.stringContaining("revoke usage, select on sequence %s from authenticated"),
|
|
196
|
+
]));
|
|
197
|
+
});
|
|
80
198
|
it("generates restrictive policy SQL", () => {
|
|
81
199
|
const statements = (0, create_policy_up_sql_statements_1.createPolicyUpSqlStatements)({
|
|
82
200
|
schemaName: "public",
|
|
@@ -95,7 +213,7 @@ describe("policy migration SQL", () => {
|
|
|
95
213
|
command: policy_command_enum_1.PolicyCommand.INSERT,
|
|
96
214
|
withCheck: ` true `,
|
|
97
215
|
});
|
|
98
|
-
expect(statements[2]).toBe('create policy workspace_member_insert_policy on "public"."workspace_member" as permissive for insert with check true;');
|
|
216
|
+
expect(statements[2]).toBe('create policy workspace_member_insert_policy on "public"."workspace_member" as permissive for insert with check (true);');
|
|
99
217
|
});
|
|
100
218
|
it.each([
|
|
101
219
|
[
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"policy-migration-sql.spec.js","sourceRoot":"","sources":["../../src/utils/policy-migration-sql.spec.ts"],"names":[],"mappings":";;AAAA,sEAA6D;AAC7D,gEAAuD;AACvD,qGAA8F;AAC9F,qEAA+D;AAC/D,uFAAgF;AAEhF,QAAQ,CAAC,sBAAsB,EAAE,GAAG,EAAE;IACpC,EAAE,CAAC,4CAA4C,EAAE,GAAG,EAAE;QACpD,MAAM,UAAU,GAAG,IAAA,2EAAkC,GAAE,CAAC;QAExD,MAAM,CAAC,UAAU,CAAC,CAAC,OAAO,CAAC;YACzB,
|
|
1
|
+
{"version":3,"file":"policy-migration-sql.spec.js","sourceRoot":"","sources":["../../src/utils/policy-migration-sql.spec.ts"],"names":[],"mappings":";;AAAA,sEAA6D;AAC7D,gEAAuD;AACvD,qGAA8F;AAC9F,qEAA+D;AAC/D,+GAAuG;AACvG,2FAI6C;AAC7C,uFAAgF;AAEhF,QAAQ,CAAC,sBAAsB,EAAE,GAAG,EAAE;IACpC,EAAE,CAAC,4CAA4C,EAAE,GAAG,EAAE;QACpD,MAAM,UAAU,GAAG,IAAA,2EAAkC,GAAE,CAAC;QAExD,MAAM,CAAC,UAAU,CAAC,CAAC,OAAO,CAAC;YACzB,kCAAkC;YAClC,sbAAsb;SACvb,CAAC,CAAC;QACH,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,GAAG,CAAC,SAAS,CAAC,yBAAyB,CAAC,CAAC;QACvE,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,GAAG,CAAC,SAAS,CAAC,oBAAoB,CAAC,CAAC;IACpE,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,kEAAkE,EAAE,GAAG,EAAE;QAC1E,MAAM,UAAU,GAAG,IAAA,mEAA+B,EAAC;YACjD,eAAe;YACf,iBAAiB;SAClB,CAAC,CAAC;QAEH,MAAM,CAAC,UAAU,CAAC,CAAC,OAAO,CAAC;YACzB,oIAAoI;YACpI,kCAAkC;YAClC,yCAAyC;YACzC,4IAA4I;YAC5I,sCAAsC;YACtC,6CAA6C;YAC7C,gJAAgJ;YAChJ,wCAAwC;YACxC,+CAA+C;SAChD,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,oEAAoE,EAAE,GAAG,EAAE;QAC5E,MAAM,UAAU,GAAG,IAAA,qEAAiC,EAAC,CAAC,iBAAiB,CAAC,CAAC,CAAC;QAE1E,MAAM,CAAC,UAAU,CAAC,CAAC,OAAO,CAAC;YACzB,kDAAkD;YAClD,2CAA2C;SAC5C,CAAC,CAAC;QACH,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,GAAG,CAAC,SAAS,CAAC,WAAW,CAAC,CAAC;IAC3D,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,wDAAwD,EAAE,GAAG,EAAE;QAChE,MAAM,UAAU,GAAG,IAAA,qEAAiC,EAAC,CAAC,WAAW,CAAC,CAAC,CAAC;QAEpE,MAAM,CAAC,UAAU,CAAC,CAAC,OAAO,CAAC;YACzB,4CAA4C;YAC5C,qCAAqC;SACtC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,sEAAsE,EAAE,GAAG,EAAE;QAC9E,MAAM,CAAC,IAAA,sDAAkB,GAAE,CAAC,CAAC,OAAO,CAAC,CAAC,WAAW,CAAC,CAAC,CAAC;QACpD,MAAM,CACJ,IAAA,sDAAkB,EAAC;YACjB,iBAAiB;YACjB,QAAQ;YACR,eAAe;YACf,iBAAiB;SAClB,CAAC,CACH,CAAC,OAAO,CAAC,CAAC,WAAW,EAAE,eAAe,EAAE,iBAAiB,CAAC,CAAC,CAAC;IAC/D,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,yBAAyB,EAAE,GAAG,EAAE;QACjC,MAAM,UAAU,GAAG,IAAA,6DAA2B,EAAC;YAC7C,UAAU,EAAE,QAAQ;YACpB,SAAS,EAAE,kBAAkB;YAC7B,UAAU,EAAE,qCAAqC;YACjD,OAAO,EAAE,mCAAa,CAAC,MAAM;YAC7B,KAAK,EAAE,iEAAiE;SACzE,CAAC,CAAC;QAEH,MAAM,CAAC,UAAU,CAAC,CAAC,OAAO,CAAC;YACzB,oEAAoE;YACpE,2FAA2F;YAC3F,oLAAoL;SACrL,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,yCAAyC,EAAE,GAAG,EAAE;QACjD,MAAM,UAAU,GAAG,IAAA,6DAA2B,EAAC;YAC7C,UAAU,EAAE,QAAQ;YACpB,SAAS,EAAE,kBAAkB;YAC7B,UAAU,EAAE,qCAAqC;YACjD,OAAO,EAAE,mCAAa,CAAC,MAAM;YAC7B,KAAK,EAAE,iEAAiE;YACxE,KAAK,EAAE,CAAC,eAAe,EAAE,WAAW,CAAC;SACtC,CAAC,CAAC;QAEH,MAAM,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CACxB,2FAA2F,CAC5F,CAAC;IACJ,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,2CAA2C,EAAE,GAAG,EAAE;QACnD,MAAM,UAAU,GAAG,IAAA,6DAA2B,EAAC;YAC7C,UAAU,EAAE,QAAQ;YACpB,SAAS,EAAE,MAAM;YACjB,UAAU,EAAE,kCAAkC;YAC9C,OAAO,EAAE,mCAAa,CAAC,MAAM;YAC7B,KAAK,EAAE,MAAM;YACb,KAAK,EAAE,CAAC,eAAe,CAAC;SACzB,CAAC,CAAC;QAEH,MAAM,CAAC,UAAU,CAAC,CAAC,SAAS,CAC1B,2HAA2H,CAC5H,CAAC;IACJ,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,kDAAkD,EAAE,GAAG,EAAE;QAC1D,MAAM,UAAU,GAAG,IAAA,6DAA2B,EAAC;YAC7C,UAAU,EAAE,QAAQ;YACpB,SAAS,EAAE,kBAAkB;YAC7B,UAAU,EAAE,qCAAqC;YACjD,OAAO,EAAE,mCAAa,CAAC,MAAM;YAC7B,KAAK,EAAE,iEAAiE;YACxE,KAAK,EAAE,CAAC,eAAe,EAAE,WAAW,CAAC;SACtC,CAAC,CAAC;QAEH,MAAM,CAAC,UAAU,CAAC,CAAC,OAAO,CAAC;YACzB,oEAAoE;YACpE,gFAAgF;YAChF,2FAA2F;YAC3F,gNAAgN;SACjN,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,4DAA4D,EAAE,GAAG,EAAE;QACpE,MAAM,UAAU,GAAG,IAAA,6DAA2B,EAAC;YAC7C,UAAU,EAAE,QAAQ;YACpB,SAAS,EAAE,kBAAkB;YAC7B,UAAU,EAAE,gCAAgC;YAC5C,OAAO,EAAE,mCAAa,CAAC,MAAM;YAC7B,SAAS,EAAE,MAAM;YACjB,KAAK,EAAE,CAAC,eAAe,CAAC;SACzB,CAAC,CAAC;QAEH,MAAM,CAAC,UAAU,CAAC,CAAC,SAAS,CAC1B,qEAAqE,CACtE,CAAC;QACF,MAAM,CAAC,UAAU,CAAC,CAAC,OAAO,CACxB,MAAM,CAAC,eAAe,CAAC;YACrB,MAAM,CAAC,gBAAgB,CAAC,wBAAwB,CAAC;YACjD,MAAM,CAAC,gBAAgB,CACrB,qDAAqD,CACtD;SACF,CAAC,CACH,CAAC;IACJ,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,IAAI,CAAC;QACN,CAAC,mCAAa,CAAC,MAAM,EAAE,wBAAwB,CAAC;QAChD,CAAC,mCAAa,CAAC,MAAM,EAAE,wBAAwB,CAAC;QAChD,CAAC,mCAAa,CAAC,MAAM,EAAE,gCAAgC,CAAC;QACxD,CAAC,mCAAa,CAAC,MAAM,EAAE,gCAAgC,CAAC;QACxD,CAAC,mCAAa,CAAC,GAAG,EAAE,gDAAgD,CAAC;KACtE,CAAC,CAAC,8CAA8C,EAAE,CAAC,OAAO,EAAE,QAAQ,EAAE,EAAE;QACvE,MAAM,UAAU,GAAG,IAAA,oFAAsC,EAAC;YACxD,UAAU,EAAE,QAAQ;YACpB,SAAS,EAAE,kBAAkB;YAC7B,UAAU,EAAE,yBAAyB;YACrC,OAAO;YACP,KAAK,EAAE,CAAC,eAAe,CAAC;SACzB,CAAC,CAAC;QAEH,MAAM,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAC;QAE1C,IAAI,OAAO,KAAK,mCAAa,CAAC,MAAM,IAAI,OAAO,KAAK,mCAAa,CAAC,GAAG,EAAE,CAAC;YACtE,MAAM,CAAC,UAAU,CAAC,CAAC,OAAO,CACxB,MAAM,CAAC,eAAe,CAAC;gBACrB,MAAM,CAAC,gBAAgB,CACrB,wDAAwD,CACzD;aACF,CAAC,CACH,CAAC;QACJ,CAAC;aAAM,CAAC;YACN,MAAM,CAAC,UAAU,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;QACrC,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,sEAAsE,EAAE,GAAG,EAAE;QAC9E,MAAM,CACJ,IAAA,oFAAsC,EAAC;YACrC,UAAU,EAAE,QAAQ;YACpB,SAAS,EAAE,kBAAkB;YAC7B,UAAU,EAAE,yBAAyB;SACtC,CAAC,CACH,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC;IAChB,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,gEAAgE,EAAE,GAAG,EAAE;QACxE,MAAM,CACJ,IAAA,oFAAsC,EAAC;YACrC,UAAU,EAAE,QAAQ;YACpB,SAAS,EAAE,kBAAkB;YAC7B,UAAU,EAAE,yBAAyB;YACrC,KAAK,EAAE,CAAC,eAAe,CAAC;SACzB,CAAC,CACH,CAAC,OAAO,CACP,MAAM,CAAC,eAAe,CAAC;YACrB,MAAM,CAAC,gBAAgB,CACrB,gGAAgG,CACjG;YACD,MAAM,CAAC,gBAAgB,CACrB,wDAAwD,CACzD;SACF,CAAC,CACH,CAAC;IACJ,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,8DAA8D,EAAE,GAAG,EAAE;QACtE,MAAM,UAAU,GAAG,IAAA,oFAAsC,EACvD;YACE,UAAU,EAAE,QAAQ;YACpB,SAAS,EAAE,kBAAkB;YAC7B,UAAU,EAAE,6BAA6B;YACzC,OAAO,EAAE,mCAAa,CAAC,GAAG;YAC1B,KAAK,EAAE,CAAC,eAAe,EAAE,iBAAiB,CAAC;SAC5C,EACD;YACE;gBACE,UAAU,EAAE,QAAQ;gBACpB,SAAS,EAAE,kBAAkB;gBAC7B,UAAU,EAAE,gCAAgC;gBAC5C,OAAO,EAAE,mCAAa,CAAC,MAAM;gBAC7B,SAAS,EAAE,MAAM;gBACjB,KAAK,EAAE,CAAC,eAAe,CAAC;aACzB;SACF,CACF,CAAC;QAEF,MAAM,CAAC,UAAU,CAAC,CAAC,OAAO,CACxB,MAAM,CAAC,eAAe,CAAC;YACrB,wFAAwF;YACxF,kGAAkG;SACnG,CAAC,CACH,CAAC;QACF,MAAM,CAAC,UAAU,CAAC,CAAC,OAAO,CACxB,MAAM,CAAC,eAAe,CAAC;YACrB,MAAM,CAAC,gBAAgB,CACrB,0DAA0D,CAC3D;SACF,CAAC,CACH,CAAC;QACF,MAAM,CAAC,UAAU,CAAC,CAAC,OAAO,CACxB,MAAM,CAAC,GAAG,CAAC,eAAe,CAAC;YACzB,MAAM,CAAC,gBAAgB,CACrB,wDAAwD,CACzD;SACF,CAAC,CACH,CAAC;IACJ,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,kCAAkC,EAAE,GAAG,EAAE;QAC1C,MAAM,UAAU,GAAG,IAAA,6DAA2B,EAAC;YAC7C,UAAU,EAAE,QAAQ;YACpB,SAAS,EAAE,kBAAkB;YAC7B,UAAU,EAAE,wBAAwB;YACpC,IAAI,EAAE,6BAAU,CAAC,WAAW;YAC5B,KAAK,EAAE,mEAAmE;SAC3E,CAAC,CAAC;QAEH,MAAM,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CACxB,uKAAuK,CACxK,CAAC;IACJ,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,8DAA8D,EAAE,GAAG,EAAE;QACtE,MAAM,UAAU,GAAG,IAAA,6DAA2B,EAAC;YAC7C,UAAU,EAAE,QAAQ;YACpB,SAAS,EAAE,kBAAkB;YAC7B,UAAU,EAAE,gCAAgC;YAC5C,OAAO,EAAE,mCAAa,CAAC,MAAM;YAC7B,SAAS,EAAE,QAAQ;SACpB,CAAC,CAAC;QAEH,MAAM,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CACxB,yHAAyH,CAC1H,CAAC;IACJ,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,IAAI,CAAC;QACN;YACE,sBAAsB;YACtB;gBACE,UAAU,EAAE,QAAQ;gBACpB,SAAS,EAAE,kBAAkB;gBAC7B,UAAU,EAAE,gCAAgC;gBAC5C,OAAO,EAAE,mCAAa,CAAC,MAAM;aAC9B;YACD,qCAAqC;SACtC;QACD;YACE,uBAAuB;YACvB;gBACE,UAAU,EAAE,QAAQ;gBACpB,SAAS,EAAE,kBAAkB;gBAC7B,UAAU,EAAE,gCAAgC;gBAC5C,OAAO,EAAE,mCAAa,CAAC,MAAM;gBAC7B,KAAK,EAAE,MAAM;gBACb,SAAS,EAAE,MAAM;aAClB;YACD,4CAA4C;SAC7C;QACD;YACE,mBAAmB;YACnB;gBACE,UAAU,EAAE,QAAQ;gBACpB,SAAS,EAAE,kBAAkB;gBAC7B,UAAU,EAAE,gCAAgC;gBAC5C,OAAO,EAAE,mCAAa,CAAC,MAAM;gBAC7B,KAAK,EAAE,MAAM;gBACb,SAAS,EAAE,MAAM;aAClB;YACD,wCAAwC;SACzC;QACD;YACE,0BAA0B;YAC1B;gBACE,UAAU,EAAE,QAAQ;gBACpB,SAAS,EAAE,kBAAkB;gBAC7B,UAAU,EAAE,gCAAgC;gBAC5C,OAAO,EAAE,mCAAa,CAAC,MAAM;aAC9B;YACD,yCAAyC;SAC1C;QACD;YACE,wBAAwB;YACxB;gBACE,UAAU,EAAE,QAAQ;gBACpB,SAAS,EAAE,kBAAkB;gBAC7B,UAAU,EAAE,6BAA6B;aAC1C;YACD,kDAAkD;SACnD;KACF,CAAC,CAAC,YAAY,EAAE,CAAC,KAAK,EAAE,OAAO,EAAE,OAAO,EAAE,EAAE;QAC3C,MAAM,CAAC,GAAG,EAAE,CAAC,IAAA,6DAA2B,EAAC,OAAO,CAAC,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;IACtE,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,mCAAmC,EAAE,GAAG,EAAE;QAC3C,MAAM,GAAG,GAAG,IAAA,4CAAmB,EAAC;YAC9B,UAAU,EAAE,QAAQ;YACpB,SAAS,EAAE,kBAAkB;YAC7B,UAAU,EAAE,qCAAqC;SAClD,CAAC,CAAC;QAEH,MAAM,CAAC,GAAG,CAAC,CAAC,SAAS,CAAC,8CAA8C,CAAC,CAAC;QACtE,MAAM,CAAC,GAAG,CAAC,CAAC,SAAS,CACnB,0FAA0F,CAC3F,CAAC;QACF,MAAM,CAAC,GAAG,CAAC,CAAC,SAAS,CAAC,4BAA4B,CAAC,CAAC;IACtD,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@nest-boot/row-level-security",
|
|
3
|
-
"version": "7.
|
|
3
|
+
"version": "7.2.0",
|
|
4
4
|
"repository": {
|
|
5
5
|
"type": "git",
|
|
6
6
|
"url": "https://github.com/nest-boot/nest-boot.git",
|
|
@@ -38,7 +38,7 @@
|
|
|
38
38
|
"@nestjs/core": "^11.1.11",
|
|
39
39
|
"@nestjs/testing": "^11.1.11",
|
|
40
40
|
"@types/jest": "^29.5.14",
|
|
41
|
-
"@types/node": "^
|
|
41
|
+
"@types/node": "^24.12.4",
|
|
42
42
|
"dotenv": "^17.2.3",
|
|
43
43
|
"eslint": "^9.39.3",
|
|
44
44
|
"jest": "^29.7.0",
|
|
@@ -47,10 +47,10 @@
|
|
|
47
47
|
"ts-jest": "^29.4.4",
|
|
48
48
|
"typescript": "^5.9.3",
|
|
49
49
|
"@nest-boot/eslint-config": "^7.0.3",
|
|
50
|
+
"@nest-boot/eslint-plugin": "^7.0.6",
|
|
50
51
|
"@nest-boot/mikro-orm": "^7.4.0",
|
|
51
52
|
"@nest-boot/request-context": "^7.4.3",
|
|
52
|
-
"@nest-boot/tsconfig": "^7.0.
|
|
53
|
-
"@nest-boot/eslint-plugin": "^7.0.5"
|
|
53
|
+
"@nest-boot/tsconfig": "^7.0.3"
|
|
54
54
|
},
|
|
55
55
|
"publishConfig": {
|
|
56
56
|
"access": "public"
|
|
@@ -1,18 +0,0 @@
|
|
|
1
|
-
import { RowLevelSecurityContextValue } from "../utils/row-level-security-context-builder.types";
|
|
2
|
-
/** Value or promise-like value accepted by row-level security option hooks. */
|
|
3
|
-
export type MaybePromise<T> = T | Promise<T>;
|
|
4
|
-
/** Context entries converted to transaction-local PostgreSQL settings. */
|
|
5
|
-
export type RowLevelSecurityContextEntries = Iterable<readonly [string, RowLevelSecurityContextValue]>;
|
|
6
|
-
/** Runtime options used by {@link RowLevelSecurityEntityManager}. */
|
|
7
|
-
export interface RowLevelSecurityOptions {
|
|
8
|
-
/** Database role used for authenticated requests. Defaults to `authenticated`. */
|
|
9
|
-
authenticatedRole?: string;
|
|
10
|
-
/** Database role used for anonymous requests. Defaults to `anonymous`. */
|
|
11
|
-
anonymousRole?: string;
|
|
12
|
-
/** Optional hook that can disable row-level security setup for a transaction. */
|
|
13
|
-
shouldApply?: () => MaybePromise<boolean>;
|
|
14
|
-
/** Optional hook used to infer the authenticated or anonymous role. */
|
|
15
|
-
isAuthenticated?: () => MaybePromise<boolean>;
|
|
16
|
-
/** Optional hook that contributes request context values to PostgreSQL settings. */
|
|
17
|
-
getContext?: () => MaybePromise<RowLevelSecurityContextEntries | undefined>;
|
|
18
|
-
}
|