@nest-boot/row-level-security 7.2.3 → 7.2.5

package/dist/row-level-security-migration-generator.js

@@ -3,6 +3,7 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.RowLevelSecurityMigrationGenerator = void 0;
 const node_crypto_1 = require("node:crypto");
 const migrations_1 = require("@mikro-orm/migrations");
+const pgsql_ast_parser_1 = require("pgsql-ast-parser");
 const policy_decorator_1 = require("./decorators/policy.decorator");
 const policy_command_enum_1 = require("./enums/policy-command.enum");
 const policy_mode_enum_1 = require("./enums/policy-mode.enum");
@@ -11,8 +12,7 @@ const create_policy_down_sql_1 = require("./utils/create-policy-down-sql");
 const create_policy_privilege_down_sql_statements_1 = require("./utils/create-policy-privilege-down-sql-statements");
 const create_policy_role_sql_statements_1 = require("./utils/create-policy-role-sql-statements");
 const create_policy_up_sql_statements_1 = require("./utils/create-policy-up-sql-statements");
-const is_postgres_keyword_requiring_quote_1 = require("./utils/is-postgres-keyword-requiring-quote");
-const normalize_postgres_type_alias_1 = require("./utils/normalize-postgres-type-alias");
+const normalize_postgres_type_alias_util_1 = require("./utils/normalize-postgres-type-alias.util");
 const POSTGRES_IDENTIFIER_MAX_LENGTH = 63;
 const POLICY_IDENTIFIER_TYPE = "policy";
 /** MikroORM TypeScript migration generator that injects generated RLS SQL. */
@@ -262,10 +262,8 @@ function hasSamePolicyDefinitionContent(left, right) {
     return (normalizePolicyMode(left.mode) === normalizePolicyMode(right.mode) &&
         normalizePolicyCommand(left.command) ===
             normalizePolicyCommand(right.command) &&
-        normalizePolicyExpression(left.using) ===
-            normalizePolicyExpression(right.using) &&
-        normalizePolicyExpression(left.withCheck) ===
-            normalizePolicyExpression(right.withCheck) &&
+        hasSamePolicyExpression(left.using, right.using) &&
+        hasSamePolicyExpression(left.withCheck, right.withCheck) &&
         normalizePolicyRoles(left.roles).join("\n") ===
             normalizePolicyRoles(right.roles).join("\n"));
 }
@@ -275,6 +273,17 @@ function normalizePolicyMode(mode) {
 function normalizePolicyCommand(command) {
     return command ?? policy_command_enum_1.PolicyCommand.ALL;
 }
+function hasSamePolicyExpression(left, right) {
+    const normalizedLeft = normalizePolicyExpression(left);
+    const normalizedRight = normalizePolicyExpression(right);
+    if (normalizedLeft !== undefined && normalizedRight !== undefined) {
+        return normalizedLeft === normalizedRight;
+    }
+    if (normalizedLeft === undefined && normalizedRight === undefined) {
+        return left?.trim() === right?.trim();
+    }
+    return false;
+}
 function normalizePolicyExpression(expression) {
     const normalized = expression?.trim();
     if (!normalized) {
@@ -283,270 +292,96 @@ function normalizePolicyExpression(expression) {
     return normalizePostgresExpression(normalized);
 }
 function normalizePostgresExpression(expression) {
-    const normalized = stripSelectProjectionAliases(mapSqlOutsideQuotedTokens(expression.replace(/'((?:''|[^'])*)'::text\b/gi, "'$1'"), normalizePostgresExpressionSegment).trim());
-    return stripRedundantJsonOperandParentheses(stripRedundantOuterParentheses(normalized));
-}
-function normalizePostgresExpressionSegment(segment) {
-    return normalizeSqlOperatorSpacing(normalizeNullTypeCasts(segment
-        .replace(/\s+/g, " ")
-        .replace(/\b(select|and|or|not|is|true|false|null|as)\b/gi, (match) => match.toLowerCase())
-        .replace(/\s*,\s*/g, ", ")))
-        .replace(/\(\s+/g, "(")
-        .replace(/\s+\)/g, ")");
-}
-function normalizeNullTypeCasts(segment) {
-    return segment
-        .replace(/\bnull::(?:character\s+varying|varchar)(?:\s*\([^)]*\))?/gi, "null::character varying")
-        .replace(/\bnull::(?:timestamp\s+with\s+time\s+zone|timestamptz)\b/gi, "null::timestamp with time zone")
-        .replace(/\bnull::([a-z_][a-z0-9_.]*)/gi, (_match, type) => `null::${(0, normalize_postgres_type_alias_1.normalizePostgresTypeAlias)(type.toLowerCase())}`);
-}
-function normalizeSqlOperatorSpacing(segment) {
-    const jsonOperators = [];
-    const protectedSegment = segment.replace(/\s*(#>>|#>|->>|->|@>|<@)\s*/g, (_match, operator) => {
-        const placeholder = `__rls_json_operator_${String(jsonOperators.length)}__`;
-        jsonOperators.push(` ${operator} `);
-        return placeholder;
-    });
-    return protectedSegment
-        .replace(/\s*(<>|!=|<=|>=|=|<|>)\s*/g, (_match, operator) => ` ${operator === "!=" ? "<>" : operator} `)
-        .replace(/__rls_json_operator_(\d+)__/g, (_match, index) => jsonOperators[Number(index)]);
-}
-function stripSelectProjectionAliases(expression) {
-    let normalized = "";
-    const selectDepths = new Set();
-    let depth = 0;
-    let index = 0;
-    while (index < expression.length) {
-        const character = expression[index];
-        if (character === "'") {
-            const literalEnd = readSqlStringLiteralEnd(expression, index);
-            normalized += expression.slice(index, literalEnd);
-            index = literalEnd;
-            continue;
-        }
-        if (character === '"') {
-            const identifierEnd = readQuotedIdentifierEnd(expression, index);
-            normalized += expression.slice(index, identifierEnd);
-            index = identifierEnd;
-            continue;
-        }
-        if (character === "(") {
-            depth += 1;
-            normalized += character;
-            index += 1;
-            continue;
-        }
-        if (character === ")") {
-            selectDepths.delete(depth);
-            depth -= 1;
-            normalized += character;
-            index += 1;
-            continue;
-        }
-        const wordEnd = readSqlWordEnd(expression, index);
-        if (wordEnd > index) {
-            const word = expression.slice(index, wordEnd);
-            const lowerWord = word.toLowerCase();
-            if (lowerWord === "select") {
-                selectDepths.add(depth);
-            }
-            if (lowerWord === "as" && selectDepths.has(depth)) {
-                const aliasEnd = readSelectProjectionAliasEnd(expression, wordEnd);
-                if (aliasEnd !== undefined) {
-                    normalized = normalized.replace(/\s+$/, "");
-                    index = aliasEnd;
-                    continue;
-                }
-            }
-            normalized += word;
-            index = wordEnd;
-            continue;
-        }
-        normalized += character;
-        index += 1;
+    const parsed = parsePolicyExpressionAst(expression);
+    if (!parsed) {
+        return undefined;
     }
-    return normalized;
+    return JSON.stringify(canonicalizePolicyExpressionAst(parsed.ast, parsed.sql));
 }
-function readSelectProjectionAliasEnd(expression, startIndex) {
-    const aliasStart = skipSqlWhitespace(expression, startIndex);
-    const aliasEnd = readSqlIdentifierEnd(expression, aliasStart);
-    if (aliasEnd === aliasStart) {
+function parsePolicyExpressionAst(expression) {
+    const parsed = parsePolicyExpressionStatement(expression);
+    if (parsed?.statement.type !== "select" || !parsed.statement.where) {
         return undefined;
     }
-    const nextIndex = skipSqlWhitespace(expression, aliasEnd);
-    return expression[nextIndex] === ")" ? nextIndex : undefined;
-}
-function stripRedundantOuterParentheses(expression) {
-    let normalized = expression;
-    while (isWrappedInParentheses(normalized)) {
-        normalized = normalized.slice(1, -1).trim();
-    }
-    return normalized;
-}
-function stripRedundantJsonOperandParentheses(expression) {
-    let normalized = expression;
-    let previous;
-    do {
-        previous = normalized;
-        normalized = stripRedundantJsonOperandParenthesesOnce(normalized);
-    } while (normalized !== previous);
-    return normalized;
-}
-function stripRedundantJsonOperandParenthesesOnce(expression) {
-    const removals = new Set();
-    const parenthesisPairs = findParenthesisPairs(expression);
-    for (const [start, end] of parenthesisPairs) {
-        const innerExpression = expression.slice(start + 1, end);
-        if (hasTopLevelJsonOperator(innerExpression) &&
-            (hasComparisonOperatorBefore(expression, start) ||
-                hasComparisonOperatorAfter(expression, end))) {
-            removals.add(start);
-            removals.add(end);
-        }
-    }
-    if (removals.size === 0) {
-        return expression;
-    }
-    return [...expression]
-        .filter((_character, index) => !removals.has(index))
-        .join("");
+    return {
+        ast: parsed.statement.where,
+        sql: parsed.sql,
+    };
 }
-function isWrappedInParentheses(expression) {
-    if (!expression.startsWith("(") || !expression.endsWith(")")) {
-        return false;
-    }
-    let depth = 0;
-    let index = 0;
-    while (index < expression.length) {
-        const character = expression[index];
-        if (character === "'") {
-            index = readSqlStringLiteralEnd(expression, index);
-            continue;
-        }
-        if (character === '"') {
-            index = readQuotedIdentifierEnd(expression, index);
-            continue;
-        }
-        if (character === "(") {
-            depth += 1;
-        }
-        else if (character === ")") {
-            depth -= 1;
-            if (depth === 0 && index < expression.length - 1) {
-                return false;
-            }
-        }
-        if (depth < 0) {
-            return false;
-        }
-        index += 1;
+function parsePolicyExpressionStatement(expression) {
+    const sql = `select 1 where ${expression}`;
+    try {
+        return {
+            sql,
+            statement: (0, pgsql_ast_parser_1.parse)(sql, { locationTracking: true })[0],
+        };
     }
-    return depth === 0;
-}
-function findParenthesisPairs(expression) {
-    const pairs = [];
-    const stack = [];
-    let index = 0;
-    while (index < expression.length) {
-        const character = expression[index];
-        if (character === "'") {
-            index = readSqlStringLiteralEnd(expression, index);
-            continue;
-        }
-        if (character === '"') {
-            index = readQuotedIdentifierEnd(expression, index);
-            continue;
-        }
-        if (character === "(") {
-            stack.push(index);
-        }
-        else if (character === ")") {
-            const start = stack.pop();
-            if (start !== undefined) {
-                pairs.push([start, index]);
+    catch {
+        const parserCompatibleExpression = getPolicyExpressionForAstParser(expression);
+        if (parserCompatibleExpression !== expression) {
+            try {
+                const parserCompatibleSql = `select 1 where ${parserCompatibleExpression}`;
+                return {
+                    sql: parserCompatibleSql,
+                    statement: (0, pgsql_ast_parser_1.parse)(parserCompatibleSql, {
+                        locationTracking: true,
+                    })[0],
+                };
             }
-        }
-        index += 1;
-    }
-    return pairs;
-}
-function hasTopLevelJsonOperator(expression) {
-    let depth = 0;
-    let index = 0;
-    while (index < expression.length) {
-        const character = expression[index];
-        if (character === "'") {
-            index = readSqlStringLiteralEnd(expression, index);
-            continue;
-        }
-        if (character === '"') {
-            index = readQuotedIdentifierEnd(expression, index);
-            continue;
-        }
-        if (character === "(") {
-            depth += 1;
-            index += 1;
-            continue;
-        }
-        if (character === ")") {
-            depth -= 1;
-            index += 1;
-            continue;
-        }
-        if (depth === 0) {
-            const jsonOperator = readJsonOperatorAt(expression, index);
-            if (jsonOperator) {
-                return true;
+            catch {
+                return undefined;
             }
         }
-        index += 1;
+        return undefined;
     }
-    return false;
 }
-function hasComparisonOperatorBefore(expression, startIndex) {
-    const operatorEnd = skipSqlWhitespaceBackwards(expression, startIndex - 1) + 1;
-    return ["<>", "!=", "<=", ">=", "=", "<", ">"].some((operator) => expression.slice(operatorEnd - operator.length, operatorEnd) === operator);
+function getPolicyExpressionForAstParser(expression) {
+    // pgsql-ast-parser treats these multi-word casts in select projections as ambiguous.
+    return replaceSqlOutsideQuotedTokens(expression, (segment) => segment
+        .replace(/::\s*character\s+varying\b/gi, "::varchar")
+        .replace(/::\s*bit\s+varying\b/gi, "::varbit"));
 }
-function hasComparisonOperatorAfter(expression, endIndex) {
-    const operatorStart = skipSqlWhitespace(expression, endIndex + 1);
-    return Boolean(readComparisonOperatorAt(expression, operatorStart));
-}
-function mapSqlOutsideQuotedTokens(expression, transform) {
+function replaceSqlOutsideQuotedTokens(expression, transform) {
     const parts = [];
     let segmentStart = 0;
     let index = 0;
     while (index < expression.length) {
-        if (expression[index] !== "'" && expression[index] !== '"') {
+        const tokenEnd = readSqlQuotedTokenEnd(expression, index);
+        if (tokenEnd === undefined) {
             index += 1;
             continue;
         }
         parts.push(transform(expression.slice(segmentStart, index)));
-        if (expression[index] === "'") {
-            const literalStart = index;
-            index = readSqlStringLiteralEnd(expression, index);
-            parts.push(expression.slice(literalStart, index));
-        }
-        else {
-            const identifierStart = index;
-            index = readQuotedIdentifierEnd(expression, index);
-            parts.push(normalizeQuotedIdentifier(expression.slice(identifierStart, index)));
-        }
-        segmentStart = index;
+        parts.push(expression.slice(index, tokenEnd));
+        segmentStart = tokenEnd;
+        index = tokenEnd;
     }
     parts.push(transform(expression.slice(segmentStart)));
     return parts.join("");
 }
-function normalizeQuotedIdentifier(identifierToken) {
-    const identifier = identifierToken.slice(1, -1).replace(/""/g, '"');
-    if (/^[a-z_][a-z0-9_]*$/.test(identifier) &&
-        !(0, is_postgres_keyword_requiring_quote_1.isPostgresKeywordRequiringQuote)(identifier)) {
-        return identifier;
+function readSqlQuotedTokenEnd(expression, startIndex) {
+    if (expression[startIndex] === "'") {
+        return readSqlStringLiteralEnd(expression, startIndex, hasPostgresEscapeStringPrefix(expression, startIndex));
+    }
+    if (expression[startIndex] === '"') {
+        return readQuotedIdentifierEnd(expression, startIndex);
+    }
+    return readDollarQuotedStringEnd(expression, startIndex);
+}
+function hasPostgresEscapeStringPrefix(expression, quoteIndex) {
+    const prefixIndex = quoteIndex - 1;
+    if (!/[eE]/.test(expression[prefixIndex] ?? "")) {
+        return false;
     }
-    return identifierToken;
+    return prefixIndex === 0 || !isSqlIdentifierPart(expression[prefixIndex - 1]);
 }
-function readSqlStringLiteralEnd(expression, startIndex) {
+function readSqlStringLiteralEnd(expression, startIndex, allowBackslashEscapes = false) {
     let index = startIndex + 1;
     while (index < expression.length) {
+        if (allowBackslashEscapes && expression[index] === "\\") {
+            index += 2;
+            continue;
+        }
         if (expression[index] !== "'") {
             index += 1;
             continue;
@@ -560,6 +395,9 @@ function readSqlStringLiteralEnd(expression, startIndex) {
     }
     return index;
 }
+function isSqlIdentifierPart(character) {
+    return character !== undefined && /[A-Za-z0-9_$]/.test(character);
+}
 function readQuotedIdentifierEnd(expression, startIndex) {
     let index = startIndex + 1;
     while (index < expression.length) {
@@ -576,41 +414,139 @@ function readQuotedIdentifierEnd(expression, startIndex) {
     }
     return index;
 }
-function readSqlIdentifierEnd(expression, startIndex) {
-    if (expression[startIndex] === '"') {
-        return readQuotedIdentifierEnd(expression, startIndex);
+function readDollarQuotedStringEnd(expression, startIndex) {
+    const delimiter = /^\$[a-z_][a-z0-9_]*\$|^\$\$/i.exec(expression.slice(startIndex))?.[0];
+    if (!delimiter) {
+        return undefined;
     }
-    return readSqlWordEnd(expression, startIndex);
+    const endIndex = expression.indexOf(delimiter, startIndex + delimiter.length);
+    return endIndex === -1 ? expression.length : endIndex + delimiter.length;
 }
-function readJsonOperatorAt(expression, startIndex) {
-    return ["#>>", "->>", "#>", "->", "@>", "<@"].find((operator) => expression.startsWith(operator, startIndex));
-}
-function readComparisonOperatorAt(expression, startIndex) {
-    return ["<>", "!=", "<=", ">=", "=", "<", ">"].find((operator) => expression.startsWith(operator, startIndex));
+function canonicalizePolicyExpressionAst(value, sourceSql) {
+    if (value === null || typeof value !== "object") {
+        return value === undefined
+            ? null
+            : value;
+    }
+    if (Array.isArray(value)) {
+        return value.map((item) => canonicalizePolicyExpressionAst(item, sourceSql));
+    }
+    if (isRedundantTextCast(value)) {
+        return canonicalizePolicyExpressionAst(value.operand, sourceSql);
+    }
+    const node = value;
+    const entries = [];
+    for (const key of Object.keys(node).sort()) {
+        const property = node[key];
+        if (property === undefined || key === "_location") {
+            continue;
+        }
+        if (key === "alias" && "expr" in node) {
+            continue;
+        }
+        if (key === "value" && isNumericPolicyExpressionAstNode(node)) {
+            entries.push([
+                key,
+                getPolicyExpressionAstNodeSource(node, sourceSql) ??
+                    canonicalizePolicyExpressionAst(property, sourceSql),
+            ]);
+            continue;
+        }
+        if (key === "op" && typeof property === "string") {
+            entries.push([key, normalizePolicyExpressionOperator(property)]);
+            continue;
+        }
+        if (key === "to" && node.type === "cast") {
+            entries.push([
+                key,
+                canonicalizePolicyExpressionDataType(property, sourceSql),
+            ]);
+            continue;
+        }
+        entries.push([key, canonicalizePolicyExpressionAst(property, sourceSql)]);
+    }
+    return Object.fromEntries(entries);
 }
-function readSqlWordEnd(expression, startIndex) {
-    if (!/[a-z_]/i.test(expression[startIndex] ?? "")) {
-        return startIndex;
+function canonicalizePolicyExpressionDataType(value, sourceSql) {
+    if (value === null || typeof value !== "object") {
+        return value === undefined
+            ? null
+            : value;
     }
-    let index = startIndex + 1;
-    while (/[a-z0-9_$]/i.test(expression[index] ?? "")) {
-        index += 1;
+    if (Array.isArray(value)) {
+        return value.map((item) => canonicalizePolicyExpressionDataType(item, sourceSql));
     }
-    return index;
+    const node = value;
+    const entries = [];
+    const isDoubleQuoted = node.doubleQuoted === true;
+    for (const key of Object.keys(node).sort()) {
+        const property = node[key];
+        if (property === undefined || key === "_location") {
+            continue;
+        }
+        if (key === "name" && typeof property === "string" && !isDoubleQuoted) {
+            entries.push([key, normalizePolicyExpressionDataTypeName(property)]);
+            continue;
+        }
+        if (key === "arrayOf") {
+            entries.push([
+                key,
+                canonicalizePolicyExpressionDataType(property, sourceSql),
+            ]);
+            continue;
+        }
+        entries.push([key, canonicalizePolicyExpressionAst(property, sourceSql)]);
+    }
+    return Object.fromEntries(entries);
 }
-function skipSqlWhitespace(expression, startIndex) {
-    let index = startIndex;
-    while (/\s/.test(expression[index] ?? "")) {
-        index += 1;
+function isRedundantTextCast(value) {
+    if (!isPolicyExpressionAstNode(value, "cast") || !isTextType(value.to)) {
+        return false;
     }
-    return index;
+    return (isPolicyExpressionAstNode(value.operand, "string") ||
+        isTextJsonMember(value.operand));
 }
-function skipSqlWhitespaceBackwards(expression, startIndex) {
-    let index = startIndex;
-    while (/\s/.test(expression[index] ?? "")) {
-        index -= 1;
+function isTextJsonMember(value) {
+    return isPolicyExpressionAstNode(value, "member") && value.op === "->>";
+}
+function isTextType(value) {
+    if (value === null || typeof value !== "object" || Array.isArray(value)) {
+        return false;
     }
-    return index;
+    const node = value;
+    const typeName = node.name;
+    return (node.doubleQuoted !== true &&
+        typeof typeName === "string" &&
+        normalizePolicyExpressionDataTypeName(typeName) === "text");
+}
+function isNumericPolicyExpressionAstNode(value) {
+    return value.type === "integer" || value.type === "numeric";
+}
+function getPolicyExpressionAstNodeSource(value, sourceSql) {
+    const location = value._location;
+    if (location === null ||
+        typeof location !== "object" ||
+        Array.isArray(location)) {
+        return undefined;
+    }
+    const start = location.start;
+    const end = location.end;
+    if (typeof start !== "number" || typeof end !== "number") {
+        return undefined;
+    }
+    return sourceSql.slice(start, end);
+}
+function isPolicyExpressionAstNode(value, type) {
+    return (value !== null &&
+        typeof value === "object" &&
+        !Array.isArray(value) &&
+        value.type === type);
+}
+function normalizePolicyExpressionDataTypeName(typeName) {
+    return (0, normalize_postgres_type_alias_util_1.normalizePostgresTypeAlias)(typeName.toLowerCase().replace(/\s+/g, " "));
+}
+function normalizePolicyExpressionOperator(operator) {
+    return operator === "!=" ? "<>" : operator;
 }
 function normalizePolicyRoles(roles) {
     return [