
Commit ab21a9e

committed
Fix RLS disable for view tables
1 parent 108ab97 commit ab21a9e

3 files changed

Lines changed: 43 additions & 4 deletions


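--- a/tests/view_test.go
+++ b/tests/view_test.go
@@ -6,6 +6,7 @@ import (
 ginkgo "github.com/onsi/ginkgo/v2"
 . "github.com/onsi/gomega"
 
+"github.com/flanksource/duty/api"
 "github.com/flanksource/duty/models"
 "github.com/flanksource/duty/tests/fixtures/dummy"
 "github.com/flanksource/duty/types"
@@ -168,7 +169,8 @@ var _ = ginkgo.Describe("View Tests", ginkgo.Serial, ginkgo.Ordered, func() {
 WHERE relname = ? AND relkind = 'r'
 `, testTableName).Scan(&rlsEnabled).Error
 Expect(err).ToNot(HaveOccurred())
-Expect(rlsEnabled).To(BeTrue(), "RLS should be enabled on view table")
+applyRLS := api.DefaultConfig.EnableRLS && !api.DefaultConfig.DisableRLS
+Expect(rlsEnabled).To(Equal(applyRLS), "RLS state should match config")
 })
 
 ginkgo.It("should create view_grants_policy on view table", func() {
@@ -180,7 +182,8 @@ var _ = ginkgo.Describe("View Tests", ginkgo.Serial, ginkgo.Ordered, func() {
 )
 `, testTableName).Scan(&policyExists).Error
 Expect(err).ToNot(HaveOccurred())
-Expect(policyExists).To(BeTrue(), "view_grants_policy should exist on view table")
+applyRLS := api.DefaultConfig.EnableRLS && !api.DefaultConfig.DisableRLS
+Expect(policyExists).To(Equal(applyRLS), "view_grants_policy should match RLS state")
 })
 })
 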
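Review bot: The rewritten assertions in the second and third hunks pass whichever way the config is set, so a CI run with `EnableRLS=false` (or `DisableRLS=true`) never exercises the policy-creation path and a regression in ensureViewRLSPolicy would go unnoticed. Make the precondition visible rather than folding it into the expectation, e.g. `if !applyRLS { ginkgo.Skip("RLS disabled in test config; policy assertions not exercised") }` before the query, so the skip shows up in the test report. The `applyRLS` expression is now written out twice here and once more in view/db.go; a small shared helper such as `rlsExpected()` in the api package would keep the three in step if the config fields change. Both `It` bodies start outside these hunks.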

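--- a/view/db.go
+++ b/view/db.go
@@ -127,8 +127,11 @@ func applyViewTableSchema(ctx context.Context, tableName string, columns ViewCol
 // Apply RLS policy to enforce grants
 // (Re)apply RLS and Policy on first table creation or on schema changes
 if len(changes) > 0 {
-if err := ensureViewRLSPolicy(ctx, tableName); err != nil {
-return fmt.Errorf("failed to apply RLS policy: %w", err)
+applyRLS := api.DefaultConfig.EnableRLS && !api.DefaultConfig.DisableRLS
+if applyRLS {
+if err := ensureViewRLSPolicy(ctx, tableName); err != nil {
+return fmt.Errorf("failed to apply RLS policy: %w", err)
+}
 }
 }
 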
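Review bot: With the new gate, a view table created while RLS was disabled and later run with `EnableRLS=true` gets no policy until its schema changes, because the enclosing `len(changes) > 0` condition skips ensureViewRLSPolicy for unchanged tables; the disable direction is covered by the new SQL script in this commit, but the enable direction appears not to be, which leaves a table readable without its grants policy. Consider evaluating `applyRLS` before the `changes` check and calling ensureViewRLSPolicy whenever RLS is enabled and `pg_class.relrowsecurity` is false for the table (or documenting that switching RLS on requires a migration). A comment on the new branch would also help the next reader: `// RLS is opt-in via api.DefaultConfig; when it is off, views/9999_rls_disable.sql strips any policy left from an earlier run`. applyViewTableSchema begins before this hunk.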

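--- a/views/9999_rls_disable.sql
+++ b/views/9999_rls_disable.sql
@@ -48,6 +48,24 @@ BEGIN
 IF (SELECT relrowsecurity FROM pg_class WHERE relname = 'view_panels') THEN
 EXECUTE 'ALTER TABLE view_panels DISABLE ROW LEVEL SECURITY;';
 END IF;
+
+END $$;
+
+-- Disable RLS on dynamically generated view tables
+DO $$
+DECLARE
+r record;
+BEGIN
+FOR r IN
+SELECT c.relname, c.relrowsecurity
+FROM pg_class c
+JOIN pg_namespace n ON c.relnamespace = n.oid
+WHERE n.nspname = 'public' AND c.relkind = 'r' AND c.relname LIKE 'view\_%' ESCAPE '\'
+LOOP
+IF r.relrowsecurity THEN
+EXECUTE format('ALTER TABLE %I DISABLE ROW LEVEL SECURITY;', r.relname);
+END IF;
+END LOOP;
 END $$;
 
 -- POLICIES
@@ -74,3 +92,18 @@ DROP POLICY IF EXISTS checks_auth ON checks;
 DROP POLICY IF EXISTS views_auth ON views;
 
 DROP POLICY IF EXISTS view_panels_auth ON view_panels;
+
+DO $$
+DECLARE
+r record;
+BEGIN
+-- Drop policies on dynamically generated view tables
+FOR r IN
+SELECT c.relname
+FROM pg_class c
+JOIN pg_namespace n ON c.relnamespace = n.oid
+WHERE n.nspname = 'public' AND c.relkind = 'r' AND c.relname LIKE 'view\_%' ESCAPE '\'
+LOOP
+EXECUTE format('DROP POLICY IF EXISTS view_grants_policy ON %I;', r.relname);
+END LOOP;
+END $$;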
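Review bot: Both new DO blocks select tables by `n.nspname = 'public'` but then EXECUTE an unqualified `ALTER TABLE %I` / `DROP POLICY ... ON %I`, so the target is resolved through `search_path` rather than the schema that was matched; if `search_path` does not lead with `public`, the ALTER either fails or lands on a same-named table in another schema. Qualify the target, selecting the namespace alongside the name: `SELECT n.nspname, c.relname, c.relrowsecurity` and `EXECUTE format('ALTER TABLE %I.%I DISABLE ROW LEVEL SECURITY;', r.nspname, r.relname);` (same for the DROP POLICY loop). The `LIKE 'view\_%'` prefix is also broader than the tables applyViewTableSchema creates: any `view_`-prefixed table in `public` has RLS switched off and `view_grants_policy` dropped by this script, so if the generated tables carry a distinguishing marker it is worth filtering on it, and otherwise the blast radius belongs in the header comment. The `%I` quoting of the identifier is correct.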
