rls support

2024-10-26 07:00:54 +03:00 · 2018-12-01 20:21:43 +11:00 · 2018-12-01 20:21:43 +11:00 · aa9a3031c0
commit aa9a3031c0
parent 87de693ef5
9 changed files with 65 additions and 3 deletions
--- a/migra/changes.py
+++ b/migra/changes.py
@ -17,6 +17,7 @@ THINGS = [
    "extensions",
    "privileges",
    "collations",
+    "rlspolicies",
 ]
 PK = "PRIMARY KEY"

@ -173,6 +174,10 @@ def get_table_changes(tables_from, tables_target, enums_from, enums_target):
            statements.append(alter)
        for k, c in c_modified.items():
            statements += c.alter_table_statements(before.columns[k], t)
+
+        if v.rowsecurity != before.rowsecurity:
+            rls_alter = v.alter_rls_statement
+            statements += [rls_alter]
    return statements


--- a/migra/migra.py
+++ b/migra/migra.py
@ -1,8 +1,9 @@
 from __future__ import unicode_literals

-from schemainspect import DBInspector, get_inspector
 from sqlbag import raw_execute

+from schemainspect import DBInspector, get_inspector
+
 from .changes import Changes
 from .statements import Statements

@ -67,6 +68,7 @@ class Migration(object):
        self.add(self.changes.collations(creations_only=True))
        self.add(self.changes.enums(creations_only=True, modifications=False))
        self.add(self.changes.sequences(creations_only=True))
+        self.add(self.changes.rlspolicies(drops_only=True))
        if privileges:
            self.add(self.changes.privileges(drops_only=True))
        self.add(self.changes.non_pk_constraints(drops_only=True))
@ -83,6 +85,7 @@ class Migration(object):
        self.add(self.changes.non_pk_constraints(creations_only=True))
        if privileges:
            self.add(self.changes.privileges(creations_only=True))
+        self.add(self.changes.rlspolicies(creations_only=True))
        self.add(self.changes.collations(drops_only=True))
        self.add(self.changes.schemas(drops_only=True))

--- a/pyproject.toml
+++ b/pyproject.toml
@ -13,7 +13,7 @@ homepage = "https://migra.djrobstep.com/"
 python = "*"
 sqlbag = "*"
 six = "*"
-schemainspect = "*"
+schemainspect = ">=0.1.1543655873"
 psycopg2-binary = { version="*", optional = true }

 [tool.poetry.dev-dependencies]
--- a/tests/FIXTURES/rls/a.sql
+++ b/tests/FIXTURES/rls/a.sql
@ -0,0 +1,8 @@
+CREATE TABLE accounts (manager text, company text, contact_email text);
+
+ALTER TABLE accounts ENABLE ROW LEVEL SECURITY;
+
+CREATE POLICY account_managers ON accounts TO schemainspect_test_role
+    USING (manager = current_user);
+
+CREATE TABLE accounts2 (manager text, company text, contact_email text);
--- a/tests/FIXTURES/rls/additions.sql
+++ b/tests/FIXTURES/rls/additions.sql
--- a/tests/FIXTURES/rls/b.sql
+++ b/tests/FIXTURES/rls/b.sql
@ -0,0 +1,10 @@
+CREATE TABLE accounts (manager text, company text, contact_email text);
+
+ALTER TABLE accounts ENABLE ROW LEVEL SECURITY;
+
+CREATE POLICY account_managers ON accounts as restrictive TO schemainspect_test_role
+    USING (manager = current_user);
+
+CREATE TABLE accounts2 (manager text, company text, contact_email text);
+
+ALTER TABLE accounts2 ENABLE ROW LEVEL SECURITY;
--- a/tests/FIXTURES/rls/expected.sql
+++ b/tests/FIXTURES/rls/expected.sql
@ -0,0 +1,10 @@
+drop policy "account_managers" on "public"."accounts";
+
+alter table "public"."accounts2" enable row level security;
+
+create policy "account_managers"
+on "public"."accounts"
+as restrictive
+for all
+to schemainspect_test_role
+using (manager = (CURRENT_USER)::text);
--- a/tests/FIXTURES/rls/expected2.sql
+++ b/tests/FIXTURES/rls/expected2.sql
--- a/tests/test_migra.py
+++ b/tests/test_migra.py
@ -3,11 +3,11 @@ from __future__ import unicode_literals
 import io

 from pytest import raises
-from schemainspect import get_inspector
 from sqlbag import S, load_sql_from_file, temporary_database

 from migra import Migration, Statements, UnsafeMigrationException
 from migra.command import parse_args, run
+from schemainspect import get_inspector

 SQL = """select 1;

@ -69,6 +69,32 @@ def test_privs():
        do_fixture_test(FIXTURE_NAME, with_privileges=True)


+schemainspect_test_role = "schemainspect_test_role"
+
+
+def create_role(s, rolename):
+    role = s.execute(
+        f"""
+SELECT 1 FROM pg_roles WHERE rolname=:rolename
+    """,
+        dict(rolename=rolename),
+    )
+
+    role_exists = bool(list(role))
+
+    if not role_exists:
+        s.execute(
+            f"""
+            create role {rolename};
+        """
+        )
+
+
+def test_rls():
+    for FIXTURE_NAME in ["rls"]:
+        do_fixture_test(FIXTURE_NAME, with_privileges=True)
+
+
 def do_fixture_test(
    fixture_name, schema=None, create_extensions_only=False, with_privileges=False
 ):