fix: flag for rls migrations (#1342)

* fix: flag for rls migrations

* chore: update tests

* chore: fix test cases

* chore: run fresh migrations in rls test

api/config.go

@@ -42,6 +42,7 @@ type Config struct {
 	LogName                  string
 
 	EnableRLS          bool // Enable Row-level security
+	DisableRLS         bool // Disable Row-level security
 	RunMigrations      bool
 	SkipMigrations     bool
 	SkipMigrationFiles []string

migrate/migrate.go

@@ -35,12 +35,13 @@ func RunMigrations(pool *sql.DB, config api.Config) error {
 		return errors.New("pool is nil")
 	}
 
+	// RLS enable/disable should always be explicit
 	if config.EnableRLS {
 		config.SkipMigrationFiles = append(config.SkipMigrationFiles, "035_rls_disable.sql")
-		config.MustRun = append(config.MustRun, "034_rls_enable.sql")
-	} else {
+	} else if config.DisableRLS {
 		config.SkipMigrationFiles = append(config.SkipMigrationFiles, "034_rls_enable.sql")
-		config.MustRun = append(config.MustRun, "035_rls_disable.sql")
+	} else {
+		config.SkipMigrationFiles = append(config.SkipMigrationFiles, "034_rls_enable.sql", "035_rls_disable.sql")
 	}
 
 	row := pool.QueryRow("SELECT current_database();")

start.go

@@ -57,6 +57,11 @@ var EnableRLS = func(config api.Config) api.Config {
 	return config
 }
 
+var DisableRLS = func(config api.Config) api.Config {
+	config.DisableRLS = true
+	return config
+}
+
 var DisablePostgrest = func(config api.Config) api.Config {
 	config.Postgrest.Disable = true
 	return config

tests/migration_dependency_test.go

@@ -72,7 +72,7 @@ var _ = Describe("migration dependency", Ordered, Serial, func() {
 		sqlDB, err := DefaultContext.DB().DB()
 		Expect(err).To(BeNil())
 
-		funcs, views, err := migrate.GetExecutableScripts(sqlDB, nil, []string{"035_rls_disable.sql"})
+		funcs, views, err := migrate.GetExecutableScripts(sqlDB, nil, []string{"034_rls_enable.sql", "035_rls_disable.sql"})
 		Expect(err).To(BeNil())
 		Expect(len(funcs)).To(Equal(1))
 		Expect(len(views)).To(Equal(2))
@@ -82,10 +82,10 @@ var _ = Describe("migration dependency", Ordered, Serial, func() {
 
 		{
 			// run the migrations again to ensure that the hashes are repopulated
-			err := migrate.RunMigrations(sqlDB, api.Config{ConnectionString: connString})
+			err := migrate.RunMigrations(sqlDB, api.Config{ConnectionString: connString, DisableRLS: true})
 			Expect(err).To(BeNil())
 
-			// at the end, there should be no scrips to apply
+			// at the end, there should be no scripts to apply
 			db, err := DefaultContext.DB().DB()
 			Expect(err).To(BeNil())
 

tests/rls_test.go

@@ -4,7 +4,9 @@ import (
 	"database/sql"
 	"fmt"
 
+	"github.com/flanksource/duty/api"
 	"github.com/flanksource/duty/job"
+	"github.com/flanksource/duty/migrate"
 	"github.com/flanksource/duty/models"
 	. "github.com/onsi/ginkgo/v2"
 	. "github.com/onsi/gomega"
@@ -37,12 +39,24 @@ var _ = Describe("RLS test", Ordered, func() {
 			Expect(DefaultContext.DB().Model(&models.ConfigItem{}).Count(&totalConfigs).Error).To(BeNil())
 			Expect(DefaultContext.DB().Where("tags->>'cluster' = 'aws'").Model(&models.ConfigItem{}).Count(&awsConfigs).Error).To(BeNil())
 
+			Expect(totalConfigs).To(Not(Equal(awsConfigs)))
+
+			sqldb, err := DefaultContext.DB().DB()
+			Expect(err).To(BeNil())
+
+			// The migration_dependency_test can mess with the migration_logs so we clean and run migrations again
+			Expect(DefaultContext.DB().Exec("DELETE FROM migration_logs").Error).To(BeNil())
+
+			connString := DefaultContext.Value("db_url").(string)
+			err = migrate.RunMigrations(sqldb, api.Config{ConnectionString: connString, EnableRLS: true})
+			Expect(err).To(BeNil())
+
 			tx = DefaultContext.DB().Begin()
 
 			Expect(tx.Exec("SET LOCAL ROLE 'postgrest_api'").Error).To(BeNil())
 			Expect(tx.Exec(`SET LOCAL request.jwt.claims = '{"tags": [{"cluster": "aws"}]}'`).Error).To(BeNil())
 
-			err := job.RefreshConfigItemSummary7d(DefaultContext)
+			err = job.RefreshConfigItemSummary7d(DefaultContext)
 			Expect(err).To(BeNil())
 		})
 

views/034_rls_enable.sql

@@ -7,9 +7,35 @@ BEGIN
 END;
 $$ LANGUAGE plpgsql SECURITY DEFINER;
 
--- Policy config items
-ALTER TABLE config_items ENABLE ROW LEVEL SECURITY;
+-- Enable RLS for tables
+DO $$
+BEGIN
+    IF NOT (SELECT relrowsecurity FROM pg_class WHERE relname = 'config_items') THEN
+        EXECUTE 'ALTER TABLE config_items ENABLE ROW LEVEL SECURITY;';
+    END IF;
+
+    IF NOT (SELECT relrowsecurity FROM pg_class WHERE relname = 'config_changes') THEN
+        EXECUTE 'ALTER TABLE config_changes ENABLE ROW LEVEL SECURITY;';
+    END IF;
+
+    IF NOT (SELECT relrowsecurity FROM pg_class WHERE relname = 'config_analysis') THEN
+        EXECUTE 'ALTER TABLE config_changes ENABLE ROW LEVEL SECURITY;';
+    END IF;
+
+    IF NOT (SELECT relrowsecurity FROM pg_class WHERE relname = 'components') THEN
+        EXECUTE 'ALTER TABLE components ENABLE ROW LEVEL SECURITY;';
+    END IF;
+
+    IF NOT (SELECT relrowsecurity FROM pg_class WHERE relname = 'config_component_relationships') THEN
+        EXECUTE 'ALTER TABLE config_component_relationships ENABLE ROW LEVEL SECURITY;';
+    END IF;
+
+    IF NOT (SELECT relrowsecurity FROM pg_class WHERE relname = 'config_relationships') THEN
+        EXECUTE 'ALTER TABLE config_relationships ENABLE ROW LEVEL SECURITY;';
+    END IF;
+END $$;
 
+-- Policy config items
 DROP POLICY IF EXISTS config_items_auth ON config_items;
 
 CREATE POLICY config_items_auth ON config_items
@@ -28,8 +54,6 @@ CREATE POLICY config_items_auth ON config_items
     );
 
 -- Policy config_changes 
-ALTER TABLE config_changes ENABLE ROW LEVEL SECURITY;
-
 DROP POLICY IF EXISTS config_changes_auth ON config_changes;
 
 CREATE POLICY config_changes_auth ON config_changes
@@ -46,8 +70,6 @@ CREATE POLICY config_changes_auth ON config_changes
     );
 
 -- Policy config_analysis
-ALTER TABLE config_analysis ENABLE ROW LEVEL SECURITY;
-
 DROP POLICY IF EXISTS config_analysis_auth ON config_analysis;
 
 CREATE POLICY config_analysis_auth ON config_analysis
@@ -64,8 +86,6 @@ CREATE POLICY config_analysis_auth ON config_analysis
     );
 
 -- Policy config_relationships
-ALTER TABLE config_relationships ENABLE ROW LEVEL SECURITY;
-
 DROP POLICY IF EXISTS config_relationships_auth ON config_relationships;
 
 CREATE POLICY config_relationships_auth ON config_relationships
@@ -81,9 +101,7 @@ CREATE POLICY config_relationships_auth ON config_relationships
       END
     );
 
--- Policy config_relationships
-ALTER TABLE config_component_relationships ENABLE ROW LEVEL SECURITY;
-
+-- Policy config_component_relationships
 DROP POLICY IF EXISTS config_component_relationships_auth ON config_component_relationships;
 
 CREATE POLICY config_component_relationships_auth ON config_component_relationships
@@ -100,8 +118,6 @@ CREATE POLICY config_component_relationships_auth ON config_component_relationsh
     );
 
 -- Policy components
-ALTER TABLE components ENABLE ROW LEVEL SECURITY;
-
 DROP POLICY IF EXISTS components_auth ON components;
 
 CREATE POLICY components_auth ON components
@@ -137,4 +153,4 @@ ALTER VIEW config_tags SET (security_invoker = true);
 ALTER VIEW config_tags_labels_keys SET (security_invoker = true);
 ALTER VIEW config_types SET (security_invoker = true);
 ALTER VIEW configs SET (security_invoker = true);
-ALTER VIEW incidents_by_config SET (security_invoker = true);
+ALTER VIEW incidents_by_config SET (security_invoker = true);

views/035_rls_disable.sql

@@ -1,15 +1,30 @@
 -- Disable RLS
-ALTER TABLE config_items DISABLE ROW LEVEL SECURITY;
-
-ALTER TABLE config_changes DISABLE ROW LEVEL SECURITY;
-
-ALTER TABLE config_analysis DISABLE ROW LEVEL SECURITY;
-
-ALTER TABLE components DISABLE ROW LEVEL SECURITY;
-
-ALTER TABLE config_component_relationships DISABLE ROW LEVEL SECURITY;
-
-ALTER TABLE config_relationships DISABLE ROW LEVEL SECURITY;
+DO $$
+BEGIN
+    IF (SELECT relrowsecurity FROM pg_class WHERE relname = 'config_items') THEN
+        EXECUTE 'ALTER TABLE config_items DISABLE ROW LEVEL SECURITY;';
+    END IF;
+
+    IF (SELECT relrowsecurity FROM pg_class WHERE relname = 'config_changes') THEN
+        EXECUTE 'ALTER TABLE config_changes DISABLE ROW LEVEL SECURITY;';
+    END IF;
+
+    IF (SELECT relrowsecurity FROM pg_class WHERE relname = 'config_analysis') THEN
+        EXECUTE 'ALTER TABLE config_changes DISABLE ROW LEVEL SECURITY;';
+    END IF;
+
+    IF (SELECT relrowsecurity FROM pg_class WHERE relname = 'components') THEN
+        EXECUTE 'ALTER TABLE components DISABLE ROW LEVEL SECURITY;';
+    END IF;
+
+    IF (SELECT relrowsecurity FROM pg_class WHERE relname = 'config_component_relationships') THEN
+        EXECUTE 'ALTER TABLE config_component_relationships DISABLE ROW LEVEL SECURITY;';
+    END IF;
+
+    IF (SELECT relrowsecurity FROM pg_class WHERE relname = 'config_relationships') THEN
+        RAISE NOTICE 'RLS is already disabled on config_relationships.';
+    END IF;
+END $$;
 
 -- POLICIES
 DROP POLICY IF EXISTS config_items_auth ON config_items;