feat: Adds CRUD for policies

Fixes #31. Note that the update functionality doesn't include action and command. This is because postgres expects a DROP and recreate to alter these settings. I don't want to do that within the PATCH command because it will return a new ID. End users should follow the convention - delete and recreate

Author: kiwicopple

src/api.ts

@@ -8,6 +8,7 @@ router.use('/config', addConnectionToRequest, require('./api/config'))
 router.use('/columns', addConnectionToRequest, require('./api/columns'))
 router.use('/extensions', addConnectionToRequest, require('./api/extensions'))
 router.use('/functions', addConnectionToRequest, require('./api/functions'))
+router.use('/policies', addConnectionToRequest, require('./api/policies'))
 router.use('/query', addConnectionToRequest, require('./api/query'))
 router.use('/schemas', addConnectionToRequest, require('./api/schemas'))
 router.use('/tables', addConnectionToRequest, require('./api/tables'))

src/api/policies.ts

@@ -0,0 +1,201 @@
+import { Router } from 'express'
+import { coalesceRowsToArray, toTransaction } from '../lib/helpers'
+import { RunQuery } from '../lib/connectionPool'
+import { DEFAULT_SYSTEM_SCHEMAS } from '../lib/constants'
+import { Tables } from '../lib/interfaces'
+import sqlTemplates = require('../lib/sql')
+
+/**
+ * @param {string} [includeSystemSchemas=false] - Return system schemas as well as user schemas
+ */
+interface QueryParams {
+  includeSystemSchemas?: string
+}
+
+const router = Router()
+
+router.get('/', async (req, res) => {
+  try {
+    const sql = getAllSql(sqlTemplates)
+    const { data } = await RunQuery(req.headers.pg, sql)
+    const query: QueryParams = req.query
+    const includeSystemSchemas = query?.includeSystemSchemas === 'true'
+    let payload: Tables.Policy[] = data
+    if (!includeSystemSchemas) payload = removeSystemSchemas(data)
+    return res.status(200).json(payload)
+  } catch (error) {
+    console.log('throwing error', error)
+    res.status(500).json({ error: 'Database error', status: 500 })
+  }
+})
+
+router.post('/', async (req, res) => {
+  try {
+    const pcConnection: string = req.headers.pg.toString()
+    const payload: Tables.Policy = { ...req.body }
+    const schema: string = payload.schema || 'public'
+    const name: string = payload.name
+    const table: string = payload.table
+
+    // Create
+    const createSqlString = createSql(payload)
+    await RunQuery(pcConnection, createSqlString)
+
+    // Return fresh details
+    const newPolicy = await getPolicyByName(pcConnection, name, schema, table)
+    return res.status(200).json(newPolicy)
+  } catch (error) {
+    // For this one, we always want to give back the error to the customer
+    console.log('POST error!', error)
+    res.status(200).json([{ error: error.toString() }])
+  }
+})
+
+router.patch('/:id', async (req, res) => {
+  try {
+    const pcConnection: string = req.headers.pg.toString()
+    const id: number = parseInt(req.params.id)
+    if (!(id > 0)) throw new Error('id is required')
+
+    const payload: Tables.Policy = { ...req.body }
+    const previousPolicy: Tables.Policy = await getPolicyById(pcConnection, id)
+    const nameChange = !!payload.name && payload.name != previousPolicy.name
+    let updates = { ...payload }
+    if (!updates.name) updates.name = previousPolicy.name
+    if (!updates.schema) updates.schema = previousPolicy.schema
+    if (!updates.table) updates.table = previousPolicy.table
+
+    // Update fields and name
+    const nameSqlString = nameChange
+      ? alterPolicyNameSql(
+          previousPolicy.name,
+          payload.name,
+          previousPolicy.schema,
+          previousPolicy.table
+        )
+      : ''
+    const alterSqlString = alterSql(updates)
+    const transaction = toTransaction([nameSqlString, alterSqlString])
+    await RunQuery(pcConnection, transaction)
+
+    // Return fresh details
+    const updated = await getPolicyById(pcConnection, id)
+    return res.status(200).json(updated)
+  } catch (error) {
+    // For this one, we always want to give back the error to the customer
+    console.log('Soft error!', error)
+    res.status(200).json([{ error: error.toString() }])
+  }
+})
+
+router.delete('/:id', async (req, res) => {
+  try {
+    const pcConnection: string = req.headers.pg.toString()
+    const id: number = parseInt(req.params.id)
+    if (!(id > 0)) throw new Error('id is required')
+
+    // Get
+    const policy = await getPolicyById(pcConnection, id)
+    const { name, schema, table } = policy
+
+    // Drop
+    const query = dropSql(name, schema, table)
+    await RunQuery(pcConnection, query)
+
+    return res.status(200).json(policy)
+  } catch (error) {
+    console.log('throwing error', error)
+    res.status(500).json({ error: 'Database error', status: 500 })
+  }
+})
+
+const getAllSql = (sqlTemplates) => {
+  const { policies } = sqlTemplates
+  return `${policies}`.trim()
+}
+const getPolicyById = async (connection: string, id: number) => {
+  const { policies } = sqlTemplates
+  let sql = `
+    with policies as (${policies}) 
+    select * from policies
+    where policies.id = '${id}'
+    limit 1
+  `.trim()
+  const { data } = await RunQuery(connection, sql)
+  return data[0]
+}
+const getPolicyByName = async (connection: string, name: string, schema: string, table: string) => {
+  const { policies } = sqlTemplates
+  let sql = `
+    with policies as (${policies}) 
+    select * from policies
+    where policies.name = '${name}' and policies.schema = '${schema}' and policies.table = '${table}'
+    limit 1
+  `.trim()
+  const { data } = await RunQuery(connection, sql)
+  return data[0]
+}
+const createSql = ({
+  name,
+  table,
+  definition,
+  check,
+  schema = 'postgres',
+  action = 'PERMISSIVE',
+  command = 'ALL',
+  roles = ['PUBLIC'],
+}: {
+  name: string
+  table: string
+  definition?: string
+  check?: string
+  schema?: string
+  action?: string
+  command?: string
+  roles?: string[]
+}) => {
+  let sql = ` CREATE POLICY "${name}" ON "${schema}"."${table}"
+    AS ${action}
+    FOR ${command}
+    TO ${roles.join(',')} `.trim()
+  if (definition) sql += ` USING (${definition}) `
+  if (check) sql += ` WITH CHECK (${check}) `
+  sql += ';'
+  return sql
+}
+const alterPolicyNameSql = (oldName: string, newName: string, schema: string, table: string) => {
+  return `ALTER POLICY "${oldName}" ON "${schema}"."${table}" RENAME TO "${newName}";`.trim()
+}
+const alterSql = ({
+  name,
+  schema,
+  table,
+  definition,
+  check,
+  roles,
+}: {
+  schema: string
+  name: string
+  table: string
+  definition?: string
+  check?: string
+  roles?: string[]
+}) => {
+  let alter = `ALTER POLICY "${name}" ON "${schema}"."${table}"`
+  let newDefinition = definition !== undefined ? `${alter} USING (${definition});` : ''
+  let newCheck = check !== undefined ? `${alter} WITH CHECK (${check});` : ''
+  let newRoles = roles !== undefined ? `${alter} TO (${roles.join(',')});` : ''
+
+  return `
+    ${newDefinition}
+    ${newCheck}
+    ${newRoles}`.trim()
+}
+const dropSql = (name: string, schema: string, table: string) => {
+  return `DROP POLICY "${name}" ON "${schema}"."${table}";`.trim()
+}
+const removeSystemSchemas = (data: Tables.Policy[]) => {
+  return data.filter((x) => !DEFAULT_SYSTEM_SCHEMAS.includes(x.schema))
+}
+
+export = router

src/lib/helpers.ts

@@ -17,7 +17,7 @@ COALESCE(
 export const toTransaction = (statements: string[]) => {
   let cleansed = statements.map((x) => {
     let sql = x.trim()
-    if (x.slice(-1) !== ';') sql += ';'
+    if (sql.length > 0 && x.slice(-1) !== ';') sql += ';'
     return sql
   })
   let allStatements = cleansed.join('')

src/lib/interfaces.ts

@@ -115,14 +115,15 @@ export namespace Tables {
 
   export interface Policy {
     id: number
+    name: string
     schema: string
     table: string
     table_id: number
-    permissive: boolean
+    action: 'PERMISSIVE' | 'RESTRICTIVE'
     roles: string[]
-    cmd: string
+    command: string
     definition: string
-    with_check: string
+    check: string
   }
 
   export interface PrimaryKey {

src/lib/sql/policies.sql

@@ -1,13 +1,13 @@
 select
-  n.oid as id,
+  pol.oid as id,
   n.nspname AS schema,
   c.relname AS table,
   c.oid AS table_id,
   pol.polname AS name,
   CASE
     WHEN pol.polpermissive THEN 'PERMISSIVE' :: text
     ELSE 'RESTRICTIVE' :: text
-  END AS permissive,
+  END AS action,
   CASE
     WHEN pol.polroles = '{0}' :: oid [] 
     THEN array_to_json(string_to_array('public' :: text, '' :: text) :: name [])
@@ -30,9 +30,9 @@ select
     WHEN 'd' :: "char" THEN 'DELETE' :: text
     WHEN '*' :: "char" THEN 'ALL' :: text
     ELSE NULL :: text
-  END AS cmd,
-  pg_get_expr(pol.polqual, pol.polrelid) AS qual,
-  pg_get_expr(pol.polwithcheck, pol.polrelid) AS with_check
+  END AS command,
+  pg_get_expr(pol.polqual, pol.polrelid) AS definition,
+  pg_get_expr(pol.polwithcheck, pol.polrelid) AS check
 FROM
   pg_policy pol
   JOIN pg_class c ON c.oid = pol.polrelid

test/integration/index.spec.js

@@ -174,18 +174,18 @@ describe('/tables', async () => {
     const nameColumn = datum.columns.find((x) => x.name === 'name')
     const statusColumn = memes.columns.find((x) => x.name ==='status')
     assert.equal(tables.status, STATUS.SUCCESS)
-    assert.equal(true, !!datum)
-    assert.equal(true, !notIncluded)
-    assert.equal(datum['rls_enabled'], false)
-    assert.equal(datum['rls_forced'], false)
-    assert.equal(datum.columns.length > 0, true)
-    assert.equal(datum.primary_keys.length > 0, true)
-    assert.equal(idColumn.is_updatable, true)
-    assert.equal(idColumn.is_identity, true)
-    assert.equal(nameColumn.is_identity, false)
-    assert.equal(datum.grants.length > 0, true)
-    assert.equal(datum.policies.length == 0, true)
-    assert.equal(statusColumn.enums[0], 'new')
+    assert.equal(true, !!datum, 'Table included')
+    assert.equal(true, !notIncluded, 'System table not included')
+    assert.equal(datum['rls_enabled'], false, 'RLS false')
+    assert.equal(datum['rls_forced'], false, 'RLS Forced')
+    assert.equal(datum.columns.length > 0, true, 'Has columns')
+    assert.equal(datum.primary_keys.length > 0, true, 'Has PK')
+    assert.equal(idColumn.is_updatable, true, 'Is updatable')
+    assert.equal(idColumn.is_identity, true, 'ID is Identity')
+    assert.equal(nameColumn.is_identity, false, 'Name is not identity')
+    assert.equal(datum.grants.length > 0, true, 'Has grants')
+    assert.equal(datum.policies.length == 0, true, 'Has no policies')
+    assert.equal(statusColumn.enums[0], 'new', 'Has enums')
   })
   it('/tables should return the relationships', async () => {
     const tables = await axios.get(`${URL}/tables`)
@@ -443,3 +443,62 @@ describe('/roles', () => {
     assert.equal(newRoleExists, false)
   })
 })
+describe('/policies', () => {
+  var policy = {
+    id: null,
+    name: 'test policy',
+    schema: 'public',
+    table: 'memes',
+    action: 'RESTRICTIVE'
+  }
+  before(async () => {
+    await axios.post(`${URL}/query`, {
+      query: `DROP POLICY IF EXISTS "${policy.name}" on "${policy.schema}"."${policy.table}" `,
+    })
+  })
+  it('GET', async () => {
+    const res = await axios.get(`${URL}/policies`)
+    // console.log('res', res)
+    const policy = res.data[0]
+    assert.equal('id' in policy, true, 'Has ID')
+    assert.equal('name' in policy, true, 'Has name')
+    assert.equal('action' in policy, true, 'Has action')
+    assert.equal('table' in policy, true, 'Has table')
+    assert.equal('table_id' in policy, true, 'Has table_id')
+    assert.equal('roles' in policy, true, 'Has roles')
+    assert.equal('command' in policy, true, 'Has command')
+    assert.equal('definition' in policy, true, 'Has definition')
+    assert.equal('check' in policy, true, 'Has check')
+  })
+  it('POST', async () => {
+    const { data: newPolicy } = await axios.post(`${URL}/policies`, policy)
+    assert.equal(newPolicy.name, 'test policy')
+    assert.equal(newPolicy.schema, 'public')
+    assert.equal(newPolicy.table, 'memes')
+    assert.equal(newPolicy.action, 'RESTRICTIVE')
+    assert.equal(newPolicy.roles[0], 'public')
+    assert.equal(newPolicy.command, 'ALL')
+    assert.equal(newPolicy.definition, null)
+    assert.equal(newPolicy.check, null)
+    policy.id = newPolicy.id
+  })
+  it('PATCH', async () => {
+    const updates = {
+      name: 'policy updated',
+      definition: `current_setting('my.username') IN (name)`,
+      check: `current_setting('my.username') IN (name)`,
+    }
+    let { data: updated } = await axios.patch(`${URL}/policies/${policy.id}`, updates)
+    // console.log('updated', updated)
+    assert.equal(updated.id, policy.id)
+    assert.equal(updated.name, 'policy updated', 'name updated')
+    assert.notEqual(updated.definition, null, 'definition updated')
+    assert.notEqual(updated.check, null, 'check updated')
+  })
+  it('DELETE', async () => {
+    await axios.delete(`${URL}/policies/${policy.id}`)
+    const { data: policies } = await axios.get(`${URL}/policies`)
+    const stillExists = policies.some((x) => policy.id === x.id)
+    assert.equal(stillExists, false, 'Policy is deleted')
+  })
+})