feat: add DBAL middleware to ensure proper role is used for all queries

Initially, I attempted to use the `wrapperClass` option to handle setting the
database role. However, I encountered issues because DBAL checks for the exact
`Connection` class type and not the interface, making it difficult to extend the
`Connection` class as needed.

I also considered overwriting the PgSQL-specific connection class (PDO variant)
to set the role upon connection. Unfortunately, this was not an option because
the class is declared as `final`, preventing me from extending it.

The next potential solution was to use an `EventSubscriber` to set the role
after the connection was established (using `postConnect`). However, this
approach is already deprecated in our version of DBAL and completely removed in
the next major release, rendering it unsuitable for us (maintainability).

Ultimately, I implemented the `SET ROLE` functionality using DBAL's middleware.
By wrapping the driver, and manually creating the `Connection` we can perform
the `SET ROLE` query before the connection is used by the application.

Runtime checks exist to ensure that the role (`DOCTRINE_ROLE`) is defined.
However, validation of the actual value is done by PostgreSQL itself (it will
complain if the role does not exist).

Author: tomudding

.env.dist

@@ -3,6 +3,7 @@ CHECKER_MEMBERSHIP_API_ENDPOINT=https://tue-lookup.test.gewis.nl/user/
 CHECKER_MEMBERSHIP_API_KEY=c2VjcmV0
 CHECKER_MEMBERSHIP_API_MAX_TOTAL_REQUESTS=200
 CHECKER_MEMBERSHIP_API_MAX_MANUAL_REQUESTS=20
+DOCTRINE_ROLE=gewisdb
 DOCTRINE_DEFAULT_HOST=postgresql
 DOCTRINE_DEFAULT_PORT=5432
 DOCTRINE_DEFAULT_USER=gewisdb

config/autoload/doctrine.local.development.php.dist

@@ -2,6 +2,7 @@
 
 declare(strict_types=1);
 
+use Application\Extensions\Doctrine\Middleware\SetRoleMiddleware;
 use Doctrine\DBAL\Driver\PDO\PgSQL\Driver as PgSQLDriver;
 use Doctrine\Persistence\Mapping\Driver\MappingDriverChain;
 
@@ -82,6 +83,9 @@ return [
                 // to use the default chained driver. The retrieved service name will
                 // be `doctrine.driver.$thisSetting`
                 'driver'            => 'orm_default',
+                'middlewares'       => [
+                    SetRoleMiddleware::class,
+                ],
 
                 // Generate proxies automatically (turn off for production)
                 'generate_proxies'  => true,
@@ -128,6 +132,9 @@ return [
                 // to use the default chained driver. The retrieved service name will
                 // be `doctrine.driver.$thisSetting`
                 'driver'            => 'orm_report',
+                'middlewares'       => [
+                    SetRoleMiddleware::class,
+                ],
 
                 // Generate proxies automatically (turn off for production)
                 'generate_proxies'  => true,

config/autoload/doctrine.local.production.php.dist

@@ -2,6 +2,7 @@
 
 declare(strict_types=1);
 
+use Application\Extensions\Doctrine\Middleware\SetRoleMiddleware;
 use Doctrine\DBAL\Driver\PDO\PgSQL\Driver as PgSQLDriver;
 use Doctrine\Persistence\Mapping\Driver\MappingDriverChain;
 
@@ -82,6 +83,9 @@ return [
                 // to use the default chained driver. The retrieved service name will
                 // be `doctrine.driver.$thisSetting`
                 'driver'            => 'orm_default',
+                'middlewares'       => [
+                    SetRoleMiddleware::class,
+                ],
 
                 // Generate proxies automatically (turn off for production)
                 'generate_proxies'  => false,
@@ -128,6 +132,9 @@ return [
                 // to use the default chained driver. The retrieved service name will
                 // be `doctrine.driver.$thisSetting`
                 'driver'            => 'orm_report',
+                'middlewares'       => [
+                    SetRoleMiddleware::class,
+                ],
 
                 // Generate proxies automatically (turn off for production)
                 'generate_proxies'  => false,

module/Application/src/Extensions/Doctrine/Middleware/Driver.php

@@ -0,0 +1,33 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Application\Extensions\Doctrine\Middleware;
+
+use Doctrine\DBAL\Driver as DriverInterface;
+use Doctrine\DBAL\Driver\Connection as ConnectionInterface;
+use Doctrine\DBAL\Driver\Middleware\AbstractDriverMiddleware;
+use SensitiveParameter;
+
+class Driver extends AbstractDriverMiddleware
+{
+    public function __construct(
+        DriverInterface $driver,
+        private readonly string $role,
+    ) {
+        parent::__construct($driver);
+    }
+
+    /**
+     * {@inheritDoc}
+     */
+    public function connect(
+        #[SensitiveParameter]
+        array $params,
+    ): ConnectionInterface {
+        $connection = parent::connect($params);
+        $connection->exec('SET ROLE ' . $connection->quote($this->role));
+
+        return $connection;
+    }
+}

module/Application/src/Extensions/Doctrine/Middleware/SetRoleMiddleware.php

@@ -0,0 +1,25 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Application\Extensions\Doctrine\Middleware;
+use Doctrine\DBAL\Driver as DriverInterface;
+use Doctrine\DBAL\Driver\Middleware as MiddlewareInterface;
+use RuntimeException;
+
+class SetRoleMiddleware implements MiddlewareInterface
+{
+    public function wrap(DriverInterface $driver): DriverInterface
+    {
+        if (!$driver instanceof DriverInterface\PDO\PgSQL\Driver) {
+            throw new RuntimeException('Expected DBAL Driver to be PDO PgSQL, but got ' . get_class($driver));
+        }
+
+        $role = getenv('DOCTRINE_ROLE');
+        if (false === $role) {
+            throw new RuntimeException('Required DOCTRINE_ROLE not set...');
+        }
+
+        return new Driver($driver, $role);
+    }
+}

module/Application/src/Module.php

@@ -4,6 +4,7 @@
 
 namespace Application;
 
+use Application\Extensions\Doctrine\Middleware\SetRoleMiddleware;
 use Application\Mapper\ConfigItem as ConfigItemMapper;
 use Application\Mapper\Factory\ConfigItemFactory as ConfigItemMapperFactory;
 use Application\Service\Config as ConfigService;
@@ -123,6 +124,9 @@ public function getConfig(): array
     public function getServiceConfig(): array
     {
         return [
+            'invokables' => [
+                SetRoleMiddleware::class => SetRoleMiddleware::class,
+            ],
             'factories' => [
                 ConfigItemMapper::class => ConfigItemMapperFactory::class,
                 ConfigService::class => ConfigServiceFactory::class,