FEAT: add postgres rls for tenant isolation

sru-thy · bharathkeyvalue · commit 2900db22dca6 · 2024-12-13T10:13:15.000+05:30
diff --git a/src/authentication/authentication.guard.ts b/src/authentication/authentication.guard.ts
@@ -1,7 +1,6 @@
 import { Injectable, CanActivate, ExecutionContext } from '@nestjs/common';
 import { GqlExecutionContext } from '@nestjs/graphql';
 import { AuthenticationHelper } from './authentication.helper';
-import { ExecutionManager } from '../util/execution.manager';
 
 @Injectable()
 export class AuthGuard implements CanActivate {
@@ -14,7 +13,6 @@ export class AuthGuard implements CanActivate {
       if (token) {
         const reqAuthToken = token.split(' ')[1];
         ctx.user = this.authenticationHelper.validateAuthToken(reqAuthToken);
-        ExecutionManager.setTenantId(ctx.user.tenantId);
         return true;
       }
     }
diff --git a/src/authorization/entity/abstract.tenant.entity.ts b/src/authorization/entity/abstract.tenant.entity.ts
@@ -2,7 +2,10 @@ import { Column } from 'typeorm';
 import BaseEntity from './base.entity';
 
 class AbstractTenantEntity extends BaseEntity {
-  @Column({ type: 'uuid' })
+  @Column({
+    type: 'uuid',
+    default: () => "current_setting('app.current_tenant')",
+  })
   public tenantId!: string;
 }
 
diff --git a/src/database/database.module.ts b/src/database/database.module.ts
@@ -2,6 +2,7 @@ import { Module } from '@nestjs/common';
 import { TypeOrmModule } from '@nestjs/typeorm';
 import { ConfigModule, ConfigService } from '@nestjs/config';
 import { SnakeNamingStrategy } from 'typeorm-naming-strategies';
+import { ExecutionManager } from '../util/execution.manager';
 
 @Module({
   imports: [
@@ -22,6 +23,18 @@ import { SnakeNamingStrategy } from 'typeorm-naming-strategies';
         namingStrategy: new SnakeNamingStrategy(),
         synchronize: false,
         logging: true,
+        extra: {
+          poolMiddleware: async (query: string, params: any[]) => {
+            const tenantId = ExecutionManager.getTenantId();
+            if (tenantId) {
+              return [
+                `SELECT set_config('app.tenant_id', ${tenantId}, false) ${query}`,
+                params,
+              ];
+            }
+            return [query, params];
+          },
+        },
       }),
     }),
   ],
diff --git a/src/middleware/executionId.middleware.ts b/src/middleware/executionId.middleware.ts
@@ -2,9 +2,18 @@ import { NestMiddleware } from '@nestjs/common';
 import { NextFunction, Request, Response } from 'express';
 
 import { ExecutionManager } from '../util/execution.manager';
+import { AuthenticationHelper } from '../authentication/authentication.helper';
 
 export class ExecutionContextBinder implements NestMiddleware {
+  constructor(private readonly auth: AuthenticationHelper) {}
   async use(req: Request, res: Response, next: NextFunction) {
-    ExecutionManager.runWithContext(next);
+    ExecutionManager.runWithContext(async () => {
+      const token = req.headers.authorization?.split(' ')[1];
+      if (token) {
+        const user = this.auth.validateAuthToken(token);
+        ExecutionManager.setTenantId(user.tenantId);
+      }
+      next();
+    });
   }
 }
diff --git a/src/migrations/1733833844028-MultiTenantFeature.ts b/src/migrations/1733833844028-MultiTenantFeature.ts
@@ -71,9 +71,64 @@ export class MultiTenantFeature1733833844028 implements MigrationInterface {
     await queryRunner.query(
       `ALTER TABLE "user_permission" ALTER COLUMN "tenant_id" DROP DEFAULT`,
     );
+    await queryRunner.query(`
+      ALTER TABLE "user" ENABLE ROW LEVEL SECURITY;
+      ALTER TABLE "role" ENABLE ROW LEVEL SECURITY;
+      ALTER TABLE "group" ENABLE ROW LEVEL SECURITY;
+      ALTER TABLE "entity_model" ENABLE ROW LEVEL SECURITY;
+      ALTER TABLE "user_group" ENABLE ROW LEVEL SECURITY;
+      ALTER TABLE "user_permission" ENABLE ROW LEVEL SECURITY;
+      ALTER TABLE "group_role" ENABLE ROW LEVEL SECURITY;
+      ALTER TABLE "group_permission" ENABLE ROW LEVEL SECURITY;
+      ALTER TABLE "role_permission" ENABLE ROW LEVEL SECURITY;
+      ALTER TABLE "entity_permission" ENABLE ROW LEVEL SECURITY;
+ 
+      CREATE POLICY tenant_isolation_policy ON "user" 
+        USING (tenant_id = current_setting('app.tenant_id')::uuid);
+      CREATE POLICY tenant_isolation_policy ON "role"
+        USING (tenant_id = current_setting('app.tenant_id')::uuid);
+      CREATE POLICY tenant_isolation_policy ON "group"
+        USING (tenant_id = current_setting('app.tenant_id')::uuid);
+      CREATE POLICY tenant_isolation_policy ON "entity_model"
+        USING (tenant_id = current_setting('app.tenant_id')::uuid);
+      CREATE POLICY tenant_isolation_policy ON "user_group"
+        USING (tenant_id = current_setting('app.tenant_id')::uuid);
+      CREATE POLICY tenant_isolation_policy ON "user_permission"
+        USING (tenant_id = current_setting('app.tenant_id')::uuid);
+      CREATE POLICY tenant_isolation_policy ON "group_role"
+        USING (tenant_id = current_setting('app.tenant_id')::uuid);
+      CREATE POLICY tenant_isolation_policy ON "group_permission"
+        USING (tenant_id = current_setting('app.tenant_id')::uuid);
+      CREATE POLICY tenant_isolation_policy ON "role_permission"
+        USING (tenant_id = current_setting('app.tenant_id')::uuid);
+      CREATE POLICY tenant_isolation_policy ON "entity_permission"
+        USING (tenant_id = current_setting('app.tenant_id')::uuid);
+      `);
   }
 
   public async down(queryRunner: QueryRunner): Promise<void> {
+    await queryRunner.query(`
+      DROP POLICY tenant_isolation_policy ON "user";
+      DROP POLICY tenant_isolation_policy ON "role";
+      DROP POLICY tenant_isolation_policy ON "group";
+      DROP POLICY tenant_isolation_policy ON "entity_model";
+      DROP POLICY tenant_isolation_policy ON "user_group";
+      DROP POLICY tenant_isolation_policy ON "user_permission";
+      DROP POLICY tenant_isolation_policy ON "group_role";
+      DROP POLICY tenant_isolation_policy ON "group_permission";
+      DROP POLICY tenant_isolation_policy ON "role_permission";
+      DROP POLICY tenant_isolation_policy ON "entity_permission";
+      ALTER TABLE "user" DISABLE ROW LEVEL SECURITY;
+      ALTER TABLE "role" DISABLE ROW LEVEL SECURITY;
+      ALTER TABLE "group" DISABLE ROW LEVEL SECURITY;
+      ALTER TABLE "entity_model" DISABLE ROW LEVEL SECURITY;
+      ALTER TABLE "user_group" DISABLE ROW LEVEL SECURITY;
+      ALTER TABLE "user_permission" DISABLE ROW LEVEL SECURITY;
+      ALTER TABLE "group_role" DISABLE ROW LEVEL SECURITY;
+      ALTER TABLE "group_permission" DISABLE ROW LEVEL SECURITY;
+      ALTER TABLE "role_permission" DISABLE ROW LEVEL SECURITY;
+      ALTER TABLE "entity_permission" DISABLE ROW LEVEL SECURITY;
+    `);
     await queryRunner.query(
       `ALTER TABLE "user_permission" DROP COLUMN "tenant_id"`,
     );

Original file line number	Diff line number	Diff line change
`@@ -1,7 +1,6 @@`
`1`	`1`	`import { Injectable, CanActivate, ExecutionContext } from '@nestjs/common';`
`2`	`2`	`import { GqlExecutionContext } from '@nestjs/graphql';`
`3`	`3`	`import { AuthenticationHelper } from './authentication.helper';`
`4`		`-import { ExecutionManager } from '../util/execution.manager';`
`5`	`4`
`6`	`5`	`@Injectable()`
`7`	`6`	`export class AuthGuard implements CanActivate {`
`@@ -14,7 +13,6 @@ export class AuthGuard implements CanActivate {`
`14`	`13`	`if (token) {`
`15`	`14`	`const reqAuthToken = token.split(' ')[1];`
`16`	`15`	`ctx.user = this.authenticationHelper.validateAuthToken(reqAuthToken);`
`17`		`- ExecutionManager.setTenantId(ctx.user.tenantId);`
`18`	`16`	`return true;`
`19`	`17`	`}`
`20`	`18`	`}`