feat: update structure
- add Session class and context getter abstract class
- integrate with alembic and add alembic operations to detect rls policies

Co-authored-by: Ghaith Kdimati <[email protected]>
2 people authored and baraka95 committed Sep 27, 2024
1 parent 60b9aed commit 6bb58c8
Showing 21 changed files with 1,339 additions and 384 deletions.
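--- a/alembic.ini
+++ b/alembic.ini
@@ -0,0 +1,117 @@
+# A generic, single database configuration.
+
+[alembic]
+# path to migration scripts
+# Use forward slashes (/) also on windows to provide an os agnostic path
+script_location = alembic
+
+# template used to generate migration file names; The default value is %%(rev)s_%%(slug)s
+# Uncomment the line below if you want the files to be prepended with date and time
+# see https://alembic.sqlalchemy.org/en/latest/tutorial.html#editing-the-ini-file
+# for all available tokens
+# file_template = %%(year)d_%%(month).2d_%%(day).2d_%%(hour).2d%%(minute).2d-%%(rev)s_%%(slug)s
+
+# sys.path path, will be prepended to sys.path if present.
+# defaults to the current working directory.
+prepend_sys_path = .
+
+# timezone to use when rendering the date within the migration file
+# as well as the filename.
+# If specified, requires the python>=3.9 or backports.zoneinfo library.
+# Any required deps can installed by adding `alembic[tz]` to the pip requirements
+# string value is passed to ZoneInfo()
+# leave blank for localtime
+# timezone =
+
+# max length of characters to apply to the "slug" field
+# truncate_slug_length = 40
+
+# set to 'true' to run the environment during
+# the 'revision' command, regardless of autogenerate
+# revision_environment = false
+
+# set to 'true' to allow .pyc and .pyo files without
+# a source .py file to be detected as revisions in the
+# versions/ directory
+# sourceless = false
+
+# version location specification; This defaults
+# to alembic/versions. When using multiple version
+# directories, initial revisions must be specified with --version-path.
+# The path separator used here should be the separator specified by "version_path_separator" below.
+# version_locations = %(here)s/bar:%(here)s/bat:alembic/versions
+
+# version path separator; As mentioned above, this is the character used to split
+# version_locations. The default within new alembic.ini files is "os", which uses os.pathsep.
+# If this key is omitted entirely, it falls back to the legacy behavior of splitting on spaces and/or commas.
+# Valid values for version_path_separator are:
+#
+# version_path_separator = :
+# version_path_separator = ;
+# version_path_separator = space
+# version_path_separator = newline
+version_path_separator = os # Use os.pathsep. Default configuration used for new projects.
+
+# set to 'true' to search source files recursively
+# in each "version_locations" directory
+# new in Alembic version 1.10
+# recursive_version_locations = false
+
+# the output encoding used when revision files
+# are written from script.py.mako
+# output_encoding = utf-8
+
+sqlalchemy.url = postgresql://user:password@localhost/session
+
+
+[post_write_hooks]
+# post_write_hooks defines scripts or Python functions that are run
+# on newly generated revision scripts. See the documentation for further
+# detail and examples
+
+# format using "black" - use the console_scripts runner, against the "black" entrypoint
+# hooks = black
+# black.type = console_scripts
+# black.entrypoint = black
+# black.options = -l 79 REVISION_SCRIPT_FILENAME
+
+# lint with attempts to fix using "ruff" - use the exec runner, execute a binary
+# hooks = ruff
+# ruff.type = exec
+# ruff.executable = %(here)s/.venv/bin/ruff
+# ruff.options = --fix REVISION_SCRIPT_FILENAME
+
+# Logging configuration
+[loggers]
+keys = root,sqlalchemy,alembic
+
+[handlers]
+keys = console
+
+[formatters]
+keys = generic
+
+[logger_root]
+level = WARN
+handlers = console
+qualname =
+
+[logger_sqlalchemy]
+level = WARN
+handlers =
+qualname = sqlalchemy.engine
+
+[logger_alembic]
+level = INFO
+handlers =
+qualname = alembic
+
+[handler_console]
+class = StreamHandler
+args = (sys.stderr,)
+level = NOTSET
+formatter = generic
+
+[formatter_generic]
+format = %(levelname)-5.5s [%(name)s] %(message)s
+datefmt = %H:%M:%S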
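Review bot: `sqlalchemy.url = postgresql://user:password@localhost/session` in the [alembic] section commits a database DSN with embedded credentials; the values here look like placeholders, but the pattern means a real password lands in version control the first time someone edits this file for a deployed database. Prefer leaving the key blank in the committed file and setting it at runtime in env.py from the environment, e.g. `config.set_main_option("sqlalchemy.url", os.environ["DATABASE_URL"])` (variable name is an example), so the secret never lives in the repository. A one-line comment above the key stating that it is a local-development placeholder would also make the intent clear to the next reader.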
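--- a/alembic/README
+++ b/alembic/README
@@ -0,0 +1 @@
+Generic single-database configuration.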
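--- a/alembic/env.py
+++ b/alembic/env.py
@@ -0,0 +1,84 @@
+from logging.config import fileConfig
+
+from sqlalchemy import engine_from_config
+from sqlalchemy import pool
+
+from alembic import context
+from test.models import Base
+from rls.alembic_rls import set_metadata_info
+
+
+# this is the Alembic Config object, which provides
+# access to the values within the .ini file in use.
+config = context.config
+
+# Interpret the config file for Python logging.
+# This line sets up loggers basically.
+if config.config_file_name is not None:
+fileConfig(config.config_file_name)
+
+# add your model's MetaData object here
+# for 'autogenerate' support
+# from myapp import mymodel
+# target_metadata = mymodel.Base.metadata
+
+
+# TODO: change meta_data_info name to rls_base_wrapper(base: declarative_base)
+target_metadata = set_metadata_info(Base).metadata
+
+print("target_metadata", target_metadata.info)
+
+# other values from the config, defined by the needs of env.py,
+# can be acquired:
+# my_important_option = config.get_main_option("my_important_option")
+# ... etc.
+
+
+def run_migrations_offline() -> None:
+"""Run migrations in 'offline' mode.
+This configures the context with just a URL
+and not an Engine, though an Engine is acceptable
+here as well. By skipping the Engine creation
+we don't even need a DBAPI to be available.
+Calls to context.execute() here emit the given string to the
+script output.
+"""
+url = config.get_main_option("sqlalchemy.url")
+context.configure(
+url=url,
+target_metadata=target_metadata,
+literal_binds=True,
+dialect_opts={"paramstyle": "named"},
+)
+
+with context.begin_transaction():
+context.run_migrations()
+
+
+def run_migrations_online() -> None:
+"""Run migrations in 'online' mode.
+In this scenario we need to create an Engine
+and associate a connection with the context.
+"""
+connectable = engine_from_config(
+config.get_section(config.config_ini_section, {}),
+prefix="sqlalchemy.",
+poolclass=pool.NullPool,
+)
+
+with connectable.connect() as connection:
+context.configure(connection=connection, target_metadata=target_metadata)
+
+with context.begin_transaction():
+context.run_migrations()
+
+
+if context.is_offline_mode():
+run_migrations_offline()
+else:
+run_migrations_online()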
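Review bot: `print("target_metadata", target_metadata.info)` at module level runs on every Alembic invocation and dumps the whole metadata info dict (which, given the commit description, presumably carries the collected RLS policy definitions) to stdout; it reads as leftover debugging and should be removed or downgraded to `logging.getLogger("alembic").debug("target_metadata=%s", target_metadata.info)` now that fileConfig has set up logging. Separately, env.py imports `Base` from `test.models`, so the migration environment is wired to the test package; if this repository is meant to be consumed as a library, the target metadata should come from the consuming application and the test wiring belong in a test-only env. The `TODO: change meta_data_info name to rls_base_wrapper(...)` above the metadata assignment should be tracked or resolved before this lands, since it documents an API rename that callers of `set_metadata_info` would have to follow.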
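--- a/alembic/script.py.mako
+++ b/alembic/script.py.mako
@@ -0,0 +1,26 @@
+"""${message}
+
+Revision ID: ${up_revision}
+Revises: ${down_revision | comma,n}
+Create Date: ${create_date}
+
+"""
+from typing import Sequence, Union
+
+from alembic import op
+import sqlalchemy as sa
+${imports if imports else ""}
+
+# revision identifiers, used by Alembic.
+revision: str = ${repr(up_revision)}
+down_revision: Union[str, None] = ${repr(down_revision)}
+branch_labels: Union[str, Sequence[str], None] = ${repr(branch_labels)}
+depends_on: Union[str, Sequence[str], None] = ${repr(depends_on)}
+
+
+def upgrade() -> None:
+${upgrades if upgrades else "pass"}
+
+
+def downgrade() -> None:
+${downgrades if downgrades else "pass"}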
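--- a/alembic/versions/04ae15da6298_add_items_table.py
+++ b/alembic/versions/04ae15da6298_add_items_table.py
@@ -0,0 +1,58 @@
+"""add items table
+Revision ID: 04ae15da6298
+Revises:
+Create Date: 2024-09-26 14:39:13.438205
+"""
+
+from typing import Sequence, Union
+
+from alembic import op
+import sqlalchemy as sa
+
+
+# revision identifiers, used by Alembic.
+revision: str = "04ae15da6298"
+down_revision: Union[str, None] = None
+branch_labels: Union[str, Sequence[str], None] = None
+depends_on: Union[str, Sequence[str], None] = None
+
+
+def upgrade() -> None:
+# ### commands auto generated by Alembic - please adjust! ###
+op.create_table(
+"items",
+sa.Column("id", sa.Integer(), nullable=False),
+sa.Column("title", sa.String(), nullable=True),
+sa.Column("description", sa.String(), nullable=True),
+sa.Column("owner_id", sa.Integer(), nullable=True),
+sa.ForeignKeyConstraint(
+["owner_id"],
+["users.id"],
+),
+sa.PrimaryKeyConstraint("id"),
+)
+op.create_index(op.f("ix_items_id"), "items", ["id"], unique=False)
+op.create_index(op.f("ix_items_title"), "items", ["title"], unique=False)
+op.enable_rls("items")
+op.create_policy(
+table_name="items",
+policy_name="items_permissive_all_policy_0",
+cmd="ALL",
+definition="PERMISSIVE",
+expr="owner_id > NULLIF(current_setting('rls.items_sub_bearer_token_payload_condition_0_policy_0', true),'')::INTEGER",
+)
+op.disable_rls("users")
+# ### end Alembic commands ###
+
+
+def downgrade() -> None:
+# ### commands auto generated by Alembic - please adjust! ###
+op.enable_rls("users")
+op.drop_policy(tablename="items", policyname="items_permissive_all_policy_0")
+op.disable_rls("items")
+op.drop_index(op.f("ix_items_title"), table_name="items")
+op.drop_index(op.f("ix_items_id"), table_name="items")
+op.drop_table("items")
+# ### end Alembic commands ###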
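Review bot: upgrade() ends with `op.disable_rls("users")` and downgrade() begins with `op.enable_rls("users")`, so a migration titled "add items table" also switches row-level security off on the users table, which is a security-relevant change a reader of the title would not expect. If that line is an autogenerate side effect (users carries no RLS policies, so the comparison emits a disable), the comparator should emit disable_rls only when RLS is actually enabled on the live table, and the generated script should carry a comment such as `# RLS on users was detected as enabled in the database but no policies are declared on the model` so the reviewer can judge it; I cannot tell from this page which case applies. The two custom operations also disagree on keyword names, `create_policy(table_name=..., policy_name=...)` versus `drop_policy(tablename=..., policyname=...)`; aligning drop_policy with create_policy would avoid a trap for anyone hand-editing migrations. The policy expression compares `owner_id >` the session setting rather than `=`; confirm against the model's policy definition that an ordering comparison is intended, since for an ownership check it would grant rows to every lower-numbered owner.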
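--- a/delete-policies.sql
+++ b/delete-policies.sql
@@ -0,0 +1,12 @@
+DO $$
+DECLARE
+r RECORD;
+BEGIN
+FOR r IN
+SELECT policyname
+FROM pg_policies
+WHERE tablename = 'items'
+LOOP
+EXECUTE 'DROP POLICY ' || quote_ident(r.policyname) || ' ON items';
+END LOOP;
+END $$;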
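Review bot: the cursor filters pg_policies on `tablename = 'items'` without `schemaname`, while the generated `DROP POLICY ... ON items` resolves the table through the current search_path; if a same-named table exists in another schema the two can refer to different tables and the DROP either fails or removes policies from the wrong one. Select the schema as well and build the statement from the row, e.g. `SELECT schemaname, policyname FROM pg_policies WHERE schemaname = current_schema() AND tablename = 'items'` and `EXECUTE format('DROP POLICY %I ON %I.%I', r.policyname, r.schemaname, 'items');`, which also replaces the manual quote_ident concatenation. Dropping every policy while RLS stays enabled leaves items deny-by-default for non-owners, which is fine for a development reset script but worth stating in a header comment such as `-- dev helper: removes all policies on items; RLS remains enabled so the table is inaccessible until policies are recreated`.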
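--- a/document.md
+++ b/document.md
@@ -0,0 +1,37 @@
+### Custom expression
+
+The user gives us a parametrized expression and array of conidition_args
+
+```python
+__rls_policies__ = [
+Permissive(
+condition_args=[
+{
+"comparator_name": "sub",
+"comparator_source": ComparatorSource.bearerTokenPayload,
+"operation": Operation.equality,
+"type": ExpressionTypes.integer,
+"column_name": "owner_id",
+},
+{
+"comparator_name": "title",
+"comparator_source": ComparatorSource.bearerTokenPayload,
+"operation": Operation.equality,
+"type": ExpressionTypes.text,
+"column_name": "title",
+},
+{
+"comparator_name": "description",
+"comparator_source": ComparatorSource.bearerTokenPayload,
+"operation": Operation.equality,
+"type": ExpressionTypes.text,
+"column_name": "description",
+},
+],
+cmd=[Command.all],
+expr= "{0} AND ({1} OR {2})",
+)
+]
+```
+
+you can pass multiple expressions and in the `expr` field specify their joining conditions.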