Support accessing non-tenanted/instanced tables with tenanted/instanced roles

krishnamiriyala · krishnamiriyala · commit 13c58b6fedab · 2023-09-25T12:53:52.000-07:00
diff --git a/pkg/authorizer/authorizer_test.go b/pkg/authorizer/authorizer_test.go
@@ -47,7 +47,7 @@ func testGettingOrgFromContext(t *testing.T, authorizer Authorizer) {
 
 	ctx = metadata.NewIncomingContext(context.Background(), metadata.Pairs(METADATA_KEY_ORGID, PEPSI))
 	orgId, err := authorizer.GetOrgFromContext(ctx)
-	assert.Nil(err)
+	assert.NoError(err)
 	assert.Equal(PEPSI, orgId)
 }
 
@@ -63,41 +63,51 @@ func TestGettingMatchingDbRoleWithMetadataBasedAuthorizer(t *testing.T) {
 
 	gCtx := authorizer.GetDefaultOrgAdminContext()
 	dbRole, err := authorizer.GetMatchingDbRole(gCtx, "appUser", "app")
-	assert.Nil(err)
+	assert.NoError(err)
 	assert.Equal(dbrole.TENANT_WRITER, dbRole)
 
 	aCtx := metadata.NewIncomingContext(context.Background(), metadata.Pairs(METADATA_KEY_ORGID, PEPSI, METADATA_KEY_ROLE, METADATA_ROLE_SERVICE_ADMIN))
 	dbRole, err = authorizer.GetMatchingDbRole(aCtx, "appUser", "app")
-	assert.Nil(err)
+	assert.NoError(err)
 	assert.Equal(dbrole.WRITER, dbRole)
 
 	uCtx := metadata.NewIncomingContext(context.Background(), metadata.Pairs(METADATA_KEY_ORGID, PEPSI, METADATA_KEY_ROLE, METADATA_ROLE_SERVICE_AUDITOR))
 	dbRole, err = authorizer.GetMatchingDbRole(uCtx, "appUser", "app")
-	assert.Nil(err)
+	assert.NoError(err)
 	assert.Equal(dbrole.READER, dbRole)
 
 	wCtx := metadata.NewIncomingContext(context.Background(), metadata.Pairs(METADATA_KEY_ORGID, PEPSI, METADATA_KEY_ROLE, METADATA_ROLE_ADMIN))
 	dbRole, err = authorizer.GetMatchingDbRole(wCtx, "appUser", "app")
-	assert.Nil(err)
+	assert.NoError(err)
 	assert.Equal(dbrole.TENANT_WRITER, dbRole)
 
 	rCtx := metadata.NewIncomingContext(context.Background(), metadata.Pairs(METADATA_KEY_ORGID, PEPSI, METADATA_KEY_ROLE, METADATA_ROLE_AUDITOR))
 	dbRole, err = authorizer.GetMatchingDbRole(rCtx, "appUser", "app")
-	assert.Nil(err)
+	assert.NoError(err)
 	assert.Equal(dbrole.TENANT_READER, dbRole)
 }
 
 /*
 Checks if updating role mapping in MetadataBasedAuthorizer works.
 */
 func TestConfiguringMetadataBasedAuthorizer(t *testing.T) {
-	authorizer := &MetadataBasedAuthorizer{}
+	assert := assert.New(t)
 
+	authorizer := &MetadataBasedAuthorizer{}
 	newRoleMapping := map[string]map[string]dbrole.DbRole{
 		"app": {
-			"SERVICE_ADMIN": dbrole.WRITER,
+			"SERVICE_ADMIN": dbrole.READER,
 		},
 	}
-
 	authorizer.Configure("app", newRoleMapping["app"])
+
+	ctx := metadata.NewIncomingContext(context.Background(), metadata.Pairs(METADATA_KEY_ROLE, "SERVICE_ADMIN"))
+	dbRole, err := authorizer.GetMatchingDbRole(ctx, "app")
+	assert.NoError(err)
+	assert.Equal(dbrole.READER, dbRole)
+
+	ctx = metadata.NewIncomingContext(context.Background(), metadata.Pairs(METADATA_KEY_ROLE, "SERVICE_OP"))
+	dbRole, err = authorizer.GetMatchingDbRole(ctx, "app")
+	assert.NoError(err)
+	assert.Equal(dbrole.TENANT_READER, dbRole)
 }
diff --git a/pkg/datastore/database.go b/pkg/datastore/database.go
@@ -622,15 +622,15 @@ func (db *relationalDb) RegisterHelper(_ context.Context, roleMapping map[string
 // This function considers multi-tenancy and multi-instance configurations to determine
 // the users relevant to the given table.
 func (db *relationalDb) GetDbUsers(record Record, tableName string) []dbUserSpec {
-	users := getDbUsers(tableName, false, false)
-	if IsMultiTenanted(record, tableName) {
-		users = append(users, getDbUsers(tableName, true, false)...)
-		if IsMultiInstanced(record, tableName, db.instancer != nil) {
-			users = append(users, getDbUsers(tableName, true, true)...)
-		}
-	} else if IsMultiInstanced(record, tableName, db.instancer != nil) {
-		users = append(users, getDbUsers(tableName, false, true)...)
-	}
+	tableTenanted := IsMultiTenanted(record, tableName)
+	tableInstanced := IsMultiInstanced(record, tableName, db.instancer != nil)
+	// Create all users but with conditions set based on whether the role and the table configuration
+	// Tenant role without tenant column would not set the condition for tenant
+	// Insntacer role without instance column would not set the condition for instancer
+	users := getDbUsers(tableName, false, false, false, false)
+	users = append(users, getDbUsers(tableName, true, false, tableTenanted, false)...)
+	users = append(users, getDbUsers(tableName, false, true, false, tableInstanced)...)
+	users = append(users, getDbUsers(tableName, true, true, tableTenanted, tableInstanced)...)
 	return users
 }
 
diff --git a/pkg/datastore/datastore_test.go b/pkg/datastore/datastore_test.go
@@ -729,6 +729,6 @@ func TestTransactions(t *testing.T) {
 	assert.NoError(err)
 
 	testSingleTableTransactions(t, ds, ps)
-	// testMultiTableTransactions(t, ds, ps)
-	// testMultiProtoTransactions(t, ds, ps)
+	testMultiTableTransactions(t, ds, ps)
+	testMultiProtoTransactions(t, ds, ps)
 }
diff --git a/pkg/datastore/db_user.go b/pkg/datastore/db_user.go
@@ -73,7 +73,7 @@ func (spec dbUserSpec) String() string {
 }
 
 func getDbUser(dbRole dbrole.DbRole) dbUserSpec {
-	for _, spec := range getAllDbUsers("ANY") {
+	for _, spec := range getAllDbUsers() {
 		if spec.username == dbRole {
 			return spec
 		}
@@ -86,35 +86,40 @@ Generates specifications of 2 DB users:
 - user with read-only access (to specific org/instance)
 - user with read-write access (to specific org/instance)
 All the users have additional conditions to restrict access to records
-belonging to specific instance, if withInstanceIdCheck is set.
+belonging to specific instance, if instancerRole is set.
 */
-func getDbUsers(tableName string, withTenantIdCheck, withInstanceIdCheck bool) []dbUserSpec {
+func getDbUsers(tableName string, tenantRole, instancerRole bool, isTableTenanted, isTableInstanced bool) []dbUserSpec {
 	readerCommands := []string{"SELECT"}
 	writerCommands := []string{"SELECT", "INSERT", "UPDATE", "DELETE"}
 
 	tenantCond := COLUMN_ORGID + " = current_setting('" + DbConfigOrgId + "')"
 	instanceCond := COLUMN_INSTANCEID + " = current_setting('" + DbConfigInstanceId + "')"
 	tenantInstanceCond := tenantCond + " AND " + instanceCond
 
-	cond := "true"
 	rwUser := dbrole.WRITER
 	rUser := dbrole.READER
-
 	switch {
-	case withInstanceIdCheck && withTenantIdCheck:
-		cond = tenantInstanceCond
+	case tenantRole && instancerRole:
 		rwUser = dbrole.TENANT_INSTANCE_WRITER
 		rUser = dbrole.TENANT_INSTANCE_READER
-	case withTenantIdCheck:
-		cond = tenantCond
+	case tenantRole:
 		rwUser = dbrole.TENANT_WRITER
 		rUser = dbrole.TENANT_READER
-	case withInstanceIdCheck:
-		cond = instanceCond
+	case instancerRole:
 		rwUser = dbrole.INSTANCE_WRITER
 		rUser = dbrole.INSTANCE_READER
 	}
 
+	cond := "true"
+	switch {
+	case isTableInstanced && isTableTenanted:
+		cond = tenantInstanceCond
+	case isTableTenanted:
+		cond = tenantCond
+	case isTableInstanced:
+		cond = instanceCond
+	}
+
 	writer := dbUserSpec{
 		username:         rwUser,
 		commands:         writerCommands,
@@ -134,8 +139,8 @@ func getDbUsers(tableName string, withTenantIdCheck, withInstanceIdCheck bool) [
 		dbUsers[i].password = getPassword(string(dbUsers[i].username))
 		dbUsers[i].policyName = getRlsPolicyName(string(dbUsers[i].username), tableName)
 	}
-	TRACE("Returning DB user specs for table %q:\n\twithTenantIdCheck - %t\n\twithInstanceIdCheck -  %t\n\tdbUsers - %+v\n",
-		tableName, withTenantIdCheck, withInstanceIdCheck, dbUsers)
+	TRACE("Returning DB user specs for table %q:\n\t[roleT=%s, roleI=%s, tableT=%s, tableI=%s]\n\tdbUsers - %+v\n",
+		tableName, tenantRole, instancerRole, isTableTenanted, isTableInstanced, dbUsers)
 	return dbUsers
 }
 
@@ -147,11 +152,12 @@ func getPassword(username string) string {
 	return strconv.FormatInt(int64(h.Sum32()), 16)
 }
 
-func getAllDbUsers(tableName string) []dbUserSpec {
+func getAllDbUsers() []dbUserSpec {
+	tableName := "ANY" // The returned user specs are for creating users only not policies
 	allDbUsers := make([]dbUserSpec, 0)
-	allDbUsers = append(allDbUsers, getDbUsers(tableName, false, false)...)
-	allDbUsers = append(allDbUsers, getDbUsers(tableName, false, true)...)
-	allDbUsers = append(allDbUsers, getDbUsers(tableName, true, false)...)
-	allDbUsers = append(allDbUsers, getDbUsers(tableName, true, true)...)
+	allDbUsers = append(allDbUsers, getDbUsers(tableName, false, false, true, true)...)
+	allDbUsers = append(allDbUsers, getDbUsers(tableName, false, true, false, true)...)
+	allDbUsers = append(allDbUsers, getDbUsers(tableName, true, false, true, false)...)
+	allDbUsers = append(allDbUsers, getDbUsers(tableName, true, true, true, true)...)
 	return allDbUsers
 }
diff --git a/pkg/datastore/helper.go b/pkg/datastore/helper.go
@@ -134,7 +134,7 @@ func FromConfig(l *logrus.Entry, a authorizer.Authorizer, instancer authorizer.I
 			}
 
 			// Create Users when the MAIN connection to DB is established
-			for _, dbUserSpec := range getAllDbUsers("ANY") {
+			for _, dbUserSpec := range getAllDbUsers() {
 				stmt := getCreateUserStmt(string(dbUserSpec.username), dbUserSpec.password)
 				if tx := db.gormDBMap[dbrole.MAIN].Exec(stmt); tx.Error != nil {
 					err = ErrExecutingSqlStmt.Wrap(tx.Error).WithValue(SQL_STMT, stmt).WithValue(DB_NAME, db.dbName)
diff --git a/pkg/datastore/sql_struct.go b/pkg/datastore/sql_struct.go
@@ -252,7 +252,7 @@ func GetTableName(x interface{}) (tableName string) {
 
 // Generates RLS-policy name based on database role/user and table name.
 func getRlsPolicyName(username string, tableName string) string {
-	policyName := strings.ToLower(username + "_" + tableName + "_v2")
+	policyName := strings.ToLower(username + "_" + tableName + "_policy_v2")
 	policyName = strings.ReplaceAll(policyName, "\"", "")
 	return policyName
 }
diff --git a/pkg/datastore/transaction_test.go b/pkg/datastore/transaction_test.go
@@ -28,6 +28,7 @@ import (
 	"github.com/vmware-labs/multi-tenant-persistence-for-saas/pkg/datastore"
 	"github.com/vmware-labs/multi-tenant-persistence-for-saas/pkg/protostore"
 	. "github.com/vmware-labs/multi-tenant-persistence-for-saas/test"
+	"github.com/vmware-labs/multi-tenant-persistence-for-saas/test/pb"
 )
 
 func testSingleTableTransactions(t *testing.T, ds datastore.DataStore, ps protostore.ProtoStore) {
@@ -118,7 +119,6 @@ func testSingleTableTransactions(t *testing.T, ds datastore.DataStore, ps protos
 	assert.NoError(tx.Error)
 }
 
-/* FIXME(miriyalak): Enable test with non conflicting role bindings
 func testMultiTableTransactions(t *testing.T, ds datastore.DataStore, ps protostore.ProtoStore) {
 	t.Helper()
 	assert := assert.New(t)
@@ -329,4 +329,3 @@ func testMultiProtoTransactions(t *testing.T, ds datastore.DataStore, ps protost
 	assert.NoError(err)
 	t.Log("Purging pb.Disk after soft delete succeeded")
 }
-*/

Original file line number	Diff line number	Diff line change
`@@ -729,6 +729,6 @@ func TestTransactions(t *testing.T) {`
`729`	`729`	`assert.NoError(err)`
`730`	`730`
`731`	`731`	`testSingleTableTransactions(t, ds, ps)`
`732`		`- // testMultiTableTransactions(t, ds, ps)`
`733`		`- // testMultiProtoTransactions(t, ds, ps)`
	`732`	`+ testMultiTableTransactions(t, ds, ps)`
	`733`	`+ testMultiProtoTransactions(t, ds, ps)`
`734`	`734`	`}`
Original file line number	Diff line number	Diff line change
`@@ -134,7 +134,7 @@ func FromConfig(l *logrus.Entry, a authorizer.Authorizer, instancer authorizer.I`
`134`	`134`	`}`
`135`	`135`
`136`	`136`	`// Create Users when the MAIN connection to DB is established`
`137`		`- for _, dbUserSpec := range getAllDbUsers("ANY") {`
	`137`	`+ for _, dbUserSpec := range getAllDbUsers() {`
`138`	`138`	`stmt := getCreateUserStmt(string(dbUserSpec.username), dbUserSpec.password)`
`139`	`139`	`if tx := db.gormDBMap[dbrole.MAIN].Exec(stmt); tx.Error != nil {`
`140`	`140`	`err = ErrExecutingSqlStmt.Wrap(tx.Error).WithValue(SQL_STMT, stmt).WithValue(DB_NAME, db.dbName)`
Original file line number	Diff line number	Diff line change
`@@ -252,7 +252,7 @@ func GetTableName(x interface{}) (tableName string) {`
`252`	`252`
`253`	`253`	`// Generates RLS-policy name based on database role/user and table name.`
`254`	`254`	`func getRlsPolicyName(username string, tableName string) string {`
`255`		`- policyName := strings.ToLower(username + "_" + tableName + "_v2")`
	`255`	`+ policyName := strings.ToLower(username + "_" + tableName + "_policy_v2")`
`256`	`256`	`policyName = strings.ReplaceAll(policyName, "\"", "")`
`257`	`257`	`return policyName`
`258`	`258`	`}`
Original file line number	Diff line number	Diff line change
`@@ -28,6 +28,7 @@ import (`
`28`	`28`	`"github.com/vmware-labs/multi-tenant-persistence-for-saas/pkg/datastore"`
`29`	`29`	`"github.com/vmware-labs/multi-tenant-persistence-for-saas/pkg/protostore"`
`30`	`30`	`. "github.com/vmware-labs/multi-tenant-persistence-for-saas/test"`
	`31`	`+ "github.com/vmware-labs/multi-tenant-persistence-for-saas/test/pb"`
`31`	`32`	`)`
`32`	`33`
`33`	`34`	`func testSingleTableTransactions(t *testing.T, ds datastore.DataStore, ps protostore.ProtoStore) {`
`@@ -118,7 +119,6 @@ func testSingleTableTransactions(t *testing.T, ds datastore.DataStore, ps protos`
`118`	`119`	`assert.NoError(tx.Error)`
`119`	`120`	`}`
`120`	`121`
`121`		`-/* FIXME(miriyalak): Enable test with non conflicting role bindings`
`122`	`122`	`func testMultiTableTransactions(t *testing.T, ds datastore.DataStore, ps protostore.ProtoStore) {`
`123`	`123`	`t.Helper()`
`124`	`124`	`assert := assert.New(t)`
`@@ -329,4 +329,3 @@ func testMultiProtoTransactions(t *testing.T, ds datastore.DataStore, ps protost`
`329`	`329`	`assert.NoError(err)`
`330`	`330`	`t.Log("Purging pb.Disk after soft delete succeeded")`
`331`	`331`	`}`
`332`		`-*/`