BYPASSRLS admin policy falllback (#4493)

* BYPASSRLS admin policy falllback * use fixed list instead --------- Co-authored-by: Ruben Fiszel <[email protected]>
windmill-labs · Oct 8, 2024 · e44decb · e44decb
1 parent 644dd87
commit e44decb
Show file tree

Hide file tree

Showing 6 changed files with 25 additions and 78 deletions.
diff --git a/backend/.sqlx/query-722a3096f03d25ef94292d53801d41037de4bc69dd434232029c731cbbcbc22f.json b/backend/.sqlx/query-722a3096f03d25ef94292d53801d41037de4bc69dd434232029c731cbbcbc22f.json
diff --git a/backend/.sqlx/query-eb1f916f9beea3eea83ce359f5305d0cfb0d6cdba9cc56c6139f57e46345f843.json b/backend/.sqlx/query-eb1f916f9beea3eea83ce359f5305d0cfb0d6cdba9cc56c6139f57e46345f843.json
diff --git a/backend/custom_migrations/bypassrls_1.sql b/backend/custom_migrations/bypassrls_1.sql
diff --git a/backend/migrations/20241006144414_admin_policy.down.sql b/backend/migrations/20241006144414_admin_policy.down.sql
@@ -0,0 +1 @@
+-- Add down migration script here
diff --git a/backend/migrations/20241006144414_admin_policy.up.sql b/backend/migrations/20241006144414_admin_policy.up.sql
@@ -0,0 +1,24 @@
+-- Add up migration script here
+DO
+$$
+DECLARE
+    tbl_name text;
+   	policy_exists boolean;
+    tbl_names text[] := ARRAY['account', 'app', 'audit', 'capture', 'completed_job', 'flow', 'folder', 'http_trigger', 'queue', 'raw_app', 'resource', 'schedule', 'script', 'usr_to_group', 'variable'];
+BEGIN
+    FOR tbl_name IN SELECT unnest(tbl_names)
+    LOOP
+        SELECT EXISTS (
+            SELECT 1 
+            FROM pg_policies 
+            WHERE schemaname = 'public'
+              AND tablename = tbl_name
+              AND policyname = 'admin_policy'
+        ) INTO policy_exists;
+
+       	IF NOT policy_exists THEN
+        	EXECUTE format('CREATE POLICY admin_policy ON %I TO windmill_admin USING (true);', tbl_name);
+       	END IF;
+    END LOOP;
+END;
+$$;
diff --git a/backend/windmill-api/src/db.rs b/backend/windmill-api/src/db.rs
@@ -199,11 +199,6 @@ pub async fn migrate(db: &DB) -> Result<(), Error> {
         Err(err) => Err(err),
     }?;
 
-    #[cfg(feature = "enterprise")]
-    if let Err(e) = windmill_migrations(&mut custom_migrator, db).await {
-        tracing::error!("Could not apply windmill custom migrations: {e:#}")
-    }
-
     Ok(())
 }
 
@@ -497,33 +492,6 @@ async fn fix_job_completed_index(db: &DB) -> Result<(), Error> {
     Ok(())
 }
 
-#[cfg(feature = "enterprise")]
-async fn windmill_migrations(migrator: &mut CustomMigrator, db: &DB) -> Result<(), Error> {
-    if std::env::var("MIGRATION_NO_BYPASSRLS").is_ok() {
-        migrator.lock().await?;
-        let has_done_migration = sqlx::query_scalar!(
-            "SELECT EXISTS(SELECT name FROM windmill_migrations WHERE name = 'bypassrls_1-2')",
-        )
-        .fetch_one(db)
-        .await?
-        .unwrap_or(false);
-
-        if !has_done_migration {
-            let query = include_str!("../../custom_migrations/bypassrls_1.sql");
-            tracing::info!("Applying bypassrls_1.sql");
-            let mut tx: sqlx::Transaction<'_, Postgres> = db.begin().await?;
-            tx.execute(query).await?;
-            tracing::info!("Applied bypassrls_1.sql");
-            sqlx::query!("INSERT INTO windmill_migrations (name) VALUES ('bypassrls_1-2')")
-                .execute(&mut *tx)
-                .await?;
-            tx.commit().await?;
-        }
-        migrator.unlock().await?;
-    }
-    Ok(())
-}
-
 #[derive(Clone, Debug)]
 pub struct ApiAuthed {
     pub email: String,