{"id":22918221,"url":"https://github.com/stlbucket/pg-rls-util","last_synced_at":"2025-04-01T13:17:04.947Z","repository":{"id":39632320,"uuid":"286457595","full_name":"stlbucket/pg-rls-util","owner":"stlbucket","description":null,"archived":false,"fork":false,"pushed_at":"2023-10-19T22:32:59.000Z","size":1377,"stargazers_count":0,"open_issues_count":12,"forks_count":0,"subscribers_count":1,"default_branch":"master","last_synced_at":"2025-04-01T00:31:38.161Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/stlbucket.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null},"funding":{"github":["jsynowiec"],"patreon":null,"open_collective":null,"ko_fi":null,"tidelift":null,"community_bridge":null,"liberapay":null,"issuehunt":null,"otechie":null,"custom":null}},"created_at":"2020-08-10T11:35:05.000Z","updated_at":"2021-11-18T17:19:38.000Z","dependencies_parsed_at":"2023-02-12T04:01:55.221Z","dependency_job_id":"6bbdb390-8fed-440c-bc8c-ac366e39386f","html_url":"https://github.com/stlbucket/pg-rls-util","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":"jsynowiec/node-typescript-boilerplate","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/stlbucket%2Fpg-rls-util","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/stlbucket%2Fpg-rls-util/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/stlbucket%2Fpg-rls-util/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/stlbucket%2Fpg-rls-util/ma
nifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/stlbucket","download_url":"https://codeload.github.com/stlbucket/pg-rls-util/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":246644099,"owners_count":20810687,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-12-14T06:29:26.776Z","updated_at":"2025-04-01T13:17:04.918Z","avatar_url":"https://github.com/stlbucket.png","language":"TypeScript","funding_links":["https://github.com/sponsors/jsynowiec"],"categories":[],"sub_categories":[],"readme":"# pg-rls-util\na tool to manage clean generation of postgres row level security scripts\nbasic usage and to view help:\n```\nnpx pg-rls-util\n```\nshould give you\n```\npg-rls-util \u003ccommand\u003e\n\nCommands:\n  pg-rls-util init      initialize the current draft or an entire project\n                                                                    [aliases: i]\n  pg-rls-util generate  generate all policy scripts                 [aliases: g]\n  pg-rls-util release   copy current-draft dir to a new release dir [aliases: r]\n  pg-rls-util diff      examine differences between current draft assignments\n                        and db introspection                        [aliases: d]\n  pg-rls-util merge     merge current-diff into table and function assignments,\n                        removing and adding entries as appropriate. 
[aliases: m]\n\nOptions:\n  --version  Show version number                                       [boolean]\n  --help     Show help                                                 [boolean]\n  ```\n## graphile starter\n### create db\nwith the graphile-starter schema located here: https://github.com/graphile/starter/blob/main/data/schema.sql\n### init\nperform initial db introspection and table assignment.  the default configuration for graphile-starter should do this automatically\n```\nnpx pg-rls-util init -x -c postgres://[USER]:[PWD]@[HOST]:[PORT]/[DB_NAME] -s app_hidden,app_private,app_public -p graphile-starter\n```\n### review files in pg-rls-util-gen/current-draft directory\n- roles.json: not really meant to be edited, but it could be\n  - graphile_starter\n  - graphile_starter_authenticator\n  - graphile_starter_visitor\n- script-templates.json: currently poorly formatted - json5? - later could be edited, but may remove??\n- table-security-profiles.json: meant to be edited\n- table-profile-assignments.json: meant to be edited\n- function-security-profiles.json: meant to be edited\n- function-profile-assignments.json: meant to be edited\n### generate\ncreates the *current-draft/artifacts* directory\n```\nnpx pg-rls-util generate\n```\nscripts created include:\n- one-script-to-rule-them-all.sql\n  - all table and function policies across all schemata\n  - does NOT affect any existing rls policies\n- all-table-policies---all-schemata.sql\n- all-function-policies---all-schemata.sql\n- create-roles.sql\n  - will create any missing roles that are needed\n- ownership.sql\n  - ensure that all schemas/tables/functions are owned by the proper user\n- remove-all-rls.sql\n  - optional script that will remove any existing rls policies across the entire database\n  - maybe useful if you are trying to apply a new security procedure to an old database\n\neach schema will have rollup scripts as well as function and table scripts to quickly view the impact of a portion of the overall security policy on just one table.\n\nfor instance, *pg-rls-util-gen/current-draft/artifacts/app_public/tableScripts/users.sql*\n```\n-- to run this sql:\n--\n-- psql -h 0.0.0.0 -U postgres -d graphile_starter -f /Users/buckfactor/tmp/pg-rls-util-gen/current-draft/artifacts/app_public/tableScripts/users.sql\n\n-- this script is meant to be used during development                 ----------------------\n-- to give a quick view of the before and after state for table:      app_public.users\nbegin;\n\\echo\n\\echo ........\n\\echo ....DETAILED TABLE INFORMATION\n\\echo ........\n\\d+ app_public.users\n\\echo\n\\echo ........\n\\echo ....SECURITY BEFORE SCRIPT EXECUTES\n\\echo ........\n\\dp+ app_public.users\n\n\\echo\n\\echo ........\n\\echo ....LEAVING ANY EXISTING RLS INTACT\n\\echo ....this setting can be controlled by table-security-profiles.includeTableRlsRemoval setting\n\\echo ........\n\n\\echo\n\\echo ........\n\\echo ....now executing actual table script\n\\echo ........\n\n----******\n----******  BEGIN TABLE POLICY: app_public.users\n----******  TABLE SECURITY PROFILE:  graphile-starter:: app_public.users\n----******\n----------  REMOVE EXISTING TABLE GRANTS\n  revoke all privileges on table app_public.users\n  from public,\n       graphile_starter_visitor\n  ;\n\n----------  ENABLE ROW LEVEL SECURITY: app_public.users\n  alter table app_public.users enable row level security;\n\n  drop policy if exists select_all on app_public.users;\n  create policy select_all on app_public.users as PERMISSIVE for SELECT to graphile_starter_visitor using (true);\n  drop policy if exists update_self on app_public.users;\n  create policy update_self on app_public.users as PERMISSIVE for UPDATE to graphile_starter_visitor with check (id = app_public.current_user_id());\n\n----------  CREATE NEW TABLE GRANTS: app_public.users\n\n----------  graphile_starter_visitor\n  grant\n    SELECT ,\n    UPDATE (username, name, avatar_url)\n       --  excluded columns for UPDATE: id, created_at, is_admin, is_verified, updated_at\n  on table app_public.users to graphile_starter_visitor;\n\n\n----*******  END TABLE POLICY: app_public.users\n--**\n\n\n\\echo\n\\echo ........\n\\echo ....SECURITY AFTER SCRIPT EXECUTES\n\\echo ........\n\\dp+ app_public.users;\nrollback;\n```\n### release\ncopy the current draft over to a numbered release.  really, you will also want to copy one or more of the generated scripts over to your own db change management tool.  but this is a way to snapshot your work as you go along and could be more tightly coupled via automation\n```\nnpx pg-rls-util release\n```\n### diff\nlater, when you have added new tables and functions, diff freshly introspects the database to help identify and review differences.\n```\nnpx pg-rls-util diff\n```\nthis will create *current-draft/current-diff.json*\n### merge\nfold current-diff.json into table-profile-assignments.json and function-profile-assignments.json\n```\nnpx pg-rls-util merge\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fstlbucket%2Fpg-rls-util","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fstlbucket%2Fpg-rls-util","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fstlbucket%2Fpg-rls-util/lists"}