feat: table privileges

Author: soedirgo

src/lib/PostgresMeta.ts

@@ -11,6 +11,7 @@ import PostgresMetaPublications from './PostgresMetaPublications.js'
 import PostgresMetaRelationships from './PostgresMetaRelationships.js'
 import PostgresMetaRoles from './PostgresMetaRoles.js'
 import PostgresMetaSchemas from './PostgresMetaSchemas.js'
+import PostgresMetaTablePrivileges from './PostgresMetaTablePrivileges.js'
 import PostgresMetaTables from './PostgresMetaTables.js'
 import PostgresMetaTriggers from './PostgresMetaTriggers.js'
 import PostgresMetaTypes from './PostgresMetaTypes.js'
@@ -34,6 +35,7 @@ export default class PostgresMeta {
   roles: PostgresMetaRoles
   schemas: PostgresMetaSchemas
   tables: PostgresMetaTables
+  tablePrivileges: PostgresMetaTablePrivileges
   triggers: PostgresMetaTriggers
   types: PostgresMetaTypes
   version: PostgresMetaVersion
@@ -58,6 +60,7 @@ export default class PostgresMeta {
     this.relationships = new PostgresMetaRelationships(this.query)
     this.roles = new PostgresMetaRoles(this.query)
     this.schemas = new PostgresMetaSchemas(this.query)
+    this.tablePrivileges = new PostgresMetaTablePrivileges(this.query)
     this.tables = new PostgresMetaTables(this.query)
     this.triggers = new PostgresMetaTriggers(this.query)
     this.types = new PostgresMetaTypes(this.query)

src/lib/PostgresMetaTablePrivileges.ts

@@ -0,0 +1,170 @@
+import { ident, literal } from 'pg-format'
+import { DEFAULT_SYSTEM_SCHEMAS } from './constants.js'
+import { filterByList } from './helpers.js'
+import { tablePrivilegesSql } from './sql/index.js'
+import {
+  PostgresMetaResult,
+  PostgresTablePrivileges,
+  PostgresTablePrivilegesGrant,
+  PostgresTablePrivilegesRevoke,
+} from './types.js'
+
+export default class PostgresMetaTablePrivileges {
+  query: (sql: string) => Promise<PostgresMetaResult<any>>
+
+  constructor(query: (sql: string) => Promise<PostgresMetaResult<any>>) {
+    this.query = query
+  }
+
+  async list({
+    includeSystemSchemas = false,
+    includedSchemas,
+    excludedSchemas,
+    limit,
+    offset,
+  }: {
+    includeSystemSchemas?: boolean
+    includedSchemas?: string[]
+    excludedSchemas?: string[]
+    limit?: number
+    offset?: number
+  } = {}): Promise<PostgresMetaResult<PostgresTablePrivileges[]>> {
+    let sql = `
+with table_privileges as (${tablePrivilegesSql})
+select *
+from table_privileges
+`
+    const filter = filterByList(
+      includedSchemas,
+      excludedSchemas,
+      !includeSystemSchemas ? DEFAULT_SYSTEM_SCHEMAS : undefined
+    )
+    if (filter) {
+      sql += ` where schema ${filter}`
+    }
+    if (limit) {
+      sql += ` limit ${limit}`
+    }
+    if (offset) {
+      sql += ` offset ${offset}`
+    }
+    return await this.query(sql)
+  }
+
+  async retrieve({ id }: { id: number }): Promise<PostgresMetaResult<PostgresTablePrivileges>>
+  async retrieve({
+    name,
+    schema,
+  }: {
+    name: string
+    schema: string
+  }): Promise<PostgresMetaResult<PostgresTablePrivileges>>
+  async retrieve({
+    id,
+    name,
+    schema = 'public',
+  }: {
+    id?: number
+    name?: string
+    schema?: string
+  }): Promise<PostgresMetaResult<PostgresTablePrivileges>> {
+    if (id) {
+      const sql = `
+with table_privileges as (${tablePrivilegesSql})
+select *
+from table_privileges
+where table_privileges.relation_id = ${literal(id)};`
+      const { data, error } = await this.query(sql)
+      if (error) {
+        return { data, error }
+      } else if (data.length === 0) {
+        return { data: null, error: { message: `Cannot find a relation with ID ${id}` } }
+      } else {
+        return { data: data[0], error }
+      }
+    } else if (name) {
+      const sql = `
+with table_privileges as (${tablePrivilegesSql})
+select *
+from table_privileges
+where table_privileges.schema = ${literal(schema)}
+  and table_privileges.name = ${literal(name)}
+`
+      const { data, error } = await this.query(sql)
+      if (error) {
+        return { data, error }
+      } else if (data.length === 0) {
+        return {
+          data: null,
+          error: { message: `Cannot find a relation named ${name} in schema ${schema}` },
+        }
+      } else {
+        return { data: data[0], error }
+      }
+    } else {
+      return { data: null, error: { message: 'Invalid parameters on retrieving table privileges' } }
+    }
+  }
+
+  async grant(
+    grants: PostgresTablePrivilegesGrant[]
+  ): Promise<PostgresMetaResult<PostgresTablePrivileges[]>> {
+    let sql = `
+do $$
+begin
+${grants
+  .map(
+    ({ privilege_type, relation_id, grantee, is_grantable }) =>
+      `execute format('grant ${privilege_type} on table %I to ${
+        grantee.toLowerCase() === 'public' ? 'public' : ident(grantee)
+      } ${is_grantable ? 'with grant option' : ''}', ${relation_id}::regclass);`
+  )
+  .join('\n')}
+end $$;
+`
+    const { data, error } = await this.query(sql)
+    if (error) {
+      return { data, error }
+    }
+
+    // Return the updated table privileges for modified relations.
+    const relationIds = [...new Set(grants.map(({ relation_id }) => relation_id))]
+    sql = `
+with table_privileges as (${tablePrivilegesSql})
+select *
+from table_privileges
+where relation_id in (${relationIds.map(literal).join(',')})
+`
+    return await this.query(sql)
+  }
+
+  async revoke(
+    revokes: PostgresTablePrivilegesRevoke[]
+  ): Promise<PostgresMetaResult<PostgresTablePrivileges[]>> {
+    let sql = `
+do $$
+begin
+${revokes
+  .map(
+    (revoke) =>
+      `execute format('revoke ${revoke.privilege_type} on table %I from ${revoke.grantee}', ${revoke.relation_id}::regclass);`
+  )
+  .join('\n')}
+end $$;
+`
+    const { data, error } = await this.query(sql)
+    if (error) {
+      return { data, error }
+    }
+
+    // Return the updated table privileges for modified relations.
+    const relationIds = [...new Set(revokes.map(({ relation_id }) => relation_id))]
+    sql = `
+with table_privileges as (${tablePrivilegesSql})
+select *
+from table_privileges
+where relation_id in (${relationIds.map(literal).join(',')})
+`
+    return await this.query(sql)
+  }
+}

src/lib/sql/index.ts

@@ -21,6 +21,7 @@ export const tableRelationshipsSql = await readFile(
 export const rolesSql = await readFile(join(__dirname, 'roles.sql'), 'utf-8')
 export const schemasSql = await readFile(join(__dirname, 'schemas.sql'), 'utf-8')
 export const tablesSql = await readFile(join(__dirname, 'tables.sql'), 'utf-8')
+export const tablePrivilegesSql = await readFile(join(__dirname, 'table_privileges.sql'), 'utf-8')
 export const triggersSql = await readFile(join(__dirname, 'triggers.sql'), 'utf-8')
 export const typesSql = await readFile(join(__dirname, 'types.sql'), 'utf-8')
 export const versionSql = await readFile(join(__dirname, 'version.sql'), 'utf-8')

src/lib/sql/table_privileges.sql

@@ -0,0 +1,75 @@
+-- Despite the name `table_privileges`, this includes other kinds of relations:
+-- views, matviews, etc. "Relation privileges" just doesn't roll off the tongue.
+--
+-- For each relation, get its relacl in a jsonb format,
+-- e.g.
+--
+-- '{postgres=arwdDxt/postgres}'
+--
+-- becomes
+--
+-- [
+--   {
+--     "grantee": "postgres",
+--     "grantor": "postgres",
+--     "is_grantable": false,
+--     "privilege_type": "INSERT"
+--   },
+--   ...
+-- ]
+select
+  c.oid as relation_id,
+  nc.nspname as schema,
+  c.relname as name,
+  case
+    when c.relkind = 'r' then 'table'
+    when c.relkind = 'v' then 'view'
+    when c.relkind = 'm' then 'materialized view'
+    when c.relkind = 'f' then 'foreign table'
+    when c.relkind = 'p' then 'partitioned table'
+  end as kind,
+  coalesce(
+    jsonb_agg(
+      jsonb_build_object(
+        'grantor', grantor.rolname,
+        'grantee', grantee.rolname,
+        'privilege_type', _priv.privilege_type,
+        'is_grantable', _priv.is_grantable
+      )
+    ) filter (where _priv is not null),
+    '[]'
+  ) as privileges
+from pg_class c
+join pg_namespace as nc
+  on nc.oid = c.relnamespace
+left join lateral (
+  select grantor, grantee, privilege_type, is_grantable
+  from aclexplode(coalesce(c.relacl, acldefault('r', c.relowner)))
+) as _priv on true
+left join pg_roles as grantor
+  on grantor.oid = _priv.grantor
+left join (
+  select
+    pg_roles.oid,
+    pg_roles.rolname
+  from pg_roles
+  union all
+  select
+    (0)::oid as oid, 'PUBLIC'
+) as grantee (oid, rolname)
+  on grantee.oid = _priv.grantee
+where c.relkind in ('r', 'v', 'm', 'f', 'p')
+  and not pg_is_other_temp_schema(c.relnamespace)
+  and (
+    pg_has_role(c.relowner, 'USAGE')
+    or has_table_privilege(
+      c.oid,
+      'SELECT, INSERT, UPDATE, DELETE, TRUNCATE, REFERENCES, TRIGGER'
+    )
+    or has_any_column_privilege(c.oid, 'SELECT, INSERT, UPDATE, REFERENCES')
+  )
+group by
+  c.oid,
+  nc.nspname,
+  c.relname,
+  c.relkind

src/lib/types.ts

@@ -404,3 +404,66 @@ export const postgresMaterializedViewSchema = Type.Object({
   columns: Type.Optional(Type.Array(postgresColumnSchema)),
 })
 export type PostgresMaterializedView = Static<typeof postgresMaterializedViewSchema>
+
+export const postgresTablePrivilegesSchema = Type.Object({
+  relation_id: Type.Integer(),
+  schema: Type.String(),
+  name: Type.String(),
+  kind: Type.Union([
+    Type.Literal('table'),
+    Type.Literal('view'),
+    Type.Literal('materialized view'),
+    Type.Literal('foreign table'),
+    Type.Literal('partitioned table'),
+  ]),
+  privileges: Type.Array(
+    Type.Object({
+      grantor: Type.String(),
+      grantee: Type.String(),
+      privilege_type: Type.Union([
+        Type.Literal('SELECT'),
+        Type.Literal('INSERT'),
+        Type.Literal('UPDATE'),
+        Type.Literal('DELETE'),
+        Type.Literal('TRUNCATE'),
+        Type.Literal('REFERENCES'),
+        Type.Literal('TRIGGER'),
+      ]),
+      is_grantable: Type.Boolean(),
+    })
+  ),
+})
+export type PostgresTablePrivileges = Static<typeof postgresTablePrivilegesSchema>
+
+export const postgresTablePrivilegesGrantSchema = Type.Object({
+  relation_id: Type.Integer(),
+  grantee: Type.String(),
+  privilege_type: Type.Union([
+    Type.Literal('ALL'),
+    Type.Literal('SELECT'),
+    Type.Literal('INSERT'),
+    Type.Literal('UPDATE'),
+    Type.Literal('DELETE'),
+    Type.Literal('TRUNCATE'),
+    Type.Literal('REFERENCES'),
+    Type.Literal('TRIGGER'),
+  ]),
+  is_grantable: Type.Optional(Type.Boolean()),
+})
+export type PostgresTablePrivilegesGrant = Static<typeof postgresTablePrivilegesGrantSchema>
+
+export const postgresTablePrivilegesRevokeSchema = Type.Object({
+  relation_id: Type.Integer(),
+  grantee: Type.String(),
+  privilege_type: Type.Union([
+    Type.Literal('ALL'),
+    Type.Literal('SELECT'),
+    Type.Literal('INSERT'),
+    Type.Literal('UPDATE'),
+    Type.Literal('DELETE'),
+    Type.Literal('TRUNCATE'),
+    Type.Literal('REFERENCES'),
+    Type.Literal('TRIGGER'),
+  ]),
+})
+export type PostgresTablePrivilegesRevoke = Static<typeof postgresTablePrivilegesRevokeSchema>

src/server/routes/index.ts

@@ -11,6 +11,7 @@ import PublicationsRoute from './publications.js'
 import QueryRoute from './query.js'
 import SchemasRoute from './schemas.js'
 import RolesRoute from './roles.js'
+import TablePrivilegesRoute from './table-privileges.js'
 import TablesRoute from './tables.js'
 import TriggersRoute from './triggers.js'
 import TypesRoute from './types.js'
@@ -52,6 +53,7 @@ export default async (fastify: FastifyInstance) => {
   fastify.register(QueryRoute, { prefix: '/query' })
   fastify.register(SchemasRoute, { prefix: '/schemas' })
   fastify.register(RolesRoute, { prefix: '/roles' })
+  fastify.register(TablePrivilegesRoute, { prefix: '/table-privileges' })
   fastify.register(TablesRoute, { prefix: '/tables' })
   fastify.register(TriggersRoute, { prefix: '/triggers' })
   fastify.register(TypesRoute, { prefix: '/types' })