feat: Adds grants to the roles

This will allow us to display all the different grants on the dashboard

Author: kiwicopple

dist/api/roles.js

@@ -1,3 +1,15 @@
+"use strict";
+var __assign = (this && this.__assign) || function () {
+    __assign = Object.assign || function(t) {
+        for (var s, i = 1, n = arguments.length; i < n; i++) {
+            s = arguments[i];
+            for (var p in s) if (Object.prototype.hasOwnProperty.call(s, p))
+                t[p] = s[p];
+        }
+        return t;
+    };
+    return __assign.apply(this, arguments);
+};
 var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
     function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
     return new (P || (P = Promise))(function (resolve, reject) {
@@ -34,21 +46,26 @@ var __generator = (this && this.__generator) || function (thisArg, body) {
         if (op[0] & 5) throw op[1]; return { value: op[0] ? op[1] : void 0, done: true };
     }
 };
-var _this = this;
+Object.defineProperty(exports, "__esModule", { value: true });
 var Router = require('express').Router;
 var router = new Router();
 var roles = require('../lib/sql').roles;
 var RunQuery = require('../lib/connectionPool');
-router.get('/', function (req, res) { return __awaiter(_this, void 0, void 0, function () {
-    var data, error_1;
+var schemas_1 = require("../lib/constants/schemas");
+router.get('/', function (req, res) { return __awaiter(void 0, void 0, void 0, function () {
+    var data, query, payload, error_1;
     return __generator(this, function (_a) {
         switch (_a.label) {
             case 0:
                 _a.trys.push([0, 2, , 3]);
                 return [4 /*yield*/, RunQuery(req.headers.pg, roles.list)];
             case 1:
                 data = (_a.sent()).data;
-                return [2 /*return*/, res.status(200).json(data)];
+                query = req.query;
+                payload = data;
+                if (!(query === null || query === void 0 ? void 0 : query.includeSystemSchemas))
+                    payload = removeSystemSchemas(data);
+                return [2 /*return*/, res.status(200).json(payload)];
             case 2:
                 error_1 = _a.sent();
                 console.log('throwing error');
@@ -58,4 +75,10 @@ router.get('/', function (req, res) { return __awaiter(_this, void 0, void 0, fu
         }
     });
 }); });
+var removeSystemSchemas = function (data) {
+    return data.map(function (role) {
+        var grants = role.grants.filter(function (x) { return !schemas_1.DEFAULT_SYSTEM_SCHEMAS.includes(x.schema); });
+        return __assign(__assign({}, role), { grants: grants });
+    });
+};
 module.exports = router;

dist/lib/interfaces/roles.js

@@ -0,0 +1,2 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });

dist/lib/sql/roles/list.sql

@@ -1,25 +1,61 @@
-select
-    usename as "name",
-    usesysid as "id",
-    usecreatedb as "has_create_db_privileges",
-    usesuper as "is_super_user",
-    userepl as "has_replication_privileges",
-    usebypassrls as "can_bypass_rls",
-    valuntil as "valid_until", -- Password expiry time (only used for password authentication)
-    useconfig as "user_config", -- Session defaults for run-time configuration variables
-    active_connections.connections,
-    pg_roles.rolconnlimit as max_user_connections,
-    max_db_connections.max_connections as max_db_connections
-from
-    pg_user as users 
-    inner join pg_roles on users.usename = pg_roles.rolname
-    INNER JOIN LATERAL 
-   	(
-   		SELECT count(*) as connections 
-   		FROM pg_stat_activity as active_connections
-   		WHERE state = 'active' and users.usename = active_connections.usename
-   	) as active_connections on 1=1 
-    INNER JOIN LATERAL ( 
-   		SELECT setting as max_connections 
-   		from pg_settings where name = 'max_connections'
-   	) as max_db_connections on 1=1;
+with 
+roles as (
+    select
+        usename as "name",
+        usesysid as "id",
+        usecreatedb as "has_create_db_privileges",
+        usesuper as "is_super_user",
+        userepl as "has_replication_privileges",
+        usebypassrls as "can_bypass_rls",
+        valuntil as "valid_until", -- Password expiry time (only used for password authentication)
+        useconfig as "user_config", -- Session defaults for run-time configuration variables
+        active_connections.connections,
+        pg_roles.rolconnlimit as max_user_connections,
+        max_db_connections.max_connections::int2 as max_db_connections
+    from
+        pg_user as users 
+        inner join pg_roles on users.usename = pg_roles.rolname
+        INNER JOIN LATERAL 
+        (
+            SELECT count(*) as connections 
+            FROM pg_stat_activity as active_connections
+            WHERE state = 'active' and users.usename = active_connections.usename
+        ) as active_connections on 1=1 
+        INNER JOIN LATERAL ( 
+            SELECT setting as max_connections from pg_settings where name = 'max_connections'
+        ) as max_db_connections on 1=1
+),
+grants as (
+    SELECT
+        (table_schema || '.' || table_name) as table_id,
+        grantor,
+        grantee,
+        table_catalog as catalog,
+        table_schema as schema,
+        table_name,
+        privilege_type,
+        is_grantable::boolean,
+        with_hierarchy::boolean
+    FROM
+        information_schema.role_table_grants
+)
+SELECT
+    *,
+    COALESCE(
+        (
+        SELECT
+            array_to_json(array_agg(row_to_json(grants)))
+        FROM
+            (
+            SELECT
+                *
+            FROM
+                grants
+            WHERE
+                grants.grantee = roles.name
+            ) grants
+        ),
+        '[]'
+    ) AS grants
+FROM
+    roles

dist/lib/sql/tables/list.sql

@@ -70,8 +70,8 @@ grants as (
     table_schema as schema,
     table_name,
     privilege_type,
-    is_grantable,
-    with_hierarchy
+    is_grantable::boolean,
+    with_hierarchy::boolean
   FROM
     information_schema.role_table_grants
 ),

src/api/roles.js

@@ -0,0 +1,39 @@
+const { Router } = require('express')
+const router = new Router()
+const { roles } = require('../lib/sql')
+const RunQuery = require('../lib/connectionPool')
+import { DEFAULT_SYSTEM_SCHEMAS } from '../lib/constants/schemas'
+import { Roles } from '../lib/interfaces/roles'
+
+/**
+ * @param {boolean} [includeSystemSchemas=false] - Return system schemas as well as user schemas
+ */
+interface GetRolesQueryParams {
+  includeSystemSchemas: boolean
+}
+router.get('/', async (req, res) => {
+  try {
+    const { data } = await RunQuery(req.headers.pg, roles.list)
+    const query: GetRolesQueryParams = req.query
+    let payload: Roles.Role[] = data
+    if (!query?.includeSystemSchemas) payload = removeSystemSchemas(data)
+
+    return res.status(200).json(payload)
+  } catch (error) {
+    console.log('throwing error')
+    res.status(500).json({ error: 'Database error', status: 500 })
+  }
+})
+
+
+const removeSystemSchemas = (data: Roles.Role[]) => {
+  return data.map(role => {
+    let grants = role.grants.filter((x) => !DEFAULT_SYSTEM_SCHEMAS.includes(x.schema))
+    return {
+      ...role,
+      grants
+    }
+  })
+}
+
+module.exports = router

src/api/roles.ts

@@ -0,0 +1,31 @@
+export namespace Roles {
+
+  export interface Role {
+    name: string
+    id: number
+    has_create_db_privileges: boolean
+    is_super_user: boolean
+    has_replication_privileges: boolean
+    can_bypass_rls: boolean
+    valid_until: string | null
+    user_config: string | null
+    connections: number
+    max_user_connections: number
+    max_db_connections: number,
+    grants: Grants[]
+  }
+
+  export interface Grants {
+    table_id: string
+    grantor: string
+    grantee: string
+    catalog: string
+    schema: string
+    table_name: string
+    privilege_type: string
+    is_grantable: boolean
+    with_hierarchy: boolean
+  }
+
+
+}

src/lib/interfaces/roles.ts

@@ -1,25 +1,61 @@
-select
-    usename as "name",
-    usesysid as "id",
-    usecreatedb as "has_create_db_privileges",
-    usesuper as "is_super_user",
-    userepl as "has_replication_privileges",
-    usebypassrls as "can_bypass_rls",
-    valuntil as "valid_until", -- Password expiry time (only used for password authentication)
-    useconfig as "user_config", -- Session defaults for run-time configuration variables
-    active_connections.connections,
-    pg_roles.rolconnlimit as max_user_connections,
-    max_db_connections.max_connections as max_db_connections
-from
-    pg_user as users 
-    inner join pg_roles on users.usename = pg_roles.rolname
-    INNER JOIN LATERAL 
-   	(
-   		SELECT count(*) as connections 
-   		FROM pg_stat_activity as active_connections
-   		WHERE state = 'active' and users.usename = active_connections.usename
-   	) as active_connections on 1=1 
-    INNER JOIN LATERAL ( 
-   		SELECT setting as max_connections 
-   		from pg_settings where name = 'max_connections'
-   	) as max_db_connections on 1=1;
+with 
+roles as (
+    select
+        usename as "name",
+        usesysid as "id",
+        usecreatedb as "has_create_db_privileges",
+        usesuper as "is_super_user",
+        userepl as "has_replication_privileges",
+        usebypassrls as "can_bypass_rls",
+        valuntil as "valid_until", -- Password expiry time (only used for password authentication)
+        useconfig as "user_config", -- Session defaults for run-time configuration variables
+        active_connections.connections,
+        pg_roles.rolconnlimit as max_user_connections,
+        max_db_connections.max_connections::int2 as max_db_connections
+    from
+        pg_user as users 
+        inner join pg_roles on users.usename = pg_roles.rolname
+        INNER JOIN LATERAL 
+        (
+            SELECT count(*) as connections 
+            FROM pg_stat_activity as active_connections
+            WHERE state = 'active' and users.usename = active_connections.usename
+        ) as active_connections on 1=1 
+        INNER JOIN LATERAL ( 
+            SELECT setting as max_connections from pg_settings where name = 'max_connections'
+        ) as max_db_connections on 1=1
+),
+grants as (
+    SELECT
+        (table_schema || '.' || table_name) as table_id,
+        grantor,
+        grantee,
+        table_catalog as catalog,
+        table_schema as schema,
+        table_name,
+        privilege_type,
+        is_grantable::boolean,
+        with_hierarchy::boolean
+    FROM
+        information_schema.role_table_grants
+)
+SELECT
+    *,
+    COALESCE(
+        (
+        SELECT
+            array_to_json(array_agg(row_to_json(grants)))
+        FROM
+            (
+            SELECT
+                *
+            FROM
+                grants
+            WHERE
+                grants.grantee = roles.name
+            ) grants
+        ),
+        '[]'
+    ) AS grants
+FROM
+    roles

src/lib/sql/roles/list.sql

@@ -70,8 +70,8 @@ grants as (
     table_schema as schema,
     table_name,
     privilege_type,
-    is_grantable,
-    with_hierarchy
+    is_grantable::boolean,
+    with_hierarchy::boolean
   FROM
     information_schema.role_table_grants
 ),

src/lib/sql/tables/list.sql

@@ -176,7 +176,11 @@ describe('/roles', () => {
   it('GET', async () => {
     const res = await axios.get(`${URL}/roles`)
     const datum = res.data.find((x) => x.name == 'postgres')
+    const hasSystemSchema = res.data[0].grants.some((x) => x.schema == 'information_schema')
+    const hasPublicSchema = res.data[0].grants.some((x) => x.schema == 'public')
     assert.equal(res.status, STATUS.SUCCESS)
     assert.equal(true, !!datum)
+    assert.equal(hasSystemSchema, false)
+    assert.equal(hasPublicSchema, true)
   })
 })