Add support for RLS

  - implements Postgres exporter
  - new Policy model
  - new Policy element validator
  - new Policy element interpreter
  - tests
  - docs

Author: scribahti

dbml-homepage/docs/docs.md

@@ -30,6 +30,7 @@ outlines the full syntax documentations of DBML.
   - [Table Notes](#table-notes)
   - [Column Notes](#column-notes)
   - [TableGroup Notes](#tablegroup-notes)
+- [Policy Definition](#policy-definition)
 - [Sticky Notes](#sticky-notes)
 - [TableGroup](#tablegroup)
     - [TableGroup Notes](#tablegroup-notes-1)
@@ -508,6 +509,38 @@ TableGroup e_commerce [note: 'Contains tables that are related to e-commerce sys
 }
 ```
 
+## Policy Definition
+
+You can define RLS policies. dbml2sql only supports export for Postgres.
+
+```text
+Table users {
+  id integer [pk]
+  ...
+}
+
+Policy {
+  name 'Users can take all actions on their own accounts'
+  schema public
+  table users
+  behavior permissive
+  command all
+  roles [authenticated]
+  using `auth.uid() = id`
+  check null
+}
+```
+
+`schema` defaults to public if not provided.
+
+`behavior` can have the values `permissive` or `restrictive`. It defaults to `permissive` if not provided.
+
+`command` can have the values `select`, `insert`, `update`, `delete`, or `all`.
+
+`roles` accepts a list of roles and defaults to `public` if none are provided.
+
+`using` and `check` default to null if not provided.
+
 ## Sticky Notes
 
 You can add sticky notes to the diagram canvas to serve as a quick reminder or to elaborate on a complex idea.

packages/dbml-core/__tests__/examples/exporter/postgres_exporter/input/policy.in.dbml

@@ -0,0 +1,36 @@
+Table users {
+  id int [pk]
+  email varchar
+}
+
+Table posts {
+  id int [pk]
+  user_id int
+  title varchar
+}
+
+Policy {
+  name 'Users can view their own data'
+  schema public
+  table users
+  behavior permissive
+  command select
+  roles [authenticated]
+  using `auth.uid() = id`
+  check null
+}
+
+Policy {
+  name 'Users can insert their own posts'
+  table posts
+  command insert
+  roles [authenticated, admin]
+  using null
+  check `auth.uid() = user_id`
+}
+
+Policy {
+  name 'Public read access'
+  table posts
+  command select
+}

packages/dbml-core/__tests__/examples/exporter/postgres_exporter/output/policy.out.sql

@@ -0,0 +1,27 @@
+CREATE TABLE "users" (
+  "id" int PRIMARY KEY,
+  "email" varchar
+);
+
+CREATE TABLE "posts" (
+  "id" int PRIMARY KEY,
+  "user_id" int,
+  "title" varchar
+);
+
+CREATE POLICY "Users can view their own data" ON "public"."users"
+  AS PERMISSIVE
+  FOR SELECT
+  TO authenticated
+  USING (auth.uid() = id);
+
+CREATE POLICY "Users can insert their own posts" ON "public"."posts"
+  AS PERMISSIVE
+  FOR INSERT
+  TO authenticated, admin
+  WITH CHECK (auth.uid() = user_id);
+
+CREATE POLICY "Public read access" ON "public"."posts"
+  AS PERMISSIVE
+  FOR SELECT
+  TO public;

packages/dbml-core/src/export/PostgresExporter.js

@@ -540,6 +540,21 @@ class PostgresExporter {
     return commentArr;
   }
 
+  static exportPolicies (policyIds, model) {
+    return policyIds.map((policyId) => {
+      const policy = model.policies[policyId];
+      let line = `CREATE POLICY "${policy.name}"`;
+      line += ` ON "${policy.schemaName}"."${policy.tableName}"`;
+      line += `\n  AS ${policy.behavior.toUpperCase()}`;
+      line += `\n  FOR ${policy.command.toUpperCase()}`;
+      line += `\n  TO ${policy.roles.join(', ')}`;
+      if (policy.using) line += `\n  USING (${policy.using})`;
+      if (policy.check) line += `\n  WITH CHECK (${policy.check})`;
+      line += ';\n';
+      return line;
+    });
+  }
+
   static export (model) {
     const database = model.database['1'];
 
@@ -623,6 +638,10 @@ class PostgresExporter {
         ]
       : [];
 
+    const policyStatements = database.policyIds
+      ? PostgresExporter.exportPolicies(database.policyIds, model)
+      : [];
+
     const res = concat(
       statements.schemas,
       statements.enums,
@@ -631,6 +650,7 @@ class PostgresExporter {
       statements.comments,
       statements.refs,
       recordsSection,
+      policyStatements,
     ).join('\n');
     return res;
   }

packages/dbml-core/src/model_structure/config.js

@@ -4,3 +4,4 @@ export const NOTE = 'note';
 export const ENUM = 'enum';
 export const REF = 'ref';
 export const TABLE_GROUP = 'table_group';
+export const POLICY = 'policy';

packages/dbml-core/src/model_structure/database.js

@@ -6,6 +6,7 @@ import TableGroup from './tableGroup';
 import Table from './table';
 import StickyNote from './stickyNote';
 import Element from './element';
+import Policy from './policy';
 import {
   DEFAULT_SCHEMA_NAME, TABLE, TABLE_GROUP, ENUM, REF, NOTE,
 } from './config';
@@ -24,6 +25,7 @@ class Database extends Element {
     aliases = [],
     records = [],
     tablePartials = [],
+    policies = [],
   }) {
     super();
     this.dbState = new DbState();
@@ -39,6 +41,7 @@ class Database extends Element {
     this.aliases = aliases;
     this.records = [];
     this.tablePartials = [];
+    this.policies = [];
 
     // The global array containing references with 1 endpoint being a field injected from a partial to a table
     // These refs are add to this array when resolving partials in tables (`Table.processPartials()`)
@@ -48,6 +51,7 @@ class Database extends Element {
     this.processNotes(notes);
     this.processRecords(records);
     this.processTablePartials(tablePartials);
+    this.processPolicies(policies);
     this.processSchemas(schemas);
     this.processSchemaElements(enums, ENUM);
     this.processSchemaElements(tables, TABLE);
@@ -93,6 +97,12 @@ class Database extends Element {
     });
   }
 
+  processPolicies (rawPolicies) {
+    rawPolicies.forEach((rawPolicy) => {
+      this.policies.push(new Policy({ ...rawPolicy, database: this }));
+    });
+  }
+
   pushNote (note) {
     this.checkNote(note);
     this.notes.push(note);
@@ -233,13 +243,15 @@ class Database extends Element {
       schemas: this.schemas.map((s) => s.export()),
       notes: this.notes.map((n) => n.export()),
       records: this.records.map((r) => ({ ...r })),
+      policies: this.policies.map((p) => p.export()),
     };
   }
 
   exportChildIds () {
     return {
       schemaIds: this.schemas.map((s) => s.id),
       noteIds: this.notes.map((n) => n.id),
+      policyIds: this.policies.map((p) => p.id),
     };
   }
 
@@ -266,12 +278,14 @@ class Database extends Element {
       fields: {},
       records: {},
       tablePartials: {},
+      policies: {},
     };
 
     this.schemas.forEach((schema) => schema.normalize(normalizedModel));
     this.notes.forEach((note) => note.normalize(normalizedModel));
     this.records.forEach((record) => { normalizedModel.records[record.id] = { ...record }; });
     this.tablePartials.forEach((tablePartial) => tablePartial.normalize(normalizedModel));
+    this.policies.forEach((policy) => policy.normalize(normalizedModel));
     return normalizedModel;
   }
 }

packages/dbml-core/src/model_structure/dbState.js

@@ -15,6 +15,7 @@ export default class DbState {
     this.indexColumnId = 1;
     this.recordId = 1;
     this.tablePartialId = 1;
+    this.policyId = 1;
   }
 
   generateId (el) {

packages/dbml-core/src/model_structure/policy.js

@@ -0,0 +1,52 @@
+import Element from './element';
+
+class Policy extends Element {
+  constructor ({
+    name, schemaName, tableName, behavior, command, roles, using, check, token, database = {},
+  } = {}) {
+    super(token);
+    this.name = name;
+    this.schemaName = schemaName;
+    this.tableName = tableName;
+    this.behavior = behavior;
+    this.command = command;
+    this.roles = roles;
+    this.using = using;
+    this.check = check;
+    this.database = database;
+    this.dbState = this.database.dbState;
+    this.generateId();
+  }
+
+  generateId () {
+    this.id = this.dbState.generateId('policyId');
+  }
+
+  shallowExport () {
+    return {
+      name: this.name,
+      schemaName: this.schemaName,
+      tableName: this.tableName,
+      behavior: this.behavior,
+      command: this.command,
+      roles: this.roles,
+      using: this.using,
+      check: this.check,
+    };
+  }
+
+  export () {
+    return {
+      ...this.shallowExport(),
+    };
+  }
+
+  normalize (model) {
+    model.policies[this.id] = {
+      id: this.id,
+      ...this.shallowExport(),
+    };
+  }
+}
+
+export default Policy;

packages/dbml-parse/__tests__/snapshots/interpreter/output/array_type.out.json

@@ -151,5 +151,6 @@
   "aliases": [],
   "project": {},
   "tablePartials": [],
-  "records": []
+  "records": [],
+  "policies": []
 }

packages/dbml-parse/__tests__/snapshots/interpreter/output/checks.out.json

@@ -362,5 +362,6 @@
       ]
     }
   ],
-  "records": []
+  "records": [],
+  "policies": []
 }