Enforce RLS when user opted in to MFA. (#188)

* Allow Super Admin to view tables using RLS * Replace previous usages of the Admin client using the authed client using the new RLS * Enforce MFA for Super Admin users * Enforce RLS when user opted in to MFA. * Add Super Admin Access Policies and Update Database Types * Consolidate super admin logic into a single function that uses the RPC is_super_admin * Added Super Admin E2E tests * Fixes and improvements * Bump version to 2.5.0
2025-03-02 10:21:01 +07:00
parent 9cf7bf0aac
commit 131b1061e6
61 changed files with 2193 additions and 302 deletions
--- a/apps/web/supabase/tests/database/00000-makerkit-helpers.sql
+++ b/apps/web/supabase/tests/database/00000-makerkit-helpers.sql
@@ -8,7 +8,7 @@ alter default PRIVILEGES in schema makerkit revoke execute on FUNCTIONS from pub

 -- Grant execute to anon, authenticated, and service_role for testing purposes
 alter default PRIVILEGES in schema makerkit grant execute on FUNCTIONS to anon,
-  authenticated, service_role;
+    authenticated, service_role;

 create or replace function makerkit.get_id_by_identifier(   
  identifier text
@@ -24,62 +24,114 @@ end;
 $$ language PLPGSQL;

 create or replace function makerkit.set_identifier(
-  identifier text,
-  user_email text
+    identifier text,
+    user_email text
 )
-  returns text
-  security definer
-  set search_path = auth, pg_temp
-  as $$
+    returns text
+    security definer
+    set search_path = auth, pg_temp
+as
+$$
 begin
- update auth.users set raw_user_meta_data = jsonb_build_object('test_identifier', identifier)
- where email = user_email;
+    update auth.users
+    set raw_user_meta_data = jsonb_build_object('test_identifier', identifier)
+    where email = user_email;

- return identifier;
+    return identifier;

 end;

 $$ language PLPGSQL;

 create or replace function makerkit.get_account_by_slug(
-  account_slug text
+    account_slug text
 )
-  returns setof accounts
-  as $$
+    returns setof accounts
+as
+$$
 begin
-
    return query
-      select
-        *
-      from
-        accounts
-      where
-        slug = account_slug;
+        select *
+        from accounts
+        where slug = account_slug;

 end;

 $$ language PLPGSQL;

+create or replace function makerkit.authenticate_as(
+    identifier text
+) returns void
+as
+$$
+begin
+    perform tests.authenticate_as(identifier);
+    perform makerkit.set_session_aal('aal1');
+end;
+$$ language plpgsql;
+
 create or replace function makerkit.get_account_id_by_slug(
-  account_slug text
+    account_slug text
 )
-  returns uuid
-  as $$
+    returns uuid
+as
+$$

 begin

    return
-      (select
-         id
-       from
-         accounts
-       where
-         slug = account_slug);
+        (select id
+         from accounts
+         where slug = account_slug);

 end;

 $$ language PLPGSQL;

+
+create or replace function makerkit.set_mfa_factor(
+    identifier text = gen_random_uuid()
+)
+    returns void
+as
+$$
+begin
+    insert into "auth"."mfa_factors" ("id", "user_id", "friendly_name", "factor_type", "status", "created_at", "updated_at", "secret")
+    values (gen_random_uuid(), auth.uid(), identifier, 'totp', 'verified', '2025-02-24 09:48:18.402031+00', '2025-02-24 09:48:18.402031+00',
+            'HOWQFBA7KBDDRSBNMGFYZAFNPRSZ62I5');
+end;
+$$ language plpgsql security definer;
+
+create or replace function makerkit.set_session_aal(session_aal auth.aal_level)
+    returns void
+as
+$$
+begin
+    perform set_config('request.jwt.claims', json_build_object(
+            'sub', current_setting('request.jwt.claims')::json ->> 'sub',
+            'email', current_setting('request.jwt.claims')::json ->> 'email',
+            'phone', current_setting('request.jwt.claims')::json ->> 'phone',
+            'user_metadata', current_setting('request.jwt.claims')::json ->> 'user_metadata',
+            'app_metadata', current_setting('request.jwt.claims')::json ->> 'app_metadata',
+            'aal', session_aal)::text, true);
+end;
+$$ language plpgsql;
+
+create or replace function makerkit.set_super_admin() returns void
+as
+$$
+begin
+    perform set_config('request.jwt.claims', json_build_object(
+            'sub', current_setting('request.jwt.claims')::json ->> 'sub',
+            'email', current_setting('request.jwt.claims')::json ->> 'email',
+            'phone', current_setting('request.jwt.claims')::json ->> 'phone',
+            'user_metadata', current_setting('request.jwt.claims')::json ->> 'user_metadata',
+            'app_metadata', json_build_object('role', 'super-admin'),
+            'aal', current_setting('request.jwt.claims')::json ->> 'aal'
+        )::text, true);
+end;
+$$ language plpgsql;
+
 begin;

 select plan(1);
@@ -89,12 +141,11 @@ select is_empty($$
    *
  from
    makerkit.get_account_by_slug('test') $$,
-  'get_account_by_slug should return an empty set when the account does not exist'
-);
+                'get_account_by_slug should return an empty set when the account does not exist'
+       );

-select
-  *
+select *
 from
-  finish();
+    finish();

 rollback;