feat: Prevent modification of schemas unrelated to current indexer

near · Jun 28, 2023 · d61a356 · d61a356
1 parent b5e0c72
commit d61a356
Show file tree

Hide file tree

Showing 2 changed files with 37 additions and 3 deletions.
diff --git a/indexer-js-queue-handler/__snapshots__/hasura-client.test.js.snap b/indexer-js-queue-handler/__snapshots__/hasura-client.test.js.snap
@@ -106,11 +106,27 @@ exports[`HasuraClient runs migrations for the specified schema 1`] = `
     "read_only": false,
     "source": "default",
     "sql": "
-      CREATE SCHEMA schema
+      -- Create the role for the indexer
+      CREATE ROLE schema_role;
 
+      -- Create the schema and assign its ownership to the indexer role
+      CREATE SCHEMA schema AUTHORIZATION schema_role;
+
+      -- Grant necessary privileges to the indexer role
+      GRANT USAGE ON SCHEMA schema TO schema_role;
+      ALTER DEFAULT PRIVILEGES IN SCHEMA schema GRANT SELECT, INSERT, UPDATE, DELETE ON TABLES TO schema_role;
+
+      -- Allow the role to create tables
+      GRANT CREATE ON SCHEMA schema TO schema_role;
+
+      -- Switch to the indexer role and schema
+      SET ROLE schema_role;
       SET SCHEMA 'schema';
 
+      -- indexer provided migration
       CREATE TABLE blocks (height numeric)
+
+      RESET ROLE;
       ",
   },
   "type": "run_sql",

diff --git a/indexer-js-queue-handler/hasura-client.js b/indexer-js-queue-handler/hasura-client.js
@@ -71,13 +71,31 @@ export default class HasuraClient {
   };
 
   runMigrations(schemaName, migration) {
+    const roleName = `${schemaName}_role`;
+
     return this.executeSql(
       `
-      CREATE SCHEMA ${schemaName}
+      -- Create the role for the indexer
+      CREATE ROLE ${roleName};
+
+      -- Create the schema and assign its ownership to the indexer role
+      CREATE SCHEMA ${schemaName} AUTHORIZATION ${roleName};
+
+      -- Grant necessary privileges to the indexer role
+      GRANT USAGE ON SCHEMA ${schemaName} TO ${roleName};
+      ALTER DEFAULT PRIVILEGES IN SCHEMA ${schemaName} GRANT SELECT, INSERT, UPDATE, DELETE ON TABLES TO ${roleName};
 
+      -- Allow the role to create tables
+      GRANT CREATE ON SCHEMA ${schemaName} TO ${roleName};
+
+      -- Switch to the indexer role and schema
+      SET ROLE ${roleName};
       SET SCHEMA '${schemaName}';
 
-      ${migration}
+      -- indexer provided migration
+      ${migration};
+
+      RESET ROLE;
       `,
       { readOnly: false }
     );