Merge pull request #244 from launchql/feat/roles

pyramation · web-flow · commit 19a218463b34 · 2025-10-04T16:56:32.000-07:00
config roles
diff --git a/packages/pgsql-test/__tests__/postgres-test.connections.test.ts b/packages/pgsql-test/__tests__/postgres-test.connections.test.ts
@@ -1,6 +1,7 @@
 process.env.LOG_SCOPE = 'pgsql-test';
 
 import { getConnections } from '../src/connect';
+import { getRoleName } from '../src/roles';
 import { PgTestClient } from '../src/test-client';
 
 let db: PgTestClient;
@@ -25,14 +26,16 @@ describe('anonymous', () => {
 
   it('runs under anonymous context', async () => {
     const result = await db.query('SELECT current_setting(\'role\', true) AS role');
-    expect(result.rows[0].role).toBe('anonymous');
+    const expectedRole = getRoleName('anonymous');
+    expect(result.rows[0].role).toBe(expectedRole);
   });
 });
 
 describe('authenticated', () => {
   beforeEach(async () => {
+    const authRole = getRoleName('authenticated');
     db.setContext({
-      role: 'authenticated',
+      role: authRole,
       'jwt.claims.user_agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36',
       'jwt.claims.ip_address': '127.0.0.1',
       'jwt.claims.database_id': 'jwt.database_id',
@@ -47,7 +50,8 @@ describe('authenticated', () => {
 
   it('runs under authenticated context', async () => {
     const role = await db.query('SELECT current_setting(\'role\', true) AS role');
-    expect(role.rows[0].role).toBe('authenticated');
+    const expectedRole = getRoleName('authenticated');
+    expect(role.rows[0].role).toBe(expectedRole);
     const ip = await db.query('SELECT current_setting(\'jwt.claims.ip_address\', true) AS role');
     expect(ip.rows[0].role).toBe('127.0.0.1');
   });
diff --git a/packages/pgsql-test/src/admin.ts b/packages/pgsql-test/src/admin.ts
@@ -1,8 +1,10 @@
 import { Logger } from '@launchql/logger';
+import { PgTestConnectionOptions } from '@launchql/types';
 import { execSync } from 'child_process';
 import { existsSync } from 'fs';
 import { getPgEnvOptions, PgConfig } from 'pg-env';
 
+import { getRoleName } from './roles';
 import { SeedAdapter } from './seed/types';
 import { streamSql as stream } from './stream';
 
@@ -11,7 +13,8 @@ const log = new Logger('db-admin');
 export class DbAdmin {
   constructor(
     private config: PgConfig,
-    private verbose: boolean = false
+    private verbose: boolean = false,
+    private roleConfig?: PgTestConnectionOptions
   ) {
     this.config = getPgEnvOptions(config);
   }
@@ -113,13 +116,16 @@ export class DbAdmin {
   }
 
   async createUserRole(user: string, password: string, dbName: string): Promise<void> {
+    const anonRole = getRoleName('anonymous', this.roleConfig);
+    const authRole = getRoleName('authenticated', this.roleConfig);
+    
     const sql = `
       DO $$
       BEGIN
         IF NOT EXISTS (SELECT 1 FROM pg_roles WHERE rolname = '${user}') THEN
           CREATE ROLE ${user} LOGIN PASSWORD '${password}';
-          GRANT anonymous TO ${user};
-          GRANT authenticated TO ${user};
+          GRANT ${anonRole} TO ${user};
+          GRANT ${authRole} TO ${user};
         END IF;
       END $$;
     `.trim();
diff --git a/packages/pgsql-test/src/connect.ts b/packages/pgsql-test/src/connect.ts
@@ -9,6 +9,7 @@ import {
 
 import { DbAdmin } from './admin';
 import { PgTestConnector } from './manager';
+import { getDefaultRole } from './roles';
 import { seed } from './seed';
 import { SeedAdapter } from './seed/types';
 import { PgTestClient } from './test-client';
@@ -19,7 +20,7 @@ export const getPgRootAdmin = (connOpts: PgTestConnectionOptions = {}) => {
   const opts = getPgEnvOptions({
     database: connOpts.rootDb
   });
-  const admin = new DbAdmin(opts);
+  const admin = new DbAdmin(opts, false, connOpts);
   return admin;
 };
 
@@ -65,7 +66,7 @@ export const getConnections = async (
     connOpts.rootDb
   );
 
-  const admin = new DbAdmin(config as PgConfig);
+  const admin = new DbAdmin(config as PgConfig, false, connOpts);
   
   if (process.env.TEST_DB) {
     config.database = process.env.TEST_DB;
@@ -106,7 +107,7 @@ export const getConnections = async (
     user: connOpts.connection.user,
     password: connOpts.connection.password
   });
-  db.setContext({ role: 'anonymous' });
+  db.setContext({ role: getDefaultRole(connOpts) });
 
   return { pg, db, teardown, manager, admin };
 };
diff --git a/packages/pgsql-test/src/index.ts b/packages/pgsql-test/src/index.ts
@@ -1,5 +1,6 @@
 export * from './admin';
 export * from './connect';
 export * from './manager';
+export * from './roles';
 export * from './seed';
 export * from './test-client';
diff --git a/packages/pgsql-test/src/roles.ts b/packages/pgsql-test/src/roles.ts
@@ -0,0 +1,40 @@
+import { PgTestConnectionOptions, RoleMapping } from '@launchql/types';
+
+/**
+ * Default role mapping configuration
+ */
+export const DEFAULT_ROLE_MAPPING: Required<RoleMapping> = {
+  anonymous: 'anonymous',
+  authenticated: 'authenticated',
+  administrator: 'administrator',
+  default: 'anonymous'
+};
+
+/**
+ * Get resolved role mapping with defaults
+ */
+export const getRoleMapping = (options?: PgTestConnectionOptions): Required<RoleMapping> => {
+  return {
+    ...DEFAULT_ROLE_MAPPING,
+    ...(options?.roles || {})
+  };
+};
+
+/**
+ * Get role name by key with fallback to default mapping
+ */
+export const getRoleName = (
+  roleKey: keyof Omit<RoleMapping, 'default'>, 
+  options?: PgTestConnectionOptions
+): string => {
+  const mapping = getRoleMapping(options);
+  return mapping[roleKey];
+};
+
+/**
+ * Get default role name
+ */
+export const getDefaultRole = (options?: PgTestConnectionOptions): string => {
+  const mapping = getRoleMapping(options);
+  return mapping.default;
+};
diff --git a/packages/types/src/launchql.ts b/packages/types/src/launchql.ts
@@ -19,6 +19,22 @@ export interface PgTestConnectionOptions {
     cwd?: string;
     /** Database connection credentials */
     connection?: DatabaseConnectionOptions;
+    /** Role mapping configuration */
+    roles?: RoleMapping;
+}
+
+/**
+ * Role mapping configuration for database security
+ */
+export interface RoleMapping {
+    /** Anonymous (unauthenticated) role name */
+    anonymous?: string;
+    /** Authenticated user role name */
+    authenticated?: string;
+    /** Administrator role name */
+    administrator?: string;
+    /** Default role for new connections */
+    default?: string;
 }
 
 /**
@@ -205,6 +221,12 @@ export const launchqlDefaults: LaunchQLOptions = {
       user: 'app_user',
       password: 'app_password',
       role: 'anonymous'
+    },
+    roles: {
+      anonymous: 'anonymous',
+      authenticated: 'authenticated',
+      administrator: 'administrator',
+      default: 'anonymous'
     }
   },
   pg: {
