fix(rust): avoid full table scans

polvorin · polvorin · commit ab73250de136 · 2025-05-16T21:10:30.000-03:00
just a handful of places, a full review is needed
diff --git a/implementations/rust/ockam/ockam_abac/src/policy/storage/resource_policy_repository_sql.rs b/implementations/rust/ockam/ockam_abac/src/policy/storage/resource_policy_repository_sql.rs
@@ -77,7 +77,7 @@ impl ResourcePoliciesRepository for ResourcePolicySqlxDatabase {
         let query = query_as(
             r#"SELECT resource_name, action, expression
             FROM resource_policy
-            WHERE node_name = $1 and resource_name = $2 and action = $3"#,
+            WHERE tenant_id = $1 and node_name = $1 and resource_name = $2 and action = $3"#,
         )
         .bind(&self.node_name)
         .bind(resource_name)
@@ -93,7 +93,7 @@ impl ResourcePoliciesRepository for ResourcePolicySqlxDatabase {
         let query = query_as(
             r#"SELECT resource_name, action, expression
             FROM resource_policy
-            WHERE node_name = $1"#,
+            WHERE tenant_id = $1 and node_name = $1"#,
         )
         .bind(&self.node_name);
         let row: Vec<PolicyRow> = query.fetch_all(&*self.database.pool).await.into_core()?;
@@ -109,7 +109,7 @@ impl ResourcePoliciesRepository for ResourcePolicySqlxDatabase {
         let query = query_as(
             r#"SELECT resource_name, action, expression
             FROM resource_policy
-            WHERE node_name = $1 and resource_name = $2"#,
+            WHERE tenant_id = $1 and node_name = $1 and resource_name = $2"#,
         )
         .bind(&self.node_name)
         .bind(resource_name);
diff --git a/implementations/rust/ockam/ockam_abac/src/policy/storage/resource_repository_sql.rs b/implementations/rust/ockam/ockam_abac/src/policy/storage/resource_repository_sql.rs
@@ -70,7 +70,7 @@ impl ResourcesRepository for ResourcesSqlxDatabase {
         let query = query_as(
             r#"SELECT resource_name, resource_type
             FROM resource
-            WHERE node_name = $1 and resource_name = $2"#,
+            WHERE tenant_id = $1 and node_name = $1 and resource_name = $2"#,
         )
         .bind(&self.node_name)
         .bind(resource_name);
diff --git a/implementations/rust/ockam/ockam_abac/src/policy/storage/resource_type_policy_repository_sql.rs b/implementations/rust/ockam/ockam_abac/src/policy/storage/resource_type_policy_repository_sql.rs
@@ -82,7 +82,7 @@ impl ResourceTypePoliciesRepository for ResourceTypePolicySqlxDatabase {
         let query = query_as(
             r#"SELECT resource_type, action, expression
             FROM resource_type_policy
-            WHERE node_name = $1 and resource_type = $2 and action = $3"#,
+            WHERE tenant_id = $1 and node_name = $1 and resource_type = $2 and action = $3"#,
         )
         .bind(&self.node_name)
         .bind(resource_type)
@@ -97,7 +97,7 @@ impl ResourceTypePoliciesRepository for ResourceTypePolicySqlxDatabase {
     async fn get_policies(&self) -> Result<Vec<ResourceTypePolicy>> {
         let query = query_as(
             r#"SELECT resource_type, action, expression
-            FROM resource_type_policy where node_name = $1"#,
+            FROM resource_type_policy where tenant_id = $1 and node_name = $1"#,
         )
         .bind(&self.node_name);
         let row: Vec<PolicyRow> = query.fetch_all(&*self.database.pool).await.into_core()?;
@@ -112,7 +112,7 @@ impl ResourceTypePoliciesRepository for ResourceTypePolicySqlxDatabase {
     ) -> Result<Vec<ResourceTypePolicy>> {
         let query = query_as(
             r#"SELECT resource_type, action, expression
-            FROM resource_type_policy where node_name = $1 and resource_type = $2"#,
+            FROM resource_type_policy where tenant_id = $1 and node_name = $1 and resource_type = $2"#,
         )
         .bind(&self.node_name)
         .bind(resource_type);
diff --git a/implementations/rust/ockam/ockam_identity/src/identities/storage/identity_attributes_repository_sql.rs b/implementations/rust/ockam/ockam_identity/src/identities/storage/identity_attributes_repository_sql.rs
@@ -60,7 +60,7 @@ impl IdentityAttributesRepository for IdentityAttributesSqlxDatabase {
         attested_by: &Identifier,
     ) -> Result<Option<AttributesEntry>> {
         let query = query_as(
-            "SELECT identifier, attributes, added, expires, attested_by FROM identity_attributes WHERE identifier = $1 AND attested_by = $2 AND node_name = $3"
+            "SELECT identifier, attributes, added, expires, attested_by FROM identity_attributes WHERE identifier = $1 AND attested_by = $2 AND node_name = $3 and tenant_id = $3"
             )
             .bind(identity)
             .bind(attested_by)

Original file line number	Diff line number	Diff line change
`@@ -70,7 +70,7 @@ impl ResourcesRepository for ResourcesSqlxDatabase {`
`70`	`70`	`let query = query_as(`
`71`	`71`	`r#"SELECT resource_name, resource_type`
`72`	`72`	`FROM resource`
`73`		`- WHERE node_name = $1 and resource_name = $2"#,`
	`73`	`+ WHERE tenant_id = $1 and node_name = $1 and resource_name = $2"#,`
`74`	`74`	`)`
`75`	`75`	`.bind(&self.node_name)`
`76`	`76`	`.bind(resource_name);`
Original file line number	Diff line number	Diff line change
`@@ -60,7 +60,7 @@ impl IdentityAttributesRepository for IdentityAttributesSqlxDatabase {`
`60`	`60`	`attested_by: &Identifier,`
`61`	`61`	`) -> Result<Option<AttributesEntry>> {`
`62`	`62`	`let query = query_as(`
`63`		`- "SELECT identifier, attributes, added, expires, attested_by FROM identity_attributes WHERE identifier = $1 AND attested_by = $2 AND node_name = $3"`
	`63`	`+ "SELECT identifier, attributes, added, expires, attested_by FROM identity_attributes WHERE identifier = $1 AND attested_by = $2 AND node_name = $3 and tenant_id = $3"`
`64`	`64`	`)`
`65`	`65`	`.bind(identity)`
`66`	`66`	`.bind(attested_by)`