Implement grants on database

Author: jeromepin

postgresql/helpers.go

@@ -105,6 +105,7 @@ func sliceContainsStr(haystack []string, needle string) bool {
 // allowedPrivileges is the list of privileges allowed per object types in Postgres.
 // see: https://www.postgresql.org/docs/current/sql-grant.html
 var allowedPrivileges = map[string][]string{
+	"database": []string{"ALL", "CREATE", "CONNECT", "TEMPORARY", "TEMP"},
 	"table":    []string{"ALL", "SELECT", "INSERT", "UPDATE", "DELETE", "TRUNCATE", "REFERENCES", "TRIGGER"},
 	"sequence": []string{"ALL", "USAGE", "SELECT", "UPDATE"},
 }

postgresql/resource_postgresql_grant.go

@@ -15,11 +15,19 @@ import (
 )
 
 var objectTypes = map[string]string{
+	"database": "d",
 	"table":    "r",
 	"sequence": "S",
 }
 
 func resourcePostgreSQLGrant() *schema.Resource {
+
+	allowedObjectTypes := make([]string, 0, len(objectTypes))
+
+	for k := range objectTypes {
+		allowedObjectTypes = append(allowedObjectTypes, k)
+	}
+
 	return &schema.Resource{
 		Create: resourcePostgreSQLGrantCreate,
 		// As create revokes and grants we can use it to update too
@@ -47,14 +55,11 @@ func resourcePostgreSQLGrant() *schema.Resource {
 				Description: "The database schema to grant privileges on for this role",
 			},
 			"object_type": {
-				Type:     schema.TypeString,
-				Required: true,
-				ForceNew: true,
-				ValidateFunc: validation.StringInSlice([]string{
-					"table",
-					"sequence",
-				}, false),
-				Description: "The PostgreSQL object type to grant the privileges on (one of: table, sequence)",
+				Type:         schema.TypeString,
+				Required:     true,
+				ForceNew:     true,
+				ValidateFunc: validation.StringInSlice(allowedObjectTypes, false),
+				Description:  "The PostgreSQL object type to grant the privileges on (one of: " + strings.Join(allowedObjectTypes, ", ") + ")",
 			},
 			"privileges": &schema.Schema{
 				Type:        schema.TypeSet,
@@ -64,6 +69,13 @@ func resourcePostgreSQLGrant() *schema.Resource {
 				MinItems:    1,
 				Description: "The list of privileges to grant",
 			},
+			"with_grant_option": {
+				Type:        schema.TypeBool,
+				Optional:    true,
+				ForceNew:    true,
+				Default:     false,
+				Description: "Permit the grant recipient to grant it to others",
+			},
 		},
 	}
 }
@@ -236,32 +248,70 @@ GROUP BY pg_class.relname;
 	return nil
 }
 
+func createGrantQuery(d *schema.ResourceData, privileges []string) string {
+	var query string
+
+	switch strings.ToUpper(d.Get("object_type").(string)) {
+	case "DATABASE":
+		query = fmt.Sprintf(
+			"GRANT %s ON DATABASE %s TO %s",
+			strings.Join(privileges, ","),
+			pq.QuoteIdentifier(d.Get("database").(string)),
+			pq.QuoteIdentifier(d.Get("role").(string)),
+		)
+	case "TABLE", "SEQUENCE":
+		query = fmt.Sprintf(
+			"GRANT %s ON ALL %sS IN SCHEMA %s TO %s",
+			strings.Join(privileges, ","),
+			strings.ToUpper(d.Get("object_type").(string)),
+			pq.QuoteIdentifier(d.Get("schema").(string)),
+			pq.QuoteIdentifier(d.Get("role").(string)),
+		)
+	}
+
+	if d.Get("with_grant_option").(bool) == true {
+		query = query + " WITH GRANT OPTION"
+	}
+
+	return query
+}
+
+func createRevokeQuery(d *schema.ResourceData) string {
+	var query string
+
+	switch strings.ToUpper(d.Get("object_type").(string)) {
+	case "DATABASE":
+		query = fmt.Sprintf(
+			"REVOKE ALL PRIVILEGES ON DATABASE %s FROM %s",
+			pq.QuoteIdentifier(d.Get("database").(string)),
+			pq.QuoteIdentifier(d.Get("role").(string)),
+		)
+	case "TABLE", "SEQUENCE":
+		query = fmt.Sprintf(
+			"REVOKE ALL PRIVILEGES ON ALL %sS IN SCHEMA %s FROM %s",
+			strings.ToUpper(d.Get("object_type").(string)),
+			pq.QuoteIdentifier(d.Get("schema").(string)),
+			pq.QuoteIdentifier(d.Get("role").(string)),
+		)
+	}
+
+	return query
+}
+
 func grantRolePrivileges(txn *sql.Tx, d *schema.ResourceData) error {
 	privileges := []string{}
 	for _, priv := range d.Get("privileges").(*schema.Set).List() {
 		privileges = append(privileges, priv.(string))
 	}
 
-	query := fmt.Sprintf(
-		"GRANT %s ON ALL %sS IN SCHEMA %s TO %s",
-		strings.Join(privileges, ","),
-		strings.ToUpper(d.Get("object_type").(string)),
-		pq.QuoteIdentifier(d.Get("schema").(string)),
-		pq.QuoteIdentifier(d.Get("role").(string)),
-	)
+	query := createGrantQuery(d, privileges)
 
 	_, err := txn.Exec(query)
 	return err
 }
 
 func revokeRolePrivileges(txn *sql.Tx, d *schema.ResourceData) error {
-	query := fmt.Sprintf(
-		"REVOKE ALL PRIVILEGES ON ALL %sS IN SCHEMA %s FROM %s",
-		strings.ToUpper(d.Get("object_type").(string)),
-		pq.QuoteIdentifier(d.Get("schema").(string)),
-		pq.QuoteIdentifier(d.Get("role").(string)),
-	)
-
+	query := createRevokeQuery(d)
 	_, err := txn.Exec(query)
 	return err
 }

postgresql/resource_postgresql_grant_test.go

@@ -5,9 +5,136 @@ import (
 	"testing"
 
 	"github.com/hashicorp/terraform-plugin-sdk/helper/resource"
+	"github.com/hashicorp/terraform-plugin-sdk/helper/schema"
 	"github.com/hashicorp/terraform-plugin-sdk/terraform"
+	"github.com/lib/pq"
 )
 
+func TestCreateGrantQuery(t *testing.T) {
+	var databaseName = "foo"
+	var roleName = "bar"
+
+	cases := []struct {
+		resource   *schema.ResourceData
+		privileges []string
+		expected   string
+	}{
+		{
+			resource: schema.TestResourceDataRaw(t, resourcePostgreSQLGrant().Schema, map[string]interface{}{
+				"object_type": "table",
+				"schema":      databaseName,
+				"role":        roleName,
+			}),
+			privileges: []string{"SELECT"},
+			expected:   fmt.Sprintf("GRANT SELECT ON ALL TABLES IN SCHEMA %s TO %s", pq.QuoteIdentifier(databaseName), pq.QuoteIdentifier(roleName)),
+		},
+		{
+			resource: schema.TestResourceDataRaw(t, resourcePostgreSQLGrant().Schema, map[string]interface{}{
+				"object_type": "sequence",
+				"schema":      databaseName,
+				"role":        roleName,
+			}),
+			privileges: []string{"SELECT"},
+			expected:   fmt.Sprintf("GRANT SELECT ON ALL SEQUENCES IN SCHEMA %s TO %s", pq.QuoteIdentifier(databaseName), pq.QuoteIdentifier(roleName)),
+		},
+		{
+			resource: schema.TestResourceDataRaw(t, resourcePostgreSQLGrant().Schema, map[string]interface{}{
+				"object_type":       "TABLE",
+				"schema":            databaseName,
+				"role":              roleName,
+				"with_grant_option": true,
+			}),
+			privileges: []string{"SELECT", "INSERT", "UPDATE"},
+			expected:   fmt.Sprintf("GRANT SELECT,INSERT,UPDATE ON ALL TABLES IN SCHEMA %s TO %s WITH GRANT OPTION", pq.QuoteIdentifier(databaseName), pq.QuoteIdentifier(roleName)),
+		},
+		{
+			resource: schema.TestResourceDataRaw(t, resourcePostgreSQLGrant().Schema, map[string]interface{}{
+				"object_type": "database",
+				"database":    databaseName,
+				"role":        roleName,
+			}),
+			privileges: []string{"CREATE"},
+			expected:   fmt.Sprintf("GRANT CREATE ON DATABASE %s TO %s", pq.QuoteIdentifier(databaseName), pq.QuoteIdentifier(roleName)),
+		},
+		{
+			resource: schema.TestResourceDataRaw(t, resourcePostgreSQLGrant().Schema, map[string]interface{}{
+				"object_type": "database",
+				"database":    databaseName,
+				"role":        roleName,
+			}),
+			privileges: []string{"CREATE", "CONNECT"},
+			expected:   fmt.Sprintf("GRANT CREATE,CONNECT ON DATABASE %s TO %s", pq.QuoteIdentifier(databaseName), pq.QuoteIdentifier(roleName)),
+		},
+		{
+			resource: schema.TestResourceDataRaw(t, resourcePostgreSQLGrant().Schema, map[string]interface{}{
+				"object_type":       "DATABASE",
+				"database":          databaseName,
+				"role":              roleName,
+				"with_grant_option": true,
+			}),
+			privileges: []string{"ALL PRIVILEGES"},
+			expected:   fmt.Sprintf("GRANT ALL PRIVILEGES ON DATABASE %s TO %s WITH GRANT OPTION", pq.QuoteIdentifier(databaseName), pq.QuoteIdentifier(roleName)),
+		},
+	}
+
+	for _, c := range cases {
+		out := createGrantQuery(c.resource, c.privileges)
+		if out != c.expected {
+			t.Fatalf("Error matching output and expected: %#v vs %#v", out, c.expected)
+		}
+	}
+}
+
+func TestCreateRevokeQuery(t *testing.T) {
+	var databaseName = "foo"
+	var roleName = "bar"
+
+	cases := []struct {
+		resource *schema.ResourceData
+		expected string
+	}{
+		{
+			resource: schema.TestResourceDataRaw(t, resourcePostgreSQLGrant().Schema, map[string]interface{}{
+				"object_type": "table",
+				"schema":      databaseName,
+				"role":        roleName,
+			}),
+			expected: fmt.Sprintf("REVOKE ALL PRIVILEGES ON ALL TABLES IN SCHEMA %s FROM %s", pq.QuoteIdentifier(databaseName), pq.QuoteIdentifier(roleName)),
+		},
+		{
+			resource: schema.TestResourceDataRaw(t, resourcePostgreSQLGrant().Schema, map[string]interface{}{
+				"object_type": "sequence",
+				"schema":      databaseName,
+				"role":        roleName,
+			}),
+			expected: fmt.Sprintf("REVOKE ALL PRIVILEGES ON ALL SEQUENCES IN SCHEMA %s FROM %s", pq.QuoteIdentifier(databaseName), pq.QuoteIdentifier(roleName)),
+		},
+		{
+			resource: schema.TestResourceDataRaw(t, resourcePostgreSQLGrant().Schema, map[string]interface{}{
+				"object_type": "database",
+				"database":    databaseName,
+				"role":        roleName,
+			}),
+			expected: fmt.Sprintf("REVOKE ALL PRIVILEGES ON DATABASE %s FROM %s", pq.QuoteIdentifier(databaseName), pq.QuoteIdentifier(roleName)),
+		},
+		{
+			resource: schema.TestResourceDataRaw(t, resourcePostgreSQLGrant().Schema, map[string]interface{}{
+				"object_type": "DATABASE",
+				"database":    databaseName,
+				"role":        roleName,
+			}),
+			expected: fmt.Sprintf("REVOKE ALL PRIVILEGES ON DATABASE %s FROM %s", pq.QuoteIdentifier(databaseName), pq.QuoteIdentifier(roleName)),
+		},
+	}
+
+	for _, c := range cases {
+		out := createRevokeQuery(c.resource)
+		if out != c.expected {
+			t.Fatalf("Error matching output and expected: %#v vs %#v", out, c.expected)
+		}
+	}
+}
+
 func TestAccPostgresqlGrant(t *testing.T) {
 	skipIfNotAcc(t)
 
@@ -84,3 +211,45 @@ func TestAccPostgresqlGrant(t *testing.T) {
 		},
 	})
 }
+
+func TestAccPostgresqlGrantDatabase(t *testing.T) {
+	skipIfNotAcc(t)
+
+	// We have to create the database outside of resource.Test
+	// because we need to create tables to assert that grant are correctly applied
+	// and we don't have this resource yet
+	dbSuffix, teardown := setupTestDatabase(t, true, true)
+	defer teardown()
+
+	dbName, roleName := getTestDBNames(dbSuffix)
+	var testGrantSelect = fmt.Sprintf(`
+	resource "postgresql_grant" "test" {
+		database           = "%s"
+		role               = "%s"
+		schema             = "test_schema"
+		object_type        = "database"
+		privileges         = ["CONNECT", "CREATE"]
+		with_grant_option  = true
+	}
+	`, dbName, roleName)
+
+	resource.Test(t, resource.TestCase{
+		PreCheck: func() {
+			testAccPreCheck(t)
+			testCheckCompatibleVersion(t, featurePrivileges)
+		},
+		Providers: testAccProviders,
+		Steps: []resource.TestStep{
+			{
+				Config: testGrantSelect,
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr("postgresql_grant.test", "privileges.#", "2"),
+					resource.TestCheckResourceAttr("postgresql_grant.test", "with_grant_option", "true"),
+					func(*terraform.State) error {
+						return testCheckDatabasesPrivileges(t, dbSuffix, []string{"CONNECT"})
+					},
+				),
+			},
+		},
+	})
+}

postgresql/utils_test.go

@@ -192,3 +192,28 @@ func testCheckTablesPrivileges(t *testing.T, dbSuffix string, tables []string, a
 	}
 	return nil
 }
+
+func testCheckDatabasesPrivileges(t *testing.T, dbSuffix string, allowedPrivileges []string) error {
+	config := getTestConfig(t)
+	dbName, roleName := getTestDBNames(dbSuffix)
+
+	// Connect as the test role
+	config.Username = roleName
+	config.Password = testRolePassword
+
+	db, err := sql.Open("postgres", config.connStr(dbName))
+	if err != nil {
+		t.Fatalf("could not open connection pool for db %s: %v", dbName, err)
+	}
+	defer db.Close()
+
+	queries := map[string]string{
+		"CREATE": fmt.Sprintf("CREATE DATABASE foo"),
+	}
+
+	for _, query := range queries {
+		db.Exec(query)
+	}
+
+	return nil
+}