Extend Grant support to narrow permissions to object in a Schema

Bastichou · Bastichou · commit 23bec132d7c9 · 2025-02-02T19:10:17.000+01:00
diff --git a/apis/postgresql/v1alpha1/grant_types.go b/apis/postgresql/v1alpha1/grant_types.go
@@ -141,6 +141,20 @@ type GrantParameters struct {
 	// +optional
 	DatabaseSelector *xpv1.Selector `json:"databaseSelector,omitempty"`
 
+	// Schema this grant is for.
+	// +optional
+	Schema *string `json:"schema,omitempty"`
+
+	// SchemaRef references the schema object this grant it for.
+	// +immutable
+	// +optional
+	SchemaRef *xpv1.Reference `json:"schemaRef,omitempty"`
+
+	// SchemaSelector selects a reference to a Schema this grant is for.
+	// +immutable
+	// +optional
+	SchemaSelector *xpv1.Selector `json:"schemaSelector,omitempty"`
+
 	// MemberOf is the Role that this grant makes Role a member of.
 	// +optional
 	MemberOf *string `json:"memberOf,omitempty"`
@@ -212,6 +226,20 @@ func (mg *Grant) ResolveReferences(ctx context.Context, c client.Reader) error {
 	mg.Spec.ForProvider.Database = reference.ToPtrValue(rsp.ResolvedValue)
 	mg.Spec.ForProvider.DatabaseRef = rsp.ResolvedReference
 
+	// Resolve spec.forProvider.schema
+	rsp, err = r.Resolve(ctx, reference.ResolutionRequest{
+		CurrentValue: reference.FromPtrValue(mg.Spec.ForProvider.Schema),
+		Reference:    mg.Spec.ForProvider.SchemaRef,
+		Selector:     mg.Spec.ForProvider.SchemaSelector,
+		To:           reference.To{Managed: &Schema{}, List: &SchemaList{}},
+		Extract:      reference.ExternalName(),
+	})
+	if err != nil {
+		return errors.Wrap(err, "spec.forProvider.schema")
+	}
+	mg.Spec.ForProvider.Schema = reference.ToPtrValue(rsp.ResolvedValue)
+	mg.Spec.ForProvider.SchemaRef = rsp.ResolvedReference
+
 	// Resolve spec.forProvider.role
 	rsp, err = r.Resolve(ctx, reference.ResolutionRequest{
 		CurrentValue: reference.FromPtrValue(mg.Spec.ForProvider.Role),
diff --git a/apis/postgresql/v1alpha1/zz_generated.deepcopy.go b/apis/postgresql/v1alpha1/zz_generated.deepcopy.go
diff --git a/package/crds/postgresql.sql.crossplane.io_grants.yaml b/package/crds/postgresql.sql.crossplane.io_grants.yaml
@@ -336,6 +336,84 @@ spec:
                             type: string
                         type: object
                     type: object
+                  schema:
+                    description: Schema this grant is for.
+                    type: string
+                  schemaRef:
+                    description: SchemaRef references the schema object this grant
+                      it for.
+                    properties:
+                      name:
+                        description: Name of the referenced object.
+                        type: string
+                      policy:
+                        description: Policies for referencing.
+                        properties:
+                          resolution:
+                            default: Required
+                            description: Resolution specifies whether resolution of
+                              this reference is required. The default is 'Required',
+                              which means the reconcile will fail if the reference
+                              cannot be resolved. 'Optional' means this reference
+                              will be a no-op if it cannot be resolved.
+                            enum:
+                            - Required
+                            - Optional
+                            type: string
+                          resolve:
+                            description: Resolve specifies when this reference should
+                              be resolved. The default is 'IfNotPresent', which will
+                              attempt to resolve the reference only when the corresponding
+                              field is not present. Use 'Always' to resolve the reference
+                              on every reconcile.
+                            enum:
+                            - Always
+                            - IfNotPresent
+                            type: string
+                        type: object
+                    required:
+                    - name
+                    type: object
+                  schemaSelector:
+                    description: SchemaSelector selects a reference to a Schema this
+                      grant is for.
+                    properties:
+                      matchControllerRef:
+                        description: MatchControllerRef ensures an object with the
+                          same controller reference as the selecting object is selected.
+                        type: boolean
+                      matchLabels:
+                        additionalProperties:
+                          type: string
+                        description: MatchLabels ensures an object with matching labels
+                          is selected.
+                        type: object
+                      policy:
+                        description: Policies for selection.
+                        properties:
+                          resolution:
+                            default: Required
+                            description: Resolution specifies whether resolution of
+                              this reference is required. The default is 'Required',
+                              which means the reconcile will fail if the reference
+                              cannot be resolved. 'Optional' means this reference
+                              will be a no-op if it cannot be resolved.
+                            enum:
+                            - Required
+                            - Optional
+                            type: string
+                          resolve:
+                            description: Resolve specifies when this reference should
+                              be resolved. The default is 'IfNotPresent', which will
+                              attempt to resolve the reference only when the corresponding
+                              field is not present. Use 'Always' to resolve the reference
+                              on every reconcile.
+                            enum:
+                            - Always
+                            - IfNotPresent
+                            type: string
+                        type: object
+                    type: object
                   withOption:
                     description: |-
                       WithOption allows an option to be set on the grant.
diff --git a/pkg/controller/postgresql/grant/reconciler.go b/pkg/controller/postgresql/grant/reconciler.go
@@ -51,6 +51,7 @@ const (
 	errSelectGrant  = "cannot select grant"
 	errCreateGrant  = "cannot create grant"
 	errRevokeGrant  = "cannot revoke grant"
+	errNoSchema     = "schema not passed or could not be resolved"
 	errNoRole       = "role not passed or could not be resolved"
 	errNoDatabase   = "database not passed or could not be resolved"
 	errNoPrivileges = "privileges not passed"
@@ -199,29 +200,40 @@ func selectGrantQuery(gp v1alpha1.GrantParameters, q *xsql.Query) error {
 		// permissions.
 		q.String = "SELECT EXISTS(SELECT 1 " +
 			"FROM pg_database db, " +
-			"aclexplode(datacl) as acl " +
+			"aclexplode(datacl) as acl, " +
+			"pg_namespace as schema " +
 			"INNER JOIN pg_roles s ON acl.grantee = s.oid " +
 			// Filter by database, role and grantable setting
 			"WHERE db.datname=$1 " +
 			"AND s.rolname=$2 " +
 			"AND acl.is_grantable=$3 " +
-			"GROUP BY db.datname, s.rolname, acl.is_grantable " +
+			// TODO: Filter by schema this is not working
+			"AND schema.nspname=$4 " +
+			"GROUP BY db.datname, s.rolname, acl.is_grantable, schema.nspname " +
 			// Check privileges match. Convoluted right-hand-side is necessary to
 			// ensure identical sort order of the input permissions.
 			"HAVING array_agg(acl.privilege_type ORDER BY privilege_type ASC) " +
-			"= (SELECT array(SELECT unnest($4::text[]) as perms ORDER BY perms ASC)))"
+			"= (SELECT array(SELECT unnest($5::text[]) as perms ORDER BY perms ASC)))"
 
 		q.Parameters = []interface{}{
 			gp.Database,
 			gp.Role,
 			gro,
+			gp.Schema,
 			pq.Array(sp),
 		}
 		return nil
 	}
 	return errors.New(errUnknownGrant)
 }
 
+func withSchema(schema *string) string {
+	if schema != nil {
+		return fmt.Sprintf("IN SCHEMA %s", *schema)
+	}
+	return ""
+}
+
 func withOption(option *v1alpha1.GrantOption) string {
 	if option != nil {
 		return fmt.Sprintf("WITH %s OPTION", string(*option))
@@ -262,17 +274,19 @@ func createGrantQueries(gp v1alpha1.GrantParameters, ql *[]xsql.Query) error { /
 
 		*ql = append(*ql,
 			// REVOKE ANY MATCHING EXISTING PERMISSIONS
-			xsql.Query{String: fmt.Sprintf("REVOKE %s ON DATABASE %s FROM %s",
+			xsql.Query{String: fmt.Sprintf("REVOKE %s ON DATABASE %s %s FROM %s",
 				sp,
 				db,
+				withSchema(gp.Schema),
 				ro,
 			)},
 
 			// GRANT REQUESTED PERMISSIONS
-			xsql.Query{String: fmt.Sprintf("GRANT %s ON DATABASE %s TO %s %s",
+			xsql.Query{String: fmt.Sprintf("GRANT %s ON DATABASE %s TO %s %s %s",
 				sp,
 				db,
 				ro,
+				withSchema(gp.Schema),
 				withOption(gp.WithOption),
 			)},
 		)
@@ -305,9 +319,10 @@ func deleteGrantQuery(gp v1alpha1.GrantParameters, q *xsql.Query) error {
 		)
 		return nil
 	case roleDatabase:
-		q.String = fmt.Sprintf("REVOKE %s ON DATABASE %s FROM %s",
+		q.String = fmt.Sprintf("REVOKE %s ON DATABASE %s %s FROM %s",
 			strings.Join(gp.Privileges.ToStringSlice(), ","),
 			pq.QuoteIdentifier(*gp.Database),
+			withSchema(gp.Schema),
 			ro,
 		)
 		return nil
