feat: add grant specs schema, objects, objectType

Author: Bastichou

.gitignore

@@ -8,3 +8,4 @@
 .work
 _output
 __debug_bin
+.tool-versions

apis/postgresql/v1alpha1/grant_types.go

@@ -47,6 +47,7 @@ type GrantPrivileges []GrantPrivilege
 // happen internally inside postgresql when making grants. When we query the
 // privileges back, we need to look for the expanded set.
 // https://www.postgresql.org/docs/15/ddl-priv.html
+// TODO: Grand ALL ON SCHEMA should be expanded to GRANT USAGE, CREATE ON SCHEMA
 var grantReplacements = map[GrantPrivilege]GrantPrivileges{
 	"ALL":            {"CREATE", "TEMPORARY", "CONNECT"},
 	"ALL PRIVILEGES": {"CREATE", "TEMPORARY", "CONNECT"},
@@ -141,6 +142,20 @@ type GrantParameters struct {
 	// +optional
 	DatabaseSelector *xpv1.Selector `json:"databaseSelector,omitempty"`
 
+	// Schema this grant is for.
+	// +optional
+	Schema *string `json:"schema,omitempty"`
+
+	// SchemaRef references the schema object this grant it for.
+	// +immutable
+	// +optional
+	SchemaRef *xpv1.Reference `json:"schemaRef,omitempty"`
+
+	// SchemaSelector selects a reference to a Schema this grant is for.
+	// +immutable
+	// +optional
+	SchemaSelector *xpv1.Selector `json:"schemaSelector,omitempty"`
+
 	// MemberOf is the Role that this grant makes Role a member of.
 	// +optional
 	MemberOf *string `json:"memberOf,omitempty"`
@@ -158,6 +173,22 @@ type GrantParameters struct {
 	// RevokePublicOnDb apply the statement "REVOKE ALL ON DATABASE %s FROM PUBLIC" to make database unreachable from public
 	// +optional
 	RevokePublicOnDb *bool `json:"revokePublicOnDb,omitempty" default:"false"`
+
+	// ObjectType is the PostgreSQL object type to grant the privileges on.
+	// +kubebuilder:validation:Enum=database;schema;table;sequence;function;procedure;routine;foreign_data_wrapper;foreign_server;column
+	ObjectType string `json:"objectType" default:"database"`
+
+	// Objects are the objects upon which to grant the privileges.
+	// An empty list (the default) means to grant permissions on all objects of the specified type.
+	// You cannot specify this option if the objectType is database or schema.
+	// When objectType is column, only one value is allowed.
+	// +optional
+	Objects []string `json:"objects,omitempty"`
+
+	// The columns upon which to grant the privileges.
+	// Required when object_type is column. You cannot specify this option if the object_type is not column
+	// +optional
+	Columns []string `json:"columns,omitempty"`
 }
 
 // A GrantStatus represents the observed state of a Grant.
@@ -212,6 +243,20 @@ func (mg *Grant) ResolveReferences(ctx context.Context, c client.Reader) error {
 	mg.Spec.ForProvider.Database = reference.ToPtrValue(rsp.ResolvedValue)
 	mg.Spec.ForProvider.DatabaseRef = rsp.ResolvedReference
 
+	// Resolve spec.forProvider.schema
+	rsp, err = r.Resolve(ctx, reference.ResolutionRequest{
+		CurrentValue: reference.FromPtrValue(mg.Spec.ForProvider.Schema),
+		Reference:    mg.Spec.ForProvider.SchemaRef,
+		Selector:     mg.Spec.ForProvider.SchemaSelector,
+		To:           reference.To{Managed: &Schema{}, List: &SchemaList{}},
+		Extract:      reference.ExternalName(),
+	})
+	if err != nil {
+		return errors.Wrap(err, "spec.forProvider.schema")
+	}
+	mg.Spec.ForProvider.Schema = reference.ToPtrValue(rsp.ResolvedValue)
+	mg.Spec.ForProvider.SchemaRef = rsp.ResolvedReference
+
 	// Resolve spec.forProvider.role
 	rsp, err = r.Resolve(ctx, reference.ResolutionRequest{
 		CurrentValue: reference.FromPtrValue(mg.Spec.ForProvider.Role),

apis/postgresql/v1alpha1/zz_generated.deepcopy.go

@@ -83,6 +83,13 @@ spec:
                 description: GrantParameters define the desired state of a PostgreSQL
                   grant instance.
                 properties:
+                  columns:
+                    description: |-
+                      The columns upon which to grant the privileges.
+                      Required when object_type is column. You cannot specify this option if the object_type is not column
+                    items:
+                      type: string
+                    type: array
                   database:
                     description: Database this grant is for.
                     type: string
@@ -242,6 +249,30 @@ spec:
                             type: string
                         type: object
                     type: object
+                  objectType:
+                    description: ObjectType is the PostgreSQL object type to grant
+                      the privileges on.
+                    enum:
+                    - database
+                    - schema
+                    - table
+                    - sequence
+                    - function
+                    - procedure
+                    - routine
+                    - foreign_data_wrapper
+                    - foreign_server
+                    - column
+                    type: string
+                  objects:
+                    description: |-
+                      Objects are the objects upon which to grant the privileges.
+                      An empty list (the default) means to grant permissions on all objects of the specified type.
+                      You cannot specify this option if the objectType is database or schema.
+                      When objectType is column, only one value is allowed.
+                    items:
+                      type: string
+                    type: array
                   privileges:
                     description: |-
                       Privileges to be granted.
@@ -336,6 +367,85 @@ spec:
                             type: string
                         type: object
                     type: object
+                  schema:
+                    description: Schema this grant is for.
+                    type: string
+                  schemaRef:
+                    description: SchemaRef references the schema object this grant
+                      it for.
+                    properties:
+                      name:
+                        description: Name of the referenced object.
+                        type: string
+                      policy:
+                        description: Policies for referencing.
+                        properties:
+                          resolution:
+                            default: Required
+                            description: |-
+                              Resolution specifies whether resolution of this reference is required.
+                              The default is 'Required', which means the reconcile will fail if the
+                              reference cannot be resolved. 'Optional' means this reference will be
+                              a no-op if it cannot be resolved.
+                            enum:
+                            - Required
+                            - Optional
+                            type: string
+                          resolve:
+                            description: |-
+                              Resolve specifies when this reference should be resolved. The default
+                              is 'IfNotPresent', which will attempt to resolve the reference only when
+                              the corresponding field is not present. Use 'Always' to resolve the
+                              reference on every reconcile.
+                            enum:
+                            - Always
+                            - IfNotPresent
+                            type: string
+                        type: object
+                    required:
+                    - name
+                    type: object
+                  schemaSelector:
+                    description: SchemaSelector selects a reference to a Schema this
+                      grant is for.
+                    properties:
+                      matchControllerRef:
+                        description: |-
+                          MatchControllerRef ensures an object with the same controller reference
+                          as the selecting object is selected.
+                        type: boolean
+                      matchLabels:
+                        additionalProperties:
+                          type: string
+                        description: MatchLabels ensures an object with matching labels
+                          is selected.
+                        type: object
+                      policy:
+                        description: Policies for selection.
+                        properties:
+                          resolution:
+                            default: Required
+                            description: |-
+                              Resolution specifies whether resolution of this reference is required.
+                              The default is 'Required', which means the reconcile will fail if the
+                              reference cannot be resolved. 'Optional' means this reference will be
+                              a no-op if it cannot be resolved.
+                            enum:
+                            - Required
+                            - Optional
+                            type: string
+                          resolve:
+                            description: |-
+                              Resolve specifies when this reference should be resolved. The default
+                              is 'IfNotPresent', which will attempt to resolve the reference only when
+                              the corresponding field is not present. Use 'Always' to resolve the
+                              reference on every reconcile.
+                            enum:
+                            - Always
+                            - IfNotPresent
+                            type: string
+                        type: object
+                    type: object
                   withOption:
                     description: |-
                       WithOption allows an option to be set on the grant.
@@ -345,6 +455,8 @@ spec:
                     - ADMIN
                     - GRANT
                     type: string
+                required:
+                - objectType
                 type: object
               managementPolicies:
                 default: