feat: add grant specs schema, objects, objectType

Author: Bastichou

.gitignore

@@ -8,3 +8,4 @@
 .work
 _output
 __debug_bin
+.tool-versions

apis/postgresql/v1alpha1/grant_types.go

@@ -47,6 +47,7 @@ type GrantPrivileges []GrantPrivilege
 // happen internally inside postgresql when making grants. When we query the
 // privileges back, we need to look for the expanded set.
 // https://www.postgresql.org/docs/15/ddl-priv.html
+// TODO: Grand ALL ON SCHEMA should be expanded to GRANT USAGE, CREATE ON SCHEMA
 var grantReplacements = map[GrantPrivilege]GrantPrivileges{
 	"ALL":            {"CREATE", "TEMPORARY", "CONNECT"},
 	"ALL PRIVILEGES": {"CREATE", "TEMPORARY", "CONNECT"},
@@ -172,6 +173,22 @@ type GrantParameters struct {
 	// RevokePublicOnDb apply the statement "REVOKE ALL ON DATABASE %s FROM PUBLIC" to make database unreachable from public
 	// +optional
 	RevokePublicOnDb *bool `json:"revokePublicOnDb,omitempty" default:"false"`
+
+	// ObjectType is the PostgreSQL object type to grant the privileges on.
+	// +kubebuilder:validation:Enum=database;schema;table;sequence;function;procedure;routine;foreign_data_wrapper;foreign_server;column
+	ObjectType string `json:"objectType" default:"database"`
+
+	// Objects are the objects upon which to grant the privileges.
+	// An empty list (the default) means to grant permissions on all objects of the specified type.
+	// You cannot specify this option if the objectType is database or schema.
+	// When objectType is column, only one value is allowed.
+	// +optional
+	Objects []string `json:"objects,omitempty"`
+
+	// The columns upon which to grant the privileges.
+	// Required when object_type is column. You cannot specify this option if the object_type is not column
+	// +optional
+	Columns []string `json:"columns,omitempty"`
 }
 
 // A GrantStatus represents the observed state of a Grant.

apis/postgresql/v1alpha1/zz_generated.deepcopy.go

@@ -83,6 +83,13 @@ spec:
                 description: GrantParameters define the desired state of a PostgreSQL
                   grant instance.
                 properties:
+                  columns:
+                    description: |-
+                      The columns upon which to grant the privileges.
+                      Required when object_type is column. You cannot specify this option if the object_type is not column
+                    items:
+                      type: string
+                    type: array
                   database:
                     description: Database this grant is for.
                     type: string
@@ -242,6 +249,30 @@ spec:
                             type: string
                         type: object
                     type: object
+                  objectType:
+                    description: ObjectType is the PostgreSQL object type to grant
+                      the privileges on.
+                    enum:
+                    - database
+                    - schema
+                    - table
+                    - sequence
+                    - function
+                    - procedure
+                    - routine
+                    - foreign_data_wrapper
+                    - foreign_server
+                    - column
+                    type: string
+                  objects:
+                    description: |-
+                      Objects are the objects upon which to grant the privileges.
+                      An empty list (the default) means to grant permissions on all objects of the specified type.
+                      You cannot specify this option if the objectType is database or schema.
+                      When objectType is column, only one value is allowed.
+                    items:
+                      type: string
+                    type: array
                   privileges:
                     description: |-
                       Privileges to be granted.
@@ -351,21 +382,21 @@ spec:
                         properties:
                           resolution:
                             default: Required
-                            description: Resolution specifies whether resolution of
-                              this reference is required. The default is 'Required',
-                              which means the reconcile will fail if the reference
-                              cannot be resolved. 'Optional' means this reference
-                              will be a no-op if it cannot be resolved.
+                            description: |-
+                              Resolution specifies whether resolution of this reference is required.
+                              The default is 'Required', which means the reconcile will fail if the
+                              reference cannot be resolved. 'Optional' means this reference will be
+                              a no-op if it cannot be resolved.
                             enum:
                             - Required
                             - Optional
                             type: string
                           resolve:
-                            description: Resolve specifies when this reference should
-                              be resolved. The default is 'IfNotPresent', which will
-                              attempt to resolve the reference only when the corresponding
-                              field is not present. Use 'Always' to resolve the reference
-                              on every reconcile.
+                            description: |-
+                              Resolve specifies when this reference should be resolved. The default
+                              is 'IfNotPresent', which will attempt to resolve the reference only when
+                              the corresponding field is not present. Use 'Always' to resolve the
+                              reference on every reconcile.
                             enum:
                             - Always
                             - IfNotPresent
@@ -379,8 +410,9 @@ spec:
                       grant is for.
                     properties:
                       matchControllerRef:
-                        description: MatchControllerRef ensures an object with the
-                          same controller reference as the selecting object is selected.
+                        description: |-
+                          MatchControllerRef ensures an object with the same controller reference
+                          as the selecting object is selected.
                         type: boolean
                       matchLabels:
                         additionalProperties:
@@ -393,21 +425,21 @@ spec:
                         properties:
                           resolution:
                             default: Required
-                            description: Resolution specifies whether resolution of
-                              this reference is required. The default is 'Required',
-                              which means the reconcile will fail if the reference
-                              cannot be resolved. 'Optional' means this reference
-                              will be a no-op if it cannot be resolved.
+                            description: |-
+                              Resolution specifies whether resolution of this reference is required.
+                              The default is 'Required', which means the reconcile will fail if the
+                              reference cannot be resolved. 'Optional' means this reference will be
+                              a no-op if it cannot be resolved.
                             enum:
                             - Required
                             - Optional
                             type: string
                           resolve:
-                            description: Resolve specifies when this reference should
-                              be resolved. The default is 'IfNotPresent', which will
-                              attempt to resolve the reference only when the corresponding
-                              field is not present. Use 'Always' to resolve the reference
-                              on every reconcile.
+                            description: |-
+                              Resolve specifies when this reference should be resolved. The default
+                              is 'IfNotPresent', which will attempt to resolve the reference only when
+                              the corresponding field is not present. Use 'Always' to resolve the
+                              reference on every reconcile.
                             enum:
                             - Always
                             - IfNotPresent
@@ -423,6 +455,8 @@ spec:
                     - ADMIN
                     - GRANT
                     type: string
+                required:
+                - objectType
                 type: object
               managementPolicies:
                 default:

build

@@ -138,6 +138,41 @@ const (
 	roleDatabase grantType = "ROLE_DATABASE"
 )
 
+// sliceContainsStr checks if a slice contains a specific string.
+func sliceContainsStr(haystack []string, needle string) bool {
+	for _, s := range haystack {
+		if s == needle {
+			return true
+		}
+	}
+	return false
+}
+
+func validateGrantParams(gp v1alpha1.GrantParameters) error {
+	if gp.Schema == nil && !sliceContainsStr([]string{"database", "foreign_data_wrapper", "foreign_server"}, gp.ObjectType) {
+		return fmt.Errorf("parameter 'schema' is mandatory for grant resource")
+	}
+	if len(gp.Objects) > 0 && (gp.ObjectType == "database" || gp.ObjectType == "schema") {
+		return fmt.Errorf("cannot specify `objects` when `object_type` is `database` or `schema`")
+	}
+	if len(gp.Columns) > 0 && gp.ObjectType != "column" {
+		return fmt.Errorf("cannot specify `columns` when `object_type` is not `column`")
+	}
+	if len(gp.Columns) == 0 && gp.ObjectType == "column" {
+		return fmt.Errorf("must specify `columns` when `object_type` is `column`")
+	}
+	if len(gp.Privileges) != 1 && gp.ObjectType == "column" {
+		return fmt.Errorf("must specify exactly 1 `privileges` when `object_type` is `column`")
+	}
+	if len(gp.Objects) != 1 && gp.ObjectType == "column" {
+		return fmt.Errorf("must specify exactly 1 table in the `objects` field when `object_type` is `column`")
+	}
+	if len(gp.Objects) != 1 && (gp.ObjectType == "foreign_data_wrapper" || gp.ObjectType == "foreign_server") {
+		return fmt.Errorf("one element must be specified in `objects` when `object_type` is `foreign_data_wrapper` or `foreign_server`")
+	}
+	return nil
+}
+
 func identifyGrantType(gp v1alpha1.GrantParameters) (grantType, error) {
 	pc := len(gp.Privileges)
 
@@ -195,34 +230,32 @@ func selectGrantQuery(gp v1alpha1.GrantParameters, q *xsql.Query) error {
 
 		ep := gp.Privileges.ExpandPrivileges()
 		sp := ep.ToStringSlice()
+
 		// Join grantee. Filter by database name and grantee name.
 		// Finally, perform a permission comparison against expected
 		// permissions.
 		q.String = "SELECT EXISTS(SELECT 1 " +
-			"FROM pg_database db, " +
-			"aclexplode(datacl) as acl, " +
-			"pg_namespace as schema " +
-			"INNER JOIN pg_roles s ON acl.grantee = s.oid " +
-			// Filter by database, role and grantable setting
-			"WHERE db.datname=$1 " +
-			"AND s.rolname=$2 " +
-			"AND acl.is_grantable=$3 " +
-			// TODO: Filter by schema this is not working
-			"AND schema.nspname=$4 " +
-			"GROUP BY db.datname, s.rolname, acl.is_grantable, schema.nspname " +
-			// Check privileges match. Convoluted right-hand-side is necessary to
-			// ensure identical sort order of the input permissions.
-			"HAVING array_agg(acl.privilege_type ORDER BY privilege_type ASC) " +
-			"= (SELECT array(SELECT unnest($5::text[]) as perms ORDER BY perms ASC)))"
+			"FROM pg_database db " +
+			"JOIN pg_namespace nsp ON db.datname = $1 " +
+			"JOIN LATERAL aclexplode(nsp.nspacl) acl ON true " +
+			"JOIN pg_roles s ON acl.grantee = s.oid " +
+			// Filter by role, schema and grantable setting
+			"WHERE nsp.nspname = $2 " +
+			"AND s.rolname = $3 " +
+			"AND acl.is_grantable = $6 " +
+			"GROUP BY db.datname, nsp.nspname, s.rolname, acl.is_grantable " +
+			"HAVING array_agg(acl.privilege_type ORDER BY privilege_type ASC) = " +
+			"(SELECT array(SELECT unnest($7::text[]) ORDER BY 1)))"
 
 		q.Parameters = []interface{}{
 			gp.Database,
+			gp.Schema,
 			gp.Role,
+			gp.ObjectType,
+			gp.Objects,
 			gro,
-			gp.Schema,
 			pq.Array(sp),
 		}
-		return nil
 	}
 	return errors.New(errUnknownGrant)
 }
@@ -372,6 +405,11 @@ func (c *external) Create(ctx context.Context, mg resource.Managed) (managed.Ext
 		return managed.ExternalCreation{}, errors.New(errNotGrant)
 	}
 
+	// Validate grant specs
+	if err := validateGrantParams(cr.Spec.ForProvider); err != nil {
+		return managed.ExternalCreation{}, errors.Wrap(err, errInvalidParams)
+	}
+
 	var queries []xsql.Query
 
 	cr.SetConditions(xpv1.Creating())