diff --git a/README.md b/README.md index 073c043d..174e38a5 100644 --- a/README.md +++ b/README.md @@ -60,7 +60,7 @@ Check the example: 2. Create managed resources for your SQL server flavor: - **MySQL**: `Database`, `Grant`, `User` (See [the examples](examples/mysql)) - - **PostgreSQL**: `Database`, `Grant`, `Extension`, `Role` (See [the examples](examples/postgresql)) + - **PostgreSQL**: `Database`, `Grant`, `DefaultPrivileges`, `Extension`, `Role` (See [the examples](examples/postgresql)) - **MSSQL**: `Database`, `Grant`, `User` (See [the examples](examples/mssql)) [crossplane]: https://crossplane.io diff --git a/apis/cluster/postgresql/v1alpha1/default_privileges_types.go b/apis/cluster/postgresql/v1alpha1/default_privileges_types.go new file mode 100644 index 00000000..6ca47f48 --- /dev/null +++ b/apis/cluster/postgresql/v1alpha1/default_privileges_types.go @@ -0,0 +1,144 @@ +package v1alpha1 + +import ( + "context" + + xpv1 "github.com/crossplane/crossplane-runtime/apis/common/v1" + "github.com/crossplane/crossplane-runtime/pkg/reference" + "github.com/pkg/errors" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "sigs.k8s.io/controller-runtime/pkg/client" +) + +// +kubebuilder:object:root=true + +// A DefaultPrivileges represents the declarative state of a PostgreSQL DefaultPrivileges. +// +kubebuilder:subresource:status +// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" +// +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" +// +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp" +// +kubebuilder:printcolumn:name="ROLE",type="string",JSONPath=".spec.forProvider.role" +// +kubebuilder:printcolumn:name="TARGET_ROLE",type="string",JSONPath=".spec.forProvider.targetRole" +// +kubebuilder:printcolumn:name="SCHEMA",type="string",JSONPath=".spec.forProvider.schema" +// +kubebuilder:printcolumn:name="DATABASE",type="string",JSONPath=".spec.forProvider.database" +// +kubebuilder:printcolumn:name="PRIVILEGES",type="string",JSONPath=".spec.forProvider.privileges" +// +kubebuilder:resource:scope=Cluster,categories={crossplane,managed,sql} +type DefaultPrivileges struct { + metav1.TypeMeta `json:",inline"` + metav1.ObjectMeta `json:"metadata,omitempty"` + + Spec DefaultPrivilegesSpec `json:"spec"` + Status DefaultPrivilegesStatus `json:"status,omitempty"` +} + +// A DefaultPrivilegesSpec defines the desired state of a Default Grant. +type DefaultPrivilegesSpec struct { + xpv1.ResourceSpec `json:",inline"` + ForProvider DefaultPrivilegesParameters `json:"forProvider"` +} + +// A DefaultPrivilegesStatus represents the observed state of a Grant. +type DefaultPrivilegesStatus struct { + xpv1.ResourceStatus `json:",inline"` +} + +// DefaultPrivilegesParameters defines the desired state of a Default Grant. +type DefaultPrivilegesParameters struct { + // Privileges to be granted. + // See https://www.postgresql.org/docs/current/sql-grant.html for available privileges. + // +optional + Privileges GrantPrivileges `json:"privileges,omitempty"` + + // TargetRole is the role who owns objects on which the default privileges are granted. + // See https://www.postgresql.org/docs/current/sql-alterdefaultprivileges.html + // +required + TargetRole *string `json:"targetRole"` + + // ObjectType to which the privileges are granted. + // +kubebuilder:validation:Enum=table;sequence;function;schema;type + // +required + ObjectType *string `json:"objectType,omitempty"` + + // WithOption allows an option to be set on the grant. + // See https://www.postgresql.org/docs/current/sql-grant.html for available + // options for each grant type, and the effects of applying the option. + // +kubebuilder:validation:Enum=ADMIN;GRANT + // +optional + WithOption *GrantOption `json:"withOption,omitempty"` + + // Role to which default privileges are granted + // +optional + Role *string `json:"role,omitempty"` + + // RoleRef to which default privileges are granted. + // +immutable + // +optional + RoleRef *xpv1.Reference `json:"roleRef,omitempty"` + + // RoleSelector selects a reference to a Role this default grant is for. + // +immutable + // +optional + RoleSelector *xpv1.Selector `json:"roleSelector,omitempty"` + + // Database in which the default privileges are applied + // +optional + Database *string `json:"database,omitempty"` + + // DatabaseRef references the database object this default grant it for. + // +immutable + // +optional + DatabaseRef *xpv1.Reference `json:"databaseRef,omitempty"` + + // DatabaseSelector selects a reference to a Database this grant is for. + // +immutable + // +optional + DatabaseSelector *xpv1.Selector `json:"databaseSelector,omitempty"` + + // Schema in which the default privileges are applied + // +required + Schema *string `json:"schema,omitempty"` +} + +// +kubebuilder:object:root=true + +// DefaultPrivilegesList contains a list of DefaultPrivileges. +type DefaultPrivilegesList struct { + metav1.TypeMeta `json:",inline"` + metav1.ListMeta `json:"metadata,omitempty"` + Items []DefaultPrivileges `json:"items"` +} + +// ResolveReferences of this DefaultPrivileges. +func (mg *DefaultPrivileges) ResolveReferences(ctx context.Context, c client.Reader) error { + r := reference.NewAPIResolver(c, mg) + + // // Resolve spec.forProvider.database + // rsp, err := r.Resolve(ctx, reference.ResolutionRequest{ + // CurrentValue: reference.FromPtrValue(mg.Spec.ForProvider.Database), + // Reference: mg.Spec.ForProvider.DatabaseRef, + // Selector: mg.Spec.ForProvider.DatabaseSelector, + // To: reference.To{Managed: &Database{}, List: &DatabaseList{}}, + // Extract: reference.ExternalName(), + // }) + // if err != nil { + // return errors.Wrap(err, "spec.forProvider.database") + // } + // mg.Spec.ForProvider.Database = reference.ToPtrValue(rsp.ResolvedValue) + // mg.Spec.ForProvider.DatabaseRef = rsp.ResolvedReference + + // Resolve spec.forProvider.role + rsp, err := r.Resolve(ctx, reference.ResolutionRequest{ + CurrentValue: reference.FromPtrValue(mg.Spec.ForProvider.Role), + Reference: mg.Spec.ForProvider.RoleRef, + Selector: mg.Spec.ForProvider.RoleSelector, + To: reference.To{Managed: &Role{}, List: &RoleList{}}, + Extract: reference.ExternalName(), + }) + if err != nil { + return errors.Wrap(err, "spec.forProvider.role") + } + mg.Spec.ForProvider.Role = reference.ToPtrValue(rsp.ResolvedValue) + mg.Spec.ForProvider.RoleRef = rsp.ResolvedReference + + return nil +} diff --git a/apis/cluster/postgresql/v1alpha1/register.go b/apis/cluster/postgresql/v1alpha1/register.go index 536b8882..453da293 100644 --- a/apis/cluster/postgresql/v1alpha1/register.go +++ b/apis/cluster/postgresql/v1alpha1/register.go @@ -90,6 +90,14 @@ var ( GrantGroupVersionKind = SchemeGroupVersion.WithKind(GrantKind) ) +// DefaultPrivileges type metadata. +var ( + DefaultPrivilegesKind = reflect.TypeOf(DefaultPrivileges{}).Name() + DefaultPrivilegesGroupKind = schema.GroupKind{Group: Group, Kind: DefaultPrivilegesKind}.String() + DefaultPrivilegesKindAPIVersion = DefaultPrivilegesKind + "." + SchemeGroupVersion.String() + DefaultPrivilegesGroupVersionKind = SchemeGroupVersion.WithKind(DefaultPrivilegesKind) +) + // Schema type metadata. var ( SchemaKind = reflect.TypeOf(Schema{}).Name() @@ -106,4 +114,5 @@ func init() { SchemeBuilder.Register(&Grant{}, &GrantList{}) SchemeBuilder.Register(&Extension{}, &ExtensionList{}) SchemeBuilder.Register(&Schema{}, &SchemaList{}) + SchemeBuilder.Register(&DefaultPrivileges{}, &DefaultPrivilegesList{}) } diff --git a/apis/cluster/postgresql/v1alpha1/zz_generated.deepcopy.go b/apis/cluster/postgresql/v1alpha1/zz_generated.deepcopy.go index b483b745..5b9bf332 100644 --- a/apis/cluster/postgresql/v1alpha1/zz_generated.deepcopy.go +++ b/apis/cluster/postgresql/v1alpha1/zz_generated.deepcopy.go @@ -165,6 +165,168 @@ func (in *DatabaseStatus) DeepCopy() *DatabaseStatus { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *DefaultPrivileges) DeepCopyInto(out *DefaultPrivileges) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) + in.Spec.DeepCopyInto(&out.Spec) + in.Status.DeepCopyInto(&out.Status) +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DefaultPrivileges. +func (in *DefaultPrivileges) DeepCopy() *DefaultPrivileges { + if in == nil { + return nil + } + out := new(DefaultPrivileges) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *DefaultPrivileges) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *DefaultPrivilegesList) DeepCopyInto(out *DefaultPrivilegesList) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ListMeta.DeepCopyInto(&out.ListMeta) + if in.Items != nil { + in, out := &in.Items, &out.Items + *out = make([]DefaultPrivileges, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DefaultPrivilegesList. +func (in *DefaultPrivilegesList) DeepCopy() *DefaultPrivilegesList { + if in == nil { + return nil + } + out := new(DefaultPrivilegesList) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *DefaultPrivilegesList) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *DefaultPrivilegesParameters) DeepCopyInto(out *DefaultPrivilegesParameters) { + *out = *in + if in.Privileges != nil { + in, out := &in.Privileges, &out.Privileges + *out = make(GrantPrivileges, len(*in)) + copy(*out, *in) + } + if in.TargetRole != nil { + in, out := &in.TargetRole, &out.TargetRole + *out = new(string) + **out = **in + } + if in.ObjectType != nil { + in, out := &in.ObjectType, &out.ObjectType + *out = new(string) + **out = **in + } + if in.WithOption != nil { + in, out := &in.WithOption, &out.WithOption + *out = new(GrantOption) + **out = **in + } + if in.Role != nil { + in, out := &in.Role, &out.Role + *out = new(string) + **out = **in + } + if in.RoleRef != nil { + in, out := &in.RoleRef, &out.RoleRef + *out = new(v1.Reference) + (*in).DeepCopyInto(*out) + } + if in.RoleSelector != nil { + in, out := &in.RoleSelector, &out.RoleSelector + *out = new(v1.Selector) + (*in).DeepCopyInto(*out) + } + if in.Database != nil { + in, out := &in.Database, &out.Database + *out = new(string) + **out = **in + } + if in.DatabaseRef != nil { + in, out := &in.DatabaseRef, &out.DatabaseRef + *out = new(v1.Reference) + (*in).DeepCopyInto(*out) + } + if in.DatabaseSelector != nil { + in, out := &in.DatabaseSelector, &out.DatabaseSelector + *out = new(v1.Selector) + (*in).DeepCopyInto(*out) + } + if in.Schema != nil { + in, out := &in.Schema, &out.Schema + *out = new(string) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DefaultPrivilegesParameters. +func (in *DefaultPrivilegesParameters) DeepCopy() *DefaultPrivilegesParameters { + if in == nil { + return nil + } + out := new(DefaultPrivilegesParameters) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *DefaultPrivilegesSpec) DeepCopyInto(out *DefaultPrivilegesSpec) { + *out = *in + in.ResourceSpec.DeepCopyInto(&out.ResourceSpec) + in.ForProvider.DeepCopyInto(&out.ForProvider) +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DefaultPrivilegesSpec. +func (in *DefaultPrivilegesSpec) DeepCopy() *DefaultPrivilegesSpec { + if in == nil { + return nil + } + out := new(DefaultPrivilegesSpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *DefaultPrivilegesStatus) DeepCopyInto(out *DefaultPrivilegesStatus) { + *out = *in + in.ResourceStatus.DeepCopyInto(&out.ResourceStatus) +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DefaultPrivilegesStatus. +func (in *DefaultPrivilegesStatus) DeepCopy() *DefaultPrivilegesStatus { + if in == nil { + return nil + } + out := new(DefaultPrivilegesStatus) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *Extension) DeepCopyInto(out *Extension) { *out = *in diff --git a/apis/cluster/postgresql/v1alpha1/zz_generated.managed.go b/apis/cluster/postgresql/v1alpha1/zz_generated.managed.go index 6d5f5f99..7c2d24f1 100644 --- a/apis/cluster/postgresql/v1alpha1/zz_generated.managed.go +++ b/apis/cluster/postgresql/v1alpha1/zz_generated.managed.go @@ -58,6 +58,66 @@ func (mg *Database) SetWriteConnectionSecretToReference(r *xpv1.SecretReference) mg.Spec.WriteConnectionSecretToReference = r } +// GetCondition of this DefaultPrivileges. +func (mg *DefaultPrivileges) GetCondition(ct xpv1.ConditionType) xpv1.Condition { + return mg.Status.GetCondition(ct) +} + +// GetDeletionPolicy of this DefaultPrivileges. +func (mg *DefaultPrivileges) GetDeletionPolicy() xpv1.DeletionPolicy { + return mg.Spec.DeletionPolicy +} + +// GetManagementPolicies of this DefaultPrivileges. +func (mg *DefaultPrivileges) GetManagementPolicies() xpv1.ManagementPolicies { + return mg.Spec.ManagementPolicies +} + +// GetProviderConfigReference of this DefaultPrivileges. +func (mg *DefaultPrivileges) GetProviderConfigReference() *xpv1.Reference { + return mg.Spec.ProviderConfigReference +} + +// GetPublishConnectionDetailsTo of this DefaultPrivileges. +func (mg *DefaultPrivileges) GetPublishConnectionDetailsTo() *xpv1.PublishConnectionDetailsTo { + return mg.Spec.PublishConnectionDetailsTo +} + +// GetWriteConnectionSecretToReference of this DefaultPrivileges. +func (mg *DefaultPrivileges) GetWriteConnectionSecretToReference() *xpv1.SecretReference { + return mg.Spec.WriteConnectionSecretToReference +} + +// SetConditions of this DefaultPrivileges. +func (mg *DefaultPrivileges) SetConditions(c ...xpv1.Condition) { + mg.Status.SetConditions(c...) +} + +// SetDeletionPolicy of this DefaultPrivileges. +func (mg *DefaultPrivileges) SetDeletionPolicy(r xpv1.DeletionPolicy) { + mg.Spec.DeletionPolicy = r +} + +// SetManagementPolicies of this DefaultPrivileges. +func (mg *DefaultPrivileges) SetManagementPolicies(r xpv1.ManagementPolicies) { + mg.Spec.ManagementPolicies = r +} + +// SetProviderConfigReference of this DefaultPrivileges. +func (mg *DefaultPrivileges) SetProviderConfigReference(r *xpv1.Reference) { + mg.Spec.ProviderConfigReference = r +} + +// SetPublishConnectionDetailsTo of this DefaultPrivileges. +func (mg *DefaultPrivileges) SetPublishConnectionDetailsTo(r *xpv1.PublishConnectionDetailsTo) { + mg.Spec.PublishConnectionDetailsTo = r +} + +// SetWriteConnectionSecretToReference of this DefaultPrivileges. +func (mg *DefaultPrivileges) SetWriteConnectionSecretToReference(r *xpv1.SecretReference) { + mg.Spec.WriteConnectionSecretToReference = r +} + // GetCondition of this Extension. func (mg *Extension) GetCondition(ct xpv1.ConditionType) xpv1.Condition { return mg.Status.GetCondition(ct) diff --git a/apis/cluster/postgresql/v1alpha1/zz_generated.managedlist.go b/apis/cluster/postgresql/v1alpha1/zz_generated.managedlist.go index d6d2f04d..1f0def26 100644 --- a/apis/cluster/postgresql/v1alpha1/zz_generated.managedlist.go +++ b/apis/cluster/postgresql/v1alpha1/zz_generated.managedlist.go @@ -17,6 +17,15 @@ func (l *DatabaseList) GetItems() []resource.Managed { return items } +// GetItems of this DefaultPrivilegesList. +func (l *DefaultPrivilegesList) GetItems() []resource.Managed { + items := make([]resource.Managed, len(l.Items)) + for i := range l.Items { + items[i] = &l.Items[i] + } + return items +} + // GetItems of this ExtensionList. func (l *ExtensionList) GetItems() []resource.Managed { items := make([]resource.Managed, len(l.Items)) diff --git a/build b/build index 92457ef1..3b994632 160000 --- a/build +++ b/build @@ -1 +1 @@ -Subproject commit 92457ef1c0feb75cd235bdb90244e340d0796b7f +Subproject commit 3b99463225581259ce39c7d7a45290be12515abb diff --git a/examples/cluster/postgresql/defaultprivileges.yaml b/examples/cluster/postgresql/defaultprivileges.yaml new file mode 100644 index 00000000..c9135d31 --- /dev/null +++ b/examples/cluster/postgresql/defaultprivileges.yaml @@ -0,0 +1,16 @@ +apiVersion: postgresql.sql.crossplane.io/v1alpha1 +kind: DefaultPrivileges +metadata: + name: default-grant-role-1-on-database +spec: + forProvider: + privileges: + - SELECT + roleRef: + name: reader-role + targetRoleRef: + name: example-role + schemaRef: + name: example + databaseRef: + name: example diff --git a/package/crds/postgresql.sql.crossplane.io_defaultprivileges.yaml b/package/crds/postgresql.sql.crossplane.io_defaultprivileges.yaml new file mode 100644 index 00000000..e8037dc7 --- /dev/null +++ b/package/crds/postgresql.sql.crossplane.io_defaultprivileges.yaml @@ -0,0 +1,518 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.14.0 + name: defaultprivileges.postgresql.sql.crossplane.io +spec: + group: postgresql.sql.crossplane.io + names: + categories: + - crossplane + - managed + - sql + kind: DefaultPrivileges + listKind: DefaultPrivilegesList + plural: defaultprivileges + singular: defaultprivileges + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .status.conditions[?(@.type=='Ready')].status + name: READY + type: string + - jsonPath: .status.conditions[?(@.type=='Synced')].status + name: SYNCED + type: string + - jsonPath: .metadata.creationTimestamp + name: AGE + type: date + - jsonPath: .spec.forProvider.role + name: ROLE + type: string + - jsonPath: .spec.forProvider.targetRole + name: TARGET_ROLE + type: string + - jsonPath: .spec.forProvider.schema + name: SCHEMA + type: string + - jsonPath: .spec.forProvider.database + name: DATABASE + type: string + - jsonPath: .spec.forProvider.privileges + name: PRIVILEGES + type: string + name: v1alpha1 + schema: + openAPIV3Schema: + description: A DefaultPrivileges represents the declarative state of a PostgreSQL + DefaultPrivileges. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: A DefaultPrivilegesSpec defines the desired state of a Default + Grant. + properties: + deletionPolicy: + default: Delete + description: |- + DeletionPolicy specifies what will happen to the underlying external + when this managed resource is deleted - either "Delete" or "Orphan" the + external resource. + This field is planned to be deprecated in favor of the ManagementPolicies + field in a future release. Currently, both could be set independently and + non-default values would be honored if the feature flag is enabled. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + enum: + - Orphan + - Delete + type: string + forProvider: + description: DefaultPrivilegesParameters defines the desired state + of a Default Grant. + properties: + database: + description: Database in which the default privileges are applied + type: string + databaseRef: + description: DatabaseRef references the database object this default + grant it for. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + databaseSelector: + description: DatabaseSelector selects a reference to a Database + this grant is for. + properties: + matchControllerRef: + description: |- + MatchControllerRef ensures an object with the same controller reference + as the selecting object is selected. + type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. + type: object + policy: + description: Policies for selection. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + type: object + objectType: + description: ObjectType to which the privileges are granted. + enum: + - table + - sequence + - function + - schema + - type + type: string + privileges: + description: |- + Privileges to be granted. + See https://www.postgresql.org/docs/current/sql-grant.html for available privileges. + items: + description: GrantPrivilege represents a privilege to be granted + pattern: ^[A-Z]+$ + type: string + minItems: 1 + type: array + role: + description: Role to which default privileges are granted + type: string + roleRef: + description: RoleRef to which default privileges are granted. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + roleSelector: + description: RoleSelector selects a reference to a Role this default + grant is for. + properties: + matchControllerRef: + description: |- + MatchControllerRef ensures an object with the same controller reference + as the selecting object is selected. + type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. + type: object + policy: + description: Policies for selection. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + type: object + schema: + description: Schema in which the default privileges are applied + type: string + targetRole: + description: |- + TargetRole is the role who owns objects on which the default privileges are granted. + See https://www.postgresql.org/docs/current/sql-alterdefaultprivileges.html + type: string + withOption: + description: |- + WithOption allows an option to be set on the grant. + See https://www.postgresql.org/docs/current/sql-grant.html for available + options for each grant type, and the effects of applying the option. + enum: + - ADMIN + - GRANT + type: string + required: + - targetRole + type: object + managementPolicies: + default: + - '*' + description: |- + THIS IS A BETA FIELD. It is on by default but can be opted out + through a Crossplane feature flag. + ManagementPolicies specify the array of actions Crossplane is allowed to + take on the managed and external resources. + This field is planned to replace the DeletionPolicy field in a future + release. Currently, both could be set independently and non-default + values would be honored if the feature flag is enabled. If both are + custom, the DeletionPolicy field will be ignored. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md + items: + description: |- + A ManagementAction represents an action that the Crossplane controllers + can take on an external resource. + enum: + - Observe + - Create + - Update + - Delete + - LateInitialize + - '*' + type: string + type: array + providerConfigRef: + default: + name: default + description: |- + ProviderConfigReference specifies how the provider that will be used to + create, observe, update, and delete this managed resource should be + configured. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + publishConnectionDetailsTo: + description: |- + PublishConnectionDetailsTo specifies the connection secret config which + contains a name, metadata and a reference to secret store config to + which any connection details for this managed resource should be written. + Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. + properties: + configRef: + default: + name: default + description: |- + SecretStoreConfigRef specifies which secret store config should be used + for this ConnectionSecret. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + metadata: + description: Metadata is the metadata for connection secret. + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations are the annotations to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.annotations". + - It is up to Secret Store implementation for others store types. + type: object + labels: + additionalProperties: + type: string + description: |- + Labels are the labels/tags to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.labels". + - It is up to Secret Store implementation for others store types. + type: object + type: + description: |- + Type is the SecretType for the connection secret. + - Only valid for Kubernetes Secret Stores. + type: string + type: object + name: + description: Name is the name of the connection secret. + type: string + required: + - name + type: object + writeConnectionSecretToRef: + description: |- + WriteConnectionSecretToReference specifies the namespace and name of a + Secret to which any connection details for this managed resource should + be written. Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. + This field is planned to be replaced in a future release in favor of + PublishConnectionDetailsTo. Currently, both could be set independently + and connection details would be published to both without affecting + each other. + properties: + name: + description: Name of the secret. + type: string + namespace: + description: Namespace of the secret. + type: string + required: + - name + - namespace + type: object + required: + - forProvider + type: object + status: + description: A DefaultPrivilegesStatus represents the observed state of + a Grant. + properties: + conditions: + description: Conditions of the resource. + items: + description: A Condition that may apply to a resource. + properties: + lastTransitionTime: + description: |- + LastTransitionTime is the last time this condition transitioned from one + status to another. + format: date-time + type: string + message: + description: |- + A Message containing details about this condition's last transition from + one status to another, if any. + type: string + observedGeneration: + description: |- + ObservedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + type: integer + reason: + description: A Reason for this condition's last transition from + one status to another. + type: string + status: + description: Status of this condition; is it currently True, + False, or Unknown? + type: string + type: + description: |- + Type of this condition. At most one of each condition type may apply to + a resource at any point in time. + type: string + required: + - lastTransitionTime + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + observedGeneration: + description: |- + ObservedGeneration is the latest metadata.generation + which resulted in either a ready state, or stalled due to error + it can not recover from without human intervention. + format: int64 + type: integer + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} diff --git a/package/crossplane.yaml b/package/crossplane.yaml index c146ae27..09c0fd9a 100644 --- a/package/crossplane.yaml +++ b/package/crossplane.yaml @@ -29,3 +29,4 @@ metadata: friendly-kind-name.meta.crossplane.io/grant.postgresql.sql.crossplane.io: Grant friendly-kind-name.meta.crossplane.io/role.postgresql.sql.crossplane.io: Role friendly-kind-name.meta.crossplane.io/user.mysql.sql.crossplane.io: User + friendly-kind-name.meta.crossplane.io/defaultprivileges.postgresql.sql.crossplane.io: DefaultPrivileges diff --git a/pkg/clients/postgresql/postgresql.go b/pkg/clients/postgresql/postgresql.go index a55d6ae2..53e12744 100644 --- a/pkg/clients/postgresql/postgresql.go +++ b/pkg/clients/postgresql/postgresql.go @@ -77,11 +77,12 @@ func (c postgresDB) ExecTx(ctx context.Context, ql []xsql.Query) error { // sure the connection is always closed. defer func() { defer d.Close() //nolint:errcheck - if err != nil { - tx.Rollback() //nolint:errcheck - return + // We always rollback, it's a no-op if the tx was already committed. + defer tx.Rollback() //nolint:errcheck + + if err == nil { + err = tx.Commit() } - err = tx.Commit() }() for _, q := range ql { diff --git a/pkg/controller/cluster/postgresql/postgresql.go b/pkg/controller/cluster/postgresql/postgresql.go index 46a41f74..ac20a550 100644 --- a/pkg/controller/cluster/postgresql/postgresql.go +++ b/pkg/controller/cluster/postgresql/postgresql.go @@ -21,12 +21,13 @@ import ( "github.com/crossplane/crossplane-runtime/v2/pkg/controller" - "github.com/crossplane-contrib/provider-sql/pkg/controller/cluster/postgresql/config" - "github.com/crossplane-contrib/provider-sql/pkg/controller/cluster/postgresql/database" - "github.com/crossplane-contrib/provider-sql/pkg/controller/cluster/postgresql/extension" - "github.com/crossplane-contrib/provider-sql/pkg/controller/cluster/postgresql/grant" - "github.com/crossplane-contrib/provider-sql/pkg/controller/cluster/postgresql/role" - "github.com/crossplane-contrib/provider-sql/pkg/controller/cluster/postgresql/schema" + "github.com/crossplane-contrib/provider-sql/pkg/controller/postgresql/config" + "github.com/crossplane-contrib/provider-sql/pkg/controller/postgresql/database" + "github.com/crossplane-contrib/provider-sql/pkg/controller/postgresql/default_privileges" + "github.com/crossplane-contrib/provider-sql/pkg/controller/postgresql/extension" + "github.com/crossplane-contrib/provider-sql/pkg/controller/postgresql/grant" + "github.com/crossplane-contrib/provider-sql/pkg/controller/postgresql/role" + "github.com/crossplane-contrib/provider-sql/pkg/controller/postgresql/schema" ) // Setup creates all PostgreSQL controllers with the supplied logger and adds @@ -39,6 +40,7 @@ func Setup(mgr ctrl.Manager, o controller.Options) error { grant.Setup, extension.Setup, schema.Setup, + default_privileges.Setup, } { if err := setup(mgr, o); err != nil { return err diff --git a/pkg/controller/postgresql/default_privileges/reconciler.go b/pkg/controller/postgresql/default_privileges/reconciler.go new file mode 100644 index 00000000..be7007ac --- /dev/null +++ b/pkg/controller/postgresql/default_privileges/reconciler.go @@ -0,0 +1,332 @@ +/* +Copyright 2020 The Crossplane Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package default_privileges + +import ( + "context" + "fmt" + "sort" + "strings" + + "github.com/lib/pq" + "github.com/pkg/errors" + corev1 "k8s.io/api/core/v1" + "k8s.io/apimachinery/pkg/types" + ctrl "sigs.k8s.io/controller-runtime" + "sigs.k8s.io/controller-runtime/pkg/client" + "sigs.k8s.io/controller-runtime/pkg/controller" + + xpv1 "github.com/crossplane/crossplane-runtime/apis/common/v1" + xpcontroller "github.com/crossplane/crossplane-runtime/pkg/controller" + "github.com/crossplane/crossplane-runtime/pkg/event" + "github.com/crossplane/crossplane-runtime/pkg/reconciler/managed" + "github.com/crossplane/crossplane-runtime/pkg/resource" + + "github.com/crossplane-contrib/provider-sql/apis/postgresql/v1alpha1" + "github.com/crossplane-contrib/provider-sql/pkg/clients" + "github.com/crossplane-contrib/provider-sql/pkg/clients/postgresql" + "github.com/crossplane-contrib/provider-sql/pkg/clients/xsql" +) + +const ( + errTrackPCUsage = "cannot track ProviderConfig usage" + errGetPC = "cannot get ProviderConfig" + errNoSecretRef = "ProviderConfig does not reference a credentials Secret" + errGetSecret = "cannot get credentials Secret" + + errNotDefaultPrivileges = "managed resource is not a Grant custom resource" + errSelectDefaultPrivileges = "cannot select default privileges" + errCreateDefaultPrivileges = "cannot create default privileges" + errRevokeDefaultPrivileges = "cannot revoke default privileges" + errNoRole = "role not passed or could not be resolved" + errNoTargetRole = "target role not passed or could not be resolved" + errNoObjectType = "object type not passed" + errNoDatabase = "database not passed or could not be resolved" + errNoPrivileges = "privileges not passed" + errUnknownGrant = "cannot identify grant type based on passed params" + + maxConcurrency = 5 +) + +// Setup adds a controller that reconciles Grant managed resources. +func Setup(mgr ctrl.Manager, o xpcontroller.Options) error { + name := managed.ControllerName(v1alpha1.DefaultPrivilegesGroupKind) + + t := resource.NewProviderConfigUsageTracker(mgr.GetClient(), &v1alpha1.ProviderConfigUsage{}) + r := managed.NewReconciler(mgr, + resource.ManagedKind(v1alpha1.DefaultPrivilegesGroupVersionKind), + managed.WithExternalConnecter(&connector{kube: mgr.GetClient(), usage: t, newDB: postgresql.New}), + managed.WithLogger(o.Logger.WithValues("controller", name)), + managed.WithPollInterval(o.PollInterval), + managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name)))) + + return ctrl.NewControllerManagedBy(mgr). + Named(name). + For(&v1alpha1.DefaultPrivileges{}). + WithOptions(controller.Options{ + MaxConcurrentReconciles: maxConcurrency, + }). + Complete(r) +} + +type connector struct { + kube client.Client + usage resource.Tracker + newDB func(creds map[string][]byte, database string, sslmode string) xsql.DB +} + +func (c *connector) Connect(ctx context.Context, mg resource.Managed) (managed.ExternalClient, error) { + cr, ok := mg.(*v1alpha1.DefaultPrivileges) + if !ok { + return nil, errors.New(errNotDefaultPrivileges) + } + + if err := c.usage.Track(ctx, mg); err != nil { + return nil, errors.Wrap(err, errTrackPCUsage) + } + + // ProviderConfigReference could theoretically be nil, but in practice the + // DefaultProviderConfig initializer will set it before we get here. + pc := &v1alpha1.ProviderConfig{} + if err := c.kube.Get(ctx, types.NamespacedName{Name: cr.GetProviderConfigReference().Name}, pc); err != nil { + return nil, errors.Wrap(err, errGetPC) + } + + // We don't need to check the credentials source because we currently only + // support one source (PostgreSQLConnectionSecret), which is required and + // enforced by the ProviderConfig schema. + ref := pc.Spec.Credentials.ConnectionSecretRef + if ref == nil { + return nil, errors.New(errNoSecretRef) + } + + s := &corev1.Secret{} + if err := c.kube.Get(ctx, types.NamespacedName{Namespace: ref.Namespace, Name: ref.Name}, s); err != nil { + return nil, errors.Wrap(err, errGetSecret) + } + return &external{ + db: c.newDB(s.Data, pc.Spec.DefaultDatabase, clients.ToString(pc.Spec.SSLMode)), + kube: c.kube, + }, nil +} + +type external struct { + db xsql.DB + kube client.Client +} + +var ( + objectTypes = map[string]string{ + "table": "r", + "sequence": "S", + "function": "f", + "type": "T", + "schema": "n", + } +) + +func selectDefaultPrivilegesQuery(gp v1alpha1.DefaultPrivilegesParameters, q *xsql.Query) { + sqlString := ` + select distinct(default_acl.privilege_type) + from pg_roles r + join (SELECT defaclnamespace, (aclexplode(defaclacl)).* FROM pg_default_acl + WHERE defaclobjtype = $1) default_acl + on r.oid = default_acl.grantee + where r.rolname = $2; + ` + q.String = sqlString + q.Parameters = []interface{}{ + objectTypes[*gp.ObjectType], + *gp.Role, + } + +} + +func withOption(option *v1alpha1.GrantOption) string { + if option != nil { + return fmt.Sprintf("WITH %s OPTION", string(*option)) + } + return "" +} + +func inSchema(params *v1alpha1.DefaultPrivilegesParameters) string { + if params.Schema != nil { + return fmt.Sprintf("IN SCHEMA %s", pq.QuoteIdentifier(*params.Schema)) + } + return "" +} + +func createDefaultPrivilegesQuery(gp v1alpha1.DefaultPrivilegesParameters, q *xsql.Query) { + + roleName := pq.QuoteIdentifier(*gp.Role) + + targetRoleName := pq.QuoteIdentifier(*gp.TargetRole) + + query := strings.TrimSpace(fmt.Sprintf( + "ALTER DEFAULT PRIVILEGES FOR ROLE %s %s GRANT %s ON %sS TO %s %s", + targetRoleName, + inSchema(&gp), + strings.Join(gp.Privileges.ToStringSlice(), ","), + *gp.ObjectType, + roleName, + withOption(gp.WithOption), + )) + + q.String = query +} + +func deleteDefaultPrivilegesQuery(gp v1alpha1.DefaultPrivilegesParameters, q *xsql.Query) { + roleName := pq.QuoteIdentifier(*gp.Role) + targetRoleName := pq.QuoteIdentifier(*gp.TargetRole) + objectType := objectTypes[*gp.ObjectType] + + query := strings.TrimSpace(fmt.Sprintf( + "ALTER DEFAULT PRIVILEGES FOR ROLE %s %s REVOKE ALL ON %s TO %s %s", + targetRoleName, + inSchema(&gp), + objectType, + roleName, + withOption(gp.WithOption), + )) + + q.String = query + +} + +func matchingGrants(currentGrants []string, specGrants []string) bool { + if len(currentGrants) != len(specGrants) { + return false + } + + sort.Strings(currentGrants) + sort.Strings(specGrants) + + for i, g := range currentGrants { + if g != specGrants[i] { + return false + } + } + + return true +} +func (c *external) Observe(ctx context.Context, mg resource.Managed) (managed.ExternalObservation, error) { //nolint:gocyclo + cr, ok := mg.(*v1alpha1.DefaultPrivileges) + if !ok { + return managed.ExternalObservation{}, errors.New(errNotDefaultPrivileges) + } + + if cr.Spec.ForProvider.Role == nil { + return managed.ExternalObservation{}, errors.New(errNoRole) + } + + if cr.Spec.ForProvider.TargetRole == nil { + return managed.ExternalObservation{}, errors.New(errNoTargetRole) + } + + if cr.Spec.ForProvider.ObjectType == nil { + return managed.ExternalObservation{}, errors.New(errNoObjectType) + } + + gp := cr.Spec.ForProvider + var query xsql.Query + selectDefaultPrivilegesQuery(gp, &query) + + var defaultPrivileges []string + + rows, err := c.db.Query(ctx, query) + if xsql.IsNoRows(err) { + return managed.ExternalObservation{ResourceExists: false}, nil + } + + if err != nil { + return managed.ExternalObservation{}, errors.Wrap(err, errSelectDefaultPrivileges) + } + defer rows.Close() //nolint:errcheck + for rows.Next() { + var privilege string + if err := rows.Scan(&privilege); err != nil { + return managed.ExternalObservation{}, errors.Wrap(err, errSelectDefaultPrivileges) + } + defaultPrivileges = append(defaultPrivileges, privilege) + } + + // Check for any errors encountered during iteration + if err := rows.Err(); err != nil { + return managed.ExternalObservation{}, errors.Wrap(err, errSelectDefaultPrivileges) + } + + // If no default privileges are found, the resource does not exist. + // Maybe this is covered by the xsql.IsNoRows(err) check above? + if len(defaultPrivileges) == 0 { + return managed.ExternalObservation{ResourceExists: false}, nil + } + + cr.SetConditions(xpv1.Available()) + + resourceMatches := matchingGrants(defaultPrivileges, gp.Privileges.ToStringSlice()) + return managed.ExternalObservation{ + ResourceLateInitialized: false, + // check that the list of grants matches the expected grants + // if not, the resource is not up to date. + // Because create first revokes all grants and then grants them again, + // we can assume that if the grants are present, they are up to date. + ResourceExists: resourceMatches, + ResourceUpToDate: resourceMatches, + }, nil +} + +func (c *external) Create(ctx context.Context, mg resource.Managed) (managed.ExternalCreation, error) { + cr, ok := mg.(*v1alpha1.DefaultPrivileges) + if !ok { + return managed.ExternalCreation{}, errors.New(errNotDefaultPrivileges) + } + + cr.SetConditions(xpv1.Creating()) + + var createQuery xsql.Query + createDefaultPrivilegesQuery(cr.Spec.ForProvider, &createQuery) + + var deleteQuery xsql.Query + deleteDefaultPrivilegesQuery(cr.Spec.ForProvider, &deleteQuery) + + err := c.db.ExecTx(ctx, []xsql.Query{ + deleteQuery, createQuery, + }) + + return managed.ExternalCreation{}, errors.Wrap(err, errCreateDefaultPrivileges) +} + +func (c *external) Update( + ctx context.Context, mg resource.Managed) (managed.ExternalUpdate, error) { + // Update is a no-op, as permissions are fully revoked and then granted in the Create function, + // inside a transaction. Same approach as the grant resource. + return managed.ExternalUpdate{}, nil +} + +func (c *external) Delete(ctx context.Context, mg resource.Managed) error { + cr, ok := mg.(*v1alpha1.DefaultPrivileges) + if !ok { + return errors.New(errNotDefaultPrivileges) + } + var query xsql.Query + + cr.SetConditions(xpv1.Deleting()) + + deleteDefaultPrivilegesQuery(cr.Spec.ForProvider, &query) + + return errors.Wrap(c.db.Exec(ctx, query), errRevokeDefaultPrivileges) +} diff --git a/pkg/controller/postgresql/default_privileges/reconciler_test.go b/pkg/controller/postgresql/default_privileges/reconciler_test.go new file mode 100644 index 00000000..fe77abae --- /dev/null +++ b/pkg/controller/postgresql/default_privileges/reconciler_test.go @@ -0,0 +1,591 @@ +/* +Copyright 2020 The Crossplane Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package default_privileges + +import ( + "context" + "database/sql" + "testing" + + "github.com/DATA-DOG/go-sqlmock" + "github.com/crossplane-contrib/provider-sql/apis/postgresql/v1alpha1" + "github.com/google/go-cmp/cmp" + "github.com/google/go-cmp/cmp/cmpopts" + "github.com/pkg/errors" + corev1 "k8s.io/api/core/v1" + "k8s.io/utils/ptr" + "sigs.k8s.io/controller-runtime/pkg/client" + + xpv1 "github.com/crossplane/crossplane-runtime/apis/common/v1" + "github.com/crossplane/crossplane-runtime/pkg/reconciler/managed" + "github.com/crossplane/crossplane-runtime/pkg/resource" + "github.com/crossplane/crossplane-runtime/pkg/test" + + "github.com/crossplane-contrib/provider-sql/pkg/clients/xsql" +) + +type mockDB struct { + MockExec func(ctx context.Context, q xsql.Query) error + MockExecTx func(ctx context.Context, ql []xsql.Query) error + MockScan func(ctx context.Context, q xsql.Query, dest ...interface{}) error + MockQuery func(ctx context.Context, q xsql.Query) (*sql.Rows, error) + MockGetConnectionDetails func(username, password string) managed.ConnectionDetails +} + +func (m mockDB) Exec(ctx context.Context, q xsql.Query) error { + return m.MockExec(ctx, q) +} + +func (m mockDB) ExecTx(ctx context.Context, ql []xsql.Query) error { + return m.MockExecTx(ctx, ql) +} + +func (m mockDB) Scan(ctx context.Context, q xsql.Query, dest ...interface{}) error { + return m.MockScan(ctx, q, dest...) +} + +func (m mockDB) Query(ctx context.Context, q xsql.Query) (*sql.Rows, error) { + return m.MockQuery(ctx, q) +} + +func (m mockDB) GetConnectionDetails(username, password string) managed.ConnectionDetails { + return m.MockGetConnectionDetails(username, password) +} + +func TestConnect(t *testing.T) { + errBoom := errors.New("boom") + + type fields struct { + kube client.Client + usage resource.Tracker + newDB func(creds map[string][]byte, database string, sslmode string) xsql.DB + } + + type args struct { + ctx context.Context + mg resource.Managed + } + + cases := map[string]struct { + reason string + fields fields + args args + want error + }{ + "ErrNotGrant": { + reason: "An error should be returned if the managed resource is not a *DefaultPrivileges", + args: args{ + mg: nil, + }, + want: errors.New(errNotDefaultPrivileges), + }, + "ErrTrackProviderConfigUsage": { + reason: "An error should be returned if we can't track our ProviderConfig usage", + fields: fields{ + usage: resource.TrackerFn(func(ctx context.Context, mg resource.Managed) error { return errBoom }), + }, + args: args{ + mg: &v1alpha1.DefaultPrivileges{}, + }, + want: errors.Wrap(errBoom, errTrackPCUsage), + }, + "ErrGetProviderConfig": { + reason: "An error should be returned if we can't get our ProviderConfig", + fields: fields{ + kube: &test.MockClient{ + MockGet: test.NewMockGetFn(errBoom), + }, + usage: resource.TrackerFn(func(ctx context.Context, mg resource.Managed) error { return nil }), + }, + args: args{ + mg: &v1alpha1.DefaultPrivileges{ + Spec: v1alpha1.DefaultPrivilegesSpec{ + ResourceSpec: xpv1.ResourceSpec{ + ProviderConfigReference: &xpv1.Reference{}, + }, + }, + }, + }, + want: errors.Wrap(errBoom, errGetPC), + }, + "ErrMissingConnectionSecret": { + reason: "An error should be returned if our ProviderConfig doesn't specify a connection secret", + fields: fields{ + kube: &test.MockClient{ + // We call get to populate the Grant struct, then again + // to populate the (empty) ProviderConfig struct, resulting + // in a ProviderConfig with a nil connection secret. + MockGet: test.NewMockGetFn(nil), + }, + usage: resource.TrackerFn(func(ctx context.Context, mg resource.Managed) error { return nil }), + }, + args: args{ + mg: &v1alpha1.DefaultPrivileges{ + Spec: v1alpha1.DefaultPrivilegesSpec{ + ResourceSpec: xpv1.ResourceSpec{ + ProviderConfigReference: &xpv1.Reference{}, + }, + }, + }, + }, + want: errors.New(errNoSecretRef), + }, + "ErrGetConnectionSecret": { + reason: "An error should be returned if we can't get our ProviderConfig's connection secret", + fields: fields{ + kube: &test.MockClient{ + MockGet: test.NewMockGetFn(nil, func(obj client.Object) error { + switch o := obj.(type) { + case *v1alpha1.ProviderConfig: + o.Spec.Credentials.ConnectionSecretRef = &xpv1.SecretReference{} + case *corev1.Secret: + return errBoom + } + return nil + }), + }, + usage: resource.TrackerFn(func(ctx context.Context, mg resource.Managed) error { return nil }), + }, + args: args{ + mg: &v1alpha1.DefaultPrivileges{ + Spec: v1alpha1.DefaultPrivilegesSpec{ + ResourceSpec: xpv1.ResourceSpec{ + ProviderConfigReference: &xpv1.Reference{}, + }, + }, + }, + }, + want: errors.Wrap(errBoom, errGetSecret), + }, + } + + for name, tc := range cases { + t.Run(name, func(t *testing.T) { + e := &connector{kube: tc.fields.kube, usage: tc.fields.usage, newDB: tc.fields.newDB} + _, err := e.Connect(tc.args.ctx, tc.args.mg) + if diff := cmp.Diff(tc.want, err, test.EquateErrors()); diff != "" { + t.Errorf("\n%s\ne.Connect(...): -want error, +got error:\n%s\n", tc.reason, diff) + } + }) + } +} + +func TestObserve(t *testing.T) { + errBoom := errors.New("boom") + // goa := v1alpha1.GrantOptionAdmin + gog := v1alpha1.GrantOptionGrant + + type fields struct { + db xsql.DB + } + + type args struct { + ctx context.Context + mg resource.Managed + } + + type want struct { + o managed.ExternalObservation + err error + } + + cases := map[string]struct { + reason string + fields fields + args args + want want + }{ + "ErrNotGrant": { + reason: "An error should be returned if the managed resource is not a *DefaultPrivileges", + args: args{ + mg: nil, + }, + want: want{ + err: errors.New(errNotDefaultPrivileges), + }, + }, + "SuccessNoGrant": { + reason: "We should return ResourceExists: false when no default grant is found", + fields: fields{ + db: mockDB{ + MockQuery: func(ctx context.Context, q xsql.Query) (*sql.Rows, error) { + return mockRowsToSQLRows(sqlmock.NewRows([]string{})), nil + }, + MockScan: func(ctx context.Context, q xsql.Query, dest ...interface{}) error { + // Default value is empty, so we don't need to do anything here + return nil + }, + }, + }, + args: args{ + mg: &v1alpha1.DefaultPrivileges{ + Spec: v1alpha1.DefaultPrivilegesSpec{ + ForProvider: v1alpha1.DefaultPrivilegesParameters{ + Database: ptr.To("test-example"), + Role: ptr.To("test-example"), + TargetRole: ptr.To("target-role"), + ObjectType: ptr.To("TABLE"), + Privileges: v1alpha1.GrantPrivileges{"ALL"}, + }, + }, + }, + }, + want: want{ + o: managed.ExternalObservation{ResourceExists: false}, + }, + }, + "ErrSelectGrant": { + reason: "We should return any errors encountered while trying to show the default grant", + fields: fields{ + db: mockDB{ + MockQuery: func(ctx context.Context, q xsql.Query) (*sql.Rows, error) { + r := sqlmock.NewRows([]string{"PRIVILEGE"}). + AddRow("UPDATE"). + AddRow("SELECT") + return mockRowsToSQLRows(r), errBoom + }, + MockScan: func(ctx context.Context, q xsql.Query, dest ...interface{}) error { + return errBoom + }, + }, + }, + args: args{ + mg: &v1alpha1.DefaultPrivileges{ + Spec: v1alpha1.DefaultPrivilegesSpec{ + ForProvider: v1alpha1.DefaultPrivilegesParameters{ + Database: ptr.To("test-example"), + Role: ptr.To("test-example"), + TargetRole: ptr.To("target-role"), + ObjectType: ptr.To("TABLE"), + Privileges: v1alpha1.GrantPrivileges{"CONNECT", "TEMPORARY"}, + WithOption: &gog, + }, + }, + }, + }, + want: want{ + err: errors.Wrap(errBoom, errSelectDefaultPrivileges), + }, + }, + "DefaultPrivilegesFound": { + reason: "We should return no error if we can find the right permissions in the default grant", + fields: fields{ + db: mockDB{ + MockQuery: func(ctx context.Context, q xsql.Query) (*sql.Rows, error) { + r := sqlmock.NewRows([]string{"PRIVILEGE"}). + AddRow("UPDATE"). + AddRow("SELECT") + return mockRowsToSQLRows(r), nil + }, + // MockScan: func(ctx context.Context, q xsql.Query, dest ...interface{}) error { + // if len(dest) == 0 { + // runtime.Breakpoint() + // return nil + // } + // // populate the dest slice with the expected values + // // so we can compare them in the test + // *dest[0].(*string) = "SELECT" + // return nil + // }, + }, + }, + args: args{ + mg: &v1alpha1.DefaultPrivileges{ + Spec: v1alpha1.DefaultPrivilegesSpec{ + ForProvider: v1alpha1.DefaultPrivilegesParameters{ + Database: ptr.To("testdb"), + Role: ptr.To("testrole"), + TargetRole: ptr.To("target-role"), + ObjectType: ptr.To("TABLE"), + Privileges: v1alpha1.GrantPrivileges{"SELECT", "UPDATE"}, + WithOption: &gog, + }, + }, + }, + }, + want: want{ + o: managed.ExternalObservation{ + ResourceExists: true, + ResourceUpToDate: true, + }, + err: nil, + }, + }, + } + + for name, tc := range cases { + t.Run(name, func(t *testing.T) { + e := external{db: tc.fields.db} + got, err := e.Observe(tc.args.ctx, tc.args.mg) + if diff := cmp.Diff(tc.want.err, err, test.EquateErrors()); diff != "" { + t.Errorf("\n%s\ne.Observe(...): -want error, +got error:\n%s\n", tc.reason, diff) + } + if diff := cmp.Diff(tc.want.o, got); diff != "" { + t.Errorf("\n%s\ne.Observe(...): -want, +got:\n%s\n", tc.reason, diff) + } + }) + } +} + +func mockRowsToSQLRows(mockRows *sqlmock.Rows) *sql.Rows { + db, mock, _ := sqlmock.New() + mock.ExpectQuery("select").WillReturnRows(mockRows) + rows, err := db.Query("select") + if err != nil { + println("%v", err) + return nil + } + return rows +} + +func TestCreate(t *testing.T) { + errBoom := errors.New("boom") + + type fields struct { + db xsql.DB + } + + type args struct { + ctx context.Context + mg resource.Managed + } + + type want struct { + c managed.ExternalCreation + err error + } + + cases := map[string]struct { + reason string + fields fields + args args + want want + }{ + "ErrNotGrant": { + reason: "An error should be returned if the managed resource is not a *DefaultPrivileges", + args: args{ + mg: nil, + }, + want: want{ + err: errors.New(errNotDefaultPrivileges), + }, + }, + "ErrExec": { + reason: "Any errors encountered while creating the default grant should be returned", + fields: fields{ + db: &mockDB{ + MockExecTx: func(ctx context.Context, ql []xsql.Query) error { return errBoom }, + }, + }, + args: args{ + mg: &v1alpha1.DefaultPrivileges{ + Spec: v1alpha1.DefaultPrivilegesSpec{ + ForProvider: v1alpha1.DefaultPrivilegesParameters{ + Database: ptr.To("test-example"), + Role: ptr.To("test-example"), + TargetRole: ptr.To("target-role"), + ObjectType: ptr.To("TABLE"), + Privileges: v1alpha1.GrantPrivileges{"ALL"}, + }, + }, + }, + }, + want: want{ + err: errors.Wrap(errBoom, errCreateDefaultPrivileges), + }, + }, + "Success": { + reason: "No error should be returned when we successfully create a default grant", + fields: fields{ + db: &mockDB{ + MockExecTx: func(ctx context.Context, ql []xsql.Query) error { + return nil + }, + }, + }, + args: args{ + mg: &v1alpha1.DefaultPrivileges{ + Spec: v1alpha1.DefaultPrivilegesSpec{ + ForProvider: v1alpha1.DefaultPrivilegesParameters{ + Database: ptr.To("test-example"), + Role: ptr.To("test-example"), + TargetRole: ptr.To("target-role"), + Privileges: v1alpha1.GrantPrivileges{"SELECT", "UPDATE"}, + ObjectType: ptr.To("TABLE"), + }, + }, + }, + }, + want: want{ + err: nil, + }, + }, + } + + for name, tc := range cases { + t.Run(name, func(t *testing.T) { + e := external{db: tc.fields.db} + got, err := e.Create(tc.args.ctx, tc.args.mg) + if diff := cmp.Diff(tc.want.err, err, test.EquateErrors()); diff != "" { + t.Errorf("\n%s\ne.Create(...): -want error, +got error:\n%s\n", tc.reason, diff) + } + if diff := cmp.Diff(tc.want.c, got); diff != "" { + t.Errorf("\n%s\ne.Create(...): -want, +got:\n%s\n", tc.reason, diff) + } + }) + } +} + +func TestUpdate(t *testing.T) { + type fields struct { + db xsql.DB + } + + type args struct { + ctx context.Context + mg resource.Managed + } + + type want struct { + c managed.ExternalUpdate + err error + } + + cases := map[string]struct { + reason string + fields fields + args args + want want + }{ + "ErrNoOp": { + reason: "Update is a no-op, make sure we dont throw an error *DefaultPrivileges", + args: args{ + mg: &v1alpha1.DefaultPrivileges{ + Spec: v1alpha1.DefaultPrivilegesSpec{ + ForProvider: v1alpha1.DefaultPrivilegesParameters{ + Database: ptr.To("test-example"), + Role: ptr.To("test-example"), + Privileges: v1alpha1.GrantPrivileges{"ALL"}, + }, + }, + }, + }, + want: want{ + err: nil, + }, + }, + } + + for name, tc := range cases { + t.Run(name, func(t *testing.T) { + e := external{ + db: tc.fields.db, + } + got, err := e.Update(tc.args.ctx, tc.args.mg) + if diff := cmp.Diff(tc.want.err, err, test.EquateErrors()); diff != "" { + t.Errorf("\n%s\ne.Create(...): -want error, +got error:\n%s\n", tc.reason, diff) + } + if diff := cmp.Diff(tc.want.c, got, cmpopts.IgnoreMapEntries(func(key string, _ []byte) bool { return key == "password" })); diff != "" { + t.Errorf("\n%s\ne.Create(...): -want, +got:\n%s\n", tc.reason, diff) + } + }) + } +} + +func TestDelete(t *testing.T) { + errBoom := errors.New("boom") + + type fields struct { + db xsql.DB + } + + type args struct { + ctx context.Context + mg resource.Managed + } + + cases := map[string]struct { + reason string + fields fields + args args + want error + }{ + "ErrNotDefaultPrivileges": { + reason: "An error should be returned if the managed resource is not a *DefaultPrivileges", + args: args{ + mg: nil, + }, + want: errors.New(errNotDefaultPrivileges), + }, + "ErrDropDefaultPrivileges": { + reason: "Errors dropping default privileges should be returned", + fields: fields{ + db: &mockDB{ + MockExec: func(ctx context.Context, q xsql.Query) error { + return errBoom + }, + }, + }, + args: args{ + mg: &v1alpha1.DefaultPrivileges{ + Spec: v1alpha1.DefaultPrivilegesSpec{ + ForProvider: v1alpha1.DefaultPrivilegesParameters{ + Database: ptr.To("test-example"), + Role: ptr.To("test-example"), + Privileges: v1alpha1.GrantPrivileges{"ALL"}, + ObjectType: ptr.To("SEQUENCE"), + TargetRole: ptr.To("target-role"), + }, + }, + }, + }, + want: errors.Wrap(errBoom, errRevokeDefaultPrivileges), + }, + "Success": { + reason: "No error should be returned if the default grant was revoked", + args: args{ + mg: &v1alpha1.DefaultPrivileges{ + Spec: v1alpha1.DefaultPrivilegesSpec{ + ForProvider: v1alpha1.DefaultPrivilegesParameters{ + Database: ptr.To("test-example"), + Role: ptr.To("test-example"), + Privileges: v1alpha1.GrantPrivileges{"ALL"}, + ObjectType: ptr.To("SEQUENCE"), + TargetRole: ptr.To("target-role"), + }, + }, + }, + }, + fields: fields{ + db: &mockDB{ + MockExec: func(ctx context.Context, q xsql.Query) error { return nil }, + }, + }, + want: nil, + }, + } + + for name, tc := range cases { + t.Run(name, func(t *testing.T) { + e := external{db: tc.fields.db} + err := e.Delete(tc.args.ctx, tc.args.mg) + if diff := cmp.Diff(tc.want, err, test.EquateErrors()); diff != "" { + t.Errorf("\n%s\ne.Delete(...): -want error, +got error:\n%s\n", tc.reason, diff) + } + }) + } +}