Check and remove grants and role memberships before removing a role #117

Workflow file for this run

	name: ci
	on: pull_request
	jobs:
	go-lint:
	runs-on: ubuntu-latest
	steps:
	- name: Install Go
	uses: actions/setup-go@v5
	with:
	go-version: 1.23.x
	- name: Checkout code
	uses: actions/checkout@v4
	- name: Run linters
	uses: golangci/golangci-lint-action@v3
	with:
	version: latest
	args: --timeout=10m
	go-test:
	strategy:
	matrix:
	go-version: [1.23.x]
	platform: [ubuntu-latest]
	runs-on: ${{ matrix.platform }}
	steps:
	- name: Install Go
	if: success()
	uses: actions/setup-go@v5
	with:
	go-version: ${{ matrix.go-version }}
	- name: Checkout code
	uses: actions/checkout@v4
	- name: go tests
	run: go test -v -covermode=count -json ./... > test.json
	- name: annotate go tests
	if: always()
	uses: guyarb/[email protected]
	with:
	test-results: test.json
	test:
	runs-on: ubuntu-latest
	services:
	postgres:
	image: postgres:16
	ports:
	- "5432:5432"
	env:
	POSTGRES_PASSWORD: secretpassword
	env:
	BATON_LOG_LEVEL: debug
	BATON_DSN: "postgres://postgres:secretpassword@localhost:5432/postgres"
	CONNECTOR_GRANT: "grant:entitlement:role:3375:member:role:10"
	CONNECTOR_ENTITLEMENT: "entitlement:role:3375:member"
	CONNECTOR_PRINCIPAL: "role:10"
	CONNECTOR_PRINCIPAL_TYPE: "role"
	CONNECTOR_NEW_USER: "testuser"
	steps:
	- name: Install Go
	uses: actions/setup-go@v5
	with:
	go-version: 1.23.x
	- name: Checkout code
	uses: actions/checkout@v4
	- name: Install postgres client
	run: sudo apt install postgresql-client
	# - name: Import sql into postgres
	# env:
	# PGPASSWORD: secretpassword
	# run: psql -h localhost --user postgres -f test/ci.sql
	- name: Install baton
	run: ./scripts/get-baton.sh && mv baton /usr/local/bin
	- name: Build baton-postgresql
	run: go build ./cmd/baton-postgresql
	- name: Run baton-postgresql
	run: ./baton-postgresql

	- name: Grant entitlement
	run: ./baton-postgresql --grant-entitlement "${{ env.CONNECTOR_ENTITLEMENT }}" --grant-principal "${{ env.CONNECTOR_PRINCIPAL }}" --grant-principal-type "${{ env.CONNECTOR_PRINCIPAL_TYPE }}"

	- name: Check grant was granted
	run: ./baton-postgresql && baton grants --entitlement "${{ env.CONNECTOR_ENTITLEMENT }}" --output-format=json \| jq --exit-status ".grants[].principal.id.resource == \"${{ env.CONNECTOR_PRINCIPAL }}\""

	- name: Revoke grant
	run: ./baton-postgresql --revoke-grant "${{ env.CONNECTOR_GRANT }}"

	- name: Check grant was revoked
	run: ./baton-postgresql && baton grants --entitlement "${{ env.CONNECTOR_ENTITLEMENT }}" --output-format=json \| jq --exit-status "if .grants then .grants[]?.principal.id.resource != \"${{ env.CONNECTOR_PRINCIPAL }}\" else . end"

	- name: Grant entitlement
	run: ./baton-postgresql --grant-entitlement "${{ env.CONNECTOR_ENTITLEMENT }}" --grant-principal "${{ env.CONNECTOR_PRINCIPAL }}" --grant-principal-type "${{ env.CONNECTOR_PRINCIPAL_TYPE }}"

	- name: Check grant was re-granted
	run: ./baton-postgresql && baton grants --entitlement "${{ env.CONNECTOR_ENTITLEMENT }}" --output-format=json \| jq --exit-status ".grants[].principal.id.resource == \"${{ env.CONNECTOR_PRINCIPAL }}\""

	- name: Create user
	run: ./baton-postgresql --create-account-login "${{ env.CONNECTOR_NEW_USER }}"

	- name: Check user was created
	run: ./baton-postgresql && baton resources -o json \| jq -e --arg login "${{ env.CONNECTOR_NEW_USER }}" 'any(.resources[].resource.annotations[]?;.["@type"]=="type.googleapis.com/c1.connector.v2.UserTrait" and .login==$login)'

	- name: Fetch user id
	shell: bash
	run: \|
	set -eub pipefail
	NEW_USER_ID=$(baton resources -t role -o json \| jq -r --arg login "${{ env.CONNECTOR_NEW_USER }}" '.resources[].resource \| select(any(.annotations[]?; .["@type"]=="type.googleapis.com/c1.connector.v2.UserTrait" and .login==$login)) \| .id.resource')
	echo "NEW_USER_ID=$NEW_USER_ID" >> "$GITHUB_ENV"

	- name: Grant role to user
	run: ./baton-postgresql --grant-entitlement "${{ env.CONNECTOR_ENTITLEMENT }}" --grant-principal "${{ env.NEW_USER_ID }}" --grant-principal-type "${{ env.CONNECTOR_PRINCIPAL_TYPE }}"

	- name: Check role was granted
	run: ./baton-postgresql && baton grants --entitlement "${{ env.CONNECTOR_ENTITLEMENT }}" -o json \| jq -e --arg login "${{ env.CONNECTOR_NEW_USER }}" 'any(.grants[]?; any(.principal.annotations[]?; .["@type"]=="type.googleapis.com/c1.connector.v2.UserTrait" and .login==$login) or any(.grant.principal.annotations[]?; .["@type"]=="type.googleapis.com/c1.connector.v2.UserTrait" and .login==$login))'

	- name: Delete user
	run: ./baton-postgresql --delete-resource "${{ env.NEW_USER_ID }}" --resource-type "${{ env.CONNECTOR_PRINCIPAL_TYPE }}"

	- name: Check user was deleted
	run: ./baton-postgresql && baton resources -o json \| jq -e --arg login "${{ env.CONNECTOR_NEW_USER }}" 'any(.resources[].resource.annotations[]?;.["@type"]=="type.googleapis.com/c1.connector.v2.UserTrait" and .login==$login) \| not'

	# TODO: get correct role id using baton CLI
	# - name: Rotate credentials for user
	# run: ./baton-postgresql --rotate-credentials 'role:16384' --rotate-credentials-type 'role'

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Check and remove grants and role memberships before removing a role #117

Workflow file

Check and remove grants and role memberships before removing a role #117

Uh oh!

Workflow file for this run