add provisioning for table

Author: MarcusGoldschmidt

pkg/connector/function.go

@@ -90,6 +90,8 @@ func (r *functionSyncer) Entitlements(ctx context.Context, resource *v2.Resource
 	}
 
 	for _, en := range ens {
+		annos := annotations.Annotations(en.Annotations)
+		annos.Update(&v2.EntitlementImmutable{})
 		en.DisplayName = fmt.Sprintf("%s on %s", dbModel.Name, en.DisplayName)
 	}
 

pkg/connector/sequence.go

@@ -94,6 +94,8 @@ func (r *sequenceSyncer) Entitlements(ctx context.Context, resource *v2.Resource
 	}
 
 	for _, en := range ens {
+		annos := annotations.Annotations(en.Annotations)
+		annos.Update(&v2.EntitlementImmutable{})
 		en.DisplayName = fmt.Sprintf("%s on %s", dbModel.Name, en.DisplayName)
 	}
 

pkg/connector/table.go

@@ -104,6 +104,9 @@ func (r *tableSyncer) Entitlements(ctx context.Context, resource *v2.Resource, p
 	}
 
 	for _, en := range ens {
+		annos := annotations.Annotations(en.Annotations)
+		annos.Update(&v2.EntitlementImmutable{})
+
 		en.DisplayName = fmt.Sprintf("%s - %s", dbModel.Name, resource.DisplayName)
 	}
 
@@ -139,6 +142,67 @@ func (r *tableSyncer) Grants(ctx context.Context, resource *v2.Resource, pToken
 	return ret, nextPageToken, nil, nil
 }
 
+func (r *tableSyncer) Grant(ctx context.Context, principal *v2.Resource, entitlement *v2.Entitlement) ([]*v2.Grant, annotations.Annotations, error) {
+	if principal.Id.ResourceType != roleResourceType.Id {
+		return nil, nil, fmt.Errorf("baton-postgres: only users and roles can have roles granted")
+	}
+
+	_, _, privilegeName, isGrant, err := parseEntitlementID(entitlement.Id)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	dbId, rID, err := parseWithDatabaseID(entitlement.Resource.Id.Resource)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	dbClient, dbName, err := r.clientPool.Get(ctx, dbId)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	table, err := dbClient.GetTable(ctx, rID)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	err = dbClient.GrantTable(ctx, dbName, table.Name, principal.DisplayName, privilegeName, isGrant)
+	return nil, nil, err
+}
+
+func (r *tableSyncer) Revoke(ctx context.Context, grant *v2.Grant) (annotations.Annotations, error) {
+	entitlement := grant.Entitlement
+	principal := grant.Principal
+
+	if principal.Id.ResourceType != roleResourceType.Id {
+		return nil, fmt.Errorf("baton-postgres: only users and roles can have roles granted")
+	}
+
+	_, _, privilegeName, isGrant, err := parseEntitlementID(entitlement.Id)
+	if err != nil {
+		return nil, err
+	}
+
+	dbId, rID, err := parseWithDatabaseID(entitlement.Resource.Id.Resource)
+	if err != nil {
+		return nil, err
+	}
+
+	dbClient, dbName, err := r.clientPool.Get(ctx, dbId)
+	if err != nil {
+		return nil, err
+	}
+
+	table, err := dbClient.GetTable(ctx, rID)
+	if err != nil {
+		return nil, err
+	}
+
+	err = dbClient.RevokeTable(ctx, dbName, table.Name, principal.DisplayName, privilegeName, isGrant)
+	return nil, err
+}
+
 func newTableSyncer(ctx context.Context, c *postgres.ClientDatabasesPool, includeColumns bool) *tableSyncer {
 	return &tableSyncer{
 		resourceType:   tableResourceType,

pkg/connector/view.go

@@ -94,6 +94,8 @@ func (r *viewSyncer) Entitlements(ctx context.Context, resource *v2.Resource, pT
 	}
 
 	for _, en := range ens {
+		annos := annotations.Annotations(en.Annotations)
+		annos.Update(&v2.EntitlementImmutable{})
 		en.DisplayName = fmt.Sprintf("%s on %s", dbModel.Name, en.DisplayName)
 	}
 

pkg/postgres/databases.go

@@ -202,3 +202,43 @@ func (c *Client) RevokeDatabase(ctx context.Context, dbName string, target strin
 	_, err := c.db.Exec(ctx, q)
 	return err
 }
+
+func (c *Client) GrantTable(ctx context.Context, dbName string, tableName string, principalName string, privilege string, isGrant bool) error {
+	l := ctxzap.Extract(ctx)
+	l.Debug("granting database", zap.String("dbName", dbName), zap.String("principalName", principalName), zap.String("privilege", privilege))
+
+	sanitizedDbName := pgx.Identifier{dbName}.Sanitize()
+	sanitizedTableName := pgx.Identifier{tableName}.Sanitize()
+	sanitizedPrincipalName := pgx.Identifier{principalName}.Sanitize()
+	sanitizedPrivilege := pgx.Identifier{transformPrivilege(privilege)}.Sanitize()
+
+	q := fmt.Sprintf("GRANT %s ON TABLE %s.%s TO %s", sanitizedPrivilege, sanitizedDbName, sanitizedTableName, sanitizedPrincipalName)
+
+	if isGrant {
+		q += " WITH GRANT OPTION"
+	}
+
+	_, err := c.db.Exec(ctx, q)
+	return err
+}
+
+func (c *Client) RevokeTable(ctx context.Context, dbName string, tableName string, principalName string, privilege string, isGrant bool) error {
+	l := ctxzap.Extract(ctx)
+	l.Debug("granting database", zap.String("dbName", dbName), zap.String("principalName", principalName), zap.String("privilege", privilege))
+
+	sanitizedDbName := pgx.Identifier{dbName}.Sanitize()
+	sanitizedTableName := pgx.Identifier{tableName}.Sanitize()
+	sanitizedPrincipalName := pgx.Identifier{principalName}.Sanitize()
+	sanitizedPrivilege := pgx.Identifier{transformPrivilege(privilege)}.Sanitize()
+
+	var q string
+
+	if isGrant {
+		q = fmt.Sprintf("REVOKE GRANT OPTION for %s ON TABLE %s.%s FROM %s", sanitizedPrivilege, sanitizedDbName, sanitizedTableName, sanitizedPrincipalName)
+	} else {
+		q = fmt.Sprintf("REVOKE %s ON TABLE %s.%s FROM %s", sanitizedPrivilege, sanitizedDbName, sanitizedTableName, sanitizedPrincipalName)
+	}
+
+	_, err := c.db.Exec(ctx, q)
+	return err
+}