Merge pull request #3 from Facets-cloud/fix-seq-privileges

filter valid permissions for sequences and use them in grant query

Author: pramodh-ayyappan

Dockerfile

@@ -15,6 +15,7 @@ RUN go mod download
 COPY main.go main.go
 COPY apis/ apis/
 COPY controllers/ controllers/
+COPY utility/ utility/
 
 # Build
 # the GOARCH has not a default value to allow the binary be built according to the host where the command

controllers/postgresql/grant_controller.go

@@ -42,6 +42,7 @@ import (
 
 	"github.com/Facets-cloud/postgresql-operator/apis/common"
 	postgresql "github.com/Facets-cloud/postgresql-operator/apis/postgresql/v1alpha1"
+	"github.com/Facets-cloud/postgresql-operator/utility"
 	"github.com/google/go-cmp/cmp"
 	"github.com/lib/pq"
 )
@@ -438,10 +439,14 @@ func (r *GrantReconciler) CreateGrant(ctx context.Context, grantType string, gra
 			// https://www.postgresql.org/docs/current/sql-alterdefaultprivileges.html
 			createGrantQueryForFutureTables := fmt.Sprintf("ALTER DEFAULT PRIVILEGES IN SCHEMA %s GRANT %s ON TABLES TO \"%s\"", schema, privileges, roleName)
 			createGrantQueryForExistingTables := fmt.Sprintf("GRANT %s ON ALL TABLES IN SCHEMA %s TO \"%s\"", privileges, schema, roleName)
-			createGrantSeqQueryForFutureTables := fmt.Sprintf("ALTER DEFAULT PRIVILEGES IN SCHEMA %s GRANT %s ON SEQUENCES TO \"%s\"", schema, privileges, roleName)
-			createGrantSeqQueryForExistingTables := fmt.Sprintf("GRANT %s ON ALL SEQUENCES IN SCHEMA %s TO \"%s\"", privileges, schema, roleName)
-
-			createGrantQuery = strings.Join([]string{createGrantQueryForFutureTables, createGrantQueryForExistingTables, createGrantSeqQueryForFutureTables, createGrantSeqQueryForExistingTables}, "; ")
+			sequencePrivileges := utility.GenerateSequencePrivileges(privileges)
+			createGrantSeqQueryForFutureTables := fmt.Sprintf("ALTER DEFAULT PRIVILEGES IN SCHEMA %s GRANT %s ON SEQUENCES TO \"%s\"", schema, sequencePrivileges, roleName)
+			createGrantSeqQueryForExistingTables := fmt.Sprintf("GRANT %s ON ALL SEQUENCES IN SCHEMA %s TO \"%s\"", sequencePrivileges, schema, roleName)
+			if strings.Compare(sequencePrivileges, "") == 0 {
+				createGrantQuery = strings.Join([]string{createGrantQueryForFutureTables, createGrantQueryForExistingTables}, "; ")
+			} else {
+				createGrantQuery = strings.Join([]string{createGrantQueryForFutureTables, createGrantQueryForExistingTables, createGrantSeqQueryForFutureTables, createGrantSeqQueryForExistingTables}, "; ")
+			}
 		} else {
 			createGrantQuery = fmt.Sprintf("GRANT %s ON %s.%s TO \"%s\"", privileges, schema, table, roleName)
 		}
@@ -532,9 +537,14 @@ func (r *GrantReconciler) SyncGrant(ctx context.Context, grantType string, grant
 			// https://www.postgresql.org/docs/current/sql-alterdefaultprivileges.html
 			syncGrantQueryForFutureTables := fmt.Sprintf("ALTER DEFAULT PRIVILEGES IN SCHEMA %s GRANT %s ON TABLES TO \"%s\"", schema, privileges, roleName)
 			syncGrantQueryForExistingTables := fmt.Sprintf("GRANT %s ON ALL TABLES IN SCHEMA %s TO \"%s\"", privileges, schema, roleName)
-			syncGrantSeqQueryForFutureTables := fmt.Sprintf("ALTER DEFAULT PRIVILEGES IN SCHEMA %s GRANT %s ON SEQUENCES TO \"%s\"", schema, privileges, roleName)
-			syncGrantSeqQueryForExistingTables := fmt.Sprintf("GRANT %s ON ALL SEQUENCES IN SCHEMA %s TO \"%s\"", privileges, schema, roleName)
-			syncGrantQuery = strings.Join([]string{syncGrantQueryForFutureTables, syncGrantQueryForExistingTables, syncGrantSeqQueryForFutureTables, syncGrantSeqQueryForExistingTables}, "; ")
+			sequencePrivileges := utility.GenerateSequencePrivileges(privileges)
+			syncGrantSeqQueryForFutureTables := fmt.Sprintf("ALTER DEFAULT PRIVILEGES IN SCHEMA %s GRANT %s ON SEQUENCES TO \"%s\"", schema, sequencePrivileges, roleName)
+			syncGrantSeqQueryForExistingTables := fmt.Sprintf("GRANT %s ON ALL SEQUENCES IN SCHEMA %s TO \"%s\"", sequencePrivileges, schema, roleName)
+			if strings.Compare(sequencePrivileges, "") == 0 {
+				syncGrantQuery = strings.Join([]string{syncGrantQueryForFutureTables, syncGrantQueryForExistingTables}, "; ")
+			} else {
+				syncGrantQuery = strings.Join([]string{syncGrantQueryForFutureTables, syncGrantQueryForExistingTables, syncGrantSeqQueryForFutureTables, syncGrantSeqQueryForExistingTables}, "; ")
+			}
 		} else {
 			syncGrantQuery = fmt.Sprintf("GRANT %s ON %s.%s TO \"%s\"", privileges, schema, table, roleName)
 		}

utility/privileges.go

@@ -0,0 +1,25 @@
+package utility
+
+import "strings"
+
+func GenerateSequencePrivileges(privileges string) string {
+
+	// map of valid privilges that can be granted on sequence
+	allowedPrivileges := map[string]struct{}{"SELECT": {}, "UPDATE": {}, "USAGE": {}}
+
+	// filtering the valid privileges
+	splitStrings := strings.Split(privileges, ",")
+
+	sequencePrivileges := make([]string, 0)
+	for _, str := range splitStrings {
+		trimmedStr := strings.TrimSpace(str)
+		_, ok := allowedPrivileges[trimmedStr]
+		if ok {
+			sequencePrivileges = append(sequencePrivileges, trimmedStr)
+		}
+	}
+
+	sequencePrivilegesStr := strings.Join(sequencePrivileges, ", ")
+
+	return sequencePrivilegesStr
+}

utility/privileges_test.go

@@ -0,0 +1,36 @@
+package utility
+
+import "testing"
+
+func TestGenerateSequencePrivileges(t *testing.T) {
+	type args struct {
+		privileges string
+	}
+	tests := []struct {
+		name string
+		args args
+		want string
+	}{
+		{
+			name: "test has sequence privileges",
+			args: args{
+				privileges: " INSERT   , SELECT,UPDATE, DELETE, TRUNCATE, REFERENCES, TRIGGER, USAGE  ",
+			},
+			want: "SELECT, UPDATE, USAGE",
+		},
+		{
+			name: "test has no sequence privileges",
+			args: args{
+				privileges: " INSERT, DELETE, TRUNCATE, REFERENCES, TRIGGER",
+			},
+			want: "",
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if got := GenerateSequencePrivileges(tt.args.privileges); got != tt.want {
+				t.Errorf("GenerateSequencePrivileges() = %v, want %v", got, tt.want)
+			}
+		})
+	}
+}