[DPE-7520] Test that the charmed_read role cannot write data (#945)

marceloneppel · shayancanonical · web-flow · commit 6cf8599fbc5a · 2025-06-13T16:04:46.000-03:00
* Implement instance level predefined roles

* Fix minor bug introduced while rebasing off of 16/edge

* Add integration test for charmed_read and charmed_dml roles

* Revert all major changes except introduction of predefined roles

* Sweep diff and minor bug fixes

* Avoid creating set_user extension

* Port Carl's fix for broken unit tests

* Create set_up_predefined_catalog_roles_function

Signed-off-by: Marcelo Henrique Neppel &lt;marcelo.neppel@canonical.com&gt;

* Fix linting and run function on database creation

Signed-off-by: Marcelo Henrique Neppel &lt;marcelo.neppel@canonical.com&gt;

* Add login hook function

Signed-off-by: Marcelo Henrique Neppel &lt;marcelo.neppel@canonical.com&gt;

* Escalate relation users

Signed-off-by: Marcelo Henrique Neppel &lt;marcelo.neppel@canonical.com&gt;

* Add integration test

Signed-off-by: Marcelo Henrique Neppel &lt;marcelo.neppel@canonical.com&gt;

* Fix unit test

Signed-off-by: Marcelo Henrique Neppel &lt;marcelo.neppel@canonical.com&gt;

* Check for no write permissions for relation user

Signed-off-by: Marcelo Henrique Neppel &lt;marcelo.neppel@canonical.com&gt;

* Don't set up catalog roles if they already exist

Signed-off-by: Marcelo Henrique Neppel &lt;marcelo.neppel@canonical.com&gt;

* Test database creation permission

Signed-off-by: Marcelo Henrique Neppel &lt;marcelo.neppel@canonical.com&gt;

* Improve logs and move cleanup process to the beginning of the test

Signed-off-by: Marcelo Henrique Neppel &lt;marcelo.neppel@canonical.com&gt;

* Wait for relation to be removed and retrieve primary

Signed-off-by: Marcelo Henrique Neppel &lt;marcelo.neppel@canonical.com&gt;

* Handle re-relation

Signed-off-by: Marcelo Henrique Neppel &lt;marcelo.neppel@canonical.com&gt;

* Add test for removing and re-adding relation

Signed-off-by: Marcelo Henrique Neppel &lt;marcelo.neppel@canonical.com&gt;

* Test roles after database re-creation

Signed-off-by: Marcelo Henrique Neppel &lt;marcelo.neppel@canonical.com&gt;

* Test table creation failure for charmed_databases_owner user

Signed-off-by: Marcelo Henrique Neppel &lt;marcelo.neppel@canonical.com&gt;

* Deduplicate relations retrieval code

Signed-off-by: Marcelo Henrique Neppel &lt;marcelo.neppel@canonical.com&gt;

* Check that the relation user can escalate to the database owner user and create a table

Signed-off-by: Marcelo Henrique Neppel &lt;marcelo.neppel@canonical.com&gt;

* Check escalation back to charmed_databases_owner

Signed-off-by: Marcelo Henrique Neppel &lt;marcelo.neppel@canonical.com&gt;

* Test permissions on newly created database

Signed-off-by: Marcelo Henrique Neppel &lt;marcelo.neppel@canonical.com&gt;

* Check database owner user permissions in the newly created database

Signed-off-by: Marcelo Henrique Neppel &lt;marcelo.neppel@canonical.com&gt;

* Reduce duplicated code with check_connected_user helper function

Signed-off-by: Marcelo Henrique Neppel &lt;marcelo.neppel@canonical.com&gt;

* Reduce more duplicated code with check_connected_user helper function

Signed-off-by: Marcelo Henrique Neppel &lt;marcelo.neppel@canonical.com&gt;

* Bump library

Signed-off-by: Marcelo Henrique Neppel &lt;marcelo.neppel@canonical.com&gt;

* Fix test_charmed_read_role

Signed-off-by: Marcelo Henrique Neppel &lt;marcelo.neppel@canonical.com&gt;

* Remove admin and postgres roles

Signed-off-by: Marcelo Henrique Neppel &lt;marcelo.neppel@canonical.com&gt;

* Create DBA role

Signed-off-by: Marcelo Henrique Neppel &lt;marcelo.neppel@canonical.com&gt;

* Bump postgresql charm lib for 16/edge to v1 due to backwards incompatible changes

* Remove admin role test

Signed-off-by: Marcelo Henrique Neppel &lt;marcelo.neppel@canonical.com&gt;

* Add DBA user test

Signed-off-by: Marcelo Henrique Neppel &lt;marcelo.neppel@canonical.com&gt;

* Test DBA role in replica

Signed-off-by: Marcelo Henrique Neppel &lt;marcelo.neppel@canonical.com&gt;

* Grant reset_user function to DBA role

Signed-off-by: Marcelo Henrique Neppel &lt;marcelo.neppel@canonical.com&gt;

* Test set_user function for unprivileged users

Signed-off-by: Marcelo Henrique Neppel &lt;marcelo.neppel@canonical.com&gt;

* Reduce duplicate code in check_connected_user helper function

Signed-off-by: Marcelo Henrique Neppel &lt;marcelo.neppel@canonical.com&gt;

* Fix charmed_databases_owner permissions

Signed-off-by: Marcelo Henrique Neppel &lt;marcelo.neppel@canonical.com&gt;

* Fix test_charmed_dba_role

Signed-off-by: Marcelo Henrique Neppel &lt;marcelo.neppel@canonical.com&gt;

* Re-add mistakenly removed patch statements

* Reset connection to None before creating a new connection

Signed-off-by: Marcelo Henrique Neppel &lt;marcelo.neppel@canonical.com&gt;

* Remove irrelevant test and increase timeout

Signed-off-by: Marcelo Henrique Neppel &lt;marcelo.neppel@canonical.com&gt;

* Test that the charmed_read role cannot write data

Signed-off-by: Marcelo Henrique Neppel &lt;marcelo.neppel@canonical.com&gt;

* Add check for charmed_read role not being able to write data to an existing table

Signed-off-by: Marcelo Henrique Neppel &lt;marcelo.neppel@canonical.com&gt;

* Fix data used to perform insert

Signed-off-by: Marcelo Henrique Neppel &lt;marcelo.neppel@canonical.com&gt;

---------

Signed-off-by: Marcelo Henrique Neppel &lt;marcelo.neppel@canonical.com&gt;
Co-authored-by: Shayan Patel &lt;shayan.patel@canonical.com&gt;
diff --git a/tests/integration/test_predefined_roles.py b/tests/integration/test_predefined_roles.py
@@ -106,6 +106,7 @@ async def test_charmed_read_role(ops_test: OpsTest):
         connection.autocommit = True
 
         with connection.cursor() as cursor:
+            logger.info("Checking that the charmed_read role can read from the database")
             cursor.execute("RESET ROLE;")
             cursor.execute(
                 "SELECT table_name FROM information_schema.tables WHERE table_name NOT LIKE 'pg_%' AND table_name NOT LIKE 'sql_%' AND table_type <> 'VIEW';"
@@ -118,6 +119,19 @@ async def test_charmed_read_role(ops_test: OpsTest):
             assert data == sorted(["test_data", "test_data_2"]), (
                 "Unexpected data in charmed_read_database with charmed_read role"
             )
+            logger.info("Checking that the charmed_read role cannot create a new table")
+            with pytest.raises(psycopg2.errors.InsufficientPrivilege):
+                cursor.execute("CREATE TABLE test_table_2 (id INTEGER);")
+    connection.close()
+
+    with psycopg2.connect(connection_string) as connection, connection.cursor() as cursor:
+        logger.info("Checking that the charmed_read role cannot write to an existing table")
+        cursor.execute("RESET ROLE;")
+        with pytest.raises(psycopg2.errors.InsufficientPrivilege):
+            cursor.execute(
+                "INSERT INTO test_table (data) VALUES ('test_data_3'), ('test_data_4');"
+            )
+    connection.close()
 
     await ops_test.model.applications[DATABASE_APP_NAME].remove_relation(
         f"{DATABASE_APP_NAME}:database", f"{DATA_INTEGRATOR_APP_NAME}:postgresql"
