[DPE-7628] Fix permissions for predefined roles (#1003)

* Fix permissions for charmed_read and charmed_dml roles

Signed-off-by: Marcelo Henrique Neppel <[email protected]>

* Add one more check in charmed_dml test and add test for both charmed_read and charmed_dml roles

Signed-off-by: Marcelo Henrique Neppel <[email protected]>

* Check escalation possibility for predefined roles

Signed-off-by: Marcelo Henrique Neppel <[email protected]>

* Add roles inheritance

Signed-off-by: Marcelo Henrique Neppel <[email protected]>

* Add test configuration and setup

Signed-off-by: Marcelo Henrique Neppel <[email protected]>

* Fix charmed_stats user permissions, increase timeout and delete database related users

Signed-off-by: Marcelo Henrique Neppel <[email protected]>

* Fix connect privilege for charmed_read, charmed_dml, charmed_dba and charmed_databases_owner users

Signed-off-by: Marcelo Henrique Neppel <[email protected]>

* Change admin user to charmed_admin and convert test to use jubilant

Signed-off-by: Marcelo Henrique Neppel <[email protected]>

* Add initial connection test

Signed-off-by: Marcelo Henrique Neppel <[email protected]>

* Major refactor of predefined roles and their connection tests

Signed-off-by: Marcelo Henrique Neppel <[email protected]>

* Add sleep for HBA update

Signed-off-by: Marcelo Henrique Neppel <[email protected]>

* Fix assertion

Signed-off-by: Marcelo Henrique Neppel <[email protected]>

* Fix user existence check

Signed-off-by: Marcelo Henrique Neppel <[email protected]>

* Check user auto escalation to database owner user

Signed-off-by: Marcelo Henrique Neppel <[email protected]>

* Fix more permissions and add more checks

Signed-off-by: Marcelo Henrique Neppel <[email protected]>

* Change CREATEDB auto escalation

Signed-off-by: Marcelo Henrique Neppel <[email protected]>

* Block forbidden extra user roles combinations

Signed-off-by: Marcelo Henrique Neppel <[email protected]>

* Fix blocked status check in invalid roles test

Signed-off-by: Marcelo Henrique Neppel <[email protected]>

* Fix some linting with a new enum

Signed-off-by: Marcelo Henrique Neppel <[email protected]>

* Test dropping owned and not owned databases

Signed-off-by: Marcelo Henrique Neppel <[email protected]>

* Reduce complexity of helper function

Signed-off-by: Marcelo Henrique Neppel <[email protected]>

* Test charmed_dba role not allowed

Signed-off-by: Marcelo Henrique Neppel <[email protected]>

* Test pg_monitor not allowed and rename test file

Signed-off-by: Marcelo Henrique Neppel <[email protected]>

* Check more CRUD operations

Signed-off-by: Marcelo Henrique Neppel <[email protected]>

* Started to test charmed_dba role

Signed-off-by: Marcelo Henrique Neppel <[email protected]>

* Test set_user function call

Signed-off-by: Marcelo Henrique Neppel <[email protected]>

* Fix linting

Signed-off-by: Marcelo Henrique Neppel <[email protected]>

* Test views creation

Signed-off-by: Marcelo Henrique Neppel <[email protected]>

* Test escalation to database owner user

Signed-off-by: Marcelo Henrique Neppel <[email protected]>

* Check charmed_stats role permissions

Signed-off-by: Marcelo Henrique Neppel <[email protected]>

* Check read on views

Signed-off-by: Marcelo Henrique Neppel <[email protected]>

* Fix charmed_backup role permisions

Signed-off-by: Marcelo Henrique Neppel <[email protected]>

* Fix linting

Signed-off-by: Marcelo Henrique Neppel <[email protected]>

* Block user requesting system databases

Signed-off-by: Marcelo Henrique Neppel <[email protected]>

* Remove template0 from tested databases

Signed-off-by: Marcelo Henrique Neppel <[email protected]>

* Avoid relation group in error message

Signed-off-by: Marcelo Henrique Neppel <[email protected]>

* Allow connection to system databases

Signed-off-by: Marcelo Henrique Neppel <[email protected]>

* Delete old tests

Signed-off-by: Marcelo Henrique Neppel <[email protected]>

* Check if pg_hba temporary table exists before trying to delete it

Signed-off-by: Marcelo Henrique Neppel <[email protected]>

* Don't log exception as error message is already logged

Signed-off-by: Marcelo Henrique Neppel <[email protected]>

* Change event trigger function to be a security definer

Signed-off-by: Marcelo Henrique Neppel <[email protected]>

* Check if relation_users temporary table exists before trying to delete it

Signed-off-by: Marcelo Henrique Neppel <[email protected]>

* Fix pg_temp tables drop

Signed-off-by: Marcelo Henrique Neppel <[email protected]>

* Fix test app channel in audit test

Signed-off-by: Marcelo Henrique Neppel <[email protected]>

* Create schema to calll event trigger

Signed-off-by: Marcelo Henrique Neppel <[email protected]>

* Fix check for invalid database name

Signed-off-by: Marcelo Henrique Neppel <[email protected]>

* Fix mechanism that resolves blocked status after relation removal

Signed-off-by: Marcelo Henrique Neppel <[email protected]>

* Cap database name at 49 characters to avoid issues when creating database level roles

Signed-off-by: Marcelo Henrique Neppel <[email protected]>

* Handle None database name in relation broken event

Signed-off-by: Marcelo Henrique Neppel <[email protected]>

---------

Signed-off-by: Marcelo Henrique Neppel <[email protected]>

Author: marceloneppel

lib/charms/postgresql_k8s/v1/postgresql.py

@@ -14,6 +14,7 @@
 from charms.postgresql_k8s.v1.postgresql import (
     ACCESS_GROUP_RELATION,
     ACCESS_GROUPS,
+    INVALID_DATABASE_NAME_BLOCKING_MESSAGE,
     INVALID_EXTRA_USER_ROLE_BLOCKING_MESSAGE,
     PostgreSQLCreateDatabaseError,
     PostgreSQLCreateUserError,
@@ -113,7 +114,7 @@ def _on_database_requested(self, event: DatabaseRequestedEvent) -> None:
 
             password = new_password()
             self.charm.postgresql.create_user(
-                user, password, extra_user_roles=extra_user_roles, in_role=f"{database}_admin"
+                user, password, extra_user_roles=extra_user_roles, database=database
             )
 
             # Share the credentials with the application.
@@ -138,11 +139,14 @@ def _on_database_requested(self, event: DatabaseRequestedEvent) -> None:
             PostgreSQLCreateUserError,
             PostgreSQLGetPostgreSQLVersionError,
         ) as e:
-            logger.exception(e)
             self.charm.set_unit_status(
                 BlockedStatus(
                     e.message
-                    if issubclass(type(e), PostgreSQLCreateUserError) and e.message is not None
+                    if (
+                        issubclass(type(e), PostgreSQLCreateDatabaseError)
+                        or issubclass(type(e), PostgreSQLCreateUserError)
+                    )
+                    and e.message is not None
                     else f"Failed to initialize relation {self.relation_name}"
                 )
             )
@@ -299,9 +303,16 @@ def update_endpoints(self, event: DatabaseRequestedEvent = None) -> None:  # noq
     def _update_unit_status(self, relation: Relation) -> None:
         """# Clean up Blocked status if it's due to extensions request."""
         if (
-            self.charm.is_blocked
-            and self.charm.unit.status.message == INVALID_EXTRA_USER_ROLE_BLOCKING_MESSAGE
-        ) and not self.check_for_invalid_extra_user_roles(relation.id):
+            (
+                self.charm.is_blocked
+                and (
+                    self.charm.unit.status.message == INVALID_EXTRA_USER_ROLE_BLOCKING_MESSAGE
+                    or self.charm.unit.status.message == INVALID_DATABASE_NAME_BLOCKING_MESSAGE
+                )
+            )
+            and not self.check_for_invalid_extra_user_roles(relation.id)
+            and not self.check_for_invalid_database_name(relation.id)
+        ):
             self.charm.set_unit_status(ActiveStatus())
         if (
             self.charm.is_blocked
@@ -326,6 +337,24 @@ def check_for_invalid_extra_user_roles(self, relation_id: int) -> bool:
                     if (
                         extra_user_role not in valid_privileges
                         and extra_user_role not in valid_roles
+                        and extra_user_role != "createdb"
                     ):
                         return True
         return False
+
+    def check_for_invalid_database_name(self, relation_id: int) -> bool:
+        """Checks if there are relations with invalid database names.
+
+        Args:
+            relation_id: current relation to be skipped.
+        """
+        for relation in self.charm.model.relations.get(self.relation_name, []):
+            if relation.id == relation_id:
+                continue
+            for data in relation.data.values():
+                database = data.get("database")
+                if database is not None and (
+                    len(database) > 49 or database in ["postgres", "template0", "template1"]
+                ):
+                    return True
+        return False

src/relations/postgresql_provider.py

@@ -164,7 +164,13 @@ postgresql:
     - local all backup peer map=operator
     - local all operator scram-sha-256
     - local all monitoring password
+    - {{ 'hostssl' if enable_tls else 'host' }} all +charmed_stats 0.0.0.0/0 scram-sha-256
+    - {{ 'hostssl' if enable_tls else 'host' }} all +charmed_read 0.0.0.0/0 scram-sha-256
+    - {{ 'hostssl' if enable_tls else 'host' }} all +charmed_dml 0.0.0.0/0 scram-sha-256
+    - {{ 'hostssl' if enable_tls else 'host' }} all +charmed_backup 0.0.0.0/0 scram-sha-256
     - {{ 'hostssl' if enable_tls else 'host' }} all +charmed_dba 0.0.0.0/0 scram-sha-256
+    - {{ 'hostssl' if enable_tls else 'host' }} all +charmed_admin 0.0.0.0/0 scram-sha-256
+    - {{ 'hostssl' if enable_tls else 'host' }} all +charmed_databases_owner 0.0.0.0/0 scram-sha-256
     {%- if not connectivity %}
     - {{ 'hostssl' if enable_tls else 'host' }} all all {{ self_ip }} md5
     - {{ 'hostssl' if enable_tls else 'host' }} all all 0.0.0.0/0 reject

templates/patroni.yml.j2

@@ -5,11 +5,13 @@
 import uuid
 
 import boto3
+import jubilant
 import pytest
 from pytest_operator.plugin import OpsTest
 
 from . import architecture
 from .helpers import construct_endpoint
+from .jubilant_helpers import RoleAttributeValue
 
 AWS = "AWS"
 GCP = "GCP"
@@ -25,7 +27,7 @@ def charm():
     return f"./[email protected]{architecture.architecture}.charm"
 
 
-def get_cloud_config(cloud: str) -> tuple[dict[str, str], dict[str, str]]:
+def get_cloud_config(cloud: str) -> tuple[dict[str, str], dict[str, str]] | None:
     # Define some configurations and credentials.
     if cloud == AWS:
         return {
@@ -47,6 +49,7 @@ def get_cloud_config(cloud: str) -> tuple[dict[str, str], dict[str, str]]:
             "access-key": os.environ["GCP_ACCESS_KEY"],
             "secret-key": os.environ["GCP_SECRET_KEY"],
         }
+    return None
 
 
 def cleanup_cloud(config: dict[str, str], credentials: dict[str, str]) -> None:
@@ -94,3 +97,173 @@ async def gcp_cloud_configs(ops_test: OpsTest) -> None:
     yield config, credentials
 
     cleanup_cloud(config, credentials)
+
+
+@pytest.fixture(scope="module")
+def juju(request: pytest.FixtureRequest):
+    """Pytest fixture that wraps :meth:`jubilant.with_model`.
+
+    This adds command line parameter ``--keep-models`` (see help for details).
+    """
+    controller = request.config.getoption("--controller")
+    model = request.config.getoption("--model")
+    controller_and_model = None
+    if controller and model:
+        controller_and_model = f"{controller}:{model}"
+    elif controller:
+        controller_and_model = controller
+    elif model:
+        controller_and_model = model
+    keep_models = bool(request.config.getoption("--keep-models"))
+
+    if controller_and_model:
+        juju = jubilant.Juju(model=controller_and_model)  # type: ignore
+        yield juju
+        log = juju.debug_log(limit=1000)
+    else:
+        with jubilant.temp_model(keep=keep_models) as juju:
+            yield juju
+            log = juju.debug_log(limit=1000)
+
+    if request.session.testsfailed:
+        print(log, end="")
+
+
+@pytest.fixture(scope="module")
+def predefined_roles() -> dict:
+    """Return a list of predefined roles with their expected permissions."""
+    return {
+        "": {
+            "auto-escalate-to-database-owner": RoleAttributeValue.REQUESTED_DATABASE,
+            "permissions": {
+                "connect": RoleAttributeValue.REQUESTED_DATABASE,
+                "create-databases": RoleAttributeValue.NO,
+                "create-objects": RoleAttributeValue.NO,
+                "escalate-to-database-owner": RoleAttributeValue.REQUESTED_DATABASE,
+                "read-data": RoleAttributeValue.NO,
+                "read-stats": RoleAttributeValue.ALL_DATABASES,
+                "run-backup-commands": RoleAttributeValue.NO,
+                "set-up-predefined-catalog-roles": RoleAttributeValue.NO,
+                "set-user": RoleAttributeValue.NO,
+                "write-data": RoleAttributeValue.NO,
+            },
+        },
+        "charmed_stats": {
+            "auto-escalate-to-database-owner": RoleAttributeValue.NO,
+            "permissions": {
+                "connect": RoleAttributeValue.ALL_DATABASES,
+                "create-databases": RoleAttributeValue.NO,
+                "create-objects": RoleAttributeValue.NO,
+                "escalate-to-database-owner": RoleAttributeValue.NO,
+                "read-data": RoleAttributeValue.NO,
+                "read-stats": RoleAttributeValue.ALL_DATABASES,
+                "run-backup-commands": RoleAttributeValue.NO,
+                "set-up-predefined-catalog-roles": RoleAttributeValue.NO,
+                "set-user": RoleAttributeValue.NO,
+                "write-data": RoleAttributeValue.NO,
+            },
+        },
+        "charmed_read": {
+            "auto-escalate-to-database-owner": RoleAttributeValue.NO,
+            "permissions": {
+                "connect": RoleAttributeValue.ALL_DATABASES,
+                "create-databases": RoleAttributeValue.NO,
+                "create-objects": RoleAttributeValue.NO,
+                "escalate-to-database-owner": RoleAttributeValue.NO,
+                "read-data": RoleAttributeValue.ALL_DATABASES,
+                "read-stats": RoleAttributeValue.ALL_DATABASES,
+                "run-backup-commands": RoleAttributeValue.NO,
+                "set-up-predefined-catalog-roles": RoleAttributeValue.NO,
+                "set-user": RoleAttributeValue.NO,
+                "write-data": RoleAttributeValue.NO,
+            },
+        },
+        "charmed_dml": {
+            "auto-escalate-to-database-owner": RoleAttributeValue.NO,
+            "permissions": {
+                "connect": RoleAttributeValue.ALL_DATABASES,
+                "create-databases": RoleAttributeValue.NO,
+                "create-objects": RoleAttributeValue.NO,
+                "escalate-to-database-owner": RoleAttributeValue.NO,
+                "read-data": RoleAttributeValue.ALL_DATABASES,
+                "read-stats": RoleAttributeValue.ALL_DATABASES,
+                "run-backup-commands": RoleAttributeValue.NO,
+                "set-up-predefined-catalog-roles": RoleAttributeValue.NO,
+                "set-user": RoleAttributeValue.NO,
+                "write-data": RoleAttributeValue.ALL_DATABASES,
+            },
+        },
+        "charmed_backup": {
+            "auto-escalate-to-database-owner": RoleAttributeValue.NO,
+            "permissions": {
+                "connect": RoleAttributeValue.ALL_DATABASES,
+                "create-databases": RoleAttributeValue.NO,
+                "create-objects": RoleAttributeValue.NO,
+                "escalate-to-database-owner": RoleAttributeValue.NO,
+                "read-data": RoleAttributeValue.NO,
+                "read-stats": RoleAttributeValue.ALL_DATABASES,
+                "run-backup-commands": RoleAttributeValue.YES,
+                "set-up-predefined-catalog-roles": RoleAttributeValue.NO,
+                "set-user": RoleAttributeValue.NO,
+                "write-data": RoleAttributeValue.NO,
+            },
+        },
+        "charmed_dba": {
+            "auto-escalate-to-database-owner": RoleAttributeValue.NO,
+            "permissions": {
+                "connect": RoleAttributeValue.ALL_DATABASES,
+                "create-databases": RoleAttributeValue.NO,
+                "create-objects": RoleAttributeValue.NO,
+                "escalate-to-database-owner": RoleAttributeValue.NO,
+                "read-data": RoleAttributeValue.ALL_DATABASES,
+                "read-stats": RoleAttributeValue.ALL_DATABASES,
+                "run-backup-commands": RoleAttributeValue.NO,
+                "set-up-predefined-catalog-roles": RoleAttributeValue.NO,
+                "set-user": RoleAttributeValue.YES,
+                "write-data": RoleAttributeValue.ALL_DATABASES,
+            },
+        },
+        "charmed_admin": {
+            "auto-escalate-to-database-owner": RoleAttributeValue.ALL_DATABASES,
+            "permissions": {
+                "connect": RoleAttributeValue.ALL_DATABASES,
+                "create-databases": RoleAttributeValue.NO,
+                "create-objects": RoleAttributeValue.NO,
+                "escalate-to-database-owner": RoleAttributeValue.ALL_DATABASES,
+                "read-data": RoleAttributeValue.ALL_DATABASES,
+                "read-stats": RoleAttributeValue.ALL_DATABASES,
+                "run-backup-commands": RoleAttributeValue.NO,
+                "set-up-predefined-catalog-roles": RoleAttributeValue.NO,
+                "set-user": RoleAttributeValue.NO,
+                "write-data": RoleAttributeValue.ALL_DATABASES,
+            },
+        },
+        "CREATEDB": {
+            "auto-escalate-to-database-owner": RoleAttributeValue.NO,
+            "permissions": {
+                "connect": RoleAttributeValue.ALL_DATABASES,
+                "create-databases": RoleAttributeValue.YES,
+                "create-objects": RoleAttributeValue.NO,
+                "escalate-to-database-owner": RoleAttributeValue.NO,
+                "read-data": RoleAttributeValue.NO,
+                "read-stats": RoleAttributeValue.NO,
+                "run-backup-commands": RoleAttributeValue.NO,
+                "set-up-predefined-catalog-roles": RoleAttributeValue.YES,
+                "set-user": RoleAttributeValue.NO,
+                "write-data": RoleAttributeValue.NO,
+            },
+        },
+    }
+
+
+@pytest.fixture(scope="module")
+def predefined_roles_combinations() -> list:
+    """Return a list of valid combinations of predefined roles."""
+    return [
+        ("",),
+        ("charmed_stats",),
+        ("charmed_read",),
+        ("charmed_dml",),
+        ("charmed_admin",),
+        ("charmed_admin", "CREATEDB"),
+    ]

tests/integration/conftest.py

@@ -747,10 +747,10 @@ def check_connected_user(
     if result is not None:
         instance = "primary" if primary else "replica"
         assert result[0] == session_user, (
-            f"The session user should be the {session_user} user in the {instance}"
+            f"The session user should be the {session_user} user in the {instance} (it's currently {result[0]})"
         )
         assert result[1] == current_user, (
-            f"The current user should be the {current_user} user in the {instance}"
+            f"The current user should be the {current_user} user in the {instance} (it's currently {result[1]})"
         )
     else:
         assert False, "No result returned from the query"
@@ -793,6 +793,12 @@ async def check_roles_and_their_permissions(
             check_connected_user(cursor, username, username)
             with pytest.raises(psycopg2.errors.InsufficientPrivilege):
                 cursor.execute("CREATE TABLE test_table_2 (id INTEGER);")
+
+            logger.info(
+                "Checking that the relation user can escalate back to the database owner user"
+            )
+            cursor.execute(f"SET ROLE {database_name}_owner;")
+            check_connected_user(cursor, username, f"{database_name}_owner")
     finally:
         if connection is not None:
             connection.close()