postgresql_default_privileges: support of schema object type (#126)

kostiantyn-nemchenko · web-flow · commit 9c28441b54cc · 2021-09-24T17:35:13.000+02:00
* postgresql_default_privileges: support of schema object type

* Add schema test steps to TestAccPostgresqlDefaultPrivileges

* Fix id attr value

* Move schema tests to TestAccPostgresqlDefaultPrivileges_NoSchema

* Check supported PG version

* Dedicated acc test for acls on schemas

* Fix comment in acc test
diff --git a/postgresql/config.go b/postgresql/config.go
@@ -29,6 +29,7 @@ const (
 	featureReplication
 	featureExtension
 	featurePrivileges
+	featurePrivilegesOnSchemas
 	featureForceDropDatabase
 	featurePid
 )
@@ -67,6 +68,10 @@ var (
 		// for Postgresql < 9.
 		featurePrivileges: semver.MustParseRange(">=9.0.0"),
 
+		// ALTER DEFAULT PRIVILEGES has ON SCHEMAS support
+		// for Postgresql >= 10
+		featurePrivilegesOnSchemas: semver.MustParseRange(">=10.0.0"),
+
 		// DROP DATABASE WITH FORCE
 		// for Postgresql >= 13
 		featureForceDropDatabase: semver.MustParseRange(">=13.0.0"),
diff --git a/postgresql/resource_postgresql_default_privileges.go b/postgresql/resource_postgresql_default_privileges.go
@@ -54,6 +54,7 @@ func resourcePostgreSQLDefaultPrivileges() *schema.Resource {
 					"sequence",
 					"function",
 					"type",
+					"schema",
 				}, false),
 				Description: "The PostgreSQL object type to set the default privileges on (one of: table, sequence, function, type)",
 			},
@@ -76,6 +77,16 @@ func resourcePostgreSQLDefaultPrivileges() *schema.Resource {
 }
 
 func resourcePostgreSQLDefaultPrivilegesRead(db *DBConnection, d *schema.ResourceData) error {
+	pgSchema := d.Get("schema").(string)
+	objectType := d.Get("object_type").(string)
+
+	if pgSchema != "" && objectType == "schema" && !db.featureSupported(featurePrivilegesOnSchemas) {
+		return fmt.Errorf(
+			"changing default privileges for schemas is not supported for this Postgres version (%s)",
+			db.version,
+		)
+	}
+
 	exists, err := checkRoleDBSchemaExists(db.client, d)
 	if err != nil {
 		return err
@@ -95,6 +106,18 @@ func resourcePostgreSQLDefaultPrivilegesRead(db *DBConnection, d *schema.Resourc
 }
 
 func resourcePostgreSQLDefaultPrivilegesCreate(db *DBConnection, d *schema.ResourceData) error {
+	pgSchema := d.Get("schema").(string)
+	objectType := d.Get("object_type").(string)
+
+	if pgSchema != "" && objectType == "schema" {
+		if !db.featureSupported(featurePrivilegesOnSchemas) {
+			return fmt.Errorf(
+				"changing default privileges for schemas is not supported for this Postgres version (%s)",
+				db.version,
+			)
+		}
+		return fmt.Errorf("cannot specify `schema` when `object_type` is `schema`")
+	}
 
 	if d.Get("with_grant_option").(bool) && strings.ToLower(d.Get("role").(string)) == "public" {
 		return fmt.Errorf("with_grant_option cannot be true for role 'public'")
@@ -152,6 +175,15 @@ func resourcePostgreSQLDefaultPrivilegesCreate(db *DBConnection, d *schema.Resou
 
 func resourcePostgreSQLDefaultPrivilegesDelete(db *DBConnection, d *schema.ResourceData) error {
 	owner := d.Get("owner").(string)
+	pgSchema := d.Get("schema").(string)
+	objectType := d.Get("object_type").(string)
+
+	if pgSchema != "" && objectType == "schema" && !db.featureSupported(featurePrivilegesOnSchemas) {
+		return fmt.Errorf(
+			"changing default privileges for schemas is not supported for this Postgres version (%s)",
+			db.version,
+		)
+	}
 
 	txn, err := startTransaction(db.client, d.Get("database").(string))
 	if err != nil {
diff --git a/postgresql/resource_postgresql_default_privileges_test.go b/postgresql/resource_postgresql_default_privileges_test.go
@@ -142,7 +142,7 @@ func TestAccPostgresqlDefaultPrivileges_GrantOwner(t *testing.T) {
 	var stateConfig = fmt.Sprintf(`
 
 resource postgresql_role "test_owner" {
-       name = "test_owner"
+    name = "test_owner"
 }
 
 resource "postgresql_default_privileges" "test_ro" {
@@ -151,7 +151,7 @@ resource "postgresql_default_privileges" "test_ro" {
 	role        = "%s"
 	schema      = "public"
 	object_type = "table"
-	privileges   = ["SELECT"]
+	privileges  = ["SELECT"]
 }
 	`, dbName, roleName)
 
@@ -210,7 +210,7 @@ resource "postgresql_default_privileges" "test_ro" {
 	owner       = "%s"
 	role        = "%s"
 	object_type = "table"
-	privileges   = %%s
+	privileges  = %%s
 }
 `
 			// We set PGUSER as owner as he will create the test table
@@ -262,3 +262,82 @@ resource "postgresql_default_privileges" "test_ro" {
 		})
 	}
 }
+
+// Test defaults privileges on schemas
+func TestAccPostgresqlDefaultPrivilegesOnSchemas(t *testing.T) {
+	skipIfNotAcc(t)
+
+	// We have to create the database outside of resource.Test
+	// because we need to create schemas to assert that grant are correctly applied
+	// and we don't have this resource yet
+	dbSuffix, teardown := setupTestDatabase(t, true, true)
+	defer teardown()
+
+	config := getTestConfig(t)
+	dbName, roleName := getTestDBNames(dbSuffix)
+
+	// Set default privileges to the test role then to public (i.e.: everyone)
+	for _, role := range []string{roleName, "public"} {
+		t.Run(role, func(t *testing.T) {
+
+			hclText := `
+resource "postgresql_default_privileges" "test_ro" {
+	database    = "%s"
+	owner       = "%s"
+	role        = "%s"
+	object_type = "schema"
+	privileges  = %%s
+}
+`
+			// We set PGUSER as owner as he will create the test schemas
+			var tfConfig = fmt.Sprintf(hclText, dbName, config.Username, role)
+
+			resource.Test(t, resource.TestCase{
+				PreCheck: func() {
+					testAccPreCheck(t)
+					testCheckCompatibleVersion(t, featurePrivileges)
+					testCheckCompatibleVersion(t, featurePrivilegesOnSchemas)
+				},
+				Providers: testAccProviders,
+				Steps: []resource.TestStep{
+					{
+						Config: fmt.Sprintf(tfConfig, `[]`),
+						Check: resource.ComposeTestCheckFunc(
+							func(*terraform.State) error {
+								schemas := []string{"test_schema2", "dev_schema2"}
+								// To test default privileges, we need to create a schema
+								// after having apply the state.
+								dropFunc := createTestSchemas(t, dbSuffix, schemas, "")
+								defer dropFunc()
+
+								return testCheckSchemasPrivileges(t, dbName, roleName, schemas, []string{})
+							},
+							resource.TestCheckResourceAttr("postgresql_default_privileges.test_ro", "object_type", "schema"),
+							resource.TestCheckResourceAttr("postgresql_default_privileges.test_ro", "privileges.#", "0"),
+						),
+					},
+					{
+						Config: fmt.Sprintf(tfConfig, `["CREATE", "USAGE"]`),
+						Check: resource.ComposeTestCheckFunc(
+							func(*terraform.State) error {
+								schemas := []string{"test_schema2", "dev_schema2"}
+								// To test default privileges, we need to create a schema
+								// after having apply the state.
+								dropFunc := createTestSchemas(t, dbSuffix, schemas, "")
+								defer dropFunc()
+
+								return testCheckSchemasPrivileges(t, dbName, roleName, schemas, []string{"CREATE", "USAGE"})
+							},
+							resource.TestCheckResourceAttr(
+								"postgresql_default_privileges.test_ro", "id", fmt.Sprintf("%s_%s_noschema_%s_schema", role, dbName, config.Username),
+							),
+							resource.TestCheckResourceAttr("postgresql_default_privileges.test_ro", "privileges.#", "2"),
+							resource.TestCheckResourceAttr("postgresql_default_privileges.test_ro", "privileges.2133731197", "CREATE"),
+							resource.TestCheckResourceAttr("postgresql_default_privileges.test_ro", "privileges.666868928", "USAGE"),
+						),
+					},
+				},
+			})
+		})
+	}
+}
diff --git a/postgresql/resource_postgresql_grant.go b/postgresql/resource_postgresql_grant.go
@@ -28,6 +28,7 @@ var objectTypes = map[string]string{
 	"sequence": "S",
 	"function": "f",
 	"type":     "T",
+	"schema":   "n",
 }
 
 func resourcePostgreSQLGrant() *schema.Resource {
diff --git a/postgresql/utils_test.go b/postgresql/utils_test.go
@@ -209,6 +209,71 @@ func createTestTables(t *testing.T, dbSuffix string, tables []string, owner stri
 	}
 }
 
+func createTestSchemas(t *testing.T, dbSuffix string, schemas []string, owner string) func() {
+	config := getTestConfig(t)
+	dbName, _ := getTestDBNames(dbSuffix)
+	adminUser := config.getDatabaseUsername()
+
+	db, err := sql.Open("postgres", config.connStr(dbName))
+	if err != nil {
+		t.Fatalf("could not open connection pool for db %s: %v", dbName, err)
+	}
+	defer db.Close()
+
+	if owner != "" {
+		if !config.Superuser {
+			if _, err := db.Exec(fmt.Sprintf("GRANT %s TO CURRENT_USER", owner)); err != nil {
+				t.Fatalf("could not grant role %s to current user: %v", owner, err)
+			}
+		}
+		if _, err := db.Exec(fmt.Sprintf("SET ROLE %s", owner)); err != nil {
+			t.Fatalf("could not set role to %s: %v", owner, err)
+		}
+	}
+
+	for _, schema := range schemas {
+		if _, err := db.Exec(fmt.Sprintf("CREATE SCHEMA %s", schema)); err != nil {
+			t.Fatalf("could not create test schema in db %s: %v", dbName, err)
+		}
+		if owner != "" {
+			if _, err := db.Exec(fmt.Sprintf("ALTER SCHEMA %s OWNER TO %s", schema, owner)); err != nil {
+				t.Fatalf("could not set test schema owner to %s: %v", owner, err)
+			}
+		}
+	}
+	if owner != "" && !config.Superuser {
+		if _, err := db.Exec(fmt.Sprintf("SET ROLE %s; REVOKE %s FROM %s", adminUser, owner, adminUser)); err != nil {
+			t.Fatalf("could not revoke role %s from %s: %v", owner, adminUser, err)
+		}
+	}
+
+	// In this case we need to drop schema after each test.
+	return func() {
+		db, err := sql.Open("postgres", config.connStr(dbName))
+		if err != nil {
+			t.Fatalf("could not open connection pool for db %s: %v", dbName, err)
+		}
+		defer db.Close()
+
+		if owner != "" && !config.Superuser {
+			if _, err := db.Exec(fmt.Sprintf("GRANT %s TO CURRENT_USER", owner)); err != nil {
+				t.Fatalf("could not grant role %s to current user: %v", owner, err)
+			}
+		}
+
+		for _, schema := range schemas {
+			if _, err := db.Exec(fmt.Sprintf("DROP SCHEMA %s CASCADE", schema)); err != nil {
+				t.Fatalf("could not drop schema %s: %v", schema, err)
+			}
+		}
+		if owner != "" && !config.Superuser {
+			if _, err := db.Exec(fmt.Sprintf("SET ROLE %s; REVOKE %s FROM %s", adminUser, owner, adminUser)); err != nil {
+				t.Fatalf("could not revoke role %s from %s: %v", owner, adminUser, err)
+			}
+		}
+	}
+}
+
 // testHasGrantForQuery executes a query and checks that it fails if
 // we were not allowed or succeses if we're allowed.
 func testHasGrantForQuery(db *sql.DB, query string, allowed bool) error {
@@ -260,3 +325,22 @@ func testCheckTablesPrivileges(t *testing.T, dbName, roleName string, tables []s
 	}
 	return nil
 }
+
+func testCheckSchemasPrivileges(t *testing.T, dbName, roleName string, schemas []string, allowedPrivileges []string) error {
+	db := connectAsTestRole(t, roleName, dbName)
+	defer db.Close()
+
+	for _, schema := range schemas {
+		queries := map[string]string{
+			"USAGE":  fmt.Sprintf("DROP TABLE IF EXISTS %s.test_table", schema),
+			"CREATE": fmt.Sprintf("CREATE TABLE %s.test_table()", schema),
+		}
+
+		for queryType, query := range queries {
+			if err := testHasGrantForQuery(db, query, sliceContainsStr(allowedPrivileges, queryType)); err != nil {
+				return err
+			}
+		}
+	}
+	return nil
+}

Original file line number	Diff line number	Diff line change
`@@ -28,6 +28,7 @@ var objectTypes = map[string]string{`
`28`	`28`	`"sequence": "S",`
`29`	`29`	`"function": "f",`
`30`	`30`	`"type": "T",`
	`31`	`+ "schema": "n",`
`31`	`32`	`}`
`32`	`33`
`33`	`34`	`func resourcePostgreSQLGrant() *schema.Resource {`