forty 0.1.0 → 0.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 97efc5c8cb7262d1dfb61406f68497e31d49d90d
-  data.tar.gz: 393e67307c31c8273709d61bff8b6428186925ce
+  metadata.gz: 1c69cf32507f1a087a044f2571606170c3c28459
+  data.tar.gz: 7d13e1d39898bc33077e627463abff4040f0bb97
 SHA512:
-  metadata.gz: de46378f836e770d1d02f9e7319691ffc08dd59165255fd09440b86cba41f23e786674d2b84f18d2aa007ccdafaada6410b867bcb4bb7e41f3aeb011b29529cd
-  data.tar.gz: f866784cdcbce84f15f36943e0d188eaf731bdea969f0043ea2839040431c39fa518781399a24ca493bb18f4330af4f326d55101243e974f6c0f565813f9a489
+  metadata.gz: a77cdb8ce81e28740ece0fd5d6fc02809cb9c36d855b638224480476f07f18b63b4437882453e036d496fb31d63ddfd9c1d68d4b5beb69b7cf3bd9a5e40cc0e7
+  data.tar.gz: 7d5afa71ef584d53e72ae07b3a72741028fdabec327246381a8eb7d2792dd64d40a82f74c950822528d61eb73fcfd55566cdad1406836e10cda82831633a92c4

data/lib/forty/configuration.rb

@@ -1,3 +1,5 @@
+require 'logger'
+
 module Forty
   class Configuration
     attr_accessor :logger
@@ -5,6 +7,14 @@ module Forty
     attr_accessor :schemas
     attr_accessor :acl_file
     attr_accessor :generate_passwords
+
+    def initialize
+      @logger = ::Logger.new(STDOUT)
+      @logger.level = ::Logger::INFO
+      @logger.formatter = proc do |severity, _, _, message|
+        "[Forty] [#{severity}] #{message}\n"
+      end
+    end
   end
 
   class Database

data/lib/forty/database.rb

@@ -19,7 +19,5 @@ module Forty
 
       @db.exec(statement)
     end
-
-    alias_method :dwh, :execute
   end
 end

data/lib/forty/privilege.rb

@@ -0,0 +1,69 @@
+module Forty
+  module Privilege
+    class Base
+      PRIVILEGES = self.constants.map { |const| self.const_get(const) }
+
+      def self.get_privilege_name_by_acronym(acronym)
+        privilege = self.constants.select do |constant|
+          self.const_get(constant).eql?(acronym)
+        end[0]
+        privilege.nil? ? nil : privilege.to_s.downcase
+      end
+
+      def self.parse_privileges_from_string(privileges_string)
+        privileges = []
+        self.constants.each do |constant|
+          acronym = self.const_get(constant)
+          unless privileges_string.slice!(acronym).nil?
+            privileges << self.get_privilege_name_by_acronym(acronym)
+          end
+          break if privileges_string.empty?
+        end
+        privileges
+      end
+    end
+
+    # https://www.postgresql.org/docs/9.6/static/sql-grant.html
+    #        r -- SELECT ("read")
+    #        w -- UPDATE ("write")
+    #        a -- INSERT ("append")
+    #        d -- DELETE
+    #        D -- TRUNCATE
+    #        x -- REFERENCES
+    #        t -- TRIGGER
+    #        X -- EXECUTE
+    #        U -- USAGE
+    #        C -- CREATE
+    #        c -- CONNECT
+    #        T -- TEMPORARY
+    #  arwdDxt -- ALL PRIVILEGES (for tables, varies for other objects)
+    #        * -- grant option for preceding privilege
+    #
+    #    /yyyy -- role that granted this privilege
+
+    class Table < Base
+      ALL = 'arwdDxt'
+      SELECT = 'r'
+      UPDATE = 'W'
+      INSERT = 'a'
+      DELETE = 'd'
+      TRUNCATE = 'D'
+      REFERENCES = 'x'
+      TRIGGER = 't'
+      EXECUTE = 'X'
+    end
+
+    class Schema < Base
+      ALL = 'UC'
+      USAGE = 'U'
+      CREATE = 'C'
+    end
+
+    class Database < Base
+      ALL = 'CTc'
+      CREATE = 'C'
+      CONNECT = 'c'
+      TEMPORARY = 'T'
+    end
+  end
+end

data/lib/forty/rake/task.rb

@@ -0,0 +1,23 @@
+require 'rake'
+require_relative '../../forty'
+
+module Forty
+  module Rake
+    class Task
+      include ::Rake::DSL if defined? ::Rake::DSL
+
+      def install_tasks
+        namespace :acl do
+          namespace :sync do
+            desc 'syncs entire acl config with database'
+            task :all, [:disable_dry_run] do
+              Forty.sync
+            end
+          end
+        end
+      end
+    end
+  end
+end
+
+Forty::Rake::Task.new.install_tasks

data/lib/forty/sync.rb

@@ -1,6 +1,7 @@
 # require_relative 'configuration'
 
 module Forty
+
   def self.sync
     Forty::Sync.new(
       Forty.configuration.logger,
@@ -19,6 +20,8 @@ module Forty
       @logger = logger or raise Error, 'No logger provided'
       @master_username = master_username or raise Error, 'No master username provided'
       @production_schemas = production_schemas or raise Error, 'No production schemas provided'
+      @system_groups = ["pg_signal_backend"]
+      @system_users = ["postgres"]
       @acl_config = acl_config or raise Error, 'No acl config provided'
       @acl_config['users'] ||= {}
       @acl_config['groups'] ||= {}
@@ -30,6 +33,7 @@ module Forty
     end
 
     def run
+      banner()
       sync_users()
       sync_groups()
       sync_user_groups()
@@ -37,13 +41,39 @@ module Forty
       sync_acl()
     end
 
+    def banner
+      @logger.info(<<-BANNER)
+Starting sync...
+    ____           __       
+   / __/___  _____/ /___  __
+  / /_/ __ \\/ ___/ __/ / / /
+ / __/ /_/ / /  / /_/ /_/ /
+/_/  \\____/_/   \\__/\\__, /  Database ACL Sync
+                   /____/   v0.2.0
+
+===============================================================================
+
+Running in #{@dry_run ? 'DRY-MODE (not enforcing state)' : 'PRODUCTION-MODE (enforcing state)'}
+
+Configuration:
+    Master user:    #{@master_username}
+    Synced schemas: #{@production_schemas.join(', ')}
+    System users:   #{@system_users.join(', ')}
+    System groups:  #{@system_groups.join(', ')}
+
+===============================================================================
+BANNER
+    end
+
     def sync_users
       current_users = _get_current_dwh_users.keys
       defined_users = @acl_config['users'].keys
 
-      undefined_users = (current_users - defined_users).uniq.compact
+      undefined_users = (current_users - defined_users - @system_users).uniq.compact
       missing_users = (defined_users - current_users).uniq.compact
 
+      @logger.debug("Undefined users: #{undefined_users}")
+      @logger.debug("Missing users: #{missing_users}")
       undefined_users.each { |user| _delete_user(user) }
 
       missing_users.each do |user|
@@ -61,7 +91,7 @@ module Forty
       current_groups = _get_current_dwh_groups().keys
       defined_groups = @acl_config['groups'].keys
 
-      undefined_groups = (current_groups - defined_groups).uniq.compact
+      undefined_groups = (current_groups - defined_groups - @system_groups).uniq.compact
       missing_groups = (defined_groups - current_groups).uniq.compact
 
       undefined_groups.each { |group| _delete_group(group) }
@@ -108,8 +138,8 @@ module Forty
         unless schemas_owned_by_user.empty?
           tables_owned_by_user = _get_currently_owned_tables(user)
           schemas_owned_by_user.each do |schema|
-            @executor.dwh("set search_path=#{schema}")
-            tables = @executor.dwh("select tablename from pg_tables where schemaname='#{schema}'").map { |row| "#{schema}.#{row['tablename']}" }
+            @executor.execute("set search_path=#{schema}")
+            tables = @executor.execute("select tablename from pg_tables where schemaname='#{schema}'").map { |row| "#{schema}.#{row['tablename']}" }
             nonowned_tables_by_user = tables.uniq - tables_owned_by_user
             nonowned_tables_by_user.each { |table| _execute_statement("alter table #{table} owner to #{user};") }
           end
@@ -126,7 +156,7 @@ module Forty
       diverged = 0
 
       users.each do |user|
-        next if user.eql?(@master_username)
+        next if user.eql?(@master_username) or @system_users.include?(user)
 
         raise Error, "Users are not in sync #{user}" if current_user_roles[user].nil? or defined_user_roles[user].nil?
 
@@ -206,7 +236,7 @@ module Forty
     end
 
     def _get_current_user_roles
-      Hash[@executor.dwh(<<-SQL).map { |row| [row['usename'], row['user_roles'].split(',').select { |e| not e.empty? }.compact] }]
+      Hash[@executor.execute(<<-SQL).map { |row| [row['usename'], row['user_roles'].split(',').select { |e| not e.empty? }.compact] }]
           select
               usename
             , case when usecreatedb is true then 'createdb' else '' end
@@ -221,11 +251,13 @@ module Forty
     end
 
     def _check_group_unknown(current_groups, defined_groups)
-      raise Error, 'Groups are out of sync!' if _mismatch?(current_groups, defined_groups)
+      @logger.debug("Check whether groups are in sync. Current: #{current_groups}; Defined: #{defined_groups}; System: #{@system_groups}")
+      raise Error, 'Groups are out of sync!' if _mismatch?(current_groups - @system_groups, defined_groups)
     end
 
     def _check_user_unknown(current_users, defined_users)
-      raise Error, 'Users are out of sync!' if _mismatch?(current_users, defined_users)
+      @logger.debug("Check whether users are in sync. Current: #{current_users}; Defined: #{defined_users}; System: #{@system_users}")
+      raise Error, 'Users are out of sync!' if _mismatch?(current_users - @system_users, defined_users)
     end
 
     def _mismatch?(current, defined)
@@ -243,7 +275,7 @@ module Forty
           @logger.info("Retrying to execute statement in #{attempts*10} seconds...") if attempts > 0
           sleep (attempts*10)
           attempts += 1
-          @executor.dwh(statement)
+          @executor.execute(statement)
         rescue PG::UndefinedTable => e
           @logger.error("#{e.class}: #{e.message}" )
           retry unless attempts > 3
@@ -353,7 +385,7 @@ module Forty
         ;
       SQL
 
-      raw_dwh_users = @executor.dwh(query)
+      raw_dwh_users = @executor.execute(query)
 
       Hash[raw_dwh_users.map do |row|
         name = row['name']
@@ -375,7 +407,7 @@ module Forty
         from pg_group
         ;
       SQL
-      raw_dwh_groups = @executor.dwh(query)
+      raw_dwh_groups = @executor.execute(query)
 
       Hash[raw_dwh_groups.map do |row|
         name = row['name']
@@ -398,7 +430,7 @@ module Forty
         ;
       SQL
 
-      raw_schema_acl = @executor.dwh(query)
+      raw_schema_acl = @executor.execute(query)
       _parse_current_acl('schema', raw_schema_acl)
     end
 
@@ -414,7 +446,7 @@ module Forty
         ;
       SQL
 
-      raw_database_acl = @executor.dwh(query)
+      raw_database_acl = @executor.execute(query)
       _parse_current_acl('database', raw_database_acl)
     end
 
@@ -437,7 +469,7 @@ module Forty
         ;
       SQL
 
-      raw_table_acl = @executor.dwh(query)
+      raw_table_acl = @executor.execute(query)
       _parse_current_acl('table', raw_table_acl)
     end
 
@@ -459,7 +491,7 @@ module Forty
         .compact
 
       if grantees.any? { |grantee| !known_grantees.include?(grantee) }
-        raise Error, 'Users or groups not in sync!'
+        raise Error, "Users or groups not in sync! Could not find #{grantees.select { |grantee| !known_grantees.include?(grantee) }.join(', ')}"
       end
 
       grantees.each do |grantee|
@@ -613,14 +645,14 @@ module Forty
 
                 if schema.eql?('*')
                   @production_schemas.each do |prod_schema|
-                    tables = @executor.dwh(<<-SQL).map { |row| "#{prod_schema}.#{row['tablename']}" }
+                    tables = @executor.execute(<<-SQL).map { |row| "#{prod_schema}.#{row['tablename']}" }
                       select tablename from pg_tables where schemaname='#{prod_schema}'
                     SQL
 
                     tables_to_grant_privileges_on.concat(tables)
                   end
                 else
-                  tables_to_grant_privileges_on = @executor.dwh(<<-SQL).map { |row| "#{schema}.#{row['tablename']}" }
+                  tables_to_grant_privileges_on = @executor.execute(<<-SQL).map { |row| "#{schema}.#{row['tablename']}" }
                     select tablename from pg_tables where schemaname='#{schema}'
                   SQL
                 end
@@ -651,9 +683,14 @@ module Forty
       parsed_acls = {}
       raw_acl.each do |row|
         name = row['name']
+        @logger.debug("Current ACL: [#{identifier_type}] '#{name}': #{row['acls']}")
         parsed_acl = _parse_current_permissions(identifier_type, row['acls'])
         parsed_acl.each do |grantee, privileges|
           unless grantee.empty?
+            if _get_current_dwh_groups().keys.include?(grantee)
+              @logger.debug("Grantee '#{grantee}' has been identified as a group")
+              grantee = "group #{grantee}"
+            end
             parsed_acls[grantee] ||= {}
             parsed_acls[grantee][name] ||= []
             parsed_acls[grantee][name].concat(privileges)
@@ -667,7 +704,7 @@ module Forty
       # http://www.postgresql.org/docs/8.1/static/sql-grant.html
       # Typical ACL string:
       #
-      #     admin=arwdRxt/admin,jimdo=r/admin,"group selfservice=r/admin"
+      #     admin=arwdRxt/admin,someone=r/admin,"group selfservice=r/admin"
       #
       #                =xxxx -- privileges granted to PUBLIC
       #           uname=xxxx -- privileges granted to a user
@@ -708,7 +745,7 @@ module Forty
         where pg_user.usename = '#{user}'
         ;
       SQL
-      @executor.dwh(query).map { |row| row['schemaname'] }
+      @executor.execute(query).map { |row| row['schemaname'] }
     end
 
     def _get_currently_owned_tables(user)
@@ -718,7 +755,7 @@ module Forty
         where tableowner = '#{user}'
         ;
       SQL
-      @executor.dwh(query).map { |row| row['tablename'] }
+      @executor.execute(query).map { |row| row['tablename'] }
     end
   end
 end

metadata

@@ -1,15 +1,115 @@
 --- !ruby/object:Gem::Specification
 name: forty
 version: !ruby/object:Gem::Version
-  version: 0.1.0
+  version: 0.2.0
 platform: ruby
 authors:
 - Stefanie Grunwald
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2016-07-25 00:00:00.000000000 Z
-dependencies: []
+date: 2017-04-03 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: pg
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0.16'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '1.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0.16'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '1.0'
+- !ruby/object:Gem::Dependency
+  name: cucumber
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '2.0'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '2.0'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '10.1'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '12.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '10.1'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '12.0'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '3.1'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '4.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '3.1'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '4.0'
+- !ruby/object:Gem::Dependency
+  name: rspec-collection_matchers
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 1.1.2
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 1.1.2
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '2.0'
 description: 
 email: steffi@physics.org
 executables: []
@@ -20,8 +120,8 @@ files:
 - lib/forty/acl.rb
 - lib/forty/configuration.rb
 - lib/forty/database.rb
-- lib/forty/dbms.rb
-- lib/forty/redshift/privilege.rb
+- lib/forty/privilege.rb
+- lib/forty/rake/task.rb
 - lib/forty/sync.rb
 homepage: https://github.com/moertel/forty
 licenses:

data/lib/forty/dbms.rb

@@ -1 +0,0 @@
-require_relative 'redshift/privilege'

data/lib/forty/redshift/privilege.rb

@@ -1,49 +0,0 @@
-module Forty
-  module Redshift
-    module Privilege
-      class Base
-        PRIVILEGES = self.constants.map { |const| self.const_get(const) }
-
-        def self.get_privilege_name_by_acronym(acronym)
-          privilege = self.constants.select do |constant|
-            self.const_get(constant).eql?(acronym)
-          end[0]
-          privilege.nil? ? nil : privilege.to_s.downcase
-        end
-
-        def self.parse_privileges_from_string(privileges_string)
-          privileges = []
-          self.constants.each do |constant|
-            acronym = self.const_get(constant)
-            unless privileges_string.slice!(acronym).nil?
-              privileges << self.get_privilege_name_by_acronym(acronym)
-            end
-            break if privileges_string.empty?
-          end
-          privileges
-        end
-      end
-
-      class Table < Base
-        ALL = 'arwdRxt'
-        SELECT = 'r'
-        UPDATE = 'w'
-        INSERT = 'a'
-        DELETE = 'd'
-        REFERENCES = 'x'
-      end
-
-      class Schema < Base
-        ALL = 'UC'
-        USAGE = 'U'
-        CREATE = 'C'
-      end
-
-      class Database < Base
-        ALL = 'CT'
-        CREATE = 'C'
-        TEMPORARY = 'T'
-      end
-    end
-  end
-end