grantinee 0.3.1

data/lib/grantinee/engine/abstract_engine.rb

@@ -0,0 +1,48 @@
+# frozen_string_literal: true
+
+module Grantinee
+  module Engine
+    class AbstractEngine
+      NOT_IMPLEMENTED = "Not implemented".freeze
+
+      def logger
+        Grantinee.logger
+      end
+
+      def initialize
+        raise NOT_IMPLEMENTED
+      end
+
+      def flush_permissions!
+        raise NOT_IMPLEMENTED
+      end
+
+      def revoke_permissions!(_data)
+        raise NOT_IMPLEMENTED
+      end
+
+      def grant_permission!(_data)
+        raise NOT_IMPLEMENTED
+      end
+
+      def run!(_query, _data = {})
+        raise NOT_IMPLEMENTED
+      end
+
+      # Sanitize one value piece
+      def sanitize_value(_value)
+        raise NOT_IMPLEMENTED
+      end
+
+      # Sanitize column name
+      def sanitize_column_name(_name)
+        raise NOT_IMPLEMENTED
+      end
+
+      # Sanitize table name
+      def sanitize_table_name(_name)
+        raise NOT_IMPLEMENTED
+      end
+    end
+  end
+end

data/lib/grantinee/engine/mysql.rb

@@ -0,0 +1,87 @@
+# frozen_string_literal: true
+
+gem 'mysql2', '>= 0.4.4', '< 0.6.0'
+require 'mysql2'
+
+module Grantinee
+  module Engine
+    class Mysql < AbstractEngine
+      def initialize
+        configuration = Grantinee.configuration
+
+        @connection = Mysql2::Client.new(
+          username: configuration.username,
+          password: configuration.password,
+          host:     configuration.hostname,
+          port:     configuration.port,
+          database: configuration.database
+        )
+      end
+
+      def flush_permissions!
+        query = "FLUSH PRIVILEGES;"
+
+        run! query
+      end
+
+      def revoke_permissions!(data)
+        database = sanitize_column_name(data[:database])
+        user     = sanitize_value(data[:user])
+        host     = sanitize_value(data[:host])
+
+        query = "REVOKE ALL PRIVILEGES ON #{database}.* FROM '#{user}'@'#{host}';"
+        run! query, data
+      end
+
+      def grant_permission!(data) # rubocop:disable Metrics/AbcSize
+        raise "Invalid permission kind" unless WHITELISTED_KINDS.include?(data[:kind])
+
+        database = sanitize_column_name(data[:database])
+        kind     = data[:kind]
+        table    = sanitize_table_name(data[:table])
+        user     = sanitize_value(data[:user])
+        host     = sanitize_value(data[:host])
+        fields   = data[:fields].map { |v| sanitize_column_name(v.to_s) }.join(', ')
+
+        query = if data[:fields].empty?
+                  "GRANT #{kind} ON #{database}.#{table} TO '#{user}'@'#{host}';"
+                else
+                  "GRANT #{kind}(#{fields}) ON #{database}.#{table} TO '#{user}'@'#{host}';"
+                end
+        run! query, data
+      end
+
+      private
+
+      def sanitize_value(value)
+        @connection.escape value
+      end
+
+      def sanitize_column_name(name)
+        "`#{name.to_s.gsub('`', '``')}`"
+      end
+
+      def sanitize_table_name(name)
+        sanitize_column_name(name).gsub('.', '`.`')
+      end
+
+      def run!(query, data = {})
+        logger.info query
+
+        begin
+          @connection.query query
+        rescue ::Mysql2::Error => e
+          case e.error_number
+          when 1141, 1269 # Can't revoke all privileges for one or more of the requested users
+            logger.debug format("User %{user}@%{host} doesn't have any grants yet", data)
+          when 1133 # Can't find any matching row in the user table
+            logger.fatal format("User %{user}@%{host} doesn't exist yet, create it with \"CREATE USER '%{user}'@'%{host}';\" first", data) # rubocop:disable Metrics/LineLength
+          else
+            logger.debug e.error_number
+            raise e
+          end
+        end
+      end
+    end
+  end
+end

data/lib/grantinee/engine/postgresql.rb

@@ -0,0 +1,80 @@
+# frozen_string_literal: true
+
+gem 'pg', '>= 0.18', '< 2.0'
+require 'pg'
+
+module Grantinee
+  module Engine
+    class Postgresql < AbstractEngine
+      def initialize
+        configuration = Grantinee.configuration
+
+        @connection = PG::Connection.open(
+          user:     configuration.username,
+          password: configuration.password,
+          host:     configuration.hostname,
+          port:     configuration.port,
+          dbname:   configuration.database
+        )
+      end
+
+      def flush_permissions!
+        # Postgres doesn't need to flush privileges
+      end
+
+      def revoke_permissions!(data)
+        database = sanitize_column_name(data[:database])
+        user     = sanitize_column_name(data[:database])
+
+        query = "REVOKE ALL PRIVILEGES ON DATABASE #{database} FROM #{user};"
+        run! query, data
+      end
+
+      def grant_permission!(data)
+        raise "Invalid permission kind" unless WHITELISTED_KINDS.include?(data[:kind])
+
+        kind   = data[:kind]
+        table  = sanitize_table_name(data[:table])
+        user   = sanitize_column_name(data[:user])
+        fields = data[:fields].map { |v| sanitize_column_name(v.to_s) }.join(', ')
+
+        query = if data[:fields].empty?
+                  "GRANT #{kind} ON #{table} TO #{user};"
+                else
+                  "GRANT #{kind}(#{fields}) ON TABLE #{table} TO #{user};"
+                end
+        run! query, data
+      end
+
+      private
+
+      def sanitize_value(value)
+        @connection.escape_string value.to_s
+      end
+
+      def sanitize_column_name(name)
+        @connection.quote_ident name.to_s
+      end
+
+      def sanitize_table_name(name)
+        @connection.quote_ident name.to_s
+      end
+
+      def run!(query, data = {})
+        logger.info query
+
+        begin
+          @connection.exec query
+        rescue PG::Error => e
+          case e
+          when PG::UndefinedObject
+            logger.fatal format("User %{user}@%{host} doesn't exist yet, create it with \"CREATE ROLE %{user};\" first", data) # rubocop:disable Metrics/LineLength
+          else
+            logger.debug e.class
+            raise e
+          end
+        end
+      end
+    end
+  end
+end

data/lib/grantinee/executor.rb

@@ -0,0 +1,34 @@
+# frozen_string_literal: true
+
+module Grantinee
+  class Executor
+    def initialize(dsl, engine = Executor.default_engine)
+      @dsl    = dsl
+      @engine = engine
+    end
+
+    def run!
+      revoke_permissions
+      grant_permissions
+      flush_permissions
+    end
+
+    def self.default_engine
+      Grantinee::Engine.for(Grantinee.configuration.engine)
+    end
+
+    private
+
+    def revoke_permissions
+      @dsl.permissions.each { |data| @engine.revoke_permissions!(data) }
+    end
+
+    def grant_permissions
+      @dsl.permissions.each { |data| @engine.grant_permission!(data) }
+    end
+
+    def flush_permissions
+      @engine.flush_permissions!
+    end
+  end
+end

data/lib/grantinee/version.rb

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+module Grantinee
+  VERSION = '0.3.1'.freeze
+end

metadata

@@ -0,0 +1,161 @@
+--- !ruby/object:Gem::Specification
+name: grantinee
+version: !ruby/object:Gem::Version
+  version: 0.3.1
+platform: ruby
+authors:
+- Paweł Komarnicki
+autorequire: 
+bindir: exe
+cert_chain: []
+date: 2018-06-25 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.16'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.16'
+- !ruby/object:Gem::Dependency
+  name: byebug
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: method_source
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+- !ruby/object:Gem::Dependency
+  name: rubocop
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+description: A Ruby library to manage your database permissions for MySQL and PostgreSQL.
+  Supports per-table, and per-column permissions for granular access and security.
+email:
+- pawel@blinkist.com
+executables:
+- grantinee
+extensions: []
+extra_rdoc_files: []
+files:
+- ".circleci/config.yml"
+- ".circleci/setup-rubygems.sh"
+- ".gitignore"
+- ".rspec"
+- ".rubocop.yml"
+- ".travis.yml"
+- CODE_OF_CONDUCT.md
+- Dockerfile
+- Gemfile
+- Gemfile.lock
+- Grantinee
+- LICENSE.txt
+- README.md
+- Rakefile
+- bin/console
+- bin/setup
+- config/grantinee.rb
+- docker-compose.yml
+- exe/grantinee
+- grantinee.gemspec
+- lib/grantinee.rb
+- lib/grantinee/cli.rb
+- lib/grantinee/configuration.rb
+- lib/grantinee/dsl.rb
+- lib/grantinee/engine.rb
+- lib/grantinee/engine/abstract_engine.rb
+- lib/grantinee/engine/mysql.rb
+- lib/grantinee/engine/postgresql.rb
+- lib/grantinee/executor.rb
+- lib/grantinee/version.rb
+homepage: https://github.com/blinkist/grantinee
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.5.2.2
+signing_key: 
+specification_version: 4
+summary: '"Your permissions, freshly baked!" | A library to manage your database permissions
+  for MySQL and Postgres'
+test_files: []