gratan 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 1a970e74897bbcae2cf33d36cecf6b94950b7a55
+  data.tar.gz: fd04cfd92a0f5fa94c98aca24fc592dc53fc38ac
+SHA512:
+  metadata.gz: 9b5b1868f6322b38a90bc7fb771f947e090c60d9a63c6519ec5a9e66e4e07f832b495200b00091ef366949524e16bbf207251c9a21794dde729ca1104d5816fc
+  data.tar.gz: 621bf66ba1e3709a247b23bc648029b858f8be33c5e278763c91dda34274c68fe4959638e3cfdcb85c5625a378a4530d3bcc7ec2b2a8e4f97a807f835e3c83f6

data/.gitignore

@@ -0,0 +1,17 @@
+/.bundle/
+/.yardoc
+/Gemfile.lock
+/_yardoc/
+/coverage/
+/doc/
+/pkg/
+/spec/reports/
+/tmp/
+*.bundle
+*.so
+*.o
+*.a
+mkmf.log
+test.rb
+Grantfile
+*.grant

data/.rspec

@@ -0,0 +1,2 @@
+--colour
+--require spec_helper

data/.travis.yml

@@ -0,0 +1,6 @@
+language: ruby
+rvm:
+  - 2.0.0
+script:
+  - bundle install
+  - bundle exec rake

data/Gemfile

@@ -0,0 +1,4 @@
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in gratan.gemspec
+gemspec

data/LICENSE.txt

@@ -0,0 +1,22 @@
+Copyright (c) 2014 Genki Sugawara
+
+MIT License
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,86 @@
+# Gratan
+
+Gratan is a tool to manage MySQL permissions.
+
+It defines the state of MySQL permissions using Ruby DSL, and updates permissions according to DSL.
+
+[![Gem Version](https://badge.fury.io/rb/gratan.png)](http://badge.fury.io/rb/gratan)
+[![Build Status](https://travis-ci.org/winebarrel/gratan.svg?branch=master)](https://travis-ci.org/winebarrel/gratan)
+[![Coverage Status](https://coveralls.io/repos/winebarrel/gratan/badge.png?branch=master)](https://coveralls.io/r/winebarrel/gratan?branch=master)
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+```ruby
+gem 'gratan'
+```
+
+And then execute:
+
+    $ bundle
+
+Or install it yourself as:
+
+    $ gem install gratan
+
+## Usage
+
+```sh
+gratan -e -o Grantfile
+vi Grantfile
+gratan -a --dry-run
+gratan -a
+```
+
+## Help
+
+```sh
+Usage: gratan [options]
+        --host HOST
+        --port PORT
+        --socket SOCKET
+        --username USERNAME
+        --password PASSWORD
+        --database DATABASE
+    -a, --apply
+    -f, --file FILE
+        --dry-run
+    -e, --export
+        --with-identifier
+        --enable-expired
+        --split
+    -o, --output FILE
+        --ignore-user REGEXP
+        --no-color
+        --debug
+        --auto-identify OUTPUT
+        --csv-identify CSV
+    -h, --help
+```
+
+## Grantfile example
+
+```ruby
+require 'other/grantfile'
+
+user "scott", "%" do
+  on "*.*" do
+    grant "USAGE"
+  end
+
+  on "test.*" do
+    grant "SELECT"
+  end
+end
+
+user "scott", "localhost", expired: '2014/10/10' do
+  on "*.*" do
+    grant "USAGE"
+  end
+
+  on "test.*" do
+    grant "SELECT"
+  end
+end
+```

data/Rakefile

@@ -0,0 +1,5 @@
+require 'bundler/gem_tasks'
+require 'rspec/core/rake_task'
+
+RSpec::Core::RakeTask.new('spec')
+task :default => :spec

data/bin/gratan

@@ -0,0 +1,132 @@
+#!/usr/bin/env ruby
+$: << File.expand_path("#{File.dirname __FILE__}/../lib")
+require 'rubygems'
+require 'gratan'
+require 'optparse'
+require 'json'
+
+Version = Gratan::VERSION
+DEFAULT_FILENAME = 'Grantfile'
+
+mode = nil
+file = DEFAULT_FILENAME
+output_file = '-'
+split = false
+
+mysql_options = {
+  :host     => 'localhost',
+  :username => 'root',
+}
+
+options = {
+  :dry_run    => false,
+  :color      => true,
+  :debug      => false,
+}
+
+ARGV.options do |opt|
+  begin
+    opt.on(''  , '--host HOST')          {|v| mysql_options[:host]      = v             }
+    opt.on(''  , '--port PORT', Integer) {|v| mysql_options[:port]      = v             }
+    opt.on(''  , '--socket SOCKET')      {|v| mysql_options[:socket]    = v             }
+    opt.on(''  , '--username USERNAME')  {|v| mysql_options[:username]  = v             }
+    opt.on(''  , '--password PASSWORD')  {|v| mysql_options[:password]  = v             }
+    opt.on(''  , '--database DATABASE')  {|v| mysql_options[:database]  = v             }
+    opt.on('-a', '--apply')              {    mode                      = :apply        }
+    opt.on('-f', '--file FILE')          {|v| file                      = v             }
+    opt.on(''  , '--dry-run')            {    options[:dry_run]         = true          }
+    opt.on('-e', '--export')             {    mode                      = :export       }
+    opt.on(''  , '--with-identifier')    {    options[:with_identifier] = true          }
+    opt.on(''  , '--enable-expired')     {    options[:enable_expired]  = true          }
+    opt.on(''  , '--split')              {    split                     = true          }
+    opt.on('-o', '--output FILE')        {|v| output_file               = v             }
+    opt.on(''  , '--ignore-user REGEXP') {|v| options[:ignore_user]     = Regexp.new(v) }
+    opt.on(''  , '--no-color')           {    options[:color]           = false         }
+    opt.on(''  , '--debug')              {    options[:debug]           = true          }
+
+    opt.on(''  , '--auto-identify OUTPUT') {|v| options[:identifier] = Gratan::Identifier::Auto.new(v, options) }
+    opt.on(''  , '--csv-identify CSV')     {|v| options[:identifier] = Gratan::Identifier::CSV.new(v, options)  }
+
+    opt.on('-h', '--help') do
+      puts opt.help
+      exit 1
+    end
+
+    opt.parse!
+
+    unless mode
+      puts opt.help
+      exit 1
+    end
+  rescue => e
+    $stderr.puts("[ERROR] #{e.message}")
+    exit 1
+  end
+end
+
+options.update(mysql_options)
+String.colorize = options[:color]
+
+begin
+  logger = Gratan::Logger.instance
+  logger.set_debug(options[:debug])
+  client = Gratan::Client.new(options)
+
+  case mode
+  when :export
+    if split
+      logger.info('Export Grants')
+      output_file = DEFAULT_FILENAME if output_file == '-'
+      requires = []
+
+      client.export do |user, dsl|
+        grant_file = File.join(File.dirname(output_file), "#{user}.grant")
+        requires << grant_file
+        logger.info("  write `#{grant_file}`")
+
+        open(grant_file, 'wb') do |f|
+          f.puts dsl
+        end
+      end
+
+      logger.info("  write `#{output_file}`")
+
+      open(output_file, 'wb') do |f|
+        requires.each do |grant_file|
+          f.puts "require '#{File.basename grant_file}'"
+        end
+      end
+    else
+      if output_file == '-'
+        logger.info('# Export Grants')
+        puts client.export(options)
+      else
+        logger.info("Export Grants to `#{output_file}`")
+        open(output_file, 'wb') {|f| f.puts client.export(options) }
+      end
+    end
+  when :apply
+    unless File.exist?(file)
+      raise "No Grantfile found (looking for: #{file})"
+    end
+
+    mysql_info = mysql_options.dup
+    mysql_info.delete(:password)
+    mysql_info = JSON.dump(mysql_info)
+
+    msg = "Apply `#{file}` to #{mysql_info}"
+    msg << ' (dry-run)' if options[:dry_run]
+    logger.info(msg)
+
+    updated = client.apply(file)
+
+    logger.info('No change'.intense_blue) unless updated
+  end
+rescue => e
+  if options[:debug]
+    raise e
+  else
+    $stderr.puts("[ERROR] #{e.message}".red)
+    exit 1
+  end
+end

data/gratan.gemspec

@@ -0,0 +1,28 @@
+# coding: utf-8
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'gratan/version'
+
+Gem::Specification.new do |spec|
+  spec.name          = 'gratan'
+  spec.version       = Gratan::VERSION
+  spec.authors       = ['Genki Sugawara']
+  spec.email         = ['sgwr_dts@yahoo.co.jp']
+  spec.summary       = %q{Gratan is a tool to manage MySQL permissions using Ruby DSL.}
+  spec.description   = %q{Gratan is a tool to manage MySQL permissions using Ruby DSL.}
+  spec.homepage      = 'https://github.com/winebarrel/gratan'
+  spec.license       = 'MIT'
+
+  spec.files         = `git ls-files -z`.split("\x0")
+  spec.executables   = spec.files.grep(%r{^bin/}) { |f| File.basename(f) }
+  spec.test_files    = spec.files.grep(%r{^(test|spec|features)/})
+  spec.require_paths = ['lib']
+
+  spec.add_dependency 'mysql2'
+  spec.add_dependency "term-ansicolor"
+  spec.add_development_dependency 'bundler'
+  spec.add_development_dependency 'rake', '~> 10.0'
+  spec.add_development_dependency 'rspec', '>= 3.0.0'
+  spec.add_development_dependency 'timecop'
+  spec.add_development_dependency 'coveralls'
+end

data/lib/gratan/client.rb

@@ -0,0 +1,211 @@
+class Gratan::Client
+  def initialize(options = {})
+    @options = options
+    @options[:identifier] ||= Gratan::Identifier::Null.new
+    client = Mysql2::Client.new(options)
+    @driver = Gratan::Driver.new(client, options)
+  end
+
+  def export(options = {})
+    options = @options.merge(options)
+    exported = Gratan::Exporter.export(@driver, options)
+
+    if block_given?
+      exported.sort_by {|user_host, attrs|
+        user_host
+      }.chunk {|user_host, attrs|
+        user_host[0].empty? ? 'root' : user_host[0]
+      }.each {|user, grants|
+        h = {}
+        grants.each {|k, v| h[k] = v }
+        dsl = Gratan::DSL.convert(h, options)
+        yield(user, dsl)
+      }
+    else
+      exported = Gratan::Exporter.export(@driver, options)
+      Gratan::DSL.convert(exported, options)
+    end
+  end
+
+  def apply(file, options = {})
+    options = @options.merge(options)
+
+    in_progress do
+      walk(file, options)
+    end
+  end
+
+  private
+
+  def walk(file, options)
+    expected = load_file(file, options)
+    actual = Gratan::Exporter.export(@driver, options.merge(:with_identifier => true))
+
+    expected.each do |user_host, expected_attrs|
+      next if user_host[0] =~ options[:ignore_user]
+      actual_attrs = actual.delete(user_host)
+
+      if actual_attrs
+        walk_user(*user_host, expected_attrs, actual_attrs)
+      else
+        create_user(*user_host, expected_attrs)
+      end
+    end
+
+    actual.each do |user_host, attrs|
+      next if user_host[0] =~ options[:ignore_user]
+      drop_user(*user_host)
+    end
+  end
+
+  def create_user(user, host, attrs)
+    attrs[:options] ||= {}
+
+    unless attrs.has_key?(:identified)
+      identified = @options[:identifier].identify(user, host)
+      attrs[:options][:identified] = identified if identified
+    end
+
+    @driver.create_user(user, host, attrs)
+    update!
+  end
+
+  def drop_user(user, host)
+    @driver.drop_user(user, host)
+    update!
+  end
+
+  def walk_user(user, host, expected_attrs, actual_attrs)
+    walk_options(user, host, expected_attrs[:options], actual_attrs[:options])
+    walk_objects(user, host, expected_attrs[:objects], actual_attrs[:objects])
+  end
+
+  def walk_options(user, host, expected_options, actual_options)
+    if expected_options.has_key?(:identified)
+      walk_identified(user, host, expected_options[:identified], actual_options[:identified])
+    end
+
+    walk_required(user, host, expected_options[:required], actual_options[:required])
+  end
+
+  def walk_identified(user, host, expected_identified, actual_identified)
+    if expected_identified != actual_identified
+      @driver.identify(user, host, expected_identified)
+      update!
+    end
+  end
+
+  def walk_required(user, host, expected_required, actual_required)
+    if expected_required != actual_required
+      @driver.set_require(user, host, expected_required)
+      update!
+    end
+  end
+
+  def walk_objects(user, host, expected_objects, actual_objects)
+    expected_objects.each do |object, expected_options|
+      expected_options ||= {}
+      actual_options = actual_objects.delete(object)
+
+      if actual_options
+        walk_object(user, host, object, expected_options, actual_options)
+      else
+        @driver.grant(user, host, object, expected_options)
+        update!
+      end
+    end
+
+    actual_objects.each do |object, options|
+      options ||= {}
+      @driver.revoke(user, host, object, options)
+      update!
+    end
+  end
+
+  def walk_object(user, host, object, expected_options, actual_options)
+    walk_with_option(user, host, object, expected_options[:with], actual_options[:with])
+    walk_privs(user, host, object, expected_options[:privs], actual_options[:privs])
+  end
+
+  def walk_with_option(user, host, object, expected_with_option, actual_with_option)
+    expected_with_option = (expected_with_option || '').upcase
+    actual_with_option = (actual_with_option || '').upcase
+
+    if expected_with_option != actual_with_option
+      @driver.update_with_option(user, host, object, expected_with_option)
+      update!
+    end
+  end
+
+  def walk_privs(user, host, object, expected_privs, actual_privs)
+    expected_privs = normalize_privs(expected_privs)
+    actual_privs = normalize_privs(actual_privs)
+
+    revoke_privs = actual_privs - expected_privs
+    grant_privs = expected_privs - actual_privs
+
+    unless revoke_privs.empty?
+      if revoke_privs.length == 1 and revoke_privs[0] == 'USAGE' and not grant_privs.empty?
+        # nothing to do
+      else
+        @driver.revoke(user, host, object, :privs => revoke_privs)
+        update!
+      end
+    end
+
+    unless grant_privs.empty?
+      @driver.grant(user, host, object, :privs => grant_privs)
+      update!
+    end
+  end
+
+  def normalize_privs(privs)
+    privs.map do |priv|
+      priv = priv.split('(', 2)
+      priv[0].upcase!
+
+      if priv[1]
+        priv[1] = priv[1].split(',').map {|i| i.gsub(')', '').strip }.sort.join(', ')
+        priv[1] << ')'
+      end
+
+      priv = priv.join('(')
+
+      if priv == 'ALL'
+        priv = 'ALL PRIVILEGES'
+      end
+
+      priv
+    end
+  end
+
+  def load_file(file, options)
+    if file.kind_of?(String)
+      open(file) do |f|
+        Gratan::DSL.parse(f.read, file, options)
+      end
+    elsif file.respond_to?(:read)
+      Gratan::DSL.parse(file.read, file.path, options)
+    else
+      raise TypeError, "can't convert #{file} into File"
+    end
+  end
+
+  def in_progress
+    updated = false
+
+    begin
+      @updated = false
+      yield
+      updated = @updated
+    ensure
+      @updated = nil
+    end
+
+    updated
+  end
+
+  def update!
+    @updated = true unless @options[:dry_run]
+  end
+end

data/lib/gratan/driver.rb

@@ -0,0 +1,166 @@
+class Gratan::Driver
+  include Gratan::Logger::Helper
+
+  def initialize(client, options = {})
+    @client = client
+    @options = options
+  end
+
+  def each_user
+    read('SELECT user, host FROM mysql.user').each do |row|
+      yield(row['user'], row['host'])
+    end
+  end
+
+  def show_grants(user, host)
+    read("SHOW GRANTS FOR #{quote_user(user, host)}").each do |row|
+      yield(row.values.first)
+    end
+  end
+
+  def create_user(user, host, options = {})
+    objects = options[:objects]
+    grant_options = options[:options]
+
+    objects.each do |object, object_options|
+      grant(user, host, object, grant_options.merge(object_options))
+    end
+  end
+
+  def drop_user(user, host)
+    sql = "DROP USER #{quote_user(user, host)}"
+    delete(sql)
+  end
+
+  def grant(user, host, object, options)
+    privs = options.fetch(:privs)
+    identified = options[:identified]
+    required = options[:required]
+    with_option = options[:with]
+
+    sql = 'GRANT %s ON %s TO %s' % [
+      privs.join(', '),
+      quote_object(object),
+      quote_user(user, host),
+    ]
+
+    sql << " IDENTIFIED BY #{quote_identifier(identified)}" if identified
+    sql << " REQUIRE #{required}" if required
+    sql << " WITH #{with_option}" if with_option
+
+    update(sql)
+  end
+
+  def identify(user, host, identifier)
+    sql = 'GRANT USAGE ON *.* TO %s IDENTIFIED BY %s' % [
+      quote_user(user, host),
+      quote_identifier(identifier),
+    ]
+
+    update(sql)
+  end
+
+  def set_require(user, host, required)
+    required ||= 'NONE'
+
+    sql = 'GRANT USAGE ON *.* TO %s REQUIRE %s' % [
+      quote_user(user, host),
+      required
+    ]
+
+    update(sql)
+  end
+
+  def revoke(user, host, object, options = {})
+    privs = options.fetch(:privs)
+    with_option = options[:with]
+
+    if with_option =~ /\bGRANT\s+OPTION\b/i
+      revoke0(user, host, object, ['GRANT OPTION'])
+
+      if privs.length == 1 and privs[0] =~ /\AUSAGE\z/i
+        return
+      end
+    end
+
+    revoke0(user, host, object, privs)
+  end
+
+  def revoke0(user, host, object, privs)
+    sql = 'REVOKE %s ON %s FROM %s' % [
+      privs.join(', '),
+      quote_object(object),
+      quote_user(user, host),
+    ]
+
+    delete(sql)
+  end
+
+  def update_with_option(user, host, object, with_option)
+    options = []
+
+    if with_option =~ /\bGRANT\s+OPTION\b/i
+      options << 'GRANT OPTION'
+    else
+      revoke(user, host, object, :privs => ['GRANT OPTION'])
+    end
+
+    %w(
+      MAX_QUERIES_PER_HOUR
+      MAX_UPDATES_PER_HOUR
+      MAX_CONNECTIONS_PER_HOUR
+      MAX_USER_CONNECTIONS
+    ).each do |name|
+      count = 0
+
+      if with_option =~ /\b#{name}\s+(\d+)\b/i
+        count = $1
+      end
+
+      options << [name, count].join(' ')
+    end
+
+    unless options.empty?
+      grant(user, host, object, :privs => ['USAGE'], :with => options.join(' '))
+    end
+  end
+
+  private
+
+  def read(sql)
+    log(:debug, sql)
+    @client.query(sql)
+  end
+
+  def update(sql)
+    log(:info, sql, :green)
+    @client.query(sql) unless @options[:dry_run]
+  end
+
+  def delete(sql)
+    log(:info, sql, :red)
+    @client.query(sql) unless @options[:dry_run]
+  end
+
+  def escape(str)
+    @client.escape(str)
+  end
+
+  def quote_user(user, host)
+    "'%s'@'%s'" % [escape(user), escape(host)]
+  end
+
+  def quote_object(object)
+    object.split('.', 2).map {|i| i == '*' ? i : "`#{i}`" }.join('.')
+  end
+
+  def quote_identifier(identifier)
+    identifier ||= ''
+
+    unless identifier =~ /\APASSWORD\s+'.+'\z/
+      identifier = "'#{escape(identifier)}'"
+    end
+
+    identifier
+  end
+end