mysql_users 0.0.2

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 3f45a1d36a6bedd880564ff0cabf55045ace7ec4
+  data.tar.gz: 5a27cedec5a341b1604b9ac2ce6bdcd69d58401f
+SHA512:
+  metadata.gz: b8bd466f430a87cee3753ac9925643f42d8f6aac0ea453530fd19c4c2a5a86a7338589c354261954348e1bd9d246fd70db4742d3366969f8bf3d430f86b5b1e4
+  data.tar.gz: ad9a32631befb2f544eae0beb8107ff9cdad89c109d62c22d7cb60e911da31c347e0d14f71a4a5598511d9bcbebe6d01070211847796a81a1463652c01db09f0

data/.gitignore

@@ -0,0 +1,16 @@
+/.bundle/
+/.yardoc
+/Gemfile.lock
+/_yardoc/
+/coverage/
+/doc/
+/pkg/
+/spec/reports/
+/tmp/
+*.bundle
+*.so
+*.o
+*.a
+mkmf.log
+.vendor
+/spec/examples.txt

data/.rspec

@@ -0,0 +1,2 @@
+--color
+--require spec_helper

data/Gemfile

@@ -0,0 +1,3 @@
+source 'https://rubygems.org'
+
+gemspec

data/README.md

@@ -0,0 +1,79 @@
+simple mysql grant management inspired by [this chef recipe](https://github.com/opscode-cookbooks/database/blob/master/libraries/provider_database_mysql_user.rb)
+
+# Installation
+
+It's still being developed so it's not on rubygems right now. Add this to your
+Gemfile:
+
+```
+gem 'mysql_users', git: 'https://github.com/margueritepd/ruby_mysql_users.git'
+```
+
+# Usage
+
+The user object takes a database client as part of its constructor. You can use
+the mysql2 database client, or you can write your own - as long as it responds
+to `query` and `escape`, you're good.
+
+If using the `mysql2` client, you should probably make sure you close the
+connection when you're done manipulating the user object.
+
+In the constructor, you want to also pass the user's username and hosts from
+which it can log into.
+
+You can optionally pass a password.
+
+eg:
+
+```ruby
+require 'mysql_users'
+require 'mysql2'
+
+begin
+  db = Mysql2::Client.new(
+    host: "localhost",
+    username: "root",
+  )
+
+  ['%', 'localhost'].each do |host|
+    user = MysqlUsers::User.new(
+      db,
+      {
+        username: 'marguerite',
+        host: host,
+        password: 'foo',
+      }
+    )
+    user.create  # won't complain if user exists already
+    user.grant({
+      grants: ['ALL PRIVILEGES'],
+      database: 'web',
+      table: 'auth',
+    })
+    user.revoke({
+      grants: ['SELECT'],
+      database: 'web',
+      table: 'auth',
+    })
+    user.drop  # won't complain if user doesn't exist
+  end
+rescue => e
+  puts e
+  raise e
+ensure
+  db.close unless db.nil?
+end
+```
+
+# Testing
+
+```
+bundle exec rake
+```
+
+# Creating a new package
+
+```
+bundle exec rake build
+# new gem is in pkg/
+```

data/Rakefile

@@ -0,0 +1,5 @@
+require 'bundler/gem_tasks'
+
+require 'rspec/core/rake_task'
+RSpec::Core::RakeTask.new(:spec)
+task :default => :spec

data/lib/mysql_users.rb

@@ -0,0 +1 @@
+require 'mysql_users/user'

data/lib/mysql_users/user.rb

@@ -0,0 +1,96 @@
+module MysqlUsers
+  class User
+    attr_reader :db_client
+    attr_reader :e_username
+    attr_reader :e_host
+
+    def initialize(db_client, options={})
+      @db_client = db_client
+      @e_username = escape(options.fetch(:username))
+      @e_host = escape(options.fetch(:host))
+      p = options[:password]
+      @e_password = p ? escape(p) : nil
+    end
+
+    def exists?
+      query = "SELECT User, Host FROM mysql.user WHERE "\
+        "User='#{e_username}' AND Host='#{e_host}'"
+      result = db_client.query(query)
+      result.count != 0
+    end
+
+    def create
+      return if exists?
+      create_without_check
+    end
+
+    def drop
+      return unless exists?
+      sql = "DROP USER #{user_address}"
+      db_client.query(sql)
+    end
+
+    # TODO should this be its own class?
+    def grant(options)
+      db = backtick_or_star(options[:database], 'give grants to')
+      table = backtick_or_star(options[:table], 'give grants to')
+      grants = options.fetch(:grants)
+      verify_grants_sanitized(grants, 'give')
+
+      sql = "GRANT #{grants.join(',')}"
+      sql += " ON #{db}.#{table}"
+      sql += " TO #{user_address}"
+      sql += " WITH GRANT OPTION" if options.fetch(:with_grant_option, false)
+
+      db_client.query(sql)
+    end
+
+    def revoke(options)
+      db = backtick_or_star(options[:database], 'revoke grants from')
+      table = backtick_or_star(options[:table], 'revoke grants from')
+      grants = options.fetch(:grants)
+      verify_grants_sanitized(grants, 'revoke')
+      sql = "REVOKE #{grants.join(',')}"
+      sql += " ON #{db}.#{table}"
+      sql += " FROM #{user_address}"
+      db_client.query(sql)
+    end
+
+    private
+
+    def user_address
+      "'#{e_username}'@'#{e_host}'"
+    end
+
+    def verify_grants_sanitized(grants, verb)
+      unless grants.all?{ |grant| /^[a-zA-Z ]+$/.match(grant) }
+        raise "grants should match [a-zA-Z ]. Refusing to #{verb} grants"
+      end
+      if grants.empty?
+        raise 'provided list of grants must be non-empty'
+      end
+    end
+
+    def backtick_or_star(name, verb)
+      return '*' unless name
+      backtick_error = "refusing to #{verb} an entity "\
+        'whose name contains backticks'
+      raise backtick_error if /`/.match(name)
+      "`#{escape(name)}`"
+    end
+
+    def has_password?
+      !@e_password.nil?
+    end
+
+    def create_without_check
+      sql = "CREATE USER #{user_address}"
+      sql += " IDENTIFIED BY '#{@e_password}'" if has_password?
+      db_client.query(sql)
+    end
+
+    def escape(string)
+      db_client.escape(string)
+    end
+  end
+end

data/lib/mysql_users/version.rb

@@ -0,0 +1,3 @@
+module MysqlUsers
+  VERSION = '0.0.2'
+end

data/mysql_users.gemspec

@@ -0,0 +1,23 @@
+# coding: utf-8
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'mysql_users/version'
+
+Gem::Specification.new do |spec|
+  spec.name          = 'mysql_users'
+  spec.version       = MysqlUsers::VERSION
+  spec.authors       = ['marguerite']
+  spec.email         = ['marguerite@pagerduty.com']
+  spec.summary       = %q{Manage mysql users with minimal dependencies}
+  spec.homepage      = ''
+  spec.license       = 'MIT'
+
+  spec.files         = `git ls-files -z`.split("\x0")
+  spec.executables   = spec.files.grep(%r{^bin/}) { |f| File.basename(f) }
+  spec.test_files    = spec.files.grep(%r{^(test|spec|features)/})
+  spec.require_paths = ['lib']
+
+  spec.add_development_dependency 'bundler', '~> 1.7'
+  spec.add_development_dependency 'rake', '~> 10.0'
+  spec.add_development_dependency 'rspec', '~> 3.3.0'
+end

data/spec/mysql_users/user_spec.rb

@@ -0,0 +1,308 @@
+require 'mysql_users'
+
+RSpec.describe(:user) do
+  let(:database_client) do
+    db_client = double()
+    allow(db_client).to receive(:query).and_return([])
+    allow(db_client).to receive(:escape) do |string|
+      string.gsub('\\', '\\').gsub("'", { "'" => "\\'" })
+    end
+    db_client
+  end
+
+  let(:user) do
+    MysqlUsers::User.new(
+      database_client,
+      { username: 'marguerite', host: '%' },
+    )
+  end
+
+  let(:db_user_result) { [{'User' => 'marguerite', 'Host' => '%'}] }
+  let(:db_empty_result) { [] }
+  let(:user_select_regex) { /SELECT User, Host FROM mysql.user/ }
+  let(:bobby_tables) { "Robert'; DROP TABLE Students; --" }
+
+  def with_no_user_in_db
+    allow(database_client).to receive(:query).with(user_select_regex)
+      .and_return(db_empty_result)
+  end
+
+  def with_user_in_db
+    allow(database_client).to receive(:query).with(user_select_regex)
+      .and_return(db_user_result)
+  end
+
+  context('.new') do
+    it 'errors if username is missing' do
+      expect {
+        MysqlUsers::User.new(database_client, { host: '%' })
+      }.to raise_exception(KeyError)
+    end
+
+    it 'errors if host is missing' do
+      expect {
+        MysqlUsers::User.new(database_client, { username: 'marg' })
+      }.to raise_exception(KeyError)
+    end
+  end
+
+  context('#exists?') do
+
+    it 'exists? should return true if that username+host exists' do
+      with_user_in_db
+      expect(user.exists?).to eq(true)
+    end
+
+    it 'exists? should return false if that username+host doesn\'t exists' do
+      with_no_user_in_db
+      expect(user.exists?).to eq(false)
+    end
+
+    it 'should escape username before interpolating in sql string' do
+      user = MysqlUsers::User.new(
+        database_client,
+        { username: bobby_tables, host: '%' },
+      )
+
+      expect(database_client).to_not receive(:query).with(/bert'/)
+      expect(database_client).to receive(:query).with(/bert\\'/)
+
+      user.exists?
+    end
+
+    it 'should escape host before interpolating in sql string' do
+      user = MysqlUsers::User.new(
+        database_client,
+        { username: 'marguerite', host: bobby_tables },
+      )
+
+      expect(database_client).to_not receive(:query).with(/bert'/)
+      expect(database_client).to receive(:query).with(/bert\\'/)
+
+      user.exists?
+    end
+  end
+
+  context('#create') do
+    let(:create_user_regex) { /^CREATE USER 'marguerite'@'%'$/ }
+
+    it 'should create the user without password if no password given' do
+      with_no_user_in_db
+      expect(database_client).to receive(:query).with(create_user_regex)
+
+      user.create
+    end
+
+    it 'should not create the user if it does exist' do
+      with_user_in_db
+      expect(database_client).to_not receive(:query).with(create_user_regex)
+
+      user.create
+    end
+
+    it 'should create the user with password if password given' do
+      with_no_user_in_db
+      user = MysqlUsers::User.new(
+        database_client,
+        { username: 'u', host: '%', password: 'p' },
+      )
+
+      expect(database_client).to receive(:query).with(
+        /^CREATE USER 'u'@'%' IDENTIFIED BY 'p'$/
+      )
+
+      user.create
+    end
+
+    it 'should escape interpolated password when creating' do
+      with_no_user_in_db
+      user = MysqlUsers::User.new(
+        database_client,
+        { username: 'u', host: '%', password: bobby_tables },
+      )
+      expect(database_client).to_not receive(:query).with(/bert'/)
+      expect(database_client).to receive(:query).with(/^CREATE.*bert\\'/)
+
+      user.create
+    end
+  end
+
+  context('#drop') do
+    let(:drop_user_sql) { %q{DROP USER 'marguerite'@'%'} }
+
+    it 'should remove user from database if user exists' do
+      with_user_in_db
+      expect(database_client).to receive(:query).with(drop_user_sql)
+      user.drop
+    end
+
+    it 'should not drop the user if it doesn\'t exist' do
+      with_no_user_in_db
+      expect(database_client).to_not receive(:query).with(drop_user_sql)
+      user.drop
+    end
+  end
+
+  context('#grant') do
+    let(:grant_options) do
+      {
+        database: 'db',
+        table: 'tbl',
+        grants: [
+          :select
+        ]
+      }
+    end
+
+    it 'should grant with full correct query (happy path)' do
+      expect(database_client).to receive(:query).with(
+        "GRANT select ON `db`.`tbl` TO 'marguerite'@'%'"
+      )
+      user.grant(grant_options)
+    end
+
+    it 'should grant to * if no database provided' do
+      grant_options.delete(:database)
+      expect(database_client).to receive(:query).with(/GRANT .* ON \*\.`tbl`/)
+      user.grant(grant_options)
+    end
+
+    it 'should grant to * if no table provided' do
+      grant_options.delete(:table)
+      expect(database_client).to receive(:query).with(/GRANT .* ON `db`\.\*/)
+      user.grant(grant_options)
+    end
+
+    it 'should surround table and db name in backticks' do
+      expect(database_client).to receive(:query).with(/GRANT .* ON `db`\.`tbl`/)
+      user.grant(grant_options)
+    end
+
+    it 'should error if provided table name contains backticks' do
+      expect(database_client).to_not receive(:query).with(/stompy`/)
+      expect {
+        user.grant(grant_options.merge({table: 'stompy`'}))
+      }.to raise_error(/refusing to give grants/)
+    end
+
+    it 'should error if provided database name contains `' do
+      expect(database_client).to_not receive(:query).with(/stompy`/)
+      expect {
+        user.grant(grant_options.merge({database: 'stompy`'}))
+      }.to raise_error(/refusing to give grants/)
+    end
+
+    it 'should not run grant query if grant contains odd characters' do
+      expect {
+        user.grant(grant_options.merge({grants: ['&']}))
+      }.to raise_error('grants should match [a-zA-Z ]. Refusing to give grants')
+    end
+
+    it 'should raise error if no grants specified' do
+      grant_options.delete(:grants)
+      expect { user.grant(grant_options) }.to raise_error(KeyError)
+    end
+
+    it 'should raise error if empty grants specified' do
+      expect { user.grant(grant_options.merge({grants: []})) }
+        .to raise_error('provided list of grants must be non-empty')
+    end
+
+    it 'should give all grants' do
+      expect(database_client).to receive(:query).with(/^GRANT foo,bar/)
+      user.grant(grant_options.merge({grants: [:foo, :bar]}))
+    end
+
+    it 'should give grants to the user' do
+      expect(database_client).to receive(:query).with(
+        /^GRANT .* TO 'marguerite'@'%'$/
+      )
+      user.grant(grant_options)
+    end
+
+    it 'should give give "with grant option" if required' do
+      expect(database_client).to receive(:query).with(
+        /^GRANT .* WITH GRANT OPTION$/
+      )
+      user.grant(grant_options.merge({with_grant_option: true}))
+    end
+  end
+
+  context('#revoke') do
+    let(:grant_options) do
+      {
+        database: 'db',
+        table: 'tbl',
+        grants: [
+          :select
+        ]
+      }
+    end
+
+    it 'should revoke with full correct query (happy path)' do
+      expect(database_client).to receive(:query).with(
+        "REVOKE select ON `db`.`tbl` FROM 'marguerite'@'%'"
+      )
+      user.revoke(grant_options)
+    end
+
+    it 'should revoke from * if no database provided' do
+      grant_options.delete(:database)
+      expect(database_client).to receive(:query).with(/REVOKE .* ON \*\.`tbl`/)
+      user.revoke(grant_options)
+    end
+
+    it 'should revoke from * if no table provided' do
+      grant_options.delete(:table)
+      expect(database_client).to receive(:query).with(/REVOKE .* ON `db`\.\*/)
+      user.revoke(grant_options)
+    end
+
+    it 'should surround table and db name in backticks' do
+      expect(database_client).to receive(:query).with(/REVOKE.* ON `db`\.`tbl`/)
+      user.revoke(grant_options)
+    end
+
+    it 'should error if provided table name contains backticks' do
+      expect(database_client).to_not receive(:query).with(/stompy`/)
+      expect {
+        user.revoke(grant_options.merge({table: 'stompy`'}))
+      }.to raise_error(/refusing to revoke grants/)
+    end
+
+    it 'should error if provided database name contains `' do
+      expect(database_client).to_not receive(:query).with(/stompy`/)
+      expect {
+        user.revoke(grant_options.merge({database: 'stompy`'}))
+      }.to raise_error(/refusing to revoke grants/)
+    end
+
+    it 'should revoke all specified grants' do
+      expect(database_client).to receive(:query).with(/^REVOKE foo,bar/)
+      user.revoke(grant_options.merge({grants: [:foo, :bar]}))
+    end
+
+    it 'should not run revoke query if grant contains odd characters' do
+      expect {
+        user.revoke(grant_options.merge({grants: ['&']}))
+      }.to raise_error('grants should match [a-zA-Z ]. Refusing to revoke grants')
+    end
+
+    it 'should raise error if no grants specified' do
+      grant_options.delete(:grants)
+      expect { user.revoke(grant_options) }.to raise_error(KeyError)
+    end
+
+    it 'should raise error if empty grants specified' do
+      expect { user.revoke(grant_options.merge({grants: []})) }
+        .to raise_error('provided list of grants must be non-empty')
+    end
+
+    it 'should revoke grants from the user' do
+      expect(database_client).to receive(:query).with(
+        /^REVOKE .* FROM 'marguerite'@'%'$/
+      )
+      user.revoke(grant_options)
+    end
+  end
+end

data/spec/spec_helper.rb

@@ -0,0 +1,96 @@
+# This file was generated by the `rspec --init` command. Conventionally, all
+# specs live under a `spec` directory, which RSpec adds to the `$LOAD_PATH`.
+# The generated `.rspec` file contains `--require spec_helper` which will cause
+# this file to always be loaded, without a need to explicitly require it in any
+# files.
+#
+# Given that it is always loaded, you are encouraged to keep this file as
+# light-weight as possible. Requiring heavyweight dependencies from this file
+# will add to the boot time of your test suite on EVERY test run, even for an
+# individual file that may not need all of that loaded. Instead, consider making
+# a separate helper file that requires the additional dependencies and performs
+# the additional setup, and require it from the spec files that actually need
+# it.
+#
+# The `.rspec` file also contains a few flags that are not defaults but that
+# users commonly want.
+#
+# See http://rubydoc.info/gems/rspec-core/RSpec/Core/Configuration
+RSpec.configure do |config|
+  # rspec-expectations config goes here. You can use an alternate
+  # assertion/expectation library such as wrong or the stdlib/minitest
+  # assertions if you prefer.
+  config.expect_with :rspec do |expectations|
+    # This option will default to `true` in RSpec 4. It makes the `description`
+    # and `failure_message` of custom matchers include text for helper methods
+    # defined using `chain`, e.g.:
+    #     be_bigger_than(2).and_smaller_than(4).description
+    #     # => "be bigger than 2 and smaller than 4"
+    # ...rather than:
+    #     # => "be bigger than 2"
+    expectations.include_chain_clauses_in_custom_matcher_descriptions = true
+  end
+
+  # rspec-mocks config goes here. You can use an alternate test double
+  # library (such as bogus or mocha) by changing the `mock_with` option here.
+  config.mock_with :rspec do |mocks|
+    # Prevents you from mocking or stubbing a method that does not exist on
+    # a real object. This is generally recommended, and will default to
+    # `true` in RSpec 4.
+    mocks.verify_partial_doubles = true
+  end
+
+  # The settings below are suggested to provide a good initial experience
+  # with RSpec, but feel free to customize to your heart's content.
+  begin
+    # These two settings work together to allow you to limit a spec run
+    # to individual examples or groups you care about by tagging them with
+    # `:focus` metadata. When nothing is tagged with `:focus`, all examples
+    # get run.
+    config.filter_run :focus
+    config.run_all_when_everything_filtered = true
+
+    # Allows RSpec to persist some state between runs in order to support
+    # the `--only-failures` and `--next-failure` CLI options. We recommend
+    # you configure your source control system to ignore this file.
+    config.example_status_persistence_file_path = "spec/examples.txt"
+
+    # Limits the available syntax to the non-monkey patched syntax that is
+    # recommended. For more details, see:
+    #   - http://myronmars.to/n/dev-blog/2012/06/rspecs-new-expectation-syntax
+    #   - http://www.teaisaweso.me/blog/2013/05/27/rspecs-new-message-expectation-syntax/
+    #   - http://myronmars.to/n/dev-blog/2014/05/notable-changes-in-rspec-3#new__config_option_to_disable_rspeccore_monkey_patching
+    config.disable_monkey_patching!
+
+    # This setting enables warnings. It's recommended, but in some cases may
+    # be too noisy due to issues in dependencies.
+    config.warnings = true
+
+    # Many RSpec users commonly either run the entire suite or an individual
+    # file, and it's useful to allow more verbose output when running an
+    # individual spec file.
+    if config.files_to_run.one?
+      # Use the documentation formatter for detailed output,
+      # unless a formatter has already been configured
+      # (e.g. via a command-line flag).
+      config.default_formatter = 'doc'
+    end
+
+    # Print the 10 slowest examples and example groups at the
+    # end of the spec run, to help surface which specs are running
+    # particularly slow.
+    #config.profile_examples = 10
+
+    # Run specs in random order to surface order dependencies. If you find an
+    # order dependency and want to debug it, you can fix the order by providing
+    # the seed, which is printed after each run.
+    #     --seed 1234
+    config.order = :random
+
+    # Seed global randomization in this process using the `--seed` CLI option.
+    # Setting this allows you to use `--seed` to deterministically reproduce
+    # test failures related to randomization by passing the same `--seed` value
+    # as the one that triggered the failure.
+    Kernel.srand config.seed
+  end
+end

metadata

@@ -0,0 +1,99 @@
+--- !ruby/object:Gem::Specification
+name: mysql_users
+version: !ruby/object:Gem::Version
+  version: 0.0.2
+platform: ruby
+authors:
+- marguerite
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2015-08-12 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.7'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.7'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 3.3.0
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 3.3.0
+description: 
+email:
+- marguerite@pagerduty.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- ".gitignore"
+- ".rspec"
+- Gemfile
+- README.md
+- Rakefile
+- lib/mysql_users.rb
+- lib/mysql_users/user.rb
+- lib/mysql_users/version.rb
+- mysql_users.gemspec
+- spec/mysql_users/user_spec.rb
+- spec/spec_helper.rb
+homepage: ''
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.4.5
+signing_key: 
+specification_version: 4
+summary: Manage mysql users with minimal dependencies
+test_files:
+- spec/mysql_users/user_spec.rb
+- spec/spec_helper.rb