posgra 0.1.0

data/lib/posgra/driver.rb

@@ -0,0 +1,354 @@
+class Posgra::Driver
+  include Posgra::Logger::Helper
+  include Posgra::Utils::Helper
+
+  DEFAULT_ACL = '{%s=arwdDxt/%s}'
+
+  PRIVILEGE_TYPES = {
+    'a' => 'INSERT',
+    'r' => 'SELECT',
+    'w' => 'UPDATE',
+    'd' => 'DELETE',
+    'D' => 'TRUNCATE',
+    'x' => 'REFERENCES',
+    't' => 'TRIGGER',
+  }
+
+  def initialize(client, options = {})
+    unless client.type_map_for_results.is_a?(PG::TypeMapAllStrings)
+      raise 'PG::Connection#type_map_for_results must be PG::TypeMapAllStrings'
+    end
+
+    @client = client
+    @options = options
+    @identifier = options.fetch(:identifier)
+  end
+
+  def create_user(user)
+    updated = false
+
+    password =  @identifier.identify(user)
+    sql = "CREATE USER #{@client.escape_identifier(user)} PASSWORD #{@client.escape_literal(password)}"
+    log(:info, sql, :color => :cyan)
+
+    unless @options[:dry_run]
+      @client.query(sql)
+      updated = true
+    end
+
+    updated
+  end
+
+  def drop_user(user)
+    updated = false
+
+    sql = "DROP USER #{@client.escape_identifier(user)}"
+    log(:info, sql, :color => :red)
+
+    unless @options[:dry_run]
+      @client.query(sql)
+      updated = true
+    end
+
+    updated
+  end
+
+  def create_group(group)
+    updated = false
+
+    sql = "CREATE GROUP #{@client.escape_identifier(group)}"
+    log(:info, sql, :color => :cyan)
+
+    unless @options[:dry_run]
+      @client.query(sql)
+      updated = true
+    end
+
+    updated
+  end
+
+  def add_user_to_group(user, group)
+    updated = false
+
+    sql = "ALTER GROUP #{@client.escape_identifier(group)} ADD USER #{@client.escape_identifier(user)}"
+    log(:info, sql, :color => :green)
+
+    unless @options[:dry_run]
+      @client.query(sql)
+      updated = true
+    end
+
+    updated
+  end
+
+  def drop_user_from_group(user, group)
+    updated = false
+
+    sql = "ALTER GROUP #{@client.escape_identifier(group)} DROP USER #{@client.escape_identifier(user)}"
+    log(:info, sql, :color => :cyan)
+
+    unless @options[:dry_run]
+      @client.query(sql)
+      updated = true
+    end
+
+    updated
+  end
+
+  def drop_group(group)
+    updated = false
+
+    sql = "DROP GROUP #{@client.escape_identifier(group)}"
+    log(:info, sql, :color => :red)
+
+    unless @options[:dry_run]
+      @client.query(sql)
+      updated = true
+    end
+
+    updated
+  end
+
+  def revoke_all_on_schema(role, schema)
+    updated = false
+
+    sql = "REVOKE ALL ON ALL TABLES IN SCHEMA #{@client.escape_identifier(schema)} FROM #{@client.escape_identifier(role)}"
+    log(:info, sql, :color => :green)
+
+    unless @options[:dry_run]
+      @client.query(sql)
+      updated = true
+    end
+
+    updated
+  end
+
+  def revoke_all_on_object(role, schema, object)
+    updated = false
+
+    sql = "REVOKE ALL ON #{@client.escape_identifier(schema)}.#{@client.escape_identifier(object)} FROM #{@client.escape_identifier(role)}"
+    log(:info, sql, :color => :green)
+
+    unless @options[:dry_run]
+      @client.query(sql)
+      updated = true
+    end
+
+    updated
+  end
+
+  def grant(role, priv, options, schema, object)
+    updated = false
+
+    sql = "GRANT #{priv} ON #{@client.escape_identifier(schema)}.#{@client.escape_identifier(object)} TO #{@client.escape_identifier(role)}"
+
+    if options['is_grantable']
+      sql << ' WITH GRANT OPTION'
+    end
+
+    log(:info, sql, :color => :green)
+
+    unless @options[:dry_run]
+      @client.query(sql)
+      updated = true
+    end
+
+    updated
+  end
+
+  def update_grant_options(role, priv, options, schema, object)
+    updated = false
+
+    if options.fetch('is_grantable')
+      updated = grant_grant_option(role, priv, schema, object)
+    else
+      updated = roveke_grant_option(role, priv, schema, object)
+    end
+
+    updated
+  end
+
+  def grant_grant_option(role, priv, schema, object)
+    updated = false
+
+    sql = "GRANT #{priv} ON #{@client.escape_identifier(schema)}.#{@client.escape_identifier(object)} TO #{@client.escape_identifier(role)} WITH GRANT OPTION"
+    log(:info, sql, :color => :green)
+
+    unless @options[:dry_run]
+      @client.query(sql)
+      updated = true
+    end
+
+    updated
+  end
+
+  def roveke_grant_option(role, priv, schema, object)
+    updated = false
+
+    sql = "REVOKE GRANT OPTION FOR #{priv} ON #{@client.escape_identifier(schema)}.#{@client.escape_identifier(object)} FROM #{@client.escape_identifier(role)}"
+    log(:info, sql, :color => :green)
+
+    unless @options[:dry_run]
+      @client.query(sql)
+      updated = true
+    end
+
+    updated
+  end
+
+  def revoke(role, priv, schema, object)
+    updated = false
+
+    sql = "REVOKE #{priv} ON #{@client.escape_identifier(schema)}.#{@client.escape_identifier(object)} FROM #{@client.escape_identifier(role)}"
+    log(:info, sql, :color => :green)
+
+    unless @options[:dry_run]
+      @client.query(sql)
+      updated = true
+    end
+
+    updated
+  end
+
+  def describe_objects(schema)
+    rs = @client.exec <<-SQL
+      SELECT
+        pg_class.relname,
+        pg_namespace.nspname
+      FROM
+        pg_class
+        INNER JOIN pg_namespace ON pg_class.relnamespace = pg_namespace.oid
+      WHERE
+        pg_namespace.nspname = #{@client.escape_literal(schema)}
+        AND pg_class.relkind NOT IN ('i')
+    SQL
+
+    rs.map do |row|
+      row.fetch('relname')
+    end
+  end
+
+  def describe_users
+    rs = @client.exec('SELECT * FROM pg_user')
+
+    options_by_user = {}
+
+    rs.each do |row|
+      user = row.fetch('usename')
+      next unless matched?(user, @options[:include_role], @options[:exclude_role])
+      options_by_user[user] = row.select {|_, v| v == 't' }.keys
+    end
+
+    options_by_user
+  end
+
+  def describe_groups
+    rs = @client.exec <<-SQL
+      SELECT
+        pg_group.groname,
+        pg_user.usename
+      FROM
+        pg_group
+        LEFT JOIN pg_user ON pg_user.usesysid = ANY(pg_group.grolist)
+    SQL
+
+    users_by_group = {}
+
+    rs.each do |row|
+      group = row.fetch('groname')
+      user = row.fetch('usename')
+      next unless [group, user].any? {|i| matched?(i, @options[:include_role], @options[:exclude_role]) }
+      users_by_group[group] ||= []
+      users_by_group[group] << user if user
+    end
+
+    users_by_group
+  end
+
+  def describe_grants
+    rs = @client.exec <<-SQL
+      SELECT
+        pg_class.relname,
+        pg_namespace.nspname,
+        pg_class.relacl,
+        pg_user.usename
+      FROM
+        pg_class
+        INNER JOIN pg_namespace ON pg_class.relnamespace = pg_namespace.oid
+        INNER JOIN pg_user ON pg_class.relowner = pg_user.usesysid
+      WHERE
+        pg_class.relkind NOT IN ('i')
+    SQL
+
+    grants_by_role = {}
+    rs.each do |row|
+      relname = row.fetch('relname')
+      nspname = row.fetch('nspname')
+      relacl = row.fetch('relacl')
+      usename = row.fetch('usename')
+
+      next unless matched?(nspname, @options[:include_schema], @options[:exclude_schema])
+
+      parse_aclitems(relacl, usename).each do |aclitem|
+        role = aclitem.fetch('grantee')
+        privs = aclitem.fetch('privileges')
+        next unless matched?(role, @options[:include_role], @options[:exclude_role])
+        grants_by_role[role] ||= {}
+        grants_by_role[role][nspname] ||= {}
+        grants_by_role[role][nspname][relname] = privs
+      end
+    end
+
+    grants_by_role
+  end
+
+  def describe_schemas
+    rs = @client.exec <<-SQL
+      SELECT
+        nspname
+      FROM
+        pg_namespace
+    SQL
+
+    rs.map do |row|
+      row.fetch('nspname')
+    end
+  end
+
+  private
+
+  def parse_aclitems(aclitems, owner)
+    aclitems ||= DEFAULT_ACL % [owner, owner]
+    aclitems = aclitems[1..-2].split(',')
+
+    aclitems.map do |aclitem|
+      grantee, privileges_grantor = aclitem.split('=', 2)
+      privileges, grantor = privileges_grantor.split('/', 2)
+
+      {
+        'grantee' => grantee,
+        'privileges' => expand_privileges(privileges),
+        'grantor' => grantor,
+      }
+    end
+  end
+
+  def expand_privileges(privileges)
+    options_by_privilege = {}
+
+    privileges.scan(/([a-z])(\*)?/i).each do |privilege_type_char,is_grantable|
+      privilege_type = PRIVILEGE_TYPES[privilege_type_char]
+
+      unless privilege_type
+        log(:warn, "unknown privilege type: #{privilege_type_char}", :color => :yellow)
+        next
+      end
+
+      options_by_privilege[privilege_type] = {
+        'is_grantable' => !!is_grantable,
+      }
+    end
+
+    options_by_privilege
+  end
+end

data/lib/posgra/dsl.rb

@@ -0,0 +1,17 @@
+class Posgra::DSL
+  def self.convert_roles(exported, options = {})
+    Posgra::DSL::Converter.convert_roles(exported, options)
+  end
+
+  def self.convert_grants(exported, options = {})
+    Posgra::DSL::Converter.convert_grants(exported, options)
+  end
+
+  def self.parse_roles(dsl, path, options = {})
+    Posgra::DSL::Roles.eval(dsl, path, options).result
+  end
+
+  def self.parse_grants(dsl, path, options = {})
+    Posgra::DSL::Grants.eval(dsl, path, options).result
+  end
+end

data/lib/posgra/dsl/converter.rb

@@ -0,0 +1,136 @@
+class Posgra::DSL::Converter
+  def self.convert_roles(exported, options = {})
+    self.new(exported, options).convert_roles
+  end
+
+  def self.convert_grants(exported, options = {})
+    self.new(exported, options).convert_grants
+  end
+
+  def initialize(exported, options = {})
+    @exported = exported
+    @options = options
+  end
+
+  def convert_roles
+    users_by_group = @exported[:users_by_group] || {}
+    users = @exported.fetch(:users, []) - users_by_group.values.flatten
+
+    [
+      output_users(users),
+      output_groups(users_by_group),
+    ].join("\n").strip
+  end
+
+  def convert_grants
+    grants_by_role = @exported || {}
+    output_roles(grants_by_role).strip
+  end
+
+  private
+
+  def output_users(users)
+    users.sort.map {|user|
+      "user #{user.inspect}"
+    }.join("\n") + "\n"
+  end
+
+  def output_groups(users_by_group)
+    users_by_group.sort_by {|g, _| g }.map {|group, users|
+      output_group(group, users)
+    }.join("\n")
+  end
+
+  def output_group(group, users)
+    if users.empty?
+      users = "# no users"
+    else
+      users = users.sort.map {|user|
+        "user #{user.inspect}"
+      }.join("\n  ")
+    end
+
+    <<-EOS
+group #{group.inspect} do
+  #{users}
+end
+    EOS
+  end
+
+  def output_roles(grants_by_role)
+    grants_by_role.sort_by {|r, _| r }.map {|role, grants_by_schema|
+      output_role(role, grants_by_schema)
+    }.join("\n")
+  end
+
+  def output_role(role, grants_by_schema)
+    if grants_by_schema.empty?
+      schemas = "# no schemas"
+    else
+      schemas = output_schemas(grants_by_schema)
+    end
+
+    <<-EOS
+role #{role.inspect} do
+  #{schemas}
+end
+    EOS
+  end
+
+  def output_schemas(grants_by_schema)
+    grants_by_schema.sort_by {|s, _| s }.map {|schema, grants_by_object|
+      output_schema(schema, grants_by_object).strip
+    }.join("\n  ")
+  end
+
+  def output_schema(schema, grants_by_object)
+    if grants_by_object.empty?
+      objects = "# no objects"
+    else
+      objects = output_objects(grants_by_object)
+    end
+
+    <<-EOS
+  schema #{schema.inspect} do
+    #{objects}
+  end
+    EOS
+  end
+
+  def output_objects(grants_by_object)
+    grants_by_object.sort_by {|o, _| o }.map {|object, grants|
+      output_object(object, grants).strip
+    }.join("\n    ")
+  end
+
+  def output_object(object, grants)
+    if grants.empty?
+      grants = "# no grants"
+    else
+      grants = output_grants(grants)
+    end
+
+    <<-EOS
+    on #{object.inspect} do
+      #{grants}
+    end
+    EOS
+  end
+
+  def output_grants(grants)
+    grants.sort_by {|g| g.to_s }.map {|privilege_type, options|
+      output_grant(privilege_type, options).strip
+    }.join("\n      ")
+  end
+
+  def output_grant(privilege_type, options)
+    is_grantable = options.fetch('is_grantable')
+    out = "grant #{privilege_type.inspect}"
+
+    if is_grantable
+      out << ", :grantable => #{is_grantable}"
+    end
+
+    out
+  end
+end