posgra 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 779439047ffa052724a0188fddd2d07291d632be
+  data.tar.gz: dc13051ea5f743c90bb03f17e8552b8042403804
+SHA512:
+  metadata.gz: 969080594fab8c8fd0f4b99d7c7188ab52e15e9147a51caf55c41df74bc9485245460439639cde467e3f7fa491eca91382630e5983b9f884af162b5e877f44dd
+  data.tar.gz: 685cbe3e19daba11a16d2f4852ccab18794c4eebb8c183128ee0428e557a34d66f0b91ddb724bad9bc173aadd90dcdf0293fd7f154a88dbb1b9e3ba6afea4d88

data/.gitignore

@@ -0,0 +1,11 @@
+/.bundle/
+/.yardoc
+/Gemfile.lock
+/_yardoc/
+/coverage/
+/doc/
+/pkg/
+/spec/reports/
+/tmp/
+/*.rb
+account.csv

data/.rspec

@@ -0,0 +1,2 @@
+--color
+--require spec_helper

data/.travis.yml

@@ -0,0 +1,16 @@
+sudo: false
+language: ruby
+rvm:
+  - 2.0.0
+  - 2.1.8
+  - 2.2.4
+  - 2.3.0
+before_install: gem install bundler -v 1.11.2
+script:
+  - bundle install
+  - bundle exec rake
+addons:
+  postgresql: "9.4"
+env:
+  global:
+    - POSGRA_TEST_USER=postgres

data/Gemfile

@@ -0,0 +1,4 @@
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in posgra.gemspec
+gemspec

data/LICENSE.txt

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2016 Genki Sugawara
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/README.md

@@ -0,0 +1,99 @@
+# Posgra
+
+Posgra is a tool to manage PostgreSQL roles/permissions.
+
+It defines the state of PostgreSQL roles/permissions using Ruby DSL, and updates roles/permissions according to DSL.
+
+[![Build Status](https://travis-ci.org/winebarrel/posgra.svg?branch=master)](https://travis-ci.org/winebarrel/posgra)
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+```ruby
+gem 'posgra'
+```
+
+And then execute:
+
+    $ bundle
+
+Or install it yourself as:
+
+    $ gem install posgra
+
+## Usage
+
+```sh
+$ posgra help
+Commands:
+  posgra grant SUBCOMMAND  # Manage grants
+  posgra help [COMMAND]    # Describe available commands or one specific command
+  posgra role SUBCOMMAND   # Manage roles
+
+Options:
+  -h, [--host=HOST]
+                                         # Default: localhost
+  -p, [--port=N]
+                                         # Default: 5432
+  -d, [--dbname=DBNAME]
+                                         # Default: postgres
+  -U, [--user=USER]
+  -P, [--password=PASSWORD]
+      [--account-output=ACCOUNT-OUTPUT]
+                                         # Default: account.csv
+      [--color], [--no-color]
+                                         # Default: true
+      [--debug], [--no-debug]
+```
+
+```sh
+posgra role export pg_roles.rb
+vi pg_roles.rb
+posgra role apply --dry-run pg_roles.rb
+posgra role apply pg_roles.rb
+```
+
+```sh
+posgra grant export pg_grants.rb
+vi pg_grants.rb
+posgra grant apply --dry-run pg_grants.rb
+posgra grant apply pg_grants.rb
+```
+
+## DSL Example
+
+### Role
+
+```ruby
+user "alice"
+
+group "staff" do
+  user "bob"
+end
+```
+
+### Grant
+
+```ruby
+role "bob" do
+  schema "main" do
+    on "microposts" do
+      grant "DELETE", grantable: true
+      grant "INSERT"
+      grant "REFERENCES"
+      grant "SELECT"
+      grant "TRIGGER"
+      grant "TRUNCATE"
+      grant "UPDATE"
+    end
+    on "microposts_id_seq" do
+      grant "SELECT"
+      grant "UPDATE"
+    end
+    on /^user/ do
+      grant "SELECT"
+    end
+  end
+end
+```

data/Rakefile

@@ -0,0 +1,6 @@
+require 'bundler/gem_tasks'
+require 'rspec/core/rake_task'
+
+RSpec::Core::RakeTask.new(:spec)
+
+task :default => :spec

data/bin/console

@@ -0,0 +1,14 @@
+#!/usr/bin/env ruby
+
+require "bundler/setup"
+require "posgra"
+
+# You can add fixtures and/or initialization code here to make experimenting
+# with your gem easier. You can also use a different console, if you like.
+
+# (If you use this, don't forget to add pry to your Gemfile!)
+# require "pry"
+# Pry.start
+
+require "irb"
+IRB.start

data/bin/setup

@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+set -euo pipefail
+IFS=$'\n\t'
+set -vx
+
+bundle install
+
+# Do any other automated setup that you need to do here

data/exe/posgra

@@ -0,0 +1,15 @@
+#!/usr/bin/env ruby
+$: << File.expand_path('../../lib', __FILE__)
+require 'posgra'
+
+debug = ARGV.any? {|i| i == '--debug' }
+
+begin
+  Posgra::CLI::App.start(ARGV)
+rescue => e
+  if debug
+    raise e
+  else
+    $stderr.puts "ERROR: #{e}".red
+  end
+end

data/lib/posgra.rb

@@ -0,0 +1,33 @@
+require 'hashie'
+require 'logger'
+require 'pg'
+require 'singleton'
+require 'term/ansicolor'
+require 'thor'
+
+module Posgra; end
+
+require 'posgra/ext/string_ext'
+require 'posgra/logger'
+require 'posgra/template'
+require 'posgra/utils'
+require 'posgra/cli'
+require 'posgra/cli'
+require 'posgra/cli/helper'
+require 'posgra/cli/grant'
+require 'posgra/cli/role'
+require 'posgra/cli/app'
+require 'posgra/client'
+require 'posgra/driver'
+require 'posgra/dsl'
+require 'posgra/dsl/grants'
+require 'posgra/dsl/grants/role'
+require 'posgra/dsl/grants/role/schema'
+require 'posgra/dsl/grants/role/schema/on'
+require 'posgra/dsl/roles'
+require 'posgra/dsl/roles/group'
+require 'posgra/dsl/converter'
+require 'posgra/exporter'
+require 'posgra/identifier'
+require 'posgra/identifier/auto'
+require 'posgra/version'

data/lib/posgra/cli.rb

@@ -0,0 +1,6 @@
+module Posgra::CLI
+  MAGIC_COMMENT = <<-EOS
+# -*- mode: ruby -*-
+# vi: set ft=ruby :
+  EOS
+end

data/lib/posgra/cli/app.rb

@@ -0,0 +1,16 @@
+class Posgra::CLI::App < Thor
+  class_option :host, :default => 'localhost', :aliases => '-h'
+  class_option :port, :type => :numeric, :default => 5432, :aliases => '-p'
+  class_option :dbname, :default => 'postgres', :aliases => '-d'
+  class_option :user, :aliases => '-U'
+  class_option :password, :aliases => '-P'
+  class_option :'account-output', :default => 'account.csv'
+  class_option :color, :type => :boolean, :default => true
+  class_option :debug, :type => :boolean, :default => false
+
+  desc 'role SUBCOMMAND', 'Manage roles'
+  subcommand :role, Posgra::CLI::Role
+
+  desc 'grant SUBCOMMAND', 'Manage grants'
+  subcommand :grant, Posgra::CLI::Grant
+end

data/lib/posgra/cli/grant.rb

@@ -0,0 +1,68 @@
+class Posgra::CLI::Grant < Thor
+  include Posgra::CLI::Helper
+  include Posgra::Logger::Helper
+
+  DEFAULT_FILENAME = 'pg_grants.rb'
+
+  class_option :'include-schema'
+  class_option :'exclude-schema'
+  class_option :'include-role'
+  class_option :'exclude-role'
+
+  desc 'apply FILE', 'Apply grants'
+  option :'dry-run', :type => :boolean, :default => false
+  def apply(file)
+    check_fileanem(file)
+    updated = client.apply_grants(file)
+
+    unless updated
+      Posgra::Logger.instance.info('No change'.intense_blue)
+    end
+  end
+
+  desc 'export [FILE]', 'Export grants'
+  option :split, :type => :boolean, :default => false
+  def export(file = nil)
+    check_fileanem(file)
+    dsl = client.export_grants
+
+    if options[:split]
+      file = DEFAULT_FILENAME unless file
+
+      log(:info, 'Export Grants')
+      requires = []
+
+      dsl.each do |user, content|
+        grant_file = "#{user}.rb"
+        requires << grant_file
+        log(:info, "  write `#{grant_file}`")
+
+        open(grant_file, 'wb') do |f|
+          f.puts Posgra::CLI::MAGIC_COMMENT
+          f.puts content
+        end
+      end
+
+      log(:info, "  write `#{file}`")
+
+      open(file, 'wb') do |f|
+        f.puts Posgra::CLI::MAGIC_COMMENT
+
+        requires.each do |grant_file|
+          f.puts "require '#{File.basename grant_file}'"
+        end
+      end
+    else
+      if file.nil? or file == '-'
+        puts dsl
+      else
+        log(:info, "Export Grants to `#{file}`")
+
+        open(file, 'wb') do |f|
+          f.puts Posgra::CLI::MAGIC_COMMENT
+          f.puts dsl
+        end
+      end
+    end
+  end
+end

data/lib/posgra/cli/helper.rb

@@ -0,0 +1,37 @@
+module Posgra::CLI::Helper
+  REGEXP_OPTIONS = [
+    :include_schema,
+    :exclude_schema,
+    :include_role,
+    :exclude_role,
+  ]
+
+  def check_fileanem(file)
+    if file =~ /\A-.+/
+      raise "Invalid failname: #{file}"
+    end
+  end
+
+  def client
+    client_options = {}
+    String.colorize = options[:color]
+    Posgra::Logger.instance.set_debug(options[:debug])
+
+    options.each do |key, value|
+      if key.to_s =~ /-/
+        key = key.to_s.gsub('-', '_')
+      end
+
+      client_options[key.to_sym] = value if value
+    end
+
+    REGEXP_OPTIONS.each do |key|
+      if client_options[key]
+        client_options[key] = Regexp.new(client_options[key])
+      end
+    end
+
+    client_options[:identifier] = Posgra::Identifier::Auto.new(options['account-output'])
+    Posgra::Client.new(client_options)
+  end
+end

data/lib/posgra/cli/role.rb

@@ -0,0 +1,35 @@
+class Posgra::CLI::Role < Thor
+  include Posgra::CLI::Helper
+  include Posgra::Logger::Helper
+
+  class_option :'include-role'
+  class_option :'exclude-role'
+
+  desc 'apply FILE', 'Apply roles'
+  option :'dry-run', :type => :boolean, :default => false
+  def apply(file)
+    check_fileanem(file)
+    updated = client.apply_roles(file)
+
+    unless updated
+      Posgra::Logger.instance.info('No change'.intense_blue)
+    end
+  end
+
+  desc 'export [FILE]', 'Export roles'
+  def export(file = nil)
+    check_fileanem(file)
+    dsl = client.export_roles
+
+    if file.nil? or file == '-'
+      puts dsl
+    else
+      log(:info, "Export Roles to `#{file}`")
+
+      open(file, 'wb') do |f|
+        f.puts Posgra::CLI::MAGIC_COMMENT
+        f.puts dsl
+      end
+    end
+  end
+end

data/lib/posgra/client.rb

@@ -0,0 +1,247 @@
+class Posgra::Client
+  DEFAULT_EXCLUDE_SCHEMA = /\A(?:pg_.*|information_schema)\z/
+  DEFAULT_EXCLUDE_ROLE = /\A\z/
+
+  def initialize(options = {})
+    if options[:exclude_schema]
+      options[:exclude_schema] = Regexp.union(
+        options[:exclude_schema],
+        DEFAULT_EXCLUDE_SCHEMA
+      )
+    else
+      options[:exclude_schema] = DEFAULT_EXCLUDE_SCHEMA
+    end
+
+    if options[:exclude_role]
+      options[:exclude_role] = Regexp.union(
+        options[:exclude_role],
+        DEFAULT_EXCLUDE_SCHEMA
+      )
+    else
+      options[:exclude_role] = DEFAULT_EXCLUDE_ROLE
+    end
+
+    @options = options
+    @client = connect(options)
+    @driver = Posgra::Driver.new(@client, options)
+  end
+
+  def export_roles(options = {})
+    options = @options.merge(options)
+    exported = Posgra::Exporter.export_roles(@driver, options)
+    Posgra::DSL.convert_roles(exported, options)
+  end
+
+  def export_grants(options = {})
+    options = @options.merge(options)
+    exported = Posgra::Exporter.export_grants(@driver, options)
+
+    if options[:split]
+      dsl_h = Hash.new {|hash, key| hash[key] = {} }
+
+
+      exported.each do |role, schemas|
+        dsl = Posgra::DSL.convert_grants({role => schemas}, options)
+        dsl_h[role] = dsl
+      end
+
+      dsl_h
+    else
+      Posgra::DSL.convert_grants(exported, options)
+    end
+  end
+
+  def apply_roles(file, options = {})
+    options = @options.merge(options)
+    walk_for_roles(file, options)
+  end
+
+  def apply_grants(file, options = {})
+    options = @options.merge(options)
+    walk_for_grants(file, options)
+  end
+
+  def close
+    @client.close
+  end
+
+  private
+
+  def walk_for_roles(file, options)
+    expected = load_file(file, :parse_roles, options)
+    actual = Posgra::Exporter.export_roles(@driver, options)
+
+    expected_users_by_group = expected.fetch(:users_by_group)
+    actual_users_by_group = actual.fetch(:users_by_group)
+    expected_users = (expected_users_by_group.values.flatten + expected.fetch(:users)).uniq
+    actual_users = actual.fetch(:users)
+
+    updated = pre_walk_groups(expected_users_by_group, actual_users_by_group)
+    updated = walk_users(expected_users, actual_users) || updated
+    walk_groups(expected_users_by_group, actual_users_by_group, expected_users) || updated
+  end
+
+  def walk_for_grants(file, options)
+    expected = load_file(file, :parse_grants, options)
+    actual = Posgra::Exporter.export_grants(@driver, options)
+    walk_roles(expected, actual)
+  end
+
+  def walk_users(expected, actual)
+    updated = false
+
+    (expected - actual).each do |user|
+      updated = @driver.create_user(user) || updated
+    end
+
+    (actual - expected).each do |user|
+      updated = @driver.drop_user(user) || updated
+    end
+
+    updated
+  end
+
+  def pre_walk_groups(expected, actual)
+    updated = false
+
+    actual.reject {|group, _|
+      expected.has_key?(group)
+    }.each {|group, _|
+      updated = @driver.drop_group(group) || updated
+    }
+
+    updated
+  end
+
+  def walk_groups(expected, actual, expected_users)
+    updated = false
+
+    expected.each do |expected_group, expected_users|
+      actual_users = actual.delete(expected_group)
+
+      unless actual_users
+        updated = @driver.create_group(expected_group) || updated
+        actual_users = []
+      end
+
+      (expected_users - actual_users).each do |user|
+        updated = @driver.add_user_to_group(user, expected_group) || updated
+      end
+
+      (actual_users - expected_users).each do |user|
+        if expected_users.include?(user)
+          updated = @driver.drop_user_from_group(user, expected_group) || updated
+        end
+      end
+    end
+
+    updated
+  end
+
+  def walk_roles(expected, actual)
+    updated = false
+
+    expected.each do |expected_role, expected_schemas|
+      actual_schemas = actual.delete(expected_role) || {}
+      updated = walk_schemas(expected_schemas, actual_schemas, expected_role) || updated
+    end
+
+    actual.each do |actual_role, actual_schemas|
+      actual_schemas.each do |schema, _|
+        updated = @driver.revoke_all_on_schema(actual_role, schema) || updated
+      end
+    end
+
+    updated
+  end
+
+  def walk_schemas(expected, actual, role)
+    updated = false
+
+    expected.each do |expected_schema, expected_objects|
+      actual_objects = actual.delete(expected_schema) || {}
+      updated = walk_objects(expected_objects, actual_objects, role, expected_schema) || updated
+    end
+
+    actual.each do |actual_schema, _|
+      updated = @driver.revoke_all_on_schema(role, actual_schema) || updated
+    end
+
+    updated
+  end
+
+  def walk_objects(expected, actual, role, schema)
+    updated = false
+
+    expected.keys.each do |expected_object|
+      if expected_object.is_a?(Regexp)
+        expected_grants = expected.delete(expected_object)
+
+        @driver.describe_objects(schema).each do |object|
+          if object =~ expected_object
+            expected[object] = expected_grants.dup
+          end
+        end
+      end
+    end
+
+    expected.each do |expected_object, expected_grants|
+      actual_grants = actual.delete(expected_object) || {}
+      updated = walk_grants(expected_grants, actual_grants, role, schema, expected_object) || updated
+    end
+
+    actual.each do |actual_object, _|
+      updated = @driver.revoke_all_on_object(role, schema, actual_object) || updated
+    end
+
+    updated
+  end
+
+  def walk_grants(expected, actual, role, schema, object)
+    updated = false
+
+    expected.each do |expected_priv, expected_options|
+      actual_options = actual.delete(expected_priv)
+
+      if actual_options
+        if expected_options != actual_options
+          updated = @driver.update_grant_options(role, expected_priv, expected_options, schema, object) || updated
+        end
+      else
+        updated = @driver.grant(role, expected_priv, expected_options, schema, object) || updated
+      end
+    end
+
+    actual.each do |actual_priv, _|
+      updated = @driver.revoke(role, actual_priv, schema, object) || updated
+    end
+
+    updated
+  end
+
+  def load_file(file, method, options)
+    if file.kind_of?(String)
+      open(file) do |f|
+        Posgra::DSL.send(method, f.read, file, options)
+      end
+    elsif file.respond_to?(:read)
+      Posgra::DSL.send(method, file.read, file.path, options)
+    else
+      raise TypeError, "can't convert #{file} into File"
+    end
+  end
+
+  def connect(options)
+    connect_options = {}
+
+    PG::Connection::CONNECT_ARGUMENT_ORDER.each do |key|
+      value = options[key] || options[key.to_sym]
+
+      if value
+        connect_options[key] = value
+      end
+    end
+
+    PGconn.connect(connect_options)
+  end
+end