prodder 1.7

data/features/step_definitions/git_steps.rb

@@ -0,0 +1,65 @@
+Given 'a "$project" git repository' do |project|
+  fixture_repo = File.join(@prodder_root, 'features', 'support', "#{project}.git")
+  unless File.directory? fixture_repo
+    raise "Cannot initialize repo for project #{project}; expected fixture at: #{fixture_repo}"
+  end
+
+  run_simple "mkdir -p repos"
+  run_simple "chmod -R a+w repos/#{project}.git" if File.exist? File.join(current_dir, "repos", "#{project}.git")
+  remove_dir "repos/#{project}.git"
+  run_simple "cp -pR #{fixture_repo} repos/#{project}.git"
+end
+
+Given 'I deleted the "$project" git repository' do |project|
+  run_simple "rm -rf repos/#{project}.git"
+end
+
+Given 'the "$project" git repository does not allow pushing to it' do |project|
+  run_simple "chmod -R a-w repos/#{project}.git"
+end
+
+Given 'a new commit is already in the "$project" git repository' do |project|
+  commit_to_remote project
+end
+
+Then 'the new commit should be in the workspace copy of the "$project" repository' do |project|
+  check_file_content "prodder-workspace/#{project}/README", 'Also read this!', true
+end
+
+Then(/^(\d+) commits? by "([^"]+)" should be in the "([^"]+)" repository$/) do |n, author, project|
+  in_workspace(project) do
+    authors = `git log --pretty='format:%an'`.split("\n")
+    authors.grep(/#{author}/).size.should == Integer(n)
+  end
+end
+
+Then 'the file "$filename" should now be tracked' do |filename|
+  in_current_dir do
+    git = Prodder::Git.new(File.expand_path("prodder-workspace/blog"), nil)
+    git.should be_tracked(filename)
+  end
+end
+
+Then 'the latest commit should have changed "$file" to contain "$content"' do |filename, content|
+  in_workspace('blog') do
+    changed = `git show --name-only HEAD | grep #{filename}`.split("\n")
+    changed.should_not be_empty
+
+    diff = `git show HEAD | grep '#{content}'`.split("\n")
+    diff.should_not be_empty
+  end
+end
+
+Then 'the latest commit should not have changed "$filename"' do |filename|
+  in_workspace('blog') do
+    changed = `git show --name-only HEAD | grep #{filename}`.split("\n")
+    changed.should be_empty
+  end
+end
+
+Then 'the new commit should be in the remote repository' do
+  in_current_dir do
+    latest = `git --git-dir="./repos/blog.git" log | grep prodder`.split("\n")
+    latest.should_not be_empty
+  end
+end

data/features/step_definitions/prodder_steps.rb

@@ -0,0 +1,150 @@
+Given 'the "store/db/name" key is missing from "$filename"' do |filename|
+  # Eh, good enough!
+  path = File.join @aruba_root, filename
+  contents = File.read path
+  File.open(path, 'w') { |f| f.write contents.sub(/^\s+name: \w+$/, '') }
+end
+
+Given 'the "$role" role can not read from the "blog" database\'s tables' do |role|
+  Prodder::PG.new.psql('prodder__blog_prod', 'REVOKE SELECT ON ALL TABLES IN SCHEMA public FROM prodder;')
+end
+
+Given 'I add an index to table "$table" on column "$column" in the "$project" project\'s database' do |table, column, project|
+  Prodder::PG.new.psql "prodder__#{project}_prod", "CREATE INDEX test_index ON #{table} (#{column});"
+end
+
+Given 'I add a customer parameter "$parameter" with value "$value" in the "$project" project\'s database' do |parameter, value, project|
+  Prodder::PG.new.psql "prodder__#{project}_prod", "ALTER DATABASE prodder__#{project}_prod SET #{parameter} = #{value};"
+end
+
+Given 'I add a foreign key from table "$table1" and column "$column1" to table "$table2" and column "$column2" in the "$project" project\'s database' do |table1, column1, table2, column2, project|
+  Prodder::PG.new.psql "prodder__#{project}_prod", "ALTER TABLE #{table1} ADD CONSTRAINT fk_authors FOREIGN KEY (#{column1}) REFERENCES #{table2} (#{column2});"
+end
+
+Given 'no-op versions of these bins are available on my PATH: $bins' do |bins|
+  paths = bins.split(/,\s*/).map { |bin|
+    File.join(@aruba_root, "stub-#{bin}").tap do |dir|
+      FileUtils.mkdir_p dir
+      File.open(File.join(dir, bin), 'w') { |f| f.write 'foo' }
+    end
+  }.join(File::PATH_SEPARATOR)
+
+  set_env 'PATH', "#{paths}#{File::PATH_SEPARATOR}#{ENV['PATH']}"
+end
+
+Given '"$bin" is not available on my PATH' do |bin|
+  path = ENV['PATH'].split(File::PATH_SEPARATOR)
+  dirs = path.select { |dir| File.exist? File.join(dir, bin) }
+  set_env 'PATH', path.reject { |dir| dirs.include?(dir) }.join(File::PATH_SEPARATOR)
+end
+
+When 'I create a new table "$table" in the "$project" database' do |table, project|
+  pg = Prodder::PG.new
+  pg.psql "prodder__#{project}_prod", "CREATE TABLE #{table} ( id SERIAL PRIMARY KEY );"
+end
+
+When 'I add a new author "$author" to the "$project" database' do |author, project|
+  pg = Prodder::PG.new
+  pg.psql "prodder__#{project}_prod", "INSERT INTO authors (name) VALUES ('#{author}');"
+end
+
+When 'I add a "$name" schema to the "$project" project\'s database' do |name, project|
+  pg = Prodder::PG.new
+  pg.psql "prodder__#{project}_prod", "CREATE SCHEMA #{name} AUTHORIZATION prodder CREATE TABLE #{name}.providers ( id SERIAL PRIMARY KEY );"
+end
+
+When 'I grant all permissions on table "$table" in the "$project" database to "$role"' do |table, project, role|
+  pg = Prodder::PG.new
+  pg.psql "prodder__#{project}_prod", "GRANT ALL ON #{table} TO #{role}"
+end
+
+Then 'the output should contain the example config contents' do
+  assert_partial_output Prodder::Config.example_contents, all_output
+end
+
+Then /^the workspace file "([^"]*)" should match \/([^\/]*)\/$/ do |file, partial_content|
+  check_file_content("prodder-workspace/#{file}", /#{partial_content}/, true)
+end
+
+Then /^the workspace file "([^"]*)" should not match \/([^\/]*)\/$/ do |file, partial_content|
+  check_file_content("prodder-workspace/#{file}", /#{partial_content}/, false)
+end
+
+Then /^the workspace file "([^"]*)" should not exist$/ do |file|
+  check_file_presence(["prodder-workspace/#{file}"], false)
+end
+
+Given(/a prodder config in "([^"]*)" with projects?: (.*)/) do |filename, projects|
+  contents = projects.split(/,\s*/).map { |name|
+    strip_leading <<-EOF
+    #{name}:
+      structure_file: db/structure.sql
+      seed_file: db/seeds.sql
+      quality_check_file: db/quality_checks.sql
+      permissions:
+        file: db/permissions.sql
+        included_users: prodder, include_this
+      git:
+        origin: ./repos/#{name}.git
+        author: prodder auto-commit <pd+prodder@krh.me>
+      db:
+        name: prodder__#{name}_prod
+        host: localhost
+        user: prodder
+        tables:
+          - posts
+          - authors
+    EOF
+  }.join("\n")
+
+  write_file filename, contents
+end
+
+Given 'the "$project" file "$filename" contains:' do |project, filename, contents|
+  write_file "prodder-workspace/#{project}/#{filename}", contents
+end
+
+Given 'the prodder config in "$filename" says to read the "$project" seed tables from "$seeds"' do |filename, project, seeds|
+  update_config filename do |config|
+    config[project]['db']['tables'] = seeds
+  end
+end
+
+Given 'the prodder config in "$filename" excludes the table "$table" from the dump of "$project"' do |filename, table, project|
+  update_config filename do |config|
+    config[project]['db']['exclude_tables'] ||= []
+    config[project]['db']['exclude_tables'].push table
+  end
+end
+
+Given 'the prodder config in "$filename" excludes the schema "$schema" from the dump of "$project"' do |filename, schema, project|
+  update_config filename do |config|
+    config[project]['db']['exclude_schemas'] ||= []
+    config[project]['db']['exclude_schemas'].push schema
+  end
+end
+
+Given 'the prodder config in "$filename" does not include a quality check file for the "$project" project' do |filename, project|
+  update_config filename do |config|
+    config[project].delete 'quality_check_file'
+  end
+end
+
+Given 'the prodder config in "$filename" does not include a permissions file for the "$project" project' do |filename, project|
+  update_config filename do |config|
+    config[project]['permissions'].delete 'file'
+  end
+end
+
+Given 'the prodder config in "$filename" does not include permissions for the "$project" project' do |filename, project|
+  update_config filename do |config|
+    config[project].delete 'permissions'
+  end
+end
+
+Given 'the "$project" file "$filename" does not exist' do |project, filename|
+  begin
+    remove_file "prodder-workspace/#{project}/#{filename}"
+  rescue Errno::ENOENT
+  end
+end

data/features/support/env.rb

@@ -0,0 +1,116 @@
+require 'cucumber'
+require 'aruba/cucumber'
+
+$LOAD_PATH.unshift File.expand_path('../../lib', File.dirname(__FILE__))
+require 'prodder'
+
+module ProdderHelpers
+  def strip_leading(string)
+    leading = string.scan(/^\s*/).min_by &:length
+    string.gsub /^#{leading}/, ''
+  end
+
+  def in_workspace(name, &block)
+    in_current_dir { Dir.chdir("prodder-workspace/#{name}", &block) }
+  end
+
+  def commit_to_remote(project)
+    @dirs = ['tmp', 'aruba']
+    run_simple "git clone repos/#{project}.git tmp-extra-commit-#{project}"
+    cd "tmp-extra-commit-#{project}"
+
+    append_to_file "README", 'Also read this!'
+    run_simple 'git add README'
+    run_simple 'git commit -m "Second commit"'
+    run_simple "git push origin master"
+
+    cd '..'
+    run_simple "rm -rf tmp-extra-commit-#{project}"
+  end
+
+  def update_config(filename, &block)
+    config = with_file_content(filename) do |contents|
+      config = YAML.load contents
+      block.call(config)
+      config
+    end
+
+    write_file filename, config.to_yaml
+  end
+
+  def self.setup!
+    pg = Prodder::PG.new
+    pg.create_role 'prodder'
+    pg.create_role 'include_this', ['--no-login']
+    pg.create_role 'exclude_this'
+    pg.create_role 'prodder__blog_prod:read_only', ['--no-login']
+    pg.create_role 'prodder__blog_prod:read_write', ['--no-login']
+    pg.create_role 'prodder__blog_prod:permissions_test:read_only', ['--no-login']
+    pg.create_role 'prodder__blog_prod:permissions_test:read_write', ['--no-login']
+    pg.create_role '_90enva', ['--no-login']
+    pg.create_role '_91se', ['--no-login']
+    pg.create_role '_91qa', ['--no-login']
+    pg.create_role '_91b', ['--no-login']
+    pg.create_role '_92b', ['--no-login']
+    pg.create_role '_92se', ['--no-login']
+    pg.create_role '_92qa', ['--no-login']
+    pg.create_role '_93se', ['--no-login']
+    pg.create_role '_93b', ['--no-login']
+    pg.create_role '_94se', ['--no-login']
+
+    fixture_dbs.each do |name, contents|
+      pg.create_db name
+      pg.psql name, "ALTER DEFAULT PRIVILEGES GRANT SELECT ON TABLES TO prodder;"
+      pg.psql name, "ALTER DEFAULT PRIVILEGES GRANT SELECT ON SEQUENCES TO prodder;"
+      pg.psql name, contents
+    end
+  end
+
+  def self.teardown!
+    pg = Prodder::PG.new
+    fixture_dbs.each { |name, contents| pg.drop_db name }
+    pg.drop_role 'prodder'
+    pg.drop_role 'include_this'
+    pg.drop_role 'exclude_this'
+    pg.drop_role "prodder__blog_prod:read_only"
+    pg.drop_role "prodder__blog_prod:read_write"
+    pg.drop_role "prodder__blog_prod:permissions_test:read_only"
+    pg.drop_role "prodder__blog_prod:permissions_test:read_write"
+    pg.drop_role '_90enva'
+    pg.drop_role '_91se'
+    pg.drop_role '_91qa'
+    pg.drop_role '_91b'
+    pg.drop_role '_92se'
+    pg.drop_role '_92b'
+    pg.drop_role '_92qa'
+    pg.drop_role '_93se'
+    pg.drop_role '_93b'
+    pg.drop_role '_94se'
+
+  end
+
+  def self.fixture_dbs
+    @fixture_dbs ||= Dir[File.join(File.dirname(__FILE__), '*.sql')].map do |sql|
+      db = File.basename(sql).sub('.sql', '')
+      [db, File.read(sql)]
+    end
+  end
+end
+
+World ProdderHelpers
+
+Before do
+  @prodder_root = File.expand_path('../..', File.dirname(__FILE__))
+  @aruba_root   = File.join(@prodder_root, 'tmp', 'aruba')
+  @aruba_timeout_seconds = 10
+  Dir.chdir @prodder_root
+end
+
+After('@restore-perms') do
+  pg = Prodder::PG.new
+  pg.psql 'prodder__blog_prod', "GRANT SELECT ON ALL TABLES IN SCHEMA public TO prodder;"
+end
+
+## Bootstrap the test role, databases, git repos.
+ProdderHelpers.setup!
+at_exit { ProdderHelpers.teardown! }

data/features/support/prodder__blog_prod.sql

@@ -0,0 +1,153 @@
+ALTER DATABASE prodder__blog_prod SET custom.parameter = 1;
+
+CREATE TABLE authors (
+  author_id serial primary key,
+  name text
+);
+
+CREATE TABLE posts (
+  post_id serial primary key,
+  author_id integer,
+  body text
+);
+
+CREATE TABLE comments (
+  comment_id serial primary key,
+  post_id integer,
+  author_id integer,
+  body text
+);
+
+INSERT INTO authors (name) VALUES ('Kyle');
+INSERT INTO authors (name) VALUES ('Josh');
+
+INSERT INTO posts (author_id, body) VALUES (1, 'Thoughts');
+INSERT INTO posts (author_id, body) VALUES (2, 'Other thoughts');
+
+INSERT INTO comments (post_id, author_id, body) VALUES (1, 2, 'I agree');
+
+CREATE FUNCTION test () RETURNS TRIGGER LANGUAGE PLPGSQL AS $$
+BEGIN
+NEW.body='test function trigger collusion';
+RETURN NEW;
+END;
+$$
+;
+
+CREATE TRIGGER test_comments BEFORE UPDATE OR INSERT ON comments FOR EACH ROW EXECUTE PROCEDURE test();
+
+CREATE OR REPLACE FUNCTION create_role_if_not_exists(rolename VARCHAR)
+RETURNS VOID
+AS
+$create_role_if_not_exists$
+DECLARE
+BEGIN
+  IF NOT EXISTS (
+      SELECT *
+      FROM   pg_catalog.pg_roles
+      WHERE  rolname = rolename) THEN
+    EXECUTE 'CREATE ROLE ' || quote_ident(rolename) || ' ;';
+  END IF;
+END;
+$create_role_if_not_exists$
+LANGUAGE PLPGSQL;
+
+SELECT create_role_if_not_exists('_90enva');
+SELECT create_role_if_not_exists('_91se');
+SELECT create_role_if_not_exists('_91qa');
+SELECT create_role_if_not_exists('_91b');
+SELECT create_role_if_not_exists('_92se');
+SELECT create_role_if_not_exists('_92qa');
+SELECT create_role_if_not_exists('_92b');
+SELECT create_role_if_not_exists('_93se');
+SELECT create_role_if_not_exists('_93qa');
+SELECT create_role_if_not_exists('_93b');
+SELECT create_role_if_not_exists('_94se');
+SELECT create_role_if_not_exists('_94qa');
+SELECT create_role_if_not_exists('_94b');
+SELECT create_role_if_not_exists('include_this');
+SELECT create_role_if_not_exists('exclude_this');
+SELECT create_role_if_not_exists('prodder__blog_prod:permissions_test:read_write');
+SELECT create_role_if_not_exists('prodder__blog_prod:permissions_test:read_only');
+SELECT create_role_if_not_exists('prodder__blog_prod:read_write');
+SELECT create_role_if_not_exists('prodder__blog_prod:read_only');
+
+GRANT "_90enva" TO "_91se";
+GRANT "_90enva" TO "_91qa";
+GRANT "_90enva" TO "_91b";
+
+GRANT "_91se" TO "_92se";
+GRANT "_91qa" TO "_92se";
+GRANT "_91qa" TO "_92qa";
+GRANT "_91b" TO "_92qa";
+GRANT "_91qa" TO "_94se";
+
+GRANT "_92se" TO "_93se";
+GRANT "_93se" TO "_94se";
+
+GRANT "_92b" TO "_93b";
+
+GRANT "prodder__blog_prod:permissions_test:read_write" TO "_92se";
+
+GRANT "prodder__blog_prod:permissions_test:read_write" TO include_this;
+GRANT "prodder__blog_prod:permissions_test:read_only" TO exclude_this;
+
+GRANT "prodder__blog_prod:permissions_test:read_only" TO "prodder__blog_prod:read_only";
+GRANT "prodder__blog_prod:permissions_test:read_write" TO "prodder__blog_prod:read_write";
+ALTER ROLE "include_this" VALID UNTIL '2222-08-11 00:00:00-05';
+
+GRANT "prodder__blog_prod:read_only" TO prodder;
+
+CREATE SCHEMA permissions_test;
+GRANT USAGE ON SCHEMA permissions_test TO include_this;
+GRANT USAGE ON SCHEMA permissions_test TO exclude_this;
+GRANT USAGE ON SCHEMA permissions_test TO "prodder__blog_prod:permissions_test:read_only";
+GRANT USAGE ON SCHEMA permissions_test TO "prodder__blog_prod:permissions_test:read_write";
+
+GRANT SELECT, USAGE, UPDATE ON ALL SEQUENCES IN SCHEMA permissions_test TO include_this;
+GRANT SELECT, USAGE, UPDATE ON ALL SEQUENCES IN SCHEMA permissions_test TO exclude_this;
+GRANT SELECT, USAGE, UPDATE ON ALL SEQUENCES IN SCHEMA permissions_test TO "prodder__blog_prod:permissions_test:read_only";
+GRANT SELECT, USAGE, UPDATE ON ALL SEQUENCES IN SCHEMA permissions_test TO "prodder__blog_prod:permissions_test:read_write";
+
+CREATE TABLE permissions_test.standard_acl (
+  standard_acl_id serial primary key,
+  value text
+);
+
+REVOKE ALL ON permissions_test.standard_acl FROM PUBLIC;
+REVOKE ALL ON permissions_test.standard_acl FROM include_this;
+REVOKE ALL ON permissions_test.standard_acl FROM exclude_this;
+REVOKE ALL ON permissions_test.standard_acl FROM "prodder__blog_prod:permissions_test:read_only";
+REVOKE ALL ON permissions_test.standard_acl FROM "prodder__blog_prod:permissions_test:read_write";
+GRANT SELECT ON permissions_test.standard_acl TO "prodder__blog_prod:permissions_test:read_only";
+GRANT SELECT, INSERT, UPDATE, DELETE ON permissions_test.standard_acl TO "prodder__blog_prod:permissions_test:read_write";
+
+CREATE TABLE permissions_test.column_acl (
+  column_acl_id serial primary key,
+  non_acl_column integer,
+  acl_column integer
+);
+
+REVOKE ALL ON permissions_test.column_acl FROM PUBLIC;
+REVOKE ALL ON permissions_test.column_acl FROM include_this;
+REVOKE ALL ON permissions_test.column_acl FROM exclude_this;
+REVOKE ALL ON permissions_test.column_acl FROM "prodder__blog_prod:permissions_test:read_only";
+REVOKE ALL ON permissions_test.column_acl FROM "prodder__blog_prod:permissions_test:read_write";
+GRANT SELECT (acl_column) ON permissions_test.column_acl TO "prodder__blog_prod:permissions_test:read_only";
+GRANT SELECT,INSERT, UPDATE (acl_column) ON permissions_test.column_acl TO "prodder__blog_prod:permissions_test:read_write";
+
+CREATE OR REPLACE FUNCTION permissions_test.does_absolutely_nothing()
+RETURNS VOID
+AS
+$$
+BEGIN
+  PERFORM 'SELECT 1';
+END;
+$$
+SECURITY DEFINER
+LANGUAGE PLPGSQL;
+
+ALTER DEFAULT PRIVILEGES FOR ROLE prodder IN SCHEMA permissions_test GRANT SELECT ON TABLES TO "prodder__blog_prod:permissions_test:read_only";
+ALTER DEFAULT PRIVILEGES FOR ROLE prodder IN SCHEMA permissions_test GRANT SELECT, USAGE ON SEQUENCES  TO "prodder__blog_prod:permissions_test:read_only";
+ALTER DEFAULT PRIVILEGES FOR ROLE prodder IN SCHEMA permissions_test GRANT SELECT, UPDATE, INSERT, DELETE  ON TABLES TO "prodder__blog_prod:permissions_test:read_write";
+ALTER DEFAULT PRIVILEGES FOR ROLE prodder IN SCHEMA permissions_test GRANT SELECT, UPDATE, USAGE ON SEQUENCES TO "prodder__blog_prod:permissions_test:read_write";