qontract-reconcile 0.10.1rc428__py3-none-any.whl → 0.10.1rc429__py3-none-any.whl

{qontract_reconcile-0.10.1rc428.dist-info → qontract_reconcile-0.10.1rc429.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: qontract-reconcile
-Version: 0.10.1rc428
+Version: 0.10.1rc429
 Summary: Collection of tools to reconcile services with their desired state as defined in the app-interface DB.
 Home-page: https://github.com/app-sre/qontract-reconcile
 Author: Red Hat App-SRE Team

{qontract_reconcile-0.10.1rc428.dist-info → qontract_reconcile-0.10.1rc429.dist-info}/RECORD

@@ -16,7 +16,7 @@ reconcile/dashdotdb_cso.py,sha256=FoXrWGpOwXG5jf0eklN84tjJVUAYzKat7rtq_28JMlQ,36
 reconcile/dashdotdb_dora.py,sha256=FINH-8dU3_r8EgUOMiF_fbxD9fKs6LFDxe6rufQ9XcM,17214
 reconcile/dashdotdb_dvo.py,sha256=YXqpI6fBQAql-ybGI0grj9gWMzmKiAvPE__pNju6obk,8996
 reconcile/dashdotdb_slo.py,sha256=bf1WSh5JP9obHVQsMy0OO71_VTYZgwAopElFZM6DmRo,6714
-reconcile/database_access_manager.py,sha256=in-tEyL7IfS0vLO88kG7Duq9hyFw4u9sdY1ARK-z_dk,21013
+reconcile/database_access_manager.py,sha256=pbf3n-8f2sxitMbj9Y2g0G_U7yfHiJaNX4lverxPnX8,21758
 reconcile/dynatrace_token_provider.py,sha256=HWItJ_LavPcUJlpYz5fmfnfOpP2-0Qjkar0EAzBJ5Cw,16602
 reconcile/email_sender.py,sha256=-5L-Ag_jaEYSzYRoMr52KQBRXz1E8yx9GqLbg2X4XFU,3533
 reconcile/gabi_authorized_users.py,sha256=rCosZv8Iu9jhWG88YiwK-gftX475aJ1R-PYIJYp_svY,4342
@@ -368,7 +368,7 @@ reconcile/test/test_checkpoint.py,sha256=sbDtqTbfw5yMZ_mCltMXxkyyGueVLGUjTDtcWhP
 reconcile/test/test_cli.py,sha256=qx_iBwh4Z-YkK3sbjK1wEziPTgn060EN-baf9DNvR3k,1096
 reconcile/test/test_closedbox_endpoint_monitoring.py,sha256=isMHYwRWMFARU2nbJgbl69kD6H0eA86noCM4MPVI1fo,7151
 reconcile/test/test_dashdotdb_dora.py,sha256=XDMdnLDvup8sSqQEynxdPhXQZAafYbd2IUo9flSRJ8I,7917
-reconcile/test/test_database_access_manager.py,sha256=JLoiR_OjRqgi6LdzqDUij_MaXAjGcY9RTFKDLkTJPCU,11987
+reconcile/test/test_database_access_manager.py,sha256=gevaMDgOrpnrzYy7JrcJsYf1ZnyvBA2RB5G96JxJYn4,13278
 reconcile/test/test_gabi_authorized_users.py,sha256=6XnV5Q9inxP81ktGMVKyWucjBTUj8Imy2L0HG3YHyUE,2496
 reconcile/test/test_github_org.py,sha256=j3KeB4OnSln1gm2hidce49xdMru-j75NS3cM-AEgzZc,4511
 reconcile/test/test_github_repo_invites.py,sha256=QJ0VFk5B59rx4XtHoT6XOGWw9xRIZMen_cgtviN_Vi8,3419
@@ -637,8 +637,8 @@ tools/test/test_app_interface_metrics_exporter.py,sha256=dmEcNwZltP1rd_4DbxIYakO
 tools/test/test_qontract_cli.py,sha256=awwTHEc2DWlykuqGIYM0WOBoSL0KRnOraCLk3C7izis,1401
 tools/test/test_sd_app_sre_alert_report.py,sha256=v363r9zM7__0kR5K6mvJoGFcM9BvE33fWAayrqkpojA,2116
 tools/test/test_sre_checkpoints.py,sha256=SKqPPTl9ua0RFdSSofnoQX-JZE6dFLO3LRhfQzqtfh8,2607
-qontract_reconcile-0.10.1rc428.dist-info/METADATA,sha256=TSsRbwFJFumatlbN5nmXMkU7rVyqg5OFbmlTYav_qwc,2347
-qontract_reconcile-0.10.1rc428.dist-info/WHEEL,sha256=Xo9-1PvkuimrydujYJAjF7pCkriuXBpUPEjma1nZyJ0,92
-qontract_reconcile-0.10.1rc428.dist-info/entry_points.txt,sha256=rTjAv28I_CHLM8ID3OPqMI_suoQ9s7tFbim4aYjn9kk,376
-qontract_reconcile-0.10.1rc428.dist-info/top_level.txt,sha256=l5ISPoXzt0SdR4jVdkfa7RPSKNc8zAHYWAnR-Dw8Ey8,24
-qontract_reconcile-0.10.1rc428.dist-info/RECORD,,
+qontract_reconcile-0.10.1rc429.dist-info/METADATA,sha256=IlUDMzAOQmNRBNLh7JrCttTiTIiQiuy-cCb8gLp4gNk,2347
+qontract_reconcile-0.10.1rc429.dist-info/WHEEL,sha256=Xo9-1PvkuimrydujYJAjF7pCkriuXBpUPEjma1nZyJ0,92
+qontract_reconcile-0.10.1rc429.dist-info/entry_points.txt,sha256=rTjAv28I_CHLM8ID3OPqMI_suoQ9s7tFbim4aYjn9kk,376
+qontract_reconcile-0.10.1rc429.dist-info/top_level.txt,sha256=l5ISPoXzt0SdR4jVdkfa7RPSKNc8zAHYWAnR-Dw8Ey8,24
+qontract_reconcile-0.10.1rc429.dist-info/RECORD,,

reconcile/database_access_manager.py

@@ -9,6 +9,7 @@ from typing import (
     Any,
     Callable,
     Optional,
+    TypedDict,
 )
 
 from pydantic import BaseModel
@@ -67,6 +68,7 @@ class DatabaseConnectionParameters(BaseModel):
 class PSQLScriptGenerator(BaseModel):
     db_access: DatabaseAccessV1
     connection_parameter: DatabaseConnectionParameters
+    admin_connection_parameter: DatabaseConnectionParameters
     engine: str
 
     def _get_db(self) -> str:
@@ -92,7 +94,7 @@ select 'CREATE ROLE "{self._get_user()}"  WITH LOGIN PASSWORD ''{self.connection
 WHERE NOT EXISTS (SELECT FROM pg_catalog.pg_roles WHERE rolname = '{self._get_db()}');\\gexec
 
 -- rds specific, grant role to admin or create schema fails
-grant "{self._get_user()}" to postgres;
+GRANT "{self._get_user()}" to "{self.admin_connection_parameter.user}";
 CREATE SCHEMA IF NOT EXISTS "{self._get_user()}" AUTHORIZATION "{self._get_user()}";"""
 
     def _generate_db_access(self) -> str:
@@ -357,7 +359,8 @@ def _populate_resources(
     admin_secret_name: str,
     resource_prefix: str,
     settings: dict[Any, Any],
-    database_connection: DatabaseConnectionParameters,
+    user_connection: DatabaseConnectionParameters,
+    admin_connection: DatabaseConnectionParameters,
 ) -> list[DBAMResource]:
     managed_resources: list[DBAMResource] = []
     # create service account
@@ -371,7 +374,8 @@ def _populate_resources(
     # create script secret
     generator = PSQLScriptGenerator(
         db_access=db_access,
-        connection_parameter=database_connection,
+        connection_parameter=user_connection,
+        admin_connection_parameter=admin_connection,
         engine=engine,
     )
     script_secret_name = f"{resource_prefix}-script"
@@ -387,7 +391,7 @@ def _populate_resources(
     # create user secret
     managed_resources.append(
         DBAMResource(
-            resource=generate_user_secret_spec(resource_prefix, database_connection),
+            resource=generate_user_secret_spec(resource_prefix, user_connection),
             clean_up=False,
         )
     )
@@ -433,13 +437,18 @@ def _generate_password() -> str:
     return "".join(choices(ascii_letters + digits, k=32))
 
 
+class _DBDonnections(TypedDict):
+    user: DatabaseConnectionParameters
+    admin: DatabaseConnectionParameters
+
+
 def _create_database_connection_parameter(
     db_access: DatabaseAccessV1,
     namespace_name: str,
     oc: OCClient,
     admin_secret_name: str,
     user_secret_name: str,
-) -> DatabaseConnectionParameters:
+) -> _DBDonnections:
     def _decode_secret_value(value: str) -> str:
         return base64.b64decode(value).decode("utf-8")
 
@@ -449,6 +458,13 @@ def _create_database_connection_parameter(
         user_secret_name,
         allow_not_found=True,
     )
+    admin_secret = oc.get(
+        namespace_name,
+        "Secret",
+        admin_secret_name,
+        allow_not_found=False,
+    )
+
     if user_secret:
         password = _decode_secret_value(user_secret["data"]["db.password"])
         host = _decode_secret_value(user_secret["data"]["db.host"])
@@ -456,25 +472,27 @@ def _create_database_connection_parameter(
         port = _decode_secret_value(user_secret["data"]["db.port"])
         database = _decode_secret_value(user_secret["data"]["db.name"])
     else:
-        admin_secret = oc.get(
-            namespace_name,
-            "Secret",
-            admin_secret_name,
-            allow_not_found=False,
-        )
         host = _decode_secret_value(admin_secret["data"]["db.host"])
         port = _decode_secret_value(admin_secret["data"]["db.port"])
         user = db_access.username
         password = _generate_password()
         database = db_access.database
-    database_connection = DatabaseConnectionParameters(
-        host=host,
-        port=port,
-        user=user,
-        password=password,
-        database=database,
+    return _DBDonnections(
+        user=DatabaseConnectionParameters(
+            host=host,
+            port=port,
+            user=user,
+            password=password,
+            database=database,
+        ),
+        admin=DatabaseConnectionParameters(
+            host=_decode_secret_value(admin_secret["data"]["db.host"]),
+            port=_decode_secret_value(admin_secret["data"]["db.port"]),
+            user=_decode_secret_value(admin_secret["data"]["db.user"]),
+            password=_decode_secret_value(admin_secret["data"]["db.password"]),
+            database=_decode_secret_value(admin_secret["data"]["db.name"]),
+        ),
     )
-    return database_connection
 
 
 class JobFailedError(Exception):
@@ -506,7 +524,7 @@ def _process_db_access(
     ) as oc_map:
         oc = oc_map.get_cluster(cluster_name, False)
 
-        database_connection = _create_database_connection_parameter(
+        connections = _create_database_connection_parameter(
             db_access,
             namespace_name,
             oc,
@@ -526,7 +544,8 @@ def _process_db_access(
             admin_secret_name,
             resource_prefix,
             settings,
-            database_connection,
+            connections["user"],
+            connections["admin"],
         )
 
         # create job, delete old, failed job first

reconcile/test/test_database_access_manager.py

@@ -16,6 +16,7 @@ from reconcile.database_access_manager import (
     JobStatusCondition,
     PSQLScriptGenerator,
     _create_database_connection_parameter,
+    _DBDonnections,
     _generate_password,
     _populate_resources,
     _process_db_access,
@@ -87,6 +88,17 @@ def db_connection_parameter():
     )
 
 
+@pytest.fixture
+def db_admin_connection_parameter():
+    return DatabaseConnectionParameters(
+        host="localhost",
+        port="5432",
+        user="admin",
+        password="adminpw",  # notsecret
+        database="test",
+    )
+
+
 @pytest.fixture
 def db_secret_dict() -> dict[str, dict[str, str]]:
     return {
@@ -118,6 +130,7 @@ def _assert_create_script(script: str) -> None:
     assert "REVOKE ALL ON DATABASE" in script
     assert 'CREATE ROLE "test"  WITH LOGIN PASSWORD' in script
     assert "CREATE SCHEMA IF NOT EXISTS" in script
+    assert 'GRANT "test" to "admin";' in script
 
 
 def _assert_grant_access(script: str) -> None:
@@ -125,11 +138,14 @@ def _assert_grant_access(script: str) -> None:
 
 
 def test_generate_create_user(
-    db_access: DatabaseAccessV1, db_connection_parameter: DatabaseConnectionParameters
+    db_access: DatabaseAccessV1,
+    db_connection_parameter: DatabaseConnectionParameters,
+    db_admin_connection_parameter: DatabaseConnectionParameters,
 ) -> None:
     s = PSQLScriptGenerator(
         db_access=db_access,
         connection_parameter=db_connection_parameter,
+        admin_connection_parameter=db_admin_connection_parameter,
         engine="postgres",
     )
     script = s._generate_create_user()
@@ -140,12 +156,14 @@ def test_generate_access(
     db_access: DatabaseAccessV1,
     db_access_access: DatabaseAccessAccessV1,
     db_connection_parameter: DatabaseConnectionParameters,
+    db_admin_connection_parameter: DatabaseConnectionParameters,
 ):
     db_access.access = [db_access_access]
 
     s = PSQLScriptGenerator(
         db_access=db_access,
         connection_parameter=db_connection_parameter,
+        admin_connection_parameter=db_connection_parameter,
         engine="postgres",
     )
     script = s._generate_db_access()
@@ -155,10 +173,12 @@ def test_generate_access(
 def test_generate_complete(
     db_access_complete: DatabaseAccessV1,
     db_connection_parameter: DatabaseConnectionParameters,
+    db_admin_connection_parameter: DatabaseConnectionParameters,
 ):
     s = PSQLScriptGenerator(
         db_access=db_access_complete,
         connection_parameter=db_connection_parameter,
+        admin_connection_parameter=db_admin_connection_parameter,
         engine="postgres",
     )
     script = s.generate_script()
@@ -185,6 +205,7 @@ def test_populate_resources(
     mocker: MockerFixture,
     db_access: DatabaseAccessV1,
     db_connection_parameter: DatabaseConnectionParameters,
+    db_admin_connection_parameter: DatabaseConnectionParameters,
     openshift_resource_secet: OpenshiftResource,
 ):
     mocker.patch(
@@ -205,7 +226,8 @@ def test_populate_resources(
         admin_secret_name="db-secret",
         resource_prefix="dbam-foo",
         settings={"foo": "bar"},
-        database_connection=db_connection_parameter,
+        user_connection=db_connection_parameter,
+        admin_connection=db_admin_connection_parameter,
     )
 
     r_kinds = [r.resource.kind for r in reources]
@@ -226,7 +248,7 @@ def test__create_database_connection_parameter_user_exists(
         admin_secret_name="db-secret",
         user_secret_name="db-user-secret",
     )
-    assert p == DatabaseConnectionParameters(
+    conn = DatabaseConnectionParameters(
         host="localhost",
         port="5432",
         user="test",
@@ -234,6 +256,10 @@ def test__create_database_connection_parameter_user_exists(
         database="test",
     )
 
+    assert p["user"] == conn
+    assert p["admin"] == conn
+    assert oc.get.call_count == 2
+
 
 def test__create_database_connection_parameter_user_missing(
     db_access: DatabaseAccessV1,
@@ -254,7 +280,7 @@ def test__create_database_connection_parameter_user_missing(
         admin_secret_name="db-secret",
         user_secret_name="db-user-secret",
     )
-    assert p == DatabaseConnectionParameters(
+    conn = DatabaseConnectionParameters(
         host="localhost",
         port="5432",
         user="test",
@@ -262,6 +288,13 @@ def test__create_database_connection_parameter_user_missing(
         database="test",
     )
 
+    admin_conn = conn.copy()
+    admin_conn.password = "hduhsdfuhsdf"
+
+    assert p["user"] == conn
+    assert p["admin"] == admin_conn
+    assert oc.get.call_count == 2
+
 
 def test_generate_password():
     assert len(_generate_password()) == 32
@@ -275,12 +308,18 @@ def dbam_state(mocker: MockerFixture) -> MockerFixture:
 
 @pytest.fixture
 def dbam_process_mocks(
-    openshift_resource_secet: OpenshiftResource, mocker: MockerFixture
+    openshift_resource_secet: OpenshiftResource,
+    mocker: MockerFixture,
+    db_connection_parameter: DatabaseConnectionParameters,
+    db_admin_connection_parameter: DatabaseConnectionParameters,
 ) -> DBAMResource:
     expected_resource = DBAMResource(resource=openshift_resource_secet, clean_up=True)
     mocker.patch(
         "reconcile.database_access_manager._create_database_connection_parameter",
-        return_value=db_connection_parameter,
+        return_value=_DBDonnections(
+            user=db_connection_parameter,
+            admin=db_admin_connection_parameter,
+        ),
     )
     mocker.patch(
         "reconcile.database_access_manager._populate_resources",