Merge pull request #65 from branan/14218_query_db_for_permissions

Query the database for possible permissions

Author: bodepd

lib/puppet/provider/database_grant/mysql.rb

@@ -3,21 +3,6 @@
 #   user@host => global
 #   user@host/db => per-db
 
-MYSQL_USER_PRIVS = [ :select_priv, :insert_priv, :update_priv, :delete_priv,
-  :create_priv, :drop_priv, :reload_priv, :shutdown_priv, :process_priv,
-  :file_priv, :grant_priv, :references_priv, :index_priv, :alter_priv,
-  :show_db_priv, :super_priv, :create_tmp_table_priv, :lock_tables_priv,
-  :execute_priv, :repl_slave_priv, :repl_client_priv, :create_view_priv,
-  :show_view_priv, :create_routine_priv, :alter_routine_priv,
-  :create_user_priv, :event_priv, :trigger_priv
-]
-
-MYSQL_DB_PRIVS = [ :select_priv, :insert_priv, :update_priv, :delete_priv,
-  :create_priv, :drop_priv, :grant_priv, :references_priv, :index_priv,
-  :alter_priv, :create_tmp_table_priv, :lock_tables_priv, :create_view_priv,
-  :show_view_priv, :create_routine_priv, :alter_routine_priv, :execute_priv
-]
-
 Puppet::Type.type(:database_grant).provide(:mysql) do
 
   desc "Uses mysql as database."
@@ -27,6 +12,39 @@
   optional_commands :mysql      => 'mysql'
   optional_commands :mysqladmin => 'mysqladmin'
 
+  def self.prefetch(resources)
+    @user_privs = query_user_privs
+    @db_privs = query_db_privs
+  end
+
+  def self.user_privs
+    @user_privs || query_user_privs
+  end
+
+  def self.db_privs
+    @db_privs || query_db_privs
+  end
+
+  def user_privs
+    self.class.user_privs
+  end
+
+  def db_privs
+    self.class.db_privs
+  end
+
+  def self.query_user_privs
+    results = mysql("mysql", "-Be", "describe user")
+    column_names = results.split(/\n/).map { |l| l.chomp.split(/\t/)[0] }
+    @user_privs = column_names.delete_if { |e| !( e =~/_priv$/) }.map! { |p| p.intern }
+  end
+
+  def self.query_db_privs
+    results = mysql("mysql", "-Be", "describe db")
+    column_names = results.split(/\n/).map { |l| l.chomp.split(/\t/)[0] }
+    @db_privs = column_names.delete_if { |e| !(e =~/_priv$/) }.map! { |p| p.intern }
+  end
+
   def mysql_flush
     mysqladmin "flush-privileges"
   end
@@ -84,9 +102,9 @@ def row_exists?
   def all_privs_set?
     all_privs = case split_name(@resource[:name])[:type]
                 when :user
-                  MYSQL_USER_PRIVS
+                  user_privs
                 when :db
-                  MYSQL_DB_PRIVS
+                  db_privs
                 end
     all_privs = all_privs.collect do |p| p.to_s end.sort.join("|")
     privs = privileges.collect do |p| p.to_s end.sort.join("|")
@@ -115,7 +133,7 @@ def privileges
       privs = privs.select do |p| p[0].match(/_priv$/) and p[1] == 'Y' end
     end
 
-    privs.collect do |p| symbolize(p[0].downcase) end
+    privs.collect do |p| symbolize(p[0]) end
   end
 
   def privileges=(privs)
@@ -132,11 +150,11 @@ def privileges=(privs)
     when :user
       stmt = 'update user set '
       where = ' where user="%s" and host="%s"' % [ name[:user], name[:host] ]
-      all_privs = MYSQL_USER_PRIVS
+      all_privs = user_privs
     when :db
       stmt = 'update db set '
       where = ' where user="%s" and host="%s"' % [ name[:user], name[:host] ]
-      all_privs = MYSQL_DB_PRIVS
+      all_privs = db_privs
     end
 
     if privs[0] == :all

manifests/db.pp

@@ -38,12 +38,6 @@
   $enforce_sql = false
 ) {
 
-  if $grant == 'all' {
-    $safe_grant = [ 'alter_priv', 'alter_routine_priv', 'create_priv', 'create_routine_priv', 'create_tmp_table_priv', 'create_view_priv', 'delete_priv', 'drop_priv', 'event_priv', 'execute_priv', 'grant_priv', 'index_priv', 'insert_priv', 'lock_tables_priv', 'references_priv', 'select_priv', 'show_view_priv', 'trigger_priv', 'update_priv']
-  } else {
-    $safe_grant = $grant
-  }
-
   database { $name:
     ensure   => present,
     charset  => $charset,
@@ -59,7 +53,7 @@
   }
 
   database_grant { "${user}@${host}/${name}":
-    privileges => $safe_grant,
+    privileges => $grant,
     provider   => 'mysql',
     require    => Database_user["${user}@${host}"],
   }

spec/unit/puppet/provider/database_grant/mysql_spec.rb

@@ -0,0 +1,74 @@
+require 'puppet'
+require 'mocha'
+RSpec.configure do |config|
+  config.mock_with :mocha
+end
+provider_class = Puppet::Type.type(:database_grant).provider(:mysql)
+describe provider_class do
+  before :each do
+    @resource = Puppet::Type::Database_grant.new(
+      { :privileges => 'all"', :provider => 'mysql', :name => 'user@host'}
+    )
+    @provider = provider_class.new(@resource)
+  end
+  it 'should query privilegess from the database' do
+    provider_class.expects(:mysql) .with('mysql', '-Be', 'describe user').returns <<-EOT
+Field	Type	Null	Key	Default	Extra
+Host	char(60)	NO	PRI		
+User	char(16)	NO	PRI		
+Password	char(41)	NO			
+Select_priv	enum('N','Y')	NO		N	
+Insert_priv	enum('N','Y')	NO		N	
+Update_priv	enum('N','Y')	NO		N
+EOT
+    provider_class.expects(:mysql).with('mysql', '-Be', 'describe db').returns <<-EOT
+Field	Type	Null	Key	Default	Extra
+Host	char(60)	NO	PRI		
+Db	char(64)	NO	PRI		
+User	char(16)	NO	PRI		
+Select_priv	enum('N','Y')	NO		N	
+Insert_priv	enum('N','Y')	NO		N	
+Update_priv	enum('N','Y')	NO		N
+EOT
+    provider_class.user_privs.should == [ :Select_priv, :Insert_priv, :Update_priv ]
+    provider_class.db_privs.should == [ :Select_priv, :Insert_priv, :Update_priv ]
+  end
+
+  it 'should query set priviliges' do
+    provider_class.expects(:mysql).with('mysql', '-Be', 'select * from user where user="user" and host="host"').returns <<-EOT
+Host	User	Password	Select_priv	Insert_priv	Update_priv
+host	user		Y	N	Y
+EOT
+    @provider.privileges.should == [ :Select_priv, :Update_priv ]
+  end
+
+  it 'should recognize when all priviliges are set' do
+    provider_class.expects(:mysql).with('mysql', '-Be', 'select * from user where user="user" and host="host"').returns <<-EOT
+Host	User	Password	Select_priv	Insert_priv	Update_priv
+host	user		Y	Y	Y
+EOT
+    @provider.all_privs_set?.should == true
+  end
+
+  it 'should recognize when all privileges are not set' do
+    provider_class.expects(:mysql).with('mysql', '-Be', 'select * from user where user="user" and host="host"').returns <<-EOT
+Host	User	Password	Select_priv	Insert_priv	Update_priv
+host	user		Y	N	Y
+EOT
+    @provider.all_privs_set?.should == false
+  end
+
+  it 'should be able to set all privileges' do
+    provider_class.expects(:mysql).with('mysql', '-NBe', 'SELECT "1" FROM user WHERE user = \'user\' AND host = \'host\'').returns "1\n"
+    provider_class.expects(:mysql).with('mysql', '-Be', "update user set Select_priv = 'Y', Insert_priv = 'Y', Update_priv = 'Y' where user=\"user\" and host=\"host\"")
+    provider_class.expects(:mysqladmin).with("flush-privileges")
+    @provider.privileges=([:all])
+  end
+
+  it 'should be able to set partial privileges' do
+    provider_class.expects(:mysql).with('mysql', '-NBe', 'SELECT "1" FROM user WHERE user = \'user\' AND host = \'host\'').returns "1\n"
+    provider_class.expects(:mysql).with('mysql', '-Be', "update user set Select_priv = 'Y', Insert_priv = 'N', Update_priv = 'Y' where user=\"user\" and host=\"host\"")
+    provider_class.expects(:mysqladmin).with("flush-privileges")
+    @provider.privileges=([:Select_priv, :Update_priv])
+  end
+end