Correct GRANTS management bugs sous-chefs#236 & sous-chefs#243
sinfomicien committed Apr 11, 2019
1 parent b4a822c commit 58446f2
Showing 4 changed files with 28 additions and 14 deletions.
2 changes: 2 additions & 0 deletions CHANGELOG.md
Expand Up @@ -15,6 +15,8 @@ The format is based on [Keep a Changelog](http://keepachangelog.com/) and this p
- Write a new documentation following sous-chefs.org guidelines
- undefined method `ext_conf_dir` when using mariadb 2.0.0 ([#225](https://github.com/sous-chefs/mariadb/issues/225))
- Rename property `apt_repository` to `apt_repository_uri` in repository resource ([#245](https://github.com/sous-chefs/mariadb/issues/245))
- Grant action should not require and modify the password ([#236](https://github.com/sous-chefs/mariadb/issues/236))
- Grant fails if symbol privilege contains an underscore ([#243](https://github.com/sous-chefs/mariadb/issues/243))

### Removed

28 changes: 16 additions & 12 deletions resources/user.rb
Expand Up @@ -36,7 +36,7 @@
if current_resource.nil?
converge_by "Creating user '#{new_resource.username}'@'#{new_resource.host}'" do
create_sql = "CREATE USER '#{new_resource.username}'@'#{new_resource.host}'"
if new_resource.password
unless new_resource.password.nil?
create_sql << ' IDENTIFIED BY '
create_sql << if new_resource.password.is_a?(HashedPassword)
" PASSWORD '#{new_resource.password}'"
Expand Down Expand Up @@ -194,7 +194,7 @@ def desired_privs
desired_privs
end

def revokify_key(key)
def clean_grant_name(key)
return '' if key.nil?

# Some keys need to be translated as outlined by the table found here:
Expand Down Expand Up @@ -245,15 +245,19 @@ def revokify_key(key)

# Repair
if incorrect_privs
privileges_to_set = new_resource.privileges.map { |key| clean_grant_name(key) }
converge_by "Granting privs for '#{new_resource.username}'@'#{new_resource.host}'" do
repair_sql = "GRANT #{new_resource.privileges.join(',')}"
repair_sql = "GRANT #{privileges_to_set.join(',')}"
repair_sql << " ON #{db_name}.#{tbl_name}"
repair_sql << " TO '#{new_resource.username}'@'#{new_resource.host}' IDENTIFIED BY"
repair_sql << if new_resource.password.is_a?(HashedPassword)
" PASSWORD '#{new_resource.password}'"
else
" '#{new_resource.password}'"
end
repair_sql << " TO '#{new_resource.username}'@'#{new_resource.host}'"
unless new_resource.password.nil?
repair_sql << ' IDENTIFIED BY'
repair_sql << if new_resource.password.is_a?(HashedPassword)
" PASSWORD '#{new_resource.password}'"
else
" '#{new_resource.password}'"
end
end
repair_sql << ' REQUIRE SSL' if new_resource.require_ssl
repair_sql << ' REQUIRE X509' if new_resource.require_x509
repair_sql << ' WITH GRANT OPTION' if new_resource.grant_option
Expand All @@ -263,9 +267,9 @@ def revokify_key(key)
run_query(repair_sql)
run_query('FLUSH PRIVILEGES')
end
else
elsif !password_up_to_date && !new_resource.password.nil?
# The grants are correct, but perhaps the password needs updating?
update_user_password unless password_up_to_date
update_user_password
end
end

Expand All @@ -286,7 +290,7 @@ def revokify_key(key)
desired_privs.each do |p|
key = p.to_s.capitalize.tr(' ', '_').gsub('Replication_', 'Repl_').gsub('Create_temporary_tables', 'Create_tmp_table').gsub('Show_databases', 'Show_db')
key = "#{key}_priv"
privs_to_revoke << revokify_key(p) if r[key] != 'N'
privs_to_revoke << clean_grant_name(p) if r[key] != 'N'
end
end

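Review bot: Making `IDENTIFIED BY` conditional in the repair branch means `GRANT ... TO '#{new_resource.username}'@'#{new_resource.host}'` can now run with no authentication clause, and if the account does not exist yet, a server without `NO_AUTO_CREATE_USER` in its `sql_mode` will create it with an empty password. Whether the grant action verifies the account first is not visible here (the action starts and ends outside the hunk); if it does not, fail early with something like `raise 'no password given and user does not exist' if new_resource.password.nil? && current_resource.nil?`, assuming `current_resource` is loaded for this action as it is in the create action. Separately, the plaintext branch still builds `" '#{new_resource.password}'"` by interpolation, so a password containing a single quote changes the statement; escaping the value before it is appended to `repair_sql` would close that.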
11 changes: 9 additions & 2 deletions test/cookbooks/test/recipes/user_database.rb
Expand Up @@ -119,15 +119,22 @@
end

mariadb_user 'fozzie' do
database_name 'databass'
password 'wokkawokka'
host 'mars'
privileges [:select, :update, :insert]
privileges [:usage]
require_ssl true
ctrl_password 'gsql'
action :grant
end

mariadb_user 'fozzie' do
database_name 'databass'
host 'mars'
privileges [:select, :update, :insert, :show_view]
ctrl_password 'gsql'
action :grant
end

hash2 = hashed_password('*F798E7C0681068BAE3242AA2297D2360DBBDA62B'); # 'zokkazokka'

mariadb_user 'moozie' do
1 change: 1 addition & 0 deletions test/integration/resources/controls/user_spec.rb
Expand Up @@ -11,6 +11,7 @@

describe sql.query("show grants for 'fozzie'@'mars'") do
its(:stdout) { should include '*EF112B3D562CB63EA3275593C10501B59C4A390D' }
its(:stdout) { should include 'SHOW VIEW' }
end

describe sql.query('show grants for \'moozie\'@\'127.0.0.1\'') do
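Review bot: The added assertion only checks that `SHOW VIEW` was granted; nothing pins what happens to the TLS requirement on `'fozzie'@'mars'` after the second, password-less grant. The test recipe sets `require_ssl true` on the first `fozzie` grant and omits it on the second, so adding `its(:stdout) { should include 'REQUIRE SSL' }` next to the hash check would show whether the follow-up GRANT keeps or drops it. That would catch a regression where a privileges-only grant weakens the account. The `moozie` describe block continues outside the hunk.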
