-
-
Notifications
You must be signed in to change notification settings - Fork 63
/
Copy pathrole.go
106 lines (93 loc) · 2.8 KB
/
role.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
package postgres
import (
"fmt"
"github.com/go-logr/logr"
"github.com/lib/pq"
)
const (
CREATE_GROUP_ROLE = `CREATE ROLE "%s"`
CREATE_USER_ROLE = `CREATE ROLE "%s" WITH LOGIN PASSWORD '%s'`
GRANT_ROLE = `GRANT "%s" TO "%s"`
ALTER_USER_SET_ROLE = `ALTER USER "%s" SET ROLE "%s"`
REVOKE_ROLE = `REVOKE "%s" FROM "%s"`
UPDATE_PASSWORD = `ALTER ROLE "%s" WITH PASSWORD '%s'`
DROP_ROLE = `DROP ROLE "%s"`
DROP_OWNED_BY = `DROP OWNED BY "%s"`
REASIGN_OBJECTS = `REASSIGN OWNED BY "%s" TO "%s"`
)
func (c *pg) CreateGroupRole(role string) error {
// Error code 42710 is duplicate_object (role already exists)
_, err := c.db.Exec(fmt.Sprintf(CREATE_GROUP_ROLE, role))
if err != nil && err.(*pq.Error).Code != "42710" {
return err
}
return nil
}
func (c *pg) CreateUserRole(role, password string) (string, error) {
_, err := c.db.Exec(fmt.Sprintf(CREATE_USER_ROLE, role, password))
if err != nil {
return "", err
}
return role, nil
}
func (c *pg) GrantRole(role, grantee string) error {
// Don't grant role to itself
if grantee == role {
return nil
}
_, err := c.db.Exec(fmt.Sprintf(GRANT_ROLE, role, grantee))
if err != nil {
return err
}
return nil
}
func (c *pg) AlterDefaultLoginRole(role, setRole string) error {
_, err := c.db.Exec(fmt.Sprintf(ALTER_USER_SET_ROLE, role, setRole))
if err != nil {
return err
}
return nil
}
func (c *pg) RevokeRole(role, revoked string) error {
_, err := c.db.Exec(fmt.Sprintf(REVOKE_ROLE, role, revoked))
if err != nil {
return err
}
return nil
}
func (c *pg) DropRole(role, newOwner, database string, logger logr.Logger) error {
// REASSIGN OWNED BY only works if the correct database is selected
tmpDb, err := GetConnection(c.user, c.pass, c.host, database, c.args, logger)
if err != nil {
if err.(*pq.Error).Code == "3D000" {
return nil // Database is does not exist (anymore)
} else {
return err
}
}
_, err = tmpDb.Exec(fmt.Sprintf(REASIGN_OBJECTS, role, newOwner))
defer tmpDb.Close()
// Check if error exists and if different from "ROLE NOT FOUND" => 42704
if err != nil && err.(*pq.Error).Code != "42704" {
return err
}
// We previously assigned all objects to the operator's role so DROP OWNED BY will drop privileges of role
_, err = tmpDb.Exec(fmt.Sprintf(DROP_OWNED_BY, role))
// Check if error exists and if different from "ROLE NOT FOUND" => 42704
if err != nil && err.(*pq.Error).Code != "42704" {
return err
}
_, err = c.db.Exec(fmt.Sprintf(DROP_ROLE, role))
// Check if error exists and if different from "ROLE NOT FOUND" => 42704
if err != nil && err.(*pq.Error).Code != "42704" {
return err
}
return nil
}
func (c *pg) UpdatePassword(role, password string) error {
_, err := c.db.Exec(fmt.Sprintf(UPDATE_PASSWORD, role, password))
if err != nil {
return err
}
return nil
}