
fix ensure clauses in postgresql

fixes #35
ibizaman 2023-12-03 23:33:55 -08:00 committed by Pierre Penninckx
parent 13a90f1ad4
commit 0242ae26c4
4 changed files with 40 additions and 60 deletions


@ -35,11 +35,11 @@
},
"nixpkgs": {
"locked": {
"lastModified": 1687412861,
"narHash": "sha256-Z/g0wbL68C+mSGerYS2quv9FXQ1RRP082cAC0Bh4vcs=",
"lastModified": 1701253981,
"narHash": "sha256-ztaDIyZ7HrTAfEEUt9AtTDNoCYxUdSd6NrRHaYOIxtk=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "e603dc5f061ca1d8a19b3ede6a8cf9c9fcba6cdc",
"rev": "e92039b55bcd58469325ded85d4f58dd5a4eaf58",
"type": "github"
},
"original": {
@ -51,11 +51,11 @@
},
"nixpkgs-stable": {
"locked": {
"lastModified": 1687031877,
"narHash": "sha256-yMFcVeI+kZ6KD2QBrFPNsvBrLq2Gt//D0baHByMrjFY=",
"lastModified": 1701568804,
"narHash": "sha256-iwr1fjOCvlirVL/xNvOTwY9kg3L/F3TC/7yh/QszaPI=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "e2e2059d19668dab1744301b8b0e821e3aae9c99",
"rev": "dc01248a9c946953ad4d438b0a626f5c987a93e4",
"type": "github"
},
"original": {
@ -67,11 +67,11 @@
},
"nixpkgs_2": {
"locked": {
"lastModified": 1686979235,
"narHash": "sha256-gBlBtk+KrezFkfMrZw6uwTuA7YWtbFciiS14mEoTCo0=",
"lastModified": 1701336116,
"narHash": "sha256-kEmpezCR/FpITc6yMbAh4WrOCiT2zg5pSjnKrq51h5Y=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "7cc30fd5372ddafb3373c318507d9932bd74aafe",
"rev": "f5c27c6136db4d76c30e533c20517df6864c46ee",
"type": "github"
},
"original": {
@ -84,11 +84,11 @@
"nmdsrc": {
"flake": false,
"locked": {
"lastModified": 1687627428,
"narHash": "sha256-7zGfXuNS5RHqhpEdz2fwrtqvF86JRo5U1hrxZSYgcm8=",
"lastModified": 1701431551,
"narHash": "sha256-5HPHG1u3koaWHG/TXHl5/YxYPYOuKc58104btrD8ypE=",
"ref": "refs/heads/master",
"rev": "824a380546b5d0d0eb701ff8cd5dbafb360750ff",
"revCount": 63,
"rev": "f18defadcc25e69e95b04493ee02682005472255",
"revCount": 65,
"type": "git",
"url": "https://git.sr.ht/~rycee/nmd"
},
@ -112,11 +112,11 @@
"nixpkgs-stable": "nixpkgs-stable"
},
"locked": {
"lastModified": 1687398569,
"narHash": "sha256-e/umuIKFcFtZtWeX369Hbdt9r+GQ48moDmlTcyHWL28=",
"lastModified": 1701572436,
"narHash": "sha256-0anfOQqDend6kSuF8CmOSAZsiAS1nwOsin5VQukh6Q4=",
"owner": "Mic92",
"repo": "sops-nix",
"rev": "2ff6973350682f8d16371f8c071a304b8067f192",
"rev": "8bca48cb9a12bbd8766f359ad00336924e91b7f7",
"type": "github"
},
"original": {


@ -72,12 +72,8 @@ in
services.postgresql.ensureDatabases = map ({ database, ... }: database) ensureCfgs;
services.postgresql.ensureUsers = map ({ username, database, ... }: {
name = username;
ensurePermissions = {
"DATABASE ${database}" = "ALL PRIVILEGES";
};
ensureClauses = {
"login" = true;
};
ensureDBOwnership = true;
ensureClauses.login = true;
}) ensureCfgs;
};
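Review bot: With `ensureDBOwnership = true` the role is made owner of the database that shares its name, so the `database` field of an `ensures` entry no longer decides what `username` is granted. As far as I know the upstream nixpkgs module asserts that each such user has a same-named entry in `ensureDatabases`, so an entry with differing names would fail evaluation with an upstream message rather than one pointing at `shb.postgresql.ensures`. I would add a module-level check beside these lines (or append to an existing `assertions` list), for example `assertions = map ({ username, database, ... }: { assertion = username == database; message = "shb.postgresql.ensures: username and database must be identical"; }) ensureCfgs;`. Ownership is also broader than the removed `ALL PRIVILEGES` grant, since an owner can alter or drop the database, and that deserves a comment on the `ensureDBOwnership` line. The expectations in the following file section appear to still pair `myuser` with `mydatabase` and `user1` with `db1`; the enclosing attribute set starts outside this hunk.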


@ -64,9 +64,7 @@ in
enable = true;
ensureUsers = [{
name = "myuser";
ensurePermissions = {
"DATABASE mydatabase" = "ALL PRIVILEGES";
};
ensureDBOwnership = true;
ensureClauses = {
"login" = true;
};
@ -92,9 +90,7 @@ in
enable = true;
ensureUsers = [{
name = "myuser";
ensurePermissions = {
"DATABASE mydatabase" = "ALL PRIVILEGES";
};
ensureDBOwnership = true;
ensureClauses = {
"login" = true;
};
@ -131,18 +127,14 @@ in
ensureUsers = [
{
name = "user1";
ensurePermissions = {
"DATABASE db1" = "ALL PRIVILEGES";
};
ensureDBOwnership = true;
ensureClauses = {
"login" = true;
};
}
{
name = "user2";
ensurePermissions = {
"DATABASE db2" = "ALL PRIVILEGES";
};
ensureDBOwnership = true;
ensureClauses = {
"login" = true;
};
@ -174,18 +166,14 @@ in
ensureUsers = [
{
name = "user1";
ensurePermissions = {
"DATABASE db1" = "ALL PRIVILEGES";
};
ensureDBOwnership = true;
ensureClauses = {
"login" = true;
};
}
{
name = "user2";
ensurePermissions = {
"DATABASE db2" = "ALL PRIVILEGES";
};
ensureDBOwnership = true;
ensureClauses = {
"login" = true;
};
@ -230,18 +218,14 @@ in
ensureUsers = [
{
name = "user1";
ensurePermissions = {
"DATABASE db1" = "ALL PRIVILEGES";
};
ensureDBOwnership = true;
ensureClauses = {
"login" = true;
};
}
{
name = "user2";
ensurePermissions = {
"DATABASE db2" = "ALL PRIVILEGES";
};
ensureDBOwnership = true;
ensureClauses = {
"login" = true;
};


@ -11,7 +11,7 @@
shb.postgresql.ensures = [
{
username = "me";
database = "mine";
database = "me";
}
];
};
@ -25,10 +25,10 @@
return "sudo -u me psql -U {user} {db} --command \"\"".format(user=user, db=database)
with subtest("cannot login because of missing user"):
machine.fail(peer_cmd("me", "mine"), timeout=10)
machine.fail(peer_cmd("me", "me"), timeout=10)
with subtest("cannot login with unknown user"):
machine.fail(peer_cmd("notme", "mine"), timeout=10)
machine.fail(peer_cmd("notme", "me"), timeout=10)
with subtest("cannot login to unknown database"):
machine.fail(peer_cmd("me", "notmine"), timeout=10)
@ -53,7 +53,7 @@
shb.postgresql.ensures = [
{
username = "me";
database = "mine";
database = "me";
}
];
};
@ -70,16 +70,16 @@
return "psql -h 127.0.0.1 -p {port} -U {user} {db} --command \"\"".format(user=user, db=database, port=port)
with subtest("can login with provisioned user and database"):
machine.succeed(peer_cmd("me", "mine"), timeout=10)
machine.succeed(peer_cmd("me", "me"), timeout=10)
with subtest("cannot login with unknown user"):
machine.fail(peer_cmd("notme", "mine"), timeout=10)
machine.fail(peer_cmd("notme", "me"), timeout=10)
with subtest("cannot login to unknown database"):
machine.fail(peer_cmd("me", "notmine"), timeout=10)
with subtest("cannot login with tcpip"):
machine.fail(tcpip_cmd("me", "mine", "5432"), timeout=10)
machine.fail(tcpip_cmd("me", "me", "5432"), timeout=10)
'';
};
@ -95,7 +95,7 @@
shb.postgresql.ensures = [
{
username = "me";
database = "mine";
database = "me";
}
];
};
@ -112,10 +112,10 @@
return "psql -h 127.0.0.1 -p {port} -U {user} {db} --command \"\"".format(user=user, db=database, port=port)
with subtest("cannot login without existing user"):
machine.fail(peer_cmd("me", "mine"), timeout=10)
machine.fail(peer_cmd("me", "me"), timeout=10)
with subtest("cannot login with user without password"):
machine.fail(tcpip_cmd("me", "mine", "5432"), timeout=10)
machine.fail(tcpip_cmd("me", "me", "5432"), timeout=10)
'';
};
@ -141,7 +141,7 @@
shb.postgresql.ensures = [
{
username = "me";
database = "mine";
database = "me";
passwordFile = "/run/dbsecret";
}
];
@ -159,13 +159,13 @@
return "PGPASSWORD={password} psql -h 127.0.0.1 -p {port} -U {user} {db} --command \"\"".format(user=user, db=database, port=port, password=password)
with subtest("can peer login with provisioned user and database"):
machine.succeed(peer_cmd("me", "mine"), timeout=10)
machine.succeed(peer_cmd("me", "me"), timeout=10)
with subtest("can tcpip login with provisioned user and database"):
machine.succeed(tcpip_cmd("me", "mine", "5432", "secretpw"), timeout=10)
machine.succeed(tcpip_cmd("me", "me", "5432", "secretpw"), timeout=10)
with subtest("cannot tcpip login with wrong password"):
machine.fail(tcpip_cmd("me", "mine", "5432", "oops"), timeout=10)
machine.fail(tcpip_cmd("me", "me", "5432", "oops"), timeout=10)
'';
};
}
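Review bot: Every subtest still runs psql with `--command \"\"`, so it proves only that a connection is accepted and would pass the same way if `ensureDBOwnership` had no effect. Since the commit is about the ownership grant, I would add a subtest to the provisioned scenarios that performs an owner-level action, e.g. `machine.succeed("sudo -u me psql -U me me --command 'CREATE TABLE t (id int)'", timeout=10)`. With `database` now equal to `username` in every scenario, no case is left that checks a provisioned role against a database provisioned for a different role; a second `ensures` entry would cover that. `peer_cmd` and `tcpip_cmd` are defined partly outside the visible hunks.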