
fix ensure clauses in postgresql

fixes #35
ibizaman 2023-12-03 23:33:55 -08:00
parent 183dbc0ca6
commit 745b5e3c85
3 changed files with 24 additions and 44 deletions


@ -73,12 +73,8 @@ in
services.postgresql.ensureDatabases = map ({ database, ... }: database) ensureCfgs;
services.postgresql.ensureUsers = map ({ username, database, ... }: {
name = username;
ensurePermissions = {
"DATABASE ${database}" = "ALL PRIVILEGES";
};
ensureClauses = {
"login" = true;
};
ensureDBOwnership = true;
ensureClauses.login = true;
}) ensureCfgs;
};
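Review bot: `ensureDBOwnership = true;` gives each role ownership of the database that carries the role's own name, yet this lambda still destructures `database`, which the new body no longer uses, and callers can still set `username` and `database` independently. If the two differ, then as far as I can tell from the nixpkgs module the entry either trips the upstream assertion, whose message never mentions `shb.postgresql.ensures`, or leaves the named database without the intended owner. The examples in the second file section still pair `myuser` with `mydatabase` under `ensureDBOwnership = true`, so they show exactly that mismatch. I would add a module-level assertion next to this mapping, e.g. `assertion = builtins.all (c: c.username == c.database) ensureCfgs;`, with a message naming the offending entry. The option description should also say that ownership is broader than the previous `ALL PRIVILEGES` grant, since an owner can alter or drop the database. The enclosing attribute set starts above this hunk.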


@ -64,9 +64,7 @@ in
enable = true;
ensureUsers = [{
name = "myuser";
ensurePermissions = {
"DATABASE mydatabase" = "ALL PRIVILEGES";
};
ensureDBOwnership = true;
ensureClauses = {
"login" = true;
};
@ -92,9 +90,7 @@ in
enable = true;
ensureUsers = [{
name = "myuser";
ensurePermissions = {
"DATABASE mydatabase" = "ALL PRIVILEGES";
};
ensureDBOwnership = true;
ensureClauses = {
"login" = true;
};
@ -131,18 +127,14 @@ in
ensureUsers = [
{
name = "user1";
ensurePermissions = {
"DATABASE db1" = "ALL PRIVILEGES";
};
ensureDBOwnership = true;
ensureClauses = {
"login" = true;
};
}
{
name = "user2";
ensurePermissions = {
"DATABASE db2" = "ALL PRIVILEGES";
};
ensureDBOwnership = true;
ensureClauses = {
"login" = true;
};
@ -174,18 +166,14 @@ in
ensureUsers = [
{
name = "user1";
ensurePermissions = {
"DATABASE db1" = "ALL PRIVILEGES";
};
ensureDBOwnership = true;
ensureClauses = {
"login" = true;
};
}
{
name = "user2";
ensurePermissions = {
"DATABASE db2" = "ALL PRIVILEGES";
};
ensureDBOwnership = true;
ensureClauses = {
"login" = true;
};
@ -230,18 +218,14 @@ in
ensureUsers = [
{
name = "user1";
ensurePermissions = {
"DATABASE db1" = "ALL PRIVILEGES";
};
ensureDBOwnership = true;
ensureClauses = {
"login" = true;
};
}
{
name = "user2";
ensurePermissions = {
"DATABASE db2" = "ALL PRIVILEGES";
};
ensureDBOwnership = true;
ensureClauses = {
"login" = true;
};


@ -11,7 +11,7 @@
shb.postgresql.ensures = [
{
username = "me";
database = "mine";
database = "me";
}
];
};
@ -25,10 +25,10 @@
return "sudo -u me psql -U {user} {db} --command \"\"".format(user=user, db=database)
with subtest("cannot login because of missing user"):
machine.fail(peer_cmd("me", "mine"), timeout=10)
machine.fail(peer_cmd("me", "me"), timeout=10)
with subtest("cannot login with unknown user"):
machine.fail(peer_cmd("notme", "mine"), timeout=10)
machine.fail(peer_cmd("notme", "me"), timeout=10)
with subtest("cannot login to unknown database"):
machine.fail(peer_cmd("me", "notmine"), timeout=10)
@ -53,7 +53,7 @@
shb.postgresql.ensures = [
{
username = "me";
database = "mine";
database = "me";
}
];
};
@ -70,16 +70,16 @@
return "psql -h 127.0.0.1 -p {port} -U {user} {db} --command \"\"".format(user=user, db=database, port=port)
with subtest("can login with provisioned user and database"):
machine.succeed(peer_cmd("me", "mine"), timeout=10)
machine.succeed(peer_cmd("me", "me"), timeout=10)
with subtest("cannot login with unknown user"):
machine.fail(peer_cmd("notme", "mine"), timeout=10)
machine.fail(peer_cmd("notme", "me"), timeout=10)
with subtest("cannot login to unknown database"):
machine.fail(peer_cmd("me", "notmine"), timeout=10)
with subtest("cannot login with tcpip"):
machine.fail(tcpip_cmd("me", "mine", "5432"), timeout=10)
machine.fail(tcpip_cmd("me", "me", "5432"), timeout=10)
'';
};
@ -95,7 +95,7 @@
shb.postgresql.ensures = [
{
username = "me";
database = "mine";
database = "me";
}
];
};
@ -112,10 +112,10 @@
return "psql -h 127.0.0.1 -p {port} -U {user} {db} --command \"\"".format(user=user, db=database, port=port)
with subtest("cannot login without existing user"):
machine.fail(peer_cmd("me", "mine"), timeout=10)
machine.fail(peer_cmd("me", "me"), timeout=10)
with subtest("cannot login with user without password"):
machine.fail(tcpip_cmd("me", "mine", "5432"), timeout=10)
machine.fail(tcpip_cmd("me", "me", "5432"), timeout=10)
'';
};
@ -141,7 +141,7 @@
shb.postgresql.ensures = [
{
username = "me";
database = "mine";
database = "me";
passwordFile = "/run/dbsecret";
}
];
@ -159,13 +159,13 @@
return "PGPASSWORD={password} psql -h 127.0.0.1 -p {port} -U {user} {db} --command \"\"".format(user=user, db=database, port=port, password=password)
with subtest("can peer login with provisioned user and database"):
machine.succeed(peer_cmd("me", "mine"), timeout=10)
machine.succeed(peer_cmd("me", "me"), timeout=10)
with subtest("can tcpip login with provisioned user and database"):
machine.succeed(tcpip_cmd("me", "mine", "5432", "secretpw"), timeout=10)
machine.succeed(tcpip_cmd("me", "me", "5432", "secretpw"), timeout=10)
with subtest("cannot tcpip login with wrong password"):
machine.fail(tcpip_cmd("me", "mine", "5432", "oops"), timeout=10)
machine.fail(tcpip_cmd("me", "me", "5432", "oops"), timeout=10)
'';
};
}
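Review bot: Every scenario in this file now uses `username = "me"` with `database = "me"`, so the `user` and `db` arguments of `peer_cmd` and `tcpip_cmd` are indistinguishable in the positive subtests. A regression that ignores `database`, or a helper call with the arguments swapped, would still pass. No case covers an entry whose `username` and `database` differ, which is the configuration this commit appears to stop supporting. An evaluation-level check that such an entry is rejected with a clear message would pin the new contract. It would also help to add a scenario with two `ensures` entries that records what the second provisioned role can and cannot do against the first role's database, since the ownership model is what this commit changes and only the single-tenant path is exercised.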