From 745b5e3c85e05ea7b795e02484bea4df732ee7ef Mon Sep 17 00:00:00 2001 From: ibizaman Date: Sun, 3 Dec 2023 23:33:55 -0800 Subject: [PATCH] fix ensure clauses in postgresql fixes #35 --- modules/blocks/postgresql.nix | 8 ++------ test/modules/postgresql.nix | 32 ++++++++------------------------ test/vm/postgresql.nix | 28 ++++++++++++++-------------- 3 files changed, 24 insertions(+), 44 deletions(-) diff --git a/modules/blocks/postgresql.nix b/modules/blocks/postgresql.nix index 136822d..391e8a2 100644 --- a/modules/blocks/postgresql.nix +++ b/modules/blocks/postgresql.nix @@ -73,12 +73,8 @@ in services.postgresql.ensureDatabases = map ({ database, ... }: database) ensureCfgs; services.postgresql.ensureUsers = map ({ username, database, ... }: { name = username; - ensurePermissions = { - "DATABASE ${database}" = "ALL PRIVILEGES"; - }; - ensureClauses = { - "login" = true; - }; + ensureDBOwnership = true; + ensureClauses.login = true; }) ensureCfgs; }; diff --git a/test/modules/postgresql.nix b/test/modules/postgresql.nix index 91db948..863fa75 100644 --- a/test/modules/postgresql.nix +++ b/test/modules/postgresql.nix @@ -64,9 +64,7 @@ in enable = true; ensureUsers = [{ name = "myuser"; - ensurePermissions = { - "DATABASE mydatabase" = "ALL PRIVILEGES"; - }; + ensureDBOwnership = true; ensureClauses = { "login" = true; }; @@ -92,9 +90,7 @@ in enable = true; ensureUsers = [{ name = "myuser"; - ensurePermissions = { - "DATABASE mydatabase" = "ALL PRIVILEGES"; - }; + ensureDBOwnership = true; ensureClauses = { "login" = true; }; @@ -131,18 +127,14 @@ in ensureUsers = [ { name = "user1"; - ensurePermissions = { - "DATABASE db1" = "ALL PRIVILEGES"; - }; + ensureDBOwnership = true; ensureClauses = { "login" = true; }; } { name = "user2"; - ensurePermissions = { - "DATABASE db2" = "ALL PRIVILEGES"; - }; + ensureDBOwnership = true; ensureClauses = { "login" = true; }; 
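Review bot: After this change the `database` bound in `map ({ username, database, ... }: …)` in modules/blocks/postgresql.nix is no longer used, while `ensureDBOwnership = true` only makes the user owner of a database with the same name as the user, yet the module still accepts an `ensures` entry whose `database` differs from `username` (the VM tests had to rename `mine` → `me` for exactly that reason). A mismatched entry would still be created via `ensureDatabases` while the user owns nothing, so add an assertion next to these options — e.g. `assertions = map ({ username, database, ... }: { assertion = username == database; message = "shb.postgresql.ensures: ensureDBOwnership requires database (${database}) to equal username (${username})"; }) ensureCfgs;` — and state the constraint in the `database` option's description, which like the enclosing attrset lies outside this hunk. nixpkgs may already assert that an owned database appears in `ensureDatabases`, but its message would be phrased in terms of `services.postgresql.*`, not this module's options. Note also that ownership is a broader grant than the previous `ALL PRIVILEGES` on the database (the owner can `ALTER`/`DROP` it), which is the intended shape for one-database-per-service but deserves a why-comment such as `# Owner rather than ALL PRIVILEGES: on PostgreSQL 15+ the public schema is no longer writable by PUBLIC, so the service user needs to own its database.`.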
@@ -174,18 +166,14 @@ in ensureUsers = [ { name = "user1"; - ensurePermissions = { - "DATABASE db1" = "ALL PRIVILEGES"; - }; + ensureDBOwnership = true; ensureClauses = { "login" = true; }; } { name = "user2"; - ensurePermissions = { - "DATABASE db2" = "ALL PRIVILEGES"; - }; + ensureDBOwnership = true; ensureClauses = { "login" = true; }; @@ -230,18 +218,14 @@ in ensureUsers = [ { name = "user1"; - ensurePermissions = { - "DATABASE db1" = "ALL PRIVILEGES"; - }; + ensureDBOwnership = true; ensureClauses = { "login" = true; }; } { name = "user2"; - ensurePermissions = { - "DATABASE db2" = "ALL PRIVILEGES"; - }; + ensureDBOwnership = true; ensureClauses = { "login" = true; }; diff --git a/test/vm/postgresql.nix b/test/vm/postgresql.nix index 61872c3..28db06c 100644 --- a/test/vm/postgresql.nix +++ b/test/vm/postgresql.nix @@ -11,7 +11,7 @@ shb.postgresql.ensures = [ { username = "me"; - database = "mine"; + database = "me"; } ]; }; @@ -25,10 +25,10 @@ return "sudo -u me psql -U {user} {db} --command \"\"".format(user=user, db=database) with subtest("cannot login because of missing user"): - machine.fail(peer_cmd("me", "mine"), timeout=10) + machine.fail(peer_cmd("me", "me"), timeout=10) with subtest("cannot login with unknown user"): - machine.fail(peer_cmd("notme", "mine"), timeout=10) + machine.fail(peer_cmd("notme", "me"), timeout=10) with subtest("cannot login to unknown database"): machine.fail(peer_cmd("me", "notmine"), timeout=10) @@ -53,7 +53,7 @@ shb.postgresql.ensures = [ { username = "me"; - database = "mine"; + database = "me"; } ]; }; 
@@ -70,16 +70,16 @@ return "psql -h 127.0.0.1 -p {port} -U {user} {db} --command \"\"".format(user=user, db=database, port=port) with subtest("can login with provisioned user and database"): - machine.succeed(peer_cmd("me", "mine"), timeout=10) + machine.succeed(peer_cmd("me", "me"), timeout=10) with subtest("cannot login with unknown user"): - machine.fail(peer_cmd("notme", "mine"), timeout=10) + machine.fail(peer_cmd("notme", "me"), timeout=10) with subtest("cannot login to unknown database"): machine.fail(peer_cmd("me", "notmine"), timeout=10) with subtest("cannot login with tcpip"): - machine.fail(tcpip_cmd("me", "mine", "5432"), timeout=10) + machine.fail(tcpip_cmd("me", "me", "5432"), timeout=10) ''; }; @@ -95,7 +95,7 @@ shb.postgresql.ensures = [ { username = "me"; - database = "mine"; + database = "me"; } ]; }; @@ -112,10 +112,10 @@ return "psql -h 127.0.0.1 -p {port} -U {user} {db} --command \"\"".format(user=user, db=database, port=port) with subtest("cannot login without existing user"): - machine.fail(peer_cmd("me", "mine"), timeout=10) + machine.fail(peer_cmd("me", "me"), timeout=10) with subtest("cannot login with user without password"): - machine.fail(tcpip_cmd("me", "mine", "5432"), timeout=10) + machine.fail(tcpip_cmd("me", "me", "5432"), timeout=10) ''; }; @@ -141,7 +141,7 @@ shb.postgresql.ensures = [ { username = "me"; - database = "mine"; + database = "me"; passwordFile = "/run/dbsecret"; } ]; 
@@ -159,13 +159,13 @@ return "PGPASSWORD={password} psql -h 127.0.0.1 -p {port} -U {user} {db} --command \"\"".format(user=user, db=database, port=port, password=password) with subtest("can peer login with provisioned user and database"): - machine.succeed(peer_cmd("me", "mine"), timeout=10) + machine.succeed(peer_cmd("me", "me"), timeout=10) with subtest("can tcpip login with provisioned user and database"): - machine.succeed(tcpip_cmd("me", "mine", "5432", "secretpw"), timeout=10) + machine.succeed(tcpip_cmd("me", "me", "5432", "secretpw"), timeout=10) with subtest("cannot tcpip login with wrong password"): - machine.fail(tcpip_cmd("me", "mine", "5432", "oops"), timeout=10) + machine.fail(tcpip_cmd("me", "me", "5432", "oops"), timeout=10) ''; }; }