{-# LANGUAGE FlexibleContexts #-} {-# LANGUAGE AllowAmbiguousTypes #-} -- | Maintainer: Nicolas Schodet -- -- Support for MySQL/MariaDB server. -- -- Enough to setup a database with a dedicated user for web applications. module Propellor.Property.Mysql ( Database(..), Privilege(..), allPrivileges, basicPrivileges, basicStructurePrivileges, installed, installedAndReady, databaseExists, databaseRestored, userGrantedOnDatabase, userGrantedOnDatabaseWithPassword, userGranted, userGrantedWithPassword, ) where import Propellor import Propellor.Base import Propellor.Types import Data.List import qualified Propellor.Property.Apt as Apt -- | A database is defined by its name. newtype Database = Database String data Privilege = Select | Insert | Update | Delete | Create | Drop | Index | Alter | CreateTemporaryTables | LockTables | Execute | CreateView | ShowView | CreateRoutine | AlterRoutine | Event | Trigger deriving (Eq, Ord, Enum) sqlPrivilege :: Privilege -> String sqlPrivilege Select = "SELECT" sqlPrivilege Insert = "INSERT" sqlPrivilege Update = "UPDATE" sqlPrivilege Delete = "DELETE" sqlPrivilege Create = "CREATE" sqlPrivilege Drop = "DROP" sqlPrivilege Index = "INDEX" sqlPrivilege Alter = "ALTER" sqlPrivilege CreateTemporaryTables = "CREATE TEMPORARY TABLES" sqlPrivilege LockTables = "LOCK TABLES" sqlPrivilege Execute = "EXECUTE" sqlPrivilege CreateView = "CREATE VIEW" sqlPrivilege ShowView = "SHOW VIEW" sqlPrivilege CreateRoutine = "CREATE ROUTINE" sqlPrivilege AlterRoutine = "ALTER ROUTINE" sqlPrivilege Event = "EVENT" sqlPrivilege Trigger = "TRIGGER" -- | All privileges allPrivileges :: [Privilege] allPrivileges = [Select .. Trigger] -- | Basic privileges needed to use a classic database already created. basicPrivileges :: [Privilege] basicPrivileges = [ Select , Insert , Update , Delete ] -- | Classic privileges needed to create a database and its structure. basicStructurePrivileges :: [Privilege] basicStructurePrivileges = [ Select , Insert , Update , Delete , Create , Drop , Index , Alter ] -- | Make sure a server is installed. installed :: RevertableProperty DebianLike DebianLike installed = install remove where install = Apt.installed server remove = Apt.removed server server = ["default-mysql-server"] -- | Make sure a server is installed and ready. installedAndReady :: Property DebianLike installedAndReady = ready `requires` installed where ready = scriptProperty ["mysqladmin -w3 ping > /dev/null"] `assume` NoChange -- | Check whether server is installed. isInstalled :: IO Bool isInstalled = Apt.isInstalled server where server = "default-mysql-server" -- | Create a database if it does not exist. When reverted, remove the -- database. databaseExists :: Database -> RevertableProperty DebianLike UnixLike databaseExists (Database dbname) = setup cleanup where setup :: Property DebianLike setup = setup' `requires` installedAndReady cleanup :: Property UnixLike cleanup = check isInstalled $ cleanup' -- Test for database existance and create it if needed. setup' :: Property UnixLike setup' = property' desc $ \w -> do present <- liftIO $ dbPresent ensureProperty w $ setupprop present where desc = "database " ++ dbname ++ " exists" setupprop :: Bool -> Property UnixLike setupprop True = doNothing setupprop False = cmdProperty "mysqladmin" ["create", dbname] `assume` MadeChange -- Test for database existance and drop it if needed. cleanup' :: Property UnixLike cleanup' = property' desc $ \w -> do present <- liftIO $ dbPresent ensureProperty w $ cleanupprop present where desc = "database " ++ dbname ++ " does not exist" cleanupprop :: Bool -> Property UnixLike cleanupprop True = cmdProperty "mysqladmin" ["drop", "-f", dbname] `assume` MadeChange cleanupprop False = doNothing -- Is database present? dbPresent :: IO Bool dbPresent = (== trueResult) <$> readProcess "mysql" ["-BNre", sql] where sql = "SHOW DATABASES LIKE " ++ qdbname qdbname = sqlQuote '\'' dbname trueResult = dbname ++ "\n" -- | Restore a database from a gziped backup. -- -- Only does anything if the database does not exist, or is completely empty. -- -- If the backup does not exists yet, only make sure the database exists. databaseRestored :: Database -> FilePath -> Property DebianLike databaseRestored (Database dbname) gzFile = restored `requires` databaseExists (Database dbname) where restored :: Property UnixLike restored = property desc $ ifM (liftIO $ doesFileExist gzFile) ( ifM (liftIO dbEmpty) ( do warningMessage restoringMessage liftIO restore , noChange ) , do warningMessage nobackupMessage noChange ) dbEmpty :: IO Bool dbEmpty = (== "") <$> readProcess "mysql" ["-BNre", sql] where sql = "SHOW TABLES FROM " ++ qdbname qdbname = sqlQuote '`' dbname restore :: IO Result restore = restoreResult <$> boolSystem "sh" [ Param "-c" , Param $ "zcat " ++ shellEscape gzFile ++ " | mysql " ++ shellEscape dbname ] restoreResult False = FailedChange restoreResult True = MadeChange desc = "database " ++ dbname ++ " restored" restoringMessage = "database " ++ dbname ++ " is empty; restoring from backup ..." nobackupMessage = "no backup for database " ++ dbname -- | Create an user and make sure he has grants on the specific database but -- no other grant. userGrantedOnDatabase :: IsContext c => User -> Database -> [Privilege] -> c -> RevertableProperty (HasInfo + DebianLike) UnixLike userGrantedOnDatabase user db privs context = userGrantedOnDatabase' user db privs withPassword where withPassword = withPasswordFromPrivData user context -- | Same as userGrantedOnDatabase, but provide the password as parameter. userGrantedOnDatabaseWithPassword :: User -> Database -> [Privilege] -> String -> RevertableProperty DebianLike UnixLike userGrantedOnDatabaseWithPassword user db privs password = userGrantedOnDatabase' user db privs withPassword where withPassword = withPasswordFromParameter password -- | Common code between userGrantedOnDatabase*. userGrantedOnDatabase' :: Combines (Property i) (Property UnixLike) => User -> Database -> [Privilege] -> ((((String -> Propellor Result) -> Propellor Result) -> Property i) -> Property i) -> RevertableProperty (CombinedType (Property i) (Property UnixLike)) UnixLike userGrantedOnDatabase' user@(User username) (Database dbname) privs withPassword = userGrantedProp user privs withPassword setupDesc setupSql userGrants where setupDesc = "user " ++ username ++ " granted on database " ++ dbname setupSql quser hash privList = "GRANT " ++ privList ++ " ON " ++ privLevel ++ " TO " ++ quser ++ " IDENTIFIED BY PASSWORD '" ++ hash ++ "'" -- Expected user grants as output by MySQL. userGrants quser hash privList = "GRANT USAGE ON *.* TO " ++ quser ++ " IDENTIFIED BY PASSWORD '" ++ hash ++ "'\n" ++ "GRANT " ++ privList ++ " ON " ++ privLevel ++ " TO " ++ quser ++ "\n" -- Privilege level for database access. privLevel = (sqlQuote '`' dbname) ++ ".*" -- | Create an user and make sure he has global grants but no other grant. userGranted :: IsContext c => User -> [Privilege] -> c -> RevertableProperty (HasInfo + DebianLike) UnixLike userGranted user privs context = userGranted' user privs withPassword where withPassword = withPasswordFromPrivData user context -- | Same as userGranted, but provide the password as parameter. userGrantedWithPassword :: User -> [Privilege] -> String -> RevertableProperty DebianLike UnixLike userGrantedWithPassword user privs password = userGranted' user privs withPassword where withPassword = withPasswordFromParameter password -- | Common code between userGranted*. userGranted' :: Combines (Property i) (Property UnixLike) => User -> [Privilege] -> ((((String -> Propellor Result) -> Propellor Result) -> Property i) -> Property i) -> RevertableProperty (CombinedType (Property i) (Property UnixLike)) UnixLike userGranted' user@(User username) privs withPassword = userGrantedProp user privs withPassword setupDesc setupSql userGrants where setupDesc = "user " ++ username ++ " granted" setupSql quser hash privList = "GRANT " ++ privList ++ " ON *.*" ++ " TO " ++ quser ++ " IDENTIFIED BY PASSWORD '" ++ hash ++ "'" -- Expected user grants as output by MySQL. userGrants quser hash privList = "GRANT " ++ privList ++ " ON *.* TO " ++ quser ++ " IDENTIFIED BY PASSWORD '" ++ hash ++ "'\n" -- | Common code to get password from private data. withPasswordFromPrivData :: IsContext c => User -> c -> ((((String -> Propellor Result) -> Propellor Result) -> Property (HasInfo + UnixLike)) -> Property (HasInfo + UnixLike)) withPasswordFromPrivData (User username) context = \mkprop -> withPrivData (Password username) context $ \getdata -> mkprop $ \a -> getdata $ \priv -> a $ privDataVal priv -- | Common code to pass password from parameter. withPasswordFromParameter :: String -> ((((String -> Propellor Result) -> Propellor Result) -> Property UnixLike) -> Property UnixLike) withPasswordFromParameter password = \mkprop -> mkprop $ \a -> a password -- | Common code to grant or remove an user. userGrantedProp :: Combines (Property i) (Property UnixLike) => User -> [Privilege] -> ((((String -> Propellor Result) -> Propellor Result) -> Property i) -> Property i) -> String -> (String -> String -> String -> String) -> (String -> String -> String -> String) -> RevertableProperty (CombinedType (Property i) (Property UnixLike)) UnixLike userGrantedProp (User username) privs withPassword setupDesc setupSql userGrants = setup cleanup where setup :: CombinedType (Property i) (Property UnixLike) setup = setup' `requires` installedAndReady cleanup :: Property UnixLike cleanup = check isInstalled $ cleanup' -- Check user grants and reset them if needed. setup' :: Property i setup' = withPassword $ \getpassword -> property' setupDesc $ \w -> getpassword $ \password -> do hash <- liftIO $ hashPassword $ password curGrants <- liftIO $ getUserGrants let match = curGrants == (userGrants quser hash privList) ensureProperty w $ setupprop match hash setupprop :: Bool -> String -> Property UnixLike setupprop True _ = doNothing setupprop False hash = cmdProperty "mysql" ["-BNre", sql] `assume` MadeChange where sql = "DROP USER IF EXISTS " ++ quser ++ ";" ++ (setupSql quser hash privList) -- Test for user existance and drop it if needed. cleanup' :: Property UnixLike cleanup' = property' desc $ \w -> do curGrants <- liftIO $ getUserGrants ensureProperty w $ cleanupprop $ curGrants /= "" where desc = "user " ++ username ++ " does not exist" cleanupprop :: Bool -> Property UnixLike cleanupprop False = doNothing cleanupprop True = cmdProperty "mysql" ["-BNre", sql] `assume` MadeChange where sql = "DROP USER " ++ quser -- Request MySQL to hash a password. hashPassword :: String -> IO String hashPassword password = Data.List.head . lines <$> writeReadProcessEnv "mysql" ["-BNr"] Nothing (Just writer) Nothing where writer h = hPutStr h sql sql = "SELECT PASSWORD(" ++ qpassword ++ ")" qpassword = sqlQuote '\'' password -- Request current user grants from MySQL. getUserGrants :: IO String getUserGrants = catchDefaultIO "" $ readProcess "mysql" ["-BNre", sql] where sql = "SHOW GRANTS FOR " ++ quser -- Privilege list as output by MySQL. privList = intercalate ", " $ map sqlPrivilege $ nub $ sort privs -- Qualified user name. quser = (sqlQuote '\'' username) ++ "@'localhost'" -- | Quote a string using the given quote character. sqlQuote :: Char -> String -> String sqlQuote quote s = [quote] ++ (concatMap escape s) ++ [quote] where escape c | c == quote = [quote, quote] | otherwise = [c]