Diffstat (limited to 'src/Propellor/Property')
-rw-r--r--src/Propellor/Property/Mysql.hs73
1 files changed, 54 insertions, 19 deletions
diff --git a/src/Propellor/Property/Mysql.hs b/src/Propellor/Property/Mysql.hs
index e387e2fe..77775889 100644
--- a/src/Propellor/Property/Mysql.hs
+++ b/src/Propellor/Property/Mysql.hs
@@ -13,6 +13,7 @@ module Propellor.Property.Mysql (
installed,
databaseExists,
userGrantedOnDatabase,
+ userGranted,
) where
import Propellor
@@ -167,7 +168,54 @@ userGrantedOnDatabase
-> [Privilege]
-> c
-> RevertableProperty (HasInfo + DebianLike) DebianLike
-userGrantedOnDatabase (User username) (Database dbname) privs context =
+userGrantedOnDatabase user@(User username) (Database dbname) privs context =
+ userGranted' user privs context setupDesc setupSql userGrants
+ where
+ setupDesc = "user " ++ username ++ " granted on database " ++ dbname
+ setupSql quser hash privList =
+ "GRANT " ++ privList ++ " ON " ++ privLevel
+ ++ " TO " ++ quser
+ ++ " IDENTIFIED BY PASSWORD '" ++ hash ++ "'"
+ -- Expected user grants as output by MySQL.
+ userGrants quser hash privList =
+ "GRANT USAGE ON *.* TO " ++ quser
+ ++ " IDENTIFIED BY PASSWORD '" ++ hash ++ "'\n"
+ ++ "GRANT " ++ privList ++ " ON " ++ privLevel
+ ++ " TO " ++ quser ++ "\n"
+ -- Privilege level for database access.
+ privLevel = "`" ++ dbname ++ "`.*"
+
+-- Create an user and make sure he has global grants but no other grant.
+userGranted
+ :: IsContext c
+ => User
+ -> [Privilege]
+ -> c
+ -> RevertableProperty (HasInfo + DebianLike) DebianLike
+userGranted user@(User username) privs context =
+ userGranted' user privs context setupDesc setupSql userGrants
+ where
+ setupDesc = "user " ++ username ++ " granted"
+ setupSql quser hash privList =
+ "GRANT " ++ privList ++ " ON *.*"
+ ++ " TO " ++ quser
+ ++ " IDENTIFIED BY PASSWORD '" ++ hash ++ "'"
+ -- Expected user grants as output by MySQL.
+ userGrants quser hash privList =
+ "GRANT " ++ privList ++ " ON *.* TO " ++ quser
+ ++ " IDENTIFIED BY PASSWORD '" ++ hash ++ "'\n"
+
+-- Common code to grant or remove an user.
+userGranted'
+ :: IsContext c
+ => User
+ -> [Privilege]
+ -> c
+ -> String
+ -> (String -> String -> String -> String)
+ -> (String -> String -> String -> String)
+ -> RevertableProperty (HasInfo + DebianLike) DebianLike
+userGranted' (User username) privs context setupDesc setupSql userGrants =
setup <!> cleanup
where
setup :: Property (HasInfo + DebianLike)
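Review bot: `userGranted'` takes two `String -> String -> String -> String` callbacks back to back (`setupSql`, then `userGrants`) with nothing in the signature saying what the three positional strings are, so swapping the two callbacks or the order of their arguments compiles cleanly; from the call sites they are the quoted user, the password hash and the privilege list, and a Haddock line on each parameter, e.g. `-- ^ builds the GRANT statement from (quoted user, password hash, privilege list)` and `-- ^ expected SHOW GRANTS output for the same three values`, or a small record for the triple, would pin that down. Both builders also splice `username`/`dbname` into SQL by plain concatenation, the only quoting being the backticks around `dbname` in `privLevel`, so a name containing a backtick or quote breaks the statement; these values come from the host configuration rather than untrusted input, but a comment stating that assumption next to `privLevel` would make the limit explicit. The body of `userGranted'` continues past this hunk.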
@@ -179,23 +227,20 @@ userGrantedOnDatabase (User username) (Database dbname) privs context =
-- Check user grants and reset them if needed.
setup' :: Property (HasInfo + UnixLike)
setup' = withPrivData (Password username) context $ \getpassword ->
- property' desc $ \w -> getpassword $ \priv -> do
+ property' setupDesc $ \w -> getpassword $ \priv -> do
hash <- liftIO $ hashPassword $ privDataVal priv
curGrants <- liftIO $ getUserGrants
- let match = curGrants == (userGrants hash)
+ let match = curGrants ==
+ (userGrants quser hash privList)
ensureProperty w $ setupprop match hash
- where
- desc = "user " ++ username ++ " granted on database " ++ dbname
setupprop :: Bool -> String -> Property UnixLike
setupprop True _ = doNothing
setupprop False hash = cmdProperty "mysql" ["-BNre", sql]
`assume` MadeChange
where
- sql = "DROP USER IF EXISTS " ++ quser ++ ";"
- ++ "GRANT " ++ privList ++ " ON " ++ privLevel
- ++ " TO " ++ quser
- ++ " IDENTIFIED BY PASSWORD '" ++ hash ++ "'"
+ sql = "DROP USER IF EXISTS " ++ quser ++ ";" ++
+ (setupSql quser hash privList)
-- Test for user existance and drop it if needed.
cleanup' :: Property UnixLike
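Review bot: The parentheses added around `(userGrants quser hash privList)` and `(setupSql quser hash privList)` are redundant, since application binds tighter than `==` and `++`, and hlint will flag them; `let match = curGrants == userGrants quser hash privList` and `sql = "DROP USER IF EXISTS " ++ quser ++ ";" ++ setupSql quser hash privList` read the same without them. Separately, `sql` now carries the `IDENTIFIED BY PASSWORD` hash and is still handed to `cmdProperty "mysql" ["-BNre", sql]`, so the hash is visible in the process argument list for as long as the command runs; if propellor offers a property that feeds a command's stdin, passing the statements that way would keep the hash out of `ps`. `setup'` and its `setupprop` helper belong to `userGranted'`, whose definition starts before this hunk.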
@@ -230,16 +275,6 @@ userGrantedOnDatabase (User username) (Database dbname) privs context =
where
sql = "show grants for " ++ quser
- -- Expected user grants as output by MySQL.
- userGrants :: String -> String
- userGrants hash =
- "GRANT USAGE ON *.* TO " ++ quser
- ++ " IDENTIFIED BY PASSWORD '" ++ hash ++ "'\n"
- ++ "GRANT " ++ privList ++ " ON " ++ privLevel
- ++ " TO " ++ quser ++ "\n"
-
- -- Privilege level for database access.
- privLevel = "`" ++ dbname ++ "`.*"
-- Privilege list as output by MySQL.
privList = intercalate ", " $ map show $ nub $ sort privs
-- Qualified user name.