From 18b17cd59bde295615b4ed5d8ac12e6ad6c29ff3 Mon Sep 17 00:00:00 2001
From: Nicolas Schodet
Date: Fri, 31 Aug 2018 22:45:48 +0200
Subject: Mysql: grant global privileges to an user

---
 src/Propellor/Property/Mysql.hs | 73 ++++++++++++++++++++++++++++++-----------
 1 file changed, 54 insertions(+), 19 deletions(-)

diff --git a/src/Propellor/Property/Mysql.hs b/src/Propellor/Property/Mysql.hs
index e387e2fe..77775889 100644
--- a/src/Propellor/Property/Mysql.hs
+++ b/src/Propellor/Property/Mysql.hs
@@ -13,6 +13,7 @@ module Propellor.Property.Mysql (
 	installed,
 	databaseExists,
 	userGrantedOnDatabase,
+	userGranted,
 ) where
 
 import Propellor
@@ -167,7 +168,54 @@ userGrantedOnDatabase
 	-> [Privilege]
 	-> c
 	-> RevertableProperty (HasInfo + DebianLike) DebianLike
-userGrantedOnDatabase (User username) (Database dbname) privs context =
+userGrantedOnDatabase user@(User username) (Database dbname) privs context =
+	userGranted' user privs context setupDesc setupSql userGrants
+  where
+	setupDesc = "user " ++ username ++ " granted on database " ++ dbname
+	setupSql quser hash privList =
+		"GRANT " ++ privList ++ " ON " ++ privLevel
+		++ " TO " ++ quser
+		++ " IDENTIFIED BY PASSWORD '" ++ hash ++ "'"
+	-- Expected user grants as output by MySQL.
+	userGrants quser hash privList =
+		"GRANT USAGE ON *.* TO " ++ quser
+		++ " IDENTIFIED BY PASSWORD '" ++ hash ++ "'\n"
+		++ "GRANT " ++ privList ++ " ON " ++ privLevel
+		++ " TO " ++ quser ++ "\n"
+	-- Privilege level for database access.
+	privLevel = "`" ++ dbname ++ "`.*"
+
+-- Create an user and make sure he has global grants but no other grant.
+userGranted
+	:: IsContext c
+	=> User
+	-> [Privilege]
+	-> c
+	-> RevertableProperty (HasInfo + DebianLike) DebianLike
+userGranted user@(User username) privs context =
+	userGranted' user privs context setupDesc setupSql userGrants
+  where
+	setupDesc = "user " ++ username ++ " granted"
+	setupSql quser hash privList =
+		"GRANT " ++ privList ++ " ON *.*"
+		++ " TO " ++ quser
+		++ " IDENTIFIED BY PASSWORD '" ++ hash ++ "'"
+	-- Expected user grants as output by MySQL.
+	userGrants quser hash privList =
+		"GRANT " ++ privList ++ " ON *.* TO " ++ quser
+		++ " IDENTIFIED BY PASSWORD '" ++ hash ++ "'\n"
+
+-- Common code to grant or remove an user.
+userGranted'
+	:: IsContext c
+	=> User
+	-> [Privilege]
+	-> c
+	-> String
+	-> (String -> String -> String -> String)
+	-> (String -> String -> String -> String)
+	-> RevertableProperty (HasInfo + DebianLike) DebianLike
+userGranted' (User username) privs context setupDesc setupSql userGrants =
 	setup cleanup
   where
 	setup :: Property (HasInfo + DebianLike)
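Review bot: The header comment on `userGranted` does not say what a global grant means in practice: the privileges are issued `ON *.*`, so they apply to every database on the server, and the same DROP USER/GRANT reset shared with `userGrantedOnDatabase` will also strip any database-level grant the user previously had, which is the stated intent but worth spelling out, e.g. `-- Create a user and make sure they hold exactly the given global privileges (ON *.*, i.e. on every database) and no other grant.`. The `userGranted'` signature takes two `String -> String -> String -> String` callbacks whose argument order is only discoverable from the call sites (`quser`, `hash`, `privList`); a comment such as `-- setupSql and userGrants receive the quoted user name, the password hash and the MySQL-formatted privilege list, in that order.` would prevent the callbacks or their arguments from being swapped, since the type checker cannot tell them apart. The expected `SHOW GRANTS` text built by `userGrants` embeds the password hash via `IDENTIFIED BY PASSWORD`; on a server whose SHOW GRANTS output uses a different format this comparison would presumably never match and the user would be dropped and re-created on every run, so the MySQL version this was validated against is worth recording in the comment as well. The body of `userGranted'` continues past the end of the hunk.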
@@ -179,23 +227,20 @@ userGrantedOnDatabase (User username) (Database dbname) privs context =
 	-- Check user grants and reset them if needed.
 	setup' :: Property (HasInfo + UnixLike)
 	setup' = withPrivData (Password username) context $ \getpassword ->
-		property' desc $ \w -> getpassword $ \priv -> do
+		property' setupDesc $ \w -> getpassword $ \priv -> do
 			hash <- liftIO $ hashPassword $ privDataVal priv
 			curGrants <- liftIO $ getUserGrants
-			let match = curGrants == (userGrants hash)
+			let match = curGrants ==
+				(userGrants quser hash privList)
 			ensureProperty w $ setupprop match hash
-	  where
-		desc = "user " ++ username ++ " granted on database " ++ dbname
 	setupprop :: Bool -> String -> Property UnixLike
 	setupprop True _ = doNothing
 	setupprop False hash = cmdProperty "mysql" ["-BNre", sql]
 		`assume` MadeChange
 	  where
-		sql = "DROP USER IF EXISTS " ++ quser ++ ";"
-			++ "GRANT " ++ privList ++ " ON " ++ privLevel
-			++ " TO " ++ quser
-			++ " IDENTIFIED BY PASSWORD '" ++ hash ++ "'"
+		sql = "DROP USER IF EXISTS " ++ quser ++ ";" ++
+			(setupSql quser hash privList)
 
 	-- Test for user existance and drop it if needed.
 	cleanup' :: Property UnixLike
@@ -230,16 +275,6 @@ userGrantedOnDatabase (User username) (Database dbname) privs context =
 	  where
 		sql = "show grants for " ++ quser
 
-	-- Expected user grants as output by MySQL.
-	userGrants :: String -> String
-	userGrants hash =
-		"GRANT USAGE ON *.* TO " ++ quser
-		++ " IDENTIFIED BY PASSWORD '" ++ hash ++ "'\n"
-		++ "GRANT " ++ privList ++ " ON " ++ privLevel
-		++ " TO " ++ quser ++ "\n"
-
-	-- Privilege level for database access.
-	privLevel = "`" ++ dbname ++ "`.*"
 	-- Privilege list as output by MySQL.
 	privList = intercalate ", " $ map show $ nub $ sort privs
 	-- Qualified user name.
-- 
cgit v1.2.3
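Review bot: `sql` still runs `DROP USER IF EXISTS` and the GRANT returned by `setupSql` as two statements in a single `mysql -BNre` invocation, so the reset is not atomic: if the GRANT is rejected (for instance an empty `privs` yields `GRANT  ON ...`, or the server does not accept the `IDENTIFIED BY PASSWORD` form), the user has already been dropped and stays absent, with all its privileges gone, until a later run succeeds. A one-line comment above `sql` would make this visible, e.g. `-- Not atomic: the user is dropped before the GRANT runs, so a failing GRANT leaves it absent until the next run.`, and rejecting an empty privilege list before reaching `setupprop` would close the most obvious way to trigger it. Any difference between `curGrants` and the expected text, including a changed password hash, also takes this drop-and-recreate path, which is presumably intended but is a second reason to keep that window as short as possible. The enclosing `userGranted'` starts before this hunk and continues past it.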