WIP grant.go

Former-commit-id: 3f95b91

Author: joncrlsn

grant.go

@@ -1,11 +1,12 @@
 package main
 
 import "sort"
+import "os"
 import "fmt"
 import "strings"
+import "regexp"
 import "database/sql"
 import "github.com/joncrlsn/pgutil"
-import "regexp"
 
 var aclRegex = regexp.MustCompile(`([a-zA-Z0-9]+)*=([rwadDxtXUCcT]+)/([a-zA-Z0-9]+)$`)
 
@@ -43,6 +44,12 @@ func (slice GrantRows) Less(i, j int) bool {
 	if slice[i]["column_name"] != slice[j]["column_name"] {
 		return slice[i]["column_name"] < slice[j]["column_name"]
 	}
+	if slice[i]["relationship_acl"] != slice[j]["relationship_acl"] {
+		return slice[i]["relationship_acl"] < slice[j]["relationship_acl"]
+	}
+	if slice[i]["column_acl"] != slice[j]["column_acl"] {
+		return slice[i]["column_acl"] < slice[j]["column_acl"]
+	}
 	return false
 }
 
@@ -92,7 +99,7 @@ func (c *GrantSchema) NextRow() bool {
 func (c *GrantSchema) Compare(obj interface{}) int {
 	c2, ok := obj.(*GrantSchema)
 	if !ok {
-		fmt.Println("Error!!!, change needs a GrantSchema instance", c2)
+		fmt.Println("Error!!!, Compare needs a GrantSchema instance", c2)
 		return +999
 	}
 
@@ -114,49 +121,55 @@ func (c *GrantSchema) Compare(obj interface{}) int {
 func (c *GrantSchema) Add() {
 	fmt.Println("--Add")
 
-	if c.get("column_acl") != "null" && len(c.get("column_acl")) > 0 {
-		lines := strings.Split(c.get("column_acl"), "\n")
-		for _, line := range lines {
-			roleName, perms := parseGrants(line)
-			fmt.Printf("GRANT %s (%s) ON %s TO %s; \n", strings.Join(perms, ", "), c.get("column_name"), c.get("relationship_name"), roleName)
-		}
-	} else if c.get("relationship_acl") != "null" && len(c.get("relationship_acl")) > 0 {
-		lines := strings.Split(c.get("relationship_acl"), "\n")
-		for _, line := range lines {
-			roleName, perms := parseGrants(line)
-			fmt.Printf("GRANT %s ON %s TO %s; \n", strings.Join(perms, ", "), c.get("relationship_name"), roleName)
-		}
+	acls := parseGrants(c.get("relationship_acl"))
+	for _, acl := range acls {
+		fmt.Printf("GRANT %s ON %s TO %s;\n", strings.Join(acl.grants, ", "), c.get("relationship_name"), acl.role)
+	}
+
+	acls = parseGrants(c.get("column_acl"))
+	for _, acl := range acls {
+		fmt.Printf("GRANT %s (%s) ON %s TO %s;\n", strings.Join(acl.grants, ", "), c.get("column_name"), c.get("relationship_name"), acl.role)
 	}
 }
 
 // Drop prints SQL to drop the column
 func (c *GrantSchema) Drop() {
 	fmt.Println("--Drop")
 
-	if c.get("column_acl") != "null" && len(c.get("column_acl")) > 0 {
-		lines := strings.Split(c.get("column_acl"), "\n")
-		for _, line := range lines {
-			roleName, perms := parseGrants(line)
-			fmt.Printf("REVOKE %s (%s) ON %s TO %s; \n", strings.Join(perms, ", "), c.get("column_name"), c.get("relationship_name"), roleName)
-		}
-	} else if c.get("relationship_acl") != "null" && len(c.get("relationship_acl")) > 0 {
-		lines := strings.Split(c.get("relationship_acl"), "\n")
-		for _, line := range lines {
-			roleName, perms := parseGrants(line)
-			fmt.Printf("REVOKE %s ON %s TO %s; \n", strings.Join(perms, ", "), c.get("relationship_name"), roleName)
-		}
+	acls := parseGrants(c.get("relationship_acl"))
+	for _, acl := range acls {
+		fmt.Printf("REVOKE %s ON %s TO %s;\n", strings.Join(acl.grants, ", "), c.get("relationship_name"), acl.role)
+	}
+
+	acls = parseGrants(c.get("column_acl"))
+	for _, acl := range acls {
+		fmt.Printf("REVOKE %s (%s) ON %s TO %s;\n", strings.Join(acl.grants, ", "), c.get("column_name"), c.get("relationship_name"), acl.role)
 	}
 }
 
-// Change handles the case where the table and column match, but the details do not
+// Change handles the case where the relationship and column match, but the details do not
 func (c *GrantSchema) Change(obj interface{}) {
 	c2, ok := obj.(*GrantSchema)
 	if !ok {
 		fmt.Println("-- Error!!!, change needs a GrantSchema instance", c2)
 	}
+
+	{
+		acls1 := parseGrants(c.get("relationship_acl"))
+		acls2 := parseGrants(c2.get("relationship_acl"))
+		_diffGrants(acls1, acls2, c.get("relationship_name"), c.get("column_name"))
+	}
+
+	{
+		//	if c.get("column_acl") != "null" && len(c.get("column_acl")) > 0 {
+		acls1 := parseGrants(c.get("column_acl"))
+		acls2 := parseGrants(c2.get("column_acl"))
+		_diffGrants(acls1, acls2, c.get("relationship_name"), c.get("column_name"))
+	}
+
 	fmt.Println("--Change")
-	fmt.Printf("rel:%s, relAcl:%s, col:%s, colAcl:%s\n", c.get("relationship_name"), c.get("relationship_acl"), c.get("column_name"), c.get("column_acl"))
-	fmt.Printf("rel:%s, relAcl:%s, col:%s, colAcl:%s\n", c2.get("relationship_name"), c2.get("relationship_acl"), c2.get("column_name"), c2.get("column_acl"))
+	fmt.Printf("--1 rel:%s, relAcl:%s, col:%s, colAcl:%s\n", c.get("relationship_name"), c.get("relationship_acl"), c.get("column_name"), c.get("column_acl"))
+	fmt.Printf("--2 rel:%s, relAcl:%s, col:%s, colAcl:%s\n", c2.get("relationship_name"), c2.get("relationship_acl"), c2.get("column_name"), c2.get("column_acl"))
 }
 
 // ==================================
@@ -167,25 +180,53 @@ func (c *GrantSchema) Change(obj interface{}) {
  * Compare the columns in the two databases
  */
 func compareGrants(conn1 *sql.DB, conn2 *sql.DB) {
+    fmt.Println(" Grant is broken right now. Please come back later! :-)")
+    os.Exit(0)
+
 	sql := `
 SELECT
   n.nspname AS schema
   , CASE c.relkind
-    	WHEN 'r' THEN 'TABLE'
-		WHEN 'v' THEN 'VIEW'
-		WHEN 'S' THEN 'SEQUENCE'
-		WHEN 'f' THEN 'FOREIGN TABLE'
-	END as type
+    WHEN 'r' THEN 'TABLE'
+        WHEN 'v' THEN 'VIEW'
+        WHEN 'S' THEN 'SEQUENCE'
+        WHEN 'f' THEN 'FOREIGN TABLE'
+    END as type
   , c.relname AS relationship_name
-  , pg_catalog.array_to_string(c.relacl, E'\n') AS relationship_acl
+--  , pg_catalog.array_to_string(c.relacl, E'\n') AS relationship_acl
+--  , pg_catalog.array_to_string(a.attacl, E'\n') AS column_acl
+  , unnest(c.relacl) AS relationship_acl
   , a.attname AS column_name
-  , pg_catalog.array_to_string(a.attacl, E'\n') AS column_acl
+  , a.attacl AS column_acl
 FROM pg_catalog.pg_class c
 LEFT JOIN pg_catalog.pg_namespace n ON (n.oid = c.relnamespace)
-LEFT JOIN pg_catalog.pg_attribute a ON (a.attrelid = c.oid AND NOT a.attisdropped AND a.attacl IS NOT NULL)
+LEFT JOIN (SELECT attname, unnest(attacl) AS attacl, attrelid, attisdropped 
+           FROM pg_catalog.pg_attribute 
+           WHERE NOT attisdropped AND attacl IS NOT NULL) 
+      AS a ON (a.attrelid = c.oid)
 WHERE c.relkind IN ('r', 'v', 'S', 'f')
-  AND n.nspname !~ '^pg_' AND pg_catalog.pg_table_is_visible(c.oid);
+  AND n.nspname !~ '^pg_' AND pg_catalog.pg_table_is_visible(c.oid)
+ORDER BY n.nspname, c.relname, a.attname;
 `
+//oldSql := `SELECT
+//  n.nspname AS schema
+//  , CASE c.relkind
+//    	WHEN 'r' THEN 'TABLE'
+//		WHEN 'v' THEN 'VIEW'
+//		WHEN 'S' THEN 'SEQUENCE'
+//		WHEN 'f' THEN 'FOREIGN TABLE'
+//	END as type
+//  , c.relname AS relationship_name
+//  , pg_catalog.array_to_string(c.relacl, E'\n') AS relationship_acl
+//  , a.attname AS column_name
+//  , pg_catalog.array_to_string(a.attacl, E'\n') AS column_acl
+//FROM pg_catalog.pg_class c
+//LEFT JOIN pg_catalog.pg_namespace n ON (n.oid = c.relnamespace)
+//LEFT JOIN pg_catalog.pg_attribute a ON (a.attrelid = c.oid AND NOT a.attisdropped AND a.attacl IS NOT NULL)
+//WHERE c.relkind IN ('r', 'v', 'S', 'f')
+//  AND n.nspname !~ '^pg_' AND pg_catalog.pg_table_is_visible(c.oid);
+//`
+
 	rowChan1, _ := pgutil.QueryStrings(conn1, sql)
 	rowChan2, _ := pgutil.QueryStrings(conn2, sql)
 
@@ -208,10 +249,120 @@ WHERE c.relkind IN ('r', 'v', 'S', 'f')
 	doDiff(schema1, schema2)
 }
 
+// ==================================
+// Private functions and structures
+// ==================================
+
+func _diffGrants(acls1 RoleAcls, acls2 RoleAcls, table string, column string) {
+	//fmt.Printf("GRANT %s (%s) ON %s TO %s; \n", strings.Join(perms, ", "), c.get("column_name"), c.get("relationship_name"), roleName)
+	ix1, ix2 := 0, 0
+	more1 := ix1 < len(acls1)
+	more2 := ix2 < len(acls2)
+	var acl1 RoleAcl
+	var acl2 RoleAcl
+	if more1 {
+		acl1 = acls1[ix1]
+	}
+	if more2 {
+		acl2 = acls2[ix2]
+	}
+	for more1 || more2 {
+		if acl1.role == acl2.role {
+			//_diffRole(acl1.grants, acl2.grants, acl1.role, table, column)
+			ix1 += 1
+			ix2 += 1
+			more1 := ix1 < len(acls1)
+			more2 := ix2 < len(acls2)
+			if more1 {
+				acl1 = acls1[ix1]
+			}
+			if more2 {
+				acl2 = acls2[ix2]
+			}
+		} else if acl1.role < acl2.role {
+		} else if acl1.role > acl2.role {
+		}
+		//	compareVal := db1.Compare(db2)
+		//	if compareVal == 0 {
+		//		// table and column match, look for non-identifying changes
+		//		db1.Change(db2)
+		//		more1 = db1.NextRow()
+		//		more2 = db2.NextRow()
+		//	} else if compareVal < 0 {
+		//		// db2 is missing a value that db1 has
+		//		if more1 {
+		//			db1.Add()
+		//			more1 = db1.NextRow()
+		//		} else {
+		//			// db1 is at the end
+		//			db2.Drop()
+		//			more2 = db2.NextRow()
+		//		}
+		//	} else if compareVal > 0 {
+		//		// db2 has an extra column that we don't want
+		//		if more2 {
+		//			db2.Drop()
+		//			more2 = db2.NextRow()
+		//		} else {
+		//			// db2 is at the end
+		//			db1.Add()
+		//			more1 = db1.NextRow()
+		//		}
+		//	}
+	}
+}
+
+//
+// RoleAcls (a sortable slice of RoleAcl instances)
+//
+type RoleAcls []RoleAcl
+
+func (slice RoleAcls) Len() int {
+	return len(slice)
+}
+
+func (slice RoleAcls) Less(i, j int) bool {
+	return slice[i].role < slice[j].role
+}
+
+func (slice RoleAcls) Swap(i, j int) {
+	slice[i], slice[j] = slice[j], slice[i]
+}
+
+func (slice RoleAcls) get(role string) RoleAcl {
+	for _, roleAcl := range slice {
+		if roleAcl.role == role {
+			return roleAcl
+		}
+	}
+	return RoleAcl{role: "", grants: []string{}}
+}
+
+//
+// RoleAcl
+//
+type RoleAcl struct {
+	role   string
+	grants []string
+}
+
+// parseGrants breaks up a set of ACL lines and parses them into a slice of permission strings per line.
+func parseGrants(acl string) (roleAcls RoleAcls) {
+	lines := strings.Split(acl, "\n")
+	roleAcls = make(RoleAcls, 0)
+	for _, line := range lines {
+		roleName, perms := _parseGrants(line)
+		roleAcl := RoleAcl{role: roleName, grants: perms}
+		roleAcls = append(roleAcls, roleAcl)
+	}
+	sort.Sort(roleAcls)
+	return
+}
+
 /*
-parseGrants converts an ACL string into a slice of permission strings
+_parseGrants converts an ACL line into a slice of permission strings
 
-Example of an ACL: c42ro=rwa/c42  (we want to split out the "rwa" part)
+Example of an ACL: c42ro=rwa/c42  (we want to separate out the "rwa" part)
 
 rolename=xxxx -- privileges granted to a role
         =xxxx -- privileges granted to PUBLIC
@@ -231,17 +382,17 @@ rolename=xxxx -- privileges granted to a role
             * -- grant option for preceding privilege
         /yyyy -- role that granted this privilege
 */
-func parseGrants(acl string) (string, []string) {
-
+func _parseGrants(acl string) (string, sort.StringSlice) {
 	matches := aclRegex.FindStringSubmatch(acl)
 	role := matches[1]
 	perms := matches[2]
-	var permWords []string
+	permWords := make(sort.StringSlice, 0)
 	for _, c := range strings.Split(perms, "") {
 		permWord := permMap[c]
 		if len(permWord) > 0 {
 			permWords = append(permWords, permWord)
 		}
 	}
+	permWords.Sort()
 	return role, permWords
 }

grant_test.go

@@ -6,9 +6,10 @@ import (
 )
 
 func Test_parseGrants(t *testing.T) {
-	doParseGrants(t, "c42ro=rwa/c42", "c42ro", 3)
-	doParseGrants(t, "=arwdDxt/c42", "", 7)
-	doParseGrants(t, "user2=arwxt/postgres", "user2", 5)
+	doParseGrants(t, "c42ro=rwa/c42", "c42ro", 3, 0)
+	doParseGrants(t, "=arwdDxt/c42\nc42=rwad/postgres", "", 7, 0)    // first of two lines
+	doParseGrants(t, "=arwdDxt/c42\nc42=rwad/postgres", "c42", 4, 1) // second of two lines
+	doParseGrants(t, "user2=arwxt/postgres", "user2", 5, 0)
 }
 
 /*
@@ -46,13 +47,14 @@ func Test_diffGrants(t *testing.T) {
 	doDiff(schema1, schema2)
 }
 
-func doParseGrants(t *testing.T, acl string, expectedRole string, expectedPermCount int) {
+func doParseGrants(t *testing.T, acl string, expectedRole string, expectedPermCount int, index int) {
 	fmt.Println("Testing", acl)
-	role, perms := parseGrants(acl)
-	if role != expectedRole {
-		t.Error("Wrong role parsed: %s instead of %s", role, expectedRole)
+	roleAcls := parseGrants(acl)
+	roleAcl := roleAcls[index]
+	if roleAcl.role != expectedRole {
+		t.Error("Wrong role parsed: %s instead of %s", roleAcl.role, expectedRole)
 	}
-	if len(perms) != expectedPermCount {
-		t.Error("Incorrect number of permissions parsed: %d instead of %d", len(perms), expectedPermCount)
+	if len(roleAcl.grants) != expectedPermCount {
+		t.Error("Incorrect number of permissions parsed: %d instead of %d", len(roleAcl.grants), expectedPermCount)
 	}
 }