postgresql_grant support for procedures and routines (#128)

* add postgresql_grant support for procedures/routines

* update postgresql_grant docs to add procedures/routines

* check version for procedures/routines in tests

* move compatibility test before creating objects

* fixup! Merge remote-tracking branch 'origin/master' into feature/grant-procedures-and-routines

Co-authored-by: Cyril Gaudin <cyril.gaudin@gmail.com>

Author: alec-rabold

go.mod

@@ -20,6 +20,13 @@ require (
 	github.com/agext/levenshtein v1.2.2 // indirect
 	github.com/apparentlymart/go-textseg v1.0.0 // indirect
 	github.com/apparentlymart/go-textseg/v13 v13.0.0 // indirect
+	github.com/aws/aws-sdk-go-v2/credentials v1.4.0 // indirect
+	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.5.0 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/ini v1.2.2 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.3.0 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sso v1.4.0 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sts v1.7.0 // indirect
+	github.com/aws/smithy-go v1.8.0 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/fatih/color v1.7.0 // indirect
 	github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e // indirect

go.sum

@@ -29,6 +29,8 @@ const (
 	featureReplication
 	featureExtension
 	featurePrivileges
+	featureProcedure
+	featureRoutine
 	featurePrivilegesOnSchemas
 	featureForceDropDatabase
 	featurePid
@@ -68,6 +70,11 @@ var (
 		// for Postgresql < 9.
 		featurePrivileges: semver.MustParseRange(">=9.0.0"),
 
+		// Object PROCEDURE support
+		featureProcedure: semver.MustParseRange(">=11.0.0"),
+
+		// Object ROUTINE support
+		featureRoutine: semver.MustParseRange(">=11.0.0"),
 		// ALTER DEFAULT PRIVILEGES has ON SCHEMAS support
 		// for Postgresql >= 10
 		featurePrivilegesOnSchemas: semver.MustParseRange(">=10.0.0"),

postgresql/config.go

@@ -235,14 +235,16 @@ func sliceContainsStr(haystack []string, needle string) bool {
 // allowedPrivileges is the list of privileges allowed per object types in Postgres.
 // see: https://www.postgresql.org/docs/current/sql-grant.html
 var allowedPrivileges = map[string][]string{
-	"database":             []string{"ALL", "CREATE", "CONNECT", "TEMPORARY", "TEMP"},
-	"table":                []string{"ALL", "SELECT", "INSERT", "UPDATE", "DELETE", "TRUNCATE", "REFERENCES", "TRIGGER"},
-	"sequence":             []string{"ALL", "USAGE", "SELECT", "UPDATE"},
-	"schema":               []string{"ALL", "CREATE", "USAGE"},
-	"function":             []string{"ALL", "EXECUTE"},
-	"type":                 []string{"ALL", "USAGE"},
-	"foreign_data_wrapper": []string{"ALL", "USAGE"},
-	"foreign_server":       []string{"ALL", "USAGE"},
+	"database":             {"ALL", "CREATE", "CONNECT", "TEMPORARY", "TEMP"},
+	"table":                {"ALL", "SELECT", "INSERT", "UPDATE", "DELETE", "TRUNCATE", "REFERENCES", "TRIGGER"},
+	"sequence":             {"ALL", "USAGE", "SELECT", "UPDATE"},
+	"schema":               {"ALL", "CREATE", "USAGE"},
+	"function":             {"ALL", "EXECUTE"},
+	"procedure":            {"ALL", "EXECUTE"},
+	"routine":              {"ALL", "EXECUTE"},
+	"type":                 {"ALL", "USAGE"},
+	"foreign_data_wrapper": {"ALL", "USAGE"},
+	"foreign_server":       {"ALL", "USAGE"},
 }
 
 // validatePrivileges checks that privileges to apply are allowed for this object type.

postgresql/helpers.go

@@ -16,6 +16,8 @@ import (
 var allowedObjectTypes = []string{
 	"database",
 	"function",
+	"procedure",
+	"routine",
 	"schema",
 	"sequence",
 	"table",
@@ -73,7 +75,7 @@ func resourcePostgreSQLGrant() *schema.Resource {
 				Set:         schema.HashString,
 				Description: "The specific objects to grant privileges on for this role (empty means all objects of the requested type)",
 			},
-			"privileges": &schema.Schema{
+			"privileges": {
 				Type:        schema.TypeSet,
 				Required:    true,
 				Elem:        &schema.Schema{Type: schema.TypeString},
@@ -92,11 +94,8 @@ func resourcePostgreSQLGrant() *schema.Resource {
 }
 
 func resourcePostgreSQLGrantRead(db *DBConnection, d *schema.ResourceData) error {
-	if !db.featureSupported(featurePrivileges) {
-		return fmt.Errorf(
-			"postgresql_grant resource is not supported for this Postgres version (%s)",
-			db.version,
-		)
+	if err := validateFeatureSupport(db, d); err != nil {
+		return fmt.Errorf("feature is not supported: %v", err)
 	}
 
 	exists, err := checkRoleDBSchemaExists(db.client, d)
@@ -119,11 +118,8 @@ func resourcePostgreSQLGrantRead(db *DBConnection, d *schema.ResourceData) error
 }
 
 func resourcePostgreSQLGrantCreate(db *DBConnection, d *schema.ResourceData) error {
-	if !db.featureSupported(featurePrivileges) {
-		return fmt.Errorf(
-			"postgresql_grant resource is not supported for this Postgres version (%s)",
-			db.version,
-		)
+	if err := validateFeatureSupport(db, d); err != nil {
+		return fmt.Errorf("feature is not supported: %v", err)
 	}
 
 	// Validate parameters.
@@ -189,11 +185,8 @@ func resourcePostgreSQLGrantCreate(db *DBConnection, d *schema.ResourceData) err
 }
 
 func resourcePostgreSQLGrantDelete(db *DBConnection, d *schema.ResourceData) error {
-	if !db.featureSupported(featurePrivileges) {
-		return fmt.Errorf(
-			"postgresql_grant resource is not supported for this Postgres version (%s)",
-			db.version,
-		)
+	if err := validateFeatureSupport(db, d); err != nil {
+		return fmt.Errorf("feature is not supported: %v", err)
 	}
 
 	txn, err := startTransaction(db.client, d.Get("database").(string))
@@ -329,7 +322,7 @@ func readRolePrivileges(txn *sql.Tx, d *schema.ResourceData) error {
 	case "foreign_server":
 		return readForeignServerRolePrivileges(txn, d, roleOID)
 
-	case "function":
+	case "function", "procedure", "routine":
 		query = `
 SELECT pg_proc.proname, array_remove(array_agg(privilege_type), NULL)
 FROM pg_proc
@@ -441,7 +434,7 @@ func createGrantQuery(d *schema.ResourceData, privileges []string) string {
 			pq.QuoteIdentifier(srvName.(string)),
 			pq.QuoteIdentifier(d.Get("role").(string)),
 		)
-	case "TABLE", "SEQUENCE", "FUNCTION":
+	case "TABLE", "SEQUENCE", "FUNCTION", "PROCEDURE", "ROUTINE":
 		objects := d.Get("objects").(*schema.Set)
 		if objects.Len() > 0 {
 			query = fmt.Sprintf(
@@ -499,7 +492,7 @@ func createRevokeQuery(d *schema.ResourceData) string {
 			pq.QuoteIdentifier(srvName.(string)),
 			pq.QuoteIdentifier(d.Get("role").(string)),
 		)
-	case "TABLE", "SEQUENCE", "FUNCTION":
+	case "TABLE", "SEQUENCE", "FUNCTION", "PROCEDURE", "ROUTINE":
 		objects := d.Get("objects").(*schema.Set)
 		if objects.Len() > 0 {
 			query = fmt.Sprintf(
@@ -648,3 +641,25 @@ func getRolesToGrant(txn *sql.Tx, d *schema.ResourceData) ([]string, error) {
 
 	return owners, nil
 }
+
+func validateFeatureSupport(db *DBConnection, d *schema.ResourceData) error {
+	if !db.featureSupported(featurePrivileges) {
+		return fmt.Errorf(
+			"postgresql_grant resource is not supported for this Postgres version (%s)",
+			db.version,
+		)
+	}
+	if d.Get("object_type") == "procedure" && !db.featureSupported(featureProcedure) {
+		return fmt.Errorf(
+			"object type PROCEDURE is not supported for this Postgres version (%s)",
+			db.version,
+		)
+	}
+	if d.Get("object_type") == "routine" && !db.featureSupported(featureRoutine) {
+		return fmt.Errorf(
+			"object type ROUTINE is not supported for this Postgres version (%s)",
+			db.version,
+		)
+	}
+	return nil
+}

postgresql/resource_postgresql_grant.go

@@ -49,6 +49,24 @@ func TestCreateGrantQuery(t *testing.T) {
 			privileges: []string{"EXECUTE"},
 			expected:   fmt.Sprintf("GRANT EXECUTE ON ALL FUNCTIONS IN SCHEMA %s TO %s", pq.QuoteIdentifier(databaseName), pq.QuoteIdentifier(roleName)),
 		},
+		{
+			resource: schema.TestResourceDataRaw(t, resourcePostgreSQLGrant().Schema, map[string]interface{}{
+				"object_type": "procedure",
+				"schema":      databaseName,
+				"role":        roleName,
+			}),
+			privileges: []string{"EXECUTE"},
+			expected:   fmt.Sprintf("GRANT EXECUTE ON ALL PROCEDURES IN SCHEMA %s TO %s", pq.QuoteIdentifier(databaseName), pq.QuoteIdentifier(roleName)),
+		},
+		{
+			resource: schema.TestResourceDataRaw(t, resourcePostgreSQLGrant().Schema, map[string]interface{}{
+				"object_type": "routine",
+				"schema":      databaseName,
+				"role":        roleName,
+			}),
+			privileges: []string{"EXECUTE"},
+			expected:   fmt.Sprintf("GRANT EXECUTE ON ALL ROUTINES IN SCHEMA %s TO %s", pq.QuoteIdentifier(databaseName), pq.QuoteIdentifier(roleName)),
+		},
 		{
 			resource: schema.TestResourceDataRaw(t, resourcePostgreSQLGrant().Schema, map[string]interface{}{
 				"object_type":       "TABLE",
@@ -171,6 +189,30 @@ func TestCreateRevokeQuery(t *testing.T) {
 			}),
 			expected: fmt.Sprintf("REVOKE ALL PRIVILEGES ON ALL SEQUENCES IN SCHEMA %s FROM %s", pq.QuoteIdentifier(databaseName), pq.QuoteIdentifier(roleName)),
 		},
+		{
+			resource: schema.TestResourceDataRaw(t, resourcePostgreSQLGrant().Schema, map[string]interface{}{
+				"object_type": "function",
+				"schema":      databaseName,
+				"role":        roleName,
+			}),
+			expected: fmt.Sprintf("REVOKE ALL PRIVILEGES ON ALL FUNCTIONS IN SCHEMA %s FROM %s", pq.QuoteIdentifier(databaseName), pq.QuoteIdentifier(roleName)),
+		},
+		{
+			resource: schema.TestResourceDataRaw(t, resourcePostgreSQLGrant().Schema, map[string]interface{}{
+				"object_type": "procedure",
+				"schema":      databaseName,
+				"role":        roleName,
+			}),
+			expected: fmt.Sprintf("REVOKE ALL PRIVILEGES ON ALL PROCEDURES IN SCHEMA %s FROM %s", pq.QuoteIdentifier(databaseName), pq.QuoteIdentifier(roleName)),
+		},
+		{
+			resource: schema.TestResourceDataRaw(t, resourcePostgreSQLGrant().Schema, map[string]interface{}{
+				"object_type": "routine",
+				"schema":      databaseName,
+				"role":        roleName,
+			}),
+			expected: fmt.Sprintf("REVOKE ALL PRIVILEGES ON ALL ROUTINES IN SCHEMA %s FROM %s", pq.QuoteIdentifier(databaseName), pq.QuoteIdentifier(roleName)),
+		},
 		{
 			resource: schema.TestResourceDataRaw(t, resourcePostgreSQLGrant().Schema, map[string]interface{}{
 				"object_type": "database",
@@ -608,6 +650,7 @@ func TestAccPostgresqlGrantFunction(t *testing.T) {
 	dbExecute(t, dsn, fmt.Sprintf("CREATE ROLE test_role LOGIN PASSWORD '%s'", testRolePassword))
 	dbExecute(t, dsn, "CREATE SCHEMA test_schema")
 	dbExecute(t, dsn, "GRANT USAGE ON SCHEMA test_schema TO test_role")
+	dbExecute(t, dsn, "ALTER DEFAULT PRIVILEGES REVOKE ALL ON FUNCTIONS FROM PUBLIC")
 
 	// Create test function in this schema
 	dbExecute(t, dsn, `
@@ -658,6 +701,137 @@ resource postgresql_grant "test" {
 	}
 }
 
+func TestAccPostgresqlGrantProcedure(t *testing.T) {
+	skipIfNotAcc(t)
+	testCheckCompatibleVersion(t, featureProcedure)
+
+	config := getTestConfig(t)
+	dsn := config.connStr("postgres")
+
+	// Create a test role and a schema as public has too wide open privileges
+	dbExecute(t, dsn, fmt.Sprintf("CREATE ROLE test_role LOGIN PASSWORD '%s'", testRolePassword))
+	dbExecute(t, dsn, "CREATE SCHEMA test_schema")
+	dbExecute(t, dsn, "GRANT USAGE ON SCHEMA test_schema TO test_role")
+	dbExecute(t, dsn, "ALTER DEFAULT PRIVILEGES REVOKE ALL ON FUNCTIONS FROM PUBLIC")
+
+	// Create test procedure in this schema
+	dbExecute(t, dsn, `
+CREATE PROCEDURE test_schema.test()
+	AS $$ select 'foo'::text $$
+    LANGUAGE SQL;
+`)
+	defer func() {
+		dbExecute(t, dsn, "DROP SCHEMA test_schema CASCADE")
+		dbExecute(t, dsn, "DROP ROLE test_role")
+	}()
+
+	// Test to grant directly to test_role and to public
+	// in both case test_case should have the right
+	for _, role := range []string{"test_role", "public"} {
+		t.Run(role, func(t *testing.T) {
+
+			tfConfig := fmt.Sprintf(`
+resource postgresql_grant "test" {
+  database    = "postgres"
+  role        = "%s"
+  schema      = "test_schema"
+  object_type = "procedure"
+  privileges  = ["EXECUTE"]
+}
+	`, role)
+
+			resource.Test(t, resource.TestCase{
+				PreCheck: func() {
+					testAccPreCheck(t)
+					testCheckCompatibleVersion(t, featurePrivileges)
+				},
+				Providers: testAccProviders,
+				Steps: []resource.TestStep{
+					{
+						Config: tfConfig,
+						Check: resource.ComposeTestCheckFunc(
+							resource.TestCheckResourceAttr("postgresql_grant.test", "id", fmt.Sprintf("%s_postgres_test_schema_procedure", role)),
+							resource.TestCheckResourceAttr("postgresql_grant.test", "privileges.#", "1"),
+							resource.TestCheckResourceAttr("postgresql_grant.test", "privileges.0", "EXECUTE"),
+							resource.TestCheckResourceAttr("postgresql_grant.test", "with_grant_option", "false"),
+							testCheckProcedureExecutable(t, "test_role", "test_schema.test"),
+						),
+					},
+				},
+			})
+		})
+	}
+}
+
+func TestAccPostgresqlGrantRoutine(t *testing.T) {
+	skipIfNotAcc(t)
+	testCheckCompatibleVersion(t, featureRoutine)
+
+	config := getTestConfig(t)
+	dsn := config.connStr("postgres")
+
+	// Create a test role and a schema as public has too wide open privileges
+	dbExecute(t, dsn, fmt.Sprintf("CREATE ROLE test_role LOGIN PASSWORD '%s'", testRolePassword))
+	dbExecute(t, dsn, "CREATE SCHEMA test_schema")
+	dbExecute(t, dsn, "GRANT USAGE ON SCHEMA test_schema TO test_role")
+	dbExecute(t, dsn, "ALTER DEFAULT PRIVILEGES REVOKE ALL ON FUNCTIONS FROM PUBLIC")
+
+	// Create test function in this schema
+	dbExecute(t, dsn, `
+CREATE FUNCTION test_schema.test_function() RETURNS text
+	AS $$ select 'foo'::text $$
+    LANGUAGE SQL;
+`)
+	// Create test procedure in this schema
+	dbExecute(t, dsn, `
+CREATE PROCEDURE test_schema.test_procedure()
+	AS $$ select 'foo'::text $$
+    LANGUAGE SQL;
+`)
+	defer func() {
+		dbExecute(t, dsn, "DROP SCHEMA test_schema CASCADE")
+		dbExecute(t, dsn, "DROP ROLE test_role")
+	}()
+
+	// Test to grant directly to test_role and to public
+	// in both case test_case should have the right
+	for _, role := range []string{"test_role", "public"} {
+		t.Run(role, func(t *testing.T) {
+
+			tfConfigRoutine := fmt.Sprintf(`
+resource postgresql_grant "test" {
+  database    = "postgres"
+  role        = "%s"
+  schema      = "test_schema"
+  object_type = "routine"
+  privileges  = ["EXECUTE"]
+}
+	`, role)
+
+			resource.Test(t, resource.TestCase{
+				PreCheck: func() {
+					testAccPreCheck(t)
+					testCheckCompatibleVersion(t, featurePrivileges)
+				},
+				Providers: testAccProviders,
+				Steps: []resource.TestStep{
+					{
+						Config: tfConfigRoutine,
+						Check: resource.ComposeTestCheckFunc(
+							resource.TestCheckResourceAttr("postgresql_grant.test", "id", fmt.Sprintf("%s_postgres_test_schema_routine", role)),
+							resource.TestCheckResourceAttr("postgresql_grant.test", "privileges.#", "1"),
+							resource.TestCheckResourceAttr("postgresql_grant.test", "privileges.0", "EXECUTE"),
+							resource.TestCheckResourceAttr("postgresql_grant.test", "with_grant_option", "false"),
+							testCheckFunctionExecutable(t, "test_role", "test_schema.test_function"),
+							testCheckProcedureExecutable(t, "test_role", "test_schema.test_procedure"),
+						),
+					},
+				},
+			})
+		})
+	}
+}
+
 func TestAccPostgresqlGrantDatabase(t *testing.T) {
 	// create a TF config with placeholder for privileges
 	// it will be filled in each step.
@@ -931,6 +1105,18 @@ func testCheckFunctionExecutable(t *testing.T, role, function string) func(*terr
 	}
 }
 
+func testCheckProcedureExecutable(t *testing.T, role, procedure string) func(*terraform.State) error {
+	return func(*terraform.State) error {
+		db := connectAsTestRole(t, role, "postgres")
+		defer db.Close()
+
+		if err := testHasGrantForQuery(db, fmt.Sprintf("CALL %s()", procedure), true); err != nil {
+			return err
+		}
+		return nil
+	}
+}
+
 func testCheckSchemaPrivileges(t *testing.T, usage, create bool) func(*terraform.State) error {
 	return func(*terraform.State) error {
 		config := getTestConfig(t)