Class: Forty::Sync

Inherits:

Object

• Object
• Forty::Sync

Defined in:

lib/forty/sync.rb

Defined Under Namespace

Classes: Error

Instance Method Summary

• #banner ⇒ Object
• #initialize(logger, master_username, production_schemas, acl_config, executor, dry_run = true) ⇒ Sync constructor

  A new instance of Sync.

• #run ⇒ Object
• #sync_acl ⇒ Object
• #sync_database_acl ⇒ Object
• #sync_groups ⇒ Object
• #sync_personal_schemas ⇒ Object
• #sync_schema_acl ⇒ Object
• #sync_table_acl ⇒ Object
• #sync_user_groups ⇒ Object
• #sync_user_roles ⇒ Object
• #sync_users ⇒ Object

Constructor Details

#initialize(logger, master_username, production_schemas, acl_config, executor, dry_run = true) ⇒ Sync

Returns a new instance of Sync.

# File 'lib/forty/sync.rb', line 19

def initialize(logger, master_username, production_schemas, acl_config, executor, dry_run=true)
  @logger = logger or raise Error, 'No logger provided'
  @master_username = master_username or raise Error, 'No master username provided'
  @production_schemas = production_schemas or raise Error, 'No production schemas provided'
  @system_groups = ["pg_signal_backend"]
  @system_users = ["postgres"]
  @acl_config = acl_config or raise Error, 'No acl config provided'
  @acl_config['users'] ||= {}
  @acl_config['groups'] ||= {}

  @executor   = executor   or raise Error, 'No dwh executor provided'
  @dry_run = dry_run

  @logger.warn('Dry mode disabled, executing on production') unless @dry_run
end

Instance Method Details

#banner ⇒ Object

# File 'lib/forty/sync.rb', line 44

def banner
  @logger.info("Starting sync...\n____           __       \n   / __/___  _____/ /___  __\n  / /_/ __ \\\\/ ___/ __/ / / /\n / __/ /_/ / /  / /_/ /_/ /\n/_/  \\\\____/_/   \\\\__/\\\\__, /  Database ACL Sync\n               /____/   v0.2.0\n\n===============================================================================\n\nRunning in \#{@dry_run ? 'DRY-MODE (not enforcing state)' : 'PRODUCTION-MODE (enforcing state)'}\n\nConfiguration:\nMaster user:    \#{@master_username}\nSynced schemas: \#{@production_schemas.join(', ')}\nSystem users:   \#{@system_users.join(', ')}\nSystem groups:  \#{@system_groups.join(', ')}\n\n===============================================================================\n")
end

#run ⇒ Object

# File 'lib/forty/sync.rb', line 35

def run
  banner()
  sync_users()
  sync_groups()
  sync_user_groups()
  sync_user_roles()
  sync_acl()
end

#sync_acl ⇒ Object

# File 'lib/forty/sync.rb', line 178

def sync_acl
  sync_database_acl()
  sync_schema_acl()
  sync_table_acl()
end

#sync_database_acl ⇒ Object

# File 'lib/forty/sync.rb', line 184

def sync_database_acl
  current_database_acl = _get_current_database_acl()
  defined_database_acl = _get_defined_database_acl()

  diverged = _sync_typed_acl('database', current_database_acl, defined_database_acl)
  @logger.info('All database privileges are in sync') if diverged == 0
end

#sync_groups ⇒ Object

# File 'lib/forty/sync.rb', line 90

def sync_groups
  current_groups = _get_current_dwh_groups().keys
  defined_groups = @acl_config['groups'].keys

  undefined_groups = (current_groups - defined_groups - @system_groups).uniq.compact
  missing_groups = (defined_groups - current_groups).uniq.compact

  undefined_groups.each { |group| _delete_group(group) }
  missing_groups.each   { |group| _create_group(group) }

  @logger.info('All groups are in sync') if (undefined_groups.count + missing_groups.count) == 0
end

#sync_personal_schemas ⇒ Object

# File 'lib/forty/sync.rb', line 133

def sync_personal_schemas
  users = @acl_config['users'].keys
  users.each do |user|
    next if user.eql?(@master_username)
    schemas_owned_by_user = _get_currently_owned_schemas(user).uniq - @production_schemas
    unless schemas_owned_by_user.empty?
      tables_owned_by_user = _get_currently_owned_tables(user)
      schemas_owned_by_user.each do |schema|
        @executor.execute("set search_path=#{schema}")
        tables = @executor.execute("select tablename from pg_tables where schemaname='#{schema}'").map { |row| "#{schema}.#{row['tablename']}" }
        nonowned_tables_by_user = tables.uniq - tables_owned_by_user
        nonowned_tables_by_user.each { |table| _execute_statement("alter table #{table} owner to #{user};") }
      end
    end
  end
end

#sync_schema_acl ⇒ Object

# File 'lib/forty/sync.rb', line 192

def sync_schema_acl
  current_schema_acl = _get_current_schema_acl()
  defined_schema_acl = _get_defined_schema_acl()

  diverged = _sync_typed_acl('schema', current_schema_acl, defined_schema_acl)
  @logger.info('All schema privileges are in sync') if diverged == 0
end

#sync_table_acl ⇒ Object

# File 'lib/forty/sync.rb', line 200

def sync_table_acl
  current_table_acl = _get_current_table_acl()
  defined_table_acl = _get_defined_table_acl()

  diverged = _sync_typed_acl('table', current_table_acl, defined_table_acl)
  @logger.info('All table privileges are in sync') if diverged == 0
end

#sync_user_groups ⇒ Object

# File 'lib/forty/sync.rb', line 103

def sync_user_groups
  current_user_groups = _get_current_user_groups()
  defined_user_groups = _get_defined_user_groups()
  _check_group_unknown(current_user_groups.keys, defined_user_groups.keys)

  current_users = _get_current_dwh_users().keys
  defined_users = _get_defined_users()
  _check_user_unknown(current_users, defined_users)

  diverged = 0

  current_user_groups.each do |group, list|
    current_list = list
    defined_list = defined_user_groups[group] || []

    undefined_assignments = (current_list - defined_list).uniq.compact
    missing_assignments = (defined_list - current_list).uniq.compact

    undefined_assignments.each { |user| _remove_user_from_group(user, group) }
    missing_assignments.each   { |user| _add_user_to_group(user, group) }

    current_group_diverged = (undefined_assignments.count + missing_assignments.count)
    diverged += current_group_diverged

    @logger.debug("Users of group #{group} are in sync") if current_group_diverged == 0
  end

  @logger.info('All user groups are in sync') if diverged == 0
end

#sync_user_roles ⇒ Object

# File 'lib/forty/sync.rb', line 150

def sync_user_roles
  defined_user_roles = _get_defined_user_roles()
  current_user_roles = _get_current_user_roles()

  users = ((defined_user_roles.keys).concat(current_user_roles.keys)).uniq.compact

  diverged = 0

  users.each do |user|
    next if user.eql?(@master_username) or @system_users.include?(user)

    raise Error, "Users are not in sync #{user}" if current_user_roles[user].nil? or defined_user_roles[user].nil?

    undefined_roles = (current_user_roles[user] - defined_user_roles[user]).uniq.compact
    missing_roles   = (defined_user_roles[user] - current_user_roles[user]).uniq.compact

    current_roles_diverged = (undefined_roles.count + missing_roles.count)
    diverged += current_roles_diverged

    undefined_roles.each { |role| _execute_statement("alter user #{user} no#{role};") }
    missing_roles.each   { |role| _execute_statement("alter user #{user} #{role};") }

    @logger.debug("Roles of #{user} are in sync") if current_roles_diverged == 0
  end

  @logger.info('All user roles are in sync') if diverged == 0
end

#sync_users ⇒ Object

# File 'lib/forty/sync.rb', line 68

def sync_users
  current_users = _get_current_dwh_users.keys
  defined_users = @acl_config['users'].keys

  undefined_users = (current_users - defined_users - @system_users).uniq.compact
  missing_users = (defined_users - current_users).uniq.compact

  @logger.debug("Undefined users: #{undefined_users}")
  @logger.debug("Missing users: #{missing_users}")
  undefined_users.each { |user| _delete_user(user) }

  missing_users.each do |user|
    roles = @acl_config['users'][user]['roles'] || []
    password = @acl_config['users'][user]['password']
    search_path = @production_schemas.join(',')

    _create_user(user, password, roles, search_path)
  end

  @logger.info('All users are in sync') if (undefined_users.count + missing_users.count) == 0
end