Before revoking a privilege from a schema, check to ensure role exists.

Sean Chittenden 2016-12-25 04:56:39 -08:00
parent 6c91676c40
commit d92a3caedf
No known key found for this signature in database
GPG Key ID: 4EBC9DC16C2E5E16
2 changed files with 27 additions and 16 deletions


@ -350,8 +350,19 @@ func setSchemaPolicy(txn *sql.Tx, d *schema.ResourceData) error {
for _, p := range dropped { for _, p := range dropped {
pMap := p.(map[string]interface{}) pMap := p.(map[string]interface{})
rolePolicy := schemaPolicyToACL(pMap) rolePolicy := schemaPolicyToACL(pMap)
var foundUser bool
err := txn.QueryRow(`SELECT TRUE FROM pg_catalog.pg_user WHERE usename = $1`, rolePolicy.Role).Scan(&foundUser)
switch {
case err == sql.ErrNoRows:
// Don't execute this role's REVOKEs because the role
// was dropped first and therefore doesn't exist.
case err != nil:
return errwrap.Wrapf("Error reading schema: {{err}}", err)
default:
queries = append(queries, rolePolicy.Revokes(schemaName)...) queries = append(queries, rolePolicy.Revokes(schemaName)...)
} }
}
for _, p := range added { for _, p := range added {
pMap := p.(map[string]interface{}) pMap := p.(map[string]interface{})
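Review bot: The existence check on the added `txn.QueryRow` line reads `pg_catalog.pg_user`, a view that lists only roles allowed to log in, so a role created without LOGIN would fall into the `sql.ErrNoRows` case and its REVOKEs would be silently skipped, leaving its schema privileges in place. Querying the full role catalog avoids that: `SELECT TRUE FROM pg_catalog.pg_roles WHERE rolname = $1`. The `case err != nil` message `Error reading schema` would also be more accurate as something like `Error checking role existence: {{err}}`, since the failing query is the role lookup. setSchemaPolicy starts and ends outside this hunk, so whether the dropped roles are ever NOLOGIN depends on code not shown here.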


@ -69,11 +69,11 @@ func TestAccPostgresqlSchema_AddPolicy(t *testing.T) {
resource.TestCheckResourceAttr("postgresql_role.policy_move", "name", "policy_move"), resource.TestCheckResourceAttr("postgresql_role.policy_move", "name", "policy_move"),
resource.TestCheckResourceAttr("postgresql_role.all_with_grantstay", "name", "all_with_grantstay"), resource.TestCheckResourceAttr("postgresql_role.all_with_grantstay", "name", "all_with_grantstay"),
// resource.TestCheckResourceAttr("postgresql_role.all_with_grantdrop", "name", "all_with_grantdrop"), resource.TestCheckResourceAttr("postgresql_role.all_with_grantdrop", "name", "all_with_grantdrop"),
resource.TestCheckResourceAttr("postgresql_schema.test4", "name", "test4"), resource.TestCheckResourceAttr("postgresql_schema.test4", "name", "test4"),
resource.TestCheckResourceAttr("postgresql_schema.test4", "owner", "all_without_grant_stay"), resource.TestCheckResourceAttr("postgresql_schema.test4", "owner", "all_without_grant_stay"),
resource.TestCheckResourceAttr("postgresql_schema.test4", "policy.#", "6"), resource.TestCheckResourceAttr("postgresql_schema.test4", "policy.#", "7"),
resource.TestCheckResourceAttr("postgresql_schema.test4", "policy.108605972.create", "false"), resource.TestCheckResourceAttr("postgresql_schema.test4", "policy.108605972.create", "false"),
resource.TestCheckResourceAttr("postgresql_schema.test4", "policy.108605972.create_with_grant", "true"), resource.TestCheckResourceAttr("postgresql_schema.test4", "policy.108605972.create_with_grant", "true"),
resource.TestCheckResourceAttr("postgresql_schema.test4", "policy.108605972.role", "all_with_grantstay"), resource.TestCheckResourceAttr("postgresql_schema.test4", "policy.108605972.role", "all_with_grantstay"),
@ -99,11 +99,11 @@ func TestAccPostgresqlSchema_AddPolicy(t *testing.T) {
resource.TestCheckResourceAttr("postgresql_schema.test4", "policy.3959936977.role", "policy_compose"), resource.TestCheckResourceAttr("postgresql_schema.test4", "policy.3959936977.role", "policy_compose"),
resource.TestCheckResourceAttr("postgresql_schema.test4", "policy.3959936977.usage", "false"), resource.TestCheckResourceAttr("postgresql_schema.test4", "policy.3959936977.usage", "false"),
resource.TestCheckResourceAttr("postgresql_schema.test4", "policy.3959936977.usage_with_grant", "true"), resource.TestCheckResourceAttr("postgresql_schema.test4", "policy.3959936977.usage_with_grant", "true"),
// resource.TestCheckResourceAttr("postgresql_schema.test4", "policy.4178211897.create", "false"), resource.TestCheckResourceAttr("postgresql_schema.test4", "policy.4178211897.create", "false"),
// resource.TestCheckResourceAttr("postgresql_schema.test4", "policy.4178211897.create_with_grant", "true"), resource.TestCheckResourceAttr("postgresql_schema.test4", "policy.4178211897.create_with_grant", "true"),
// resource.TestCheckResourceAttr("postgresql_schema.test4", "policy.4178211897.role", "all_with_grantdrop"), resource.TestCheckResourceAttr("postgresql_schema.test4", "policy.4178211897.role", "all_with_grantdrop"),
// resource.TestCheckResourceAttr("postgresql_schema.test4", "policy.4178211897.usage", "false"), resource.TestCheckResourceAttr("postgresql_schema.test4", "policy.4178211897.usage", "false"),
// resource.TestCheckResourceAttr("postgresql_schema.test4", "policy.4178211897.usage_with_grant", "true"), resource.TestCheckResourceAttr("postgresql_schema.test4", "policy.4178211897.usage_with_grant", "true"),
resource.TestCheckResourceAttr("postgresql_schema.test4", "policy.815478369.create", "true"), resource.TestCheckResourceAttr("postgresql_schema.test4", "policy.815478369.create", "true"),
resource.TestCheckResourceAttr("postgresql_schema.test4", "policy.815478369.create_with_grant", "false"), resource.TestCheckResourceAttr("postgresql_schema.test4", "policy.815478369.create_with_grant", "false"),
resource.TestCheckResourceAttr("postgresql_schema.test4", "policy.815478369.role", "policy_compose"), resource.TestCheckResourceAttr("postgresql_schema.test4", "policy.815478369.role", "policy_compose"),
@ -298,9 +298,9 @@ resource "postgresql_role" "all_with_grantstay" {
name = "all_with_grantstay" name = "all_with_grantstay"
} }
// resource "postgresql_role" "all_with_grantdrop" { resource "postgresql_role" "all_with_grantdrop" {
// name = "all_with_grantdrop" name = "all_with_grantdrop"
// } }
resource "postgresql_schema" "test4" { resource "postgresql_schema" "test4" {
name = "test4" name = "test4"
@ -336,11 +336,11 @@ resource "postgresql_schema" "test4" {
role = "${postgresql_role.all_with_grantstay.name}" role = "${postgresql_role.all_with_grantstay.name}"
} }
// policy { policy {
// create_with_grant = true create_with_grant = true
// usage_with_grant = true usage_with_grant = true
// role = "${postgresql_role.all_with_grantdrop.name}" role = "${postgresql_role.all_with_grantdrop.name}"
// } }
policy { policy {
create_with_grant = true create_with_grant = true