Rename most instances of "permission" to "privilege"

This commit is contained in:
Oystein Kristoffer Tveit 2024-08-07 21:51:03 +02:00
parent 7025982d44
commit 5a7516aed8
Signed by: oysteikt
GPG Key ID: 9F2F7D8250F35146
3 changed files with 106 additions and 96 deletions

View File

@ -28,29 +28,29 @@ pub enum DatabaseCommand {
#[command()] #[command()]
ListDb(DatabaseListArgs), ListDb(DatabaseListArgs),
/// List user permissions for one or more databases /// List user privileges for one or more databases
/// ///
/// If no database names are provided, it will show permissions for all databases you have access to. /// If no database names are provided, it will show privileges for all databases you have access to.
#[command()] #[command()]
ShowDbPerm(DatabaseShowPermArgs), ShowDbPrivs(DatabaseShowPrivsArgs),
/// Change user permissions for one or more databases. See `edit-db-perm --help` for details. /// Change user privileges for one or more databases. See `edit-db-privs --help` for details.
/// ///
/// This command has two modes of operation: /// This command has two modes of operation:
/// ///
/// 1. Interactive mode: If nothing else is specified, the user will be prompted to edit the permissions using a text editor. /// 1. Interactive mode: If nothing else is specified, the user will be prompted to edit the privileges using a text editor.
/// ///
/// You can configure your preferred text editor by setting the `VISUAL` or `EDITOR` environment variables. /// You can configure your preferred text editor by setting the `VISUAL` or `EDITOR` environment variables.
/// ///
/// Follow the instructions inside the editor for more information. /// Follow the instructions inside the editor for more information.
/// ///
/// 2. Non-interactive mode: If the `-p` flag is specified, the user can write permissions using arguments. /// 2. Non-interactive mode: If the `-p` flag is specified, the user can write privileges using arguments.
/// ///
/// The permission arguments should be formatted as `<db>:<user>:<privileges>` /// The privilege arguments should be formatted as `<db>:<user>:<privileges>`
/// where the privileges are a string of characters, each representing a single permissions. /// where the privileges are a string of characters, each representing a single privilege.
/// The character `A` is an exception, because it represents all permissions. /// The character `A` is an exception - it represents all privileges.
/// ///
/// The character to permission mapping is declared as follows: /// The character-to-privilege mapping is defined as follows:
/// ///
/// - `s` - SELECT /// - `s` - SELECT
/// - `i` - INSERT /// - `i` - INSERT
@ -65,24 +65,27 @@ pub enum DatabaseCommand {
/// - `r` - REFERENCES /// - `r` - REFERENCES
/// - `A` - ALL PRIVILEGES /// - `A` - ALL PRIVILEGES
/// ///
/// If you provide a database name, you can omit it from the permission arguments. /// If you provide a database name, you can omit it from the privilege string,
/// e.g. `edit-db-privs my_db -p my_user:siu` is equivalent to `edit-db-privs -p my_db:my_user:siu`.
/// While it doesn't make much of a difference for a single edit, it can be useful for editing multiple users
/// on the same database at once.
/// ///
/// Example usage of non-interactive mode: /// Example usage of non-interactive mode:
/// ///
/// Set permissions `SELECT`, `INSERT`, and `UPDATE` for user `my_user` on database `my_db`: /// Enable privileges `SELECT`, `INSERT`, and `UPDATE` for user `my_user` on database `my_db`:
/// ///
/// mysqladm edit-db-perm -p my_db:my_user:siu /// `mysqladm edit-db-privs -p my_db:my_user:siu`
/// ///
/// Set all permissions for user `my_other_user` on database `my_other_db`: /// Enable all privileges for user `my_other_user` on database `my_other_db`:
/// ///
/// mysqladm edit-db-perm -p my_other_db:my_other_user:A /// `mysqladm edit-db-privs -p my_other_db:my_other_user:A`
/// ///
/// Set miscellaneous permissions for multiple users on database `my_db`: /// Set miscellaneous privileges for multiple users on database `my_db`:
/// ///
/// mysqladm edit-db-perm my_db -p my_user:siu my_other_user:ct /// `mysqladm edit-db-privs my_db -p my_user:siu my_other_user:ct``
/// ///
#[command(verbatim_doc_comment)] #[command(verbatim_doc_comment)]
EditDbPerm(DatabaseEditPermArgs), EditDbPrivs(DatabaseEditPrivsArgs),
} }
#[derive(Parser)] #[derive(Parser)]
@ -107,7 +110,7 @@ pub struct DatabaseListArgs {
} }
#[derive(Parser)] #[derive(Parser)]
pub struct DatabaseShowPermArgs { pub struct DatabaseShowPrivsArgs {
/// The name of the database(s) to show. /// The name of the database(s) to show.
#[arg(num_args = 0..)] #[arg(num_args = 0..)]
name: Vec<String>, name: Vec<String>,
@ -118,18 +121,18 @@ pub struct DatabaseShowPermArgs {
} }
#[derive(Parser)] #[derive(Parser)]
pub struct DatabaseEditPermArgs { pub struct DatabaseEditPrivsArgs {
/// The name of the database to edit permissions for. /// The name of the database to edit privileges for.
pub name: Option<String>, pub name: Option<String>,
#[arg(short, long, value_name = "[DATABASE:]USER:PERMISSIONS", num_args = 0..)] #[arg(short, long, value_name = "[DATABASE:]USER:PRIVILEGES", num_args = 0..)]
pub perm: Vec<String>, pub privs: Vec<String>,
/// Whether to output the information in JSON format. /// Whether to output the information in JSON format.
#[arg(short, long)] #[arg(short, long)]
pub json: bool, pub json: bool,
/// Specify the text editor to use for editing permissions. /// Specify the text editor to use for editing privileges
#[arg(short, long)] #[arg(short, long)]
pub editor: Option<String>, pub editor: Option<String>,
@ -149,8 +152,8 @@ pub async fn handle_command(
DatabaseCommand::CreateDb(args) => create_databases(args, txn).await, DatabaseCommand::CreateDb(args) => create_databases(args, txn).await,
DatabaseCommand::DropDb(args) => drop_databases(args, txn).await, DatabaseCommand::DropDb(args) => drop_databases(args, txn).await,
DatabaseCommand::ListDb(args) => list_databases(args, txn).await, DatabaseCommand::ListDb(args) => list_databases(args, txn).await,
DatabaseCommand::ShowDbPerm(args) => show_databases(args, txn).await, DatabaseCommand::ShowDbPrivs(args) => show_database_privileges(args, txn).await,
DatabaseCommand::EditDbPerm(args) => edit_permissions(args, txn).await, DatabaseCommand::EditDbPrivs(args) => edit_privileges(args, txn).await,
} }
}) })
}) })
@ -215,8 +218,8 @@ async fn list_databases(args: DatabaseListArgs, conn: &mut MySqlConnection) -> a
Ok(()) Ok(())
} }
async fn show_databases( async fn show_database_privileges(
args: DatabaseShowPermArgs, args: DatabaseShowPrivsArgs,
conn: &mut MySqlConnection, conn: &mut MySqlConnection,
) -> anyhow::Result<()> { ) -> anyhow::Result<()> {
let database_users_to_show = if args.name.is_empty() { let database_users_to_show = if args.name.is_empty() {
@ -276,11 +279,11 @@ async fn show_databases(
Ok(()) Ok(())
} }
/// See documentation for `DatabaseCommand::EditPerm`. /// See documentation for `DatabaseCommand::EditDbPrivs`.
fn parse_permission_table_cli_arg(arg: &str) -> anyhow::Result<DatabasePrivilegeRow> { fn parse_privilege_table_cli_arg(arg: &str) -> anyhow::Result<DatabasePrivilegeRow> {
let parts: Vec<&str> = arg.split(':').collect(); let parts: Vec<&str> = arg.split(':').collect();
if parts.len() != 3 { if parts.len() != 3 {
anyhow::bail!("Invalid argument format. See `edit-perm --help` for more information."); anyhow::bail!("Invalid argument format. See `edit-db-privs --help` for more information.");
} }
let db = parts[0].to_string(); let db = parts[0].to_string();
@ -329,14 +332,14 @@ fn parse_permission_table_cli_arg(arg: &str) -> anyhow::Result<DatabasePrivilege
result.lock_tables_priv = true; result.lock_tables_priv = true;
result.references_priv = true; result.references_priv = true;
} }
_ => anyhow::bail!("Invalid permission character: {}", char), _ => anyhow::bail!("Invalid privilege character: {}", char),
} }
} }
Ok(result) Ok(result)
} }
fn parse_permission(yn: &str) -> anyhow::Result<bool> { fn parse_privilege(yn: &str) -> anyhow::Result<bool> {
match yn.to_ascii_lowercase().as_str() { match yn.to_ascii_lowercase().as_str() {
"y" => Ok(true), "y" => Ok(true),
"n" => Ok(false), "n" => Ok(false),
@ -344,7 +347,7 @@ fn parse_permission(yn: &str) -> anyhow::Result<bool> {
} }
} }
fn parse_permission_data_from_editor(content: String) -> anyhow::Result<Vec<DatabasePrivilegeRow>> { fn parse_privilege_data_from_editor(content: String) -> anyhow::Result<Vec<DatabasePrivilegeRow>> {
content content
.trim() .trim()
.split('\n') .split('\n')
@ -360,27 +363,27 @@ fn parse_permission_data_from_editor(content: String) -> anyhow::Result<Vec<Data
Ok(DatabasePrivilegeRow { Ok(DatabasePrivilegeRow {
db: (*line_parts.first().unwrap()).to_owned(), db: (*line_parts.first().unwrap()).to_owned(),
user: (*line_parts.get(1).unwrap()).to_owned(), user: (*line_parts.get(1).unwrap()).to_owned(),
select_priv: parse_permission(line_parts.get(2).unwrap()) select_priv: parse_privilege(line_parts.get(2).unwrap())
.context("Could not parse SELECT privilege")?, .context("Could not parse SELECT privilege")?,
insert_priv: parse_permission(line_parts.get(3).unwrap()) insert_priv: parse_privilege(line_parts.get(3).unwrap())
.context("Could not parse INSERT privilege")?, .context("Could not parse INSERT privilege")?,
update_priv: parse_permission(line_parts.get(4).unwrap()) update_priv: parse_privilege(line_parts.get(4).unwrap())
.context("Could not parse UPDATE privilege")?, .context("Could not parse UPDATE privilege")?,
delete_priv: parse_permission(line_parts.get(5).unwrap()) delete_priv: parse_privilege(line_parts.get(5).unwrap())
.context("Could not parse DELETE privilege")?, .context("Could not parse DELETE privilege")?,
create_priv: parse_permission(line_parts.get(6).unwrap()) create_priv: parse_privilege(line_parts.get(6).unwrap())
.context("Could not parse CREATE privilege")?, .context("Could not parse CREATE privilege")?,
drop_priv: parse_permission(line_parts.get(7).unwrap()) drop_priv: parse_privilege(line_parts.get(7).unwrap())
.context("Could not parse DROP privilege")?, .context("Could not parse DROP privilege")?,
alter_priv: parse_permission(line_parts.get(8).unwrap()) alter_priv: parse_privilege(line_parts.get(8).unwrap())
.context("Could not parse ALTER privilege")?, .context("Could not parse ALTER privilege")?,
index_priv: parse_permission(line_parts.get(9).unwrap()) index_priv: parse_privilege(line_parts.get(9).unwrap())
.context("Could not parse INDEX privilege")?, .context("Could not parse INDEX privilege")?,
create_tmp_table_priv: parse_permission(line_parts.get(10).unwrap()) create_tmp_table_priv: parse_privilege(line_parts.get(10).unwrap())
.context("Could not parse CREATE TEMPORARY TABLE privilege")?, .context("Could not parse CREATE TEMPORARY TABLE privilege")?,
lock_tables_priv: parse_permission(line_parts.get(11).unwrap()) lock_tables_priv: parse_privilege(line_parts.get(11).unwrap())
.context("Could not parse LOCK TABLES privilege")?, .context("Could not parse LOCK TABLES privilege")?,
references_priv: parse_permission(line_parts.get(12).unwrap()) references_priv: parse_privilege(line_parts.get(12).unwrap())
.context("Could not parse REFERENCES privilege")?, .context("Could not parse REFERENCES privilege")?,
}) })
}) })
@ -412,40 +415,40 @@ fn format_privileges_line(
.to_string() .to_string()
} }
pub async fn edit_permissions( pub async fn edit_privileges(
args: DatabaseEditPermArgs, args: DatabaseEditPrivsArgs,
conn: &mut MySqlConnection, conn: &mut MySqlConnection,
) -> anyhow::Result<()> { ) -> anyhow::Result<()> {
let permission_data = if let Some(name) = &args.name { let privilege_data = if let Some(name) = &args.name {
get_database_privileges(name, conn).await? get_database_privileges(name, conn).await?
} else { } else {
get_all_database_privileges(conn).await? get_all_database_privileges(conn).await?
}; };
let permissions_to_change = if !args.perm.is_empty() { let privileges_to_change = if !args.privs.is_empty() {
if let Some(name) = args.name { if let Some(name) = args.name {
args.perm args.privs
.iter() .iter()
.map(|perm| { .map(|p| {
parse_permission_table_cli_arg(&format!("{}:{}", name, &perm)) parse_privilege_table_cli_arg(&format!("{}:{}", name, &p))
.context(format!("Failed parsing database permissions: `{}`", &perm)) .context(format!("Failed parsing database privileges: `{}`", &p))
}) })
.collect::<anyhow::Result<Vec<DatabasePrivilegeRow>>>()? .collect::<anyhow::Result<Vec<DatabasePrivilegeRow>>>()?
} else { } else {
args.perm args.privs
.iter() .iter()
.map(|perm| { .map(|p| {
parse_permission_table_cli_arg(perm) parse_privilege_table_cli_arg(p)
.context(format!("Failed parsing database permissions: `{}`", &perm)) .context(format!("Failed parsing database privileges: `{}`", &p))
}) })
.collect::<anyhow::Result<Vec<DatabasePrivilegeRow>>>()? .collect::<anyhow::Result<Vec<DatabasePrivilegeRow>>>()?
} }
} else { } else {
let comment = indoc! {r#" let comment = indoc! {r#"
# Welcome to the permission editor. # Welcome to the privilege editor.
# Each line defines what permissions a single user has on a single database. # Each line defines what privileges a single user has on a single database.
# The first two columns respectively represent the database name and the user, and the remaining columns are the permissions. # The first two columns respectively represent the database name and the user, and the remaining columns are the privileges.
# If the user should have a permission, write 'Y', otherwise write 'N'. # If the user should have a certain privilege, write 'Y', otherwise write 'N'.
# #
# Lines starting with '#' are comments and will be ignored. # Lines starting with '#' are comments and will be ignored.
"#}; "#};
@ -454,13 +457,13 @@ pub async fn edit_permissions(
let example_user = format!("{}_user", unix_user.name); let example_user = format!("{}_user", unix_user.name);
let example_db = format!("{}_db", unix_user.name); let example_db = format!("{}_db", unix_user.name);
let longest_username = permission_data let longest_username = privilege_data
.iter() .iter()
.map(|p| p.user.len()) .map(|p| p.user.len())
.max() .max()
.unwrap_or(example_user.len()); .unwrap_or(example_user.len());
let longest_database_name = permission_data let longest_database_name = privilege_data
.iter() .iter()
.map(|p| p.db.len()) .map(|p| p.db.len())
.max() .max()
@ -471,7 +474,7 @@ pub async fn edit_permissions(
.map(db_priv_field_human_readable_name) .map(db_priv_field_human_readable_name)
.collect(); .collect();
// Pad the first two columns with spaces to align the permissions. // Pad the first two columns with spaces to align the privileges.
header[0] = format!("{:width$}", header[0], width = longest_database_name); header[0] = format!("{:width$}", header[0], width = longest_database_name);
header[1] = format!("{:width$}", header[1], width = longest_username); header[1] = format!("{:width$}", header[1], width = longest_username);
@ -503,14 +506,14 @@ pub async fn edit_permissions(
"{}\n{}\n{}", "{}\n{}\n{}",
comment, comment,
header.join(" "), header.join(" "),
if permission_data.is_empty() { if privilege_data.is_empty() {
format!("# {}", example_line) format!("# {}", example_line)
} else { } else {
permission_data privilege_data
.iter() .iter()
.map(|perm| { .map(|privs| {
format_privileges_line( format_privileges_line(
perm, privs,
longest_username, longest_username,
longest_database_name, longest_database_name,
) )
@ -522,18 +525,18 @@ pub async fn edit_permissions(
)? )?
.unwrap(); .unwrap();
parse_permission_data_from_editor(result) parse_privilege_data_from_editor(result)
.context("Could not parse permission data from editor")? .context("Could not parse privilege data from editor")?
}; };
for row in permissions_to_change.iter() { for row in privileges_to_change.iter() {
if !user_exists(&row.user, conn).await? { if !user_exists(&row.user, conn).await? {
// TODO: allow user to return and correct their mistake // TODO: allow user to return and correct their mistake
anyhow::bail!("User {} does not exist", row.user); anyhow::bail!("User {} does not exist", row.user);
} }
} }
let diffs = diff_permissions(permission_data, &permissions_to_change).await; let diffs = diff_privileges(privilege_data, &privileges_to_change).await;
if diffs.is_empty() { if diffs.is_empty() {
println!("No changes to make."); println!("No changes to make.");
@ -542,7 +545,7 @@ pub async fn edit_permissions(
// TODO: Add confirmation prompt. // TODO: Add confirmation prompt.
apply_permission_diffs(diffs, conn).await?; apply_privilege_diffs(diffs, conn).await?;
Ok(()) Ok(())
} }

View File

@ -50,6 +50,10 @@ pub struct Args {
pub help_editperm: bool, pub help_editperm: bool,
} }
// NOTE: mysql-dbadm explicitly calls privileges "permissions".
// This is something we're trying to move away from.
// See https://git.pvv.ntnu.no/Projects/mysqladm-rs/issues/29
/// Create, drop or edit permissions for the DATABASE(s), /// Create, drop or edit permissions for the DATABASE(s),
/// as determined by the COMMAND. /// as determined by the COMMAND.
/// ///
@ -158,15 +162,15 @@ pub async fn main() -> anyhow::Result<()> {
// Hopefully, not many people rely on this in an automated fashion, as it // Hopefully, not many people rely on this in an automated fashion, as it
// is made to be interactive in nature. However, we should still try to // is made to be interactive in nature. However, we should still try to
// replicate the old behavior as closely as possible. // replicate the old behavior as closely as possible.
let edit_permissions_args = database_command::DatabaseEditPermArgs { let edit_privileges_args = database_command::DatabaseEditPrivsArgs {
name: Some(args.database), name: Some(args.database),
perm: vec![], privs: vec![],
json: false, json: false,
editor: None, editor: None,
yes: false, yes: false,
}; };
database_command::edit_permissions(edit_permissions_args, &mut connection).await?; database_command::edit_privileges(edit_privileges_args, &mut connection).await?;
} }
} }
@ -178,7 +182,7 @@ async fn show_db(name: &str, conn: &mut MySqlConnection) -> anyhow::Result<()> {
// for non-existent databases will report with no users. // for non-existent databases will report with no users.
// This function should *not* check for db existence, only // This function should *not* check for db existence, only
// validate the names. // validate the names.
let permissions = database_privilege_operations::get_database_privileges(name, conn) let privileges = database_privilege_operations::get_database_privileges(name, conn)
.await .await
.unwrap_or(vec![]); .unwrap_or(vec![]);
@ -190,24 +194,24 @@ async fn show_db(name: &str, conn: &mut MySqlConnection) -> anyhow::Result<()> {
), ),
name, name,
); );
if permissions.is_empty() { if privileges.is_empty() {
println!("# (no permissions currently granted to any users)"); println!("# (no permissions currently granted to any users)");
} else { } else {
for permission in permissions { for privilege in privileges {
println!( println!(
" {:<16} {:<7} {:<7} {:<7} {:<7} {:<7} {:<7} {:<7} {:<7} {:<7} {:<7} {}", " {:<16} {:<7} {:<7} {:<7} {:<7} {:<7} {:<7} {:<7} {:<7} {:<7} {:<7} {}",
permission.user, privilege.user,
yn(permission.select_priv), yn(privilege.select_priv),
yn(permission.insert_priv), yn(privilege.insert_priv),
yn(permission.update_priv), yn(privilege.update_priv),
yn(permission.delete_priv), yn(privilege.delete_priv),
yn(permission.create_priv), yn(privilege.create_priv),
yn(permission.drop_priv), yn(privilege.drop_priv),
yn(permission.alter_priv), yn(privilege.alter_priv),
yn(permission.index_priv), yn(privilege.index_priv),
yn(permission.create_tmp_table_priv), yn(privilege.create_tmp_table_priv),
yn(permission.lock_tables_priv), yn(privilege.lock_tables_priv),
yn(permission.references_priv) yn(privilege.references_priv)
); );
} }
} }

View File

@ -5,7 +5,7 @@
//! //!
//! A lot of the complexity comes from two core components: //! A lot of the complexity comes from two core components:
//! //!
//! - The permission editor that needs to be able to print //! - The privilege editor that needs to be able to print
//! an editable table of privileges and reparse the content //! an editable table of privileges and reparse the content
//! after the user has made manual changes. //! after the user has made manual changes.
//! //!
@ -28,6 +28,9 @@ use crate::core::{
database_operations::validate_database_name, database_operations::validate_database_name,
}; };
/// This is the list of fields that are used to fetch the db + user + privileges
/// from the `db` table in the database. If you need to add or remove privilege
/// fields, this is a good place to start.
pub const DATABASE_PRIVILEGE_FIELDS: [&str; 13] = [ pub const DATABASE_PRIVILEGE_FIELDS: [&str; 13] = [
"db", "db",
"user", "user",
@ -227,7 +230,7 @@ pub enum DatabasePrivilegesDiff {
Deleted(DatabasePrivilegeRow), Deleted(DatabasePrivilegeRow),
} }
pub async fn diff_permissions( pub async fn diff_privileges(
from: Vec<DatabasePrivilegeRow>, from: Vec<DatabasePrivilegeRow>,
to: &[DatabasePrivilegeRow], to: &[DatabasePrivilegeRow],
) -> Vec<DatabasePrivilegesDiff> { ) -> Vec<DatabasePrivilegesDiff> {
@ -265,7 +268,7 @@ pub async fn diff_permissions(
result result
} }
pub async fn apply_permission_diffs( pub async fn apply_privilege_diffs(
diffs: Vec<DatabasePrivilegesDiff>, diffs: Vec<DatabasePrivilegesDiff>,
conn: &mut MySqlConnection, conn: &mut MySqlConnection,
) -> anyhow::Result<()> { ) -> anyhow::Result<()> {
@ -349,7 +352,7 @@ mod tests {
} }
#[tokio::test] #[tokio::test]
async fn test_diff_permissions() { async fn test_diff_privileges() {
let from = vec![DatabasePrivilegeRow { let from = vec![DatabasePrivilegeRow {
db: "db".to_owned(), db: "db".to_owned(),
user: "user".to_owned(), user: "user".to_owned(),
@ -382,7 +385,7 @@ mod tests {
references_priv: true, references_priv: true,
}]; }];
let diffs = diff_permissions(from, &to).await; let diffs = diff_privileges(from, &to).await;
assert_eq!( assert_eq!(
diffs, diffs,