← Back to team overview

launchpad-reviewers team mailing list archive

[Merge] ~cjwatson/launchpad:charm-admin-apply-security into launchpad:master

 

Colin Watson has proposed merging ~cjwatson/launchpad:charm-admin-apply-security into launchpad:master.

Commit message:
charm: Update DB permissions when configuring launchpad-admin

Requested reviews:
  Launchpad code reviewers (launchpad-reviewers)

For more details, see:
https://code.launchpad.net/~cjwatson/launchpad/+git/launchpad/+merge/440257

This replaces code currently run by our deployment machinery at the end of its `build` phase.

I also fixed a typo in a reactive flag name that caused hooks to do unnecessary work, since we were never considering the service to be configured.
-- 
Your team Launchpad code reviewers is requested to review the proposed merge of ~cjwatson/launchpad:charm-admin-apply-security into launchpad:master.
diff --git a/charm/launchpad-admin/reactive/launchpad-admin.py b/charm/launchpad-admin/reactive/launchpad-admin.py
index 4d65102..ff76afc 100644
--- a/charm/launchpad-admin/reactive/launchpad-admin.py
+++ b/charm/launchpad-admin/reactive/launchpad-admin.py
@@ -2,6 +2,7 @@
 # GNU Affero General Public License version 3 (see the file LICENSE).
 
 import os.path
+import subprocess
 
 from charmhelpers.core import hookenv, host, templating
 from charms.launchpad.base import (
@@ -28,13 +29,55 @@ def strip_password(dsn):
     return make_dsn(**parsed_dsn)
 
 
+def database_is_initialized() -> bool:
+    """Has the database been initialized?
+
+    The launchpad-admin charm is itself used to initialize the database, so
+    we can't assume that that's been done yet at the time our `configure`
+    handler runs.  The `LaunchpadDatabaseRevision` table is used to track
+    schema migrations, so its presence is a good indicator of whether we
+    have a useful database.
+    """
+    return (
+        subprocess.run(
+            [
+                "sudo",
+                "-H",
+                "-u",
+                base.user(),
+                os.path.join(home_dir(), "bin", "db"),
+                "-c",
+                r"\d LaunchpadDatabaseRevision",
+            ],
+            stdout=subprocess.DEVNULL,
+            stderr=subprocess.DEVNULL,
+        ).returncode
+        == 0
+    )
+
+
+def update_database_permissions():
+    subprocess.run(
+        [
+            "sudo",
+            "-H",
+            "-u",
+            base.user(),
+            "LPCONFIG=launchpad-admin",
+            os.path.join(base.code_dir(), "database", "schema", "security.py"),
+            "--no-revoke",
+        ],
+        check=True,
+    )
+
+
 @when(
     "launchpad.base.configured",
     "db.master.available",
     "db-admin.master.available",
     "session-db.master.available",
 )
-@when_not("service_configured")
+@when_not("service.configured")
 def configure():
     db = endpoint_from_flag("db.master.available")
     db_admin = endpoint_from_flag("db-admin.master.available")
@@ -82,5 +125,11 @@ def configure():
             perms=0o755,
         )
 
+    if database_is_initialized():
+        hookenv.log("Updating database permissions.")
+        update_database_permissions()
+    else:
+        hookenv.log("Database has not been initialized yet.")
+
     set_state("service.configured")
     hookenv.status_set("active", "Ready")
diff --git a/charm/launchpad-admin/templates/db-admin.j2 b/charm/launchpad-admin/templates/db-admin.j2
index aa0f73d..4749ab3 100644
--- a/charm/launchpad-admin/templates/db-admin.j2
+++ b/charm/launchpad-admin/templates/db-admin.j2
@@ -6,5 +6,5 @@
 
 set -e
 
-psql '{{ db_admin_primary }}'
+psql '{{ db_admin_primary }}' "$@"
 
diff --git a/charm/launchpad-admin/templates/db-session.j2 b/charm/launchpad-admin/templates/db-session.j2
index 4d776ae..76a47e1 100755
--- a/charm/launchpad-admin/templates/db-session.j2
+++ b/charm/launchpad-admin/templates/db-session.j2
@@ -6,5 +6,5 @@
 
 set -e
 
-psql '{{ db_session_primary }}'
+psql '{{ db_session_primary }}' "$@"
 
diff --git a/charm/launchpad-admin/templates/db.j2 b/charm/launchpad-admin/templates/db.j2
index f07f7e8..7976492 100644
--- a/charm/launchpad-admin/templates/db.j2
+++ b/charm/launchpad-admin/templates/db.j2
@@ -6,5 +6,5 @@
 
 set -e
 
-psql '{{ db_primary }}'
+psql '{{ db_primary }}' "$@"