Support for Percona effective grants

Percona returns all grants; even ones, that were not directly requested. Eg. SHOW GRANTS FOR 'user'@'127.0.0.1' shows also grants for 'user'@'%'. Skip them to support this edge case.
pendo-io · Jul 17, 2021 · 75d1953 · 75d1953
1 parent fb7fb45
commit 75d1953
Show file tree

Hide file tree

Showing 2 changed files with 96 additions and 2 deletions.
diff --git a/mysql/resource_grant.go b/mysql/resource_grant.go
@@ -504,7 +504,7 @@ func showGrants(db *sql.DB, user string) ([]*MySQLGrant, error) {
 	}
 
 	defer rows.Close()
-	re := regexp.MustCompile(`^GRANT (.+) ON (.+?)\.(.+?) TO`)
+	re := regexp.MustCompile(`^GRANT (.+) ON (.+?)\.(.+?) TO ([^ ]+)`)
 
 	// Ex: GRANT `app_read`@`%`,`app_write`@`%` TO `rw_user1`@`localhost
 	reRole := regexp.MustCompile(`^GRANT (.+) TO`)
@@ -518,14 +518,20 @@ func showGrants(db *sql.DB, user string) ([]*MySQLGrant, error) {
 			return nil, err
 		}
 
-		if m := re.FindStringSubmatch(rawGrant); len(m) == 4 {
+		if m := re.FindStringSubmatch(rawGrant); len(m) == 5 {
 			privsStr := m[1]
 			priv_list := extractPermTypes(privsStr)
 			privileges := make([]string, len(priv_list))
 
 			for i, priv := range priv_list {
 				privileges[i] = strings.TrimSpace(priv)
 			}
+			grantUserHost := m[4]
+			if stripQuotes(grantUserHost) != stripQuotes(user) {
+				// Percona returns also grants for % if we requested IP.
+				// Skip them as we don't want terraform to consider it.
+				continue
+			}
 
 			grant := &MySQLGrant{
 				Database:   strings.ReplaceAll(m[2], "`", ""),
@@ -569,6 +575,12 @@ func normalizeColumnOrderMulti(perm []string) []string {
 	return ret
 }
 
+func stripQuotes(user string) string {
+	withoutQuotes := strings.ReplaceAll(user, "'", "")
+	withoutBackticks := strings.ReplaceAll(withoutQuotes, "`", "")
+	return withoutBackticks
+}
+
 func removeUselessPerms(grants []string) []string {
 	ret := []string{}
 	for _, grant := range grants {

diff --git a/mysql/resource_grant_test.go b/mysql/resource_grant_test.go
@@ -79,6 +79,38 @@ func TestAccBroken(t *testing.T) {
 	})
 }
 
+func TestAccDifferentHosts(t *testing.T) {
+	dbName := fmt.Sprintf("tf-test-%d", rand.Intn(100))
+	resource.Test(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t) },
+		Providers:    testAccProviders,
+		CheckDestroy: testAccGrantCheckDestroy,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccGrantConfig_extraHost(dbName, false),
+				Check: resource.ComposeTestCheckFunc(
+					testAccPrivilege("mysql_grant.test_all", "SELECT", true),
+					resource.TestCheckResourceAttr("mysql_grant.test_all", "user", fmt.Sprintf("jdoe-%s", dbName)),
+					resource.TestCheckResourceAttr("mysql_grant.test_all", "host", "%"),
+					resource.TestCheckResourceAttr("mysql_grant.test_all", "table", "*"),
+				),
+			},
+			{
+				Config: testAccGrantConfig_extraHost(dbName, true),
+				Check: resource.ComposeTestCheckFunc(
+					testAccPrivilege("mysql_grant.test", "SELECT", true),
+					resource.TestCheckResourceAttr("mysql_grant.test", "user", fmt.Sprintf("jdoe-%s", dbName)),
+					resource.TestCheckResourceAttr("mysql_grant.test", "host", "10.1.2.3"),
+					resource.TestCheckResourceAttr("mysql_grant.test", "table", "*"),
+					resource.TestCheckResourceAttr("mysql_grant.test_all", "user", fmt.Sprintf("jdoe-%s", dbName)),
+					resource.TestCheckResourceAttr("mysql_grant.test_all", "host", "%"),
+					resource.TestCheckResourceAttr("mysql_grant.test_all", "table", "*"),
+				),
+			},
+		},
+	})
+}
+
 func TestAccGrantComplex(t *testing.T) {
 	dbName := fmt.Sprintf("tf-test-%d", rand.Intn(100))
 	resource.Test(t, resource.TestCase{
@@ -430,6 +462,56 @@ resource "mysql_grant" "test" {
 `, dbName, dbName)
 }
 
+func testAccGrantConfig_extraHost(dbName string, extraHost bool) string {
+	extra := ""
+	if extraHost {
+		extra = fmt.Sprintf(`
+resource "mysql_grant" "test_bet" {
+  user       = "${mysql_user.test_bet.user}"
+  host       = "${mysql_user.test_bet.host}"
+  database   = "mysql"
+  privileges = ["DELETE"]
+}
+		`)
+	}
+
+	return fmt.Sprintf(`
+resource "mysql_database" "test" {
+  name = "%s"
+}
+
+resource "mysql_user" "test_all" {
+  user     = "jdoe-%s"
+  host     = "%%"
+}
+
+resource "mysql_user" "test" {
+  user       = "jdoe-%s"
+  host       = "10.1.2.3"
+}
+
+resource "mysql_user" "test_bet" {
+  user       = "jdoe-%s"
+  host       = "10.1.%%.%%"
+}
+
+resource "mysql_grant" "test_all" {
+  user       = "${mysql_user.test_all.user}"
+  host       = "${mysql_user.test_all.host}"
+  database   = "mysql"
+  privileges = ["UPDATE", "SELECT"]
+}
+
+resource "mysql_grant" "test" {
+  user       = "${mysql_user.test.user}"
+  host       = "${mysql_user.test.host}"
+  database   = "mysql"
+  privileges = ["SELECT", "INSERT"]
+}
+%s
+`, dbName, dbName, dbName, dbName, extra)
+}
+
 func testAccGrantConfig_broken(dbName string) string {
 	return fmt.Sprintf(`
 resource "mysql_database" "test" {