Merge pull request #427 from Dwolla/pgadmin

bpholt · web-flow · commit 80419e46aeae · 2025-11-17T16:51:44.000-06:00
Grant all privileges on all tables in schema public to pgadmin
diff --git a/build.sbt b/build.sbt
@@ -62,10 +62,13 @@ lazy val `postgresql-init-core` = (project in file("."))
         "com.dwolla" %% "natchez-tagless" % "0.2.6-131-d6a1c7c-SNAPSHOT",
         "org.typelevel" %% "mouse" % "1.4.0",
         "com.comcast" %% "ip4s-core" % "3.7.0",
+        "org.typelevel" %% "literally" % "1.2.0",
         "org.scalameta" %% "munit" % "1.2.1" % Test,
         "org.scalameta" %% "munit-scalacheck" % "1.2.0" % Test,
         "io.circe" %% "circe-literal" % circeV % Test,
         "com.dwolla" %% "dwolla-otel-natchez" % "0.2.8" % Test,
+        "org.typelevel" %% "discipline-munit" % "2.0.0" % Test,
+        "org.typelevel" %% "cats-laws" % "2.13.0" % Test,
       )
     },
     buildInfoPackage := "com.dwolla.buildinfo.postgres.init",
diff --git a/serverless.yml b/serverless.yml
@@ -15,6 +15,8 @@ provider:
   iam:
     deploymentRole: "arn:aws:iam::${env:ACCOUNT}:role/cloudformation/deployer/cloudformation-deployer"
     role:
+      managedPolicies:
+        - arn:aws:iam::aws:policy/AWSXRayDaemonWriteAccess
       statements:
         - Effect: Allow
           Action:
diff --git a/src/main/scala/com/dwolla/postgres/init/PostgresqlDatabaseInitHandler.scala b/src/main/scala/com/dwolla/postgres/init/PostgresqlDatabaseInitHandler.scala
@@ -36,10 +36,14 @@ class PostgresqlDatabaseInitHandler
       given Random[F] <- Resource.eval(Random.scalaUtilRandom[F])
       client <- httpClient[F]
       entryPoint <- entryPointOverride.toOptionT[Resource[F, *]].getOrElseF {
-        XRayEnvironment[F].daemonAddress.toResource.flatMap {
-          case Some(addr) => XRay.entryPoint(addr)
-          case None => XRay.entryPoint[F]()
-        }
+        XRayEnvironment[F]
+          .daemonAddress
+          .flatTap(maybeAddress => Console[F].println(s"found daemonAddress: $maybeAddress"))
+          .toResource
+          .flatMap {
+            case Some(addr) => XRay.entryPoint(addr)
+            case None => XRay.entryPoint[F]()
+          }
       }
       region <- Env[F].get("AWS_REGION").liftEitherT(new RuntimeException("missing AWS_REGION environment variable")).map(AwsRegion(_)).rethrowT.toResource
       awsEnv <- AwsEnvironment.default(client, region)
diff --git a/src/main/scala/com/dwolla/postgres/init/PostgresqlDatabaseInitHandlerImpl.scala b/src/main/scala/com/dwolla/postgres/init/PostgresqlDatabaseInitHandlerImpl.scala
@@ -45,21 +45,27 @@ object PostgresqlDatabaseInitHandlerImpl {
         dbId <- removeUsersFromDatabase(usernames, event.name).inSession(event.host, event.port, event.username, event.password)
       } yield HandlerResponse(dbId, None)
 
-    private def createOrUpdate(userPasswords: List[UserConnectionInfo], input: DatabaseMetadata): InSession[F, PhysicalResourceId] =
+    private def databaseScopedCreateOrUpdateOperations(userPasswords: List[UserConnectionInfo], input: DatabaseMetadata): InSession[F, Unit] =
       for {
-        db <- databaseAsPhysicalResourceId[InSession[F, *]](input.name)
-        _ <- databaseRepository.createDatabase(input)
+        _ <- databaseRepository.grantAllPrivilegesOnAllTablesInSchemaPublicToPgadmin
         _ <- roleRepository.createRole(input.name)
         _ <- userPasswords.traverse { userPassword =>
           userRepository.addOrUpdateUser(userPassword) >> roleRepository.addUserToRole(userPassword.user, userPassword.database)
         }
+      } yield ()
+
+    private def createOrUpdate(userPasswords: List[UserConnectionInfo], input: DatabaseMetadata): F[PhysicalResourceId] =
+      for {
+        db <- databaseAsPhysicalResourceId[F](input.name)
+        scope <- databaseRepository.createDatabase(input).inSession(input.host, input.port, input.username, input.password)
+        _ <- databaseScopedCreateOrUpdateOperations(userPasswords, input).inSession(input.host, input.port, input.username, input.password, scope)
       } yield db
 
     private def handleCreateOrUpdate(input: DatabaseMetadata)
-                                    (f: List[UserConnectionInfo] => InSession[F, PhysicalResourceId]): F[PhysicalResourceId] =
+                                    (f: List[UserConnectionInfo] => F[PhysicalResourceId]): F[PhysicalResourceId] =
       for {
         userPasswords <- input.secretIds.traverse(secretsManagerAlg.getSecretAs[UserConnectionInfo])
-        id <- f(userPasswords).inSession(input.host, input.port, input.username, input.password)
+        id <- f(userPasswords)
       } yield id
 
     private def getUsernamesFromSecrets(secretIds: List[SecretIdType], fallback: Username): F[List[Username]] =
diff --git a/src/main/scala/com/dwolla/postgres/init/package.scala b/src/main/scala/com/dwolla/postgres/init/package.scala
@@ -1,21 +1,48 @@
 package com.dwolla.postgres.init
 
+import cats.*
 import cats.syntax.all.*
 import com.comcast.ip4s.{Host, Port}
 import eu.timepit.refined.*
 import eu.timepit.refined.api.*
 import eu.timepit.refined.string.*
 import io.circe.Decoder
-import monix.newtypes.{HasExtractor, NewtypeWrapped}
 import monix.newtypes.integrations.DerivedCirceCodec
+import monix.newtypes.{HasExtractor, NewtypeWrapped}
 import natchez.TraceableValue
+import org.typelevel.literally.Literally
 
 given [A: TraceableValue, P]: TraceableValue[A Refined P] = TraceableValue[A].contramap(_.value)
 
 type SqlIdentifierPredicate = MatchesRegex["[A-Za-z][A-Za-z0-9_]*"]
 
 type SqlIdentifier = String Refined SqlIdentifierPredicate
 object SqlIdentifier extends RefinedTypeOps[SqlIdentifier, String]
+given Semigroup[SqlIdentifier] = Semigroup.instance((a, b) => SqlIdentifier.unsafeFrom(a.value + b.value))
+given Eq[SqlIdentifier] = Eq.by(_.value)
+
+type SqlIdentifierTailPredicate = MatchesRegex["[A-Za-z0-9_]*"]
+type SqlIdentifierTail = String Refined SqlIdentifierTailPredicate
+object SqlIdentifierTail extends RefinedTypeOps[SqlIdentifierTail, String]
+extension (base: SqlIdentifier)
+  def append(tail: SqlIdentifierTail): SqlIdentifier =
+    SqlIdentifier.unsafeFrom(base.value + tail.value)
+
+extension (inline ctx: StringContext)
+  inline def sqlIdentifier(inline args: Any*): SqlIdentifier =
+    ${ SqlIdentifierLiteral('ctx, 'args) }
+  inline def sqlIdentifierTail(inline args: Any*): SqlIdentifierTail =
+    ${ SqlIdentifierTailLiteral('ctx, 'args) }
+
+object SqlIdentifierLiteral extends Literally[SqlIdentifier]:
+  def validate(s: String)(using Quotes): Either[String, Expr[SqlIdentifier]] =
+    SqlIdentifier.from(s).as:
+      '{ SqlIdentifier.from(${ Expr(s) }).toOption.get }
+
+object SqlIdentifierTailLiteral extends Literally[SqlIdentifierTail]:
+  def validate(s: String)(using Quotes): Either[String, Expr[SqlIdentifierTail]] =
+    SqlIdentifierTail.from(s).as:
+      '{ SqlIdentifierTail.from(${ Expr(s) }).toOption.get }
 
 type GeneratedPasswordPredicate = MatchesRegex["""[-A-Za-z0-9!"#$%&()*+,./:<=>?@\[\]\\^_{|}~]+"""]
 
diff --git a/src/main/scala/com/dwolla/postgres/init/repositories/CreateSkunkSession.scala b/src/main/scala/com/dwolla/postgres/init/repositories/CreateSkunkSession.scala
@@ -42,11 +42,29 @@ object CreateSkunkSession {
                   password: MasterDatabasePassword,
                  )
                  (using CreateSkunkSession[F], MonadCancelThrow[F]): F[A] =
+      impl(host, port, username, password, none)
+
+    def inSession(host: Host,
+                  port: Port,
+                  username: MasterDatabaseUsername,
+                  password: MasterDatabasePassword,
+                  database: Database,
+                 )
+                 (using CreateSkunkSession[F], MonadCancelThrow[F]): F[A] =
+      impl(host, port, username, password, database.some)
+
+    private def impl(host: Host,
+                  port: Port,
+                  username: MasterDatabaseUsername,
+                  password: MasterDatabasePassword,
+                  database: Option[Database],
+                 )
+                 (using CreateSkunkSession[F], MonadCancelThrow[F]): F[A] =
       CreateSkunkSession[F].single(
         host = host.show,
         port = port.value,
         user = username.value.value,
-        database = "postgres",
+        database = database.map(_.value).getOrElse(sqlIdentifier"postgres").value,
         password = password.value.some,
         ssl = if (host == host"localhost") SSL.None else SSL.System,
       ).use(kleisli.run)
diff --git a/src/main/scala/com/dwolla/postgres/init/repositories/DatabaseRepository.scala b/src/main/scala/com/dwolla/postgres/init/repositories/DatabaseRepository.scala
@@ -17,11 +17,17 @@ import skunk.implicits.*
 trait DatabaseRepository[F[_]] {
   def createDatabase(db: DatabaseMetadata): F[Database]
   def removeDatabase(database: Database): F[Database]
+  def grantAllPrivilegesOnAllTablesInSchemaPublicToPgadmin: F[Unit]
 }
 
 @annotation.experimental
 object DatabaseRepository {
-  given Aspect[DatabaseRepository, TraceableValue, TraceableValue] = Derive.aspect
+  given Aspect[DatabaseRepository, TraceableValue, TraceableValue] = {
+    import com.dwolla.tracing.LowPriorityTraceableValueInstances.unitTraceableValue
+    Derive.aspect
+  }
+
+  val pgadminRole = RoleName(sqlIdentifier"pgadmin")
 
   def apply[F[_] : {MonadCancelThrow, Logger, Trace}]: DatabaseRepository[InSession[F, *]] = new DatabaseRepository[InSession[F, *]] {
     override def createDatabase(db: DatabaseMetadata): Kleisli[F, Session[F], Database] =
@@ -56,6 +62,15 @@ object DatabaseRepository {
         .as(database)
         .recoverUndefinedAs(database)
     }
+
+    override def grantAllPrivilegesOnAllTablesInSchemaPublicToPgadmin: InSession[F, Unit] = Kleisli { (session: Session[F]) =>
+      List(
+        DatabaseQueries.grantAllPrivilegesOnAllTablesInSchemaPublicTo(_),
+        DatabaseQueries.alterDefaultPrivilegesToGrantAllPrivilegesOnAllTablesInSchemaPublicTo(_),
+      ).traverse { (f: RoleName => Command[Void]) =>
+        session.execute(f(pgadminRole))
+      }
+    }.void
   }.traceWithInputsAndOutputs
 }
 
@@ -74,4 +89,10 @@ object DatabaseQueries {
   def dropDatabase(database: Database): Command[Void] =
     sql"DROP DATABASE IF EXISTS #${database.value.value}"
       .command
+
+  def grantAllPrivilegesOnAllTablesInSchemaPublicTo(role: RoleName): Command[Void] =
+    sql"GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO #${role.value.value}".command
+
+  def alterDefaultPrivilegesToGrantAllPrivilegesOnAllTablesInSchemaPublicTo(role: RoleName): Command[Void] =
+    sql"ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT ALL PRIVILEGES ON TABLES TO #${role.value.value}".command
 }
diff --git a/src/main/scala/com/dwolla/postgres/init/repositories/RoleRepository.scala b/src/main/scala/com/dwolla/postgres/init/repositories/RoleRepository.scala
@@ -29,9 +29,9 @@ object RoleRepository {
   given Aspect[RoleRepository, TraceableValue, TraceableValue] = Derive.aspect
 
   def roleNameForDatabase(database: Database): RoleName =
-    RoleName(Refined.unsafeApply(database.value + "_role"))
+    RoleName(database.value.append(sqlIdentifierTail"_role"))
 
-  def apply[F[_] : MonadCancelThrow : Logger : Trace]: RoleRepository[Kleisli[F, Session[F], *]] = new RoleRepository[Kleisli[F, Session[F], *]] {
+  def apply[F[_] : {MonadCancelThrow, Logger, Trace}]: RoleRepository[Kleisli[F, Session[F], *]] = new RoleRepository[Kleisli[F, Session[F], *]] {
     override def createRole(database: Database): Kleisli[F, Session[F], Unit] = {
       val role = roleNameForDatabase(database)
 
diff --git a/src/main/scala/com/dwolla/postgres/init/repositories/UserRepository.scala b/src/main/scala/com/dwolla/postgres/init/repositories/UserRepository.scala
@@ -28,7 +28,7 @@ object UserRepository {
   given Aspect[UserRepository, TraceableValue, TraceableValue] = Derive.aspect
 
   def usernameForDatabase(database: Database): Username =
-    Username(Refined.unsafeApply(database.value.value))
+    Username(database.value)
 
   def apply[F[_] : {Logger, Temporal, Trace}]: UserRepository[Kleisli[F, Session[F], *]] = new UserRepository[Kleisli[F, Session[F], *]] {
     private given [A]: Logger[Kleisli[F, A, *]] = Logger[F].mapK(Kleisli.liftK)
diff --git a/src/test/scala/com/dwolla/postgres/init/ExtractRequestPropertiesSpec.scala b/src/test/scala/com/dwolla/postgres/init/ExtractRequestPropertiesSpec.scala
@@ -27,8 +27,8 @@ class ExtractRequestPropertiesSpec extends munit.FunSuite {
       Right(DatabaseMetadata(
         host"database-hostname",
         port"5432",
-        Database(SqlIdentifier.unsafeFrom("mydb")),
-        MasterDatabaseUsername(SqlIdentifier.unsafeFrom("masterdb")),
+        Database(sqlIdentifier"mydb"),
+        MasterDatabaseUsername(sqlIdentifier"masterdb"),
         MasterDatabasePassword("master-pass"),
         List("secret1", "secret2").map(SecretIdType(_)),
       ))
diff --git a/src/test/scala/com/dwolla/postgres/init/LocalApp.scala b/src/test/scala/com/dwolla/postgres/init/LocalApp.scala
@@ -46,9 +46,9 @@ object LocalApp extends IOApp {
           ResourceProperties = DatabaseMetadata(
             host = host"localhost",
             port = port"5432",
-            name = Database(SqlIdentifier.unsafeFrom("transactionactivitymonitor")),
-            username = MasterDatabaseUsername(SqlIdentifier.unsafeFrom("root")),
-            password = MasterDatabasePassword(SqlIdentifier.unsafeFrom("root")),
+            name = Database(sqlIdentifier"transactionactivitymonitor"),
+            username = MasterDatabaseUsername(sqlIdentifier"root"),
+            password = MasterDatabasePassword(sqlIdentifier"root"),
             secretIds = List("my-UserConnectionInfo-secret").map(SecretIdType(_)),
           ),
           OldResourceProperties = None,
diff --git a/src/test/scala/com/dwolla/postgres/init/SqlStringRegexSpec.scala b/src/test/scala/com/dwolla/postgres/init/SqlStringRegexSpec.scala
@@ -1,11 +1,14 @@
 package com.dwolla.postgres.init
 
+import cats.kernel.laws.discipline.SemigroupTests
 import cats.syntax.all.*
 import eu.timepit.refined.refineV
+import munit.DisciplineSuite
 import org.scalacheck.Prop.forAll
 import org.scalacheck.{Arbitrary, Gen, Shrink}
+import org.scalacheck.Arbitrary.arbitrary
 
-class SqlStringRegexSpec extends munit.ScalaCheckSuite {
+class SqlStringRegexSpec extends DisciplineSuite {
   given Shrink[String] = Shrink.shrinkAny
 
   test("strings containing semicolons don't validate") {
@@ -16,17 +19,34 @@ class SqlStringRegexSpec extends munit.ScalaCheckSuite {
     assert(refineV[GeneratedPasswordPredicate]("'").isLeft)
   }
 
-  property("sql identifiers match [A-Za-z][A-Za-z0-9_]*") {
-    given Arbitrary[String] = Arbitrary {
-      for {
+
+  {
+    given Arbitrary[SqlIdentifierTail] = Arbitrary:
+      Gen.stringOf(Gen.oneOf(Gen.alphaChar, Gen.numChar, Gen.const('_')))
+        .flatMap:
+          SqlIdentifierTail.from(_).fold(msg => throw new IllegalArgumentException(msg), Gen.const)
+
+    given Arbitrary[String] = Arbitrary:
+      for
         initial <- Gen.alphaChar
-        tail <- Gen.stringOf(Gen.oneOf(Gen.alphaChar, Gen.numChar, Gen.const('_')))
-      } yield s"$initial$tail"
-    }
+        tail <- arbitrary[SqlIdentifierTail]
+      yield s"$initial$tail"
 
-    forAll { (s: String) =>
-      assertEquals(refineV[SqlIdentifierPredicate](s).map(_.value), s.asRight)
+    given Arbitrary[SqlIdentifier] = Arbitrary:
+      arbitrary[String].flatMap:
+        SqlIdentifier.from(_).fold(msg => throw new IllegalArgumentException(msg), Gen.const)
+
+    property("sql identifiers match [A-Za-z][A-Za-z0-9_]*") {
+      forAll { (s: String) =>
+        assertEquals(refineV[SqlIdentifierPredicate](s).map(_.value), s.asRight)
+      }
     }
+
+    property("SqlIdentifierTails can be appended to SqlIdentifiers"):
+      forAll: (base: SqlIdentifier, tail: SqlIdentifierTail) =>
+        assertEquals(SqlIdentifier.from(base.value |+| tail.value), base.append(tail).asRight)
+
+    checkAll("Semigroup[SqlIdentifier]", SemigroupTests[SqlIdentifier].semigroup)
   }
 
   property("passwords contain the allowed characters") {
