[mailman] Fixes for post-update script

Another bunch of fixes for post-update.sh script. * Migrate pg-give-rights.py to python3 * Add settings_test.py to staging as well Signed-off-by: Michal Konecny <mkonecny@redhat.com>
2024-03-15 13:00:05 +01:00 · 2024-03-15 13:00:05 +01:00 · aa56a6bb45
commit aa56a6bb45
parent ad315c5536
2 changed files with 91 additions and 1 deletions
--- a/roles/mailman/files/mailman3_pg-give-rights.py
+++ b/roles/mailman/files/mailman3_pg-give-rights.py
@ -0,0 +1,85 @@
+#!/usr/bin/env python3
+# vim: et ts=4 sw=4 fileencoding=utf-8
+
+"""
+Give non-admin rights to the database app user.
+"""
+
+CONFFILE = "/etc/mailman-migration.conf"
+
+
+import site
+import yaml
+import psycopg2
+
+
+def give_rights(dbhost, dbuser, dbpasswd, dbname, dbreguser=None):
+    if dbreguser is None:
+        dbreguser = dbname + "app"
+    conn = psycopg2.connect(host=dbhost, user=dbuser, password=dbpasswd,
+                            database=dbname)
+    cur = conn.cursor()
+    # Database permissions
+    dbrightsquery = "GRANT CONNECT,TEMP ON DATABASE %s TO %s;" % (dbname, dbreguser)
+    print(dbrightsquery)
+    cur.execute(dbrightsquery)
+    # Table permissions
+    cur.execute("""
+        SELECT 'GRANT SELECT,INSERT,UPDATE,DELETE,TRUNCATE ON "' || relname || '" TO %s;'
+        FROM pg_class
+        JOIN pg_namespace ON pg_namespace.oid = pg_class.relnamespace
+        WHERE nspname = 'public' AND relkind IN ('r', 'v');
+    """ % dbreguser)
+    queries = [q[0] for q in cur]
+    for query in queries:
+        print(query)
+        cur.execute(query)
+    # Sequence permissions
+    cur.execute("""
+        SELECT 'GRANT USAGE,SELECT,UPDATE ON ' || relname || ' TO %s;'
+        FROM pg_class
+        JOIN pg_namespace ON pg_namespace.oid = pg_class.relnamespace
+        WHERE nspname = 'public' AND relkind = 'S';
+    """ % dbreguser)
+    queries = [q[0] for q in cur]
+    for query in queries:
+        print(query)
+        cur.execute(query)
+    conn.commit()
+    cur.close()
+    conn.close()
+
+
+def main():
+    with open(CONFFILE) as conffile:
+        conf = yaml.safe_load(conffile)
+    site.addsitedir(conf["confdir"])
+    import settings_admin
+
+    ## KittyStore
+    #dbspec = re.match("""
+    #    postgresql://
+    #    (?P<user>[a-z]+)
+    #    :
+    #    (?P<password>[^@]+)
+    #    @
+    #    (?P<host>[^/]+)
+    #    /
+    #    (?P<database>[^/?]+)
+    #    """, settings_admin.KITTYSTORE_URL, re.X)
+    #give_rights(dbspec.group("host"),
+    #            dbspec.group("user"),
+    #            dbspec.group("password"),
+    #            dbspec.group("database")
+    #            )
+
+    # HyperKitty
+    give_rights(
+        settings_admin.DATABASES["default"]["HOST"],
+        settings_admin.DATABASES["default"]["USER"],
+        settings_admin.DATABASES["default"]["PASSWORD"],
+        settings_admin.DATABASES["default"]["NAME"],
+    )
+
+
+if __name__ == "__main__": main()
--- a/roles/mailman/tasks/main.yml
+++ b/roles/mailman/tasks/main.yml
@ -357,7 +357,6 @@
  tags:
  - config
  - mailman
-  when: env == 'production'

 - name: install the fedora-specific modules
  copy: src={{ item }}.py
@ -568,6 +567,12 @@
  tags: mailman
  when: env == 'staging'

+- name: install the updated pg-give-rights script
+  copy: src=mailman3_pg-give-rights.py dest="{{ mailman_webui_basedir }}/bin/pg-give-rights.py"
+        owner=root group=root mode=0755
+  tags: mailman
+  when: env == 'staging'
+
 - name: install the templatized scripts
  template: src={{ item }}.j2 dest="{{ mailman_webui_basedir }}/bin/{{ item }}"
            owner=root group=root mode=0755