feat: CRUD on /roles

Author: soedirgo

src/api/roles.ts

@@ -1,7 +1,8 @@
 import { Router } from 'express'
 
-import sql = require('../lib/sql')
-const { grants, roles } = sql
+import SQL from 'sql-template-strings'
+import sqlTemplates = require('../lib/sql')
+const { grants, roles } = sqlTemplates
 import { coalesceRowsToArray } from '../lib/helpers'
 import { RunQuery } from '../lib/connectionPool'
 import { DEFAULT_ROLES, DEFAULT_SYSTEM_SCHEMAS } from '../lib/constants'
@@ -37,13 +38,53 @@ router.get('/', async (req, res) => {
 
 router.post('/', async (req, res) => {
   try {
-    const sql = createRoleSqlize(req.body)
-    const { data } = await RunQuery(req.headers.pg, sql)
-    return res.status(200).json(data)
+    const query = createRoleSqlize(req.body)
+    await RunQuery(req.headers.pg, query)
+
+    const getRoleQuery = singleRoleByNameSqlize(roles, req.body.name)
+    const role = (await RunQuery(req.headers.pg, getRoleQuery)).data[0]
+
+    return res.status(200).json(role)
+  } catch (error) {
+    console.log('throwing error', error)
+    res.status(500).json({ error: 'Database error', status: 500 })
+  }
+})
+
+router.patch('/:id', async (req, res) => {
+  try {
+    const id = req.params.id
+    const getRoleQuery = singleRoleSqlize(roles, id)
+    const role = (await RunQuery(req.headers.pg, getRoleQuery)).data[0]
+    const { name: oldName } = role
+
+    const alterRoleArgs = req.body
+    alterRoleArgs.oldName = oldName
+    const query = alterRoleSqlize(alterRoleArgs)
+    await RunQuery(req.headers.pg, query)
+
+    const updated = (await RunQuery(req.headers.pg, getRoleQuery)).data[0]
+    return res.status(200).json(updated)
+  } catch (error) {
+    console.log('throwing error', error)
+    res.status(500).json({ error: 'Database error', status: 500 })
+  }
+})
+
+router.delete('/:id', async (req, res) => {
+  try {
+    const id = req.params.id
+    const getRoleQuery = singleRoleSqlize(roles, id)
+    const role = (await RunQuery(req.headers.pg, getRoleQuery)).data[0]
+    const { name } = role
+
+    const query = dropRoleSqlize(name)
+    await RunQuery(req.headers.pg, query)
+
+    return res.status(200).json(role)
   } catch (error) {
-    // For this one, we always want to give back the error to the customer
-    console.log('Soft error!', error)
-    res.status(200).json([{ error: error.toString() }])
+    console.log('throwing error', error)
+    res.status(500).json({ error: 'Database error', status: 500 })
   }
 })
 
@@ -103,7 +144,7 @@ const createRoleSqlize = ({
   const adminsSql = admins === undefined ? '' : `ADMIN ${admins.join(',')}`
 
   return `
-CREATE ROLE ${name}
+CREATE ROLE "${name}"
 WITH
   ${isSuperuserSql}
   ${canCreateDbSql}
@@ -119,6 +160,92 @@ WITH
   ${membersSql}
   ${adminsSql}`
 }
+const singleRoleSqlize = (roles: string, id: string) => {
+  return SQL``.append(roles).append(SQL` WHERE oid = ${id}`)
+}
+const singleRoleByNameSqlize = (roles: string, name: string) => {
+  return SQL``.append(roles).append(SQL` WHERE rolname = ${name}`)
+}
+const alterRoleSqlize = ({
+  oldName,
+  name,
+  isSuperuser,
+  canCreateDb,
+  canCreateRole,
+  inheritRole,
+  canLogin,
+  isReplicationRole,
+  canBypassRls,
+  connectionLimit,
+  password,
+  validUntil,
+}: {
+  oldName: string
+  name?: string
+  isSuperuser?: boolean
+  canCreateDb?: boolean
+  canCreateRole?: boolean
+  inheritRole?: boolean
+  canLogin?: boolean
+  isReplicationRole?: boolean
+  canBypassRls?: boolean
+  connectionLimit?: number
+  password?: string
+  validUntil?: string
+}) => {
+  const nameSql = name === undefined ? '' : `ALTER ROLE "${oldName}" RENAME TO "${name}";`
+  let isSuperuserSql = ''
+  if (isSuperuser !== undefined) {
+    isSuperuserSql = isSuperuser ? 'SUPERUSER' : 'NOSUPERUSER'
+  }
+  let canCreateDbSql = ''
+  if (canCreateDb !== undefined) {
+    canCreateDbSql = canCreateDb ? 'CREATEDB' : 'NOCREATEDB'
+  }
+  let canCreateRoleSql = ''
+  if (canCreateRole !== undefined) {
+    canCreateRoleSql = canCreateRole ? 'CREATEROLE' : 'NOCREATEROLE'
+  }
+  let inheritRoleSql = ''
+  if (inheritRole !== undefined) {
+    inheritRoleSql = inheritRole ? 'INHERIT' : 'NOINHERIT'
+  }
+  let canLoginSql = ''
+  if (canLogin !== undefined) {
+    canLoginSql = canLogin ? 'LOGIN' : 'NOLOGIN'
+  }
+  let isReplicationRoleSql = ''
+  if (isReplicationRole !== undefined) {
+    isReplicationRoleSql = isReplicationRole ? 'REPLICATION' : 'NOREPLICATION'
+  }
+  let canBypassRlsSql = ''
+  if (canBypassRls !== undefined) {
+    canBypassRlsSql = canBypassRls ? 'BYPASSRLS' : 'NOBYPASSRLS'
+  }
+  const connectionLimitSql =
+    connectionLimit === undefined ? '' : `CONNECTION LIMIT ${connectionLimit}`
+  let passwordSql = password === undefined ? '' : `PASSWORD '${password}'`
+  let validUntilSql = validUntil === undefined ? '' : `VALID UNTIL '${validUntil}'`
+
+  return `
+BEGIN;
+  ALTER ROLE "${oldName}"
+    ${isSuperuserSql}
+    ${canCreateDbSql}
+    ${canCreateRoleSql}
+    ${inheritRoleSql}
+    ${canLoginSql}
+    ${isReplicationRoleSql}
+    ${canBypassRlsSql}
+    ${connectionLimitSql}
+    ${passwordSql}
+    ${validUntilSql};
+  ${nameSql}
+COMMIT;`
+}
+const dropRoleSqlize = (name: string) => {
+  return `DROP ROLE "${name}"`
+}
 const removeSystemSchemas = (data: Roles.Role[]) => {
   return data.map((role) => {
     let grants = role.grants.filter((x) => !DEFAULT_SYSTEM_SCHEMAS.includes(x.schema))

src/lib/sql/roles.sql

@@ -1,3 +1,4 @@
+-- TODO: Consider using pg_authid vs. pg_roles for unencrypted password field
 SELECT
   rolname AS name,
   rolsuper AS is_superuser,

test/integration/index.spec.js

@@ -347,6 +347,9 @@ describe('/roles', () => {
       name: 'test',
       isSuperuser: true,
       canCreateDb: true,
+      canCreateRole: true,
+      inheritRole: false,
+      canLogin: true,
       isReplicationRole: true,
       canBypassRls: true,
       connectionLimit: 100,
@@ -356,10 +359,52 @@ describe('/roles', () => {
     const test = roles.find((role) => role.name === 'test')
     assert.equal(test.is_superuser, true)
     assert.equal(test.can_create_db, true)
+    assert.equal(test.can_create_role, true)
+    assert.equal(test.inherit_role, false)
+    assert.equal(test.can_login, true)
     assert.equal(test.is_replication_role, true)
     assert.equal(test.can_bypass_rls, true)
     assert.equal(test.connection_limit, 100)
     assert.equal(test.valid_until, '2020-01-01T00:00:00.000Z')
     await axios.post(`${URL}/query`, { query: 'DROP ROLE test;' })
   })
+  it('PATCH', async () => {
+    const { data: newRole } = await axios.post(`${URL}/roles`, { name: 'foo' })
+
+    await axios.patch(`${URL}/roles/${newRole.id}`, {
+      name: 'bar',
+      isSuperuser: true,
+      canCreateDb: true,
+      canCreateRole: true,
+      inheritRole: false,
+      canLogin: true,
+      isReplicationRole: true,
+      canBypassRls: true,
+      connectionLimit: 100,
+      validUntil: '2020-01-01T00:00:00.000Z',
+    })
+
+    const { data: roles } = await axios.get(`${URL}/roles`)
+    const updatedRole = roles.find((role) => role.id === newRole.id)
+    assert.equal(updatedRole.name, 'bar')
+    assert.equal(updatedRole.is_superuser, true)
+    assert.equal(updatedRole.can_create_db, true)
+    assert.equal(updatedRole.can_create_role, true)
+    assert.equal(updatedRole.inherit_role, false)
+    assert.equal(updatedRole.can_login, true)
+    assert.equal(updatedRole.is_replication_role, true)
+    assert.equal(updatedRole.can_bypass_rls, true)
+    assert.equal(updatedRole.connection_limit, 100)
+    assert.equal(updatedRole.valid_until, '2020-01-01T00:00:00.000Z')
+
+    await axios.delete(`${URL}/roles/${newRole.id}`)
+  })
+  it('DELETE', async () => {
+    const { data: newRole } = await axios.post(`${URL}/roles`, { name: 'foo bar' })
+
+    await axios.delete(`${URL}/roles/${newRole.id}`)
+    const { data: roles } = await axios.get(`${URL}/roles`)
+    const newRoleExists = roles.some((role) => role.id === newRole.id)
+    assert.equal(newRoleExists, false)
+  })
 })