public static function has_permission($node_object, $node_permission)
{
$permission_operations = pgsql8_permission::get_permission_operations($node_permission);
// for each of the rights the node_permission provides
foreach ($permission_operations as $permission_operation) {
// look at each of the permissions on the node_object and see if the right is given
foreach (dbx::get_permissions($node_object) as $node_object_permission) {
if (strcasecmp($node_object_permission->getName(), $node_permission->getName()) == 0) {
if (strcasecmp($node_object_permission['role'], $node_permission['role']) == 0) {
// if this node_object_permission of node_object provides the right
// the permission is confirmed provided in the object already
if (in_array($permission_operation, pgsql8_permission::get_permission_operations($node_object_permission))) {
// so move on to the next permission_operation
continue 2;
}
}
}
}
// if we get here if the right is not found in the in_array comparison for the object
dbsteward::warning("permission_operation " . $permission_operation . " not found in " . $node_object['name'] . " permissions for " . $node_permission['role']);
return false;
}
// if we get here then all rights were found to be provided in the object already
// so the answer to has_permission? is yes
return true;
}
public static function build_schema($db_doc, $ofs, $table_depends)
{
// schema creation
foreach ($db_doc->schema as $schema) {
$ofs->write(pgsql8_schema::get_creation_sql($schema));
// schema grants
if (isset($schema->grant)) {
foreach ($schema->grant as $grant) {
$ofs->write(pgsql8_permission::get_sql($db_doc, $schema, $schema, $grant) . "\n");
}
}
}
// types: enumerated list, etc
foreach ($db_doc->schema as $schema) {
foreach ($schema->type as $type) {
$ofs->write(pgsql8_type::get_creation_sql($schema, $type) . "\n");
}
}
// table structure creation
foreach ($db_doc->schema as $schema) {
// create defined tables
pgsql8_table::$include_column_default_nextval_in_create_sql = FALSE;
foreach ($schema->table as $table) {
// table definition
$ofs->write(pgsql8_table::get_creation_sql($schema, $table) . "\n");
// table indexes
pgsql8_diff_indexes::diff_indexes_table($ofs, NULL, NULL, $schema, $table);
// table grants
if (isset($table->grant)) {
foreach ($table->grant as $grant) {
$ofs->write(pgsql8_permission::get_sql($db_doc, $schema, $table, $grant) . "\n");
}
}
$ofs->write("\n");
}
pgsql8_table::$include_column_default_nextval_in_create_sql = TRUE;
// sequences contained in the schema
if (isset($schema->sequence)) {
foreach ($schema->sequence as $sequence) {
$ofs->write(pgsql8_sequence::get_creation_sql($schema, $sequence));
// sequence permission grants
if (isset($sequence->grant)) {
foreach ($sequence->grant as $grant) {
$ofs->write(pgsql8_permission::get_sql($db_doc, $schema, $sequence, $grant) . "\n");
}
}
}
}
// add table nextvals that were omitted
foreach ($schema->table as $table) {
if (pgsql8_table::has_default_nextval($table)) {
$ofs->write(pgsql8_table::get_default_nextval_sql($schema, $table) . "\n");
}
}
}
$ofs->write("\n");
// function definitions
foreach ($db_doc->schema as $schema) {
foreach ($schema->function as $function) {
if (pgsql8_function::has_definition($function)) {
$ofs->write(pgsql8_function::get_creation_sql($schema, $function));
// when pg:build_schema() is doing its thing for straight builds, include function permissions
// they are not included in pg_function::get_creation_sql()
foreach (dbx::get_permissions($function) as $function_permission) {
$ofs->write(pgsql8_permission::get_sql($db_doc, $schema, $function, $function_permission) . "\n");
}
}
}
}
$ofs->write("\n");
// maybe move this but here we're defining column defaults fo realz
foreach ($db_doc->schema as $schema) {
foreach ($schema->table as $table) {
$ofs->write(pgsql8_table::define_table_column_defaults($schema, $table));
}
}
// define table primary keys before foreign keys so unique requirements are always met for FOREIGN KEY constraints
foreach ($db_doc->schema as $schema) {
foreach ($schema->table as $table) {
pgsql8_diff_tables::diff_constraints_table($ofs, NULL, NULL, $schema, $table, 'primaryKey', FALSE);
}
}
$ofs->write("\n");
// foreign key references
// use the dependency order to specify foreign keys in an order that will satisfy nested foreign keys and etc
for ($i = 0; $i < count($table_depends); $i++) {
$schema = $table_depends[$i]['schema'];
$table = $table_depends[$i]['table'];
if ($table['name'] === dbsteward::TABLE_DEPENDENCY_IGNORABLE_NAME) {
// don't do anything with this table, it is a magic internal DBSteward value
continue;
}
pgsql8_diff_tables::diff_constraints_table($ofs, NULL, NULL, $schema, $table, 'constraint', FALSE);
}
$ofs->write("\n");
// trigger definitions
foreach ($db_doc->schema as $schema) {
foreach ($schema->trigger as $trigger) {
// only do triggers set to the current sql format
if (strcasecmp($trigger['sqlFormat'], dbsteward::get_sql_format()) == 0) {
$ofs->write(pgsql8_trigger::get_creation_sql($schema, $trigger));
}
}
}
$ofs->write("\n");
pgsql8_diff_views::create_views_ordered($ofs, null, $db_doc);
// view permission grants
foreach ($db_doc->schema as $schema) {
foreach ($schema->view as $view) {
if (isset($view->grant)) {
foreach ($view->grant as $grant) {
$ofs->write(pgsql8_permission::get_sql($db_doc, $schema, $view, $grant) . "\n");
}
}
}
}
$ofs->write("\n");
// use pgdiff to add any configurationParameters that are defined
pgsql8_diff::update_database_config_parameters($ofs, null, $db_doc);
}
protected static function update_permissions($ofs1, $ofs3)
{
foreach (dbx::get_schemas(dbsteward::$new_database) as $new_schema) {
pgsql8::set_context_replica_set_id($new_schema);
$old_schema = dbx::get_schema(dbsteward::$old_database, $new_schema['name']);
foreach (dbx::get_permissions($new_schema) as $new_permission) {
if ($old_schema == null || !pgsql8_permission::has_permission($old_schema, $new_permission)) {
$ofs1->write(pgsql8_permission::get_sql(dbsteward::$new_database, $new_schema, $new_schema, $new_permission) . "\n");
}
}
foreach (dbx::get_tables($new_schema) as $new_table) {
pgsql8::set_context_replica_set_id($new_table);
$old_table = null;
if ($old_schema != null) {
$old_table = dbx::get_table($old_schema, $new_table['name']);
}
if (!dbsteward::$ignore_oldnames && pgsql8_diff_tables::is_renamed_table($new_schema, $new_table)) {
// oldTableName renamed table ? skip permission diffing on it, it is the same
continue;
}
foreach (dbx::get_permissions($new_table) as $new_permission) {
if ($old_table == null || !pgsql8_permission::has_permission($old_table, $new_permission)) {
$ofs1->write(pgsql8_permission::get_sql(dbsteward::$new_database, $new_schema, $new_table, $new_permission) . "\n");
}
}
}
foreach (dbx::get_sequences($new_schema) as $new_sequence) {
$old_sequence = null;
if ($old_schema != null) {
$old_sequence = dbx::get_sequence($old_schema, $new_sequence['name']);
}
foreach (dbx::get_permissions($new_sequence) as $new_permission) {
if ($old_sequence == null || !pgsql8_permission::has_permission($old_sequence, $new_permission)) {
$ofs1->write(pgsql8_permission::get_sql(dbsteward::$new_database, $new_schema, $new_sequence, $new_permission) . "\n");
}
}
}
foreach (dbx::get_functions($new_schema) as $new_function) {
$old_function = null;
if ($old_schema != null) {
$old_function = dbx::get_function($old_schema, $new_function['name'], pgsql8_function::get_declaration($new_schema, $new_function));
}
foreach (dbx::get_permissions($new_function) as $new_permission) {
if ($old_function == null || !pgsql8_permission::has_permission($old_function, $new_permission)) {
$ofs1->write(pgsql8_permission::get_sql(dbsteward::$new_database, $new_schema, $new_function, $new_permission) . "\n");
}
}
}
foreach (dbx::get_views($new_schema) as $new_view) {
$old_view = NULL;
if ($old_schema != NULL) {
$old_view = dbx::get_view($old_schema, $new_view['name']);
}
foreach (dbx::get_permissions($new_view) as $new_permission) {
// if always_recreate_views flag is on, always grant all view permissions, as the view was recreated
if (dbsteward::$always_recreate_views || $old_view == NULL || !pgsql8_permission::has_permission($old_view, $new_permission) || pgsql8_diff_views::is_view_modified($old_view, $new_view)) {
// view permissions are in schema stage 3 file because views are (re)created in that stage for SELECT * expansion
$ofs3->write(pgsql8_permission::get_sql(dbsteward::$new_database, $new_schema, $new_view, $new_permission) . "\n");
}
}
}
}
}
/**
* Outputs commands for addition, removal and modifications of
* table columns.
*
* @param $ofs1 stage1 output file segmenter
* @param $ofs3 stage3 output file segmenter
* @param $old_table original table
* @param $new_table new table
*/
private static function update_table_columns($ofs1, $ofs3, $old_table, $new_schema, $new_table)
{
$commands = array();
$drop_defaults_columns = array();
self::add_drop_table_columns($commands, $old_table, $new_table);
self::add_create_table_columns($commands, $old_table, $new_schema, $new_table, $drop_defaults_columns);
self::add_modify_table_columns($commands, $old_table, $new_schema, $new_table, $drop_defaults_columns);
if (count($commands) > 0) {
// do 'pre' 'entire' statements before aggregate table alterations
for ($i = 0; $i < count($commands); $i++) {
if ($commands[$i]['stage'] == 'BEFORE1') {
$ofs1->write($commands[$i]['command'] . "\n");
} else {
if ($commands[$i]['stage'] == 'BEFORE3') {
$ofs3->write($commands[$i]['command'] . "\n");
}
}
}
$quotedTableName = pgsql8::get_quoted_schema_name($new_schema['name']) . '.' . pgsql8::get_quoted_table_name($new_table['name']);
$stage1_sql = '';
$stage3_sql = '';
for ($i = 0; $i < count($commands); $i++) {
if (!isset($commands[$i]['stage']) || !isset($commands[$i]['command'])) {
var_dump($commands[$i]);
throw new exception("bad command format");
}
if ($commands[$i]['stage'] == '1') {
// we have a stage 1 alteration to make
// do the alter table prefix if we haven't yet
if (strlen($stage1_sql) == 0) {
$stage1_sql = "ALTER TABLE " . $quotedTableName . "\n";
}
$stage1_sql .= $commands[$i]['command'] . " ,\n";
} else {
if ($commands[$i]['stage'] == '3') {
// we have a stage 3 alteration to make
// do the alter table prefix if we haven't yet
if (strlen($stage3_sql) == 0) {
$stage3_sql = "ALTER TABLE " . $quotedTableName . "\n";
}
$stage3_sql .= $commands[$i]['command'] . " ,\n";
}
}
}
if (strlen($stage1_sql) > 0) {
// slony will make the alter table statement changes as its super user
// which if the db owner is different,
// implicit sequence creation will fail with:
// ERROR: 55000: sequence must have same owner as table it is linked to
// so if the alter statement contains a new serial column,
// change the user to the slony user for the alter, then (see similar block below)
if (isset($new_table['slonyId']) && strlen($new_table['slonyId']) > 0 && stripos($stage1_sql, 'serial') !== false) {
// if replication user is defined, check if ownership switch is needed
if (strlen(dbsteward::$new_database->database->role->replication) > 0) {
if (strcasecmp(dbsteward::$new_database->database->role->owner, dbsteward::$new_database->database->role->replication) != 0) {
$alter = "ALTER TABLE " . $quotedTableName . " OWNER TO " . dbsteward::$new_database->database->role->replication . "; -- dbsteward: postgresql needs to be appeased by making the owner the user we are executing as when pushing DDL through slony\n";
$ofs1->write($alter);
}
}
}
$stage1_sql = substr($stage1_sql, 0, -3) . ";\n";
$ofs1->write($stage1_sql);
// replicated table? put ownership back (see full exp above)
if (isset($new_table['slonyId']) && strlen($new_table['slonyId']) > 0 && stripos($stage1_sql, 'serial') !== false) {
// if replication user is defined, check ownership switchback
if (strlen(dbsteward::$new_database->database->role->replication) > 0) {
if (strcasecmp(dbsteward::$new_database->database->role->owner, dbsteward::$new_database->database->role->replication) != 0) {
$alter = "ALTER TABLE " . $quotedTableName . " OWNER TO " . dbsteward::$new_database->database->role->owner . "; -- dbsteward: postgresql has been appeased (see above)\n";
$ofs1->write($alter);
}
}
// we are here because a serial column was added, the application will need permissions on the sequence
foreach (dbx::get_permissions($new_table) as $sa_permission) {
// re-grant all permissions, because permssions run through pgsql8_permission::get_sql()
// will do implicit serial column permissions to match table permissions
$ofs1->write(pgsql8_permission::get_sql(dbsteward::$new_database, $new_schema, $new_table, $sa_permission) . "\n");
}
}
}
if (strlen($stage3_sql) > 0) {
$stage3_sql = substr($stage3_sql, 0, -3) . ";\n";
$ofs3->write($stage3_sql);
}
if (count($drop_defaults_columns) > 0) {
$ofs1->write("\n");
$ofs1->write("ALTER TABLE " . $quotedTableName . "\n");
for ($i = 0; $i < count($drop_defaults_columns); $i++) {
$ofs1->write("\tALTER COLUMN " . pgsql8::get_quoted_column_name($drop_defaults_columns[$i]['name']) . " DROP DEFAULT");
if ($i < count($drop_defaults_columns) - 1) {
$ofs1->write(",\n");
} else {
$ofs1->write(";\n");
}
}
}
// do 'post' 'entire' statements immediately following aggregate table alterations
for ($i = 0; $i < count($commands); $i++) {
if ($commands[$i]['stage'] == 'BEFORE1') {
// already taken care of in earlier entire command output loop
} else {
if ($commands[$i]['stage'] == 'BEFORE3') {
// already taken care of in earlier entire command output loop
} else {
if ($commands[$i]['stage'] == '1') {
// already taken care of in earlier command aggregate loop
} else {
if ($commands[$i]['stage'] == '3') {
// already taken care of in earlier command aggregate loop
} else {
if ($commands[$i]['stage'] == 'AFTER1') {
$ofs1->write($commands[$i]['command'] . "\n");
} else {
if ($commands[$i]['stage'] == 'AFTER3') {
$ofs3->write($commands[$i]['command'] . "\n");
} else {
throw new exception("Unknown stage " . $commands[$i]['stage'] . " during table " . $quotedTableName . " updates");
}
}
}
}
}
}
}
}
}
public static function get_sql($db_doc, $node_schema, $node_object, $node_permission)
{
format::set_context_replica_set_id($node_object);
$perms = pgsql8_permission::get_permission_operations($node_permission);
$roles = preg_split(dbsteward::PATTERN_SPLIT_ROLE, $node_permission['role'], -1, PREG_SPLIT_NO_EMPTY);
$object_type = strtoupper($node_object->getName());
switch ($object_type) {
case 'SCHEMA':
$object_name = pgsql8::get_quoted_schema_name($node_schema['name']);
break;
case 'SEQUENCE':
case 'TABLE':
case 'VIEW':
$object_name = pgsql8::get_quoted_schema_name($node_schema['name']) . '.' . pgsql8::get_quoted_table_name($node_object['name']);
break;
case 'FUNCTION':
$object_name = pgsql8_function::get_declaration($node_schema, $node_object);
break;
default:
throw new exception("unknown object type encountered: " . $object_type);
}
$sql = '';
for ($j = 0; $j < count($roles); $j++) {
$with = '';
if (isset($node_permission['with']) && strlen($node_permission['with']) > 0) {
$with = "WITH " . $node_permission['with'] . " OPTION";
}
if (strcasecmp($object_type, 'VIEW') == 0) {
// postgresql doesn't want you to name the view keyword when you grant rights to views
$pg_object_type = '';
} else {
$pg_object_type = $object_type;
}
if (strlen($sql) > 0) {
$sql .= "\n";
}
$sql .= self::compile_sql_statement(strtoupper($node_permission->getName()), implode(', ', $perms), $pg_object_type, $object_name, xml_parser::role_enum($db_doc, $roles[$j]), $with);
// SCHEMA IMPLICIT GRANTS
if (strcasecmp($object_type, 'SCHEMA') == 0) {
// READYONLY USER PROVISION: grant usage on the schema for the readonly user
if (strlen($db_doc->database->role->readonly) > 0) {
if (strlen($sql) > 0) {
$sql .= "\n";
}
$sql .= self::compile_sql_statement('GRANT', 'USAGE', 'SCHEMA', pgsql8::get_quoted_schema_name($node_schema['name']), $db_doc->database->role->readonly);
}
}
// SEQUENCE IMPLICIT GRANTS
if (strcasecmp($object_type, 'SEQUENCE') == 0) {
// READYONLY USER PROVISION: generate a SELECT on the sequence for the readonly user
if (strlen($db_doc->database->role->readonly) > 0) {
if (strlen($sql) > 0) {
$sql .= "\n";
}
$sql .= self::compile_sql_statement('GRANT', 'SELECT', 'SEQUENCE', pgsql8::get_quoted_schema_name($node_schema['name']) . '.' . pgsql8::get_quoted_table_name($node_object['name']), $db_doc->database->role->readonly);
}
}
// TABLE IMPLICIT GRANTS
if (strcasecmp($object_type, 'TABLE') == 0) {
// READYONLY USER PROVISION: grant select on the table for the readonly user
if (strlen($db_doc->database->role->readonly) > 0) {
if (strlen($sql) > 0) {
$sql .= "\n";
}
$sql .= self::compile_sql_statement('GRANT', 'SELECT', 'TABLE', pgsql8::get_quoted_schema_name($node_schema['name']) . '.' . pgsql8::get_quoted_table_name($node_object['name']), $db_doc->database->role->readonly);
}
// don't need to grant cascaded serial permissions to the table owner
if (strcasecmp('ROLE_OWNER', $roles[$j]) == 0) {
continue;
}
// set serial columns permissions based on table permissions
foreach ($node_object->column as $column) {
if (preg_match(pgsql8::PATTERN_TABLE_LINKED_TYPES, $column['type']) > 0) {
$col_sequence = pgsql8::identifier_name($node_schema['name'], $node_object['name'], $column['name'], '_seq');
$seq_priv = array();
// if you can SELECT, INSERT or UPDATE the table, you can SELECT on the sequence
if (in_array('SELECT', $perms) || in_array('INSERT', $perms) || in_array('UPDATE', $perms)) {
$seq_priv[] = 'SELECT';
}
// if you can INSERT or UPDATE the table, you can UPDATE the sequence
if (in_array('INSERT', $perms) || in_array('UPDATE', $perms)) {
$seq_priv[] = 'UPDATE';
}
// if you only have USAGE or SELECT
// then seq_priv is empty, and no grant should be issued
if (count($seq_priv) > 0) {
$with = '';
if (isset($node_permission['with']) && strlen($node_permission['with']) > 0) {
$with = "WITH " . $node_permission['with'] . " OPTION";
}
if (strlen($sql) > 0) {
$sql .= "\n";
}
$sql .= self::compile_sql_statement('GRANT', implode(',', $seq_priv), 'SEQUENCE', pgsql8::get_quoted_schema_name($node_schema['name']) . '.' . pgsql8::get_quoted_table_name($col_sequence), xml_parser::role_enum($db_doc, $roles[$j]), $with);
}
// READYONLY USER PROVISION: grant implicit select on the sequence for the readonly user
if (strlen($db_doc->database->role->readonly) > 0) {
if (strlen($sql) > 0) {
$sql .= "\n";
}
$sql .= self::compile_sql_statement('GRANT', 'SELECT', 'SEQUENCE', pgsql8::get_quoted_schema_name($node_schema['name']) . '.' . pgsql8::get_quoted_table_name($col_sequence), $db_doc->database->role->readonly);
}
}
}
}
}
return $sql;
}