~egtann/sum

9074303ad75866b855e30d86f3a7ef1a38173063 — Evan Tann a month ago 9d713f3
rename project from sf to sum
13 files changed, 51 insertions(+), 50 deletions(-)

M Makefile
M README.md
R cmd/sf/{main.go => /main.go}
R cmd/sf/{security.go => /security.go}
R cmd/sf/{security_openbsd.go => /security_openbsd.go}
M go.mod
R man/man1/{sf.1 => sum.1}
R man/man5/{sf.conf.5 => sum.conf.5}
M mysql/store.go
M parser.go
M parser_test.go
M store.go
R sf.go => sum.go
M Makefile => Makefile +10 -10
@@ 1,22 1,22 @@
BINDIR?=/usr/local/bin
MANDIR?=/usr/local/man

sf:
	go build ./cmd/sf
sum:
	go build ./cmd/sum

install: sf
install: sum
	mkdir -m755 -p $(BINDIR) $(MANDIR)/man1 $(MANDIR)/man5
	cp man/man1/sf.1      $(MANDIR)/man1/
	cp man/man5/sf.conf.5 $(MANDIR)/man5/
	mv sf /usr/local/bin/sf
	cp man/man1/sum.1      $(MANDIR)/man1/
	cp man/man5/sum.conf.5 $(MANDIR)/man5/
	mv sum /usr/local/bin/sum
.PHONY: install

clean:
	rm -f sf
	rm -f sum
.PHONY: clean

uninstall:
	rm $(BINDIR)/sf
	rm -f $(MANDIR)/man1/sf.1
	rm -f $(MANDIR)/man5/sf.conf.5
	rm -f $(BINDIR)/sum
	rm -f $(MANDIR)/man1/sum.1
	rm -f $(MANDIR)/man5/sum.conf.5
.PHONY: uninstall

M README.md => README.md +8 -7
@@ 1,9 1,10 @@
# sf
# sum

sf(1) declaratively configures user roles and permissions in SQL databases. Its
configuration is based heavily on the syntax of pf firewall in OpenBSD.
sum(1) ("SQL user manager") declaratively configures user roles and permissions
in SQL databases.  Its configuration is based heavily on the syntax of pf
firewall in OpenBSD.

sf(1) works around incredible shortcomings in MySQL user management, but it may
sum(1) works around incredible shortcomings in MySQL user management, but it may
be useful for other databases as well. Currently there's only support for MySQL
but patches for additional databases are welcome.



@@ 14,13 15,13 @@ rational for this.
## Install

```
$ git clone git@git.sr.ht:~egtann/sf && cd sf
$ git clone git@git.sr.ht:~egtann/sum && cd sum
$ make
$ sudo make install
```

After installation, check the man pages for usage information for sf(1) and
sf.conf(5).
After installation, check the man pages for usage information for sum(1) and
sum.conf(5).

## Contact


R cmd/sf/main.go => cmd/sum/main.go +5 -5
@@ 7,8 7,8 @@ import (
	"os"
	"syscall"

	"egt.run/sf"
	"egt.run/sf/mysql"
	"egt.run/sum"
	"egt.run/sum/mysql"
	"golang.org/x/crypto/ssh/terminal"
)



@@ 35,7 35,7 @@ func main() {
func run() error {
	f := parseFlags()

	// Restrict sf's view of the filesystem and its access to syscalls
	// Restrict sum's view of the filesystem and its access to syscalls
	unveil(f.file, "r")
	unveil(f.sslKey, "r")
	unveil(f.sslCert, "r")


@@ 69,7 69,7 @@ func run() error {
	}
	defer fi.Close()

	perms, err := sf.BuildPermissions(db, fi)
	perms, err := sum.BuildPermissions(db, fi)
	if err != nil {
		return fmt.Errorf("build permissions: %w", err)
	}


@@ 90,7 90,7 @@ func run() error {
func parseFlags() *flags {
	f := &flags{}
	flag.BoolVar(&f.dry, "d", false, "dry run")
	flag.StringVar(&f.file, "f", "sf.conf", "config file")
	flag.StringVar(&f.file, "f", "sum.conf", "config file")
	flag.StringVar(&f.user, "u", "root", "user")
	flag.StringVar(&f.password, "p", "", "password")
	flag.StringVar(&f.host, "H", "127.0.0.1", "host")

R cmd/sf/security.go => cmd/sum/security.go +0 -0

R cmd/sf/security_openbsd.go => cmd/sum/security_openbsd.go +2 -2
@@ 2,14 2,14 @@ package main

import "golang.org/x/sys/unix"

// pledge restricts sf to very limited syscalls.
// pledge restricts sum to very limited syscalls.
func pledge(promises, execPromises string) {
	if err := unix.Pledge(promises, execPromises); err != nil {
		panic(err)
	}
}

// unveil restricts sf to very limited (read-only) filesystem access.
// unveil restricts sum to very limited (read-only) filesystem access.
func unveil(filepath string, perm string) {
	if filepath == "" {
		return

M go.mod => go.mod +1 -1
@@ 1,4 1,4 @@
module egt.run/sf
module egt.run/sum

go 1.14


R man/man1/sf.1 => man/man1/sum.1 +5 -5
@@ 1,11 1,11 @@
.Dd $Mdocdate$
.Dt SF 1
.Dt SUM 1
.Os
.Sh NAME
.Nm sf
.Nm sum
.Nd declarative sql user management
.Sh SYNOPSIS
.Nm sf
.Nm sum
.Bk -words
.Op Fl d
.Op Fl f Ar file


@@ 19,7 19,7 @@
The
.Nm
utility applies privileges in your sql database according to
.Xr sf.conf 5 .
.Xr sum.conf 5 .
It wipes existing privileges and re-applies new ones, whitelisting and
blacklisting access to databases, tables, statements, and columns on a per-user
basis.


@@ 68,6 68,6 @@ User in the SQL database.  Must have the GRANT privilege.
.Sh EXIT STATUS
.Ex -std
.Sh SEE ALSO
.Xr sf.conf 5
.Xr sum.conf 5
.Sh AUTHORS
.An Evan Tann Aq Mt os@evantann.com

R man/man5/sf.conf.5 => man/man5/sum.conf.5 +8 -8
@@ 1,12 1,12 @@
.Dd $Mdocdate$
.Dt SF.CONF 5
.Dt SUM.CONF 5
.Os
.Sh NAME
.Nm sf.conf
.Nd sf configuration file
.Nm sum.conf
.Nd sum configuration file
.Sh DESCRIPTION
The
.Xr sf 1
.Xr sum 1
utility applies privileges in your sql database according to rules or
definitions specified in
.Nm .


@@ 41,12 41,12 @@ must be
.Ic deny Cm all .
This will ensure that the same privileges are applied on each run, allowing you
to run
.Xr sf 1
.Xr sum 1
multiple times and get the same behavior on each run.  This requirement is
enforced by
.Xr sf 1 .
.Xr sum 1 .
.Sh RULES
.Xr sf 1
.Xr sum 1
has the ability to
.Ic deny
and


@@ 137,4 137,4 @@ tables.  The user _dashboard will have privileges to run select, insert,
update, and delete throughout the database.  We use \e to extend our rule onto
the next line.
.Sh SEE ALSO
.Xr sf 1
.Xr sum 1

M mysql/store.go => mysql/store.go +8 -8
@@ 10,12 10,12 @@ import (
	"os"
	"strings"

	"egt.run/sf"
	"egt.run/sum"
	"github.com/go-sql-driver/mysql"
	"github.com/jmoiron/sqlx"
)

var _ sf.Store = &DB{}
var _ sum.Store = &DB{}

type DB struct {
	connURL   string


@@ 120,7 120,7 @@ func (db *DB) Statements() []string {
	}
}

func (db *DB) GetSchema() (*sf.Schema, error) {
func (db *DB) GetSchema() (*sum.Schema, error) {
	var data []struct {
		Database string `db:"table_schema"`
		Table    string `db:"table_name"`


@@ 131,13 131,13 @@ func (db *DB) GetSchema() (*sf.Schema, error) {
	if err := db.Select(&data, q); err != nil {
		return nil, fmt.Errorf("select columns: %w", err)
	}
	schema := &sf.Schema{Databases: map[string]sf.Database{}}
	schema := &sum.Schema{Databases: map[string]sum.Database{}}
	for _, d := range data {
		if _, ok := schema.Databases[d.Database]; !ok {
			schema.Databases[d.Database] = sf.Database{}
			schema.Databases[d.Database] = sum.Database{}
		}
		if _, ok := schema.Databases[d.Database][d.Table]; !ok {
			schema.Databases[d.Database][d.Table] = sf.Table{}
			schema.Databases[d.Database][d.Table] = sum.Table{}
		}
		schema.Databases[d.Database][d.Table][d.Column] = struct{}{}
	}


@@ 162,7 162,7 @@ func (db *DB) GetSchema() (*sf.Schema, error) {
}

// Apply permissions for all users.
func (db *DB) Apply(userPerms map[string]*sf.Permissions) (err error) {
func (db *DB) Apply(userPerms map[string]*sum.Permissions) (err error) {
	var tx *sqlx.Tx
	tx, err = db.BeginTxx(context.Background(), nil)
	if err != nil {


@@ 221,7 221,7 @@ func (db *DB) Apply(userPerms map[string]*sf.Permissions) (err error) {

// applyUser permissions by directly editing priv tables so we can manually
// trigger flushing privileges.
func applyUser(tx *sqlx.Tx, user, host string, p *sf.Permissions) error {
func applyUser(tx *sqlx.Tx, user, host string, p *sum.Permissions) error {
	var pq *sqlUserPerms
	if p.Deny {
		pq = newSQLUserPerms("N")

M parser.go => parser.go +1 -1
@@ 1,4 1,4 @@
package sf
package sum

import (
	"bufio"

M parser_test.go => parser_test.go +1 -1
@@ 1,4 1,4 @@
package sf
package sum

import (
	"encoding/json"

M store.go => store.go +1 -1
@@ 1,4 1,4 @@
package sf
package sum

// Schema maps names to databases.
type Schema struct {

R sf.go => sum.go +1 -1
@@ 1,4 1,4 @@
package sf
package sum

import (
	"fmt"