Updated user modification operations to leverage parameterized queries

crate · Feb 6, 2024 · 03a0321 · 03a0321
1 parent 97e39c7
commit 03a0321
Show file tree

Hide file tree

Showing 3 changed files with 59 additions and 35 deletions.
diff --git a/CHANGES.rst b/CHANGES.rst
@@ -5,6 +5,9 @@ Changelog
 Unreleased
 ----------
 
+* Updated user modification operations to leverage parameterized queries and
+  ``curl``, replacing direct usage of ``crash``.
+
 2.34.1 (2024-02-06)
 -------------------
 

diff --git a/crate/operator/bootstrap.py b/crate/operator/bootstrap.py
@@ -19,6 +19,7 @@
 # with Crate these terms will supersede the license and you may use the
 # software solely pursuant to the terms of the relevant commercial agreement.
 
+import json
 import logging
 from typing import Any, Dict, List, Optional
 
@@ -76,30 +77,35 @@ async def bootstrap_system_user(
     scheme = "https" if has_ssl else "http"
     password = await get_system_user_password(core, namespace, name)
     password_quoted = QuotedString(password).getquoted().decode()
-    # Yes, we're constructing the SQL for the system user manually. But that's
-    # fine in this case, because we have full control of the formatting of
-    # the username and it's only `[a-z]+`.
-    command_create_user = [
-        "crash",
-        "--verify-ssl=false",
-        f"--host={scheme}://localhost:4200",
-        "-c",
-        f'CREATE USER "{SYSTEM_USERNAME}" WITH (password={password_quoted});',
-    ]
-    command_alter_user = [
-        "crash",
-        "--verify-ssl=false",
-        f"--host={scheme}://localhost:4200",
-        "-c",
-        f'ALTER USER "{SYSTEM_USERNAME}" SET (password={password_quoted});',
-    ]
-    command_grant = [
-        "crash",
-        "--verify-ssl=false",
-        f"--host={scheme}://localhost:4200",
-        "-c",
-        f'GRANT ALL PRIVILEGES TO "{SYSTEM_USERNAME}";',
-    ]
+
+    def get_curl_command(payload: dict) -> List[str]:
+        return [
+            "curl",
+            "-k",
+            "-X",
+            "POST",
+            f"{scheme}://localhost:4200/_sql",
+            "-H",
+            "Content-Type: application/json",
+            "-d",
+            json.dumps(payload),
+        ]
+
+    command_create_user = get_curl_command(
+        {
+            "stmt": 'CREATE USER "{}" WITH (password = $1)'.format(SYSTEM_USERNAME),
+            "args": [password_quoted],
+        }
+    )
+    command_alter_user = get_curl_command(
+        {
+            "stmt": 'ALTER USER "{}" SET (password = $1)'.format(SYSTEM_USERNAME),
+            "args": [password_quoted],
+        }
+    )
+    command_grant = get_curl_command(
+        {"stmt": 'GRANT ALL PRIVILEGES TO "{}" '.format(SYSTEM_USERNAME)}
+    )
     exception_logger = logger.exception if config.TESTING else logger.error
 
     needs_update = False
@@ -130,7 +136,7 @@ async def bootstrap_system_user(
             exception_logger("... failed. Status: %s Message: %s", e.status, e.message)
             raise _temporary_error()
         else:
-            if "CREATE OK" in result:
+            if "rowcount" in result:
                 logger.info("... success")
             elif "AlreadyExistsException" in result:
                 needs_update = True
@@ -169,7 +175,7 @@ async def bootstrap_system_user(
                 )
                 raise _temporary_error()
             else:
-                if "ALTER OK" in result:
+                if "rowcount" in result:
                     logger.info("... success")
                 else:
                     logger.info("... error. %s", result)
@@ -191,7 +197,7 @@ async def bootstrap_system_user(
             logger.exception("... failed")
             raise _temporary_error()
         else:
-            if "GRANT OK" in result:
+            if "rowcount" in result:
                 logger.info("... success")
             else:
                 logger.info("... error. %s", result)

diff --git a/crate/operator/update_user_password.py b/crate/operator/update_user_password.py
@@ -19,7 +19,9 @@
 # with Crate these terms will supersede the license and you may use the
 # software solely pursuant to the terms of the relevant commercial agreement.
 
+import json
 import logging
+from typing import List
 
 from aiohttp.client_exceptions import WSServerHandshakeError
 from kopf import TemporaryError
@@ -61,13 +63,26 @@ async def update_user_password(
     """
     scheme = "https" if has_ssl else "http"
     password_quoted = QuotedString(b64decode(new_password)).getquoted().decode()
-    command_alter_user = [
-        "crash",
-        "--verify-ssl=false",
-        f"--host={scheme}://localhost:4200",
-        "-c",
-        f'ALTER USER "{username}" SET (password={password_quoted});',
-    ]
+
+    def get_curl_command(payload: dict) -> List[str]:
+        return [
+            "curl",
+            "-k",
+            "-X",
+            "POST",
+            f"{scheme}://localhost:4200/_sql",
+            "-H",
+            "Content-Type: application/json",
+            "-d",
+            json.dumps(payload),
+        ]
+
+    command_alter_user = get_curl_command(
+        {
+            "stmt": 'ALTER USER "{}" SET (password = $1)'.format(username),
+            "args": [password_quoted],
+        }
+    )
     exception_logger = logger.exception if config.TESTING else logger.error
 
     async with WsApiClient() as ws_api_client:
@@ -84,7 +99,7 @@ async def update_user_password(
                 stdout=True,
                 tty=False,
             )
-            if "ALTER OK" in result:
+            if "rowcount" in result:
                 logger.info("... success")
             else:
                 logger.info("... error. %s", result)