cyrilgdn · cyrilgdn · Oct 24, 2024 · Aug 26, 2023 · Aug 27, 2023 · Aug 27, 2023
diff --git a/postgresql/helpers.go b/postgresql/helpers.go
@@ -267,6 +267,34 @@ func validatePrivileges(d *schema.ResourceData) error {
 	return nil
 }
 
+func arePrivilegesEqual(granted *schema.Set, wanted *schema.Set, d *schema.ResourceData) bool {
+	objectType := d.Get("object_type").(string)
+
+	if granted.Equal(wanted) {
+		return true
+	}
+
+	if !wanted.Contains("ALL") {
+		return false
+	}
+
+	// implicit check: e.g. for object_type schema -> ALL == ["CREATE", "USAGE"]
+	log.Printf("The wanted privilege is 'ALL'. therefore, we will check if the current privileges are ALL implicitely")
+	implicits := make([]string, 0)
+	for _, p := range allowedPrivileges[objectType] {
+		if p != "ALL" {
+			implicits = append(implicits, p)
+		}
+	}
+
+	s := make([]interface{}, len(implicits))
+	for i, privilege := range implicits {
+		s[i] = privilege
+	}
+	wantedSet := schema.NewSet(schema.HashString, s)
+	return granted.Equal(wantedSet)
+}
+
 func pgArrayToSet(arr pq.ByteaArray) *schema.Set {
 	s := make([]interface{}, len(arr))
 	for i, v := range arr {

diff --git a/postgresql/helpers_test.go b/postgresql/helpers_test.go
@@ -1,6 +1,7 @@
 package postgresql
 
 import (
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
 	"testing"
 
 	"github.com/stretchr/testify/assert"
@@ -17,3 +18,74 @@ func TestFindStringSubmatchMap(t *testing.T) {
 		},
 	)
 }
+
+func TestArePrivilegesEqual(t *testing.T) {
+
+	type PrivilegesTestObject struct {
+		d         *schema.ResourceData
+		granted   *schema.Set
+		wanted    *schema.Set
+		assertion bool
+	}
+
+	tt := []PrivilegesTestObject{
+		{
+			buildResourceData("database", t),
+			buildPrivilegesSet("CONNECT", "CREATE", "TEMPORARY"),
+			all(),
+			true,
+		},
+		{
+			buildResourceData("database", t),
+			buildPrivilegesSet("CREATE", "USAGE"),
+			buildPrivilegesSet("USAGE"),
+			false,
+		},
+		{
+			buildResourceData("table", t),
+			buildPrivilegesSet("SELECT", "INSERT", "UPDATE", "DELETE", "TRUNCATE", "REFERENCES", "TRIGGER"),
+			all(),
+			true,
+		},
+		{
+			buildResourceData("table", t),
+			buildPrivilegesSet("SELECT"),
+			buildPrivilegesSet("SELECT, INSERT"),
+			false,
+		},
+		{
+			buildResourceData("schema", t),
+			buildPrivilegesSet("CREATE", "USAGE"),
+			all(),
+			true,
+		},
+		{
+			buildResourceData("schema", t),
+			buildPrivilegesSet("CREATE"),
+			all(),
+			false,
+		},
+	}
+
+	for _, configuration := range tt {
+		equal := arePrivilegesEqual(configuration.granted, configuration.wanted, configuration.d)
+		assert.Equal(t, configuration.assertion, equal)
+	}
+}
+
+func buildPrivilegesSet(grants ...interface{}) *schema.Set {
+	return schema.NewSet(schema.HashString, grants)
+}
+
+func all() *schema.Set {
+	return buildPrivilegesSet("ALL")
+}
+
+func buildResourceData(objectType string, t *testing.T) *schema.ResourceData {
+	var testSchema = map[string]*schema.Schema{
+		"object_type": {Type: schema.TypeString},
+	}
+	m := make(map[string]interface{})
+	m["object_type"] = objectType
+	return schema.TestResourceDataRaw(t, testSchema, m)
+}
diff --git a/postgresql/resource_postgresql_default_privileges.go b/postgresql/resource_postgresql_default_privileges.go
@@ -268,8 +268,12 @@ func readRoleDefaultPrivileges(txn *sql.Tx, d *schema.ResourceData) error {
 	}
 
 	privilegesSet := pgArrayToSet(privileges)
-	d.Set("privileges", privilegesSet)
-	d.SetId(generateDefaultPrivilegesID(d))
+	privilegesEqual := arePrivilegesEqual(privilegesSet, d.Get("privileges").(*schema.Set), d)
+
+	if !privilegesEqual {
+		d.Set("privileges", privilegesSet)
+		d.SetId(generateDefaultPrivilegesID(d))
+	}
 
 	return nil
 }

diff --git a/postgresql/resource_postgresql_grant.go b/postgresql/resource_postgresql_grant.go
@@ -108,7 +108,9 @@ func resourcePostgreSQLGrantRead(db *DBConnection, d *schema.ResourceData) error
 	if err := validateFeatureSupport(db, d); err != nil {
 		return fmt.Errorf("feature is not supported: %v", err)
 	}
-
+	if true {
+		//return fmt.Errorf("hello world! %v", "you")
+	}
 	exists, err := checkRoleDBSchemaExists(db.client, d)
 	if err != nil {
 		return err
@@ -269,8 +271,12 @@ WHERE grantee = $2
 	if err := txn.QueryRow(query, dbName, roleOID).Scan(&privileges); err != nil {
 		return fmt.Errorf("could not read privileges for database %s: %w", dbName, err)
 	}
-
-	d.Set("privileges", pgArrayToSet(privileges))
+	granted := pgArrayToSet(privileges)
+	wanted := d.Get("privileges").(*schema.Set)
+	equal := arePrivilegesEqual(granted, wanted, d)
+	if !equal {
+		return d.Set("privileges", wanted)
-		return d.Set("privileges", wanted)
+		return d.Set("privileges", granted)
-		return d.Set("privileges", wanted)
+		return d.Set("privileges", granted)
+	}
 	return nil
 }
 
@@ -289,7 +295,12 @@ WHERE grantee = $2
 		return fmt.Errorf("could not read privileges for schema %s: %w", dbName, err)
 	}
 
-	d.Set("privileges", pgArrayToSet(privileges))
+	granted := pgArrayToSet(privileges)
+	wanted := d.Get("privileges").(*schema.Set)
+	equal := arePrivilegesEqual(granted, wanted, d)
+	if !equal {
+		return d.Set("privileges", wanted)
+	}
 	return nil
 }
 
@@ -309,7 +320,12 @@ WHERE grantee = $2
 		return fmt.Errorf("could not read privileges for foreign data wrapper %s: %w", fdwName, err)
 	}
 
-	d.Set("privileges", pgArrayToSet(privileges))
+	granted := pgArrayToSet(privileges)
+	wanted := d.Get("privileges").(*schema.Set)
+	equal := arePrivilegesEqual(granted, wanted, d)
+	if !equal {
+		return d.Set("privileges", wanted)
+	}
 	return nil
 }
 
@@ -329,7 +345,12 @@ WHERE grantee = $2
 		return fmt.Errorf("could not read privileges for foreign server %s: %w", srvName, err)
 	}
 
-	d.Set("privileges", pgArrayToSet(privileges))
+	granted := pgArrayToSet(privileges)
+	wanted := d.Get("privileges").(*schema.Set)
+	equal := arePrivilegesEqual(granted, wanted, d)
+	if !equal {
+		return d.Set("privileges", wanted)
+	}
 	return nil
 }
 
@@ -415,6 +436,9 @@ func readRolePrivileges(txn *sql.Tx, d *schema.ResourceData) error {
 	role := d.Get("role").(string)
 	objectType := d.Get("object_type").(string)
 	objects := d.Get("objects").(*schema.Set)
+	for _, entry := range objects.List() {
+		log.Printf("this is a entry: %v", entry)
+	}
 
 	roleOID, err := getRoleOID(txn, role)
 	if err != nil {
@@ -502,8 +526,8 @@ GROUP BY pg_class.relname
 		}
 
 		privilegesSet := pgArrayToSet(privileges)
-
-		if !privilegesSet.Equal(d.Get("privileges").(*schema.Set)) {
+		privilegesEqual := arePrivilegesEqual(privilegesSet, d.Get("privileges").(*schema.Set), d)
+		if !privilegesEqual {
 			// If any object doesn't have the same privileges as saved in the state,
 			// we return its privileges to force an update.
 			log.Printf(