wip

larsw · Apr 22, 2024 · d6e3c70 · d6e3c70
1 parent 53eacad
commit d6e3c70
Show file tree

Hide file tree

Showing 6 changed files with 110 additions and 14 deletions.
diff --git a/.dockerignore b/.dockerignore
@@ -0,0 +1,12 @@
+.idea/
+.github/
+.git/
+docker-build-system/
+.cargo/
+LICENSE*
+README.md
+target/debug/
+target/artifacts/
+target/package/
+target/pgrx-test-data-15/
+target/CACHEDIR.TAG
diff --git a/10_postgis.sh b/10_postgis.sh
@@ -0,0 +1,26 @@
+#!/bin/bash
+
+set -e
+
+# Perform all actions as $POSTGRES_USER
+export PGUSER="$POSTGRES_USER"
+
+# Create the 'template_postgis' template db
+"${psql[@]}" <<- 'EOSQL'
+CREATE DATABASE template_postgis IS_TEMPLATE true;
+EOSQL
+
+# Load PostGIS into both template_database and $POSTGRES_DB
+for DB in template_postgis "$POSTGRES_DB"; do
+	echo "Loading PostGIS extensions into $DB"
+	"${psql[@]}" --dbname="$DB" <<-'EOSQL'
+		CREATE EXTENSION IF NOT EXISTS postgis;
+		CREATE EXTENSION IF NOT EXISTS postgis_topology;
+		-- Reconnect to update pg_setting.resetval
+		-- See https://github.com/postgis/docker-postgis/issues/288
+		\c
+		CREATE EXTENSION IF NOT EXISTS fuzzystrmatch;
+		CREATE EXTENSION IF NOT EXISTS postgis_tiger_geocoder;
+        CREATE EXTENSION IF NOT EXISTS accumulo_access_pg;
+EOSQL
+done
diff --git a/Cargo.toml b/Cargo.toml
@@ -13,22 +13,22 @@ crate-type = ["cdylib"]
 
 [features]
 default = ["pg15"]
-pg11 = ["pgrx/pg11", "pgrx-tests/pg11" ]
-pg12 = ["pgrx/pg12", "pgrx-tests/pg12" ]
-pg13 = ["pgrx/pg13", "pgrx-tests/pg13" ]
-pg14 = ["pgrx/pg14", "pgrx-tests/pg14" ]
-pg15 = ["pgrx/pg15", "pgrx-tests/pg15" ]
-pg16 = ["pgrx/pg16", "pgrx-tests/pg16" ]
+# pg11 = ["pgrx/pg11", "pgrx-tests/pg11" ]
+# pg12 = ["pgrx/pg12", "pgrx-tests/pg12" ]
+# pg13 = ["pgrx/pg13", "pgrx-tests/pg13" ]
+# pg14 = ["pgrx/pg14", "pgrx-tests/pg14" ]
+pg15 = ["pgrx/pg15", "pgrx-tests/pg15"]
+# pg16 = ["pgrx/pg16", "pgrx-tests/pg16" ]
 pg_test = []
 
 [dependencies]
 #accumulo-access = { path = "../accumulo-access-rs/accumulo-access", features = ["caching"] } # for local dev
 accumulo-access = "0.1"
-pgrx = "=0.11.2"
+pgrx = "=0.11.4"
 serde = { version = "1.0.195", features = ["derive"] }
 
 [dev-dependencies]
-pgrx-tests = "=0.11.2"
+pgrx-tests = "=0.11.4"
 
 [profile.dev]
 panic = "unwind"
@@ -38,3 +38,9 @@ panic = "unwind"
 opt-level = 3
 lto = "fat"
 codegen-units = 1
+
+[profile.artifacts]
+inherits = "release"
+opt-level = 3
+lto = "fat"
+codegen-units = 1
diff --git a/Dockerfile b/Dockerfile
@@ -0,0 +1,52 @@
+FROM debian:bullseye-slim AS build
+ARG USER=docker
+ARG UID=1000
+ARG GID=1000
+
+RUN useradd -m ${USER} --uid=${UID}
+
+ARG DEBIAN_FRONTEND=noninteractive
+RUN apt-get update && apt-get install -y wget gnupg
+RUN echo "deb http://apt.postgresql.org/pub/repos/apt/ bullseye-pgdg main" >> /etc/apt/sources.list.d/pgdg.list
+RUN wget --quiet -O - https://www.postgresql.org/media/keys/ACCC4CF8.asc | apt-key add -
+
+RUN apt-get update && apt-get install -y git curl
+RUN apt-get update && apt-get install -y gcc make build-essential libz-dev zlib1g-dev strace libssl-dev pkg-config
+
+RUN apt-get update && apt-get install -y postgresql-15 postgresql-server-dev-15
+RUN apt-get update && apt-get install -y ruby ruby-dev rubygems build-essential
+RUN gem install dotenv -v 2.8.1
+RUN gem install --no-document fpm
+
+USER ${UID}:${GID}
+WORKDIR /home/${USER}
+RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | bash -s -- -y
+ENV PATH="/home/${USER}/.cargo/bin:${PATH}"
+
+RUN cargo install cargo-pgrx
+RUN cargo pgrx init \
+    --pg15=/usr/lib/postgresql/15/bin/pg_config
+
+RUN mkdir -p accumulo-access-pg/src/
+ADD accumulo_access_pg.control Cargo.toml Cargo.lock accumulo-access-pg/
+ADD src/* accumulo-access-pg/src/
+
+WORKDIR /home/${USER}/accumulo-access-pg
+RUN cargo build --profile artifacts
+RUN cargo pgrx package --profile artifacts -c /usr/bin/pg_config
+RUN cd target/artifacts/accumulo_access_pg-pg15 && \
+    fpm \
+    -s dir \
+    -t deb \
+    -n accumuloaccess-pg15 \
+    -v 0.1.0 \
+    --deb-no-default-config-files \
+    -p /tmp/accumulo_access_bullseye_pg15_0.1.0_amd64.deb \
+    -a amd64 \
+    .
+
+FROM postgis/postgis:15-3.4 AS runtime
+
+COPY --from=build /tmp/accumulo_access_bullseye_pg15_0.1.0_amd64.deb /tmp/
+ADD 10_postgis.sh /docker-entrypoint-initdb.d/
+RUN apt install -y /tmp/accumulo_access_bullseye_pg15_0.1.0_amd64.deb
diff --git a/README.md b/README.md
@@ -40,7 +40,7 @@ insert into secret_stuff(data, authz_expr) values('win', 'label2 & (label3 | lab
 
 grant select on secret_stuff to users;
 
-create policy evaluate_policies on secret_stuff using ( sec_authz_check(authz_expr, current_setting('session.authorizations'), ','));
+create policy evaluate_policies on secret_stuff using ( sec_authz_check(authz_expr, current_setting('session.authorizations')));
 
 -- ...
 set session authorization johnny;
@@ -80,4 +80,4 @@ This project is licensed under both the Apache 2.0 license and the MIT license.
 
 ## Contributions
 
-Contributions are welcome.  Please open an issue or a pull request.
+Contributions are welcome.  Please open an issue or a pull request.
diff --git a/src/lib.rs b/src/lib.rs
@@ -8,7 +8,7 @@ use serde::{Deserialize, Serialize};
 pg_module_magic!();
 
 #[pg_extern]
-fn sec_authz_check(expression: Option<String>, tokens: Option<String>) -> bool {
+fn sec_authz_check(expression: Option<&str>, tokens: Option<&str>) -> bool {
     if expression.is_none() || tokens.is_none() {
         return false;
     }
@@ -21,7 +21,7 @@ fn sec_authz_check(expression: Option<String>, tokens: Option<String>) -> bool {
     if tokens.is_empty() {
         return false;
     }
-    match check_authorization_csv(expression, tokens) {
+    match check_authorization_csv(expression.to_string(), tokens.to_string()) {
         Ok(result) => result,
         Err(e) => {
             let msg = format!("Error parsing expression: {}", e);
@@ -66,8 +66,8 @@ mod tests {
 
     #[pg_test]
     fn test_accumulo_check_authorization() {
-        let expression = String::from("label1 & label5 & (label2 | \"label 🕺\")");
-        let tokens = String::from("label1,label5,label 🕺");
+        let expression = "label1 & label5 & (label2 | \"label 🕺\")";
+        let tokens = "label1,label5,label 🕺";
         assert_eq!(true, crate::sec_authz_check(Some(expression), Some(tokens)));
     }
 }