Simon/romm
1
0
Fork 0
mirror of https://github.com/rommapp/romm.git synced 2026-06-28 14:56:01 +00:00
Code Issues Packages Projects Releases Wiki Activity

Scope test-user grant to the romm_test namespace

Browse Source 
Addresses review feedback: granting ALL PRIVILEGES on *.* is overly broad,
especially against a shared DB instance. A database-level grant on the
`romm\_test%` wildcard pattern still lets the user CREATE the per-worker
databases (romm_test_gw0, ...) needed by pytest-xdist, while confining it to
that namespace — verified that out-of-namespace CREATE DATABASE is denied.

PostgreSQL needs no equivalent change: its CI service user (POSTGRES_USER)
is the container superuser.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
Georges-Antoine Assi
2026-06-19 21:34:46 -04:00
parent 02815ec403
commit 26cf4b36f8
2 changed files with 11 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
.github/workflows/pytest.yml vendored
View File

@@ -71,7 +71,11 @@ jobs:
- name: Initiate MariaDB database
if: matrix.db == 'mariadb'
run: |
mysql --host 127.0.0.1 --port ${{ job.services.mariadb.ports['3306'] }} -uroot -ppasswd -e "GRANT ALL PRIVILEGES ON *.* TO 'romm_test'@'%' WITH GRANT OPTION; FLUSH PRIVILEGES;"
# Grant on the `romm_test%` namespace so the test user can create the
# per-worker databases (romm_test_gw0, ...) used under pytest-xdist,
# without granting it global privileges. The backticks are escaped so
# the shell doesn't treat them as command substitution.
mysql --host 127.0.0.1 --port ${{ job.services.mariadb.ports['3306'] }} -uroot -ppasswd -e "GRANT ALL PRIVILEGES ON \`romm\_test%\`.* TO 'romm_test'@'%' WITH GRANT OPTION; FLUSH PRIVILEGES;"
- name: Run python tests
env:

9
backend/romm_test/setup.sql
View File

@@ -1,6 +1,9 @@
CREATE DATABASE IF NOT EXISTS romm_test;
CREATE USER IF NOT EXISTS 'romm_test'@'%' IDENTIFIED BY 'passwd';
-- Grant on *.* (not just romm_test.*) so the test user can create the
-- per-worker databases (romm_test_gw0, ...) used when running under pytest-xdist.
GRANT ALL PRIVILEGES ON *.* TO 'romm_test'@'%' WITH GRANT OPTION;
-- Grant on the `romm_test%` namespace (the base DB plus the per-worker
-- `romm_test_gw0`, ... databases created under pytest-xdist). A database-level
-- grant on a wildcard pattern also lets the user CREATE matching databases,
-- while confining it to that namespace on a shared instance. The `\_` escapes
-- the underscore so it is matched literally rather than as a single-char wildcard.
GRANT ALL PRIVILEGES ON `romm\_test%`.* TO 'romm_test'@'%' WITH GRANT OPTION;
FLUSH PRIVILEGES;