From af81a04e49ad63fb006546b8daf83691706e5284 Mon Sep 17 00:00:00 2001
From: Valentin Lab <valentin.lab@kalysto.org>
Date: Sat, 14 Sep 2024 20:59:14 +0200
Subject: [PATCH] new: [odoo-tecnativa] add support of restricted postgres
 access

---
 .../hooks/postgres_database-relation-joined   | 54 ++++++++++++++++++-
 odoo-tecnativa/lib/common                     | 29 ++++++++++
 odoo-tecnativa/metadata.yml                   |  3 ++
 .../odoo/common/entrypoint.d/20-postgres-wait | 17 ++++++
 4 files changed, 102 insertions(+), 1 deletion(-)
 create mode 100644 odoo-tecnativa/resources/opt/odoo/common/entrypoint.d/20-postgres-wait

diff --git a/odoo-tecnativa/hooks/postgres_database-relation-joined b/odoo-tecnativa/hooks/postgres_database-relation-joined
index 5cb9d1c..0e7a521 100755
--- a/odoo-tecnativa/hooks/postgres_database-relation-joined
+++ b/odoo-tecnativa/hooks/postgres_database-relation-joined
@@ -41,7 +41,6 @@ services:
       PGDATABASE: \"$DBNAME\"
       PGPASSWORD: \"$PASSWORD\"
       PGUSER: \"$USER\"
-      #DBFILTER: $DBNAME
       ADMIN_PASSWORD: \"$ADMIN_PASSWORD\"
 "
 
@@ -60,6 +59,59 @@ odoo_uid=$(get_odoo_uid)
 chown "$odoo_uid" "$CONFIG" && chmod 600 "$CONFIG"
 
 
+if ! out=$(echo "SELECT datname FROM pg_database;" | sql postgres 2>&1); then
+    warn "Failed to get database list" >&2
+    printf "%s\n" "$out" | prefix "  " >&2
+    ## We don't have access to database list, so...
+
+    ## if we have a dbfilter set, complain.
+    if dbfilter=$(options-get dbfilter 2>&1) && [ -n "$dbfilter" ]; then
+        err "Cannot set ${WHITE}dbfilter${NORMAL} without access to db list"
+        echo "  You don't seem to have access rights on" \
+             "${DARKYELLOW}$TARGET_SERVICE_NAME${NORMAL} to" \
+             "the database list" >&2
+        echo "  So you cannot set" \
+             "${WHITE}dbfilter${NORMAL} option in" \
+             "${DARKYELLOW}$SERVICE_NAME${NORMAL} options." >&2
+        exit 1
+    fi
+
+    service_base_image_export_dir \
+        "$MASTER_BASE_SERVICE_NAME" \
+        /opt/odoo/custom/src/odoo/odoo/sql_db.py \
+        "$SERVICE_CONFIGSTORE/odoo-sql_db.py"
+
+    chown "$odoo_uid" "$SERVICE_CONFIGSTORE/odoo-sql_db.py"
+
+    patch -d "$SERVICE_CONFIGSTORE" -p0 <<EOF
+--- odoo-sql_db.py      2024-09-14 20:44:40.540104600 +0200
++++ odoo-sql_db.py      2024-09-14 20:45:39.868394908 +0200
+@@ -789,6 +789,9 @@
+     if _Pool is None:
+         _Pool = ConnectionPool(int(tools.config['db_maxconn']))
+
++    if to == 'postgres':
++        to = tools.config['db_name']
++
+     db, info = connection_info_for(to)
+     if not allow_uri and db != to:
+         raise ValueError('URI connections not allowed')
+EOF
+    
+    ## We need to force DBFILTER to be empty as odoo-tecnativa image
+    ## will set '.*' by default, which makes odoo switch to a mode
+    ## where it ignores DBNAME.
+    config-add "\
+services:
+  $MASTER_BASE_SERVICE_NAME:
+    volumes:
+      - '$SERVICE_CONFIGSTORE/odoo-sql_db.py:/opt/odoo/custom/src/odoo/odoo/sql_db.py'
+    environment:
+      DBFILTER: ''
+"
+
+fi
+
 relation-set control "$control"
 
 info "Configured $SERVICE_NAME code for $HOST:$PORT access."
diff --git a/odoo-tecnativa/lib/common b/odoo-tecnativa/lib/common
index 3b84d86..8babbde 100644
--- a/odoo-tecnativa/lib/common
+++ b/odoo-tecnativa/lib/common
@@ -9,3 +9,32 @@ get_odoo_uid() {
     info "openerp uid from ${DARKYELLOW}$SERVICE_NAME${NORMAL} is '$odoo_uid'"
     echo "$odoo_uid"
 }
+
+sql() {
+    local dbname="$1"
+    (
+        DBNAME="$(relation:get "$SERVICE_NAME":postgres-database dbname)" || return 1
+        ts=$(service:traverse "$SERVICE_NAME":"postgres-database") || return 1
+        export SERVICE_NAME="$ts"
+        export SERVICE_DATASTORE="$DATASTORE/$SERVICE_NAME"
+
+        target_charm=$(get_service_charm "$ts") || return 1
+        target_charm_path=$(charm.get_dir "$target_charm") || return 1
+
+        set +e
+
+        . "$target_charm_path/lib/common"
+
+        set -e
+
+        metadata_service_def=$(_get_service_metadata "$ts") || return 1
+        type=$(e "$metadata_service_def" | yq -r '.type') || true
+        if [[ "$type" != "stub" ]]; then
+            DOCKER_BASE_IMAGE=$(service_ensure_image_ready "$SERVICE_NAME") || return 1
+            export DOCKER_BASE_IMAGE
+            ensure_db_docker_running
+        fi
+
+        ddb "${dbname:-$DBNAME}"
+    )
+}
diff --git a/odoo-tecnativa/metadata.yml b/odoo-tecnativa/metadata.yml
index f40af39..f2121d7 100644
--- a/odoo-tecnativa/metadata.yml
+++ b/odoo-tecnativa/metadata.yml
@@ -6,6 +6,9 @@ data-resources:
 #   ## create/update this file ?
 #   # - /etc/odoo-server.conf
 
+charm-resources:
+  - /opt/odoo/common/entrypoint.d/20-postgres-wait
+
 docker-compose:
   command:
     - odoo
diff --git a/odoo-tecnativa/resources/opt/odoo/common/entrypoint.d/20-postgres-wait b/odoo-tecnativa/resources/opt/odoo/common/entrypoint.d/20-postgres-wait
new file mode 100644
index 0000000..c6652cd
--- /dev/null
+++ b/odoo-tecnativa/resources/opt/odoo/common/entrypoint.d/20-postgres-wait
@@ -0,0 +1,17 @@
+#!/bin/bash
+if [ "$WAIT_DB" != true ]; then
+    log INFO Not waiting for a postgres server
+    exit 0
+fi
+
+log INFO Waiting until postgres is listening at $PGHOST...
+while true; do
+    if [ -n "$PGDATABASE" ]; then
+        echo "SELECT 1;" | psql "$PGDATABASE"
+    else
+        # Assumes that your access level to postgres includes the
+        # right to list databases
+        psql -l
+    fi > /dev/null 2>&1 && break
+    sleep 1
+done