Use a non-superuser user to access GitLab to ensure permissions are proper

We have run into permission issues with MySQL triggers in #36633 that would have been caught earlier either if our migration tests or GitLab QA tests had been testing against non-superuser users. This change creates a non-superuser that has access to the GitLab test database and uses that. Closes #39932

Use a non-superuser user to access GitLab to ensure permissions are proper
8efdf75b · Stan Hu · 304ceb14 · 8efdf75b · 8efdf75b · 8efdf75b
Commit 8efdf75b authored Nov 09, 2017 by Stan Hu
Showing with 32 additions and 1 deletion

.gitlab-ci.yml .gitlab-ci.yml +2 -1

create_mysql_user.sh scripts/create_mysql_user.sh +8 -0

create_postgres_user.sh scripts/create_postgres_user.sh +8 -0

prepare_build.sh scripts/prepare_build.sh +14 -0

No files found.
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -453,6 +453,7 @@ db:migrate:reset-mysql:
  stage: test
  variables:
    SETUP_DB: "false"
+    CREATE_DB_USER: "true"
  script:
    - git fetch https://gitlab.com/gitlab-org/gitlab-ce.git v9.3.0
    - git checkout -f FETCH_HEAD
@@ -497,6 +498,7 @@ db:rollback-mysql:
  variables:
    SIZE: "1"
    SETUP_DB: "false"
+    CREATE_DB_USER: "true"
  script:
    - git clone https://gitlab.com/gitlab-org/gitlab-test.git
       /home/git/repositories/gitlab-org/gitlab-test.git
@@ -532,7 +534,6 @@ gitlab:assets:compile:
    NODE_ENV: "production"
    RAILS_ENV: "production"
    SETUP_DB: "false"
-    USE_DB: "false"
    SKIP_STORAGE_VALIDATION: "true"
    WEBPACK_REPORT: "true"
    NO_COMPRESSION: "true"

--- a/scripts/create_mysql_user.sh
+++ b/scripts/create_mysql_user.sh
+#!/bin/bash
+
+mysql --user=root --host=mysql <<EOF
+CREATE DATABASE IF NOT EXISTS gitlabhq_test;
+CREATE USER IF NOT EXISTS 'gitlab'@'%';
+GRANT ALL PRIVILEGES ON gitlabhq_test.* TO 'gitlab'@'%';
+FLUSH PRIVILEGES;
+EOF
--- a/scripts/create_postgres_user.sh
+++ b/scripts/create_postgres_user.sh
+#!/bin/bash
+
+psql -h postgres -U postgres postgres <<EOF
+DROP DATABASE IF EXISTS gitlabhq_test;
+CREATE DATABASE gitlabhq_test;
+CREATE USER gitlab;
+GRANT ALL PRIVILEGES ON DATABASE gitlabhq_test TO gitlab;
+EOF
--- a/scripts/prepare_build.sh
+++ b/scripts/prepare_build.sh
 . scripts/utils.sh

 export SETUP_DB=${SETUP_DB:-true}
+export CREATE_DB_USER=${CREATE_DB_USER:-$SETUP_DB}
 export USE_BUNDLE_INSTALL=${USE_BUNDLE_INSTALL:-true}
 export BUNDLE_INSTALL_FLAGS="--without production --jobs $(nproc) --path vendor --retry 3 --quiet"

@@ -26,6 +27,9 @@ fi

 cp config/database.yml.$GITLAB_DATABASE config/database.yml

+# Set user to a non-superuser to ensure we test permissions
+sed -i 's/username: root/username: gitlab/g' config/database.yml
+
 if [ "$GITLAB_DATABASE" = 'postgresql' ]; then
    sed -i 's/localhost/postgres/g' config/database.yml
 else # Assume it's mysql
@@ -44,6 +48,16 @@ sed -i 's/localhost/redis/g' config/redis.queues.yml
 cp config/redis.shared_state.yml.example config/redis.shared_state.yml
 sed -i 's/localhost/redis/g' config/redis.shared_state.yml

+# Some tasks (e.g. db:seed_fu) need to have a properly-configured database
+# user but not necessarily a full schema loaded
+if [ "$CREATE_DB_USER" != "false" ]; then
+    if [ "$GITLAB_DATABASE" = 'postgresql' ]; then
+        . scripts/create_postgres_user.sh
+    else
+        . scripts/create_mysql_user.sh
+    fi
+fi
+
 if [ "$SETUP_DB" != "false" ]; then
    bundle exec rake db:drop db:create db:schema:load db:migrate