From b1d2dcfd89580dabe66e708305ede58b5cc57940 Mon Sep 17 00:00:00 2001
From: Rob Taylor
Date: Fri, 26 Nov 2021 19:38:34 +0000
Subject: [PATCH] Add drop privilege for table objects.

---
 redshift/helpers.go | 2 +-
 redshift/helpers_test.go | 2 +-
 redshift/resource_redshift_default_privileges.go | 5 ++++-
 .../resource_redshift_default_privileges_test.go | 16 ++++++++++++----
 redshift/resource_redshift_grant.go | 8 ++++++--
 redshift/resource_redshift_grant_test.go | 9 +++++++--
 redshift/resource_redshift_privilege.go | 6 ++++--
 redshift/validation.go | 1 +
 8 files changed, 36 insertions(+), 13 deletions(-)

diff --git a/redshift/helpers.go b/redshift/helpers.go
index 5f71a32..55ab625 100644
--- a/redshift/helpers.go
+++ b/redshift/helpers.go
@@ -165,7 +165,7 @@ func validatePrivileges(privileges []string, objectType string) bool {
  }
  case "TABLE":
  switch strings.ToUpper(p) {
- case "SELECT", "UPDATE", "INSERT", "DELETE", "REFERENCES":
+ case "SELECT", "UPDATE", "INSERT", "DELETE", "DROP", "REFERENCES":
  continue
  default:
  return false
diff --git a/redshift/helpers_test.go b/redshift/helpers_test.go
index 27f2c44..40f8600 100644
--- a/redshift/helpers_test.go
+++ b/redshift/helpers_test.go
@@ -31,7 +31,7 @@ func TestValidatePrivileges(t *testing.T) {
  expected: true,
  },
  "valid list for table": {
- privileges: []string{"insert", "update", "delete", "select", "references"},
+ privileges: []string{"insert", "update", "delete", "select", "drop", "references"},
  objectType: "table",
  expected: true,
  },
diff --git a/redshift/resource_redshift_default_privileges.go b/redshift/resource_redshift_default_privileges.go
index 7f6ea44..67a0f56 100644
--- a/redshift/resource_redshift_default_privileges.go
+++ b/redshift/resource_redshift_default_privileges.go
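Review bot: The accepted TABLE privilege list in validatePrivileges is now maintained by hand in four places — this `case` line, the two default-privilege readers (readGroupTableDefaultPrivileges, readGroupTablePrivileges) and readGroupTableGrants — with nothing tying them together, so every new privilege has to be added to each file separately; this is a point of style rather than a defect in the hunk itself. A single package-level slice such as `var tablePrivileges = []string{"select", "update", "insert", "delete", "drop", "references"}` consumed by the validator would keep the set that is accepted on write and the set that is reported on read from diverging. validatePrivileges begins and ends outside this hunk.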
@@ -194,13 +194,14 @@ func resourceRedshiftDefaultPrivilegesReadImpl(db *DBConnection, d *schema.Resou
  }
 
  func readGroupTableDefaultPrivileges(tx *sql.Tx, d *schema.ResourceData, groupID, schemaID, ownerID int) error {
- var tableSelect, tableUpdate, tableInsert, tableDelete, tableReferences bool
+ var tableSelect, tableUpdate, tableInsert, tableDelete, tableDrop, tableReferences bool
  tableDefaultPrivilegeQuery := `
  SELECT
  decode(charindex('r',split_part(split_part(array_to_string(defaclacl, '|'),'group ' || gr.groname,2 ) ,'/',1)),0,0,1) as select,
  decode(charindex('w',split_part(split_part(array_to_string(defaclacl, '|'),'group ' || gr.groname,2 ) ,'/',1)),0,0,1) as update,
  decode(charindex('a',split_part(split_part(array_to_string(defaclacl, '|'),'group ' || gr.groname,2 ) ,'/',1)),0,0,1) as insert,
  decode(charindex('d',split_part(split_part(array_to_string(defaclacl, '|'),'group ' || gr.groname,2 ) ,'/',1)),0,0,1) as delete,
+ decode(charindex('D',split_part(split_part(array_to_string(defaclacl, '|'),'group ' || gr.groname,2 ) ,'/',1)),0,0,1) as drop,
  decode(charindex('x',split_part(split_part(array_to_string(defaclacl, '|'),'group ' || gr.groname,2 ) ,'/',1)),0,0,1) as references
  FROM pg_group gr, pg_default_acl acl
  WHERE
@@ -215,6 +216,7 @@ func readGroupTableDefaultPrivileges(tx *sql.Tx, d *schema.ResourceData, groupID
  &tableUpdate,
  &tableInsert,
  &tableDelete,
+ &tableDrop,
  &tableReferences); err != nil && err != sql.ErrNoRows {
  return fmt.Errorf("failed to collect group privileges: %w", err)
  }
@@ -224,6 +226,7 @@ func readGroupTableDefaultPrivileges(tx *sql.Tx, d *schema.ResourceData, groupID
  appendIfTrue(tableUpdate, "update", &privileges)
  appendIfTrue(tableInsert, "insert", &privileges)
  appendIfTrue(tableDelete, "delete", &privileges)
+ appendIfTrue(tableDelete, "drop", &privileges)
  appendIfTrue(tableReferences, "references", &privileges)
 
  log.Printf("[DEBUG] Collected privileges for group ID %d: %v\n", groupID, privileges)
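Review bot: In the third hunk (`@@ -224,6 +226,7 @@`) the added line `appendIfTrue(tableDelete, "drop", &privileges)` tests the wrong flag: tableDrop is scanned from the new `as drop` column in the second hunk but is never read, so the resource reports DROP as granted exactly when DELETE is granted, whatever the default ACL actually says. In practice a DROP default privilege that exists in Redshift without DELETE is invisible to `terraform plan` (no drift is detected), a configuration granting DROP without DELETE produces a permanent diff, and the acceptance tests grant all six privileges together so they do not catch the mismatch. The fix is `appendIfTrue(tableDrop, "drop", &privileges)`, which is what the sibling readGroupTablePrivileges in resource_redshift_privilege.go already does in this same commit. The new `charindex('D', …)` column in the first hunk relies on charindex being case-sensitive so that it does not also match the lowercase delete flag `d`; a short comment next to it, e.g. `// 'D' (drop) and 'd' (delete) are distinct ACL flags`, would save the next reader from re-deriving that. readGroupTableDefaultPrivileges ends outside the last hunk.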
diff --git a/redshift/resource_redshift_default_privileges_test.go b/redshift/resource_redshift_default_privileges_test.go
index 775f3d1..75b3e99 100644
--- a/redshift/resource_redshift_default_privileges_test.go
+++ b/redshift/resource_redshift_default_privileges_test.go
@@ -24,9 +24,13 @@ func TestAccRedshiftDefaultPrivileges_Basic(t *testing.T) {
  resource.TestCheckResourceAttr("redshift_default_privileges.simple_table", "id", fmt.Sprintf("%s_noschema_root_table", groupName)),
  resource.TestCheckResourceAttr("redshift_default_privileges.simple_table", "group", groupName),
  resource.TestCheckResourceAttr("redshift_default_privileges.simple_table", "object_type", "table"),
- resource.TestCheckResourceAttr("redshift_default_privileges.simple_table", "privileges.#", "2"),
+ resource.TestCheckResourceAttr("redshift_default_privileges.simple_table", "privileges.#", "6"),
  resource.TestCheckTypeSetElemAttr("redshift_default_privileges.simple_table", "privileges.*", "select"),
  resource.TestCheckTypeSetElemAttr("redshift_default_privileges.simple_table", "privileges.*", "update"),
+ resource.TestCheckTypeSetElemAttr("redshift_default_privileges.simple_table", "privileges.*", "insert"),
+ resource.TestCheckTypeSetElemAttr("redshift_default_privileges.simple_table", "privileges.*", "delete"),
+ resource.TestCheckTypeSetElemAttr("redshift_default_privileges.simple_table", "privileges.*", "drop"),
+ resource.TestCheckTypeSetElemAttr("redshift_default_privileges.simple_table", "privileges.*", "references"),
  ),
  },
  },
@@ -46,9 +50,13 @@ func TestAccRedshiftDefaultPrivileges_UpdateToRevoke(t *testing.T) {
  resource.TestCheckResourceAttr("redshift_default_privileges.priv", "id", fmt.Sprintf("%s_noschema_root_table", groupName)),
  resource.TestCheckResourceAttr("redshift_default_privileges.priv", "group", groupName),
  resource.TestCheckResourceAttr("redshift_default_privileges.priv", "object_type", "table"),
- resource.TestCheckResourceAttr("redshift_default_privileges.priv", "privileges.#", "2"),
+ resource.TestCheckResourceAttr("redshift_default_privileges.priv", "privileges.#", "6"),
  resource.TestCheckTypeSetElemAttr("redshift_default_privileges.priv", "privileges.*", "select"),
+ resource.TestCheckTypeSetElemAttr("redshift_default_privileges.priv", "privileges.*", "update"),
  resource.TestCheckTypeSetElemAttr("redshift_default_privileges.priv", "privileges.*", "insert"),
+ resource.TestCheckTypeSetElemAttr("redshift_default_privileges.priv", "privileges.*", "delete"),
+ resource.TestCheckTypeSetElemAttr("redshift_default_privileges.priv", "privileges.*", "drop"),
+ resource.TestCheckTypeSetElemAttr("redshift_default_privileges.priv", "privileges.*", "references"),
  ),
  },
  {
@@ -122,7 +130,7 @@ resource "redshift_default_privileges" "simple_table" {
  group = redshift_group.group.name
  owner = "root"
  object_type = "table"
- privileges = ["SELECT", "update"]
+ privileges = ["select", "update", "insert", "delete", "drop", "references"]
  }`, groupName)
  }
 
@@ -136,7 +144,7 @@ resource "redshift_default_privileges" "priv" {
  group = redshift_group.group.name
  owner = "root"
  object_type = "table"
- privileges = ["insert", "select"]
+ privileges = ["select", "update", "insert", "delete", "drop", "references"]
  }`, groupName)
  }
 
diff --git a/redshift/resource_redshift_grant.go b/redshift/resource_redshift_grant.go
index 9461db9..9f6a010 100644
--- a/redshift/resource_redshift_grant.go
+++ b/redshift/resource_redshift_grant.go
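Review bot: The rewritten configs in `@@ -122,7 +130,7 @@` and `@@ -136,7 +144,7 @@` grant all six table privileges at once, so the read-back checks in the earlier hunks cannot tell a flag that comes from its own ACL bit apart from one that merely mirrors another (for example, "drop" being reported from the delete bit). A step that applies `privileges = ["select", "drop"]` and asserts `privileges.#` is `2` with no `delete` element would pin the drop bit on its own; the same applies to the all-six config added to resource_redshift_grant_test.go. Replacing `["SELECT", "update"]` with an all-lowercase list also removes the only mixed-case input in these acceptance tests, so case-insensitive handling of privilege names is no longer exercised here; keeping one upper-case entry, e.g. `["SELECT", "update", "insert", "delete", "drop", "references"]`, would preserve that coverage.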
@@ -246,6 +246,7 @@ func readGroupTableGrants(db *DBConnection, d *schema.ResourceData) error {
  decode(charindex('w',split_part(split_part(array_to_string(relacl, '|'),'group ' || gr.groname,2 ) ,'/',1)), null,0, 0,0, 1) as update,
  decode(charindex('a',split_part(split_part(array_to_string(relacl, '|'),'group ' || gr.groname,2 ) ,'/',1)), null,0, 0,0, 1) as insert,
  decode(charindex('d',split_part(split_part(array_to_string(relacl, '|'),'group ' || gr.groname,2 ) ,'/',1)), null,0, 0,0, 1) as delete,
+ decode(charindex('D',split_part(split_part(array_to_string(relacl, '|'),'group ' || gr.groname,2 ) ,'/',1)), null,0, 0,0, 1) as drop,
  decode(charindex('x',split_part(split_part(array_to_string(relacl, '|'),'group ' || gr.groname,2 ) ,'/',1)), null,0, 0,0, 1) as references
  FROM pg_group gr, pg_class cl
  JOIN pg_namespace nsp ON nsp.oid = cl.relnamespace
@@ -266,9 +267,9 @@ func readGroupTableGrants(db *DBConnection, d *schema.ResourceData) error {
 
  for rows.Next() {
  var objName string
- var tableSelect, tableUpdate, tableInsert, tableDelete, tableReferences bool
+ var tableSelect, tableUpdate, tableInsert, tableDelete, tableDrop, tableReferences bool
 
- if err := rows.Scan(&objName, &tableSelect, &tableUpdate, &tableInsert, &tableDelete, &tableReferences); err != nil {
+ if err := rows.Scan(&objName, &tableSelect, &tableUpdate, &tableInsert, &tableDelete, &tableDrop, &tableReferences); err != nil {
  return err
  }
 
@@ -289,6 +290,9 @@ func readGroupTableGrants(db *DBConnection, d *schema.ResourceData) error {
  if tableDelete {
  privilegesSet.Add("delete")
  }
+ if tableDrop {
+ privilegesSet.Add("drop")
+ }
  if tableReferences {
  privilegesSet.Add("references")
  }
diff --git a/redshift/resource_redshift_grant_test.go b/redshift/resource_redshift_grant_test.go
index 09a8391..873a977 100644
--- a/redshift/resource_redshift_grant_test.go
+++ b/redshift/resource_redshift_grant_test.go
@@ -113,8 +113,13 @@ func TestAccRedshiftGrant_BasicTable(t *testing.T) {
  resource.TestCheckResourceAttr("redshift_grant.grant", "object_type", "table"),
  resource.TestCheckResourceAttr("redshift_grant.grant", "objects.#", "1"),
  resource.TestCheckTypeSetElemAttr("redshift_grant.grant", "objects.*", "pg_user_info"),
- resource.TestCheckResourceAttr("redshift_grant.grant", "privileges.#", "1"),
+ resource.TestCheckResourceAttr("redshift_grant.grant", "privileges.#", "6"),
  resource.TestCheckTypeSetElemAttr("redshift_grant.grant", "privileges.*", "select"),
+ resource.TestCheckTypeSetElemAttr("redshift_grant.grant", "privileges.*", "update"),
+ resource.TestCheckTypeSetElemAttr("redshift_grant.grant", "privileges.*", "insert"),
+ resource.TestCheckTypeSetElemAttr("redshift_grant.grant", "privileges.*", "delete"),
+ resource.TestCheckTypeSetElemAttr("redshift_grant.grant", "privileges.*", "drop"),
+ resource.TestCheckTypeSetElemAttr("redshift_grant.grant", "privileges.*", "references"),
  ),
  },
  },
@@ -133,7 +138,7 @@ resource "redshift_grant" "grant" {
 
  object_type = "table"
  objects = ["pg_user_info"]
- privileges = ["select"]
+ privileges = ["select", "update", "insert", "delete", "drop", "references"]
  }
  `, groupName)
  }
diff --git a/redshift/resource_redshift_privilege.go b/redshift/resource_redshift_privilege.go
index 1b8e33f..f3928c7 100644
--- a/redshift/resource_redshift_privilege.go
+++ b/redshift/resource_redshift_privilege.go
@@ -225,13 +225,14 @@ func readGroupSchemaPrivileges(tx *sql.Tx, d *schema.ResourceData, groupID, sche
  }
 
  func readGroupTablePrivileges(tx *sql.Tx, d *schema.ResourceData, groupID, schemaID int) error {
- var tableSelect, tableUpdate, tableInsert, tableDelete, tableReferences bool
+ var tableSelect, tableUpdate, tableInsert, tableDelete, tableDrop, tableReferences bool
  tableDefaultPrivilegeQuery := `
  SELECT
  decode(charindex('r',split_part(split_part(array_to_string(defaclacl, '|'),'group ' || gr.groname,2 ) ,'/',1)),0,0,1) as select,
  decode(charindex('w',split_part(split_part(array_to_string(defaclacl, '|'),'group ' || gr.groname,2 ) ,'/',1)),0,0,1) as update,
  decode(charindex('a',split_part(split_part(array_to_string(defaclacl, '|'),'group ' || gr.groname,2 ) ,'/',1)),0,0,1) as insert,
  decode(charindex('d',split_part(split_part(array_to_string(defaclacl, '|'),'group ' || gr.groname,2 ) ,'/',1)),0,0,1) as delete,
+ decode(charindex('D',split_part(split_part(array_to_string(defaclacl, '|'),'group ' || gr.groname,2 ) ,'/',1)),0,0,1) as drop,
  decode(charindex('x',split_part(split_part(array_to_string(defaclacl, '|'),'group ' || gr.groname,2 ) ,'/',1)),0,0,1) as references
  FROM pg_group gr, pg_default_acl acl, pg_namespace ns
  WHERE
@@ -241,7 +242,7 @@ func readGroupTablePrivileges(tx *sql.Tx, d *schema.ResourceData, groupID, schem
  AND gr.grosysid = $2
  AND acl.defaclobjtype = $3`
 
- if err := tx.QueryRow(tableDefaultPrivilegeQuery, schemaID, groupID, objectTypesCodes["table"]).Scan(&tableSelect, &tableUpdate, &tableInsert, &tableDelete, &tableReferences); err != nil && err != sql.ErrNoRows {
+ if err := tx.QueryRow(tableDefaultPrivilegeQuery, schemaID, groupID, objectTypesCodes["table"]).Scan(&tableSelect, &tableUpdate, &tableInsert, &tableDelete, &tableDrop, &tableReferences); err != nil && err != sql.ErrNoRows {
  return fmt.Errorf("failed to collect group privileges: %w", err)
  }
 
@@ -250,6 +251,7 @@ func readGroupTablePrivileges(tx *sql.Tx, d *schema.ResourceData, groupID, schem
  appendIfTrue(tableUpdate, "update", &privileges)
  appendIfTrue(tableInsert, "insert", &privileges)
  appendIfTrue(tableDelete, "delete", &privileges)
+ appendIfTrue(tableDrop, "drop", &privileges)
  appendIfTrue(tableReferences, "references", &privileges)
 
  d.Set(privilegePrivilegesAttr, privileges)
diff --git a/redshift/validation.go b/redshift/validation.go
index 96b8202..b95a20e 100644
--- a/redshift/validation.go
+++ b/redshift/validation.go
@@ -51,6 +51,7 @@ var reservedWords = []string{
  "disable",
  "distinct",
  "do",
+ "drop",
  "else",
  "emptyasnull",
  "enable",