publik_dump: limit DB connection to postgres user during restore

publik-dump/publik_dump/publik_dump.py

@@ -150,20 +150,36 @@ class PublikDump():
                     """ssh %s 'sudo -u postgres createdb %s --owner wcs --template="template0" --lc-collate=fr_FR.utf8 --lc-ctype=fr_FR.utf8'"""
                     % (self.dbtarget, service["database"])
                 )
+                self.run(
+                    """ssh %s 'sudo -u postgres psql -c "alter database %s connection limit 0;"'"""
+                    % (self.dbtarget, service["database"])
+                )
                 self.run(
                     "cat %s | ssh %s 'sudo -u postgres pg_restore -d %s'"
                     % (dump_file, self.dbtarget, service["database"])
                 )
+                self.run(
+                    """ssh %s 'sudo -u postgres psql -c "alter database %s connection limit -1;"'"""
+                    % (self.dbtarget, service["database"])
+                )
             else:
                 dump_file = "%s/%s.sql.gz" % (dump_folder, service["schema"])
                 self.run(
                     """ssh %s 'sudo -u postgres psql -c "drop schema if exists %s cascade" %s'"""
                     % (self.dbtarget, service["schema"], service["database"])
                 )
+                self.run(
+                    """ssh %s 'sudo -u postgres psql -c "alter database %s connection limit 0;"'"""
+                    % (self.dbtarget, service["database"])
+                )
                 self.run(
                     "cat %s | ssh %s 'sudo -u postgres pg_restore -d %s'"
                     % (dump_file, self.dbtarget, service["database"])
                 )
+                self.run(
+                    """ssh %s 'sudo -u postgres psql -c "alter database %s connection limit -1;"'"""
+                    % (self.dbtarget, service["database"])
+                )
 
     def invalidate_source_tenant(self):
         tenant = self.get_tenant_info()

publik-dump/tests/test_publik_dump.py

@@ -325,7 +325,7 @@ def test_dump_tenant_databases(mocked_tenant_info, mocked_run, publik_dump):
 def test_restore_tenant_database(mocked_tenant_info, mocked_run, publik_dump):
     publik_dump.dbtarget = DB_TARGET
     publik_dump.restore_tenant_databases()
-    assert len(mocked_run.mock_calls) == 1 + 3 + 2*8
+    assert len(mocked_run.mock_calls) == 1 + 5 + 4*8
     assert mocked_run.mock_calls[0][1][0] == \
         'ssh sql3.test-hds.saas.entrouvert hostname -f'
 
@@ -335,21 +335,29 @@ def test_restore_tenant_database(mocked_tenant_info, mocked_run, publik_dump):
         " 'sudo -u postgres psql -c \"drop schema if exists hobo_eurelien_test_entrouvert_org cascade\""\
         " hobo'"
     assert mocked_run.mock_calls[2][1][0].replace(publik_dump.host_folder, 'HF') == \
+        "ssh sql3.test-hds.saas.entrouvert 'sudo -u postgres psql -c \"alter database hobo connection limit 0;\"'"
+    assert mocked_run.mock_calls[3][1][0].replace(publik_dump.host_folder, 'HF') == \
         "cat HF/hobo-eurelien.test.entrouvert.org/hobo_eurelien_test_entrouvert_org.sql.gz"\
         " | ssh sql3.test-hds.saas.entrouvert 'sudo -u postgres pg_restore -d hobo'"
+    assert mocked_run.mock_calls[4][1][0].replace(publik_dump.host_folder, 'HF') == \
+        "ssh sql3.test-hds.saas.entrouvert 'sudo -u postgres psql -c \"alter database hobo connection limit -1;\"'"
 
     # wcs
-    assert mocked_run.mock_calls[5][1][0].replace(publik_dump.host_folder, 'HF') == \
+    assert mocked_run.mock_calls[9][1][0].replace(publik_dump.host_folder, 'HF') == \
         "ssh sql3.test-hds.saas.entrouvert"\
         " 'sudo -u postgres dropdb --if-exists wcs_demarches_eurelien_test_entrouvert_org'"
-    assert mocked_run.mock_calls[6][1][0].replace(publik_dump.host_folder, 'HF') == \
+    assert mocked_run.mock_calls[10][1][0].replace(publik_dump.host_folder, 'HF') == \
         "ssh sql3.test-hds.saas.entrouvert"\
         " 'sudo -u postgres createdb wcs_demarches_eurelien_test_entrouvert_org"\
         " --owner wcs --template=\"template0\" --lc-collate=fr_FR.utf8 --lc-ctype=fr_FR.utf8'"
-    assert mocked_run.mock_calls[7][1][0].replace(publik_dump.host_folder, 'HF') == \
+    assert mocked_run.mock_calls[11][1][0].replace(publik_dump.host_folder, 'HF') == \
+        'ssh sql3.test-hds.saas.entrouvert \'sudo -u postgres psql -c "alter database wcs_demarches_eurelien_test_entrouvert_org connection limit 0;"\''
+    assert mocked_run.mock_calls[12][1][0].replace(publik_dump.host_folder, 'HF') == \
         "cat HF/demarches-eurelien.test.entrouvert.org/wcs_demarches_eurelien_test_entrouvert_org.sql.gz"\
         " | ssh sql3.test-hds.saas.entrouvert"\
         " 'sudo -u postgres pg_restore -d wcs_demarches_eurelien_test_entrouvert_org'"
+    assert mocked_run.mock_calls[13][1][0].replace(publik_dump.host_folder, 'HF') == \
+        'ssh sql3.test-hds.saas.entrouvert \'sudo -u postgres psql -c "alter database wcs_demarches_eurelien_test_entrouvert_org connection limit -1;"\''
 
 
 @mock.patch('publik_dump.publik_dump.subprocess.run')