Merge pull request #897 from infoxchange/add_role_ensure_absent
add ensure=>absent to postgresql::server::role
david22swan authored Jan 18, 2018
2 parents ebaf270 + 37273e2 commit 1705a35
Showing 3 changed files with 92 additions and 58 deletions.
11 changes: 10 additions & 1 deletion README.md
Expand Up @@ -1487,7 +1487,16 @@ Provides the target for the rule, and is generally an internal only property.
**Use with caution.**

#### postgresql::server::role
Creates a role or user in PostgreSQL.
Creates or drops a role or user in PostgreSQL.

##### `ensure`

Specify whether to create or drop the role.

Specifying `present` will create the role.
Specifying `absent` will drop the role.

Default value: `present`.

##### `connection_limit`
Specifies how many concurrent connections the role can make.
123 changes: 66 additions & 57 deletions manifests/server/role.pp
Expand Up @@ -13,6 +13,7 @@
$connection_limit = '-1',
$username = $title,
$connect_settings = $postgresql::server::default_connect_settings,
Enum['present', 'absent'] $ensure = 'present',
) {
$psql_user = $postgresql::server::user
$psql_group = $postgresql::server::group
Expand All @@ -38,20 +39,6 @@
$version = $postgresql::server::_version
}

$login_sql = $login ? { true => 'LOGIN', default => 'NOLOGIN' }
$inherit_sql = $inherit ? { true => 'INHERIT', default => 'NOINHERIT' }
$createrole_sql = $createrole ? { true => 'CREATEROLE', default => 'NOCREATEROLE' }
$createdb_sql = $createdb ? { true => 'CREATEDB', default => 'NOCREATEDB' }
$superuser_sql = $superuser ? { true => 'SUPERUSER', default => 'NOSUPERUSER' }
$replication_sql = $replication ? { true => 'REPLICATION', default => '' }
if ($password_hash != false) {
$environment = "NEWPGPASSWD=${password_hash}"
$password_sql = "ENCRYPTED PASSWORD '\$NEWPGPASSWD'"
} else {
$password_sql = ''
$environment = []
}

Postgresql_psql {
db => $db,
port => $port_override,
Expand All @@ -66,60 +53,82 @@
],
}

postgresql_psql { "CREATE ROLE ${username} ENCRYPTED PASSWORD ****":
command => "CREATE ROLE \"${username}\" ${password_sql} ${login_sql} ${createrole_sql} ${createdb_sql} ${superuser_sql} ${replication_sql} CONNECTION LIMIT ${connection_limit}",
unless => "SELECT 1 FROM pg_roles WHERE rolname = '${username}'",
environment => $environment,
require => Class['Postgresql::Server'],
}
if $ensure == 'present' {
$login_sql = $login ? { true => 'LOGIN', default => 'NOLOGIN' }
$inherit_sql = $inherit ? { true => 'INHERIT', default => 'NOINHERIT' }
$createrole_sql = $createrole ? { true => 'CREATEROLE', default => 'NOCREATEROLE' }
$createdb_sql = $createdb ? { true => 'CREATEDB', default => 'NOCREATEDB' }
$superuser_sql = $superuser ? { true => 'SUPERUSER', default => 'NOSUPERUSER' }
$replication_sql = $replication ? { true => 'REPLICATION', default => '' }
if ($password_hash != false) {
$environment = "NEWPGPASSWD=${password_hash}"
$password_sql = "ENCRYPTED PASSWORD '\$NEWPGPASSWD'"
} else {
$password_sql = ''
$environment = []
}

postgresql_psql {"ALTER ROLE \"${username}\" ${superuser_sql}":
unless => "SELECT 1 FROM pg_roles WHERE rolname = '${username}' AND rolsuper = ${superuser}",
}
postgresql_psql { "CREATE ROLE ${username} ENCRYPTED PASSWORD ****":
command => "CREATE ROLE \"${username}\" ${password_sql} ${login_sql} ${createrole_sql} ${createdb_sql} ${superuser_sql} ${replication_sql} CONNECTION LIMIT ${connection_limit}",
unless => "SELECT 1 FROM pg_roles WHERE rolname = '${username}'",
environment => $environment,
require => Class['Postgresql::Server'],
}

postgresql_psql {"ALTER ROLE \"${username}\" ${createdb_sql}":
unless => "SELECT 1 FROM pg_roles WHERE rolname = '${username}' AND rolcreatedb = ${createdb}",
}
postgresql_psql {"ALTER ROLE \"${username}\" ${superuser_sql}":
unless => "SELECT 1 FROM pg_roles WHERE rolname = '${username}' AND rolsuper = ${superuser}",
}

postgresql_psql {"ALTER ROLE \"${username}\" ${createrole_sql}":
unless => "SELECT 1 FROM pg_roles WHERE rolname = '${username}' AND rolcreaterole = ${createrole}",
}
postgresql_psql {"ALTER ROLE \"${username}\" ${createdb_sql}":
unless => "SELECT 1 FROM pg_roles WHERE rolname = '${username}' AND rolcreatedb = ${createdb}",
}

postgresql_psql {"ALTER ROLE \"${username}\" ${login_sql}":
unless => "SELECT 1 FROM pg_roles WHERE rolname = '${username}' AND rolcanlogin = ${login}",
}
postgresql_psql {"ALTER ROLE \"${username}\" ${createrole_sql}":
unless => "SELECT 1 FROM pg_roles WHERE rolname = '${username}' AND rolcreaterole = ${createrole}",
}

postgresql_psql {"ALTER ROLE \"${username}\" ${inherit_sql}":
unless => "SELECT 1 FROM pg_roles WHERE rolname = '${username}' AND rolinherit = ${inherit}",
}
postgresql_psql {"ALTER ROLE \"${username}\" ${login_sql}":
unless => "SELECT 1 FROM pg_roles WHERE rolname = '${username}' AND rolcanlogin = ${login}",
}

if(versioncmp($version, '9.1') >= 0) {
if $replication_sql == '' {
postgresql_psql {"ALTER ROLE \"${username}\" NOREPLICATION":
unless => "SELECT 1 FROM pg_roles WHERE rolname = '${username}' AND rolreplication = ${replication}",
}
} else {
postgresql_psql {"ALTER ROLE \"${username}\" ${replication_sql}":
unless => "SELECT 1 FROM pg_roles WHERE rolname = '${username}' AND rolreplication = ${replication}",
postgresql_psql {"ALTER ROLE \"${username}\" ${inherit_sql}":
unless => "SELECT 1 FROM pg_roles WHERE rolname = '${username}' AND rolinherit = ${inherit}",
}

if(versioncmp($version, '9.1') >= 0) {
if $replication_sql == '' {
postgresql_psql {"ALTER ROLE \"${username}\" NOREPLICATION":
unless => "SELECT 1 FROM pg_roles WHERE rolname = '${username}' AND rolreplication = ${replication}",
}
} else {
postgresql_psql {"ALTER ROLE \"${username}\" ${replication_sql}":
unless => "SELECT 1 FROM pg_roles WHERE rolname = '${username}' AND rolreplication = ${replication}",
}
}
}
}

postgresql_psql {"ALTER ROLE \"${username}\" CONNECTION LIMIT ${connection_limit}":
unless => "SELECT 1 FROM pg_roles WHERE rolname = '${username}' AND rolconnlimit = ${connection_limit}",
}
postgresql_psql {"ALTER ROLE \"${username}\" CONNECTION LIMIT ${connection_limit}":
unless => "SELECT 1 FROM pg_roles WHERE rolname = '${username}' AND rolconnlimit = ${connection_limit}",
}

if $password_hash and $update_password {
if($password_hash =~ /^md5.+/) {
$pwd_hash_sql = $password_hash
} else {
$pwd_md5 = md5("${password_hash}${username}")
$pwd_hash_sql = "md5${pwd_md5}"
if $password_hash and $update_password {
if($password_hash =~ /^md5.+/) {
$pwd_hash_sql = $password_hash
} else {
$pwd_md5 = md5("${password_hash}${username}")
$pwd_hash_sql = "md5${pwd_md5}"
}
postgresql_psql { "ALTER ROLE ${username} ENCRYPTED PASSWORD ****":
command => "ALTER ROLE \"${username}\" ${password_sql}",
unless => "SELECT 1 FROM pg_shadow WHERE usename = '${username}' AND passwd = '${pwd_hash_sql}'",
environment => $environment,
}
}
postgresql_psql { "ALTER ROLE ${username} ENCRYPTED PASSWORD ****":
command => "ALTER ROLE \"${username}\" ${password_sql}",
unless => "SELECT 1 FROM pg_shadow WHERE usename = '${username}' AND passwd = '${pwd_hash_sql}'",
environment => $environment,
} else {
# ensure == absent
postgresql_psql { "DROP ROLE \"${username}\"":
onlyif => "SELECT 1 FROM pg_roles WHERE rolname = '${username}'",
require => Class['Postgresql::Server'],
}
}
}
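Review bot: The `absent` branch issues a bare `DROP ROLE "${username}"` guarded only by the `onlyif` lookup in pg_roles, and PostgreSQL refuses to drop a role that still owns objects or holds privileges in any database, so for such roles every run will error out rather than converge; nothing in the hunk reassigns or drops owned objects first, and since that needs per-database `REASSIGN OWNED BY` / `DROP OWNED BY` statements it is reasonable to leave it to the caller, but the precondition should be stated, e.g. replace `# ensure == absent` with `# ensure == absent: DROP ROLE fails while the role still owns objects or holds grants; reassign or drop those first (REASSIGN OWNED BY / DROP OWNED BY)`. The README hunk that documents `absent` should carry the same sentence. Note also that the new DROP statement interpolates `$username` into a double-quoted identifier exactly as the existing CREATE/ALTER statements do, so a name containing `"` (or `'` in the `onlyif` literal) breaks the statement; that is pre-existing, but the new branch inherits it and a comment or a restrictive type on `$username` would make the assumption visible. The define's header and the start of the `Postgresql_psql` defaults block are outside this hunk.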
16 changes: 16 additions & 0 deletions spec/unit/defines/server/role_spec.rb
Expand Up @@ -149,4 +149,20 @@
end
end

context 'with ensure set to absent' do
let :params do
{
:ensure => 'absent',
}
end

let :pre_condition do
"class {'postgresql::server':}"
end

it 'should have drop role for "test" user if ensure absent' do
is_expected.to contain_postgresql_psql('DROP ROLE "test"')
end
end

end
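Review bot: The new `with ensure set to absent` context only asserts that a `DROP ROLE "test"` resource is present; it does not check the `onlyif` guard nor that the CREATE/ALTER ROLE resources are absent from the catalog, so a regression that emitted both branches (or dropped the guard and made the drop unconditional) would still pass. Tighten it with `is_expected.to contain_postgresql_psql('DROP ROLE "test"').with_onlyif("SELECT 1 FROM pg_roles WHERE rolname = 'test'")` and `is_expected.not_to contain_postgresql_psql('CREATE ROLE test ENCRYPTED PASSWORD ****')`; the `test` title is inferred from the example description, since the enclosing `describe` and its `title` are outside this hunk. The `should ...` wording in the new `it` description is also a style point: the surrounding file's convention is not visible here, but rspec's current style omits `should` in example names.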
