From 37273e229cb705528490cc6b794cd82b49578016 Mon Sep 17 00:00:00 2001 From: George Hansper Date: Fri, 7 Jul 2017 15:33:30 +1000 Subject: [PATCH] add ensure=>absent to postgresql::server::role --- README.md | 11 ++- manifests/server/role.pp | 123 ++++++++++++++------------ spec/unit/defines/server/role_spec.rb | 16 ++++ 3 files changed, 92 insertions(+), 58 deletions(-) diff --git a/README.md b/README.md index bac8a922a2..36ecadd8cf 100644 --- a/README.md +++ b/README.md @@ -1444,7 +1444,16 @@ Provides the target for the rule, and is generally an internal only property. **Use with caution.** #### postgresql::server::role -Creates a role or user in PostgreSQL. +Creates or drops a role or user in PostgreSQL. + +##### `ensure` + +Specify whether to create or drop the role. + +Specifying `present` will create the role. +Specifying `absent` will drop the role. + +Default value: `present`. ##### `connection_limit` Specifies how many concurrent connections the role can make. diff --git a/manifests/server/role.pp b/manifests/server/role.pp index a0bc7ef461..daef4829d5 100644 --- a/manifests/server/role.pp +++ b/manifests/server/role.pp @@ -13,6 +13,7 @@ $connection_limit = '-1', $username = $title, $connect_settings = $postgresql::server::default_connect_settings, + Enum['present', 'absent'] $ensure = 'present', ) { $psql_user = $postgresql::server::user $psql_group = $postgresql::server::group 
@@ -38,20 +39,6 @@ $version = $postgresql::server::_version } - $login_sql = $login ? { true => 'LOGIN', default => 'NOLOGIN' } - $inherit_sql = $inherit ? { true => 'INHERIT', default => 'NOINHERIT' } - $createrole_sql = $createrole ? { true => 'CREATEROLE', default => 'NOCREATEROLE' } - $createdb_sql = $createdb ? { true => 'CREATEDB', default => 'NOCREATEDB' } - $superuser_sql = $superuser ? { true => 'SUPERUSER', default => 'NOSUPERUSER' } - $replication_sql = $replication ? { true => 'REPLICATION', default => '' } - if ($password_hash != false) { - $environment = "NEWPGPASSWD=${password_hash}" - $password_sql = "ENCRYPTED PASSWORD '\$NEWPGPASSWD'" - } else { - $password_sql = '' - $environment = [] - } - Postgresql_psql { db => $db, port => $port_override, 
@@ -66,60 +53,82 @@ ], } - postgresql_psql { "CREATE ROLE ${username} ENCRYPTED PASSWORD ****": - command => "CREATE ROLE \"${username}\" ${password_sql} ${login_sql} ${createrole_sql} ${createdb_sql} ${superuser_sql} ${replication_sql} CONNECTION LIMIT ${connection_limit}", - unless => "SELECT 1 FROM pg_roles WHERE rolname = '${username}'", - environment => $environment, - require => Class['Postgresql::Server'], - } + if $ensure == 'present' { + $login_sql = $login ? { true => 'LOGIN', default => 'NOLOGIN' } + $inherit_sql = $inherit ? { true => 'INHERIT', default => 'NOINHERIT' } + $createrole_sql = $createrole ? { true => 'CREATEROLE', default => 'NOCREATEROLE' } + $createdb_sql = $createdb ? { true => 'CREATEDB', default => 'NOCREATEDB' } + $superuser_sql = $superuser ? { true => 'SUPERUSER', default => 'NOSUPERUSER' } + $replication_sql = $replication ? { true => 'REPLICATION', default => '' } + if ($password_hash != false) { + $environment = "NEWPGPASSWD=${password_hash}" + $password_sql = "ENCRYPTED PASSWORD '\$NEWPGPASSWD'" + } else { + $password_sql = '' + $environment = [] + } - postgresql_psql {"ALTER ROLE \"${username}\" ${superuser_sql}": - unless => "SELECT 1 FROM pg_roles WHERE rolname = '${username}' AND rolsuper = ${superuser}", - } + postgresql_psql { "CREATE ROLE ${username} ENCRYPTED PASSWORD ****": + command => "CREATE ROLE \"${username}\" ${password_sql} ${login_sql} ${createrole_sql} ${createdb_sql} ${superuser_sql} ${replication_sql} CONNECTION LIMIT ${connection_limit}", + unless => "SELECT 1 FROM pg_roles WHERE rolname = '${username}'", + environment => $environment, + require => Class['Postgresql::Server'], + } - postgresql_psql {"ALTER ROLE \"${username}\" ${createdb_sql}": - unless => "SELECT 1 FROM pg_roles WHERE rolname = '${username}' AND rolcreatedb = ${createdb}", - } + postgresql_psql {"ALTER ROLE \"${username}\" ${superuser_sql}": + unless => "SELECT 1 FROM pg_roles WHERE rolname = '${username}' AND rolsuper = ${superuser}", + } 
- postgresql_psql {"ALTER ROLE \"${username}\" ${createrole_sql}": - unless => "SELECT 1 FROM pg_roles WHERE rolname = '${username}' AND rolcreaterole = ${createrole}", - } + postgresql_psql {"ALTER ROLE \"${username}\" ${createdb_sql}": + unless => "SELECT 1 FROM pg_roles WHERE rolname = '${username}' AND rolcreatedb = ${createdb}", + } - postgresql_psql {"ALTER ROLE \"${username}\" ${login_sql}": - unless => "SELECT 1 FROM pg_roles WHERE rolname = '${username}' AND rolcanlogin = ${login}", - } + postgresql_psql {"ALTER ROLE \"${username}\" ${createrole_sql}": + unless => "SELECT 1 FROM pg_roles WHERE rolname = '${username}' AND rolcreaterole = ${createrole}", + } - postgresql_psql {"ALTER ROLE \"${username}\" ${inherit_sql}": - unless => "SELECT 1 FROM pg_roles WHERE rolname = '${username}' AND rolinherit = ${inherit}", - } + postgresql_psql {"ALTER ROLE \"${username}\" ${login_sql}": + unless => "SELECT 1 FROM pg_roles WHERE rolname = '${username}' AND rolcanlogin = ${login}", + } - if(versioncmp($version, '9.1') >= 0) { - if $replication_sql == '' { - postgresql_psql {"ALTER ROLE \"${username}\" NOREPLICATION": - unless => "SELECT 1 FROM pg_roles WHERE rolname = '${username}' AND rolreplication = ${replication}", - } - } else { - postgresql_psql {"ALTER ROLE \"${username}\" ${replication_sql}": - unless => "SELECT 1 FROM pg_roles WHERE rolname = '${username}' AND rolreplication = ${replication}", + postgresql_psql {"ALTER ROLE \"${username}\" ${inherit_sql}": + unless => "SELECT 1 FROM pg_roles WHERE rolname = '${username}' AND rolinherit = ${inherit}", + } + + if(versioncmp($version, '9.1') >= 0) { + if $replication_sql == '' { + postgresql_psql {"ALTER ROLE \"${username}\" NOREPLICATION": + unless => "SELECT 1 FROM pg_roles WHERE rolname = '${username}' AND rolreplication = ${replication}", + } + } else { + postgresql_psql {"ALTER ROLE \"${username}\" ${replication_sql}": + unless => "SELECT 1 FROM pg_roles WHERE rolname = '${username}' AND rolreplication = 
${replication}", + } } } - } - postgresql_psql {"ALTER ROLE \"${username}\" CONNECTION LIMIT ${connection_limit}": - unless => "SELECT 1 FROM pg_roles WHERE rolname = '${username}' AND rolconnlimit = ${connection_limit}", - } + postgresql_psql {"ALTER ROLE \"${username}\" CONNECTION LIMIT ${connection_limit}": + unless => "SELECT 1 FROM pg_roles WHERE rolname = '${username}' AND rolconnlimit = ${connection_limit}", + } - if $password_hash and $update_password { - if($password_hash =~ /^md5.+/) { - $pwd_hash_sql = $password_hash - } else { - $pwd_md5 = md5("${password_hash}${username}") - $pwd_hash_sql = "md5${pwd_md5}" + if $password_hash and $update_password { + if($password_hash =~ /^md5.+/) { + $pwd_hash_sql = $password_hash + } else { + $pwd_md5 = md5("${password_hash}${username}") + $pwd_hash_sql = "md5${pwd_md5}" + } + postgresql_psql { "ALTER ROLE ${username} ENCRYPTED PASSWORD ****": + command => "ALTER ROLE \"${username}\" ${password_sql}", + unless => "SELECT 1 FROM pg_shadow WHERE usename = '${username}' AND passwd = '${pwd_hash_sql}'", + environment => $environment, + } } - postgresql_psql { "ALTER ROLE ${username} ENCRYPTED PASSWORD ****": - command => "ALTER ROLE \"${username}\" ${password_sql}", - unless => "SELECT 1 FROM pg_shadow WHERE usename = '${username}' AND passwd = '${pwd_hash_sql}'", - environment => $environment, + } else { + # ensure == absent + postgresql_psql { "DROP ROLE \"${username}\"": + onlyif => "SELECT 1 FROM pg_roles WHERE rolname = '${username}'", + require => Class['Postgresql::Server'], } } } diff --git a/spec/unit/defines/server/role_spec.rb b/spec/unit/defines/server/role_spec.rb index 1b061d0733..6da904d7b8 100644 --- a/spec/unit/defines/server/role_spec.rb +++ b/spec/unit/defines/server/role_spec.rb 
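Review bot: The new `absent` branch in `postgresql::server::role` runs a bare `DROP ROLE`, which PostgreSQL rejects whenever the role still owns objects or holds privileges on them, so the first run against any role that has created tables or been granted rights will raise a catalog failure instead of converging; neither the manifest nor the README text in this patch warns about that. At minimum add a comment above the resource such as `# DROP ROLE fails if the role still owns objects or holds grants; REASSIGN OWNED BY / DROP OWNED BY must be run in each database first` and mirror the caveat in the README `ensure` section. Note also that the `onlyif` query interpolates `${username}` between single quotes with no escaping, matching the existing `unless` queries in the present branch; since usernames come from the manifest author rather than runtime input this is low risk, but a name containing a quote would break both the guard and the double-quoted identifier in the command, so it is worth stating the accepted identifier set in the documentation. The enclosing `define` closes at the end of this hunk, but its header and parameter list are in the earlier hunks.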
@@ -149,4 +149,20 @@ end end + context 'with ensure set to absent' do + let :params do + { + :ensure => 'absent', + } + end + + let :pre_condition do + "class {'postgresql::server':}" + end + + it 'should have drop role for "test" user if ensure absent' do + is_expected.to contain_postgresql_psql('DROP ROLE "test"') + end + end + end
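Review bot: The new spec only asserts that a `DROP ROLE "test"` resource exists, so it would still pass if the `onlyif` guard were lost (turning the drop into an unconditional, failing command on every run) or if the `present` branch resources were also emitted. Tighten it to `is_expected.to contain_postgresql_psql('DROP ROLE "test"').with_onlyif("SELECT 1 FROM pg_roles WHERE rolname = 'test'")` and add `is_expected.not_to contain_postgresql_psql('CREATE ROLE test ENCRYPTED PASSWORD ****')` so the destructive path is pinned to its idempotency check and shown to be mutually exclusive with creation.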