
postgresql::server::grant use SELECT 1 WHERE NOT EXISTS in preference…
… to HAVING count(*)=0
George Hansper committed Jun 28, 2017
1 parent 89ad955 commit 92f4842
Showing 2 changed files with 13 additions and 15 deletions.
26 changes: 12 additions & 14 deletions manifests/server/grant.pp
Expand Up @@ -139,7 +139,7 @@
# the role does not have the specified privilege, making it necessary to
# execute the GRANT statement.
if $ensure == 'present' {
$custom_unless = "SELECT 1 FROM (
$custom_unless = "SELECT 1 WHERE NOT EXISTS (
SELECT sequence_name
FROM information_schema.sequences
WHERE sequence_schema='${schema}'
Expand Down Expand Up @@ -174,11 +174,10 @@
WHERE grantee='${role}'
AND object_schema='${schema}'
AND privilege_type='${custom_privilege}'
) P
HAVING count(P.sequence_name) = 0"
)"
} else {
# ensure == absent
$custom_unless = "SELECT 1 FROM (
$custom_unless = "SELECT 1 WHERE NOT EXISTS (
SELECT object_name as sequence_name
FROM (
SELECT object_schema,
Expand Down Expand Up @@ -209,8 +208,7 @@
WHERE grantee='${role}'
AND object_schema='${schema}'
AND privilege_type='${custom_privilege}'
) P
HAVING count(P.sequence_name) = 0"
)"
}
}
'TABLE': {
Expand Down Expand Up @@ -251,7 +249,7 @@
if $ensure == 'present' {
if $_privilege == 'ALL' or $_privilege == 'ALL PRIVILEGES' {
# GRANT ALL
$custom_unless = "SELECT 1 FROM
$custom_unless = "SELECT 1 WHERE NOT EXISTS
( SELECT 1 FROM pg_catalog.pg_tables AS t,
(VALUES ('SELECT'), ('UPDATE'), ('INSERT'), ('DELETE'), ('TRIGGER'), ('REFERENCES'), ('TRUNCATE')) AS p(privilege_type)
WHERE t.schemaname = '${schema}'
Expand All @@ -261,11 +259,11 @@
AND g.table_schema = '${schema}'
AND g.privilege_type = p.privilege_type
)
) AS privs_missing HAVING privs_missing.count=0"
)"

} else {
# GRANT $_privilege
$custom_unless = "SELECT 1 FROM
$custom_unless = "SELECT 1 WHERE NOT EXISTS
( SELECT 1 FROM pg_catalog.pg_tables AS t
WHERE t.schemaname = '${schema}'
AND NOT EXISTS (
Expand All @@ -274,22 +272,22 @@
AND g.table_schema = '${schema}'
AND g.privilege_type = '${_privilege}'
)
) AS tbls HAVING tbls.count=0"
)"
}
} else {
if $_privilege == 'ALL' or $_privilege == 'ALL PRIVILEGES' {
# REVOKE ALL
$custom_unless = "SELECT 1 FROM
$custom_unless = "SELECT 1 WHERE NOT EXISTS
( SELECT table_name FROM information_schema.role_table_grants
WHERE grantee = '${role}' AND table_schema ='${schema}'
) AS tbls HAVING tbls.count=0"
)"
} else {
# REVOKE $_privilege
$custom_unless = "SELECT 1 FROM
$custom_unless = "SELECT 1 WHERE NOT EXISTS
( SELECT table_name FROM information_schema.role_table_grants
WHERE grantee = '${role}' AND table_schema ='${schema}'
AND privilege_type = '${_privilege}'
) AS tbls HAVING tbls.count=0"
)"
}
}

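Review bot: The rewritten `unless` queries still interpolate `${schema}`, `${role}`, `${custom_privilege}` and `${_privilege}` directly into single-quoted SQL literals on the `WHERE`/`AND` lines of every hunk in this file, so a value containing a single quote breaks the query instead of being compared; the `SELECT 1 WHERE NOT EXISTS` form is equivalent to the old `HAVING count(...) = 0` form and simpler, but it inherits this. How postgresql_psql treats an erroring `unless` query is not visible here, and the define's parameter handling starts above the first hunk, so if these values are not already validated there, consider escaping them once near the top of the define, e.g. `$_safe_schema = regsubst($schema, "'", "''", 'G')`, and referencing `'${_safe_schema}'` in the queries, or restricting them with a pattern match so a malformed name fails at catalog compilation rather than at psql time. A one-line comment above the first `$custom_unless` such as `# unless returns a row (skipping the GRANT) only when no object in the schema lacks the privilege` would also make the NOT EXISTS idiom clearer to the next reader; the same applies to the other hunks in this section.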
2 changes: 1 addition & 1 deletion spec/unit/defines/server/grant_spec.rb
Expand Up @@ -74,7 +74,7 @@
it { is_expected.to contain_postgresql_psql('grant:test').with(
{
'command' => /GRANT USAGE ON ALL SEQUENCES IN SCHEMA "public" TO\s* "test"/m,
'unless' => /SELECT 1 FROM \(\s*SELECT sequence_name\s* FROM information_schema\.sequences\s* WHERE sequence_schema='public'\s* EXCEPT DISTINCT\s* SELECT object_name as sequence_name\s* FROM .* WHERE .*grantee='test'\s* AND object_schema='public'\s* AND privilege_type='USAGE'\s*\) P\s* HAVING count\(P\.sequence_name\) = 0/m,
'unless' => /SELECT 1 WHERE NOT EXISTS \(\s*SELECT sequence_name\s* FROM information_schema\.sequences\s* WHERE sequence_schema='public'\s* EXCEPT DISTINCT\s* SELECT object_name as sequence_name\s* FROM .* WHERE .*grantee='test'\s* AND object_schema='public'\s* AND privilege_type='USAGE'\s*\)/m,
}
) }
end
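Review bot: Only the SEQUENCE/USAGE `present` branch of the rewritten `unless` is asserted by the regex here; the other five queries changed in manifests/server/grant.pp (sequence `absent`, and the four TABLE present/absent, ALL/single-privilege branches) have no matching expectation, so a regression in any of them would still pass this spec. Adding one `contain_postgresql_psql(...).with('unless' => /SELECT 1 WHERE NOT EXISTS \(/m)` expectation per branch, in the same style as this example, would close that gap. The enclosing `describe` context starts above the hunk, so the existing fixtures for those branches may or may not already exist.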
