From 92f48427158b36376b71d0dd2ee3d8c65a714950 Mon Sep 17 00:00:00 2001 From: George Hansper Date: Wed, 28 Jun 2017 14:10:17 +1000 Subject: [PATCH] postgresql::server::grant use SELECT 1 WHERE NOT EXISTS in preference to HAVING count(*)=0 --- manifests/server/grant.pp | 26 ++++++++++++-------------- spec/unit/defines/server/grant_spec.rb | 2 +- 2 files changed, 13 insertions(+), 15 deletions(-) diff --git a/manifests/server/grant.pp b/manifests/server/grant.pp index 66941d83bb..97899c6a86 100644 --- a/manifests/server/grant.pp +++ b/manifests/server/grant.pp @@ -139,7 +139,7 @@ # the role does not have the specified privilege, making it necessary to # execute the GRANT statement. if $ensure == 'present' { - $custom_unless = "SELECT 1 FROM ( + $custom_unless = "SELECT 1 WHERE NOT EXISTS ( SELECT sequence_name FROM information_schema.sequences WHERE sequence_schema='${schema}' @@ -174,11 +174,10 @@ WHERE grantee='${role}' AND object_schema='${schema}' AND privilege_type='${custom_privilege}' - ) P - HAVING count(P.sequence_name) = 0" + )" } else { # ensure == absent - $custom_unless = "SELECT 1 FROM ( + $custom_unless = "SELECT 1 WHERE NOT EXISTS ( SELECT object_name as sequence_name FROM ( SELECT object_schema, @@ -209,8 +208,7 @@ WHERE grantee='${role}' AND object_schema='${schema}' AND privilege_type='${custom_privilege}' - ) P - HAVING count(P.sequence_name) = 0" + )" } } 'TABLE': { @@ -251,7 +249,7 @@ if $ensure == 'present' { if $_privilege == 'ALL' or $_privilege == 'ALL PRIVILEGES' { # GRANT ALL - $custom_unless = "SELECT 1 FROM + $custom_unless = "SELECT 1 WHERE NOT EXISTS ( SELECT 1 FROM pg_catalog.pg_tables AS t, (VALUES ('SELECT'), ('UPDATE'), ('INSERT'), ('DELETE'), ('TRIGGER'), ('REFERENCES'), ('TRUNCATE')) AS p(privilege_type) WHERE t.schemaname = '${schema}' 
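Review bot: The rewritten `unless` queries still splice `${schema}`, `${role}` and `${custom_privilege}` straight into single-quoted SQL literals (`WHERE sequence_schema='${schema}'` in this hunk, and the `grantee='${role}'` / `privilege_type=` lines in the hunks at -174, -209, -261 and -274). A value containing a single quote would end the literal early and change or invalidate the check. Whether these parameters are validated earlier in the define is not visible here, because the enclosing `case` block starts and ends outside the hunks. If they are not, double the quotes before interpolating, for example `$schema_sql = regsubst($schema, "'", "''", 'G')`, and use the escaped variables inside the query strings.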
@@ -261,11 +259,11 @@ AND g.table_schema = '${schema}' AND g.privilege_type = p.privilege_type ) - ) AS privs_missing HAVING privs_missing.count=0" + )" } else { # GRANT $_privilege - $custom_unless = "SELECT 1 FROM + $custom_unless = "SELECT 1 WHERE NOT EXISTS ( SELECT 1 FROM pg_catalog.pg_tables AS t WHERE t.schemaname = '${schema}' AND NOT EXISTS ( @@ -274,22 +272,22 @@ AND g.table_schema = '${schema}' AND g.privilege_type = '${_privilege}' ) - ) AS tbls HAVING tbls.count=0" + )" } } else { if $_privilege == 'ALL' or $_privilege == 'ALL PRIVILEGES' { # REVOKE ALL - $custom_unless = "SELECT 1 FROM + $custom_unless = "SELECT 1 WHERE NOT EXISTS ( SELECT table_name FROM information_schema.role_table_grants WHERE grantee = '${role}' AND table_schema ='${schema}' - ) AS tbls HAVING tbls.count=0" + )" } else { # REVOKE $_privilege - $custom_unless = "SELECT 1 FROM + $custom_unless = "SELECT 1 WHERE NOT EXISTS ( SELECT table_name FROM information_schema.role_table_grants WHERE grantee = '${role}' AND table_schema ='${schema}' AND privilege_type = '${_privilege}' - ) AS tbls HAVING tbls.count=0" + )" } } diff --git a/spec/unit/defines/server/grant_spec.rb b/spec/unit/defines/server/grant_spec.rb index 23460b5bf7..a061e1d323 100644 --- a/spec/unit/defines/server/grant_spec.rb +++ b/spec/unit/defines/server/grant_spec.rb 
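Review bot: The `# GRANT $_privilege` query is now a `NOT EXISTS` wrapped around a subquery that itself filters on `AND NOT EXISTS (`, and nothing beside it says which outcome suppresses the GRANT. A short comment above the assignment would help, such as `# Returns a row (GRANT is skipped) only when no table in the schema is missing the privilege`. The same comment fits the `# GRANT ALL` branch, whose query starts in the previous hunk and closes at the top of this one.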
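Review bot: Both REVOKE branches decide whether to run from `information_schema.role_table_grants`, and that view only lists grants whose grantor or grantee is a role enabled for the connecting user. If the resource is run as a non-superuser that is not a member of `${role}`, the `NOT EXISTS` check could find no rows and skip the REVOKE while the privilege is still in place. Which user runs the query is not visible in this hunk, so at minimum document the assumption with a comment such as `# role_table_grants hides grants of roles the connecting user is not a member of; run as a superuser`.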
@@ -74,7 +74,7 @@ it { is_expected.to contain_postgresql_psql('grant:test').with( { 'command' => /GRANT USAGE ON ALL SEQUENCES IN SCHEMA "public" TO\s* "test"/m, - 'unless' => /SELECT 1 FROM \(\s*SELECT sequence_name\s* FROM information_schema\.sequences\s* WHERE sequence_schema='public'\s* EXCEPT DISTINCT\s* SELECT object_name as sequence_name\s* FROM .* WHERE .*grantee='test'\s* AND object_schema='public'\s* AND privilege_type='USAGE'\s*\) P\s* HAVING count\(P\.sequence_name\) = 0/m, + 'unless' => /SELECT 1 WHERE NOT EXISTS \(\s*SELECT sequence_name\s* FROM information_schema\.sequences\s* WHERE sequence_schema='public'\s* EXCEPT DISTINCT\s* SELECT object_name as sequence_name\s* FROM .* WHERE .*grantee='test'\s* AND object_schema='public'\s* AND privilege_type='USAGE'\s*\)/m, } ) } end
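Review bot: The updated expectation ends at `\s*\)/m` with no end anchor, so text left after the closing parenthesis (for instance a stray `P HAVING ...` tail) would still match. Ending the pattern with `\s*\)\z/m` would pin it, assuming the manifest passes the string to `unless` unchanged. Only the sequence `present` query is checked here, and the diffstat shows a single changed line in the spec, so the rewritten `absent` and TABLE queries appear to have no expectation covering them. The rest of the spec file is outside the hunk, so that is worth confirming before merge.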