require 'spec_helper_acceptance'

describe 'postgresql::server::grant:', unless: UNSUPPORTED_PLATFORMS.include?(fact('osfamily')) do
  let(:db) { 'grant_priv_test' }
  let(:owner) { 'psql_grant_priv_owner' }
  let(:user) { 'psql_grant_priv_tester' }
  let(:password) { 'psql_grant_role_pw' }
  let(:pp_install) { "class {'postgresql::server': }" }
  let(:pp_setup) do
    <<-MANIFEST.unindent
      $db = #{db}
      $owner = #{owner}
      $user = #{user}
      $password = #{password}

      class { 'postgresql::server': }

      postgresql::server::role { $owner:
        password_hash => postgresql_password($owner, $password),
      }

      # Since we are not testing pg_hba or any of that, make a local user for ident auth
      user { $owner:
        ensure => present,
      }

      postgresql::server::database { $db:
        owner   => $owner,
        require => Postgresql::Server::Role[$owner],
      }

      # Create a user to grant privileges to
      postgresql::server::role { $user:
        db      => $db,
        require => Postgresql::Server::Database[$db],
      }

      # Make a local user for ident auth
      user { $user:
        ensure => present,
      }

      # Grant them connect to the database
      postgresql::server::database_grant { "allow connect for ${user}":
        privilege => 'CONNECT',
        db        => $db,
        role      => $user,
      }
    MANIFEST
  end

  context 'LANGUAGE' do
    describe 'GRANT * ON LANGUAGE' do
      # testing grants on language requires a superuser
      let(:superuser) { 'postgres' }
      let(:pp_lang) do
        pp_setup + <<-MANIFEST.unindent
          postgresql_psql { 'make sure plpgsql exists':
            command   => 'CREATE LANGUAGE plpgsql',
            db        => $db,
            psql_user => '#{superuser}',
            unless    => "SELECT 1 from pg_language where lanname = 'plpgsql'",
            require   => Postgresql::Server::Database[$db],
          }

          postgresql::server::grant { 'grant usage on plpgsql':
            psql_user     => '#{superuser}',
            privilege     => 'USAGE',
            object_type   => 'LANGUAGE',
            object_name   => 'plpgsql',
            role          => $user,
            db            => $db,
            require       => [ Postgresql_psql['make sure plpgsql exists'],
                               Postgresql::Server::Role[$user], ]
        }
        MANIFEST
      end
      let(:pp_onlyif) do
        pp_setup + <<-MANIFEST.unindent
          postgresql::server::grant { 'grant usage on BSql':
            psql_user     => '#{superuser}',
            privilege     => 'USAGE',
            object_type   => 'LANGUAGE',
            object_name   => 'bsql',
            role          => $user,
            db            => $db,
            onlyif_exists => true,
        }
        MANIFEST
      end

      it 'is expected to run idempotently' do
        apply_manifest(pp_install)

        # postgres version
        result = shell('psql --version')
        version = result.stdout.match(%r{\s(\d{1,2}\.\d)})[1]

        if version >= '8.4.0'
          apply_manifest(pp_lang, catch_failures: true)
          apply_manifest(pp_lang, catch_changes: true)
        end
      end

      it 'is expected to GRANT USAGE ON LANGUAGE plpgsql to ROLE' do
        result = shell('psql --version')
        version = result.stdout.match(%r{\s(\d{1,2}\.\d)})[1]

        if version >= '8.4.0'
          ## Check that the privilege was granted to the user
          psql("-d #{db} --command=\"SELECT 1 WHERE has_language_privilege('#{user}', 'plpgsql', 'USAGE')\"", superuser) do |r|
            expect(r.stdout).to match(%r{\(1 row\)})
            expect(r.stderr).to eq('')
          end
        end
      end

      # test onlyif_exists function
      it 'is expected to not GRANT USAGE ON (dummy)LANGUAGE BSql to ROLE' do
        apply_manifest(pp_install)

        # postgres version
        result = shell('psql --version')
        version = result.stdout.match(%r{\s(\d{1,2}\.\d)})[1]

        if version >= '8.4.0'
          apply_manifest(pp_onlyif, catch_failures: true)
          apply_manifest(pp_onlyif, catch_changes: true)
        end
      end
    end
  end

  ### SEQUENCE grants
  context 'sequence' do
    let(:pp_one) do
      pp_setup + <<-MANIFEST.unindent
          postgresql_psql { 'create test sequence':
            command   => 'CREATE SEQUENCE test_seq',
            db        => $db,
            psql_user => $owner,
            unless    => "SELECT 1 FROM information_schema.sequences WHERE sequence_name = 'test_seq'",
            require   => Postgresql::Server::Database[$db],
          }

          postgresql::server::grant { 'grant usage on test_seq':
            privilege   => 'USAGE',
            object_type => 'SEQUENCE',
            object_name => 'test_seq',
            db          => $db,
            role        => $user,
            require     => [ Postgresql_psql['create test sequence'],
                             Postgresql::Server::Role[$user], ]
          }
      MANIFEST
    end
    let(:pp_two) do
      pp_setup + <<-MANIFEST.unindent
          postgresql_psql { 'create test sequence':
            command   => 'CREATE SEQUENCE test_seq',
            db        => $db,
            psql_user => $owner,
            unless    => "SELECT 1 FROM information_schema.sequences WHERE sequence_name = 'test_seq'",
            require   => Postgresql::Server::Database[$db],
          }

          postgresql::server::grant { 'grant update on test_seq':
            privilege   => 'UPDATE',
            object_type => 'SEQUENCE',
            object_name => 'test_seq',
            db          => $db,
            role        => $user,
            require     => [ Postgresql_psql['create test sequence'],
                             Postgresql::Server::Role[$user], ]
          }
      MANIFEST
    end
    let(:result) do
      shell('psql --version')
    end
    let(:version) do
      result.stdout.match(%r{\s(\d{1,2}\.\d)})[1]
    end

    before(:each) do
      apply_manifest(pp_install, catch_failures: true)
    end

    it 'grants usage on a sequence to a user' do
      begin
        if version >= '9.0'
          apply_manifest(pp_one, catch_failures: true)
          apply_manifest(pp_one, catch_changes: true)

          ## Check that the privilege was granted to the user
          psql("-d #{db} --command=\"SELECT 1 WHERE has_sequence_privilege('#{user}', 'test_seq', 'USAGE')\"", user) do |r|
            expect(r.stdout).to match(%r{\(1 row\)})
            expect(r.stderr).to eq('')
          end
        end
      end
    end

    it 'grants update on a sequence to a user' do
      begin
        if version >= '9.0'
          apply_manifest(pp_two, catch_failures: true)
          apply_manifest(pp_two, catch_changes: true)

          ## Check that the privilege was granted to the user
          psql("-d #{db} --command=\"SELECT 1 WHERE has_sequence_privilege('#{user}', 'test_seq', 'UPDATE')\"", user) do |r|
            expect(r.stdout).to match(%r{\(1 row\)})
            expect(r.stderr).to eq('')
          end
        end
      end
    end
  end

  context 'all sequences' do
    let(:pp_one) do
      pp_setup + <<-MANIFEST.unindent

          postgresql_psql { 'create test sequences':
            command   => 'CREATE SEQUENCE test_seq2; CREATE SEQUENCE test_seq3;',
            db        => $db,
            psql_user => $owner,
            unless    => "SELECT 1 FROM information_schema.sequences WHERE sequence_name = 'test_seq2'",
            require   => Postgresql::Server::Database[$db],
          }

          postgresql::server::grant { 'grant usage on all sequences':
            privilege   => 'USAGE',
            object_type => 'ALL SEQUENCES IN SCHEMA',
            object_name => 'public',
            db          => $db,
            role        => $user,
            require     => [ Postgresql_psql['create test sequences'],
                             Postgresql::Server::Role[$user], ]
          }
      MANIFEST
    end
    let(:pp_two) do
      pp_setup + <<-MANIFEST.unindent

          postgresql_psql { 'create test sequences':
            command   => 'CREATE SEQUENCE test_seq2; CREATE SEQUENCE test_seq3;',
            db        => $db,
            psql_user => $owner,
            unless    => "SELECT 1 FROM information_schema.sequences WHERE sequence_name = 'test_seq2'",
            require   => Postgresql::Server::Database[$db],
          }

          postgresql::server::grant { 'grant usage on all sequences':
            privilege   => 'UPDATE',
            object_type => 'ALL SEQUENCES IN SCHEMA',
            object_name => 'public',
            db          => $db,
            role        => $user,
            require     => [ Postgresql_psql['create test sequences'],
                             Postgresql::Server::Role[$user], ]
          }
      MANIFEST
    end
    let(:result) do
      shell('psql --version')
    end
    let(:version) do
      result.stdout.match(%r{\s(\d{1,2}\.\d)})[1]
    end

    before(:each) do
      apply_manifest(pp_install, catch_failures: true)
    end

    it 'grants usage on all sequences to a user' do
      begin
        if version >= '9.0'
          apply_manifest(pp_one, catch_failures: true)
          apply_manifest(pp_one, catch_changes: true)

          ## Check that the privileges were granted to the user, this check is not available on version < 9.0
          psql("-d #{db} --command=\"SELECT 1 WHERE has_sequence_privilege('#{user}', 'test_seq2', 'USAGE') AND has_sequence_privilege('#{user}', 'test_seq3', 'USAGE')\"", user) do |r|
            expect(r.stdout).to match(%r{\(1 row\)})
            expect(r.stderr).to eq('')
          end
        end
      end
    end

    it 'grants update on all sequences to a user' do
      begin
        if version >= '9.0'
          apply_manifest(pp_two, catch_failures: true)
          apply_manifest(pp_two, catch_changes: true)

          ## Check that the privileges were granted to the user
          psql("-d #{db} --command=\"SELECT 1 WHERE has_sequence_privilege('#{user}', 'test_seq2', 'UPDATE') AND has_sequence_privilege('#{user}', 'test_seq3', 'UPDATE')\"", user) do |r|
            expect(r.stdout).to match(%r{\(1 row\)})
            expect(r.stderr).to eq('')
          end
        end
      end
    end
  end
  ### TABLE grants
  context 'table' do
    describe 'GRANT ... ON TABLE' do
      let(:pp_create_table) do
        pp_setup + <<-EOS.unindent
          postgresql_psql { 'create test table':
            command   => 'CREATE TABLE test_tbl (col1 integer)',
            db        => $db,
            psql_user => $owner,
            unless    => "SELECT table_name FROM information_schema.tables WHERE table_name = 'test_tbl'",
            require   => Postgresql::Server::Database[$db],
          }
        EOS
      end

      it 'grant select on a table to a user' do
        begin
          pp = pp_create_table + <<-EOS.unindent

            postgresql::server::grant { 'grant select on test_tbl':
              privilege   => 'SELECT',
              object_type => 'TABLE',
              object_name => 'test_tbl',
              db          => $db,
              role        => $user,
              require     => [ Postgresql_psql['create test table'],
                               Postgresql::Server::Role[$user], ]
            }
          EOS

          pp_revoke = pp_create_table + <<-EOS.unindent

            postgresql::server::grant { 'revoke select on test_tbl':
              ensure      => absent,
              privilege   => 'SELECT',
              object_type => 'TABLE',
              object_name => 'test_tbl',
              db          => $db,
              role        => $user,
              require     => [ Postgresql_psql['create test table'],
                               Postgresql::Server::Role[$user], ]
            }
          EOS

          apply_manifest(pp_install, catch_failures: true)

          # postgres version
          result = shell('psql --version')
          version = result.stdout.match(%r{\s(\d{1,2}\.\d)})[1]

          if version >= '9.0'
            apply_manifest(pp, catch_failures: true)
            apply_manifest(pp, catch_changes: true)

            ## Check that the privilege was granted to the user
            psql("-d #{db} --tuples-only --command=\"SELECT * FROM has_table_privilege('#{user}', 'test_tbl', 'SELECT')\"", user) do |r|
              expect(r.stdout).to match(%r{t})
              expect(r.stderr).to eq('')
            end

            apply_manifest(pp_revoke, catch_failures: true)
            apply_manifest(pp_revoke, catch_changes: true)

            ## Check that the privilege was revoked from the user
            psql("-d #{db} --tuples-only --command=\"SELECT * FROM has_table_privilege('#{user}', 'test_tbl', 'SELECT')\"", user) do |r|
              expect(r.stdout).to match(%r{f})
              expect(r.stderr).to eq('')
            end
          end
        end
      end

      it 'grant update on all tables to a user' do
        begin
          pp = pp_create_table + <<-EOS.unindent

            postgresql::server::grant { 'grant update on all tables':
              privilege   => 'UPDATE',
              object_type => 'ALL TABLES IN SCHEMA',
              object_name => 'public',
              db          => $db,
              role        => $user,
              require     => [ Postgresql_psql['create test table'],
                               Postgresql::Server::Role[$user], ]
            }
          EOS

          pp_revoke = pp_create_table + <<-EOS.unindent

            postgresql::server::grant { 'revoke update on all tables':
              ensure      => absent,
              privilege   => 'UPDATE',
              object_type => 'ALL TABLES IN SCHEMA',
              object_name => 'public',
              db          => $db,
              role        => $user,
              require     => [ Postgresql_psql['create test table'],
                               Postgresql::Server::Role[$user], ]
            }
          EOS

          apply_manifest(pp_install, catch_failures: true)

          # postgres version
          result = shell('psql --version')
          version = result.stdout.match(%r{\s(\d{1,2}\.\d)})[1]

          if version >= '9.0'
            apply_manifest(pp, catch_failures: true)
            apply_manifest(pp, catch_changes: true)

            ## Check that all privileges were granted to the user
            psql("-d #{db} --command=\"SELECT table_name,privilege_type FROM information_schema.role_table_grants
                  WHERE grantee = '#{user}' AND table_schema = 'public'\"", user) do |r|
              expect(r.stdout).to match(%r{test_tbl[ |]*UPDATE\s*\(1 row\)})
              expect(r.stderr).to eq('')
            end

            apply_manifest(pp_revoke, catch_failures: true)
            apply_manifest(pp_revoke, catch_changes: true)

            ## Check that all privileges were revoked from the user
            psql("-d #{db} --command=\"SELECT table_name,privilege_type FROM information_schema.role_table_grants
                  WHERE grantee = '#{user}' AND table_schema = 'public'\"", user) do |r|
              expect(r.stdout).to match(%r{\(0 rows\)})
              expect(r.stderr).to eq('')
            end
          end
        end
      end

      it 'grant insert on single table test' do
        begin
          # postgres version
          result = shell('psql --version')
          version = result.stdout.match(%r{\s(\d{1,2}\.\d)})[1]

          if version >= '9.0'
            pp = pp_create_table + <<-EOS.unindent
            postgresql::server::table_grant { 'INSERT priviledge to table':
              privilege => 'INSERT',
              table     => 'test_tbl',
              db        => $db,
              role      => $user,
              }
            EOS
            result = apply_manifest(pp, catch_failures: true)
            expect(result.stdout).to match(%r{GRANT INSERT ON TABLE \"test_tbl\" TO \"psql_grant_priv_tester\"})

            ## Check that the privilege was granted to the user
            psql("-d #{db} --tuples-only --command=\"SELECT * FROM has_table_privilege('#{user}', 'test_tbl', 'INSERT')\"", user) do |r|
              expect(r.stdout).to match(%r{t})
            end
          end
        end
      end

      it 'grant all on all tables to a user' do
        begin
          pp = pp_create_table + <<-EOS.unindent

            postgresql::server::grant { 'grant all on all tables':
              privilege   => 'ALL',
              object_type => 'ALL TABLES IN SCHEMA',
              object_name => 'public',
              db          => $db,
              role        => $user,
              require     => [ Postgresql_psql['create test table'],
                               Postgresql::Server::Role[$user], ]
            }
          EOS

          pp_revoke = pp_create_table + <<-EOS.unindent

            postgresql::server::grant { 'revoke all on all tables':
              ensure      => absent,
              privilege   => 'ALL',
              object_type => 'ALL TABLES IN SCHEMA',
              object_name => 'public',
              db          => $db,
              role        => $user,
              require     => [ Postgresql_psql['create test table'],
                               Postgresql::Server::Role[$user], ]
            }
          EOS

          apply_manifest(pp_install, catch_failures: true)

          # postgres version
          result = shell('psql --version')
          version = result.stdout.match(%r{\s(\d{1,2}\.\d)})[1]

          if version >= '9.0'
            apply_manifest(pp, catch_failures: true)
            apply_manifest(pp, catch_changes: true)

            ## Check that all privileges were granted to the user
            psql("-d #{db} --tuples-only --command=\"SELECT table_name,count(privilege_type) FROM information_schema.role_table_grants
                  WHERE grantee = '#{user}' AND table_schema = 'public'
                  AND privilege_type IN ('SELECT','UPDATE','INSERT','DELETE','TRIGGER','REFERENCES','TRUNCATE')
                  GROUP BY table_name\"", user) do |r|
              expect(r.stdout).to match(%r{test_tbl[ |]*7$})
              expect(r.stderr).to eq('')
            end

            apply_manifest(pp_revoke, catch_failures: true)
            apply_manifest(pp_revoke, catch_changes: true)

            ## Check that all privileges were revoked from the user
            psql("-d #{db} --command=\"SELECT table_name FROM information_schema.role_table_grants
                  WHERE grantee = '#{user}' AND table_schema = 'public'\"", user) do |r|
              expect(r.stdout).to match(%r{\(0 rows\)})
              expect(r.stderr).to eq('')
            end
          end
        end
      end
    end
  end
  context 'database' do
    describe 'REVOKE ... ON DATABASE...' do
      it 'do not fail on revoke connect from non-existant user' do
        begin
          # Test fail's on postgresql versions earlier than 9.1.24
          # postgres version
          result = shell('psql --version')
          version = result.stdout.match(%r{\s(\d{1,2}\.\d)})[1]

          if version >= '9.1.24'
            apply_manifest(pp_setup, catch_failures: true)
            pp = pp_setup + <<-EOS.unindent
              postgresql::server::grant { 'revoke connect on db from norole':
                ensure      => absent,
                privilege   => 'CONNECT',
                object_type => 'DATABASE',
                db          => '#{db}',
                role        => '#{user}_does_not_exist',
              }
            EOS
            apply_manifest(pp, catch_changes: true)
            apply_manifest(pp, catch_failures: true)
          end
        end
      end
    end
  end
  #####################
end
