diff --git a/manifests/server/role.pp b/manifests/server/role.pp index b7f2be8..c4a8f10 100644 --- a/manifests/server/role.pp +++ b/manifests/server/role.pp @@ -1,124 +1,124 @@ # Define for creating a database role. See README.md for more information define postgresql::server::role( $password_hash = false, $createdb = false, $createrole = false, $db = $postgresql::server::default_database, $port = undef, $login = true, $inherit = true, $superuser = false, $replication = false, $connection_limit = '-1', $username = $title, $connect_settings = $postgresql::server::default_connect_settings, ) { $psql_user = $postgresql::server::user $psql_group = $postgresql::server::group $psql_path = $postgresql::server::psql_path $module_workdir = $postgresql::server::module_workdir # # Port, order of precedence: $port parameter, $connect_settings[PGPORT], $postgresql::server::port # if $port != undef { $port_override = $port } elsif $connect_settings != undef and has_key( $connect_settings, 'PGPORT') { $port_override = undef } else { $port_override = $postgresql::server::port } # If possible use the version of the remote database, otherwise # fallback to our local DB version if $connect_settings != undef and has_key( $connect_settings, 'DBVERSION') { $version = $connect_settings['DBVERSION'] } else { $version = $postgresql::server::_version } $login_sql = $login ? { true => 'LOGIN', default => 'NOLOGIN' } $inherit_sql = $inherit ? { true => 'INHERIT', default => 'NOINHERIT' } $createrole_sql = $createrole ? { true => 'CREATEROLE', default => 'NOCREATEROLE' } $createdb_sql = $createdb ? { true => 'CREATEDB', default => 'NOCREATEDB' } $superuser_sql = $superuser ? { true => 'SUPERUSER', default => 'NOSUPERUSER' } $replication_sql = $replication ? { true => 'REPLICATION', default => '' } if ($password_hash != false) { $environment = "NEWPGPASSWD=${password_hash}" $password_sql = "ENCRYPTED PASSWORD '\$NEWPGPASSWD'" } else { $password_sql = '' $environment = [] } Postgresql_psql { db => $db, port => $port_override, psql_user => $psql_user, psql_group => $psql_group, psql_path => $psql_path, connect_settings => $connect_settings, cwd => $module_workdir, require => [ Postgresql_psql["CREATE ROLE ${username} ENCRYPTED PASSWORD ****"], Class['postgresql::server'], ], } postgresql_psql { "CREATE ROLE ${username} ENCRYPTED PASSWORD ****": command => "CREATE ROLE \"${username}\" ${password_sql} ${login_sql} ${createrole_sql} ${createdb_sql} ${superuser_sql} ${replication_sql} CONNECTION LIMIT ${connection_limit}", - unless => "SELECT rolname FROM pg_roles WHERE rolname='${username}'", + unless => "SELECT 1 FROM pg_roles WHERE rolname = '${username}'", environment => $environment, require => Class['Postgresql::Server'], } postgresql_psql {"ALTER ROLE \"${username}\" ${superuser_sql}": - unless => "SELECT rolname FROM pg_roles WHERE rolname='${username}' and rolsuper=${superuser}", + unless => "SELECT 1 FROM pg_roles WHERE rolname = '${username}' AND rolsuper = ${superuser}", } postgresql_psql {"ALTER ROLE \"${username}\" ${createdb_sql}": - unless => "SELECT rolname FROM pg_roles WHERE rolname='${username}' and rolcreatedb=${createdb}", + unless => "SELECT 1 FROM pg_roles WHERE rolname = '${username}' AND rolcreatedb = ${createdb}", } postgresql_psql {"ALTER ROLE \"${username}\" ${createrole_sql}": - unless => "SELECT rolname FROM pg_roles WHERE rolname='${username}' and rolcreaterole=${createrole}", + unless => "SELECT 1 FROM pg_roles WHERE rolname = '${username}' AND rolcreaterole = ${createrole}", } postgresql_psql {"ALTER ROLE \"${username}\" ${login_sql}": - unless => "SELECT rolname FROM pg_roles WHERE rolname='${username}' and rolcanlogin=${login}", + unless => "SELECT 1 FROM pg_roles WHERE rolname = '${username}' AND rolcanlogin = ${login}", } postgresql_psql {"ALTER ROLE \"${username}\" ${inherit_sql}": - unless => "SELECT rolname FROM pg_roles WHERE rolname='${username}' and rolinherit=${inherit}", + unless => "SELECT 1 FROM pg_roles WHERE rolname = '${username}' AND rolinherit = ${inherit}", } if(versioncmp($version, '9.1') >= 0) { if $replication_sql == '' { postgresql_psql {"ALTER ROLE \"${username}\" NOREPLICATION": - unless => "SELECT rolname FROM pg_roles WHERE rolname='${username}' and rolreplication=${replication}", + unless => "SELECT 1 FROM pg_roles WHERE rolname = '${username}' AND rolreplication = ${replication}", } } else { postgresql_psql {"ALTER ROLE \"${username}\" ${replication_sql}": - unless => "SELECT rolname FROM pg_roles WHERE rolname='${username}' and rolreplication=${replication}", + unless => "SELECT 1 FROM pg_roles WHERE rolname = '${username}' AND rolreplication = ${replication}", } } } postgresql_psql {"ALTER ROLE \"${username}\" CONNECTION LIMIT ${connection_limit}": - unless => "SELECT rolname FROM pg_roles WHERE rolname='${username}' and rolconnlimit=${connection_limit}", + unless => "SELECT 1 FROM pg_roles WHERE rolname = '${username}' AND rolconnlimit = ${connection_limit}", } if $password_hash { if($password_hash =~ /^md5.+/) { $pwd_hash_sql = $password_hash } else { $pwd_md5 = md5("${password_hash}${username}") $pwd_hash_sql = "md5${pwd_md5}" } postgresql_psql { "ALTER ROLE ${username} ENCRYPTED PASSWORD ****": command => "ALTER ROLE \"${username}\" ${password_sql}", - unless => "SELECT usename FROM pg_shadow WHERE usename='${username}' and passwd='${pwd_hash_sql}'", + unless => "SELECT 1 FROM pg_shadow WHERE usename = '${username}' AND passwd = '${pwd_hash_sql}'", environment => $environment, } } } diff --git a/spec/unit/defines/server/role_spec.rb b/spec/unit/defines/server/role_spec.rb index 88833a1..5c608cf 100644 --- a/spec/unit/defines/server/role_spec.rb +++ b/spec/unit/defines/server/role_spec.rb @@ -1,135 +1,135 @@ require 'spec_helper' describe 'postgresql::server::role', :type => :define do let :facts do { :osfamily => 'Debian', :operatingsystem => 'Debian', :operatingsystemrelease => '6.0', :kernel => 'Linux', :concat_basedir => tmpfilename('contrib'), :id => 'root', :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', } end let :title do 'test' end let :params do { :password_hash => 'new-pa$s', } end let :pre_condition do "class {'postgresql::server':}" end it { is_expected.to contain_postgresql__server__role('test') } it 'should have create role for "test" user with password as ****' do is_expected.to contain_postgresql_psql('CREATE ROLE test ENCRYPTED PASSWORD ****').with({ 'command' => "CREATE ROLE \"test\" ENCRYPTED PASSWORD '$NEWPGPASSWD' LOGIN NOCREATEROLE NOCREATEDB NOSUPERUSER CONNECTION LIMIT -1", 'environment' => "NEWPGPASSWD=new-pa$s", - 'unless' => "SELECT rolname FROM pg_roles WHERE rolname='test'", + 'unless' => "SELECT 1 FROM pg_roles WHERE rolname = 'test'", 'port' => "5432", }) end it 'should have alter role for "test" user with password as ****' do is_expected.to contain_postgresql_psql('ALTER ROLE test ENCRYPTED PASSWORD ****').with({ 'command' => "ALTER ROLE \"test\" ENCRYPTED PASSWORD '$NEWPGPASSWD'", 'environment' => "NEWPGPASSWD=new-pa$s", - 'unless' => "SELECT usename FROM pg_shadow WHERE usename='test' and passwd='md5b6f7fcbbabb4befde4588a26c1cfd2fa'", + 'unless' => "SELECT 1 FROM pg_shadow WHERE usename = 'test' AND passwd = 'md5b6f7fcbbabb4befde4588a26c1cfd2fa'", 'port' => "5432", }) end context "with specific db connection settings - default port" do let :params do { :password_hash => 'new-pa$s', :connect_settings => { 'PGHOST' => 'postgres-db-server', 'DBVERSION' => '9.1', 'PGUSER' => 'login-user', 'PGPASSWORD' => 'login-pass' }, } end let :pre_condition do "class {'postgresql::server':}" end it { is_expected.to contain_postgresql__server__role('test') } it 'should have create role for "test" user with password as ****' do is_expected.to contain_postgresql_psql('CREATE ROLE test ENCRYPTED PASSWORD ****').with({ 'command' => "CREATE ROLE \"test\" ENCRYPTED PASSWORD '$NEWPGPASSWD' LOGIN NOCREATEROLE NOCREATEDB NOSUPERUSER CONNECTION LIMIT -1", 'environment' => "NEWPGPASSWD=new-pa$s", - 'unless' => "SELECT rolname FROM pg_roles WHERE rolname='test'", + 'unless' => "SELECT 1 FROM pg_roles WHERE rolname = 'test'", 'port' => "5432", 'connect_settings' => { 'PGHOST' => 'postgres-db-server', 'DBVERSION' => '9.1', 'PGUSER' => 'login-user', 'PGPASSWORD' => 'login-pass' }, }) end it 'should have alter role for "test" user with password as ****' do is_expected.to contain_postgresql_psql('ALTER ROLE test ENCRYPTED PASSWORD ****').with({ 'command' => "ALTER ROLE \"test\" ENCRYPTED PASSWORD '$NEWPGPASSWD'", 'environment' => "NEWPGPASSWD=new-pa$s", - 'unless' => "SELECT usename FROM pg_shadow WHERE usename='test' and passwd='md5b6f7fcbbabb4befde4588a26c1cfd2fa'", + 'unless' => "SELECT 1 FROM pg_shadow WHERE usename = 'test' AND passwd = 'md5b6f7fcbbabb4befde4588a26c1cfd2fa'", 'port' => "5432", 'connect_settings' => { 'PGHOST' => 'postgres-db-server', 'DBVERSION' => '9.1', 'PGUSER' => 'login-user', 'PGPASSWORD' => 'login-pass' }, }) end end context "with specific db connection settings - including port" do let :params do { :password_hash => 'new-pa$s', :connect_settings => { 'PGHOST' => 'postgres-db-server', 'DBVERSION' => '9.1', 'PGPORT' => '1234', 'PGUSER' => 'login-user', 'PGPASSWORD' => 'login-pass' }, } end let :pre_condition do "class {'postgresql::server':}" end it { is_expected.to contain_postgresql__server__role('test') } it 'should have create role for "test" user with password as ****' do is_expected.to contain_postgresql_psql('CREATE ROLE test ENCRYPTED PASSWORD ****').with({ 'command' => "CREATE ROLE \"test\" ENCRYPTED PASSWORD '$NEWPGPASSWD' LOGIN NOCREATEROLE NOCREATEDB NOSUPERUSER CONNECTION LIMIT -1", 'environment' => "NEWPGPASSWD=new-pa$s", - 'unless' => "SELECT rolname FROM pg_roles WHERE rolname='test'", + 'unless' => "SELECT 1 FROM pg_roles WHERE rolname = 'test'", 'connect_settings' => { 'PGHOST' => 'postgres-db-server', 'DBVERSION' => '9.1', 'PGPORT' => '1234', 'PGUSER' => 'login-user', 'PGPASSWORD' => 'login-pass' }, }) end it 'should have alter role for "test" user with password as ****' do is_expected.to contain_postgresql_psql('ALTER ROLE test ENCRYPTED PASSWORD ****').with({ 'command' => "ALTER ROLE \"test\" ENCRYPTED PASSWORD '$NEWPGPASSWD'", 'environment' => "NEWPGPASSWD=new-pa$s", - 'unless' => "SELECT usename FROM pg_shadow WHERE usename='test' and passwd='md5b6f7fcbbabb4befde4588a26c1cfd2fa'", + 'unless' => "SELECT 1 FROM pg_shadow WHERE usename = 'test' AND passwd = 'md5b6f7fcbbabb4befde4588a26c1cfd2fa'", 'connect_settings' => { 'PGHOST' => 'postgres-db-server', 'DBVERSION' => '9.1', 'PGPORT' => '1234', 'PGUSER' => 'login-user', 'PGPASSWORD' => 'login-pass' }, }) end end end