Merge pull request puppetlabs#1266 from opus-codium/revoke-public

MODULES-11047 - Allow managing rights for PUBLIC role

Author: adrianiurca

manifests/server/grant.pp

@@ -52,17 +52,23 @@
   case $ensure {
     default: {
       # default is 'present'
-      $sql_command = 'GRANT %s ON %s "%s%s" TO "%s"'
-      $sql_command_unquoted = 'GRANT %s ON %s %s%s TO "%s"'
+      $sql_command = 'GRANT %s ON %s "%s%s" TO %s'
+      $sql_command_unquoted = 'GRANT %s ON %s %s%s TO %s'
       $unless_is = true
     }
     'absent': {
-      $sql_command = 'REVOKE %s ON %s "%s%s" FROM "%s"'
-      $sql_command_unquoted = 'REVOKE %s ON %s %s%s FROM "%s"'
+      $sql_command = 'REVOKE %s ON %s "%s%s" FROM %s'
+      $sql_command_unquoted = 'REVOKE %s ON %s %s%s FROM %s'
       $unless_is = false
     }
   }
 
+  # Quote the role if not PUBLIC
+  $_query_role = $role ? {
+    'PUBLIC' => 'PUBLIC',
+    default => "\"${role}\""
+  }
+
   if ! $object_name {
     $_object_name = $db
   } else {
@@ -453,8 +459,8 @@
   }
 
   $grant_cmd = $_enquote_object ? {
-    false   => sprintf($sql_command_unquoted, $_privilege, $_object_type, $_togrant_object, $arguments, $role),
-    default => sprintf($sql_command, $_privilege, $_object_type, $_togrant_object, $arguments, $role),
+    false   => sprintf($sql_command_unquoted, $_privilege, $_object_type, $_togrant_object, $arguments, $_query_role),
+    default => sprintf($sql_command, $_privilege, $_object_type, $_togrant_object, $arguments, $_query_role),
   }
 
   postgresql_psql { "grant:${name}":

spec/unit/defines/server/grant_spec.rb

@@ -240,7 +240,7 @@ class {'postgresql::server':}
     it { is_expected.to contain_postgresql__server__role('test') }
     it do
       is_expected.to contain_postgresql_psql('grant:test')
-        .with_command(%r{GRANT ALL ON TABLE "myschema"."mytable" TO\s* "PUBLIC"}m)
+        .with_command(%r{GRANT ALL ON TABLE "myschema"."mytable" TO\s* PUBLIC}m)
         .with_unless(%r{SELECT 1 WHERE has_table_privilege\('public',\s*'myschema.mytable', 'INSERT'\)}m)
     end
   end