check that role exists for REVOKE...ON DATABASE...

George Hansper · George Hansper · commit 7d5fb577632a · 2017-07-12T17:08:45.000+10:00
diff --git a/manifests/server/grant.pp b/manifests/server/grant.pp
@@ -90,7 +90,10 @@
         '^ALL$','^ALL PRIVILEGES$' ])
       $unless_function = 'has_database_privilege'
       $on_db = $psql_db
-      $onlyif_function = undef
+      $onlyif_function = $ensure ? {
+        default  => undef,
+        'absent' =>  'role_exists',
+      }
     }
     'SCHEMA': {
       $unless_privilege = $_privilege ? {
@@ -339,6 +342,7 @@
   $_onlyif = $onlyif_function ? {
     'table_exists'    => "SELECT true FROM pg_tables WHERE tablename = '${_togrant_object}'",
     'language_exists' => "SELECT true from pg_language WHERE lanname = '${_togrant_object}'",
+    'role_exists'     => "SELECT 1 FROM pg_roles WHERE rolname = '${role}'",
     default           => undef,
   }
 
diff --git a/spec/acceptance/server/grant_spec.rb b/spec/acceptance/server/grant_spec.rb
@@ -496,5 +496,26 @@ class { 'postgresql::server': }
       end
     end
   end
+  context 'database' do
+    describe 'REVOKE ... ON DATABASE...' do
+      it 'should not fail on revoke connect from non-existant user' do
+        begin
+          apply_manifest(pp_setup, :catch_failures => true)
+          pp = pp_setup + <<-EOS.unindent
+            postgresql::server::grant { 'revoke connect on db from norole':
+              ensure      => absent,
+              privilege   => 'CONNECT',
+              object_type => 'DATABASE',
+              db          => '#{db}',
+              role        => '#{user}_does_not_exist',
+            }
+          EOS
+          apply_manifest(pp, :catch_changes => true)
+          apply_manifest(pp, :catch_failures => true)
+
+        end
+      end
+    end
+  end
   #####################
 end
