Support schema privileges in default_privileges

fish-face · fish-face · commit b53234f24cab · 2021-09-22T12:22:41.000+01:00
diff --git a/manifests/server/default_privileges.pp b/manifests/server/default_privileges.pp
@@ -21,7 +21,8 @@
     /(?i:^ROUTINES$)/,
     /(?i:^SEQUENCES$)/,
     /(?i:^TABLES$)/,
-    /(?i:^TYPES$)/
+    /(?i:^TYPES$)/,
+    /(?i:^SCHEMAS$)/
   ] $object_type,
   String $schema                   = 'public',
   String $psql_db                  = $postgresql::server::default_database,
@@ -129,6 +130,18 @@
       }
       $_check_type = 'T'
     }
+    'SCHEMAS': {
+      if $schema != '' {
+        fail('Cannot alter default schema permissions within a schema')
+      }
+      case $_privilege {
+        /^ALL$/: { $_check_privilege = 'UC' }
+        /^USAGE$/: { $_check_privilege = 'U' }
+        /^CREATE$/: { $_check_privilege = 'C' }
+        default: { fail('Illegal value for $privilege parameter') }
+      }
+      $_check_type = 'n'
+    }
     default: {
       fail("Missing privilege validation for object type ${_object_type}")
     }
diff --git a/spec/unit/defines/server/default_privileges_spec.rb b/spec/unit/defines/server/default_privileges_spec.rb
@@ -133,6 +133,50 @@
 
       it { is_expected.to compile.and_raise_error(%r{Illegal value for \$privilege parameter}) }
     end
+
+    context 'schemas' do
+      let :params do
+        {
+          db: 'test',
+          role: 'test',
+          privilege: 'all',
+          object_type: 'schemas',
+          schema: '',
+        }
+      end
+
+      let :pre_condition do
+        "class {'postgresql::server':}"
+      end
+
+      it { is_expected.to compile.with_all_deps }
+      it { is_expected.to contain_postgresql__server__default_privileges('test') }
+      it do
+        # rubocop:disable Layout/LineLength
+        is_expected.to contain_postgresql_psql('default_privileges:test')
+          .with_command('ALTER DEFAULT PRIVILEGES GRANT ALL ON SCHEMAS TO "test"')
+          .with_unless("SELECT 1 WHERE EXISTS (SELECT * FROM pg_default_acl AS da LEFT JOIN pg_namespace AS n ON da.defaclnamespace = n.oid WHERE 'test=UC' = ANY (defaclacl) and defaclobjtype = 'n')")
+        # rubocop:enable Layout/LineLength
+      end
+    end
+
+    context 'nested schemas are invalid' do
+      let :params do
+        {
+          db: 'test',
+          role: 'test',
+          privilege: 'all',
+          object_type: 'schemas',
+          schema: 'public',
+        }
+      end
+
+      let :pre_condition do
+        "class {'postgresql::server':}"
+      end
+
+      it { is_expected.to compile.and_raise_error(%r{Cannot alter default schema permissions within a schema}) }
+    end
   end
 
   context 'with specific db connection settings - default port' do
