Support target_role in default_privileges

ALTER DEFAULT PRIVILEGES supports the FOR ROLE <target_role> argument,
without which the statement applies only to objects created by the
*current* role, which may not be most useful.

Support specifying the target role.

Author: fish-face

manifests/server/default_privileges.pp

@@ -1,5 +1,6 @@
 # @summary Manage a database defaults privileges. Only works with PostgreSQL version 9.6 and above.
 #
+# @param target_role Target role whose created objects will receive the default privileges. Defaults to the current user.
 # @param ensure Specifies whether to grant or revoke the privilege.
 # @param role Specifies the role or user whom you are granting access to.
 # @param db Specifies the database to which you are granting access.
@@ -13,6 +14,7 @@
 # @param connect_settings Specifies a hash of environment variables used when connecting to a remote server.
 # @param psql_path Specifies the path to the psql command.
 define postgresql::server::default_privileges (
+  Optional[String] $target_role    = undef,
   String $role,
   String $db,
   String $privilege,
@@ -50,11 +52,11 @@
   case $ensure {
     default: {
       # default is 'present'
-      $sql_command = 'ALTER DEFAULT PRIVILEGES IN SCHEMA %s GRANT %s ON %s TO "%s"'
+      $sql_command = 'ALTER DEFAULT PRIVILEGES%s IN SCHEMA %s GRANT %s ON %s TO "%s"'
       $unless_is = true
     }
     'absent': {
-      $sql_command = 'ALTER DEFAULT PRIVILEGES IN SCHEMA %s REVOKE %s ON %s FROM "%s"'
+      $sql_command = 'ALTER DEFAULT PRIVILEGES%s IN SCHEMA %s REVOKE %s ON %s FROM "%s"'
       $unless_is = false
     }
   }
@@ -70,6 +72,14 @@
     $port_override = $postgresql::server::port
   }
 
+  if $target_role != undef {
+    $_target_role = " FOR ROLE $target_role"
+    $_check_target_role = "/$target_role"
+  } else {
+    $_target_role = ''
+    $_check_target_role = ''
+  }
+
   ## Munge the input values
   $_object_type = upcase($object_type)
   $_privilege   = upcase($privilege)
@@ -128,12 +138,12 @@
   }
 
   $_unless = $ensure ? {
-    'absent' => "SELECT 1 WHERE NOT EXISTS (SELECT * FROM pg_default_acl AS da JOIN pg_namespace AS n ON da.defaclnamespace = n.oid WHERE '%s=%s' = ANY (defaclacl) AND nspname = '%s' and defaclobjtype = '%s')",
-    default  => "SELECT 1 WHERE EXISTS (SELECT * FROM pg_default_acl AS da JOIN pg_namespace AS n ON da.defaclnamespace = n.oid WHERE '%s=%s' = ANY (defaclacl) AND nspname = '%s' and defaclobjtype = '%s')"
+    'absent' => "SELECT 1 WHERE NOT EXISTS (SELECT * FROM pg_default_acl AS da JOIN pg_namespace AS n ON da.defaclnamespace = n.oid WHERE '%s=%s%s' = ANY (defaclacl) AND nspname = '%s' and defaclobjtype = '%s')",
+    default  => "SELECT 1 WHERE EXISTS (SELECT * FROM pg_default_acl AS da JOIN pg_namespace AS n ON da.defaclnamespace = n.oid WHERE '%s=%s%s' = ANY (defaclacl) AND nspname = '%s' and defaclobjtype = '%s')"
   }
 
-  $unless_cmd = sprintf($_unless, $role, $_check_privilege, $schema, $_check_type)
-  $grant_cmd = sprintf($sql_command, $schema, $_privilege, $_object_type, $role)
+  $unless_cmd = sprintf($_unless, $role, $_check_privilege, $_check_target_role, $schema, $_check_type)
+  $grant_cmd = sprintf($sql_command, $_target_role, $schema, $_privilege, $_object_type, $role)
 
   postgresql_psql { "default_privileges:${name}":
     command          => $grant_cmd,

spec/unit/defines/server/default_privileges_spec.rb

@@ -253,6 +253,36 @@ class {'postgresql::server':}
     end
   end
 
+  context 'with a target role' do
+    let :params do
+      {
+        target_role: 'target',
+        db: 'test',
+        role: 'test',
+        privilege: 'all',
+        object_type: 'tables',
+      }
+    end
+
+    let :pre_condition do
+      <<-EOS
+      class {'postgresql::server':}
+      postgresql::server::role { 'target': }
+      EOS
+    end
+
+    it { is_expected.to compile.with_all_deps }
+    it { is_expected.to contain_postgresql__server__default_privileges('test') }
+    it { is_expected.to contain_postgresql__server__role('target') }
+    it do
+      # rubocop:disable Layout/LineLength
+      is_expected.to contain_postgresql_psql('default_privileges:test')
+        .with_command('ALTER DEFAULT PRIVILEGES FOR ROLE target IN SCHEMA public GRANT ALL ON TABLES TO "test"')
+        .with_unless("SELECT 1 WHERE EXISTS (SELECT * FROM pg_default_acl AS da JOIN pg_namespace AS n ON da.defaclnamespace = n.oid WHERE 'test=arwdDxt/target' = ANY (defaclacl) AND nspname = 'public' and defaclobjtype = 'r')")
+      # rubocop:enable Layout/LineLength
+    end
+  end
+
   context 'standalone not managing server' do
     let :params do
       {