Support grants and revokes for PUBLIC pseudo role

mtancoigne · mtancoigne · commit ebdde201f4b9 · 2021-04-14T12:32:20.000+02:00
diff --git a/manifests/server/grant.pp b/manifests/server/grant.pp
@@ -53,12 +53,16 @@
     default: {
       # default is 'present'
       $sql_command = 'GRANT %s ON %s "%s%s" TO "%s"'
+      $sql_command_public = 'GRANT %s ON %s "%s%s" TO PUBLIC'
       $sql_command_unquoted = 'GRANT %s ON %s %s%s TO "%s"'
+      $sql_command_unquoted_public = 'GRANT %s ON %s %s%s TO PUBLIC'
       $unless_is = true
     }
     'absent': {
       $sql_command = 'REVOKE %s ON %s "%s%s" FROM "%s"'
+      $sql_command_public = 'REVOKE %s ON %s "%s%s" FROM PUBLIC'
       $sql_command_unquoted = 'REVOKE %s ON %s %s%s FROM "%s"'
+      $sql_command_unquoted_public = 'REVOKE %s ON %s %s%s FROM PUBLIC'
       $unless_is = false
     }
   }
@@ -452,9 +456,20 @@
     default           => undef,
   }
 
-  $grant_cmd = $_enquote_object ? {
-    false   => sprintf($sql_command_unquoted, $_privilege, $_object_type, $_togrant_object, $arguments, $role),
-    default => sprintf($sql_command, $_privilege, $_object_type, $_togrant_object, $arguments, $role),
+  case $role {
+    default: {
+      $grant_cmd = $_enquote_object ? {
+        false   => sprintf($sql_command_unquoted, $_privilege, $_object_type, $_togrant_object, $arguments, $role),
+        default => sprintf($sql_command, $_privilege, $_object_type, $_togrant_object, $arguments, $role),
+      }
+    }
+    'PUBLIC': {
+      # For internal PUBLIC role, we do not want to quote it
+      $grant_cmd = $_enquote_object ? {
+        false   => sprintf($sql_command_unquoted_public, $_privilege, $_object_type, $_togrant_object, $arguments, $role),
+        default => sprintf($sql_command_public, $_privilege, $_object_type, $_togrant_object, $arguments, $role),
+      }
+    }
   }
 
   postgresql_psql { "grant:${name}":
diff --git a/spec/unit/defines/server/grant_spec.rb b/spec/unit/defines/server/grant_spec.rb
@@ -240,7 +240,7 @@ class {'postgresql::server':}
     it { is_expected.to contain_postgresql__server__role('test') }
     it do
       is_expected.to contain_postgresql_psql('grant:test')
-        .with_command(%r{GRANT ALL ON TABLE "myschema"."mytable" TO\s* "PUBLIC"}m)
+        .with_command(%r{GRANT ALL ON TABLE "myschema"."mytable" TO\s* PUBLIC}m)
         .with_unless(%r{SELECT 1 WHERE has_table_privilege\('public',\s*'myschema.mytable', 'INSERT'\)}m)
     end
   end
