From 7b295fbae0f5f4977390839b0062b8198e47b80c Mon Sep 17 00:00:00 2001 From: Manuel Tancoigne Date: Tue, 30 Mar 2021 10:36:46 +0200 Subject: [PATCH] Support grants and revokes for PUBLIC pseudo role --- manifests/server/grant.pp | 18 ++++++++++++------ spec/unit/defines/server/grant_spec.rb | 2 +- 2 files changed, 13 insertions(+), 7 deletions(-) diff --git a/manifests/server/grant.pp b/manifests/server/grant.pp index 4382c6b396..64be3ad617 100644 --- a/manifests/server/grant.pp +++ b/manifests/server/grant.pp @@ -52,17 +52,23 @@ case $ensure { default: { # default is 'present' - $sql_command = 'GRANT %s ON %s "%s%s" TO "%s"' - $sql_command_unquoted = 'GRANT %s ON %s %s%s TO "%s"' + $sql_command = 'GRANT %s ON %s "%s%s" TO %s' + $sql_command_unquoted = 'GRANT %s ON %s %s%s TO %s' $unless_is = true } 'absent': { - $sql_command = 'REVOKE %s ON %s "%s%s" FROM "%s"' - $sql_command_unquoted = 'REVOKE %s ON %s %s%s FROM "%s"' + $sql_command = 'REVOKE %s ON %s "%s%s" FROM %s' + $sql_command_unquoted = 'REVOKE %s ON %s %s%s FROM %s' $unless_is = false } } + # Quote the role if not PUBLIC + $_query_role = $role ? { + 'PUBLIC' => 'PUBLIC', + default => "\"${role}\"" + } + if ! $object_name { $_object_name = $db } else { @@ -453,8 +459,8 @@ } $grant_cmd = $_enquote_object ? { - false => sprintf($sql_command_unquoted, $_privilege, $_object_type, $_togrant_object, $arguments, $role), - default => sprintf($sql_command, $_privilege, $_object_type, $_togrant_object, $arguments, $role), + false => sprintf($sql_command_unquoted, $_privilege, $_object_type, $_togrant_object, $arguments, $_query_role), + default => sprintf($sql_command, $_privilege, $_object_type, $_togrant_object, $arguments, $_query_role), } postgresql_psql { "grant:${name}": diff --git a/spec/unit/defines/server/grant_spec.rb b/spec/unit/defines/server/grant_spec.rb index 510e063703..fa61e48ebc 100644 --- a/spec/unit/defines/server/grant_spec.rb +++ b/spec/unit/defines/server/grant_spec.rb 
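Review bot: The new `$_query_role` selector wraps the role in double quotes but does not escape a double quote inside `$role`, so a role name containing `"` would close the identifier early and the rest of the string would end up in the statement that the second hunk builds into `$grant_cmd`. The old `"%s"` format strings had the same gap, but the quoting now lives in one place and can be fixed there: `default => sprintf('"%s"', regsubst($role, '"', '""', 'G')),`. Puppet selectors compare strings case-insensitively, so `public` or `Public` also take the unquoted branch; if that is intended, a comment such as `# Matches PUBLIC in any case; every other role is quoted as an identifier` would record it. The declaration of `$role` is outside the hunk, so a data type on the parameter may already restrict what reaches this line.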
@@ -240,7 +240,7 @@ class {'postgresql::server':} it { is_expected.to contain_postgresql__server__role('test') } it do is_expected.to contain_postgresql_psql('grant:test') - .with_command(%r{GRANT ALL ON TABLE "myschema"."mytable" TO\s* "PUBLIC"}m) + .with_command(%r{GRANT ALL ON TABLE "myschema"."mytable" TO\s* PUBLIC}m) .with_unless(%r{SELECT 1 WHERE has_table_privilege\('public',\s*'myschema.mytable', 'INSERT'\)}m) end end
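Review bot: The REVOKE path that this commit also rewrites (`ensure => 'absent'`, `FROM %s`) gets no new assertion; the diffstat shows this updated `GRANT ... TO\s* PUBLIC` expectation as the only spec change. A sibling example that sets `ensure => 'absent'` with `role => 'PUBLIC'` and expects `.with_command(%r{REVOKE ALL ON TABLE "myschema"."mytable" FROM\s* PUBLIC}m)` would pin the unquoted form for revokes as well. The enclosing `context` block starts outside the hunk, so coverage elsewhere in the file, such as ordinary roles remaining quoted, cannot be confirmed from here.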