Merge pull request #1267 from opus-codium/default-privileges

MODULES-11049 - Implement default privileges changes

Author: sheenaajay

README.md

@@ -131,6 +131,19 @@ This applies to objects within the nominated database, 'test_db' only.
 
 For Postgresql >= 9.3, the ownership of the database is also updated.
 
+### Manage default permissions (PostgreSQL >= 9.6)
+
+To change default permissions for newly created objects using ALTER DEFAULT PRIVILEGES:
+
+```puppet
+postgresql::server::default_privileges { 'marmot access to new tables on test_db':
+  db          => 'test_db',
+  role        => 'marmot',
+  privilege   => 'ALL',
+  object_type => 'TABLES',
+}
+```
+
 ### Override defaults
 
 The `postgresql::globals` class allows you to configure the main settings for this module globally, so that other classes and defined resources can use them. By itself, it does nothing.

manifests/server/default_privileges.pp

@@ -0,0 +1,157 @@
+# @summary Manage a database defaults privileges. Only works with PostgreSQL version 9.6 and above.
+#
+# @param ensure Specifies whether to grant or revoke the privilege.
+# @param role Specifies the role or user whom you are granting access to.
+# @param db Specifies the database to which you are granting access.
+# @param object_type Specify target object type: 'FUNCTIONS', 'ROUTINES', 'SEQUENCES', 'TABLES', 'TYPES'.
+# @param privilege Specifies comma-separated list of privileges to grant. Valid options: depends on object type.
+# @param schema Target schema. Defaults to 'public'.
+# @param psql_db Defines the database to execute the grant against. This should not ordinarily be changed from the default.
+# @param psql_user Specifies the OS user for running psql. Default value: The default user for the module, usually 'postgres'.
+# @param psql_path Specifies the OS user for running psql. Default value: The default user for the module, usually 'postgres'.
+# @param port Specifies the port to access the server. Default value: The default user for the module, usually '5432'.
+# @param connect_settings Specifies a hash of environment variables used when connecting to a remote server.
+# @param psql_path Specifies the path to the psql command.
+define postgresql::server::default_privileges (
+  String $role,
+  String $db,
+  String $privilege,
+  Pattern[
+    /(?i:^FUNCTIONS$)/,
+    /(?i:^ROUTINES$)/,
+    /(?i:^SEQUENCES$)/,
+    /(?i:^TABLES$)/,
+    /(?i:^TYPES$)/
+  ] $object_type,
+  String $schema                   = 'public',
+  String $psql_db                  = $postgresql::server::default_database,
+  String $psql_user                = $postgresql::server::user,
+  Integer $port                    = $postgresql::server::port,
+  Hash $connect_settings           = $postgresql::server::default_connect_settings,
+  Enum['present',
+    'absent'
+  ] $ensure                        = 'present',
+  String $group                    = $postgresql::server::group,
+  String $psql_path                = $postgresql::server::psql_path,
+) {
+
+  # If possible use the version of the remote database, otherwise
+  # fallback to our local DB version
+  if $connect_settings != undef and has_key( $connect_settings, 'DBVERSION') {
+    $version = $connect_settings['DBVERSION']
+  } else {
+    $version = $postgresql::server::_version
+  }
+
+  if (versioncmp($version, '9.6') == -1) {
+    fail 'Default_privileges is only useable with PostgreSQL >= 9.6'
+  }
+
+  case $ensure {
+    default: {
+      # default is 'present'
+      $sql_command = 'ALTER DEFAULT PRIVILEGES IN SCHEMA %s GRANT %s ON %s TO "%s"'
+      $unless_is = true
+    }
+    'absent': {
+      $sql_command = 'ALTER DEFAULT PRIVILEGES IN SCHEMA %s REVOKE %s ON %s FROM "%s"'
+      $unless_is = false
+    }
+  }
+
+  #
+  # Port, order of precedence: $port parameter, $connect_settings[PGPORT], $postgresql::server::port
+  #
+  if $port != undef {
+    $port_override = $port
+  } elsif $connect_settings != undef and has_key( $connect_settings, 'PGPORT') {
+    $port_override = undef
+  } else {
+    $port_override = $postgresql::server::port
+  }
+
+  ## Munge the input values
+  $_object_type = upcase($object_type)
+  $_privilege   = upcase($privilege)
+
+  case $_object_type {
+    # Routines and functions ends up with the same definition
+    Pattern[
+      /^ROUTINES$/,
+      /^FUNCTIONS$/,
+    ]: {
+      case $_privilege {
+        Pattern[
+          /^ALL$/,
+          /^EXECUTE$/,
+        ]: {
+          $_check_privilege = 'X'
+        }
+        default: { fail('Illegal value for $privilege parameter') }
+      }
+      $_check_type = 'f'
+    }
+    'SEQUENCES': {
+      case $_privilege {
+        /^(ALL)$/: { $_check_privilege = 'rwU' }
+        /^SELECT$/: { $_check_privilege = 'r'}
+        /^UPDATE$/: { $_check_privilege = 'w'}
+        /^USAGE$/: { $_check_privilege = 'U'}
+        default: { fail('Illegal value for $privilege parameter') }
+      }
+      $_check_type = 'S'
+    }
+    'TABLES': {
+      case $_privilege {
+        /^ALL$/: { $_check_privilege = 'arwdDxt' }
+        /^DELETE$/: { $_check_privilege = 'd' }
+        /^INSERT$/: { $_check_privilege = 'a' }
+        /^REFERENCES$/: { $_check_privilege = 'x' }
+        /^SELECT$/: { $_check_privilege = 'r' }
+        /^TRIGGER$/: { $_check_privilege = 'd' }
+        /^TRUNCATE$/: { $_check_privilege = 'D' }
+        /^UPDATE$/: { $_check_privilege = 'w' }
+        default: { fail('Illegal value for $privilege parameter') }
+      }
+      $_check_type = 'r'
+    }
+    'TYPES': {
+      case $_privilege {
+        /^(ALL|USAGE)$/: { $_check_privilege = 'U'}
+        default: { fail('Illegal value for $privilege parameter') }
+      }
+      $_check_type = 'T'
+    }
+    default: {
+      fail("Missing privilege validation for object type ${_object_type}")
+    }
+  }
+
+  $_unless = $ensure ? {
+    'absent' => "SELECT 1 WHERE NOT EXISTS (SELECT * FROM pg_default_acl AS da JOIN pg_namespace AS n ON da.defaclnamespace = n.oid WHERE '%s=%s' = ANY (defaclacl) AND nspname = '%s' and defaclobjtype = '%s')",
+    default  => "SELECT 1 WHERE EXISTS (SELECT * FROM pg_default_acl AS da JOIN pg_namespace AS n ON da.defaclnamespace = n.oid WHERE '%s=%s' = ANY (defaclacl) AND nspname = '%s' and defaclobjtype = '%s')"
+  }
+
+  $unless_cmd = sprintf($_unless, $role, $_check_privilege, $schema, $_check_type)
+  $grant_cmd = sprintf($sql_command, $schema, $_privilege, $_object_type, $role)
+
+  postgresql_psql { "default_privileges:${name}":
+    command          => $grant_cmd,
+    db               => $db,
+    port             => $port_override,
+    connect_settings => $connect_settings,
+    psql_user        => $psql_user,
+    psql_group       => $group,
+    psql_path        => $psql_path,
+    unless           => $unless_cmd,
+    environment      => "PGOPTIONS=--client-min-messages=error"
+  }
+
+  if($role != undef and defined(Postgresql::Server::Role[$role])) {
+    Postgresql::Server::Role[$role]->Postgresql_psql["default_privileges:${name}"]
+  }
+
+  if($db != undef and defined(Postgresql::Server::Database[$db])) {
+    Postgresql::Server::Database[$db]->Postgresql_psql["default_privileges:${name}"]
+  }
+}

spec/acceptance/server/default_privileges_spec.rb

@@ -0,0 +1,93 @@
+# frozen_string_literal: true
+
+require 'spec_helper_acceptance'
+
+describe 'postgresql::server::default_privileges:' do
+  let(:db) { 'grant_role_test' }
+  let(:user) { 'psql_grant_role_tester' }
+  let(:group) { 'test_group' }
+  let(:password) { 'psql_grant_role_pw' }
+
+  # Check that the default privileges were revoked
+  let(:check_command) do
+    "SELECT * FROM pg_default_acl a JOIN pg_namespace b ON a.defaclnamespace = b.oid WHERE '#{user}=arwdDxt' = ANY (defaclacl) AND nspname = 'public' and defaclobjtype = 'r';"
+  end
+
+  let(:pp_one) do
+    <<-MANIFEST.unindent
+      $db = #{db}
+      $user = #{user}
+      $group = #{group}
+      $password = #{password}
+
+      class { 'postgresql::server': }
+
+      postgresql::server::role { $user:
+        password_hash => postgresql::postgresql_password($user, $password),
+      }
+
+      postgresql::server::database { $db:
+        require => Postgresql::Server::Role[$user],
+      }
+
+      # Set default privileges on tables
+      postgresql::server::default_privileges { "alter default privileges grant all on tables to ${user}":
+        db          => $db,
+        role        => $user,
+        privilege   => 'ALL',
+        object_type => 'TABLES',
+        require     => Postgresql::Server::Database[$db],
+      }
+    MANIFEST
+  end
+  let(:pp_two) do
+    <<-MANIFEST
+      $db = #{db}
+      $user = #{user}
+      $group = #{group}
+      $password = #{password}
+
+      class { 'postgresql::server': }
+
+      postgresql::server::role { $user:
+        password_hash => postgresql::postgresql_password($user, $password),
+      }
+      postgresql::server::database { $db:
+        require => Postgresql::Server::Role[$user],
+      }
+
+      # Removes default privileges on tables
+      postgresql::server::default_privileges { "alter default privileges revoke all on tables for ${user}":
+        db          => $db,
+        role        => $user,
+        privilege   => 'ALL',
+        object_type => 'TABLES',
+        ensure      => 'absent',
+        require     => Postgresql::Server::Database[$db],
+      }
+    MANIFEST
+  end
+
+  it 'grants default privileges to an user' do
+    if Gem::Version.new(postgresql_version) >= Gem::Version.new('9.6')
+      idempotent_apply(pp_one)
+
+      psql("--command=\"SET client_min_messages = 'error';#{check_command}\" --db=#{db}") do |r|
+        expect(r.stdout).to match(%r{\(1 row\)})
+        expect(r.stderr).to eq('')
+      end
+    end
+  end
+
+  it 'revokes default privileges for an user' do
+    if Gem::Version.new(postgresql_version) >= Gem::Version.new('9.6')
+      apply_manifest(pp_one, catch_failures: true)
+      apply_manifest(pp_two, expect_changes: true)
+
+      psql("--command=\"SET client_min_messages = 'error';#{check_command}\" --db=#{db}") do |r|
+        expect(r.stdout).to match(%r{\(0 rows\)})
+        expect(r.stderr).to eq('')
+      end
+    end
+  end
+end