[mirror/dsa-puppet.git] / 3rdparty / modules / postgresql / spec / acceptance / server / grant_role_spec.rb

require 'spec_helper_acceptance'

describe 'postgresql::server::grant_role:', :unless => UNSUPPORTED_PLATFORMS.include?(fact('osfamily')) do

  let(:db) { 'grant_role_test' }
  let(:user) { 'psql_grant_role_tester' }
  let(:group) { 'test_group' }
  let(:password) { 'psql_grant_role_pw' }
  let(:version) do
    if fact('osfamily') == 'RedHat' and fact('operatingsystemrelease') =~ /5/
      '8.1'
    end
  end

  it 'should grant a role to a user' do
    begin
      pp = <<-EOS.unindent
        $db = #{db}
        $user = #{user}
        $group = #{group}
        $password = #{password}
        $version = '#{version}'

        class { 'postgresql::server': }

        # Since we are not testing pg_hba or any of that, make a local user for ident auth
        user { $user:
          ensure => present,
        }

        postgresql::server::role { $user:
          password_hash => postgresql_password($user, $password),
        }

        postgresql::server::database { $db:
          owner   => $user,
          require => Postgresql::Server::Role[$user],
        }

        # Lets setup the base rules
        $local_auth_option = $version ? {
          '8.1'   => 'sameuser',
          default => undef,
        }

        # Create a rule for the user
        postgresql::server::pg_hba_rule { "allow ${user}":
          type        => 'local',
          database    => $db,
          user        => $user,
          auth_method => 'ident',
          auth_option => $local_auth_option,
          order       => 1,
        }

        # Create a role to grant to the user
        postgresql::server::role { $group:
          db      => $db,
          login   => false,
          require => Postgresql::Server::Database[$db],
        }

        # Grant the role to the user
        postgresql::server::grant_role { "grant_role ${group} to ${user}":
          role  => $user,
          group => $group,
        }
      EOS

      apply_manifest(pp, :catch_failures => true)
      apply_manifest(pp, :catch_changes => true)

      ## Check that the role was granted to the user
      psql('--command="SELECT 1 WHERE pg_has_role(\'psql_grant_role_tester\', \'test_group\', \'MEMBER\') = true" grant_role_test', 'psql_grant_role_tester') do |r|
        expect(r.stdout).to match(/\(1 row\)/)
        expect(r.stderr).to eq('')
      end
    end
  end

  it 'should grant a role to a superuser' do
    begin
      pp = <<-EOS.unindent
        $db = "#{db}"
        $user = "#{user}"
        $group = "#{group}"
        $password = #{password}
        $version = '#{version}'

        class { 'postgresql::server': }

        # Since we are not testing pg_hba or any of that, make a local user for ident auth
        user { $user:
          ensure => present,
        }

        postgresql::server::role { $user:
          password_hash => postgresql_password($user, $password),
          superuser     => true,
        }

        postgresql::server::database { $db:
          owner   => $user,
          require => Postgresql::Server::Role[$user],
        }

        # Lets setup the base rules
        $local_auth_option = $version ? {
          '8.1'   => 'sameuser',
          default => undef,
        }

        # Create a rule for the user
        postgresql::server::pg_hba_rule { "allow ${user}":
          type        => 'local',
          database    => $db,
          user        => $user,
          auth_method => 'ident',
          auth_option => $local_auth_option,
          order       => 1,
        }

        # Create a role to grant to the user
        postgresql::server::role { $group:
          db      => $db,
          login   => false,
          require => Postgresql::Server::Database[$db],
        }

        # Grant the role to the user
        postgresql::server::grant_role { "grant_role ${group} to ${user}":
          role  => $user,
          group => $group,
        }
      EOS

      apply_manifest(pp, :catch_failures => true)
      apply_manifest(pp, :catch_changes => true)

      ## Check that the role was granted to the user
      psql('--command="SELECT 1 FROM pg_roles AS r_role JOIN pg_auth_members AS am ON r_role.oid = am.member JOIN pg_roles AS r_group ON r_group.oid = am.roleid WHERE r_group.rolname = \'test_group\' AND r_role.rolname = \'psql_grant_role_tester\'" grant_role_test', 'psql_grant_role_tester') do |r|
        expect(r.stdout).to match(/\(1 row\)/)
        expect(r.stderr).to eq('')
      end
    end
  end

  it 'should revoke a role from a user' do
    begin
      pp = <<-EOS

        $db = "#{db}"
        $user = "#{user}"
        $group = "#{group}"
        $password = #{password}
        $version = '#{version}'

        class { 'postgresql::server': }

        # Since we are not testing pg_hba or any of that, make a local user for ident auth
        user { $user:
          ensure => present,
        }

        postgresql::server::role { $user:
          password_hash => postgresql_password($user, $password),
        }

        postgresql::server::database { $db:
          owner   => $user,
          require => Postgresql::Server::Role[$user],
        }

        # Lets setup the base rules
        $local_auth_option = $version ? {
          '8.1'   => 'sameuser',
          default => undef,
        }

        # Create a rule for the user
        postgresql::server::pg_hba_rule { "allow ${user}":
          type        => 'local',
          database    => $db,
          user        => $user,
          auth_method => 'ident',
          auth_option => $local_auth_option,
          order       => 1,
        }

        # Create a role to grant to the user
        postgresql::server::role { $group:
          db      => $db,
          login   => false,
          require => Postgresql::Server::Database[$db],
        }

        # Grant the role to the user
        postgresql::server::grant_role { "grant_role ${group} to ${user}":
          role  => $user,
          group => $group,
        }

        postgresql::server::grant_role {"revoke ${group} from ${user}":
          ensure => absent,
          role   => $user,
          group  => $group,
        }
      EOS
      apply_manifest(pp, :catch_failures => true)
      apply_manifest(pp, :expect_changes => true)

      psql('--command="SELECT 1 WHERE pg_has_role(\'psql_grant_role_tester\', \'test_group\', \'MEMBER\') = true" grant_role_test', 'psql_grant_role_tester') do |r|
        expect(r.stdout).to match(/\(0 rows\)/)
        expect(r.stderr).to eq('')
      end
    end
  end

  it 'should not grant permission to a nonexistent user' do
     begin
       pp = <<-EOS

         $db = "#{db}"
         $user = "#{user}"
         $group = "#{group}"
         $password = #{password}

         class { 'postgresql::server': }

         # Since we are not testing pg_hba or any of that, make a local user for ident auth
           user { $user:
           ensure => absent,
         }

         postgresql::server::database { $db:
         }

         # Create a role to grant to the nonexistent user
         postgresql::server::role { $group:
           db      => $db,
           login   => false,
           require => Postgresql::Server::Database[$db],
         }

         # Grant the role to the nonexistent user
         postgresql::server::grant_role { "grant_role ${group} to ${user}":
           role  => $user
           group => $group,
         }
       EOS
       apply_manifest(pp, :expect_failures => true)

       psql('--command="SELECT 1 WHERE pg_has_role(\'psql_grant_role_tester\', \'test_group\', \'MEMBER\') = true" grant_role_test', 'psql_grant_role_tester') do |r|
         expect(r.stdout).to match(/\(0 rows\)/)
         expect(r.stderr).to eq('')
       end
     end
   end
end