1 require 'spec_helper_acceptance'
# Acceptance coverage for the postgresql::server::grant_role defined type.
# The whole group is skipped when the node's osfamily fact is listed in
# UNSUPPORTED_PLATFORMS.
3 describe 'postgresql::server::grant_role:', :unless => UNSUPPORTED_PLATFORMS.include?(fact('osfamily')) do
# Fixture names shared by the examples. The verification queries further down
# spell the database, user and group out again as literals instead of using
# these values, so a rename here has to be repeated in every psql call.
5 let(:db) { 'grant_role_test' }
6 let(:user) { 'psql_grant_role_tester' }
7 let(:group) { 'test_group' }
# Password for the test role; the manifests pass it to postgresql_password()
# to build the role's password_hash.
8 let(:password) { 'psql_grant_role_pw' }
# NOTE(review): /5/ is unanchored, so any release string that contains a "5"
# (for example "6.5") takes this branch as well. If only major release 5 is
# meant, anchor the pattern, e.g. /\A5(\.|\z)/ -- confirm against the branch
# body, which is not visible here.
10 if fact('osfamily') == 'RedHat' and fact('operatingsystemrelease') =~ /5/
# Example: after the manifest is applied, PostgreSQL must report the test user
# as a member of the granted role.
15 it 'should grant a role to a user' do
21 $password = #{password}
22 $version = '#{version}'
24 class { 'postgresql::server': }
26 # Since we are not testing pg_hba or any of that, make a local user for ident auth
31 postgresql::server::role { $user:
32 password_hash => postgresql_password($user, $password),
35 postgresql::server::database { $db:
37 require => Postgresql::Server::Role[$user],
40 # Lets setup the base rules
41 $local_auth_option = $version ? {
46 # Create a rule for the user
47 postgresql::server::pg_hba_rule { "allow ${user}":
51 auth_method => 'ident',
52 auth_option => $local_auth_option,
56 # Create a role to grant to the user
57 postgresql::server::role { $group:
60 require => Postgresql::Server::Database[$db],
63 # Grant the role to the user
64 postgresql::server::grant_role { "grant_role ${group} to ${user}":
# First run: the catalog has to apply without failures.
70 apply_manifest(pp, :catch_failures => true)
# Second run: no resource may change, i.e. the grant has to be idempotent.
71 apply_manifest(pp, :catch_changes => true)
## Check that the role was granted to the user
# pg_has_role(..., 'MEMBER') must yield exactly one row and psql must write
# nothing to stderr. The role, group and database names are literals here, not
# the let() values. The second psql argument presumably names the account the
# command runs as -- the helper is defined outside this file, confirm there.
74 psql('--command="SELECT 1 WHERE pg_has_role(\'psql_grant_role_tester\', \'test_group\', \'MEMBER\') = true" grant_role_test', 'psql_grant_role_tester') do |r|
75 expect(r.stdout).to match(/\(1 row\)/)
76 expect(r.stderr).to eq('')
# Example: same grant as above, for a user described as a superuser by the
# example title (the attribute that makes the role a superuser is not among
# the visible manifest lines -- confirm in the full manifest).
81 it 'should grant a role to a superuser' do
87 $password = #{password}
88 $version = '#{version}'
90 class { 'postgresql::server': }
92 # Since we are not testing pg_hba or any of that, make a local user for ident auth
97 postgresql::server::role { $user:
98 password_hash => postgresql_password($user, $password),
102 postgresql::server::database { $db:
104 require => Postgresql::Server::Role[$user],
107 # Lets setup the base rules
108 $local_auth_option = $version ? {
113 # Create a rule for the user
114 postgresql::server::pg_hba_rule { "allow ${user}":
118 auth_method => 'ident',
119 auth_option => $local_auth_option,
123 # Create a role to grant to the user
124 postgresql::server::role { $group:
127 require => Postgresql::Server::Database[$db],
130 # Grant the role to the user
131 postgresql::server::grant_role { "grant_role ${group} to ${user}":
# First run: the catalog has to apply without failures.
137 apply_manifest(pp, :catch_failures => true)
# Second run: no resource may change, i.e. the grant has to be idempotent.
138 apply_manifest(pp, :catch_changes => true)
## Check that the role was granted to the user
# This check joins pg_roles with pg_auth_members and looks for the explicit
# membership row instead of calling pg_has_role(). Presumably that is because
# pg_has_role() reports true for a superuser whether or not a grant exists,
# which would make the assertion pass without the resource doing anything.
141 psql('--command="SELECT 1 FROM pg_roles AS r_role JOIN pg_auth_members AS am ON r_role.oid = am.member JOIN pg_roles AS r_group ON r_group.oid = am.roleid WHERE r_group.rolname = \'test_group\' AND r_role.rolname = \'psql_grant_role_tester\'" grant_role_test', 'psql_grant_role_tester') do |r|
142 expect(r.stdout).to match(/\(1 row\)/)
143 expect(r.stderr).to eq('')
# Example: a manifest that declares both a grant and a revoke for the same
# user/group pair must leave the user without the membership.
148 it 'should revoke a role from a user' do
155 $password = #{password}
156 $version = '#{version}'
158 class { 'postgresql::server': }
160 # Since we are not testing pg_hba or any of that, make a local user for ident auth
165 postgresql::server::role { $user:
166 password_hash => postgresql_password($user, $password),
169 postgresql::server::database { $db:
171 require => Postgresql::Server::Role[$user],
174 # Lets setup the base rules
175 $local_auth_option = $version ? {
180 # Create a rule for the user
181 postgresql::server::pg_hba_rule { "allow ${user}":
185 auth_method => 'ident',
186 auth_option => $local_auth_option,
190 # Create a role to grant to the user
191 postgresql::server::role { $group:
194 require => Postgresql::Server::Database[$db],
197 # Grant the role to the user
198 postgresql::server::grant_role { "grant_role ${group} to ${user}":
203 postgresql::server::grant_role {"revoke ${group} from ${user}":
# First run: the catalog has to apply without failures.
209 apply_manifest(pp, :catch_failures => true)
# Second run is expected to change something: with a grant and a revoke of the
# same membership in one catalog the manifest never converges.
# NOTE(review): the attributes and ordering of the two grant_role resources are
# not visible here. Unless the revoke is ordered after the grant, the final
# state checked below is not guaranteed -- confirm in the full manifest.
210 apply_manifest(pp, :expect_changes => true)
# The membership must be gone: zero rows from pg_has_role() and nothing on
# stderr. Names are literals here, not the let() values.
212 psql('--command="SELECT 1 WHERE pg_has_role(\'psql_grant_role_tester\', \'test_group\', \'MEMBER\') = true" grant_role_test', 'psql_grant_role_tester') do |r|
213 expect(r.stdout).to match(/\(0 rows\)/)
214 expect(r.stderr).to eq('')
# Example: granting a role to a user that does not exist must fail the run and
# must not leave a membership behind.
219 it 'should not grant permission to a nonexistent user' do
226 $password = #{password}
228 class { 'postgresql::server': }
230 # Since we are not testing pg_hba or any of that, make a local user for ident auth
235 postgresql::server::database { $db:
238 # Create a role to grant to the nonexistent user
239 postgresql::server::role { $group:
242 require => Postgresql::Server::Database[$db],
245 # Grant the role to the nonexistent user
246 postgresql::server::grant_role { "grant_role ${group} to ${user}":
# The run itself has to fail; no role resource for $user is declared in the
# visible part of this manifest.
251 apply_manifest(pp, :expect_failures => true)
# Zero rows and empty stderr are required for the literal user name below.
# NOTE(review): earlier examples in this file create a role with exactly this
# name. Whether it still exists on the host at this point, and whether $user in
# this manifest resolves to the same name, is not visible here -- confirm that
# the 0-row result is reached because the grant was refused and not because of
# leftover or missing state.
253 psql('--command="SELECT 1 WHERE pg_has_role(\'psql_grant_role_tester\', \'test_group\', \'MEMBER\') = true" grant_role_test', 'psql_grant_role_tester') do |r|
254 expect(r.stdout).to match(/\(0 rows\)/)
255 expect(r.stderr).to eq('')