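# Resource postgresql::grant
#
# Grants one privilege on a database or a table to a role by running
#   GRANT <privilege> ON <type> "<object_name>" TO "<role>"
# through postgresql_psql. The GRANT is skipped when the matching
# has_*_privilege() function already reports the role as holding it.
#
# TODO: in mysql module, the grant resource name might look like this:
# 'user@host/dbname'; I think that the API for the resource type should split
# these up, because it's easier / safer to recombine them for mysql than it is
# to parse them for other databases. Also, in the mysql module, the hostname
# portion of that string affects the user's ability to connect from remote
# hosts. In postgres this is managed via pg_hba.conf; not sure if we want to
# try to reconcile that difference in the modules or not.
#
# Parameters:
#   $role        - role receiving the grant. It is spliced into the SQL both as
#                  a double-quoted identifier and as a single-quoted literal,
#                  so quote characters and backslashes are rejected up front.
#   $db          - database owning the object; TABLE grants run against it.
#   $privilege   - privilege to grant (case-insensitive). Effectively required:
#                  the validation below rejects an unset privilege.
#                  TODO: mysql supports an array of privileges here. We should
#                  do that if we port this to ruby.
#   $object_type - 'database' (default) or 'table', case-insensitive.
#   $object_name - object to grant on; defaults to $db. Same quoting rules as
#                  $role.
#   $psql_db     - database to connect to for DATABASE grants.
#   $psql_user   - OS user that psql runs as.
define postgresql::grant (
  $role,
  $db,
  $privilege   = undef,
  $object_type = 'database',
  $object_name = $db,
  $psql_db     = $postgresql::params::user,
  $psql_user   = $postgresql::params::user
) {
  ## Munge the input values
  $_object_type = upcase($object_type)
  $_privilege   = upcase($privilege)

  ## Refuse values that would escape the quoting used in the SQL below.
  ## $role and $object_name land inside "..." in the GRANT and inside '...'
  ## in the `unless` query; a quote or backslash in either would alter the
  ## statement instead of naming an object. Fail early with a clear message
  ## rather than hand psql broken (or unintended) SQL. \A/\z anchor the whole
  ## value: Ruby's ^/$ only anchor a line, so a value with an embedded newline
  ## could otherwise pass.
  validate_re($role, '\A[^"\'\\\\]+\z',
    'postgresql::grant: role must be non-empty and must not contain quotes or backslashes')
  validate_re($object_name, '\A[^"\'\\\\]+\z',
    'postgresql::grant: object_name must be non-empty and must not contain quotes or backslashes')

  ## Validate that the object type is known.
  ## NB: stdlib's validate_string() only checks that its arguments are strings;
  ## it does not check membership, so a regex is needed for an allow-list.
  validate_re($_object_type, '^(DATABASE|TABLE)$',
    "postgresql::grant: unsupported object_type '${object_type}' (expected 'database' or 'table')")
  # Not yet supported:
  #   COLUMN, FOREIGN SERVER, FOREIGN DATA WRAPPER, FUNCTION,
  #   PROCEDURAL LANGUAGE, SCHEMA, SEQUENCE, TABLESPACE, VIEW

  ## Per object type: allow-list the privilege, pick the has_*_privilege()
  ## function used by the `unless` query, and pick the privilege name to probe.
  ##
  ## has_database_privilege()/has_table_privilege() do not understand 'ALL' or
  ## 'ALL PRIVILEGES', so for those the probe uses a single privilege that ALL
  ## implies. This is a known approximation: a role holding only that one
  ## privilege is treated as already having ALL and the GRANT is skipped. The
  ## proper fix is to expand ALL to its member privileges and check each; that
  ## should wait until this is ported to ruby.
  case $_object_type {
    'DATABASE': {
      validate_re($_privilege, '^(CREATE|CONNECT|TEMPORARY|TEMP|ALL|ALL PRIVILEGES)$',
        "postgresql::grant: unsupported privilege '${privilege}' for object_type 'database'")
      $unless_function = 'has_database_privilege'
      $on_db           = $psql_db
      # CREATE stands in for ALL on a database.
      $unless_privilege = $_privilege ? {
        'ALL'            => 'CREATE',
        'ALL PRIVILEGES' => 'CREATE',
        default          => $_privilege,
      }
    }
    'TABLE': {
      # DELETE, TRUNCATE and TRIGGER are valid table privileges for both GRANT
      # and has_table_privilege(), so they are accepted alongside the original
      # list.
      validate_re($_privilege, '^(SELECT|INSERT|UPDATE|DELETE|TRUNCATE|REFERENCES|TRIGGER|ALL|ALL PRIVILEGES)$',
        "postgresql::grant: unsupported privilege '${privilege}' for object_type 'table'")
      $unless_function = 'has_table_privilege'
      $on_db           = $db
      # INSERT stands in for ALL on a table. CREATE is not a table privilege
      # and has_table_privilege() rejects it, so it cannot be the probe here.
      $unless_privilege = $_privilege ? {
        'ALL'            => 'INSERT',
        'ALL PRIVILEGES' => 'INSERT',
        default          => $_privilege,
      }
    }
    default: {
      fail("Missing privilege validation for object type ${_object_type}")
    }
  }

  postgresql_psql { "GRANT ${_privilege} ON ${_object_type} \"${object_name}\" TO \"${role}\"":
    db         => $on_db,
    psql_user  => $psql_user,
    psql_group => $postgresql::params::group,
    psql_path  => $postgresql::params::psql_path,
    # The GRANT is skipped when this query returns a row, i.e. when the role
    # already holds the probe privilege on the object.
    unless     => "SELECT 1 WHERE ${unless_function}('${role}', '${object_name}', '${unless_privilege}')",
  }
}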