From: Tom Hughes <tom@compton.nu>
Date: Sun, 15 Oct 2023 10:16:01 +0000 (+0100)
Subject: Add support for granting roles to postgres users
X-Git-Url: https://git.openstreetmap.org./chef.git/commitdiff_plain/2b4843ace5d011913f8e72df157ffd127e9da4a9?hp=0e7cbacd906cb3ec345a7fdfbd7be0519529720e

Add support for granting roles to postgres users
---

diff --git a/cookbooks/postgresql/libraries/postgresql.rb b/cookbooks/postgresql/libraries/postgresql.rb
index ab8ea6fbe..1a39da25a 100644
--- a/cookbooks/postgresql/libraries/postgresql.rb
+++ b/cookbooks/postgresql/libraries/postgresql.rb
@@ -76,12 +76,13 @@ module OpenStreetMap
     end
 
     def users
-      @users ||= query("SELECT * FROM pg_user").each_with_object({}) do |user, users|
+      @users ||= query("SELECT *, ARRAY(SELECT groname FROM pg_group WHERE usesysid = ANY(grolist)) AS roles FROM pg_user").each_with_object({}) do |user, users|
         users[user[:usename]] = {
           :superuser => user[:usesuper] == "t",
           :createdb => user[:usercreatedb] == "t",
           :createrole => user[:usecatupd] == "t",
-          :replication => user[:userepl] == "t"
+          :replication => user[:userepl] == "t",
+          :roles => parse_array(user[:roles] || "{}")
         }
       end
     end
@@ -140,8 +141,12 @@ module OpenStreetMap
 
     private
 
+    def parse_array(array)
+      array.sub(/^\{(.*)\}$/, "\\1").split(",")
+    end
+
     def parse_acl(acl)
-      acl.sub(/^\{(.*)\}$/, "\\1").split(",").each_with_object({}) do |entry, permissions|
+      parse_array(acl).each_with_object({}) do |entry, permissions|
         entry = entry.sub(/^"(.*)"$/) { Regexp.last_match[1].gsub(/\\"/, '"') }.sub(%r{/.*$}, "")
         user, privileges = entry.split("=")
 
diff --git a/cookbooks/postgresql/resources/user.rb b/cookbooks/postgresql/resources/user.rb
index 35ff5aa8b..31194fedc 100644
--- a/cookbooks/postgresql/resources/user.rb
+++ b/cookbooks/postgresql/resources/user.rb
@@ -30,6 +30,7 @@ property :superuser, :kind_of => [TrueClass, FalseClass], :default => false
 property :createdb, :kind_of => [TrueClass, FalseClass], :default => false
 property :createrole, :kind_of => [TrueClass, FalseClass], :default => false
 property :replication, :kind_of => [TrueClass, FalseClass], :default => false
+property :roles, :kind_of => [String, Array]
 
 action :create do
   password = new_resource.password ? "ENCRYPTED PASSWORD '#{new_resource.password.shellescape}'" : ""
@@ -70,6 +71,24 @@ action :create do
         end
       end
     end
+
+    roles = Array(new_resource.roles)
+
+    roles.each do |role|
+      next if current_user[:roles].include?(role)
+
+      converge_by "grant #{role} to #{new_resource.user}" do
+        cluster.execute(:command => "GRANT \"#{role}\" TO \"#{new_resource.user}\"")
+      end
+    end
+
+    current_user[:roles].each do |role|
+      next if roles.include?(role)
+
+      converge_by "revoke #{role} from #{new_resource.user}" do
+        cluster.execute(:command => "REVOKE \"#{role}\" FROM \"#{new_resource.user}\"")
+      end
+    end
   end
 end