Merge pull request #392 from h0tw1r3/fix-database-port

Fix custom database port support

Author: h0tw1r3

manifests/database/default_read_grant.pp

@@ -6,9 +6,11 @@
   String $schema,
   String $database_username,
   String $database_read_only_username,
+  Optional[Stdlib::Port] $database_port = undef,
 ) {
   postgresql_psql { "grant default select permission for ${database_read_only_username}":
     db      => $database_name,
+    port    => $database_port,
     command => "ALTER DEFAULT PRIVILEGES
                   FOR USER \"${database_username}\"
                   IN SCHEMA \"${schema}\"
@@ -26,6 +28,7 @@
 
   postgresql_psql { "grant default usage permission for ${database_read_only_username}":
     db      => $database_name,
+    port    => $database_port,
     command => "ALTER DEFAULT PRIVILEGES
                   FOR USER \"${database_username}\"
                   IN SCHEMA \"${schema}\"
@@ -43,6 +46,7 @@
 
   postgresql_psql { "grant default execute permission for ${database_read_only_username}":
     db      => $database_name,
+    port    => $database_port,
     command => "ALTER DEFAULT PRIVILEGES
                   FOR USER \"${database_username}\"
                   IN SCHEMA \"${schema}\"

manifests/database/postgresql.pp

@@ -84,6 +84,8 @@
   $read_database_password      = $puppetdb::params::read_database_password,
   $read_database_host          = $puppetdb::params::read_database_host
 ) inherits puppetdb::params {
+  $port = scanf($database_port, '%i')[0]
+
   if $manage_server {
     class { 'postgresql::globals':
       manage_package_repo => $manage_package_repo,
@@ -93,7 +95,7 @@
     class { 'postgresql::server':
       ip_mask_allow_all_users => '0.0.0.0/0',
       listen_addresses        => $listen_addresses,
-      port                    => scanf($database_port, '%i')[0],
+      port                    => $port,
     }
 
     # We need to create the ssl connection for the read user, when
@@ -129,6 +131,7 @@
       postgresql::server::extension { 'pg_trgm':
         database => $database_name,
         require  => Postgresql::Server::Db[$database_name],
+        port     => $port,
       }
     }
   }
@@ -139,10 +142,12 @@
       user     => $database_username,
       password => $database_password,
       grant    => 'all',
+      port     => $port,
     }
 
     -> postgresql_psql { 'revoke all access on public schema':
       db      => $database_name,
+      port    => $port,
       command => 'REVOKE CREATE ON SCHEMA public FROM public',
       unless  => "SELECT * FROM
                   (SELECT has_schema_privilege('public', 'public', 'create') can_create) privs
@@ -151,6 +156,7 @@
 
     -> postgresql_psql { "grant all permissions to ${database_username}":
       db      => $database_name,
+      port    => $port,
       command => "GRANT CREATE ON SCHEMA public TO \"${database_username}\"",
       unless  => "SELECT * FROM
                   (SELECT has_schema_privilege('${database_username}', 'public', 'create') can_create) privs
@@ -162,10 +168,12 @@
       database_name          => $database_name,
       password_hash          => postgresql::postgresql_password($read_database_username, $read_database_password),
       database_owner         => $database_username,
+      database_port          => $port,
     }
 
     -> postgresql_psql { "grant ${read_database_username} role to ${database_username}":
       db      => $database_name,
+      port    => $port,
       command => "GRANT \"${read_database_username}\" TO \"${database_username}\"",
       unless  => "SELECT oid, rolname FROM pg_roles WHERE
                    pg_has_role( '${database_username}', oid, 'member') and rolname = '${read_database_username}'";

manifests/database/read_grant.pp

@@ -5,9 +5,11 @@
   String $database_name,
   String $schema,
   String $database_read_only_username,
+  Optional[Stdlib::Port] $database_port = undef,
 ) {
   postgresql_psql { "grant select permission for ${database_read_only_username}":
     db      => $database_name,
+    port    => $database_port,
     command => "GRANT SELECT
                 ON ALL TABLES IN SCHEMA \"${schema}\"
                 TO \"${database_read_only_username}\"",
@@ -22,6 +24,7 @@
 
   postgresql_psql { "grant usage permission for ${database_read_only_username}":
     db      => $database_name,
+    port    => $database_port,
     command => "GRANT USAGE
                 ON ALL SEQUENCES IN SCHEMA \"${schema}\"
                 TO \"${database_read_only_username}\"",
@@ -36,6 +39,7 @@
 
   postgresql_psql { "grant execution permission for ${database_read_only_username}":
     db      => $database_name,
+    port    => $database_port,
     command => "GRANT EXECUTE
                 ON ALL FUNCTIONS IN SCHEMA \"${schema}\"
                 TO \"${database_read_only_username}\"",

manifests/database/read_only_user.pp

@@ -20,29 +20,34 @@
   String $database_name,
   String $database_owner,
   Variant[String, Boolean] $password_hash = false,
+  Optional[Stdlib::Port] $database_port = undef,
 ) {
   postgresql::server::role { $read_database_username:
     password_hash => $password_hash,
+    port          => $database_port,
   }
 
   -> postgresql::server::database_grant { "${database_name} grant connection permission to ${read_database_username}":
     privilege => 'CONNECT',
     db        => $database_name,
     role      => $read_database_username,
+    port      => $database_port,
   }
 
   -> puppetdb::database::default_read_grant {
     "${database_name} grant read permission on new objects from ${database_owner} to ${read_database_username}":
       database_username           => $database_owner,
       database_read_only_username => $read_database_username,
       database_name               => $database_name,
+      database_port               => $database_port,
       schema                      => 'public',
   }
 
   -> puppetdb::database::read_grant {
     "${database_name} grant read-only permission on existing objects to ${read_database_username}":
       database_read_only_username => $read_database_username,
       database_name               => $database_name,
+      database_port               => $database_port,
       schema                      => 'public',
   }
 }

spec/acceptance/standalone_spec.rb

@@ -105,4 +105,23 @@
       it { is_expected.to be_running }
     end
   end
+
+  describe 'supports changing database port', :change do
+    let(:puppetdb_params) do
+      <<~EOS
+        database_port           => '5433',
+        read_database_port      => '5433',
+      EOS
+    end
+
+    it_behaves_like 'puppetdb'
+
+    describe port(5433), :status do
+      it { is_expected.to be_listening }
+    end
+
+    describe service('puppetdb') do
+      it { is_expected.to be_running }
+    end
+  end
 end

spec/defines/database/default_read_grant_spec.rb

@@ -3,13 +3,15 @@
 require 'spec_helper'
 
 describe 'puppetdb::database::default_read_grant' do
+  defaults = {
+    database_name:               'puppetdb',
+    schema:                      'public',
+    database_username:           'puppetdb',
+    database_read_only_username: 'puppetdb-read',
+  }
   valid = {
-    'standard': {
-      database_name:               'puppetdb',
-      schema:                      'public',
-      database_username:           'puppetdb',
-      database_read_only_username: 'puppetdb-read',
-    }
+    'standard': defaults,
+    'standard with port': defaults.merge({ database_port: 5433 }),
   }
 
   invalid = {
@@ -18,7 +20,8 @@
       schema:                      'public',
       database_username:           'puppetdb',
       database_read_only_username: 'puppetdb-read',
-    }
+    },
+    'invalid data type': defaults.merge({ database_port: '5433' }),
   }
 
   let(:facts) { on_supported_os.take(1).first[1] }

spec/defines/database/read_grant_spec.rb

@@ -2,16 +2,20 @@
 
 require 'spec_helper'
 
+defaults = {
+  database_read_only_username: 'puppetdb-read',
+  database_name:               'puppetdb',
+  schema:                      'public',
+}
+
 valid = {
-  'grant read on new objects from blah to blah': {
-    database_read_only_username: 'puppetdb-read',
-    database_name:               'puppetdb',
-    schema:                      'public',
-  },
+  'grant read on new objects from blah to blah': defaults,
+  'grant read on new objects from blah to blah with port': defaults.merge({ database_port: 5433 }),
 }
 
 invalid = {
   'no params': {},
+  'invalid data type': defaults.merge({ database_port: '5433' }),
 }
 
 describe 'puppetdb::database::read_grant' do

spec/defines/database/read_only_user_spec.rb

@@ -2,22 +2,25 @@
 
 require 'spec_helper'
 
+defaults = {
+  read_database_username: 'puppetdb-read',
+  database_name:          'puppetdb',
+  database_owner:         'puppetdb',
+}
+
 valid = {
-  'puppetdb-read': {
-    read_database_username: 'puppetdb-read',
-    database_name:          'puppetdb',
-    password_hash:          'blah',
-    database_owner:         'puppetdb',
-  },
+  'puppetdb-read': defaults.merge({ password_hash: 'blash' }),
   'spectest': {
     read_database_username: 'spectest-read',
     database_name:          'spectest',
     database_owner:         'spectest',
   },
+  'with port': defaults.merge({ database_port: 5433 }),
 }
 
 invalid = {
   'no params': {},
+  'invalid data type': defaults.merge({ database_port: '5433' }),
 }
 
 describe 'puppetdb::database::read_only_user', type: :define do

spec/support/acceptance/shared/puppetdb.rb

@@ -45,4 +45,8 @@ class { 'puppetdb':
   it 'applies idempotently' do
     idempotent_apply(pp, debug: ENV.key?('DEBUG'))
   end
+
+  it 'agent can puppetdb_query' do
+    apply_manifest("$envs = puppetdb_query('environments[name]{}')", expect_failures: false, debug: ENV.key?('DEBUG'))
+  end
 end

spec/unit/classes/database/postgresql_spec.rb

@@ -51,6 +51,7 @@
           database_password: 'puppetdb',
           read_database_username: 'puppetdb-read',
           read_database_password: 'puppetdb-read',
+          database_port: '5432',
         }
       end
 
@@ -60,6 +61,7 @@
             user:     params[:database_username],
             password: params[:database_password],
             grant:    'all',
+            port:     params[:database_port].to_i,
           )
       }
 
@@ -68,6 +70,7 @@
           .that_requires("Postgresql::Server::Db[#{params[:database_name]}]")
           .with(
             db:      params[:database_name],
+            port:    params[:database_port].to_i,
             command: 'REVOKE CREATE ON SCHEMA public FROM public',
             unless:  "SELECT * FROM
                   (SELECT has_schema_privilege('public', 'public', 'create') can_create) privs
@@ -81,6 +84,7 @@
           .that_comes_before("Puppetdb::Database::Read_only_user[#{params[:read_database_username]}]")
           .with(
             db:      params[:database_name],
+            port:    params[:database_port].to_i,
             command: "GRANT CREATE ON SCHEMA public TO \"#{params[:database_username]}\"",
             unless:  "SELECT * FROM
                   (SELECT has_schema_privilege('#{params[:database_username]}', 'public', 'create') can_create) privs
@@ -96,6 +100,7 @@
             database_name:          params[:database_name],
             password_hash:          %r{^(md5|SCRAM)}, # TODO: mock properly
             database_owner:         params[:database_username],
+            database_port:          params[:database_port].to_i,
           }
         end
       end
@@ -105,6 +110,7 @@
           .that_requires("Puppetdb::Database::Read_only_user[#{params[:read_database_username]}]")
           .with(
             db:      params[:database_name],
+            port:    params[:database_port].to_i,
             command: "GRANT \"#{params[:read_database_username]}\" TO \"#{params[:database_username]}\"",
             unless:  "SELECT oid, rolname FROM pg_roles WHERE
                    pg_has_role( '#{params[:database_username]}', oid, 'member') and rolname = '#{params[:read_database_username]}'",