diff --git a/manifests/server/role.pp b/manifests/server/role.pp index 1b37ce282c..f71ecf599c 100644 --- a/manifests/server/role.pp +++ b/manifests/server/role.pp @@ -11,6 +11,7 @@ # @param inherit Specifies whether to grant inherit capability for the new role. # @param superuser Specifies whether to grant super user capability for the new role. # @param replication Provides provides replication capabilities for this role if set to true. +# @param valid_until Specifies whether to set a valid until date for the role. # @param connection_limit Specifies how many concurrent connections the role can make. Default value: '-1', meaning no limit. # @param username Defines the username of the role to create. # @param connect_settings Specifies a hash of environment variables used when connecting to a remote server. @@ -35,6 +36,7 @@ Boolean $inherit = true, Boolean $superuser = false, Boolean $replication = false, + Optional[String[1]] $valid_until = undef, String[1] $connection_limit = '-1', String[1] $username = $title, Hash $connect_settings = $postgresql::server::default_connect_settings, @@ -126,6 +128,12 @@ unless => "SELECT 1 FROM pg_roles WHERE rolname = '${username}' AND rolinherit = ${inherit}", } + if $valid_until { + postgresql_psql { "ALTER ROLE \"${username}\" VALID UNTIL '${valid_until}'": + unless => "SELECT 1 FROM pg_roles WHERE rolname = '${username}' AND rolvaliduntil = '${valid_until}'", + } + } + if(versioncmp($version, '9.1') >= 0) { if $replication_sql == '' { postgresql_psql { "ALTER ROLE \"${username}\" NOREPLICATION": diff --git a/spec/defines/server_instance_spec.rb b/spec/defines/server_instance_spec.rb index 89eadb06c8..ea63146fe4 100644 --- a/spec/defines/server_instance_spec.rb +++ b/spec/defines/server_instance_spec.rb @@ -73,7 +73,9 @@ class { 'postgresql::server': 'app_test1': { 'login' => true }, 'rep_test1': { 'replication' => true, 'login' => true }, - 'rou_test1': { 'login' => true }, }, + 'rou_test1': { 'login' => true }, + 'val_test1': { 'login' => true, + 'valid_until' => '2030-01-01 00:00:00+00' }, }, 'pg_hba_rules': { 'local all INSTANCE user': { 'type' => 'local', 'database' => 'all', 'user' => 'ins_test1', @@ -214,10 +216,19 @@ class { 'postgresql::server': it { is_expected.to contain_postgresql_psql('ALTER ROLE "rou_test1" NOCREATEROLE') } it { is_expected.to contain_postgresql_psql('ALTER ROLE "rou_test1" NOREPLICATION') } it { is_expected.to contain_postgresql_psql('ALTER ROLE "rou_test1" NOSUPERUSER') } + it { is_expected.to contain_postgresql_psql('ALTER ROLE "val_test1" CONNECTION LIMIT -1') } + it { is_expected.to contain_postgresql_psql('ALTER ROLE "val_test1" INHERIT') } + it { is_expected.to contain_postgresql_psql('ALTER ROLE "val_test1" LOGIN') } + it { is_expected.to contain_postgresql_psql('ALTER ROLE "val_test1" NOCREATEDB') } + it { is_expected.to contain_postgresql_psql('ALTER ROLE "val_test1" NOCREATEROLE') } + it { is_expected.to contain_postgresql_psql('ALTER ROLE "val_test1" NOREPLICATION') } + it { is_expected.to contain_postgresql_psql('ALTER ROLE "val_test1" NOSUPERUSER') } + it { is_expected.to contain_postgresql_psql('ALTER ROLE "val_test1" VALID UNTIL \'2030-01-01 00:00:00+00\'') } it { is_expected.to contain_postgresql_psql('CREATE ROLE app_test1 ENCRYPTED PASSWORD ****') } it { is_expected.to contain_postgresql_psql('CREATE ROLE dba_test1 ENCRYPTED PASSWORD ****') } it { is_expected.to contain_postgresql_psql('CREATE ROLE ins_test1 ENCRYPTED PASSWORD ****') } it { is_expected.to contain_postgresql_psql('CREATE ROLE rep_test1 ENCRYPTED PASSWORD ****') } it { is_expected.to contain_postgresql_psql('CREATE ROLE rou_test1 ENCRYPTED PASSWORD ****') } + it { is_expected.to contain_postgresql_psql('CREATE ROLE val_test1 ENCRYPTED PASSWORD ****') } end end