From 6367e359ea3a3be327b7c756bdc1a0810e717d93 Mon Sep 17 00:00:00 2001
From: Brett Porter
Date: Fri, 14 Dec 2012 23:02:18 +1100
Subject: [PATCH 1/2] add optional cwd to the postgres_psql command
When the psql command runs from a directory it does not have permission to access, it outputs an error. This error trips up the unless SQL command, causing the other SQL commands to run even if not needed. Rather than ignore stderr (which might hide something else), or use an arbitrary directory like /tmp, this code sets the cwd to the data directory, which will exist and be owned by the postgres user. If someone uses the postgres_psql type and customises the psql_user parameter, they should also set an appropriate cwd.
---
 lib/puppet/provider/postgresql_psql/ruby.rb | 12 +++++++++---
 lib/puppet/type/postgresql_psql.rb | 6 +++++-
 manifests/database.pp | 3 +++
 manifests/database_grant.pp | 2 ++
 manifests/role.pp | 2 ++
 5 files changed, 21 insertions(+), 4 deletions(-)
diff --git a/lib/puppet/provider/postgresql_psql/ruby.rb b/lib/puppet/provider/postgresql_psql/ruby.rb
index a875d6d..ac61628 100644
--- a/lib/puppet/provider/postgresql_psql/ruby.rb
+++ b/lib/puppet/provider/postgresql_psql/ruby.rb
@@ -51,8 +51,14 @@ Puppet::Type.type(:postgresql_psql).provide(:ruby) do
 end
 def run_sql_command(sql)
- Puppet::Util::SUIDManager.
- run_and_capture('psql -t -c "' << sql.gsub('"', '\"') << '"', resource[:psql_user], resource[:psql_group])
+ command = 'psql -t -c "' << sql.gsub('"', '\"') << '"'
+ if resource[:cwd]
+ Dir.chdir resource[:cwd] do
+ Puppet::Util::SUIDManager.run_and_capture(command, resource[:psql_user], resource[:psql_group])
+ end
+ else
+ Puppet::Util::SUIDManager.run_and_capture(command, resource[:psql_user], resource[:psql_group])
+ end
 end
-end
\ No newline at end of file
+end
diff --git a/lib/puppet/type/postgresql_psql.rb b/lib/puppet/type/postgresql_psql.rb
index fd7826b..8671986 100644
--- a/lib/puppet/type/postgresql_psql.rb
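Review bot: In `run_sql_command` (lib/puppet/provider/postgresql_psql/ruby.rb) the new `command =` line still assembles a shell string and escapes only the double quote, so inside those quotes the shell keeps interpreting `$`, backticks and backslashes in the SQL text before psql ever sees it, running as `psql_user`. The manifests in this same patch interpolate values such as `$dbname` and `$username` into that SQL, so a name containing one of those characters changes what gets executed. If `run_and_capture` accepts an argument array on the Puppet versions this module supports (to be confirmed), `command = ['psql', '-t', '-c', sql]` avoids the shell altogether; otherwise quote the argument with `Shellwords.escape(sql)` from the standard library. Separately, both branches repeat the same `run_and_capture` call and could share one local lambda or helper so they cannot drift apart.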
+++ b/lib/puppet/type/postgresql_psql.rb
@@ -59,6 +59,10 @@ Puppet::Type.newtype(:postgresql_psql) do
 defaultto("postgres")
 end
+ newparam(:cwd) do
+ desc "The working directory under which the psql command should be executed."
+ end
+
 newparam(:refreshonly) do
 desc "If 'true', then the SQL will only be executed via a notify/subscribe event."
@@ -71,4 +75,4 @@ Puppet::Type.newtype(:postgresql_psql) do
 self.property(:command).sync(true)
 end
-end
\ No newline at end of file
+end
diff --git a/manifests/database.pp b/manifests/database.pp
index e4ac665..560dc9d 100644
--- a/manifests/database.pp
+++ b/manifests/database.pp
@@ -34,11 +34,13 @@ define postgresql::database(
 postgresql_psql { "Check for existence of db '$dbname'":
 command => "SELECT 1",
 unless => "SELECT datname FROM pg_database WHERE datname='$dbname'",
+ cwd => $postgresql::params::datadir,
 } ~>
 exec { $createdb_command :
 refreshonly => true,
 user => 'postgres',
+ cwd => $postgresql::params::datadir,
 } ~>
 # This will prevent users from connecting to the database unless they've been
@@ -46,6 +48,7 @@ define postgresql::database(
 postgresql_psql {"REVOKE CONNECT ON DATABASE $dbname FROM public":
 db => 'postgres',
 refreshonly => true,
+ cwd => $postgresql::params::datadir,
 }
 }
diff --git a/manifests/database_grant.pp b/manifests/database_grant.pp
index 1415415..6904e71 100644
--- a/manifests/database_grant.pp
+++ b/manifests/database_grant.pp
@@ -33,6 +33,7 @@ define postgresql::database_grant(
 $psql_db = 'postgres',
 $psql_user ='postgres'
 ) {
+ include postgresql::params
 # TODO: FIXME: only works on databases, due to using has_database_privilege
@@ -53,6 +54,7 @@ define postgresql::database_grant(
 db => $psql_db,
 psql_user => $psql_user,
 unless => "SELECT 1 WHERE has_database_privilege('$role', '$db', '$unless_privilege')",
+ cwd => $postgresql::params::datadir,
 }
 }
diff --git a/manifests/role.pp b/manifests/role.pp
index 8926fe7..031a797 100644
--- a/manifests/role.pp
+++ b/manifests/role.pp
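Review bot: The `cwd => $postgresql::params::datadir` lines added to the `postgresql_psql` and `exec` resources in manifests/database.pp make each run depend on the data directory already existing, and nothing in the visible hunks orders these resources after whatever initialises that directory. The provider wraps the call in `Dir.chdir`, which raises when the path is missing, so on a node where the directory has not been created yet the resource would fail before psql is tried. The same attribute is added in the second hunk of this file and in manifests/database_grant.pp and manifests/role.pp, so the point applies there as well. Ordering may already be set up outside the hunks; if it is not, add an explicit `require` on the class that creates the data directory, or at least a comment such as `# cwd must exist: relies on the server class having initialised datadir`. This file also gains no `include postgresql::params` in the visible lines, unlike the other two manifests, so please confirm the variable is in scope here.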
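Review bot: In the second hunk of manifests/database_grant.pp the working directory is pinned with `cwd => $postgresql::params::datadir` on a resource whose `psql_user => $psql_user` is caller-configurable. A caller who overrides `$psql_user` with an account that cannot enter the data directory gets back the permission error this patch is meant to remove, and with it the `unless` check that misfires and lets the grant run when it is not needed. The commit message says such callers should set their own cwd, but the define exposes no parameter for it. I would add a `$psql_cwd` parameter to the define that falls back to the data directory when unset and pass it through as `cwd => $psql_cwd,`.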
@@ -25,6 +25,7 @@ define postgresql::role(
 $superuser = false,
 $username = $title
 ) {
+ include postgresql::params
 $login_sql = $login ? { true => 'LOGIN' , default => 'NOLOGIN' }
 $createrole_sql = $createrole ? { true => 'CREATEROLE', default => 'NOCREATEROLE' }
@@ -36,5 +37,6 @@ define postgresql::role(
 db => $db,
 psql_user => 'postgres',
 unless => "SELECT rolname FROM pg_roles WHERE rolname='$username'",
+ cwd => $postgresql::params::datadir,
 }
 }
From 6b53c07da0b6fdd63b7828a220bb8636989bb311 Mon Sep 17 00:00:00 2001
From: Brett Porter
Date: Fri, 14 Dec 2012 23:22:38 +1100
Subject: [PATCH 2/2] set an appropriate parent for the parameter
---
 lib/puppet/type/postgresql_psql.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/puppet/type/postgresql_psql.rb b/lib/puppet/type/postgresql_psql.rb
index 8671986..df5df1e 100644
--- a/lib/puppet/type/postgresql_psql.rb
+++ b/lib/puppet/type/postgresql_psql.rb
@@ -59,7 +59,7 @@ Puppet::Type.newtype(:postgresql_psql) do
 defaultto("postgres")
 end
- newparam(:cwd) do
+ newparam(:cwd, :parent => Puppet::Parameter::Path) do
 desc "The working directory under which the psql command should be executed."
 end
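Review bot: In the [PATCH 2/2] hunk for lib/puppet/type/postgresql_psql.rb, the `desc` string under the new `newparam(:cwd, :parent => Puppet::Parameter::Path)` line no longer matches what the parameter accepts. As far as I know that parent class rejects anything that is not a fully qualified path, and the description does not say so, nor that `psql_user` must be able to access the directory. I would extend it to `desc "The working directory under which the psql command should be executed. Must be an absolute path that psql_user can access."`. The check appears to be syntactic only, so a missing or unreadable directory is still discovered only when the provider changes into it.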