postgresql::server::grant use SELECT 1 WHERE NOT EXISTS in preference to HAVING count(*)=0

George Hansper · George Hansper · commit 92f48427158b · 2017-06-28T14:22:08.000+10:00
diff --git a/manifests/server/grant.pp b/manifests/server/grant.pp
@@ -139,7 +139,7 @@
       # the role does not have the specified privilege, making it necessary to
       # execute the GRANT statement.
       if $ensure == 'present' {
-        $custom_unless = "SELECT 1 FROM (
+        $custom_unless = "SELECT 1 WHERE NOT EXISTS (
           SELECT sequence_name
           FROM information_schema.sequences
           WHERE sequence_schema='${schema}'
@@ -174,11 +174,10 @@
           WHERE grantee='${role}'
           AND object_schema='${schema}'
           AND privilege_type='${custom_privilege}'
-          ) P
-          HAVING count(P.sequence_name) = 0"
+          )"
       } else {
         # ensure == absent
-        $custom_unless = "SELECT 1 FROM (
+        $custom_unless = "SELECT 1 WHERE NOT EXISTS (
           SELECT object_name as sequence_name
           FROM (
             SELECT object_schema,
@@ -209,8 +208,7 @@
           WHERE grantee='${role}'
           AND object_schema='${schema}'
           AND privilege_type='${custom_privilege}'
-          ) P
-          HAVING count(P.sequence_name) = 0"
+          )"
       }
     }
     'TABLE': {
@@ -251,7 +249,7 @@
       if $ensure == 'present' {
         if $_privilege == 'ALL' or $_privilege == 'ALL PRIVILEGES' {
           # GRANT ALL
-          $custom_unless = "SELECT 1 FROM
+          $custom_unless = "SELECT 1 WHERE NOT EXISTS
              ( SELECT 1 FROM pg_catalog.pg_tables AS t,
                (VALUES ('SELECT'), ('UPDATE'), ('INSERT'), ('DELETE'), ('TRIGGER'), ('REFERENCES'), ('TRUNCATE')) AS p(privilege_type)
                WHERE t.schemaname = '${schema}'
@@ -261,11 +259,11 @@
                      AND g.table_schema = '${schema}'
                      AND g.privilege_type = p.privilege_type
                    )
-             ) AS privs_missing HAVING privs_missing.count=0"
+             )"
 
         } else {
           # GRANT $_privilege
-          $custom_unless = "SELECT 1 FROM
+          $custom_unless = "SELECT 1 WHERE NOT EXISTS
              ( SELECT 1 FROM pg_catalog.pg_tables AS t
                WHERE t.schemaname = '${schema}'
                  AND NOT EXISTS (
@@ -274,22 +272,22 @@
                      AND g.table_schema = '${schema}'
                      AND g.privilege_type = '${_privilege}'
                    )
-             ) AS tbls HAVING tbls.count=0"
+             )"
         }
       } else {
         if $_privilege == 'ALL' or $_privilege == 'ALL PRIVILEGES' {
           # REVOKE ALL
-          $custom_unless = "SELECT 1 FROM
+          $custom_unless = "SELECT 1 WHERE NOT EXISTS
              ( SELECT table_name FROM information_schema.role_table_grants
                WHERE grantee = '${role}' AND table_schema ='${schema}'
-             ) AS tbls HAVING tbls.count=0"
+             )"
         } else {
           # REVOKE $_privilege
-          $custom_unless = "SELECT 1 FROM
+          $custom_unless = "SELECT 1 WHERE NOT EXISTS
              ( SELECT table_name FROM information_schema.role_table_grants
                WHERE grantee = '${role}' AND table_schema ='${schema}'
                AND privilege_type = '${_privilege}'
-             ) AS tbls HAVING tbls.count=0"
+             )"
         }
       }
 
diff --git a/spec/unit/defines/server/grant_spec.rb b/spec/unit/defines/server/grant_spec.rb
@@ -74,7 +74,7 @@
     it { is_expected.to contain_postgresql_psql('grant:test').with(
       {
         'command' => /GRANT USAGE ON ALL SEQUENCES IN SCHEMA "public" TO\s* "test"/m,
-        'unless'  => /SELECT 1 FROM \(\s*SELECT sequence_name\s* FROM information_schema\.sequences\s* WHERE sequence_schema='public'\s* EXCEPT DISTINCT\s* SELECT object_name as sequence_name\s* FROM .* WHERE .*grantee='test'\s* AND object_schema='public'\s* AND privilege_type='USAGE'\s*\) P\s* HAVING count\(P\.sequence_name\) = 0/m,
+        'unless'  => /SELECT 1 WHERE NOT EXISTS \(\s*SELECT sequence_name\s* FROM information_schema\.sequences\s* WHERE sequence_schema='public'\s* EXCEPT DISTINCT\s* SELECT object_name as sequence_name\s* FROM .* WHERE .*grantee='test'\s* AND object_schema='public'\s* AND privilege_type='USAGE'\s*\)/m,
       }
     ) }
   end

Original file line number	Diff line number	Diff line change
`@@ -74,7 +74,7 @@`
`74`	`74`	`it { is_expected.to contain_postgresql_psql('grant:test').with(`
`75`	`75`	`{`
`76`	`76`	`'command' => /GRANT USAGE ON ALL SEQUENCES IN SCHEMA "public" TO\s* "test"/m,`
`77`		`- 'unless' => /SELECT 1 FROM \(\sSELECT sequence_name\s FROM information_schema\.sequences\s* WHERE sequence_schema='public'\s* EXCEPT DISTINCT\s* SELECT object_name as sequence_name\s* FROM .* WHERE .grantee='test'\s AND object_schema='public'\s* AND privilege_type='USAGE'\s\) P\s HAVING count\(P\.sequence_name\) = 0/m,`
	`77`	`+ 'unless' => /SELECT 1 WHERE NOT EXISTS \(\sSELECT sequence_name\s FROM information_schema\.sequences\s* WHERE sequence_schema='public'\s* EXCEPT DISTINCT\s* SELECT object_name as sequence_name\s* FROM .* WHERE .grantee='test'\s AND object_schema='public'\s* AND privilege_type='USAGE'\s*\)/m,`
`78`	`78`	`}`
`79`	`79`	`) }`
`80`	`80`	`end`