From 72fbed2c61d2c38b1634d8c1db5bf7b90eff9229 Mon Sep 17 00:00:00 2001
From: Andrew Klychkov <aaklychkov@mail.ru>
Date: Thu, 23 Jan 2020 17:34:50 +0300
Subject: [PATCH] postgresql_user: add comment parameter (#66711)

* postgresql_user: add comment parameter

* add changelog

* fix CI
---
 ...-postgresql_user_add_comment_parameter.yml |  2 +
 .../database/postgresql/postgresql_user.py    | 40 ++++++++++++
 .../targets/postgresql_user/tasks/main.yml    |  2 +
 .../tasks/postgresql_user_general.yml         | 63 +++++++++++++++++++
 4 files changed, 107 insertions(+)
 create mode 100644 changelogs/fragments/66711-postgresql_user_add_comment_parameter.yml

diff --git a/changelogs/fragments/66711-postgresql_user_add_comment_parameter.yml b/changelogs/fragments/66711-postgresql_user_add_comment_parameter.yml
new file mode 100644
index 00000000000..bcdba652154
--- /dev/null
+++ b/changelogs/fragments/66711-postgresql_user_add_comment_parameter.yml
@@ -0,0 +1,2 @@
+minor_changes:
+- postgresql_user - add the comment parameter (https://github.com/ansible/ansible/pull/66711).
diff --git a/lib/ansible/modules/database/postgresql/postgresql_user.py b/lib/ansible/modules/database/postgresql/postgresql_user.py
index 29e35356c50..b7fdb7e7dc6 100644
--- a/lib/ansible/modules/database/postgresql/postgresql_user.py
+++ b/lib/ansible/modules/database/postgresql/postgresql_user.py
@@ -152,6 +152,11 @@ options:
     type: list
     elements: str
     version_added: '2.9'
+  comment:
+    description:
+    - Add a comment on the user (equal to the COMMENT ON ROLE statement result).
+    type: str
+    version_added: '2.10'
 notes:
 - The module creates a user (role) with login privilege by default.
   Use NOLOGIN role_attr_flags to change this behaviour.
@@ -178,6 +183,12 @@ EXAMPLES = r'''
     priv: "CONNECT/products:ALL"
     expires: "Jan 31 2020"
 
+- name: Add a comment on django user
+  postgresql_user:
+    db: acme
+    name: django
+    comment: This is a test user
+
 # Connect to default database, create rails user, set its password (MD5-hashed),
 # and grant privilege to create other databases and demote rails from super user status if user exists
 - name: Create rails user, set MD5-hashed password, grant privs
@@ -768,6 +779,26 @@ def get_valid_flags_by_version(cursor):
     ]
 
 
+def get_comment(cursor, user):
+    """Get user's comment."""
+    query = ("SELECT pg_catalog.shobj_description(r.oid, 'pg_authid') "
+             "FROM pg_catalog.pg_roles r "
+             "WHERE r.rolname = %(user)s")
+    cursor.execute(query, {'user': user})
+    return cursor.fetchone()[0]
+
+
+def add_comment(cursor, user, comment):
+    """Add comment on user."""
+    if comment != get_comment(cursor, user):
+        query = 'COMMENT ON ROLE "%s" IS ' % user
+        cursor.execute(query + '%(comment)s', {'comment': comment})
+        executed_queries.append(cursor.mogrify(query + '%(comment)s', {'comment': comment}))
+        return True
+    else:
+        return False
+
+
 # ===========================================
 # Module execution.
 #
@@ -788,6 +819,7 @@ def main():
         conn_limit=dict(type='int', default=None),
         session_role=dict(type='str'),
         groups=dict(type='list'),
+        comment=dict(type='str', default=None),
     )
     module = AnsibleModule(
         argument_spec=argument_spec,
@@ -812,6 +844,7 @@ def main():
     groups = module.params["groups"]
     if groups:
         groups = [e.strip() for e in groups]
+    comment = module.params["comment"]
 
     conn_params = get_conn_params(module, module.params, warn_db_default=False)
     db_connection = connect_to_db(module, conn_params)
@@ -855,6 +888,13 @@ def main():
             changed = pg_membership.grant() or changed
             executed_queries.extend(pg_membership.executed_queries)
 
+        if comment is not None:
+            try:
+                changed = add_comment(cursor, user, comment) or changed
+            except Exception as e:
+                module.fail_json(msg='Unable to add comment on role: %s' % to_native(e),
+                                 exception=traceback.format_exc())
+
     else:
         if user_exists(cursor, user):
             if module.check_mode:
diff --git a/test/integration/targets/postgresql_user/tasks/main.yml b/test/integration/targets/postgresql_user/tasks/main.yml
index 04fbeff86b6..d59ae63502b 100644
--- a/test/integration/targets/postgresql_user/tasks/main.yml
+++ b/test/integration/targets/postgresql_user/tasks/main.yml
@@ -1,5 +1,7 @@
 # Initial CI tests of postgresql_user module
 - import_tasks: postgresql_user_initial.yml
+  when: postgres_version_resp.stdout is version('9.4', '>=')
 
 # General tests:
 - import_tasks: postgresql_user_general.yml
+  when: postgres_version_resp.stdout is version('9.4', '>=')
diff --git a/test/integration/targets/postgresql_user/tasks/postgresql_user_general.yml b/test/integration/targets/postgresql_user/tasks/postgresql_user_general.yml
index 6d304302535..963f58ac1ae 100644
--- a/test/integration/targets/postgresql_user/tasks/postgresql_user_general.yml
+++ b/test/integration/targets/postgresql_user/tasks/postgresql_user_general.yml
@@ -8,6 +8,8 @@
     test_group1: group1
     test_group2: group2
     test_table: test
+    test_comment1: 'comment1'
+    test_comment2: 'comment2'
     task_parameters: &task_parameters
       become_user: '{{ pg_user }}'
       become: yes
@@ -63,6 +65,67 @@
       that:
       - result.rowcount == 1
 
+  - name: Add a comment on the user
+    <<: *task_parameters
+    postgresql_user:
+      <<: *pg_parameters
+      name: '{{ test_user }}'
+      comment: '{{ test_comment1 }}'
+
+  - assert:
+      that:
+      - result is changed
+      - result.queries == ["COMMENT ON ROLE \"{{ test_user }}\" IS '{{ test_comment1 }}'"]
+
+  - name: check the comment
+    <<: *task_parameters
+    postgresql_query:
+      <<: *pg_parameters
+      query: >
+        SELECT pg_catalog.shobj_description(r.oid, 'pg_authid') AS comment
+        FROM pg_catalog.pg_roles r WHERE r.rolname = '{{ test_user }}'
+
+  - assert:
+      that:
+      - result.rowcount == 1
+      - result.query_result[0].comment == '{{ test_comment1 }}'
+
+  - name: Try to add the same comment on the user
+    <<: *task_parameters
+    postgresql_user:
+      <<: *pg_parameters
+      name: '{{ test_user }}'
+      comment: '{{ test_comment1 }}'
+
+  - assert:
+      that:
+      - result is not changed
+
+  - name: Try to add another comment on the user
+    <<: *task_parameters
+    postgresql_user:
+      <<: *pg_parameters
+      name: '{{ test_user }}'
+      comment: '{{ test_comment2 }}'
+
+  - assert:
+      that:
+      - result is changed
+      - result.queries == ["COMMENT ON ROLE \"{{ test_user }}\" IS '{{ test_comment2 }}'"]
+
+  - name: check the comment
+    <<: *task_parameters
+    postgresql_query:
+      <<: *pg_parameters
+      query: >
+        SELECT pg_catalog.shobj_description(r.oid, 'pg_authid') AS comment
+        FROM pg_catalog.pg_roles r WHERE r.rolname = '{{ test_user }}'
+
+  - assert:
+      that:
+      - result.rowcount == 1
+      - result.query_result[0].comment == '{{ test_comment2 }}'
+
   - name: Try to create role again in check_mode
     <<: *task_parameters
     check_mode: yes