From 71f57c9fe36fe1da764482190419629bf3673e0b Mon Sep 17 00:00:00 2001
From: Oleksii Kliukin <oleksii.kliukin@zalando.de>
Date: Mon, 6 Nov 2017 13:04:36 +0100
Subject: [PATCH] Fix escaping of parameter values and extra spaces.

- document the newly introduced option (for now in the main README)
- make query error output more readable.
---
 README.md                 |  8 ++++++++
 pkg/util/config/config.go |  2 +-
 pkg/util/users/users.go   | 23 ++++++++++++++++-------
 3 files changed, 25 insertions(+), 8 deletions(-)

diff --git a/README.md b/README.md
index baa17ef87..1ad9fbffd 100644
--- a/README.md
+++ b/README.md
@@ -201,6 +201,14 @@ The following steps will get you the docker image built and deployed.
     $ make docker
     $ sed -e "s/\(image\:.*\:\).*$/\1$TAG/" manifests/postgres-operator.yaml|kubectl --context minikube create  -f -
 
+
+### Operator Configuration Parameters
+
+* api_roles_configuration - a map represented as *"key1:value1,key2:value2"*
+of configuration parameters applied to the roles fetched from the API.
+By default is set to *"log_statement:all"*. See [PostgreSQL documentation on ALTER ROLE .. SET](https://www.postgresql.org/docs/current/static/sql-alterrole.html) for to learn about the available options.
+
+
 ### Debugging the operator itself
 
 There is a web interface in the operator to observe its internal state. The operator listens on port 8080. It is possible to expose it to the localhost:8080 by doing:
diff --git a/pkg/util/config/config.go b/pkg/util/config/config.go
index 4910017ac..9d66dc53a 100644
--- a/pkg/util/config/config.go
+++ b/pkg/util/config/config.go
@@ -71,7 +71,7 @@ type Config struct {
 	APIPort               int               `name:"api_port" default:"8080"`
 	RingLogLines          int               `name:"ring_log_lines" default:"100"`
 	ClusterHistoryEntries int               `name:"cluster_history_entries" default:"1000"`
-	APIRolesParameters    map[string]string `name:"api_roles_configuration" default:"log_statement:all"`
+	APIRolesParameters    map[string]string `name:"api_roles_configuration" default:"log_statement:'all'"`
 
 	PodTerminateGracePeriod time.Duration `name:"pod_terminate_grace_period" default:"5m"`
 }
diff --git a/pkg/util/users/users.go b/pkg/util/users/users.go
index 456b13a1a..d8a3eaf98 100644
--- a/pkg/util/users/users.go
+++ b/pkg/util/users/users.go
@@ -14,7 +14,7 @@ const (
 	createUserSQL    = `SET LOCAL synchronous_commit = 'local'; CREATE ROLE "%s" %s %s;`
 	alterUserSQL     = `ALTER ROLE "%s" %s`
 	alterRoleResetAllSQL = `ALTER ROLE "%s" RESET ALL`
-	alterRoleSetSQL	 = `ALTER ROLE "%s" SET "%s" TO "%s"`
+	alterRoleSetSQL	 = `ALTER ROLE "%s" SET %s TO %s`
 	grantToUserSQL   = `GRANT %s TO "%s"`
 	doBlockStmt      = `SET LOCAL synchronous_commit = 'local'; DO $$ BEGIN %s; END;$$;`
 	passwordTemplate = "ENCRYPTED PASSWORD '%s'"
@@ -96,7 +96,7 @@ func (strategy DefaultUserSyncStrategy) alterPgUserSet(user spec.PgUser, db *sql
 	queries := produceAlterRoleSetStmts(user)
 	query := fmt.Sprintf(doBlockStmt, strings.Join(queries, ";"))
 	if _, err = db.Query(query); err != nil {
-		err = fmt.Errorf("dB error: %v, query: %q", err, query)
+		err = fmt.Errorf("dB error: %v, query: %s", err, query)
 		return
 	}
 	return
@@ -122,7 +122,7 @@ func (s DefaultUserSyncStrategy) createPgUser(user spec.PgUser, db *sql.DB) (err
 
 	_, err = db.Query(query) // TODO: Try several times
 	if err != nil {
-		err = fmt.Errorf("dB error: %v, query: %q", err, query)
+		err = fmt.Errorf("dB error: %v, query: %s", err, query)
 		return
 	}
 
@@ -148,7 +148,7 @@ func (s DefaultUserSyncStrategy) alterPgUser(user spec.PgUser, db *sql.DB) (err
 
 	_, err = db.Query(query) // TODO: Try several times
 	if err != nil {
-		err = fmt.Errorf("dB error: %v query %q", err, query)
+		err = fmt.Errorf("dB error: %v query %s", err, query)
 		return
 	}
 
@@ -157,7 +157,7 @@ func (s DefaultUserSyncStrategy) alterPgUser(user spec.PgUser, db *sql.DB) (err
 
 func produceAlterStmt(user spec.PgUser) string {
 	// ALTER ROLE ... LOGIN ENCRYPTED PASSWORD ..
-	result := make([]string, 1)
+	result := make([]string, 0)
 	password := user.Password
 	flags := user.Flags
 
@@ -171,10 +171,10 @@ func produceAlterStmt(user spec.PgUser) string {
 }
 
 func produceAlterRoleSetStmts(user spec.PgUser) []string {
-	result := make([]string, 1)
+	result := make([]string, 0)
 	result = append(result, fmt.Sprintf(alterRoleResetAllSQL, user.Name))
 	for key, value := range(user.Parameters) {
-		result = append(result, fmt.Sprintf(alterRoleSetSQL, user.Name, key, value))
+		result = append(result, fmt.Sprintf(alterRoleSetSQL, user.Name, key, quoteValue(value)))
 	}
 	return result
 }
@@ -191,3 +191,12 @@ func quoteMemberList(user spec.PgUser) string {
 	}
 	return strings.Join(memberof, ",")
 }
+
+// quoteVal quotes values to be used at ALTER ROLE SET param = value if necessary
+func quoteValue(val string) string {
+	if (strings.HasPrefix(val, `"`) && strings.HasSuffix(val, `"`)) ||
+		(strings.HasPrefix(val, `'`) && strings.HasSuffix(val, `'`)) {
+			return val
+	}
+	return fmt.Sprintf(`"%s"`, strings.Trim(val," "))
+}