module-postgresql/manifests/server/pg_hba_rule.pp

# This resource manages an individual rule that applies to the file defined in
# $target. See README.md for more details.
define postgresql::server::pg_hba_rule(
  $type,
  $database,
  $user,
  $auth_method,
  $address     = undef,
  $description = 'none',
  $auth_option = undef,
  $order       = '150',

  # Needed for testing primarily, support for multiple files is not really
  # working.
  $target      = $postgresql::server::pg_hba_conf_path
) {

  if $postgresql::server::manage_pg_hba_conf == false {
      fail('postgresql::server::manage_pg_hba_conf has been disabled, so this resource is now unused and redundant, either enable that option or remove this resource from your manifests')
  } else {
    validate_re($type, '^(local|host|hostssl|hostnossl)$',
    "The type you specified [${type}] must be one of: local, host, hostssl, hostnosssl")

    if($type =~ /^host/ and $address == undef) {
      fail('You must specify an address property when type is host based')
    }

    $allowed_auth_methods = $postgresql::server::version ? {
      '9.3' => ['trust', 'reject', 'md5', 'sha1', 'password', 'gss', 'sspi', 'krb5', 'ident', 'peer', 'ldap', 'radius', 'cert', 'pam'],
      '9.2' => ['trust', 'reject', 'md5', 'sha1', 'password', 'gss', 'sspi', 'krb5', 'ident', 'peer', 'ldap', 'radius', 'cert', 'pam'],
      '9.1' => ['trust', 'reject', 'md5', 'sha1', 'password', 'gss', 'sspi', 'krb5', 'ident', 'peer', 'ldap', 'radius', 'cert', 'pam'],
      '9.0' => ['trust', 'reject', 'md5', 'sha1', 'password', 'gss', 'sspi', 'krb5', 'ident', 'ldap', 'radius', 'cert', 'pam'],
      '8.4' => ['trust', 'reject', 'md5', 'sha1', 'password', 'gss', 'sspi', 'krb5', 'ident', 'ldap', 'cert', 'pam'],
      '8.3' => ['trust', 'reject', 'md5', 'sha1', 'crypt', 'password', 'gss', 'sspi', 'krb5', 'ident', 'ldap', 'pam'],
      '8.2' => ['trust', 'reject', 'md5', 'crypt', 'password', 'krb5', 'ident', 'ldap', 'pam'],
      '8.1' => ['trust', 'reject', 'md5', 'crypt', 'password', 'krb5', 'ident', 'pam'],
      default => ['trust', 'reject', 'md5', 'password', 'gss', 'sspi', 'krb5', 'ident', 'peer', 'ldap', 'radius', 'cert', 'pam', 'crypt']
    }

    $auth_method_regex = join(['^(', join($allowed_auth_methods, '|'), ')$'],'')
    validate_re($auth_method, $auth_method_regex,
    join(["The auth_method you specified [${auth_method}] must be one of: ", join($allowed_auth_methods, ', ')],''))

    # Create a rule fragment
    $fragname = "pg_hba_rule_${name}"
    concat::fragment { $fragname:
      target  => $target,
      content => template('postgresql/pg_hba_rule.conf'),
      order   => $order,
    }
  }
}
Provide new defined resources for managing pg_hba.conf This patch provides a more advanced way of managing pg_hba rules, by providing a defined resource to manage a pg_hba file, and a defined resource for managing rules within such a file (pg_hba_rule). These new resources are wrappers around ripinaar-concat, and utilise file assemblies instead of a template to compose the pg_hba.conf file. I've provided a function that interprets the old ip4\|6acl arrays and converts them to this new format for backwards compatibility as well. I slightly reformatted our documentation to allow for better documentation of defined resources in 'Usage' as well, and provided examples of how to use this new resource. This hopefully should go a long way to solving the PR's related to lack of full functionality for pg_hba.conf. Signed-off-by: Ken Barber <ken@bob.sh> 2013-02-10 01:36:12 +01:00			`# This resource manages an individual rule that applies to the file defined in`
Major rewrite to solve order dependencies and unclear public API This is a very very large change to the module. It started out as a fix to add postgresl::server::config_entry, and quickly became a rewrite to fix a lot of ordering issues inherent in the API. Since this changes the Public API it is considered a backwards compatible change. See the upgrading guide in README.md for more details as to what has been modified in this patch. Signed-off-by: Ken Barber <ken@bob.sh> 2013-08-27 22:43:47 +02:00			`# $target. See README.md for more details.`
			`define postgresql::server::pg_hba_rule(`
Provide new defined resources for managing pg_hba.conf This patch provides a more advanced way of managing pg_hba rules, by providing a defined resource to manage a pg_hba file, and a defined resource for managing rules within such a file (pg_hba_rule). These new resources are wrappers around ripinaar-concat, and utilise file assemblies instead of a template to compose the pg_hba.conf file. I've provided a function that interprets the old ip4\|6acl arrays and converts them to this new format for backwards compatibility as well. I slightly reformatted our documentation to allow for better documentation of defined resources in 'Usage' as well, and provided examples of how to use this new resource. This hopefully should go a long way to solving the PR's related to lack of full functionality for pg_hba.conf. Signed-off-by: Ken Barber <ken@bob.sh> 2013-02-10 01:36:12 +01:00			`$type,`
			`$database,`
			`$user,`
			`$auth_method,`
Major rewrite to solve order dependencies and unclear public API This is a very very large change to the module. It started out as a fix to add postgresl::server::config_entry, and quickly became a rewrite to fix a lot of ordering issues inherent in the API. Since this changes the Public API it is considered a backwards compatible change. See the upgrading guide in README.md for more details as to what has been modified in this patch. Signed-off-by: Ken Barber <ken@bob.sh> 2013-08-27 22:43:47 +02:00			`$address = undef,`
Provide new defined resources for managing pg_hba.conf This patch provides a more advanced way of managing pg_hba rules, by providing a defined resource to manage a pg_hba file, and a defined resource for managing rules within such a file (pg_hba_rule). These new resources are wrappers around ripinaar-concat, and utilise file assemblies instead of a template to compose the pg_hba.conf file. I've provided a function that interprets the old ip4\|6acl arrays and converts them to this new format for backwards compatibility as well. I slightly reformatted our documentation to allow for better documentation of defined resources in 'Usage' as well, and provided examples of how to use this new resource. This hopefully should go a long way to solving the PR's related to lack of full functionality for pg_hba.conf. Signed-off-by: Ken Barber <ken@bob.sh> 2013-02-10 01:36:12 +01:00			`$description = 'none',`
			`$auth_option = undef,`
Major rewrite to solve order dependencies and unclear public API This is a very very large change to the module. It started out as a fix to add postgresl::server::config_entry, and quickly became a rewrite to fix a lot of ordering issues inherent in the API. Since this changes the Public API it is considered a backwards compatible change. See the upgrading guide in README.md for more details as to what has been modified in this patch. Signed-off-by: Ken Barber <ken@bob.sh> 2013-08-27 22:43:47 +02:00			`$order = '150',`

			`# Needed for testing primarily, support for multiple files is not really`
			`# working.`
			`$target = $postgresql::server::pg_hba_conf_path`
Provide new defined resources for managing pg_hba.conf This patch provides a more advanced way of managing pg_hba rules, by providing a defined resource to manage a pg_hba file, and a defined resource for managing rules within such a file (pg_hba_rule). These new resources are wrappers around ripinaar-concat, and utilise file assemblies instead of a template to compose the pg_hba.conf file. I've provided a function that interprets the old ip4\|6acl arrays and converts them to this new format for backwards compatibility as well. I slightly reformatted our documentation to allow for better documentation of defined resources in 'Usage' as well, and provided examples of how to use this new resource. This hopefully should go a long way to solving the PR's related to lack of full functionality for pg_hba.conf. Signed-off-by: Ken Barber <ken@bob.sh> 2013-02-10 01:36:12 +01:00			`) {`

Wrong parameter name: manage_pg_conf -> manage_pg_hba_conf 2013-12-04 21:09:56 +01:00			`if $postgresql::server::manage_pg_hba_conf == false {`
			`fail('postgresql::server::manage_pg_hba_conf has been disabled, so this resource is now unused and redundant, either enable that option or remove this resource from your manifests')`
Add a parameter to (un)manage pg_hba.conf 2013-10-02 14:43:21 +02:00			`} else {`
			`validate_re($type, '^(local\|host\|hostssl\|hostnossl)$',`
Provide new defined resources for managing pg_hba.conf This patch provides a more advanced way of managing pg_hba rules, by providing a defined resource to manage a pg_hba file, and a defined resource for managing rules within such a file (pg_hba_rule). These new resources are wrappers around ripinaar-concat, and utilise file assemblies instead of a template to compose the pg_hba.conf file. I've provided a function that interprets the old ip4\|6acl arrays and converts them to this new format for backwards compatibility as well. I slightly reformatted our documentation to allow for better documentation of defined resources in 'Usage' as well, and provided examples of how to use this new resource. This hopefully should go a long way to solving the PR's related to lack of full functionality for pg_hba.conf. Signed-off-by: Ken Barber <ken@bob.sh> 2013-02-10 01:36:12 +01:00			`"The type you specified [${type}] must be one of: local, host, hostssl, hostnosssl")`

Add a parameter to (un)manage pg_hba.conf 2013-10-02 14:43:21 +02:00			`if($type =~ /^host/ and $address == undef) {`
			`fail('You must specify an address property when type is host based')`
			`}`
Provide new defined resources for managing pg_hba.conf This patch provides a more advanced way of managing pg_hba rules, by providing a defined resource to manage a pg_hba file, and a defined resource for managing rules within such a file (pg_hba_rule). These new resources are wrappers around ripinaar-concat, and utilise file assemblies instead of a template to compose the pg_hba.conf file. I've provided a function that interprets the old ip4\|6acl arrays and converts them to this new format for backwards compatibility as well. I slightly reformatted our documentation to allow for better documentation of defined resources in 'Usage' as well, and provided examples of how to use this new resource. This hopefully should go a long way to solving the PR's related to lack of full functionality for pg_hba.conf. Signed-off-by: Ken Barber <ken@bob.sh> 2013-02-10 01:36:12 +01:00
Add a parameter to (un)manage pg_hba.conf 2013-10-02 14:43:21 +02:00			`$allowed_auth_methods = $postgresql::server::version ? {`
			`'9.3' => ['trust', 'reject', 'md5', 'sha1', 'password', 'gss', 'sspi', 'krb5', 'ident', 'peer', 'ldap', 'radius', 'cert', 'pam'],`
			`'9.2' => ['trust', 'reject', 'md5', 'sha1', 'password', 'gss', 'sspi', 'krb5', 'ident', 'peer', 'ldap', 'radius', 'cert', 'pam'],`
			`'9.1' => ['trust', 'reject', 'md5', 'sha1', 'password', 'gss', 'sspi', 'krb5', 'ident', 'peer', 'ldap', 'radius', 'cert', 'pam'],`
			`'9.0' => ['trust', 'reject', 'md5', 'sha1', 'password', 'gss', 'sspi', 'krb5', 'ident', 'ldap', 'radius', 'cert', 'pam'],`
			`'8.4' => ['trust', 'reject', 'md5', 'sha1', 'password', 'gss', 'sspi', 'krb5', 'ident', 'ldap', 'cert', 'pam'],`
			`'8.3' => ['trust', 'reject', 'md5', 'sha1', 'crypt', 'password', 'gss', 'sspi', 'krb5', 'ident', 'ldap', 'pam'],`
			`'8.2' => ['trust', 'reject', 'md5', 'crypt', 'password', 'krb5', 'ident', 'ldap', 'pam'],`
			`'8.1' => ['trust', 'reject', 'md5', 'crypt', 'password', 'krb5', 'ident', 'pam'],`
			`default => ['trust', 'reject', 'md5', 'password', 'gss', 'sspi', 'krb5', 'ident', 'peer', 'ldap', 'radius', 'cert', 'pam', 'crypt']`
			`}`
Validate authentication method against server version 2013-09-22 22:35:18 +02:00
Add zero length string to join() function The stdlib join() function takes an array and a string as parameters, it then joins all the elements of the array using the string as a separator. On Centos 6.4 the join() function fails if given just an array but not a string. 2013-10-19 18:04:04 +02:00			`$auth_method_regex = join(['^(', join($allowed_auth_methods, '\|'), ')$'],'')`
Add a parameter to (un)manage pg_hba.conf 2013-10-02 14:43:21 +02:00			`validate_re($auth_method, $auth_method_regex,`
Add zero length string to join() function The stdlib join() function takes an array and a string as parameters, it then joins all the elements of the array using the string as a separator. On Centos 6.4 the join() function fails if given just an array but not a string. 2013-10-19 18:04:04 +02:00			`join(["The auth_method you specified [${auth_method}] must be one of: ", join($allowed_auth_methods, ', ')],''))`
Validate authentication method against server version 2013-09-22 22:35:18 +02:00
Add a parameter to (un)manage pg_hba.conf 2013-10-02 14:43:21 +02:00			`# Create a rule fragment`
			`$fragname = "pg_hba_rule_${name}"`
			`concat::fragment { $fragname:`
			`target => $target,`
			`content => template('postgresql/pg_hba_rule.conf'),`
			`order => $order,`
			`}`
Provide new defined resources for managing pg_hba.conf This patch provides a more advanced way of managing pg_hba rules, by providing a defined resource to manage a pg_hba file, and a defined resource for managing rules within such a file (pg_hba_rule). These new resources are wrappers around ripinaar-concat, and utilise file assemblies instead of a template to compose the pg_hba.conf file. I've provided a function that interprets the old ip4\|6acl arrays and converts them to this new format for backwards compatibility as well. I slightly reformatted our documentation to allow for better documentation of defined resources in 'Usage' as well, and provided examples of how to use this new resource. This hopefully should go a long way to solving the PR's related to lack of full functionality for pg_hba.conf. Signed-off-by: Ken Barber <ken@bob.sh> 2013-02-10 01:36:12 +01:00			`}`
			`}`