Merge pull request #20 from dharwood/dharwood/pg_hba_acls

Defining ACLs in pg_hba.conf
Chris Price 2012-10-29 10:46:30 -07:00
commit 10d916ef64
6 changed files with 24 additions and 0 deletions


@ -39,6 +39,7 @@ class { 'postgresql::server':
'ip_mask_deny_postgres_user' => '0.0.0.0/32',
'ip_mask_allow_all_users' => '0.0.0.0/0',
'listen_addresses' => '*',
'ipv4acls' => ['hostssl all johndoe 192.168.0.0/24 cert'],
'manage_redhat_firewall' => true,
'postgres_password' => 'TPSrep0rt!',
},


@ -9,6 +9,10 @@
# defaults to '127.0.0.1/32', meaning only allow connections from localhost
# [*listen_addresses*] - what IP address(es) to listen on; comma-separated list of addresses; defaults to
# 'localhost', '*' = all
# [*ipv4acls*] - list of strings for access control for connection method, users, databases, IPv4
# addresses; see postgresql documentation about pg_hba.conf for information
# [*ipv6acls*] - list of strings for access control for connection method, users, databases, IPv6
# addresses; see postgresql documentation about pg_hba.conf for information
# [*pg_hba_conf_path*] - path to pg_hba.conf file
# [*postgresql_conf_path*] - path to postgresql.conf file
# [*manage_redhat_firewall*] - boolean indicating whether or not the module should open a port in the firewall on
@ -33,6 +37,8 @@ class postgresql::config(
$ip_mask_deny_postgres_user = $postgresql::params::ip_mask_deny_postgres_user,
$ip_mask_allow_all_users = $postgresql::params::ip_mask_allow_all_users,
$listen_addresses = $postgresql::params::listen_addresses,
$ipv4acls = $postgresql::params::ipv4acls,
$ipv6acls = $postgresql::params::ipv6acls,
$pg_hba_conf_path = $postgresql::params::pg_hba_conf_path,
$postgresql_conf_path = $postgresql::params::postgresql_conf_path,
$manage_redhat_firewall = $postgresql::params::manage_redhat_firewall
@ -46,6 +52,8 @@ class postgresql::config(
ip_mask_deny_postgres_user => $ip_mask_deny_postgres_user,
ip_mask_allow_all_users => $ip_mask_allow_all_users,
listen_addresses => $listen_addresses,
ipv4acls => $ipv4acls,
ipv6acls => $ipv6acls,
pg_hba_conf_path => $pg_hba_conf_path,
postgresql_conf_path => $postgresql_conf_path,
manage_redhat_firewall => $manage_redhat_firewall,
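Review bot: The new `[*ipv4acls*]` / `[*ipv6acls*]` parameter docs in the first hunk never say what shape each string must have or where the entries end up in pg_hba.conf, which is the information an operator needs to write a rule that actually takes effect. The template in this commit splits each entry on whitespace and indexes the first five columns, so the contract is one pg_hba.conf record per string; I would document it as `# [*ipv4acls*] - list of strings, each one pg_hba.conf record 'TYPE DATABASE USER ADDRESS METHOD [OPTIONS]', e.g. 'hostssl all johndoe 192.168.0.0/24 cert';` followed by `#   entries are appended after the module's default host rules, and pg_hba.conf uses the first matching record`. The same two doc lines appear verbatim in the postgresql::config::beforeservice class in this commit and should be updated together. The class bodies in the later hunks continue outside the hunks shown.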


@ -8,6 +8,10 @@
# defaults to '127.0.0.1/32', meaning only allow connections from localhost
# [*listen_addresses*] - what IP address(es) to listen on; comma-separated list of addresses; defaults to
# 'localhost', '*' = all
# [*ipv4acls*] - list of strings for access control for connection method, users, databases, IPv4
# addresses; see postgresql documentation about pg_hba.conf for information
# [*ipv6acls*] - list of strings for access control for connection method, users, databases, IPv6
# addresses; see postgresql documentation about pg_hba.conf for information
# [*pg_hba_conf_path*] - path to pg_hba.conf file
# [*postgresql_conf_path*] - path to postgresql.conf file
# [*manage_redhat_firewall*] - boolean indicating whether or not the module should open a port in the firewall on
@ -33,6 +37,8 @@ class postgresql::config::beforeservice(
$ip_mask_deny_postgres_user = $postgresql::params::ip_mask_deny_postgres_user,
$ip_mask_allow_all_users = $postgresql::params::ip_mask_allow_all_users,
$listen_addresses = $postgresql::params::listen_addresses,
$ipv4acls = $postgresql::params::ipv4acls,
$ipv6acls = $postgresql::params::ipv6acls,
$pg_hba_conf_path = $postgresql::params::pg_hba_conf_path,
$postgresql_conf_path = $postgresql::params::postgresql_conf_path,
$manage_redhat_firewall = $postgresql::params::manage_redhat_firewall


@ -16,6 +16,8 @@ class postgresql::params {
$ip_mask_deny_postgres_user = '0.0.0.0/0'
$ip_mask_allow_all_users = '127.0.0.1/32'
$listen_addresses = 'localhost'
$ipv4acls = []
$ipv6acls = []
# TODO: figure out a way to make this not platform-specific
$manage_redhat_firewall = false


@ -83,6 +83,12 @@ local all all ident <%= "sameuser" if @p
# IPv4 local connections:
host all postgres <%= @ip_mask_deny_postgres_user + "\t" %> reject
host all all <%= @ip_mask_allow_all_users + "\t" %> md5
<% @ipv4acls.each do |acl|; parts = acl.split -%>
<%= parts[0] + "\t" + parts[1] + "\t" + parts[2] + "\t\t" + parts[3] + "\t\t" + parts[4] + "\t" + parts.last(parts.length - 5).join(" ") %>
<% end -%>
# IPv6 local connections:
host all all ::1/128 md5
<% @ipv6acls.each do |acl|; parts = acl.split -%>
<%= parts[0] + "\t" + parts[1] + "\t" + parts[2] + "\t\t" + parts[3] + "\t\t" + parts[4] + "\t" + parts.last(parts.length - 5).join(" ") %>
<% end -%>
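Review bot: The custom ACL entries are rendered after the module's own `host all all <ip_mask_allow_all_users> md5` line, and pg_hba.conf is evaluated first-match, so any client already covered by that mask never reaches the user-supplied records; with the `ip_mask_allow_all_users => '0.0.0.0/0'` used in both example manifests of this commit, a `hostssl ... cert` or `reject` rule in `ipv4acls` is dead and md5 password auth is what actually applies. The loops should be emitted before the catch-all line (the `@ipv4acls` loop ahead of the `host all all <%= @ip_mask_allow_all_users %>` record and the `@ipv6acls` loop ahead of `host all all ::1/128 md5`), or at minimum the ordering should be called out in the parameter docs. Separately, an entry with fewer than five whitespace-separated fields makes `parts[4]` nil and the `+` concatenation raises a TypeError at catalog compile time, which fails closed but obscurely; a guard such as `<% raise ArgumentError, "pg_hba ACL needs at least 5 fields: #{acl}" if parts.length < 5 -%>` at the top of each loop would give a usable error.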


@ -3,6 +3,7 @@ class { 'postgresql::server':
'ip_mask_deny_postgres_user' => '0.0.0.0/32',
'ip_mask_allow_all_users' => '0.0.0.0/0',
'listen_addresses' => '*',
'ipv4acls' => ['hostssl all all johndoe 192.168.0.0/24 cert'],
'manage_redhat_firewall' => true,
'postgres_password' => 'postgres',
},
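Review bot: The example ACL `'hostssl all all johndoe 192.168.0.0/24 cert'` has six whitespace-separated fields, so with the column mapping in this commit's pg_hba.conf template `johndoe` lands in the ADDRESS column and `192.168.0.0/24` in the METHOD column, which is not a valid authentication method and will make PostgreSQL reject the generated pg_hba.conf. It also disagrees with the README example in the same commit, which correctly uses five fields. The line should read `'ipv4acls' => ['hostssl all johndoe 192.168.0.0/24 cert'],`. Note that even when well-formed, with `ip_mask_allow_all_users => '0.0.0.0/0'` in the same resource the rule is shadowed by the module's catch-all md5 record, so this smoke test would not exercise the cert path as written.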