Merge pull request #251 from kamilszymanski/authentication_method_validation
Validate authentication method against server version
This commit is contained in:
commit
5ac999b72c
2 changed files with 71 additions and 2 deletions
|
@ -17,13 +17,27 @@ define postgresql::server::pg_hba_rule(
|
|||
|
||||
validate_re($type, '^(local|host|hostssl|hostnossl)$',
|
||||
"The type you specified [${type}] must be one of: local, host, hostssl, hostnosssl")
|
||||
validate_re($auth_method, '^(trust|reject|md5|crypt|password|gss|sspi|krb5|ident|peer|ldap|radius|cert|pam)$',
|
||||
"The auth_method you specified [${auth_method}] must be one of: trust, reject, md5, crypt, password, krb5, ident, ldap, pam")
|
||||
|
||||
if($type =~ /^host/ and $address == undef) {
|
||||
fail('You must specify an address property when type is host based')
|
||||
}
|
||||
|
||||
$allowed_auth_methods = $postgresql::server::version ? {
|
||||
'9.3' => ['trust', 'reject', 'md5', 'password', 'gss', 'sspi', 'krb5', 'ident', 'peer', 'ldap', 'radius', 'cert', 'pam'],
|
||||
'9.2' => ['trust', 'reject', 'md5', 'password', 'gss', 'sspi', 'krb5', 'ident', 'peer', 'ldap', 'radius', 'cert', 'pam'],
|
||||
'9.1' => ['trust', 'reject', 'md5', 'password', 'gss', 'sspi', 'krb5', 'ident', 'peer', 'ldap', 'radius', 'cert', 'pam'],
|
||||
'9.0' => ['trust', 'reject', 'md5', 'password', 'gss', 'sspi', 'krb5', 'ident', 'ldap', 'radius', 'cert', 'pam'],
|
||||
'8.4' => ['trust', 'reject', 'md5', 'password', 'gss', 'sspi', 'krb5', 'ident', 'ldap', 'cert', 'pam'],
|
||||
'8.3' => ['trust', 'reject', 'md5', 'crypt', 'password', 'gss', 'sspi', 'krb5', 'ident', 'ldap', 'pam'],
|
||||
'8.2' => ['trust', 'reject', 'md5', 'crypt', 'password', 'krb5', 'ident', 'ldap', 'pam'],
|
||||
'8.1' => ['trust', 'reject', 'md5', 'crypt', 'password', 'krb5', 'ident', 'pam'],
|
||||
default => ['trust', 'reject', 'md5', 'password', 'gss', 'sspi', 'krb5', 'ident', 'peer', 'ldap', 'radius', 'cert', 'pam', 'crypt']
|
||||
}
|
||||
|
||||
$auth_method_regex = join(['^(', join($allowed_auth_methods, '|'), ')$'])
|
||||
validate_re($auth_method, $auth_method_regex,
|
||||
join(["The auth_method you specified [${auth_method}] must be one of: ", join($allowed_auth_methods, ', ')]))
|
||||
|
||||
# Create a rule fragment
|
||||
$fragname = "pg_hba_rule_${name}"
|
||||
concat::fragment { $fragname:
|
||||
|
|
|
@ -102,5 +102,60 @@ describe 'postgresql::server::pg_hba_rule', :type => :define do
|
|||
/The auth_method you specified \[invalid\] must be one of/)
|
||||
end
|
||||
end
|
||||
|
||||
context 'validate unsupported auth_method' do
|
||||
let :pre_condition do
|
||||
<<-EOS
|
||||
class { 'postgresql::globals':
|
||||
version => '9.0',
|
||||
}
|
||||
class { 'postgresql::server': }
|
||||
EOS
|
||||
end
|
||||
|
||||
let :params do
|
||||
{
|
||||
:type => 'local',
|
||||
:database => 'all',
|
||||
:user => 'all',
|
||||
:address => '0.0.0.0/0',
|
||||
:auth_method => 'peer',
|
||||
:target => target,
|
||||
}
|
||||
end
|
||||
|
||||
it 'should fail parsing when auth_method is not valid' do
|
||||
expect {subject}.to raise_error(Puppet::Error,
|
||||
/The auth_method you specified \[peer\] must be one of: trust, reject, md5, password, gss, sspi, krb5, ident, ldap, radius, cert, pam/)
|
||||
end
|
||||
end
|
||||
|
||||
context 'validate supported auth_method' do
|
||||
let :pre_condition do
|
||||
<<-EOS
|
||||
class { 'postgresql::globals':
|
||||
version => '9.2',
|
||||
}
|
||||
class { 'postgresql::server': }
|
||||
EOS
|
||||
end
|
||||
|
||||
let :params do
|
||||
{
|
||||
:type => 'local',
|
||||
:database => 'all',
|
||||
:user => 'all',
|
||||
:address => '0.0.0.0/0',
|
||||
:auth_method => 'peer',
|
||||
:target => target,
|
||||
}
|
||||
end
|
||||
|
||||
it do
|
||||
content = param('concat::fragment', 'pg_hba_rule_test', 'content')
|
||||
content.should =~ /local\s+all\s+all\s+0\.0\.0\.0\/0\s+peer/
|
||||
end
|
||||
end
|
||||
|
||||
end
|
||||
end
|
||||
|
|
Loading…
Reference in a new issue