diff --git a/manifests/server/pg_hba_rule.pp b/manifests/server/pg_hba_rule.pp
index 7fce879..5c0742c 100644
--- a/manifests/server/pg_hba_rule.pp
+++ b/manifests/server/pg_hba_rule.pp
@@ -17,13 +17,27 @@ define postgresql::server::pg_hba_rule( validate_re($type, '^(local|host|hostssl|hostnossl)$', "The type you specified [${type}] must be one of: local, host, hostssl, hostnosssl") - validate_re($auth_method, '^(trust|reject|md5|crypt|password|gss|sspi|krb5|ident|peer|ldap|radius|cert|pam)$', - "The auth_method you specified [${auth_method}] must be one of: trust, reject, md5, crypt, password, krb5, ident, ldap, pam") if($type =~ /^host/ and $address == undef) { fail('You must specify an address property when type is host based') } + $allowed_auth_methods = $postgresql::server::version ? { + '9.3' => ['trust', 'reject', 'md5', 'password', 'gss', 'sspi', 'krb5', 'ident', 'peer', 'ldap', 'radius', 'cert', 'pam'], + '9.2' => ['trust', 'reject', 'md5', 'password', 'gss', 'sspi', 'krb5', 'ident', 'peer', 'ldap', 'radius', 'cert', 'pam'], + '9.1' => ['trust', 'reject', 'md5', 'password', 'gss', 'sspi', 'krb5', 'ident', 'peer', 'ldap', 'radius', 'cert', 'pam'], + '9.0' => ['trust', 'reject', 'md5', 'password', 'gss', 'sspi', 'krb5', 'ident', 'ldap', 'radius', 'cert', 'pam'], + '8.4' => ['trust', 'reject', 'md5', 'password', 'gss', 'sspi', 'krb5', 'ident', 'ldap', 'cert', 'pam'], + '8.3' => ['trust', 'reject', 'md5', 'crypt', 'password', 'gss', 'sspi', 'krb5', 'ident', 'ldap', 'pam'], + '8.2' => ['trust', 'reject', 'md5', 'crypt', 'password', 'krb5', 'ident', 'ldap', 'pam'], + '8.1' => ['trust', 'reject', 'md5', 'crypt', 'password', 'krb5', 'ident', 'pam'], + default => ['trust', 'reject', 'md5', 'password', 'gss', 'sspi', 'krb5', 'ident', 'peer', 'ldap', 'radius', 'cert', 'pam', 'crypt'] + } + + $auth_method_regex = join(['^(', join($allowed_auth_methods, '|'), ')$']) + validate_re($auth_method, $auth_method_regex, + join(["The auth_method you specified [${auth_method}] must be one of: ", join($allowed_auth_methods, ', ')])) + # Create a rule fragment $fragname = "pg_hba_rule_${name}" concat::fragment { $fragname: 
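Review bot: The `default` branch of the `$allowed_auth_methods` selector accepts the union of every list, including `crypt` and `peer`, so any version that is not an exact key (for example '9.4', a three-part version string, or presumably an unset value when `postgresql::server` is not declared) gets the loosest validation instead of the strictest. The table itself shows `crypt` gone from 8.4 onward, so a safer fallback is the newest known list, `default => ['trust', 'reject', 'md5', 'password', 'gss', 'sspi', 'krb5', 'ident', 'peer', 'ldap', 'radius', 'cert', 'pam']`, or at minimum a comment such as `# unknown version: no per-version check is applied`. The three identical 9.1 to 9.3 lists could share one variable so later edits cannot drift apart. The define's parameter list starts above the hunk and the `concat::fragment` resource continues below it.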
diff --git a/spec/unit/defines/server/pg_hba_rule_spec.rb b/spec/unit/defines/server/pg_hba_rule_spec.rb index 8bb040b..13a9e5f 100644 --- a/spec/unit/defines/server/pg_hba_rule_spec.rb +++ b/spec/unit/defines/server/pg_hba_rule_spec.rb @@ -102,5 +102,60 @@ describe 'postgresql::server::pg_hba_rule', :type => :define do /The auth_method you specified \[invalid\] must be one of/) end end + + context 'validate unsupported auth_method' do + let :pre_condition do + <<-EOS + class { 'postgresql::globals': + version => '9.0', + } + class { 'postgresql::server': } + EOS + end + + let :params do + { + :type => 'local', + :database => 'all', + :user => 'all', + :address => '0.0.0.0/0', + :auth_method => 'peer', + :target => target, + } + end + + it 'should fail parsing when auth_method is not valid' do + expect {subject}.to raise_error(Puppet::Error, + /The auth_method you specified \[peer\] must be one of: trust, reject, md5, password, gss, sspi, krb5, ident, ldap, radius, cert, pam/) + end + end + + context 'validate supported auth_method' do + let :pre_condition do + <<-EOS + class { 'postgresql::globals': + version => '9.2', + } + class { 'postgresql::server': } + EOS + end + + let :params do + { + :type => 'local', + :database => 'all', + :user => 'all', + :address => '0.0.0.0/0', + :auth_method => 'peer', + :target => target, + } + end + + it do + content = param('concat::fragment', 'pg_hba_rule_test', 'content') + content.should =~ /local\s+all\s+all\s+0\.0\.0\.0\/0\s+peer/ + end + end + end end
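Review bot: Neither new context covers the `default` branch or the removal of `crypt`, which are the cases where the version table changes what is accepted compared with the old fixed regex; both tests exercise only `peer`, on 9.0 and on 9.2. A further context with `version => '8.4'` and `:auth_method => 'crypt'` expecting `raise_error(Puppet::Error, /The auth_method you specified \[crypt\] must be one of/)` would pin that down, and one that sets no `postgresql::globals` version would document what the fallback accepts. The params also pair `:type => 'local'` with an `:address`, which does not match a real local pg_hba.conf entry, so `'host'` would make the fixtures more representative. The surrounding `describe` block opens above the hunk.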