opuppet/module-postgresql
5
0
Fork 0
Code Issues Pull requests Releases Wiki Activity

Merge pull request #251 from kamilszymanski/authentication_method_validation

Browse source 
Validate authentication method against server version
This commit is contained in:
Ashley Penney 2013-09-23 12:19:28 -07:00
commit 5ac999b72c
2 changed files with 71 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

18
manifests/server/pg_hba_rule.pp
View file

@ -17,13 +17,27 @@ define postgresql::server::pg_hba_rule(
validate_re($type, '^(local|host|hostssl|hostnossl)$', validate_re($type, '^(local|host|hostssl|hostnossl)$',
"The type you specified [${type}] must be one of: local, host, hostssl, hostnosssl") "The type you specified [${type}] must be one of: local, host, hostssl, hostnosssl")
validate_re($auth_method, '^(trust|reject|md5|crypt|password|gss|sspi|krb5|ident|peer|ldap|radius|cert|pam)$',
"The auth_method you specified [${auth_method}] must be one of: trust, reject, md5, crypt, password, krb5, ident, ldap, pam")
if($type =~ /^host/ and $address == undef) { if($type =~ /^host/ and $address == undef) {
fail('You must specify an address property when type is host based') fail('You must specify an address property when type is host based')
} }
$allowed_auth_methods = $postgresql::server::version ? {
'9.3' => ['trust', 'reject', 'md5', 'password', 'gss', 'sspi', 'krb5', 'ident', 'peer', 'ldap', 'radius', 'cert', 'pam'],
'9.2' => ['trust', 'reject', 'md5', 'password', 'gss', 'sspi', 'krb5', 'ident', 'peer', 'ldap', 'radius', 'cert', 'pam'],
'9.1' => ['trust', 'reject', 'md5', 'password', 'gss', 'sspi', 'krb5', 'ident', 'peer', 'ldap', 'radius', 'cert', 'pam'],
'9.0' => ['trust', 'reject', 'md5', 'password', 'gss', 'sspi', 'krb5', 'ident', 'ldap', 'radius', 'cert', 'pam'],
'8.4' => ['trust', 'reject', 'md5', 'password', 'gss', 'sspi', 'krb5', 'ident', 'ldap', 'cert', 'pam'],
'8.3' => ['trust', 'reject', 'md5', 'crypt', 'password', 'gss', 'sspi', 'krb5', 'ident', 'ldap', 'pam'],
'8.2' => ['trust', 'reject', 'md5', 'crypt', 'password', 'krb5', 'ident', 'ldap', 'pam'],
'8.1' => ['trust', 'reject', 'md5', 'crypt', 'password', 'krb5', 'ident', 'pam'],
default => ['trust', 'reject', 'md5', 'password', 'gss', 'sspi', 'krb5', 'ident', 'peer', 'ldap', 'radius', 'cert', 'pam', 'crypt']
}
$auth_method_regex = join(['^(', join($allowed_auth_methods, '|'), ')$'])
validate_re($auth_method, $auth_method_regex,
join(["The auth_method you specified [${auth_method}] must be one of: ", join($allowed_auth_methods, ', ')]))
# Create a rule fragment # Create a rule fragment
$fragname = "pg_hba_rule_${name}" $fragname = "pg_hba_rule_${name}"
concat::fragment { $fragname: concat::fragment { $fragname:

55
spec/unit/defines/server/pg_hba_rule_spec.rb
View file

@ -102,5 +102,60 @@ describe 'postgresql::server::pg_hba_rule', :type => :define do
/The auth_method you specified \[invalid\] must be one of/) /The auth_method you specified \[invalid\] must be one of/)
end end
end end
context 'validate unsupported auth_method' do
let :pre_condition do
<<-EOS
class { 'postgresql::globals':
version => '9.0',
}
class { 'postgresql::server': }
EOS
end
let :params do
{
:type => 'local',
:database => 'all',
:user => 'all',
:address => '0.0.0.0/0',
:auth_method => 'peer',
:target => target,
}
end
it 'should fail parsing when auth_method is not valid' do
expect {subject}.to raise_error(Puppet::Error,
/The auth_method you specified \[peer\] must be one of: trust, reject, md5, password, gss, sspi, krb5, ident, ldap, radius, cert, pam/)
end
end
context 'validate supported auth_method' do
let :pre_condition do
<<-EOS
class { 'postgresql::globals':
version => '9.2',
}
class { 'postgresql::server': }
EOS
end
let :params do
{
:type => 'local',
:database => 'all',
:user => 'all',
:address => '0.0.0.0/0',
:auth_method => 'peer',
:target => target,
}
end
it do
content = param('concat::fragment', 'pg_hba_rule_test', 'content')
content.should =~ /local\s+all\s+all\s+0\.0\.0\.0\/0\s+peer/
end
end
end end
end end