Validate authentication method against server version

2013-09-22 22:35:18 +02:00 · 2013-09-22 22:35:18 +02:00 · 71e0236659
commit 71e0236659
parent 1a53de99d5
2 changed files with 71 additions and 2 deletions
--- a/manifests/server/pg_hba_rule.pp
+++ b/manifests/server/pg_hba_rule.pp
@ -17,13 +17,27 @@ define postgresql::server::pg_hba_rule(

  validate_re($type, '^(local|host|hostssl|hostnossl)$',
    "The type you specified [${type}] must be one of: local, host, hostssl, hostnosssl")
-  validate_re($auth_method, '^(trust|reject|md5|crypt|password|gss|sspi|krb5|ident|peer|ldap|radius|cert|pam)$',
-    "The auth_method you specified [${auth_method}] must be one of: trust, reject, md5, crypt, password, krb5, ident, ldap, pam")

  if($type =~ /^host/ and $address == undef) {
    fail('You must specify an address property when type is host based')
  }

+  $allowed_auth_methods = $postgresql::server::version ? {
+    '9.3' => ['trust', 'reject', 'md5', 'password', 'gss', 'sspi', 'krb5', 'ident', 'peer', 'ldap', 'radius', 'cert', 'pam'],
+    '9.2' => ['trust', 'reject', 'md5', 'password', 'gss', 'sspi', 'krb5', 'ident', 'peer', 'ldap', 'radius', 'cert', 'pam'],
+    '9.1' => ['trust', 'reject', 'md5', 'password', 'gss', 'sspi', 'krb5', 'ident', 'peer', 'ldap', 'radius', 'cert', 'pam'],
+    '9.0' => ['trust', 'reject', 'md5', 'password', 'gss', 'sspi', 'krb5', 'ident', 'ldap', 'radius', 'cert', 'pam'],
+    '8.4' => ['trust', 'reject', 'md5', 'password', 'gss', 'sspi', 'krb5', 'ident', 'ldap', 'cert', 'pam'],
+    '8.3' => ['trust', 'reject', 'md5', 'crypt', 'password', 'gss', 'sspi', 'krb5', 'ident', 'ldap', 'pam'],
+    '8.2' => ['trust', 'reject', 'md5', 'crypt', 'password', 'krb5', 'ident', 'ldap', 'pam'],
+    '8.1' => ['trust', 'reject', 'md5', 'crypt', 'password', 'krb5', 'ident', 'pam'],
+    default => ['trust', 'reject', 'md5', 'password', 'gss', 'sspi', 'krb5', 'ident', 'peer', 'ldap', 'radius', 'cert', 'pam', 'crypt']
+  }
+
+  $auth_method_regex = join(['^(', join($allowed_auth_methods, '|'), ')$'])
+  validate_re($auth_method, $auth_method_regex,
+    join(["The auth_method you specified [${auth_method}] must be one of: ", join($allowed_auth_methods, ', ')]))
+
  # Create a rule fragment
  $fragname = "pg_hba_rule_${name}"
  concat::fragment { $fragname:
--- a/spec/unit/defines/server/pg_hba_rule_spec.rb
+++ b/spec/unit/defines/server/pg_hba_rule_spec.rb
@ -102,5 +102,60 @@ describe 'postgresql::server::pg_hba_rule', :type => :define do
          /The auth_method you specified \[invalid\] must be one of/)
      end
    end
+
+    context 'validate unsupported auth_method' do
+      let :pre_condition do
+        <<-EOS
+          class { 'postgresql::globals':
+            version => '9.0',
+          }
+          class { 'postgresql::server': }
+        EOS
+      end
+
+      let :params do
+        {
+          :type => 'local',
+          :database => 'all',
+          :user => 'all',
+          :address => '0.0.0.0/0',
+          :auth_method => 'peer',
+          :target => target,
+        }
+      end
+
+      it 'should fail parsing when auth_method is not valid' do
+        expect {subject}.to raise_error(Puppet::Error,
+          /The auth_method you specified \[peer\] must be one of: trust, reject, md5, password, gss, sspi, krb5, ident, ldap, radius, cert, pam/)
+      end
+    end
+
+    context 'validate supported auth_method' do
+      let :pre_condition do
+        <<-EOS
+          class { 'postgresql::globals':
+            version => '9.2',
+          }
+          class { 'postgresql::server': }
+        EOS
+      end
+
+      let :params do
+        {
+          :type => 'local',
+          :database => 'all',
+          :user => 'all',
+          :address => '0.0.0.0/0',
+          :auth_method => 'peer',
+          :target => target,
+        }
+      end
+
+      it do
+        content = param('concat::fragment', 'pg_hba_rule_test', 'content')
+        content.should =~ /local\s+all\s+all\s+0\.0\.0\.0\/0\s+peer/
+      end
+    end
+
  end
 end