Create the pg_ident_rule defined type

This allows us to declare user map as easilly as pg_hba entries.
2014-07-24 15:04:02 -05:00 · 2014-07-24 15:04:02 -05:00 · e2b0bdd26f
commit e2b0bdd26f
parent 3ed43705cf
8 changed files with 141 additions and 0 deletions
--- a/README.md
+++ b/README.md
@ -240,6 +240,7 @@ Resources:
 * [postgresql::server::database](#resource-postgresqlserverdatabase)
 * [postgresql::server::database_grant](#resource-postgresqlserverdatabasegrant)
 * [postgresql::server::pg_hba_rule](#resource-postgresqlserverpghbarule)
+* [postgresql::server::pg_ident_rule](#resource-postgresqlserverpgidentrule)
 * [postgresql::server::role](#resource-postgresqlserverrole)
 * [postgresql::server::table_grant](#resource-postgresqlservertablegrant)
 * [postgresql::server::tablespace](#resource-postgresqlservertablespace)
@ -326,6 +327,9 @@ Path to the `psql` command.
 ####`pg_hba_conf_path`
 Path to your `pg\_hba.conf` file.

+####`pg_ident_conf_path`
+Path to your `pg\_ident.conf` file.
+
 ####`postgresql_conf_path`
 Path to your `postgresql.conf` file.

@ -434,6 +438,9 @@ Path to the `psql` command.
 ####`pg_hba_conf_path`
 Path to your `pg\_hba.conf` file.

+####`pg_ident_conf_path`
+Path to your `pg\_ident.conf` file.
+
 ####`postgresql_conf_path`
 Path to your `postgresql.conf` file.

@ -468,6 +475,8 @@ This value defaults to `false`. Many distros ship with a fairly restrictive fire
 ####`manage_pg_hba_conf`
 This value defaults to `true`. Whether or not manage the pg_hba.conf. If set to `true`, puppet will overwrite this file. If set to `false`, puppet will not modify the file.

+####`manage_pg_ident_conf`
+This value defaults to `true`. Whether or not manage the pg_ident.conf. If set to `true`, puppet will overwrite this file. If set to `false`, puppet will not modify the file.

 ###Class: postgresql::client

@ -667,6 +676,24 @@ This would create a ruleset in `pg_hba.conf` similar to:
    # Order: 150
    host  app  app  200.1.2.0/24  md5

+###Resource: postgresql::server::pg\_ident\_rule
+This defined type allows you to create user name maps for `pg_ident.conf`. For more details see the [PostgreSQL documentation](http://www.postgresql.org/docs/9.4/static/auth-username-maps.html).
+
+For example:
+
+    postgresql::server::pg_ident_rule{ 'Map the SSL certificate of the backup server as a replication user':
+      map_name          => 'sslrepli',
+      system_username   => 'repli1.example.com',
+      database_username => 'replication',
+    }
+
+This would create a user name map in `pg_ident.conf` similar to:
+
+    # Rule Name: Map the SSL certificate of the backup server as a replication user
+    # Description: none
+    # Order: 150
+    sslrepli	repli1.example.com	replication
+
 ####`namevar`
 A unique identifier or short description for this rule. The namevar doesn't provide any functional usage, but it is stored in the comments of the produced `pg_hba.conf` so the originating resource can be identified.

--- a/manifests/globals.pp
+++ b/manifests/globals.pp
@ -20,6 +20,7 @@ class postgresql::globals (
  $createdb_path        = undef,
  $psql_path            = undef,
  $pg_hba_conf_path     = undef,
+  $pg_ident_conf_path   = undef,
  $postgresql_conf_path = undef,

  $pg_hba_conf_defaults = undef,
@ -42,6 +43,7 @@ class postgresql::globals (

  $manage_firewall      = undef,
  $manage_pg_hba_conf   = undef,
+  $manage_pg_ident_conf = undef,
  $firewall_supported   = undef,

  $manage_package_repo  = undef
--- a/manifests/params.pp
+++ b/manifests/params.pp
@ -15,6 +15,7 @@ class postgresql::params inherits postgresql::globals {
  $service_provider           = $service_provider
  $manage_firewall            = $manage_firewall
  $manage_pg_hba_conf         = pick($manage_pg_hba_conf, true)
+  $manage_pg_ident_conf       = pick($manage_pg_ident_conf, true)
  $package_ensure             = 'present'

  # Amazon Linux's OS Family is 'Linux', operating system 'Amazon'.
@ -198,6 +199,7 @@ class postgresql::params inherits postgresql::globals {
  $createdb_path        = pick($createdb_path, "${bindir}/createdb")
  $pg_hba_conf_path     = pick($pg_hba_conf_path, "${confdir}/pg_hba.conf")
  $pg_hba_conf_defaults = pick($pg_hba_conf_defaults, true)
+  $pg_ident_conf_path   = pick($pg_ident_conf_path, "${confdir}/pg_ident.conf")
  $postgresql_conf_path = pick($postgresql_conf_path, "${confdir}/postgresql.conf")
  $default_database     = pick($default_database, 'postgres')
 }
--- a/manifests/server.pp
+++ b/manifests/server.pp
@ -26,6 +26,7 @@ class postgresql::server (
  $createdb_path              = $postgresql::params::createdb_path,
  $psql_path                  = $postgresql::params::psql_path,
  $pg_hba_conf_path           = $postgresql::params::pg_hba_conf_path,
+  $pg_ident_conf_path         = $postgresql::params::pg_ident_conf_path,
  $postgresql_conf_path       = $postgresql::params::postgresql_conf_path,

  $datadir                    = $postgresql::params::datadir,
@ -43,6 +44,7 @@ class postgresql::server (

  $manage_firewall            = $postgresql::params::manage_firewall,
  $manage_pg_hba_conf         = $postgresql::params::manage_pg_hba_conf,
+  $manage_pg_ident_conf       = $postgresql::params::manage_pg_ident_conf,
  $firewall_supported         = $postgresql::params::firewall_supported,

  #Deprecated
--- a/manifests/server/config.pp
+++ b/manifests/server/config.pp
@ -7,12 +7,14 @@ class postgresql::server::config {
  $ipv4acls                   = $postgresql::server::ipv4acls
  $ipv6acls                   = $postgresql::server::ipv6acls
  $pg_hba_conf_path           = $postgresql::server::pg_hba_conf_path
+  $pg_ident_conf_path         = $postgresql::server::pg_ident_conf_path
  $postgresql_conf_path       = $postgresql::server::postgresql_conf_path
  $pg_hba_conf_defaults       = $postgresql::server::pg_hba_conf_defaults
  $user                       = $postgresql::server::user
  $group                      = $postgresql::server::group
  $version                    = $postgresql::server::version
  $manage_pg_hba_conf         = $postgresql::server::manage_pg_hba_conf
+  $manage_pg_ident_conf       = $postgresql::server::manage_pg_hba_conf

  if ($manage_pg_hba_conf == true) {
    # Prepare the main pg_hba file
@ -107,4 +109,15 @@ class postgresql::server::config {
      replace => false,
    }
  }
+
+  if ($manage_pg_ident_conf == true) {
+    concat { $pg_ident_conf_path:
+      owner  => $user,
+      group  => $group,
+      force   => true, # do not crash if there is no pg_ident_rules
+      mode   => '0640',
+      warn   => true,
+      notify => Class['postgresql::server::reload'],
+    }
+  }
 }
--- a/manifests/server/pg_ident_rule.pp
+++ b/manifests/server/pg_ident_rule.pp
@ -0,0 +1,27 @@
+# This resource manages an individual rule that applies to the file defined in
+# $target. See README.md for more details.
+define postgresql::server::pg_ident_rule(
+  $map_name,
+  $system_username,
+  $database_username,
+  $description = 'none',
+  $order       = '150',
+
+  # Needed for testing primarily, support for multiple files is not really
+  # working.
+  $target      = $postgresql::server::pg_ident_conf_path
+) {
+
+  if $postgresql::server::manage_pg_ident_conf == false {
+      fail('postgresql::server::manage_pg_ident_conf has been disabled, so this resource is now unused and redundant, either enable that option or remove this resource from your manifests')
+  } else {
+
+    # Create a rule fragment
+    $fragname = "pg_ident_rule_${name}"
+    concat::fragment { $fragname:
+      target  => $target,
+      content => template('postgresql/pg_ident_rule.conf'),
+      order   => $order,
+    }
+  }
+}
--- a/spec/unit/defines/server/pg_ident_rule_spec.rb
+++ b/spec/unit/defines/server/pg_ident_rule_spec.rb
@ -0,0 +1,63 @@
+require 'spec_helper'
+
+describe 'postgresql::server::pg_ident_rule', :type => :define do
+  let :facts do
+    {
+      :osfamily => 'Debian',
+      :operatingsystem => 'Debian',
+      :operatingsystemrelease => '6.0',
+      :kernel => 'Linux',
+      :concat_basedir => tmpfilename('pg_ident'),
+      :id => 'root',
+      :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
+    }
+  end
+  let :title do
+    'test'
+  end
+  let :target do
+    tmpfilename('pg_ident_rule')
+  end
+
+  context 'test template 1' do
+    let :pre_condition do
+      <<-EOS
+        class { 'postgresql::server': }
+      EOS
+    end
+
+    let :params do
+      {
+        :map_name => 'thatsmymap',
+        :system_username => 'systemuser',
+        :database_username => 'dbuser',
+      }
+    end
+    it do
+      is_expected.to contain_concat__fragment('pg_ident_rule_test').with({
+        :content => /thatsmymap\s+systemuser\s+dbuser/
+      })
+    end
+  end
+  context 'not managing pg_ident' do
+    let :pre_condition do
+      <<-EOS
+        class { 'postgresql::globals':
+          manage_pg_ident_conf => false,
+        }
+        class { 'postgresql::server': }
+      EOS
+    end
+    let :params do
+      {
+          :map_name => 'thatsmymap',
+          :system_username => 'systemuser',
+          :database_username => 'dbuser',
+      }
+    end
+    it 'should fail because $manage_pg_ident_conf is false' do
+      expect {subject}.to raise_error(Puppet::Error,
+                                      /postgresql::server::manage_pg_ident_conf has been disabled/)
+    end
+  end
+end
--- a/templates/pg_ident_rule.conf
+++ b/templates/pg_ident_rule.conf
@ -0,0 +1,5 @@
+
+# Rule Name: <%=@name%>
+# Description: <%=@description%>
+# Order: <%=@order%>
+<%=@map_name%>	<%=@system_username%>	<%=@database_username%>