Create the pg_ident_rule defined type

txaj · txaj · commit e2b0bdd26f00 · 2014-07-26T17:14:51.000-05:00
This allows us to declare user map as easilly as pg_hba entries.
diff --git a/README.md b/README.md
@@ -240,6 +240,7 @@ Resources:
 * [postgresql::server::database](#resource-postgresqlserverdatabase)
 * [postgresql::server::database_grant](#resource-postgresqlserverdatabasegrant)
 * [postgresql::server::pg_hba_rule](#resource-postgresqlserverpghbarule)
+* [postgresql::server::pg_ident_rule](#resource-postgresqlserverpgidentrule)
 * [postgresql::server::role](#resource-postgresqlserverrole)
 * [postgresql::server::table_grant](#resource-postgresqlservertablegrant)
 * [postgresql::server::tablespace](#resource-postgresqlservertablespace)
@@ -326,6 +327,9 @@ Path to the `psql` command.
 ####`pg_hba_conf_path`
 Path to your `pg\_hba.conf` file.
 
+####`pg_ident_conf_path`
+Path to your `pg\_ident.conf` file.
+
 ####`postgresql_conf_path`
 Path to your `postgresql.conf` file.
 
@@ -434,6 +438,9 @@ Path to the `psql` command.
 ####`pg_hba_conf_path`
 Path to your `pg\_hba.conf` file.
 
+####`pg_ident_conf_path`
+Path to your `pg\_ident.conf` file.
+
 ####`postgresql_conf_path`
 Path to your `postgresql.conf` file.
 
@@ -468,6 +475,8 @@ This value defaults to `false`. Many distros ship with a fairly restrictive fire
 ####`manage_pg_hba_conf`
 This value defaults to `true`. Whether or not manage the pg_hba.conf. If set to `true`, puppet will overwrite this file. If set to `false`, puppet will not modify the file.
 
+####`manage_pg_ident_conf`
+This value defaults to `true`. Whether or not manage the pg_ident.conf. If set to `true`, puppet will overwrite this file. If set to `false`, puppet will not modify the file.
 
 ###Class: postgresql::client
 
@@ -667,6 +676,24 @@ This would create a ruleset in `pg_hba.conf` similar to:
     # Order: 150
     host  app  app  200.1.2.0/24  md5
 
+###Resource: postgresql::server::pg\_ident\_rule
+This defined type allows you to create user name maps for `pg_ident.conf`. For more details see the [PostgreSQL documentation](http://www.postgresql.org/docs/9.4/static/auth-username-maps.html).
+
+For example:
+
+    postgresql::server::pg_ident_rule{ 'Map the SSL certificate of the backup server as a replication user':
+      map_name          => 'sslrepli',
+      system_username   => 'repli1.example.com',
+      database_username => 'replication',
+    }
+
+This would create a user name map in `pg_ident.conf` similar to:
+
+    # Rule Name: Map the SSL certificate of the backup server as a replication user
+    # Description: none
+    # Order: 150
+    sslrepli	repli1.example.com	replication
+
 ####`namevar`
 A unique identifier or short description for this rule. The namevar doesn't provide any functional usage, but it is stored in the comments of the produced `pg_hba.conf` so the originating resource can be identified.
 
diff --git a/manifests/globals.pp b/manifests/globals.pp
@@ -20,6 +20,7 @@
   $createdb_path        = undef,
   $psql_path            = undef,
   $pg_hba_conf_path     = undef,
+  $pg_ident_conf_path   = undef,
   $postgresql_conf_path = undef,
 
   $pg_hba_conf_defaults = undef,
@@ -42,6 +43,7 @@
 
   $manage_firewall      = undef,
   $manage_pg_hba_conf   = undef,
+  $manage_pg_ident_conf = undef,
   $firewall_supported   = undef,
 
   $manage_package_repo  = undef
diff --git a/manifests/params.pp b/manifests/params.pp
@@ -15,6 +15,7 @@
   $service_provider           = $service_provider
   $manage_firewall            = $manage_firewall
   $manage_pg_hba_conf         = pick($manage_pg_hba_conf, true)
+  $manage_pg_ident_conf       = pick($manage_pg_ident_conf, true)
   $package_ensure             = 'present'
 
   # Amazon Linux's OS Family is 'Linux', operating system 'Amazon'.
@@ -198,6 +199,7 @@
   $createdb_path        = pick($createdb_path, "${bindir}/createdb")
   $pg_hba_conf_path     = pick($pg_hba_conf_path, "${confdir}/pg_hba.conf")
   $pg_hba_conf_defaults = pick($pg_hba_conf_defaults, true)
+  $pg_ident_conf_path   = pick($pg_ident_conf_path, "${confdir}/pg_ident.conf")
   $postgresql_conf_path = pick($postgresql_conf_path, "${confdir}/postgresql.conf")
   $default_database     = pick($default_database, 'postgres')
 }
diff --git a/manifests/server.pp b/manifests/server.pp
@@ -26,6 +26,7 @@
   $createdb_path              = $postgresql::params::createdb_path,
   $psql_path                  = $postgresql::params::psql_path,
   $pg_hba_conf_path           = $postgresql::params::pg_hba_conf_path,
+  $pg_ident_conf_path         = $postgresql::params::pg_ident_conf_path,
   $postgresql_conf_path       = $postgresql::params::postgresql_conf_path,
 
   $datadir                    = $postgresql::params::datadir,
@@ -43,6 +44,7 @@
 
   $manage_firewall            = $postgresql::params::manage_firewall,
   $manage_pg_hba_conf         = $postgresql::params::manage_pg_hba_conf,
+  $manage_pg_ident_conf       = $postgresql::params::manage_pg_ident_conf,
   $firewall_supported         = $postgresql::params::firewall_supported,
 
   #Deprecated
diff --git a/manifests/server/config.pp b/manifests/server/config.pp
@@ -7,12 +7,14 @@
   $ipv4acls                   = $postgresql::server::ipv4acls
   $ipv6acls                   = $postgresql::server::ipv6acls
   $pg_hba_conf_path           = $postgresql::server::pg_hba_conf_path
+  $pg_ident_conf_path         = $postgresql::server::pg_ident_conf_path
   $postgresql_conf_path       = $postgresql::server::postgresql_conf_path
   $pg_hba_conf_defaults       = $postgresql::server::pg_hba_conf_defaults
   $user                       = $postgresql::server::user
   $group                      = $postgresql::server::group
   $version                    = $postgresql::server::version
   $manage_pg_hba_conf         = $postgresql::server::manage_pg_hba_conf
+  $manage_pg_ident_conf       = $postgresql::server::manage_pg_hba_conf
 
   if ($manage_pg_hba_conf == true) {
     # Prepare the main pg_hba file
@@ -107,4 +109,15 @@
       replace => false,
     }
   }
+
+  if ($manage_pg_ident_conf == true) {
+    concat { $pg_ident_conf_path:
+      owner  => $user,
+      group  => $group,
+      force   => true, # do not crash if there is no pg_ident_rules
+      mode   => '0640',
+      warn   => true,
+      notify => Class['postgresql::server::reload'],
+    }
+  }
 }
diff --git a/manifests/server/pg_ident_rule.pp b/manifests/server/pg_ident_rule.pp
@@ -0,0 +1,27 @@
+# This resource manages an individual rule that applies to the file defined in
+# $target. See README.md for more details.
+define postgresql::server::pg_ident_rule(
+  $map_name,
+  $system_username,
+  $database_username,
+  $description = 'none',
+  $order       = '150',
+
+  # Needed for testing primarily, support for multiple files is not really
+  # working.
+  $target      = $postgresql::server::pg_ident_conf_path
+) {
+
+  if $postgresql::server::manage_pg_ident_conf == false {
+      fail('postgresql::server::manage_pg_ident_conf has been disabled, so this resource is now unused and redundant, either enable that option or remove this resource from your manifests')
+  } else {
+
+    # Create a rule fragment
+    $fragname = "pg_ident_rule_${name}"
+    concat::fragment { $fragname:
+      target  => $target,
+      content => template('postgresql/pg_ident_rule.conf'),
+      order   => $order,
+    }
+  }
+}
diff --git a/spec/unit/defines/server/pg_ident_rule_spec.rb b/spec/unit/defines/server/pg_ident_rule_spec.rb
@@ -0,0 +1,63 @@
+require 'spec_helper'
+
+describe 'postgresql::server::pg_ident_rule', :type => :define do
+  let :facts do
+    {
+      :osfamily => 'Debian',
+      :operatingsystem => 'Debian',
+      :operatingsystemrelease => '6.0',
+      :kernel => 'Linux',
+      :concat_basedir => tmpfilename('pg_ident'),
+      :id => 'root',
+      :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
+    }
+  end
+  let :title do
+    'test'
+  end
+  let :target do
+    tmpfilename('pg_ident_rule')
+  end
+
+  context 'test template 1' do
+    let :pre_condition do
+      <<-EOS
+        class { 'postgresql::server': }
+      EOS
+    end
+
+    let :params do
+      {
+        :map_name => 'thatsmymap',
+        :system_username => 'systemuser',
+        :database_username => 'dbuser',
+      }
+    end
+    it do
+      is_expected.to contain_concat__fragment('pg_ident_rule_test').with({
+        :content => /thatsmymap\s+systemuser\s+dbuser/
+      })
+    end
+  end
+  context 'not managing pg_ident' do
+    let :pre_condition do
+      <<-EOS
+        class { 'postgresql::globals':
+          manage_pg_ident_conf => false,
+        }
+        class { 'postgresql::server': }
+      EOS
+    end
+    let :params do
+      {
+          :map_name => 'thatsmymap',
+          :system_username => 'systemuser',
+          :database_username => 'dbuser',
+      }
+    end
+    it 'should fail because $manage_pg_ident_conf is false' do
+      expect {subject}.to raise_error(Puppet::Error,
+                                      /postgresql::server::manage_pg_ident_conf has been disabled/)
+    end
+  end
+end
diff --git a/templates/pg_ident_rule.conf b/templates/pg_ident_rule.conf
@@ -0,0 +1,5 @@
+
+# Rule Name: <%=@name%>
+# Description: <%=@description%>
+# Order: <%=@order%>
+<%=@map_name%>	<%=@system_username%>	<%=@database_username%>
