diff --git a/manifests/server/pg_hba_rule.pp b/manifests/server/pg_hba_rule.pp
index 97a7aaa..3abd6c8 100644
--- a/manifests/server/pg_hba_rule.pp
+++ b/manifests/server/pg_hba_rule.pp
@@ -1,60 +1,60 @@
 # This resource manages an individual rule that applies to the file defined in # $target. See README.md for more details. define postgresql::server::pg_hba_rule( Enum['local', 'host', 'hostssl', 'hostnossl'] $type, String $database, String $user, String $auth_method,
- Optional[String] $address = undef,
- String $description = 'none',
- Optional[String] $auth_option = undef,
- Integer $order = 150,
+ Optional[String] $address = undef,
+ String $description = 'none',
+ Optional[String] $auth_option = undef,
+ Variant[String, Integer] $order = 150,
 # Needed for testing primarily, support for multiple files is not really # working. Stdlib::Absolutepath $target = $postgresql::server::pg_hba_conf_path, String $postgresql_version = $postgresql::server::_version ) { #Allow users to manage pg_hba.conf even if they are not managing the whole PostgreSQL instance if !defined( 'postgresql::server' ) { $manage_pg_hba_conf = true } else { $manage_pg_hba_conf = $postgresql::server::manage_pg_hba_conf } if $manage_pg_hba_conf == false { fail('postgresql::server::manage_pg_hba_conf has been disabled, so this resource is now unused and redundant, either enable that option or remove this resource from your manifests') } else { if($type =~ /^host/ and $address == undef) { fail('You must specify an address property when type is host based') } $allowed_auth_methods = $postgresql_version ?
{ '9.6' => ['trust', 'reject', 'md5', 'password', 'gss', 'sspi', 'ident', 'peer', 'ldap', 'radius', 'cert', 'pam', 'bsd'], '9.5' => ['trust', 'reject', 'md5', 'password', 'gss', 'sspi', 'ident', 'peer', 'ldap', 'radius', 'cert', 'pam'], '9.4' => ['trust', 'reject', 'md5', 'password', 'gss', 'sspi', 'ident', 'peer', 'ldap', 'radius', 'cert', 'pam'], '9.3' => ['trust', 'reject', 'md5', 'password', 'gss', 'sspi', 'krb5', 'ident', 'peer', 'ldap', 'radius', 'cert', 'pam'], '9.2' => ['trust', 'reject', 'md5', 'password', 'gss', 'sspi', 'krb5', 'ident', 'peer', 'ldap', 'radius', 'cert', 'pam'], '9.1' => ['trust', 'reject', 'md5', 'password', 'gss', 'sspi', 'krb5', 'ident', 'peer', 'ldap', 'radius', 'cert', 'pam'], '9.0' => ['trust', 'reject', 'md5', 'password', 'gss', 'sspi', 'krb5', 'ident', 'ldap', 'radius', 'cert', 'pam'], '8.4' => ['trust', 'reject', 'md5', 'password', 'gss', 'sspi', 'krb5', 'ident', 'ldap', 'cert', 'pam'], '8.3' => ['trust', 'reject', 'md5', 'crypt', 'password', 'gss', 'sspi', 'krb5', 'ident', 'ldap', 'pam'], '8.2' => ['trust', 'reject', 'md5', 'crypt', 'password', 'krb5', 'ident', 'ldap', 'pam'], '8.1' => ['trust', 'reject', 'md5', 'crypt', 'password', 'krb5', 'ident', 'pam'], default => ['trust', 'reject', 'md5', 'password', 'gss', 'sspi', 'krb5', 'ident', 'peer', 'ldap', 'radius', 'cert', 'pam', 'crypt', 'bsd'] } assert_type(Enum[$allowed_auth_methods], $auth_method) # Create a rule fragment $fragname = "pg_hba_rule_${name}" concat::fragment { $fragname: target => $target, content => template('postgresql/pg_hba_rule.conf'), order => $order, } } }
diff --git a/spec/unit/classes/server/config_spec.rb b/spec/unit/classes/server/config_spec.rb
index 16e1aef..fbf5529 100644
--- a/spec/unit/classes/server/config_spec.rb
+++ b/spec/unit/classes/server/config_spec.rb
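Review bot: Widening `$order` to `Variant[String, Integer]` accepts any string, including non-numeric or unpadded values, and the value is passed unchanged to the `order` of `concat::fragment` at the end of the define. pg_hba.conf is evaluated first-match-wins, so a rule that sorts into an unexpected position can let a permissive entry shadow a `reject` or a stricter method; how strings and integers interleave depends on the concat target's ordering mode, which is not visible in this hunk. Consider constraining the string form to digits, `Variant[Pattern[/\A\d+\z/], Integer] $order = 150,`, and adding a comment above the parameter saying that callers who mix both forms should zero-pad to a common width.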
@@ -1,136 +1,171 @@
 require 'spec_helper' describe 'postgresql::server::config', :type => :class do let (:pre_condition) do "include postgresql::server" end describe 'on RedHat 7' do let :facts do { :osfamily => 'RedHat', :operatingsystem => 'CentOS', :operatingsystemrelease => '7.0', :concat_basedir => tmpfilename('server'), :kernel => 'Linux', :id => 'root', :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', :selinux => true, } end it 'should have the correct systemd-override file' do is_expected.to contain_file('systemd-override').with ({ :ensure => 'present', :path => '/etc/systemd/system/postgresql.service', :owner => 'root', :group => 'root', }) is_expected.to contain_file('systemd-override') \ .with_content(/.include \/usr\/lib\/systemd\/system\/postgresql.service/) end describe 'with manage_package_repo => true and a version' do let (:pre_condition) do <<-EOS class { 'postgresql::globals': manage_package_repo => true, version => '9.4', }-> class { 'postgresql::server': } EOS end it 'should have the correct systemd-override file' do is_expected.to contain_file('systemd-override').with ({ :ensure => 'present', :path => '/etc/systemd/system/postgresql-9.4.service', :owner => 'root', :group => 'root', }) is_expected.to contain_file('systemd-override') \ .with_content(/.include \/usr\/lib\/systemd\/system\/postgresql-9.4.service/) end end end describe 'on Fedora 21' do let :facts do { :osfamily => 'RedHat', :operatingsystem => 'Fedora', :operatingsystemrelease => '21', :concat_basedir => tmpfilename('server'), :kernel => 'Linux', :id => 'root', :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', :selinux => true, } end it 'should have the correct systemd-override file' do is_expected.to contain_file('systemd-override').with ({ :ensure => 'present', :path => '/etc/systemd/system/postgresql.service', :owner => 'root', :group => 'root', }) is_expected.to contain_file('systemd-override') \ .with_content(/.include
\/lib\/systemd\/system\/postgresql.service/) end describe 'with manage_package_repo => true and a version' do let (:pre_condition) do <<-EOS class { 'postgresql::globals': manage_package_repo => true, version => '9.4', }-> class { 'postgresql::server': } EOS end it 'should have the correct systemd-override file' do is_expected.to contain_file('systemd-override').with ({ :ensure => 'present', :path => '/etc/systemd/system/postgresql-9.4.service', :owner => 'root', :group => 'root', }) is_expected.to contain_file('systemd-override') \ .with_content(/.include \/lib\/systemd\/system\/postgresql-9.4.service/) end end end describe 'on Gentoo' do let (:pre_condition) do <<-EOS class { 'postgresql::globals': version => '9.5', }-> class { 'postgresql::server': } EOS end let :facts do { :osfamily => 'Gentoo', :operatingsystem => 'Gentoo', :operatingsystemrelease => 'unused', :concat_basedir => tmpfilename('server'), :kernel => 'Linux', :id => 'root', :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', :selinux => false, } end it 'should have the correct systemd-override file' do is_expected.to contain_file('systemd-override').with ({ :ensure => 'present', :path => '/etc/systemd/system/postgresql-9.5.service', :owner => 'root', :group => 'root', }) is_expected.to contain_file('systemd-override') \ .with_content(/.include \/usr\/lib64\/systemd\/system\/postgresql-9.5.service/) end end
+
+ describe 'with managed pg_hba_conf and ipv4acls' do
+ let (:pre_condition) do
+ <<-EOS
+ class { 'postgresql::globals':
+ version => '9.5',
+ }->
+ class { 'postgresql::server':
+ manage_pg_hba_conf => true,
+ ipv4acls => [
+ 'hostnossl all all 0.0.0.0/0 reject',
+ 'hostssl all all 0.0.0.0/0 md5'
+ ]
+ }
+ EOS
+ end
+ let :facts do
+ {
+ :osfamily => 'RedHat',
+ :operatingsystem => 'CentOS',
+ :operatingsystemrelease => '7.0',
+ :concat_basedir => tmpfilename('server'),
+ :kernel => 'Linux',
+ :id => 'root',
+ :path =>
'/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
+ :selinux => true,
+ }
+ end
+ it 'should have hba rule default' do
+ is_expected.to contain_postgresql__server__pg_hba_rule('local access as postgres user')
+ end
+ it 'should have hba rule ipv4acls' do
+ is_expected.to contain_postgresql__server__pg_hba_rule('postgresql class generated rule ipv4acls 0')
+ end
+ end
 end
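Review bot: The two new examples under 'with managed pg_hba_conf and ipv4acls' assert only that a rule with a given title exists, so they would still pass if the generated rule carried the wrong `type`, `auth_method` or `order`, or if the second ACL were dropped. The fixture depends on the `hostnossl ... reject` entry being evaluated before the `hostssl ... md5` entry, so pin the parameters, e.g. `is_expected.to contain_postgresql__server__pg_hba_rule('postgresql class generated rule ipv4acls 0').with_type('hostnossl').with_auth_method('reject')`. Add the matching check for the second entry as well (presumably titled `... ipv4acls 1`; confirm against the generator). Asserting the `order` value each rule receives would also exercise the String/Integer change this commit makes in pg_hba_rule.pp.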