diff --git a/manifests/server/pg_hba_rule.pp b/manifests/server/pg_hba_rule.pp
index 3abd6c8..dce58a0 100644
--- a/manifests/server/pg_hba_rule.pp
+++ b/manifests/server/pg_hba_rule.pp
@@ -1,60 +1,61 @@ # This resource manages an individual rule that applies to the file defined in # $target. See README.md for more details. define postgresql::server::pg_hba_rule( Enum['local', 'host', 'hostssl', 'hostnossl'] $type, String $database, String $user, String $auth_method, Optional[String] $address = undef, String $description = 'none', Optional[String] $auth_option = undef, Variant[String, Integer] $order = 150, # Needed for testing primarily, support for multiple files is not really # working. Stdlib::Absolutepath $target = $postgresql::server::pg_hba_conf_path, String $postgresql_version = $postgresql::server::_version ) { #Allow users to manage pg_hba.conf even if they are not managing the whole PostgreSQL instance if !defined( 'postgresql::server' ) { $manage_pg_hba_conf = true } else { $manage_pg_hba_conf = $postgresql::server::manage_pg_hba_conf } if $manage_pg_hba_conf == false { fail('postgresql::server::manage_pg_hba_conf has been disabled, so this resource is now unused and redundant, either enable that option or remove this resource from your manifests') } else { if($type =~ /^host/ and $address == undef) { fail('You must specify an address property when type is host based') } $allowed_auth_methods = $postgresql_version ? 
{ + '10' => ['trust', 'reject', 'scram-sha-256', 'md5', 'password', 'gss', 'sspi', 'ident', 'peer', 'ldap', 'radius', 'cert', 'pam', 'bsd'], '9.6' => ['trust', 'reject', 'md5', 'password', 'gss', 'sspi', 'ident', 'peer', 'ldap', 'radius', 'cert', 'pam', 'bsd'], '9.5' => ['trust', 'reject', 'md5', 'password', 'gss', 'sspi', 'ident', 'peer', 'ldap', 'radius', 'cert', 'pam'], '9.4' => ['trust', 'reject', 'md5', 'password', 'gss', 'sspi', 'ident', 'peer', 'ldap', 'radius', 'cert', 'pam'], '9.3' => ['trust', 'reject', 'md5', 'password', 'gss', 'sspi', 'krb5', 'ident', 'peer', 'ldap', 'radius', 'cert', 'pam'], '9.2' => ['trust', 'reject', 'md5', 'password', 'gss', 'sspi', 'krb5', 'ident', 'peer', 'ldap', 'radius', 'cert', 'pam'], '9.1' => ['trust', 'reject', 'md5', 'password', 'gss', 'sspi', 'krb5', 'ident', 'peer', 'ldap', 'radius', 'cert', 'pam'], '9.0' => ['trust', 'reject', 'md5', 'password', 'gss', 'sspi', 'krb5', 'ident', 'ldap', 'radius', 'cert', 'pam'], '8.4' => ['trust', 'reject', 'md5', 'password', 'gss', 'sspi', 'krb5', 'ident', 'ldap', 'cert', 'pam'], '8.3' => ['trust', 'reject', 'md5', 'crypt', 'password', 'gss', 'sspi', 'krb5', 'ident', 'ldap', 'pam'], '8.2' => ['trust', 'reject', 'md5', 'crypt', 'password', 'krb5', 'ident', 'ldap', 'pam'], '8.1' => ['trust', 'reject', 'md5', 'crypt', 'password', 'krb5', 'ident', 'pam'], - default => ['trust', 'reject', 'md5', 'password', 'gss', 'sspi', 'krb5', 'ident', 'peer', 'ldap', 'radius', 'cert', 'pam', 'crypt', 'bsd'] + default => ['trust', 'reject', 'scram-sha-256', 'md5', 'password', 'gss', 'sspi', 'krb5', 'ident', 'peer', 'ldap', 'radius', 'cert', 'pam', 'crypt', 'bsd'] } assert_type(Enum[$allowed_auth_methods], $auth_method) # Create a rule fragment $fragname = "pg_hba_rule_${name}" concat::fragment { $fragname: target => $target, content => template('postgresql/pg_hba_rule.conf'), order => $order, } } } 
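Review bot: The `default` arm of the `$postgresql_version` selector is the fallback for every version string not listed, so an unparsed or future version silently gets the widest list, which after this change includes `scram-sha-256` next to legacy methods such as `crypt` and `krb5`; nothing in the hunk says whether that is intended for 11+ or just accidental. A short comment above the selector would make the intent explicit: `# Versions not listed (e.g. 11+) fall through to 'default', the union of all known methods; scram-sha-256 requires PostgreSQL 10 or later.` The `assert_type` call further down only produces a generic type-mismatch message, so a rejected method does not tell the user which version gate it failed; `unless $auth_method in $allowed_auth_methods { fail("auth_method '${auth_method}' is not supported on PostgreSQL ${postgresql_version}") }` would name it.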
diff --git a/spec/unit/defines/server/pg_hba_rule_spec.rb b/spec/unit/defines/server/pg_hba_rule_spec.rb
index f657589..24ead07 100644
--- a/spec/unit/defines/server/pg_hba_rule_spec.rb
+++ b/spec/unit/defines/server/pg_hba_rule_spec.rb
@@ -1,126 +1,156 @@ require 'spec_helper' describe 'postgresql::server::pg_hba_rule', :type => :define do let :facts do { :osfamily => 'Debian', :operatingsystem => 'Debian', :operatingsystemrelease => '6.0', :kernel => 'Linux', :concat_basedir => tmpfilename('pg_hba'), :id => 'root', :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', } end let :title do 'test' end let :target do tmpfilename('pg_hba_rule') end context 'test template 1' do let :pre_condition do <<-EOS class { 'postgresql::server': } EOS end let :params do { :type => 'host', :database => 'all', :user => 'all', :address => '1.1.1.1/24', :auth_method => 'md5', :target => target, } end it do is_expected.to contain_concat__fragment('pg_hba_rule_test').with({ :content => /host\s+all\s+all\s+1\.1\.1\.1\/24\s+md5/ }) end end context 'test template 2' do let :pre_condition do <<-EOS class { 'postgresql::server': } EOS end let :params do { :type => 'local', :database => 'all', :user => 'all', :auth_method => 'ident', :target => target, } end it do is_expected.to contain_concat__fragment('pg_hba_rule_test').with({ :content => /local\s+all\s+all\s+ident/ }) end end context 'test template 3' do let :pre_condition do <<-EOS class { 'postgresql::server': } EOS end let :params do { :type => 'host', :database => 'all', :user => 'all', :address => '0.0.0.0/0', :auth_method => 'ldap', :auth_option => 'foo=bar', :target => target, } end it do is_expected.to contain_concat__fragment('pg_hba_rule_test').with({ :content => /host\s+all\s+all\s+0\.0\.0\.0\/0\s+ldap\s+foo=bar/ }) end end context 'validation' do context 'validate supported auth_method' do let :pre_condition do <<-EOS class { 'postgresql::globals': version => '9.2', } class { 'postgresql::server': } EOS end let :params do { :type => 'local', :database => 'all', :user => 'all', :address => '0.0.0.0/0', :auth_method => 'peer', :target => target, } end it do is_expected.to contain_concat__fragment('pg_hba_rule_test').with( { :content => 
/local\s+all\s+all\s+0\.0\.0\.0\/0\s+peer/ } ) end end + context 'allows scram-sha-256 on postgres 10' do + let :pre_condition do + <<-EOS + class { 'postgresql::globals': + version => '10', + } + class { 'postgresql::server': } + EOS + end + + let :params do + { + :type => 'local', + :database => 'all', + :user => 'all', + :address => '0.0.0.0/0', + :auth_method => 'scram-sha-256', + :target => target, + } + end + + it do + is_expected.to contain_concat__fragment('pg_hba_rule_test').with( + { + :content => /local\s+all\s+all\s+0\.0\.0\.0\/0\s+scram-sha-256/ + } + ) + end + end + end end
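Review bot: The new `allows scram-sha-256 on postgres 10` context combines `:type => 'local'` with `:address => '0.0.0.0/0'` and then expects the address in the rendered line, but a `local` record in pg_hba.conf carries no address column, so if the template really emits it the generated line would not be accepted by PostgreSQL and the test pins that output; the shape is copied from the existing `validate supported auth_method` context, which has the same issue. Either drop `:address` here and expect `/local\s+all\s+all\s+scram-sha-256/`, or use `:type => 'host'` so the address is legitimate. The hunk also adds only the positive case; a companion context with `version => '9.6'` asserting `is_expected.to compile.and_raise_error(/EXPECTED_MESSAGE/)` for `scram-sha-256` would pin the version gate the manifest change introduces.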