Merge pull request #380 from jhunt-steds/postgres-ssl-clientcert-fix

use the correct value for clientcert in pg_hba.conf for Postgresql 12

Author: h0tw1r3

manifests/database/postgresql.pp

@@ -116,6 +116,7 @@
         postgresql_ssl_key_path     => $postgresql_ssl_key_path,
         postgresql_ssl_cert_path    => $postgresql_ssl_cert_path,
         postgresql_ssl_ca_cert_path => $postgresql_ssl_ca_cert_path,
+        postgres_version            => $postgres_version,
         create_read_user_rule       => $create_read_user_rule,
       }
     }

manifests/database/postgresql_ssl_rules.pp

@@ -4,18 +4,24 @@
 define puppetdb::database::postgresql_ssl_rules (
   String $database_name,
   String $database_username,
+  String[2,3] $postgres_version,
   String $puppetdb_server,
 ) {
   $identity_map_key = "${database_name}-${database_username}-map"
 
+  $clientcert_value = Float($postgres_version) >= 12.0 ? {
+    true    => 'verify-full',
+    false   => '1',
+  }
+
   postgresql::server::pg_hba_rule { "Allow certificate mapped connections to ${database_name} as ${database_username} (ipv4)":
     type        => 'hostssl',
     database    => $database_name,
     user        => $database_username,
     address     => '0.0.0.0/0',
     auth_method => 'cert',
     order       => 0,
-    auth_option => "map=${identity_map_key} clientcert=1",
+    auth_option => "map=${identity_map_key} clientcert=${clientcert_value}",
   }
 
   postgresql::server::pg_hba_rule { "Allow certificate mapped connections to ${database_name} as ${database_username} (ipv6)":
@@ -25,7 +31,7 @@
     address     => '::0/0',
     auth_method => 'cert',
     order       => 0,
-    auth_option => "map=${identity_map_key} clientcert=1",
+    auth_option => "map=${identity_map_key} clientcert=${clientcert_value}",
   }
 
   postgresql::server::pg_ident_rule { "Map the SSL certificate of the server as a ${database_username} user":

manifests/database/ssl_configuration.pp

@@ -10,6 +10,7 @@
   $postgresql_ssl_key_path     = $puppetdb::params::postgresql_ssl_key_path,
   $postgresql_ssl_cert_path    = $puppetdb::params::postgresql_ssl_cert_path,
   $postgresql_ssl_ca_cert_path = $puppetdb::params::postgresql_ssl_ca_cert_path,
+  $postgres_version            = $puppetdb::params::postgres_version,
   $create_read_user_rule       = false,
 ) inherits puppetdb::params {
   File {
@@ -56,13 +57,15 @@
   puppetdb::database::postgresql_ssl_rules { "Configure postgresql ssl rules for ${database_username}":
     database_name     => $database_name,
     database_username => $database_username,
+    postgres_version  => $postgres_version,
     puppetdb_server   => $puppetdb_server,
   }
 
   if $create_read_user_rule {
     puppetdb::database::postgresql_ssl_rules { "Configure postgresql ssl rules for ${read_database_username}":
       database_name     => $database_name,
       database_username => $read_database_username,
+      postgres_version  => $postgres_version,
       puppetdb_server   => $puppetdb_server,
     }
   }

spec/defines/database/postgresql_ssl_rules_spec.rb

@@ -6,11 +6,28 @@
   'puppetdb-read': {
     database_name:     'puppetdb',
     database_username: 'monitor',
+    postgres_version: '11',
     puppetdb_server:   'localhost',
   },
   'monitor': {
     database_name:     'opensesame',
     database_username: 'grover',
+    postgres_version: '11',
+    puppetdb_server:   'rainbow',
+  },
+}
+
+valid_12plus = {
+  'puppetdb-read': {
+    database_name:     'puppetdb',
+    database_username: 'monitor',
+    postgres_version: '12',
+    puppetdb_server:   'localhost',
+  },
+  'monitor': {
+    database_name:     'opensesame',
+    database_username: 'grover',
+    postgres_version: '12',
     puppetdb_server:   'rainbow',
   },
 }
@@ -34,6 +51,15 @@
     end
   end
 
+  valid_12plus.each do |name, params|
+    context "for valid_12plus #{name}" do
+      include_examples 'puppetdb::database::postgresql_ssl_rules' do
+        let(:title) { name.to_s }
+        let(:params) { params }
+      end
+    end
+  end
+
   invalid.each do |name, params|
     context "for invalid #{name}" do
       include_examples 'puppetdb::database::postgresql_ssl_rules', Puppet::Error do

spec/support/unit/shared/database.rb

@@ -227,6 +227,7 @@
     it { is_expected.to raise_error(error) }
   else
     let(:identity_map_key) { "#{with[:database_name]}-#{with[:database_username]}-map" }
+    let(:client_cert) { (with[:postgres_version].to_f >= 12.0) ? 'verify-full' : '1' }
 
     it { is_expected.to contain_puppetdb__database__postgresql_ssl_rules(name).with(with) }
 
@@ -239,7 +240,7 @@
           address:     '0.0.0.0/0',
           auth_method: 'cert',
           order:       0,
-          auth_option: "map=#{identity_map_key} clientcert=1",
+          auth_option: "map=#{identity_map_key} clientcert=#{client_cert}",
         )
     }
 
@@ -252,7 +253,7 @@
           address:     '::0/0',
           auth_method: 'cert',
           order:       0,
-          auth_option: "map=#{identity_map_key} clientcert=1",
+          auth_option: "map=#{identity_map_key} clientcert=#{client_cert}",
         )
     }