(maint) Make sure the ssl rules for the read user are created only when it's needed.

Author: Filipovici-Andrei

manifests/database/postgresql.pp

@@ -16,7 +16,8 @@
   $postgresql_ssl_cert_path    = $puppetdb::params::postgresql_ssl_cert_path,
   $postgresql_ssl_ca_cert_path = $puppetdb::params::postgresql_ssl_ca_cert_path,
   $read_database_username      = $puppetdb::params::read_database_username,
-  $read_database_password      = $puppetdb::params::read_database_password
+  $read_database_password      = $puppetdb::params::read_database_password,
+  $read_database_host          = $puppetdb::params::read_database_host
 ) inherits puppetdb::params {
 
   if $manage_server {
@@ -31,6 +32,15 @@
       port                    => scanf($database_port, '%i')[0],
     }
 
+    # We need to create the ssl connection for the read user, when
+    # manage_database is set to true, or when read_database_host is defined.
+    # Otherwise we don't create it.
+    if $manage_database or $read_database_host != undef{
+      $create_read_user_rule = true
+    } else {
+      $create_read_user_rule = false
+    }
+
     # configure PostgreSQL communication with Puppet Agent SSL certificates if
     # postgresql_ssl_on is set to true
     if $postgresql_ssl_on {
@@ -41,7 +51,8 @@
         puppetdb_server             => $puppetdb_server,
         postgresql_ssl_key_path     => $postgresql_ssl_key_path,
         postgresql_ssl_cert_path    => $postgresql_ssl_cert_path,
-        postgresql_ssl_ca_cert_path => $postgresql_ssl_ca_cert_path
+        postgresql_ssl_ca_cert_path => $postgresql_ssl_ca_cert_path,
+        create_read_user_rule       => $create_read_user_rule
       }
     }
 

manifests/database/ssl_configuration.pp

@@ -4,10 +4,12 @@
   $database_name               = $puppetdb::params::database_name,
   $database_username           = $puppetdb::params::database_username,
   $read_database_username      = $puppetdb::params::read_database_username,
+  $read_database_host          = $puppetdb::params::read_database_host,
   $puppetdb_server             = $puppetdb::params::puppetdb_server,
   $postgresql_ssl_key_path     = $puppetdb::params::postgresql_ssl_key_path,
   $postgresql_ssl_cert_path    = $puppetdb::params::postgresql_ssl_cert_path,
-  $postgresql_ssl_ca_cert_path = $puppetdb::params::postgresql_ssl_ca_cert_path
+  $postgresql_ssl_ca_cert_path = $puppetdb::params::postgresql_ssl_ca_cert_path,
+  $create_read_user_rule       = false,
 ) inherits puppetdb::params {
   File {
     ensure  => present,
@@ -56,9 +58,11 @@
     puppetdb_server   => $puppetdb_server,
   }
 
-  puppetdb::database::postgresql_ssl_rules { "Configure postgresql ssl rules for ${read_database_username}":
-    database_name     => $database_name,
-    database_username => $read_database_username,
-    puppetdb_server   => $puppetdb_server,
+  if $create_read_user_rule {
+    puppetdb::database::postgresql_ssl_rules { "Configure postgresql ssl rules for ${read_database_username}":
+      database_name     => $database_name,
+      database_username => $read_database_username,
+      puppetdb_server   => $puppetdb_server,
+    }
   }
 }

manifests/init.pp

@@ -200,6 +200,7 @@
       postgresql_ssl_ca_cert_path => $postgresql_ssl_ca_cert_path,
       read_database_username      => $read_database_username,
       read_database_password      => $read_database_password,
+      read_database_host          => $read_database_host,
       before                      => $database_before
     }
   }

spec/unit/classes/database/ssl_configuration_spec.rb

@@ -103,15 +103,8 @@
         .with_auth_option("map=#{identity_map} clientcert=1")
     end
 
-    it 'has hba rule for puppetdb-read user ipv4' do
-      is_expected.to contain_postgresql__server__pg_hba_rule("Allow certificate mapped connections to #{params[:database_name]} as #{params[:read_database_username]} (ipv4)")
-        .with_type('hostssl')
-        .with_database(params[:database_name])
-        .with_user(params[:read_database_username])
-        .with_address('0.0.0.0/0')
-        .with_auth_method('cert')
-        .with_order(0)
-        .with_auth_option("map=#{read_identity_map} clientcert=1")
+    it 'does not create hba rule for puppetdb-read user ipv4' do
+      is_expected.not_to contain_postgresql__server__pg_hba_rule("Allow certificate mapped connections to #{params[:database_name]} as #{params[:read_database_username]} (ipv4)")
     end
 
     it 'has hba rule for puppetdb user ipv6' do
@@ -125,15 +118,8 @@
         .with_auth_option("map=#{identity_map} clientcert=1")
     end
 
-    it 'has hba rule for puppetdb-read user ipv6' do
-      is_expected.to contain_postgresql__server__pg_hba_rule("Allow certificate mapped connections to #{params[:database_name]} as #{params[:read_database_username]} (ipv6)")
-        .with_type('hostssl')
-        .with_database(params[:database_name])
-        .with_user(params[:read_database_username])
-        .with_address('::0/0')
-        .with_auth_method('cert')
-        .with_order(0)
-        .with_auth_option("map=#{read_identity_map} clientcert=1")
+    it 'does not create hba rule for puppetdb-read user ipv6' do
+      is_expected.not_to contain_postgresql__server__pg_hba_rule("Allow certificate mapped connections to #{params[:database_name]} as #{params[:read_database_username]} (ipv6)")
     end
 
     it 'has ident rule' do
@@ -143,11 +129,8 @@
         .with_database_username(params[:database_name])
     end
 
-    it 'has read ident rule' do
-      is_expected.to contain_postgresql__server__pg_ident_rule("Map the SSL certificate of the server as a #{params[:read_database_username]} user")
-        .with_map_name(read_identity_map)
-        .with_system_username(facts[:fqdn])
-        .with_database_username(params[:read_database_username])
+    it 'does not create read ident rule' do
+      is_expected.not_to contain_postgresql__server__pg_ident_rule("Map the SSL certificate of the server as a #{params[:read_database_username]} user")
     end
 
     context 'when the puppetdb_server is set' do
@@ -166,5 +149,44 @@
           .with_database_username(params[:database_name])
       end
     end
+
+    context 'when the create_read_user_rule is set to true' do
+      let(:params) do
+        {
+          database_name: 'puppetdb',
+          read_database_username: 'puppetdb-read',
+          create_read_user_rule: true,
+        }
+      end
+
+      it 'has hba rule for puppetdb-read user ipv4' do
+        is_expected.to contain_postgresql__server__pg_hba_rule("Allow certificate mapped connections to #{params[:database_name]} as #{params[:read_database_username]} (ipv4)")
+          .with_type('hostssl')
+          .with_database(params[:database_name])
+          .with_user(params[:read_database_username])
+          .with_address('0.0.0.0/0')
+          .with_auth_method('cert')
+          .with_order(0)
+          .with_auth_option("map=#{read_identity_map} clientcert=1")
+      end
+
+      it 'has hba rule for puppetdb-read user ipv6' do
+        is_expected.to contain_postgresql__server__pg_hba_rule("Allow certificate mapped connections to #{params[:database_name]} as #{params[:read_database_username]} (ipv6)")
+          .with_type('hostssl')
+          .with_database(params[:database_name])
+          .with_user(params[:read_database_username])
+          .with_address('::0/0')
+          .with_auth_method('cert')
+          .with_order(0)
+          .with_auth_option("map=#{read_identity_map} clientcert=1")
+      end
+
+      it 'has read ident rule' do
+        is_expected.to contain_postgresql__server__pg_ident_rule("Map the SSL certificate of the server as a #{params[:read_database_username]} user")
+          .with_map_name(read_identity_map)
+          .with_system_username(facts[:fqdn])
+          .with_database_username(params[:read_database_username])
+      end
+    end
   end
 end