use the correct value for clientcert in pg_hba.conf for Postgresql 12 and up

jhunt-steds · jhunt-steds · commit d3f343507918 · 2024-01-11T15:14:06.000-06:00
diff --git a/manifests/database/postgresql.pp b/manifests/database/postgresql.pp
@@ -52,6 +52,7 @@
         postgresql_ssl_key_path     => $postgresql_ssl_key_path,
         postgresql_ssl_cert_path    => $postgresql_ssl_cert_path,
         postgresql_ssl_ca_cert_path => $postgresql_ssl_ca_cert_path,
+        postgres_version            => $postgres_version,
         create_read_user_rule       => $create_read_user_rule
       }
     }
diff --git a/manifests/database/postgresql_ssl_rules.pp b/manifests/database/postgresql_ssl_rules.pp
@@ -2,18 +2,24 @@
 define puppetdb::database::postgresql_ssl_rules (
   String $database_name,
   String $database_username,
+  String $postgres_version,
   String $puppetdb_server,
 ) {
   $identity_map_key = "${database_name}-${database_username}-map"
 
+  $clientcert_value = Float($postgres_version) >= 12.0 ? {
+    true    => 'verify-full',
+    false   => '1',
+  }
+
   postgresql::server::pg_hba_rule { "Allow certificate mapped connections to ${database_name} as ${database_username} (ipv4)":
     type        => 'hostssl',
     database    => $database_name,
     user        => $database_username,
     address     => '0.0.0.0/0',
     auth_method => 'cert',
     order       => 0,
-    auth_option => "map=${identity_map_key} clientcert=1"
+    auth_option => "map=${identity_map_key} clientcert=${clientcert_value}",
   }
 
   postgresql::server::pg_hba_rule { "Allow certificate mapped connections to ${database_name} as ${database_username} (ipv6)":
@@ -23,7 +29,7 @@
     address     => '::0/0',
     auth_method => 'cert',
     order       => 0,
-    auth_option => "map=${identity_map_key} clientcert=1"
+    auth_option => "map=${identity_map_key} clientcert=${clientcert_value}",
   }
 
   postgresql::server::pg_ident_rule { "Map the SSL certificate of the server as a ${database_username} user":
diff --git a/manifests/database/ssl_configuration.pp b/manifests/database/ssl_configuration.pp
@@ -9,6 +9,7 @@
   $postgresql_ssl_key_path     = $puppetdb::params::postgresql_ssl_key_path,
   $postgresql_ssl_cert_path    = $puppetdb::params::postgresql_ssl_cert_path,
   $postgresql_ssl_ca_cert_path = $puppetdb::params::postgresql_ssl_ca_cert_path,
+  $postgres_version            = $puppetdb::params::postgres_version,
   $create_read_user_rule       = false,
 ) inherits puppetdb::params {
   File {
@@ -55,13 +56,15 @@
   puppetdb::database::postgresql_ssl_rules { "Configure postgresql ssl rules for ${database_username}":
     database_name     => $database_name,
     database_username => $database_username,
+    postgres_version  => $postgres_version,
     puppetdb_server   => $puppetdb_server,
   }
 
   if $create_read_user_rule {
     puppetdb::database::postgresql_ssl_rules { "Configure postgresql ssl rules for ${read_database_username}":
       database_name     => $database_name,
       database_username => $read_database_username,
+      postgres_version  => $postgres_version,
       puppetdb_server   => $puppetdb_server,
     }
   }
diff --git a/spec/unit/classes/database/ssl_configuration_spec.rb b/spec/unit/classes/database/ssl_configuration_spec.rb
@@ -188,5 +188,37 @@
           .with_database_username(params[:read_database_username])
       end
     end
+
+    context 'when the specified Postgresql version is 12 or later' do
+      let(:params) do
+        {
+          database_name: 'puppetdb',
+          database_username: 'puppetdb',
+          postgres_version: '12'
+        }
+      end
+
+      it 'has hba rule for puppetdb user ipv4' do
+        is_expected.to contain_postgresql__server__pg_hba_rule("Allow certificate mapped connections to #{params[:database_name]} as #{params[:database_username]} (ipv4)")
+          .with_type('hostssl')
+          .with_database(params[:database_name])
+          .with_user(params[:database_username])
+          .with_address('0.0.0.0/0')
+          .with_auth_method('cert')
+          .with_order(0)
+          .with_auth_option("map=#{identity_map} clientcert=verify-full")
+      end
+
+      it 'has hba rule for puppetdb user ipv6' do
+        is_expected.to contain_postgresql__server__pg_hba_rule("Allow certificate mapped connections to #{params[:database_name]} as #{params[:database_username]} (ipv6)")
+          .with_type('hostssl')
+          .with_database(params[:database_name])
+          .with_user(params[:database_username])
+          .with_address('::0/0')
+          .with_auth_method('cert')
+          .with_order(0)
+          .with_auth_option("map=#{identity_map} clientcert=verify-full")
+      end
+    end
   end
 end

Original file line number	Diff line number	Diff line change
`@@ -52,6 +52,7 @@`
`52`	`52`	`postgresql_ssl_key_path => $postgresql_ssl_key_path,`
`53`	`53`	`postgresql_ssl_cert_path => $postgresql_ssl_cert_path,`
`54`	`54`	`postgresql_ssl_ca_cert_path => $postgresql_ssl_ca_cert_path,`
	`55`	`+ postgres_version => $postgres_version,`
`55`	`56`	`create_read_user_rule => $create_read_user_rule`
`56`	`57`	`}`
`57`	`58`	`}`