Merge pull request #1366 from david22swan/maint/codebase_hardening

(maint) Codebase Hardening

Author: LukasAud

manifests/server/config.pp

@@ -142,8 +142,11 @@
 
     ensure_packages([$package_name])
 
+    $exec_command = ['/usr/sbin/semanage', 'port', '-a', '-t', 'postgresql_port_t', '-p', 'tcp', $port]
+    $exec_unless = "/usr/sbin/semanage port -l | grep -qw ${port}"
     exec { "/usr/sbin/semanage port -a -t postgresql_port_t -p tcp ${port}":
-      unless  => "/usr/sbin/semanage port -l | grep -qw ${port}",
+      command => $exec_command,
+      unless  => $exec_unless,
       before  => Postgresql::Server::Config_entry['port'],
       require => Package[$package_name],
     }
@@ -218,8 +221,9 @@
     #
     # This can be removed when Puppet < 6.1 support is dropped *and* the file
     # old-systemd-override is removed.
+    $systemd_command = ['systemctl', 'daemon-reload']
     exec { 'restart-systemd':
-      command     => 'systemctl daemon-reload',
+      command     => $systemd_command,
       refreshonly => true,
       path        => '/bin:/usr/bin:/usr/local/bin',
       before      => Class['postgresql::server::service'],

manifests/server/config_entry.pp

@@ -98,10 +98,13 @@
   # is managed for us in postgresql::server::config.
   if $facts['os']['name'] == 'Debian' or $facts['os']['name'] == 'Ubuntu' {
     if $name == 'data_directory' {
+      $stop_command = ['service', $postgresql::server::service_name, 'stop']
+      $stop_onlyif = ['service', $postgresql::server::service_name, 'status']
+      $stop_unless = [['grep', "data_directory = '${value}'", $postgresql::server::postgresql_conf_path]]
       exec { "postgresql_stop_${name}":
-        command => "service ${postgresql::server::service_name} stop",
-        onlyif  => "service ${postgresql::server::service_name} status",
-        unless  => "grep \"data_directory = '${value}'\" ${postgresql::server::postgresql_conf_path}",
+        command => $stop_command,
+        onlyif  => $stop_onlyif,
+        unless  => $stop_unless,
         path    => '/usr/sbin:/sbin:/bin:/usr/bin:/usr/local/bin',
         before  => Postgresql_conf[$name],
       }
@@ -111,10 +114,13 @@
       # We need to force postgresql to stop before updating the port
       # because puppet becomes confused and is unable to manage the
       # service appropriately.
+      $stop_command = ['service', $postgresql::server::service_name, 'stop']
+      $stop_onlyif = ['service', $postgresql::server::service_name, 'status']
+      $stop_unless = "grep 'PGPORT=${shell_escape($value)}' /etc/sysconfig/pgsql/postgresql"
       exec { "postgresql_stop_${name}":
-        command => "service ${postgresql::server::service_name} stop",
-        onlyif  => "service ${postgresql::server::service_name} status",
-        unless  => "grep 'PGPORT=${value}' /etc/sysconfig/pgsql/postgresql",
+        command => $stop_command,
+        onlyif  => $stop_onlyif,
+        unless  => $stop_unless,
         path    => '/sbin:/bin:/usr/bin:/usr/local/bin',
         require => File['/etc/sysconfig/pgsql/postgresql'],
       }
@@ -130,10 +136,13 @@
     } elsif $name == 'data_directory' {
       # We need to force postgresql to stop before updating the data directory
       # otherwise init script breaks
+      $stop_command = ['service', $postgresql::server::service_name, 'stop']
+      $stop_onlyif = ['service', $postgresql::server::service_name, 'status']
+      $stop_unless = [['grep', "PGDATA=${value}", '/etc/sysconfig/pgsql/postgresql']]
       exec { "postgresql_${name}":
-        command => "service ${postgresql::server::service_name} stop",
-        onlyif  => "service ${postgresql::server::service_name} status",
-        unless  => "grep 'PGDATA=${value}' /etc/sysconfig/pgsql/postgresql",
+        command => $stop_command,
+        onlyif  => $stop_onlyif,
+        unless  => $stop_unless,
         path    => '/sbin:/bin:/usr/bin:/usr/local/bin',
         require => File['/etc/sysconfig/pgsql/postgresql'],
       }

manifests/server/passwd.pp

@@ -16,7 +16,7 @@
   # psql will default to connecting as $user if you don't specify name
   $_datbase_user_same = $database == $user
   $_dboption = $_datbase_user_same ? {
-    false => " --dbname ${database}",
+    false => " --dbname ${shell_escape($database)}",
     default => ''
   }
 
@@ -26,10 +26,11 @@
     #  without specifying a password ('ident' or 'trust' security). This is
     #  the default for pg_hba.conf.
     $escaped = postgresql::postgresql_escape($postgres_password)
+    $exec_command = "${shell_escape($psql_path)}${_dboption} -c \"ALTER ROLE \\\"${shell_escape($user)}\\\" PASSWORD \${NEWPASSWD_ESCAPED}\""
     exec { 'set_postgres_postgrespw':
       # This command works w/no password because we run it as postgres system
       # user
-      command     => "${psql_path}${_dboption} -c \"ALTER ROLE \\\"${user}\\\" PASSWORD \${NEWPASSWD_ESCAPED}\"",
+      command     => $exec_command,
       user        => $user,
       group       => $group,
       logoutput   => true,

manifests/validate_db_connection.pp

@@ -44,29 +44,29 @@
   $module_workdir = $postgresql::params::module_workdir
   $validcon_script_path = $postgresql::client::validcon_script_path
 
-  $cmd_init = "${psql_path} --tuples-only --quiet "
+  $cmd_init = "${psql_path} --tuples-only --quiet"
   $cmd_host = $database_host ? {
     undef   => '',
-    default => "-h ${database_host} ",
+    default => "-h ${database_host}",
   }
   $cmd_user = $database_username ? {
     undef   => '',
-    default => "-U ${database_username} ",
+    default => "-U ${database_username}",
   }
   $cmd_port = $database_port ? {
     undef   => '',
-    default => "-p ${database_port} ",
+    default => "-p ${database_port}",
   }
   $cmd_dbname = $database_name ? {
-    undef   => "--dbname ${postgresql::params::default_database} ",
-    default => "--dbname ${database_name} ",
+    undef   => "--dbname ${postgresql::params::default_database}",
+    default => "--dbname ${database_name}",
   }
   $pass_env = $database_password_unsensitive ? {
     undef   => undef,
     default => "PGPASSWORD=${database_password_unsensitive}",
   }
   $cmd = join([$cmd_init, $cmd_host, $cmd_user, $cmd_port, $cmd_dbname], ' ')
-  $validate_cmd = "${validcon_script_path} ${sleep} ${tries} '${cmd}'"
+  $validate_cmd = [$validcon_script_path, $sleep, $tries, $cmd]
 
   # This is more of a safety valve, we add a little extra to compensate for the
   # time it takes to run each psql command.
@@ -86,9 +86,10 @@
   }
 
   $exec_name = "validate postgres connection for ${database_username}@${database_host}:${database_port}/${database_name}"
+  $exec_command = "echo 'Unable to connect to defined database using: ${shell_escape($cmd)}' && false"
 
   exec { $exec_name:
-    command     => "echo 'Unable to connect to defined database using: ${cmd}' && false",
+    command     => $exec_command,
     unless      => $validate_cmd,
     cwd         => $module_workdir,
     environment => $env,

spec/classes/server/config_spec.rb

@@ -41,7 +41,7 @@
 
       it 'has systemctl restart command' do
         is_expected.to contain_exec('restart-systemd').with(
-          command: 'systemctl daemon-reload',
+          command: ['systemctl', 'daemon-reload'],
           refreshonly: true,
           path: '/bin:/usr/bin:/usr/local/bin',
         )

spec/classes/server_spec.rb

@@ -83,7 +83,7 @@ class { 'postgresql::globals':
       is_expected.to contain_postgresql_conn_validator('validate_service_is_running')
     end
     it 'sets postgres password' do
-      is_expected.to contain_exec('set_postgres_postgrespw').with('command' => '/usr/bin/psql -c "ALTER ROLE \"postgres\" PASSWORD ${NEWPASSWD_ESCAPED}"',
+      is_expected.to contain_exec('set_postgres_postgrespw').with('command' => ['/usr/bin/psql -c "ALTER ROLE \"postgres\" PASSWORD ${NEWPASSWD_ESCAPED}"'],
                                                                   'user'        => 'postgres',
                                                                   'environment' => ['PGPASSWORD=new-p@s$word-to-set', 'PGPORT=5432', 'NEWPASSWD_ESCAPED=$$new-p@s$word-to-set$$'],
                                                                   'unless' => "/usr/bin/psql -h localhost -p 5432 -c 'select 1' > /dev/null")

spec/defines/validate_db_connection_spec.rb

@@ -30,7 +30,10 @@
     it { is_expected.to contain_postgresql__validate_db_connection('test') }
 
     it 'has proper path for validate command' do
-      is_expected.to contain_exec('validate postgres connection for test@test:5432/test').with(unless: %r{^/usr/local/bin/validate_postgresql_connection.sh\s+\d+})
+      is_expected.to contain_exec('validate postgres connection for test@test:5432/test').with(unless: ['/usr/local/bin/validate_postgresql_connection.sh',
+                                                                                                        4,
+                                                                                                        30,
+                                                                                                        '/usr/bin/psql --tuples-only --quiet -h test -U test -p 5432 --dbname test'])
     end
   end
 
@@ -55,7 +58,10 @@ class { 'postgresql::client': validcon_script_path => '/opt/something/validate.s
     end
 
     it 'has proper path for validate command and correct cwd' do
-      is_expected.to contain_exec('validate postgres connection for test@test:5432/test').with(unless: %r{^/opt/something/validate.sh\s+\d+},
+      is_expected.to contain_exec('validate postgres connection for test@test:5432/test').with(unless: ['/opt/something/validate.sh',
+                                                                                                        2,
+                                                                                                        10,
+                                                                                                        '/usr/bin/psql --tuples-only --quiet -h test -U test -p 5432 --dbname test'],
                                                                                                cwd: '/var/tmp')
     end
   end