pg_hba_rule: Validate userinput in postgresql::server

bastelfreak · bastelfreak · commit 82936665fd50 · 2022-10-18T09:33:21.000+02:00
diff --git a/manifests/server.pp b/manifests/server.pp
@@ -152,9 +152,9 @@
   $password_encryption                             = $postgresql::params::password_encryption,
   $extra_systemd_config                            = $postgresql::params::extra_systemd_config,
 
-  Hash[String, Hash] $roles         = {},
-  Hash[String, Any] $config_entries = {},
-  Hash[String, Hash] $pg_hba_rules  = {},
+  Hash[String, Hash] $roles              = {},
+  Hash[String, Any] $config_entries      = {},
+  Postgresql::Pg_hba_rules $pg_hba_rules = {},
 
   Boolean $backup_enable = $postgresql::params::backup_enable,
   Hash $backup_options = {},
@@ -204,7 +204,7 @@
     }
   }
 
-  $pg_hba_rules.each |$rule_name, $rule| {
+  $pg_hba_rules.each |String[1] $rule_name, Postgresql::Pg_hba_rule $rule| {
     postgresql::server::pg_hba_rule { $rule_name:
       * => $rule,
     }
diff --git a/spec/type_aliases/pg_hba_rule_spec.rb b/spec/type_aliases/pg_hba_rule_spec.rb
@@ -0,0 +1,46 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe 'Postgresql::Pg_hba_rule' do
+  context 'base valid required data' do
+    let :data do
+      {
+        description: 'pc',
+        type: 'host',
+        database: 'all',
+        user: 'all',
+        address: '127.0.0.1/32',
+        auth_method: 'md5',
+        target: '/foo.conf',
+        postgresql_version: '14',
+        order: 3
+      }
+    end
+
+    it { is_expected.to allow_value(data) }
+  end
+  context 'invalid data' do
+    let :data do
+      {
+        description: 'pc',
+        type: 'host',
+        database: 'all',
+        user: 'all',
+        address: '/32',
+        auth_method: 'md5',
+        target: '/foo.conf',
+        postgres_version: '14'
+      }
+    end
+
+    it { is_expected.not_to allow_value(data) }
+  end
+  context 'empty data' do
+    let :data do
+      {}
+    end
+
+    it { is_expected.not_to allow_value(data) }
+  end
+end
diff --git a/spec/type_aliases/pg_hba_rules_spec.rb b/spec/type_aliases/pg_hba_rules_spec.rb
@@ -0,0 +1,66 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe 'Postgresql::Pg_hba_rules' do
+  context 'base valid required data' do
+    let :data do
+      {
+        foo: {
+          description: 'pc',
+          type: 'host',
+          database: 'all',
+          user: 'all',
+          address: '127.0.0.1/32',
+          auth_method: 'md5',
+          target: '/foo.conf',
+          postgresql_version: '14',
+          order: 1,
+        },
+        foo2: {
+          description: 'pc',
+          type: 'host',
+          database: 'all',
+          user: 'all',
+          address: '127.0.0.1/32',
+          auth_method: 'md5',
+          target: '/foo.conf',
+          postgresql_version: '14',
+          order: 2
+        }
+      }
+    end
+
+    it { is_expected.to allow_value(data) }
+  end
+  context 'empty' do
+    let :data do
+      {}
+    end
+
+    it { is_expected.to allow_value(data) }
+  end
+  context 'invalid data' do
+    let :data do
+      {
+        description: 'pc',
+        type: 'host',
+        database: 'all',
+        user: 'all',
+        address: '/32',
+        auth_method: 'md5'
+      }
+    end
+
+    it { is_expected.not_to allow_value(data) }
+  end
+  context 'empty value' do
+    let :data do
+      {
+        foo: {}
+      }
+    end
+
+    it { is_expected.not_to allow_value(data) }
+  end
+end
diff --git a/types/pg_hba_rule.pp b/types/pg_hba_rule.pp
@@ -0,0 +1,14 @@
+# @summary type for all parameters in the postgresql::server::hba_rule defined resource
+# @see https://github.com/puppetlabs/puppetlabs-postgresql/blob/main/manifests/server/pg_hba_rule.pp
+type Postgresql::Pg_hba_rule = Struct[{
+    Optional[description]        => String,
+    type                         => Postgresql::Pg_hba_rule_type,
+    database                     => String,
+    user                         => String,
+    Optional[address]            => Optional[Postgresql::Pg_hba_rule_address],
+    auth_method                  => String,
+    Optional[auth_option]        => Optional[String],
+    Optional[order]              => Variant[String,Integer],
+    Optional[target]             => Stdlib::Absolutepath,
+    Optional[postgresql_version] => String,
+}]
diff --git a/types/pg_hba_rules.pp b/types/pg_hba_rules.pp
@@ -0,0 +1,3 @@
+# @summary validates a hash of entries for postgresql::server::pg_hab_conf
+# @see https://github.com/puppetlabs/puppetlabs-postgresql/blob/main/manifests/server/pg_hba_rule.pp
+type Postgresql::Pg_hba_rules = Hash[String[1], Postgresql::Pg_hba_rule]

Original file line number	Diff line number	Diff line change
`@@ -152,9 +152,9 @@`
`152`	`152`	`$password_encryption = $postgresql::params::password_encryption,`
`153`	`153`	`$extra_systemd_config = $postgresql::params::extra_systemd_config,`
`154`	`154`
`155`		`- Hash[String, Hash] $roles = {},`
`156`		`- Hash[String, Any] $config_entries = {},`
`157`		`- Hash[String, Hash] $pg_hba_rules = {},`
	`155`	`+ Hash[String, Hash] $roles = {},`
	`156`	`+ Hash[String, Any] $config_entries = {},`
	`157`	`+ Postgresql::Pg_hba_rules $pg_hba_rules = {},`
`158`	`158`
`159`	`159`	`Boolean $backup_enable = $postgresql::params::backup_enable,`
`160`	`160`	`Hash $backup_options = {},`
`@@ -204,7 +204,7 @@`
`204`	`204`	`}`
`205`	`205`	`}`
`206`	`206`
`207`		`- $pg_hba_rules.each \|$rule_name, $rule\| {`
	`207`	`+ $pg_hba_rules.each \|String[1] $rule_name, Postgresql::Pg_hba_rule $rule\| {`
`208`	`208`	`postgresql::server::pg_hba_rule { $rule_name:`
`209`	`209`	`* => $rule,`
`210`	`210`	`}`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+# @summary validates a hash of entries for postgresql::server::pg_hab_conf`
	`2`	`+# @see https://github.com/puppetlabs/puppetlabs-postgresql/blob/main/manifests/server/pg_hba_rule.pp`
	`3`	`+type Postgresql::Pg_hba_rules = Hash[String[1], Postgresql::Pg_hba_rule]`