use the correct value for clientcert in pg_hba.conf for Postgresql 12 and up

jhunt-steds · jhunt-steds · commit 290c3ba4d646 · 2024-02-05T10:05:33.000-06:00
diff --git a/manifests/database/postgresql.pp b/manifests/database/postgresql.pp
@@ -116,7 +116,8 @@
         postgresql_ssl_key_path     => $postgresql_ssl_key_path,
         postgresql_ssl_cert_path    => $postgresql_ssl_cert_path,
         postgresql_ssl_ca_cert_path => $postgresql_ssl_ca_cert_path,
-        create_read_user_rule       => $create_read_user_rule,
+        postgres_version            => $postgres_version,
+        create_read_user_rule       => $create_read_user_rule
       }
     }
 
diff --git a/manifests/database/postgresql_ssl_rules.pp b/manifests/database/postgresql_ssl_rules.pp
@@ -4,18 +4,24 @@
 define puppetdb::database::postgresql_ssl_rules (
   String $database_name,
   String $database_username,
+  String $postgres_version,
   String $puppetdb_server,
 ) {
   $identity_map_key = "${database_name}-${database_username}-map"
 
+  $clientcert_value = Float($postgres_version) >= 12.0 ? {
+    true    => 'verify-full',
+    false   => '1',
+  }
+
   postgresql::server::pg_hba_rule { "Allow certificate mapped connections to ${database_name} as ${database_username} (ipv4)":
     type        => 'hostssl',
     database    => $database_name,
     user        => $database_username,
     address     => '0.0.0.0/0',
     auth_method => 'cert',
     order       => 0,
-    auth_option => "map=${identity_map_key} clientcert=1",
+    auth_option => "map=${identity_map_key} clientcert=${clientcert_value}",
   }
 
   postgresql::server::pg_hba_rule { "Allow certificate mapped connections to ${database_name} as ${database_username} (ipv6)":
@@ -25,7 +31,7 @@
     address     => '::0/0',
     auth_method => 'cert',
     order       => 0,
-    auth_option => "map=${identity_map_key} clientcert=1",
+    auth_option => "map=${identity_map_key} clientcert=${clientcert_value}",
   }
 
   postgresql::server::pg_ident_rule { "Map the SSL certificate of the server as a ${database_username} user":
diff --git a/manifests/database/ssl_configuration.pp b/manifests/database/ssl_configuration.pp
@@ -10,6 +10,7 @@
   $postgresql_ssl_key_path     = $puppetdb::params::postgresql_ssl_key_path,
   $postgresql_ssl_cert_path    = $puppetdb::params::postgresql_ssl_cert_path,
   $postgresql_ssl_ca_cert_path = $puppetdb::params::postgresql_ssl_ca_cert_path,
+  $postgres_version            = $puppetdb::params::postgres_version,
   $create_read_user_rule       = false,
 ) inherits puppetdb::params {
   File {
@@ -56,13 +57,15 @@
   puppetdb::database::postgresql_ssl_rules { "Configure postgresql ssl rules for ${database_username}":
     database_name     => $database_name,
     database_username => $database_username,
+    postgres_version  => $postgres_version,
     puppetdb_server   => $puppetdb_server,
   }
 
   if $create_read_user_rule {
     puppetdb::database::postgresql_ssl_rules { "Configure postgresql ssl rules for ${read_database_username}":
       database_name     => $database_name,
       database_username => $read_database_username,
+      postgres_version  => $postgres_version,
       puppetdb_server   => $puppetdb_server,
     }
   }
diff --git a/spec/unit/classes/database/ssl_configuration_spec.rb b/spec/unit/classes/database/ssl_configuration_spec.rb
@@ -110,5 +110,37 @@
         end
       end
     end
+
+    context 'when the specified Postgresql version is 12 or later' do
+      let(:params) do
+        {
+          database_name: 'puppetdb',
+          database_username: 'puppetdb',
+          postgres_version: '12'
+        }
+      end
+
+      it 'has hba rule for puppetdb user ipv4' do
+        is_expected.to contain_postgresql__server__pg_hba_rule("Allow certificate mapped connections to #{params[:database_name]} as #{params[:database_username]} (ipv4)")
+          .with_type('hostssl')
+          .with_database(params[:database_name])
+          .with_user(params[:database_username])
+          .with_address('0.0.0.0/0')
+          .with_auth_method('cert')
+          .with_order(0)
+          .with_auth_option("map=#{identity_map} clientcert=verify-full")
+      end
+
+      it 'has hba rule for puppetdb user ipv6' do
+        is_expected.to contain_postgresql__server__pg_hba_rule("Allow certificate mapped connections to #{params[:database_name]} as #{params[:database_username]} (ipv6)")
+          .with_type('hostssl')
+          .with_database(params[:database_name])
+          .with_user(params[:database_username])
+          .with_address('::0/0')
+          .with_auth_method('cert')
+          .with_order(0)
+          .with_auth_option("map=#{identity_map} clientcert=verify-full")
+      end
+    end
   end
 end

Original file line number	Diff line number	Diff line change
`@@ -116,7 +116,8 @@`
`116`	`116`	`postgresql_ssl_key_path => $postgresql_ssl_key_path,`
`117`	`117`	`postgresql_ssl_cert_path => $postgresql_ssl_cert_path,`
`118`	`118`	`postgresql_ssl_ca_cert_path => $postgresql_ssl_ca_cert_path,`
`119`		`- create_read_user_rule => $create_read_user_rule,`
	`119`	`+ postgres_version => $postgres_version,`
	`120`	`+ create_read_user_rule => $create_read_user_rule`
`120`	`121`	`}`
`121`	`122`	`}`
`122`	`123`