allow more mappings per mapname (#786)

feat: Support multiple mappings per map name in pg_ident.conf

- Make entries unique based on map_name + system_username + database_username
  combination, allowing multiple system users to share the same map name
- Fix spacing issues with long map names that previously caused invalid formatting
- Resolve markdown linting errors with non-clickable URLs

Refs:
- https://www.postgresql.org/docs/current/auth-username-maps.html
- #733
---------

Co-authored-by: Dan Webb <[email protected]>

Author: kristofvandam

CHANGELOG.md

@@ -4,7 +4,8 @@ This file is used to list changes made in the last 3 major versions of the postg
 
 ## Unreleased
 
-Standardise files with files in sous-chefs/repo-management
+- Fix where only a single mapname was being set in the `pg_hba.conf` file when multiple were specified
+- Standardise files with files in sous-chefs/repo-management
 
 ## 12.1.0 - *2025-05-17*
 

documentation/postgresql_install.md

@@ -17,30 +17,32 @@
 
 ## Properties
 
-| Name                               | Name? | Type            | Default           | Description                                      | Allowed Values |
-| ---------------------------------- | ----- | --------------- | ----------------- | ------------------------------------------------ | -------------- |
-| `sensitive`                        |       | true, false     | `true`            |                                                  |                |
-| `version`                          |       | String, Integer | `'17'`            | Version to install                               |                |
-| `source`                           |       | String, Symbol  | `:repo`           | Installation source                              | repo, os       |
-| `client_packages`                  |       | String, Array   | platform specific | Client packages to install                       |                |
-| `server_packages`                  |       | String, Array   | platform specific | Server packages to install                       |                |
-| `repo_pgdg`                        |       | true, false     | `true`            | Create pgdg repo                                 |                |
-| `setup_repo_pgdg`                  |       | true, false     | value of previous | Whether or not to manage the pgdg repo           |                |
-| `repo_pgdg_common`                 |       | true, false     | `true`            | Create pgdg-common repo                          |                |
-| `setup_repo_pgdg_common`           |       | true, false     | value of previous | Whether or not to manage the pgdg_common repo    |                |
-| `repo_pgdg_source`                 |       | true, false     | `false`           | Create pgdg-source repo                          |                |
-| `setup_repo_pgdg_source`           |       | true, false     | value of previous | Whether or not to manage the pgdg_source repo    |                |
-| `repo_pgdg_updates_testing`        |       | true, false     | `false`           | Create pgdg-updates-testing repo                 |                |
-| `setup_repo_pgdg_updates_testing`  |       | true, false     | value of previous | Whether or not to manage the pgdg_updates_testing repo |          |
-| `repo_pgdg_source_updates_testing` |       | true, false     | `false`           | Create pgdg-source-updates-testing repo          |                |
-| `setup_repo_pgdg_source_updates_testing` | | true, false     | value of previous | Whether or not to manage the pgdg_source_updates_testing repo |   |
-| `yum_gpg_key_uri`                  |       | String          | platform specific | YUM/DNF GPG key URL                              |                |
-| `apt_repository_uri`               |       | String          | [https://download.postgresql.org/pub/repos/apt/](https://download.postgresql.org/pub/repos/apt/) | apt repository URL  |                |
-| `apt_gpg_key_uri`                  |       | String          | [https://download.postgresql.org/pub/repos/apt/ACCC4CF8.asc](https://download.postgresql.org/pub/repos/apt/ACCC4CF8.asc) | apt GPG key URL |        |
-| `initdb_additional_options`        |       | String          |                   | Additional options to pass to the initdb command |                |
-| `initdb_locale`                    |       | String          |                   | Locale to use for the initdb command             |                |
-| `initdb_encoding`                  |       | String          |                   | Encoding to use for the initdb command           |                |
-| `initdb_user`                      |       | String          | `'postgres'`      | User to run the initdb command as                |                |
+<!-- markdownlint-disable MD034 -->
+| Name                                     | Name? | Type            | Default           | Description                                      | Allowed Values |
+| ---------------------------------------- | ----- | --------------- | ----------------- | ------------------------------------------------ | -------------- |
+| `sensitive`                              |       | true, false     | `true`            |                                                  |                |
+| `version`                                |       | String, Integer | `'17'`            | Version to install                               |                |
+| `source`                                 |       | String, Symbol  | `:repo`           | Installation source                              | repo, os       |
+| `client_packages`                        |       | String, Array   | platform specific | Client packages to install                       |                |
+| `server_packages`                        |       | String, Array   | platform specific | Server packages to install                       |                |
+| `repo_pgdg`                              |       | true, false     | `true`            | Create pgdg repo                                 |                |
+| `setup_repo_pgdg`                        |       | true, false     | value of previous | Whether or not to manage the pgdg repo           |                |
+| `repo_pgdg_common`                       |       | true, false     | `true`            | Create pgdg-common repo                          |                |
+| `setup_repo_pgdg_common`                 |       | true, false     | value of previous | Whether or not to manage the pgdg_common repo    |                |
+| `repo_pgdg_source`                       |       | true, false     | `false`           | Create pgdg-source repo                          |                |
+| `setup_repo_pgdg_source`                 |       | true, false     | value of previous | Whether or not to manage the pgdg_source repo    |                |
+| `repo_pgdg_updates_testing`              |       | true, false     | `false`           | Create pgdg-updates-testing repo                 |                |
+| `setup_repo_pgdg_updates_testing`        |       | true, false     | value of previous | Whether or not to manage the pgdg_updates_testing repo |          |
+| `repo_pgdg_source_updates_testing`       |       | true, false     | `false`           | Create pgdg-source-updates-testing repo          |                |
+| `setup_repo_pgdg_source_updates_testing` |       | true, false     | value of previous | Whether or not to manage the pgdg_source_updates_testing repo |   |
+| `yum_gpg_key_uri`                        |       | String          | platform specific | YUM/DNF GPG key URL                              |                |
+| `apt_repository_uri`                     |       | String          | https://download.postgresql.org/pub/repos/apt/ | apt repository URL  |                |
+| `apt_gpg_key_uri`                        |       | String          | https://download.postgresql.org/pub/repos/apt/ACCC4CF8.asc | apt GPG key URL |        |
+| `initdb_additional_options`              |       | String          |                   | Additional options to pass to the initdb command |                |
+| `initdb_locale`                          |       | String          |                   | Locale to use for the initdb command             |                |
+| `initdb_encoding`                        |       | String          |                   | Encoding to use for the initdb command           |                |
+| `initdb_user`                            |       | String          | `'postgres'`      | User to run the initdb command as                |                |
+<!-- markdownlint-enable MD034 -->
 
 ## Libraries
 

libraries/ident.rb

@@ -79,15 +79,15 @@ def initialize
           def add(entry)
             raise unless entry.is_a?(PgIdentFileEntry)
 
-            return false if entry?(entry.map_name)
+            return false if entry?(entry.map_name, entry.system_username, entry.database_username)
 
             @entries.push(entry)
 
             sort!
           end
 
-          def entry(map_name)
-            entry = @entries.filter { |e| e.map_name.eql?(map_name) }
+          def entry(map_name, system_username, database_username)
+            entry = @entries.filter { |e| e.map_name.eql?(map_name) && e.system_username.eql?(system_username) && e.database_username.eql?(database_username) }
 
             return if nil_or_empty?(entry)
 
@@ -96,8 +96,8 @@ def entry(map_name)
             entry.pop
           end
 
-          def entry?(map_name)
-            !@entries.filter { |e| e.map_name.eql?(map_name) }.empty?
+          def entry?(map_name, system_username, database_username)
+            !@entries.filter { |e| e.map_name.eql?(map_name) && e.system_username.eql?(system_username) && e.database_username.eql?(database_username) }.empty?
           end
 
           def include?(entry)
@@ -120,17 +120,8 @@ def read!(file = 'pg_ident.conf', sort: true)
             sort! if sort
           end
 
-          def remove(entry)
-            raise unless entry.is_a?(PgIdentFileEntry) || entry.is_a?(String)
-
-            remove_name = case entry
-                          when PgIdentFileEntry
-                            entry.map_name
-                          when String
-                            entry
-                          end
-
-            @entries.reject! { |e| e.map_name.eql?(remove_name) }
+          def remove(map_name, system_username, database_username)
+            @entries.reject! { |e| e.map_name.eql?(map_name) && e.system_username.eql?(system_username) && e.database_username.eql?(database_username) }
           end
 
           def sort!
@@ -193,6 +184,7 @@ def to_s
             ENTRY_FIELD_FORMAT.each do |field, ljust_count|
               field = respond_to?(field) ? send(field) : ''
               field_string = field.to_s.ljust(ljust_count)
+              field_string += ' ' unless field_string.include?(' ') || field == :comment
               entry_string.concat(field_string)
             end
 

resources/ident.rb

@@ -52,9 +52,9 @@
 
   ident_file = PostgreSQL::Cookbook::IdentHelpers::PgIdent::PgIdentFile.read(new_resource.config_file)
 
-  current_value_does_not_exist! unless ident_file.entry?(new_resource.map_name)
+  current_value_does_not_exist! unless ident_file.entry?(new_resource.map_name, new_resource.system_username, new_resource.database_username)
 
-  entry = ident_file.entry(new_resource.map_name)
+  entry = ident_file.entry(new_resource.map_name, new_resource.system_username, new_resource.database_username)
   %i(map_name system_username database_username comment).each { |p| send(p, entry.send(p)) }
 end
 
@@ -65,7 +65,7 @@
 action :create do
   converge_if_changed do
     config_resource_init
-    entry = config_resource.variables[:pg_ident].entry(new_resource.map_name)
+    entry = config_resource.variables[:pg_ident].entry(new_resource.map_name, new_resource.system_username, new_resource.database_username)
 
     if nil_or_empty?(entry)
       resource_properties = %i(map_name system_username database_username comment).map { |p| [ p, new_resource.send(p) ] }.to_h.compact
@@ -80,7 +80,7 @@
 action :update do
   converge_if_changed(:system_username, :database_username, :comment) do
     config_resource_init
-    entry = config_resource.variables[:pg_ident].entry(new_resource.map_name)
+    entry = config_resource.variables[:pg_ident].entry(new_resource.map_name, new_resource.system_username, new_resource.database_username)
 
     raise Chef::Exceptions::CurrentValueDoesNotExist, "Cannot update ident entry for '#{new_resource.map_name}' as it does not exist" if nil_or_empty?(entry)
 
@@ -91,7 +91,7 @@
 action :delete do
   config_resource_init
 
-  converge_by("Remove ident entry with map_name: #{new_resource.map_name}") do
-    config_resource.variables[:pg_ident].remove(new_resource.map_name)
-  end if config_resource.variables[:pg_ident].entry?(new_resource.map_name)
+  converge_by("Remove ident entry where map_name: #{new_resource.map_name}, system_username: #{new_resource.system_username}, database_username: #{new_resource.database_username}") do
+    config_resource.variables[:pg_ident].remove(new_resource.map_name, new_resource.system_username, new_resource.database_username)
+  end if config_resource.variables[:pg_ident].entry?(new_resource.map_name, new_resource.system_username, new_resource.database_username)
 end

test/cookbooks/test/recipes/ident.rb

@@ -18,6 +18,7 @@
 end
 
 user 'shef'
+user 'shef2'
 
 postgresql_ident 'postgresl mapping' do
   map_name 'testmap1'
@@ -36,6 +37,14 @@
   notifies :reload, 'postgresql_service[postgresql]', :delayed
 end
 
+postgresql_ident 'shef2 mapping' do
+  map_name 'testmap2'
+  system_username 'shef2'
+  database_username 'sous_chef'
+
+  notifies :reload, 'postgresql_service[postgresql]', :delayed
+end
+
 postgresql_ident 'shef remove mapping' do
   map_name 'testmap3'
   system_username 'shef_remove'
@@ -45,6 +54,14 @@
   action :delete
 end
 
+postgresql_ident 'map with very long name' do
+  map_name 'this_is_a_very_long_map_name_that_should_be_handled_correctly_by_the_postgresql_ident_resource'
+  system_username 'shef'
+  database_username 'sous_chef'
+
+  notifies :reload, 'postgresql_service[postgresql]', :delayed
+end
+
 postgresql_access 'postgresql host superuser' do
   type 'host'
   database 'all'

test/integration/ident/controls/ident_map.rb

@@ -7,6 +7,19 @@
   end
 end
 
+control 'postgresql-ident-multi-map' do
+  impact 1.0
+  desc 'This test ensures postgres configures ident access with multiple mappings correctly'
+
+  describe command("sudo -u shef bash -c \"psql -U sous_chef -d test1 -c 'SELECT 1;'\"") do
+    its('exit_status') { should eq 0 }
+  end
+
+  describe command("sudo -u shef2 bash -c \"psql -U sous_chef -d test1 -c 'SELECT 1;'\"") do
+    its('exit_status') { should eq 0 }
+  end
+end
+
 control 'shef and postgres roles should exist' do
   impact 1.0
   desc 'The shef & postgres database user role should exist'
@@ -18,3 +31,13 @@
     its('output') { should include 'sous_chef' }
   end
 end
+
+control 'postgresql-ident-long-map-name' do
+  impact 1.0
+  desc 'This test ensures postgres configures ident access with long map names correctly'
+
+  describe postgres_ident_conf.where { map_name == 'this_is_a_very_long_map_name_that_should_be_handled_correctly_by_the_postgresql_ident_resource' } do
+    its('system_username') { should cmp 'shef' }
+    its('pg_username') { should cmp 'sous_chef' }
+  end
+end