From ae9d85a8da0a2a79f2d5b45ad80cd5c20f3cf7c8 Mon Sep 17 00:00:00 2001
From: Simon Hoenscheid
Date: Fri, 27 Jan 2023 17:15:14 +0100
Subject: [PATCH] Add multi instance support, refactoring password.pp (5/x)
This commit adds changes a class to add multi instance support to this module. The general idea is to first copy all classes which are used and create defines from them. These classes will use the defines as is. Necessary changes for the instances itself will be added to the classes and defined types at a later point. This ensures, the module will work as it does right now and there are no breaking changes.
---
 manifests/server/instance_passwd.pp | 63 ++++++++++++++++++++++++++
 manifests/server/passwd.pp | 56 ++++-------------------
 spec/defines/server/instance_passwd.rb | 23 ++++++++++
 3 files changed, 94 insertions(+), 48 deletions(-)
 create mode 100644 manifests/server/instance_passwd.pp
 create mode 100644 spec/defines/server/instance_passwd.rb
diff --git a/manifests/server/instance_passwd.pp b/manifests/server/instance_passwd.pp
new file mode 100644
index 0000000000..c3ea8e218a
--- /dev/null
+++ b/manifests/server/instance_passwd.pp
@@ -0,0 +1,63 @@
+# lint:ignore:140chars
+# @param user Overrides the default PostgreSQL super user and owner of PostgreSQL related files in the file system.
+# @param group Overrides the default postgres user group to be used for related files in the file system.
+# Default value: 5432. Meaning the Postgres server listens on TCP port 5432.
+# @param psql_path Specifies the path to the psql command.
+# @param port Specifies the port for the PostgreSQL server to listen on. Note: The same port number is used for all IP addresses the server listens on. Also, for Red Hat systems and early Debian systems, changing the port causes the server to come to a full stop before being able to make the change.
+# @param database Specifies the name of the database to connect with. On most systems this is 'postgres'.
+# @param module_workdir Working directory for the PostgreSQL module
+# @param postgres_password Sets the password for the postgres user to your specified value. By default, this setting uses the superuser account in the Postgres database, with a user called postgres and no password.
+# lint:endignore:140chars
+define postgresql::server::instance_passwd (
+ $user = $postgresql::server::user,
+ $group = $postgresql::server::group,
+ $psql_path = $postgresql::server::psql_path,
+ $port = $postgresql::server::port,
+ $database = $postgresql::server::default_database,
+ $module_workdir = $postgresql::server::module_workdir,
+ $postgres_password = $postgresql::server::postgres_password,
+
+) {
+ $real_postgres_password = if $postgres_password =~ Sensitive {
+ $postgres_password.unwrap
+ } else {
+ $postgres_password
+ }
+
+ # psql will default to connecting as $user if you don't specify name
+ $_datbase_user_same = $database == $user
+ $_dboption = $_datbase_user_same ? {
+ false => " --dbname ${shell_escape($database)}",
+ default => ''
+ }
+
+ if $real_postgres_password {
+ # NOTE: this password-setting logic relies on the pg_hba.conf being
+ # configured to allow the postgres system user to connect via psql
+ # without specifying a password ('ident' or 'trust' security). This is
+ # the default for pg_hba.conf.
+ $escaped = postgresql::postgresql_escape($real_postgres_password)
+ $exec_command = "${shell_escape($psql_path)}${_dboption} -c \"ALTER ROLE \\\"${shell_escape($user)}\\\" PASSWORD \${NEWPASSWD_ESCAPED}\"" # lint:ignore:140chars
+ exec { 'set_postgres_postgrespw':
+ # This command works w/no password because we run it as postgres system
+ # user
+ command => $exec_command,
+ user => $user,
+ group => $group,
+ logoutput => true,
+ cwd => $module_workdir,
+ environment => [
+ "PGPASSWORD=${real_postgres_password}",
+ "PGPORT=${port}",
+ "NEWPASSWD_ESCAPED=${escaped}",
+ ],
+ # With this command we're passing -h to force TCP authentication, which
+ # does require a password. We specify the password via the PGPASSWORD
+ # environment variable. If the password is correct (current), this
+ # command will exit with an exit code of 0, which will prevent the main
+ # command from running.
+ unless => "${psql_path} -h localhost -p ${port} -c 'select 1' > /dev/null",
+ path => '/usr/bin:/usr/local/bin:/bin',
+ }
+ }
+}
diff --git a/manifests/server/passwd.pp b/manifests/server/passwd.pp
index d73a07ded9..3a7879bef4 100644
--- a/manifests/server/passwd.pp
+++ b/manifests/server/passwd.pp
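Review bot: The `unless` guard at the end of the define interpolates `$psql_path` and `$port` into a shell string unescaped, while `command` passes the same path through `shell_escape()`. Both are now caller-supplied parameters of the define, so the guard should be escaped the same way: `unless => "${shell_escape($psql_path)} -h localhost -p ${shell_escape($port)} -c 'select 1' > /dev/null",`. The parameters are also untyped, so nothing in the define constrains `$port` to a number before it reaches the shell and `PGPORT`. Separately, the exec title `'set_postgres_postgrespw'` is fixed, so a second declaration of the define would fail with a duplicate resource; the commit message defers the instance changes, but deriving the title from `$name` would already make that safe.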
@@ -1,52 +1,12 @@
 # @api private
 class postgresql::server::passwd {
- $postgres_password = if $postgresql::server::postgres_password =~ Sensitive {
- $postgresql::server::postgres_password.unwrap
- } else {
- $postgresql::server::postgres_password
- }
-
- $user = $postgresql::server::user
- $group = $postgresql::server::group
- $psql_path = $postgresql::server::psql_path
- $port = $postgresql::server::port
- $database = $postgresql::server::default_database
- $module_workdir = $postgresql::server::module_workdir
-
- # psql will default to connecting as $user if you don't specify name
- $_datbase_user_same = $database == $user
- $_dboption = $_datbase_user_same ? {
- false => " --dbname ${shell_escape($database)}",
- default => ''
- }
-
- if $postgres_password {
- # NOTE: this password-setting logic relies on the pg_hba.conf being
- # configured to allow the postgres system user to connect via psql
- # without specifying a password ('ident' or 'trust' security). This is
- # the default for pg_hba.conf.
- $escaped = postgresql::postgresql_escape($postgres_password)
- $exec_command = "${shell_escape($psql_path)}${_dboption} -c \"ALTER ROLE \\\"${shell_escape($user)}\\\" PASSWORD \${NEWPASSWD_ESCAPED}\""
- exec { 'set_postgres_postgrespw':
- # This command works w/no password because we run it as postgres system
- # user
- command => $exec_command,
- user => $user,
- group => $group,
- logoutput => true,
- cwd => $module_workdir,
- environment => [
- "PGPASSWORD=${postgres_password}",
- "PGPORT=${port}",
- "NEWPASSWD_ESCAPED=${escaped}",
- ],
- # With this command we're passing -h to force TCP authentication, which
- # does require a password. We specify the password via the PGPASSWORD
- # environment variable. If the password is correct (current), this
- # command will exit with an exit code of 0, which will prevent the main
- # command from running.
- unless => "${psql_path} -h localhost -p ${port} -c 'select 1' > /dev/null",
- path => '/usr/bin:/usr/local/bin:/bin',
- }
+ postgresql::server::instance_passwd { 'main':
+ user => $postgresql::server::user,
+ group => $postgresql::server::group,
+ psql_path => $postgresql::server::psql_path,
+ port => $postgresql::server::port,
+ database => $postgresql::server::default_database,
+ module_workdir => $postgresql::server::module_workdir,
+ postgres_password => $postgresql::server::postgres_password,
 }
 }
diff --git a/spec/defines/server/instance_passwd.rb b/spec/defines/server/instance_passwd.rb
new file mode 100644
index 0000000000..4558b627e7
--- /dev/null
+++ b/spec/defines/server/instance_passwd.rb
@@ -0,0 +1,23 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe 'postgresql::server::instance_passwd' do
+ let(:title) { 'main' }
+
+ on_supported_os.each do |os, os_facts|
+ context "on #{os}" do
+ let :facts do
+ os_facts
+ end
+
+ let :pre_condition do
+ "class {'postgresql::server':}"
+ end
+
+ context 'with defaults from passwd class' do
+ it { is_expected.to compile.with_all_deps }
+ end
+ end
+ end
+end
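Review bot: The new spec file is created as `spec/defines/server/instance_passwd.rb`, without the `_spec.rb` suffix, so a runner that uses the usual `*_spec.rb` file pattern will likely never load it, leaving the define untested; renaming it to `instance_passwd_spec.rb` would fix that unless the project overrides the pattern. The single example also leaves `postgres_password` unset, so the `if $real_postgres_password` branch of the define is never compiled. A second context that sets the password, once as a plain string and once wrapped in `Sensitive`, and asserts `is_expected.to contain_exec('set_postgres_postgrespw')` would cover the code path that actually handles the secret.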