From 1ec55e0b960f0a752b458a944e09076283e55715 Mon Sep 17 00:00:00 2001 From: Denys Havrysh Date: Tue, 6 Sep 2016 12:34:17 +0300 Subject: [PATCH] Better ACL handling in the `pg_hba.conf` file --- pillar.example | 31 +++++++++++++++++------ postgres/defaults.yaml | 20 ++++++++++----- postgres/init.sls | 10 +++----- postgres/pg_hba.conf | 31 ----------------------- postgres/templates/pg_hba.conf.j2 | 42 +++++++++++++++++++++++++++++++ 5 files changed, 83 insertions(+), 51 deletions(-) delete mode 100644 postgres/pg_hba.conf create mode 100644 postgres/templates/pg_hba.conf.j2 diff --git a/pillar.example b/pillar.example index 42d71c8..43ffac9 100644 --- a/pillar.example +++ b/pillar.example @@ -4,7 +4,7 @@ postgres: # Version to install from upstream repository version: '9.3' - # This is Debian/Ubuntu specific package names + # These are Debian/Ubuntu specific package names pkg: 'postgresql-9.3' pkg_client: 'postgresql-client-9.3' @@ -13,7 +13,28 @@ postgres: - postgresql-contrib - postgresql-plpython - pg_hba.conf: salt://postgres/pg_hba.conf + # Path to the `pg_hba.conf` file Jinja template on Salt Fileserver + pg_hba.conf: salt://postgres/templates/pg_hba.conf.j2 + + # This section covers ACL management in the `pg_hba.conf` file. + # acls list controls: which hosts are allowed to connect, how clients + # are authenticated, which PostgreSQL user names they can use, which + # databases they can access. Records take one of these forms: + # + #acls: + # - ['local', 'DATABASE', 'USER', 'METHOD'] + # - ['host', 'DATABASE', 'USER', 'ADDRESS', 'METHOD'] + # - ['hostssl', 'DATABASE', 'USER', 'ADDRESS', 'METHOD'] + # - ['hostnossl', 'DATABASE', 'USER', 'ADDRESS', 'METHOD'] + # + # The uppercase items must be replaced by actual values. + # METHOD could be omitted, 'md5' will be appended by default. + acls: + - ['local', 'db1', 'localUser'] + - ['host', 'db2', 'remoteUser', '123.123.0.0/24'] + + # PostgreSQL service name + service: postgresql users: localUser: 
@@ -43,12 +64,6 @@ postgres: inherit: True replication: False - # This section cover this ACL management of the pg_hba.conf file. - # , , , [host], - acls: - - ['local', 'db1', 'localUser'] - - ['host', 'db2', 'remoteUser', '123.123.0.0/24'] - tablespaces: my_space: directory: /srv/my_tablespace diff --git a/postgres/defaults.yaml b/postgres/defaults.yaml index f4f79c6..16cf50b 100644 --- a/postgres/defaults.yaml +++ b/postgres/defaults.yaml @@ -1,21 +1,29 @@ postgres: + use_upstream_repo: False pkg: postgresql pkg_dev: postgresql-devel pkg_libpq_dev: postgresql-libs pkg_client: postgresql-client + pkgs_extra: [] python: python-psycopg2 - service: postgresql + user: postgres + group: postgres conf_dir: /var/lib/pgsql/data - use_upstream_repo: False + pg_hba.conf: salt://postgres/templates/pg_hba.conf.j2 + acls: + # "local" is for Unix domain socket connections only + - ['local', 'all', 'all', 'peer'] + # IPv4 local connections: + - ['host', 'all', 'all', '127.0.0.1/32', 'md5'] + # IPv6 local connections: + - ['host', 'all', 'all', '::1/128', 'md5'] + service: postgresql users: {} - acls: [] databases: {} tablespaces: {} postgresconf_backup: True postgresconf: "" - pg_hba.conf: salt://postgres/pg_hba.conf - user: postgres - group: postgres + # if prepare_cluster is over-ridden in any of: # - osmap.yaml # - oscodenamemap.yaml diff --git a/postgres/init.sls b/postgres/init.sls index 102fe53..accb3a6 100644 --- a/postgres/init.sls +++ b/postgres/init.sls @@ -1,6 +1,6 @@ # -*- mode: yaml -*- -{%- from "postgres/map.jinja" import postgres with context %} +{%- from "postgres/map.jinja" import postgres with context -%} {%- if postgres.use_upstream_repo %} @@ -46,9 +46,7 @@ postgresql-conf: {{ postgres.postgresconf|indent(8) }} - show_changes: True - append_if_not_found: True - {% if not postgres.postgresconf_backup|default(True) -%} - - backup: False - {% endif -%} + - backup: {{ postgres.postgresconf_backup }} - watch_in: - service: postgresql-running - require: 
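Review bot: In the init.sls `postgresql-conf` hunk, `- backup: {{ postgres.postgresconf_backup }}` renders the YAML boolean `True` when backups are enabled (the defaults.yaml hunk sets `postgresconf_backup: True`), whereas the removed lines only ever passed `backup: False` and otherwise left the parameter at its default. If `postgresql-conf` is a `file.replace`/`file.blockreplace` state — its function line is outside the hunk, but `append_if_not_found` suggests it — `backup` is the backup-file extension or `False`, so a `True` value is likely to be interpolated into the backup filename rather than enabling the `.bak` default. Preserving the old behaviour takes one line: `- backup: {{ '.bak' if postgres.postgresconf_backup else False }}`.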
@@ -63,7 +61,7 @@ postgresql-pg_hba: - template: jinja - user: {{ postgres.user }} - group: {{ postgres.group }} - - mode: 644 + - mode: 600 - require: - file: postgresql-config-dir @@ -77,7 +75,7 @@ postgresql-running: postgresql-extra-pkgs-installed: pkg.installed: - - pkgs: {{ postgres.pkgs_extra|default([], True) }} + - pkgs: {{ postgres.pkgs_extra }} {% for name, user in postgres.users.items() %} postgresql-user-{{ name }}: diff --git a/postgres/pg_hba.conf b/postgres/pg_hba.conf deleted file mode 100644 index dac1014..0000000 --- a/postgres/pg_hba.conf +++ /dev/null @@ -1,31 +0,0 @@ -# This section is managed by SaltStack, DO NOT EDIT -# -# SALTSTACK -# TYPE DATABASE USER ADDRESS METHOD -{% if 'acls' in pillar.get('postgres', {}) %} -{% for acl in salt['pillar.get']('postgres:acls') %} -{% if acl[0] == 'local' %} -{{ acl[0] }} {{ acl[1] }} {{ acl[2] }} {{ acl[3] if acl|length > 3 else 'md5' }} -{% else %} -{{ acl[0] }} {{ acl[1] }} {{ acl[2] }} {{ acl[3] }} {{ acl[4] if acl|length > 4 else 'md5' }} -{% endif %} -{% endfor %} -{% endif %} -# /SALTSTACK - -# DO NOT DISABLE! -# If you change this first entry you will need to make sure that the -# database superuser can access the database using some other method. -# Noninteractive access to all databases is required during automatic -# maintenance (custom daily cronjobs, replication, and similar tasks). -# -# Database administrative login by Unix domain socket -local all postgres peer - - -# "local" is for Unix domain socket connections only -local all all peer -# IPv4 local connections: -host all all 127.0.0.1/32 md5 -# IPv6 local connections: -host all all ::1/128 md5 diff --git a/postgres/templates/pg_hba.conf.j2 b/postgres/templates/pg_hba.conf.j2 new file mode 100644 index 0000000..00fbb7f --- /dev/null +++ b/postgres/templates/pg_hba.conf.j2 
@@ -0,0 +1,42 @@
+{%- from "postgres/map.jinja" import postgres with context -%}
+
+######################################################################
+# ATTENTION! Managed by SaltStack. #
+# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN! #
+######################################################################
+#
+# PostgreSQL Client Authentication Configuration File
+# ===================================================
+#
+# Refer to the "Client Authentication" section in the PostgreSQL
+# documentation for a complete description of this file.
+
+# DO NOT DISABLE!
+# If you change this first entry you will need to make sure that the
+# database superuser can access the database using some other method.
+# Noninteractive access to all databases is required during automatic
+# maintenance (custom daily cronjobs, replication, and similar tasks).
+
+# Database administrative login by Unix domain socket
+local all postgres peer
+
+# TYPE DATABASE USER ADDRESS METHOD
+
+{%- for acl in postgres.acls %}
+ {%- if acl|first() == 'local' %}
+
+ {%- if acl|length() == 3 %}
+ {%- do acl.extend(['', 'md5']) %}
+ {%- elif acl|length() == 4 %}
+ {%- do acl.insert(3, '') %}
+ {%- endif %}
+
+ {%- else %}
+
+ {%- if acl|length() == 4 %}
+ {%- do acl.append('md5') %}
+ {%- endif %}
+
+ {%- endif %}
+{{ '{:<8}{:<16}{:<16}{:<24}{}'.format(*acl) -}}
+{% endfor %}
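Review bot: The record line `{{ '{:<8}{:<16}{:<16}{:<24}{}'.format(*acl) -}}` silently discards every element past the fifth, because `str.format` ignores surplus positional arguments, so authentication options written after METHOD (a `map=` or `clientcert=` field, for example) never reach the rendered pg_hba.conf and the record ends up meaning something other than what the pillar author wrote. The length-based padding has the same blind spot for `local` records: a five-element `['local', db, user, 'peer', 'map=x']` gets no ADDRESS column inserted, so `peer` lands in ADDRESS and `map=x` in METHOD. The `do acl.extend`/`acl.insert`/`acl.append` calls additionally mutate the pillar's own lists in place; building a fresh list per record avoids that. Padding by record type rather than by length, and joining everything after ADDRESS into the METHOD column, covers all three points.
```jinja
{%- for acl in postgres.acls %}
  {#- local records carry no ADDRESS column: insert an empty one so every record is TYPE DB USER ADDRESS METHOD [OPTIONS] -#}
  {%- set fields = (acl[:3] + [''] + acl[3:]) if acl|first() == 'local' else acl|list %}
  {%- if fields|length() == 4 %}
    {%- set fields = fields + ['md5'] %}
  {%- endif %}
{{ '{:<8}{:<16}{:<16}{:<24}{}'.format(fields[0], fields[1], fields[2], fields[3], fields[4:]|join(' ')) -}}
{% endfor %}
```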