From 60cc787b16da6a8e42bd1cdb3b2d2a3668f3258e Mon Sep 17 00:00:00 2001 From: Gilles Dartiguelongue Date: Tue, 16 Jan 2018 19:17:44 +0100 Subject: [PATCH] Add support for configure pg_ident.conf --- postgres/defaults.yaml | 3 ++ postgres/server/init.sls | 28 ++++++++++++++++ postgres/templates/pg_ident.conf.j2 | 51 +++++++++++++++++++++++++++++ 3 files changed, 82 insertions(+) create mode 100644 postgres/templates/pg_ident.conf.j2 diff --git a/postgres/defaults.yaml b/postgres/defaults.yaml index 4a21fa9..4d575cc 100644 --- a/postgres/defaults.yaml +++ b/postgres/defaults.yaml @@ -47,6 +47,9 @@ postgres: # IPv6 local connections: - ['host', 'all', 'all', '::1/128', 'md5'] + pg_ident.conf: salt://postgres/templates/pg_ident.conf.j2 + identity_map: [] + config_backup: '.bak' service: postgresql diff --git a/postgres/server/init.sls b/postgres/server/init.sls index 3c26f36..6e2b23b 100644 --- a/postgres/server/init.sls +++ b/postgres/server/init.sls 
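Review bot: `identity_map: []` is introduced without saying what an entry looks like, while the template that consumes it (`pg_ident.conf.j2`, added in this same commit) positions three fields per entry, so the shape belongs next to the default, e.g. `# identity_map: one [MAPNAME, SYSTEM-USERNAME, PG-USERNAME] row per pg_ident.conf record`. The same comment should say that MAPNAME only takes effect when a pg_hba.conf entry above references it, since a row here is an authorisation grant and a stray map name silently grants nothing (or, if mistyped to match an existing map, more than intended). `config_backup: '.bak'` also deserves a one-liner noting that a copy of the previous file is left beside the managed one and that an empty value disables the backup, so operators are not surprised by the extra file in the config directory.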
@@ -129,6 +129,33 @@ postgresql-pg_hba: - require: - file: postgresql-config-dir +{%- set pg_ident_path = salt['file.join'](postgres.conf_dir, 'pg_ident.conf') %} + +postgresql-pg_ident: + file.managed: + - name: {{ pg_ident_path }} + - user: {{ postgres.user }} + - group: {{ postgres.group }} + - mode: 600 +{%- if postgres.identity_map %} + - source: {{ postgres['pg_ident.conf'] }} + - template: jinja + - defaults: + mappings: {{ postgres.identity_map }} + {%- if postgres.config_backup %} + # Create the empty file before managing to overcome the limitation of check_cmd + - onlyif: test -f {{ pg_ident_path }} || touch {{ pg_ident_path }} + # Make a local backup before the file modification + - check_cmd: >- + salt-call --local file.copy + {{ pg_ident_path }} {{ pg_ident_path ~ postgres.config_backup }} remove_existing=true + {%- endif %} +{%- else %} + - replace: False +{%- endif %} + - require: + - file: postgresql-config-dir + {%- for name, tblspace in postgres.tablespaces|dictsort() %} postgresql-tablespace-dir-{{ name }}: @@ -158,5 +185,6 @@ postgresql-running: {% endif %} - watch: - file: postgresql-pg_hba + - file: postgresql-pg_ident {%- endif %} diff --git a/postgres/templates/pg_ident.conf.j2 b/postgres/templates/pg_ident.conf.j2 new file mode 100644 index 0000000..1d4696b --- /dev/null +++ b/postgres/templates/pg_ident.conf.j2 
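Review bot: The `{%- else %}` branch (`- replace: False`) means that removing the last entry from `identity_map` leaves whatever mappings were previously rendered into pg_ident.conf in force, so an operator cannot revoke an identity mapping through pillar once the list becomes empty — the file is only re-rendered while the list is non-empty. If never clobbering a hand-maintained pg_ident.conf is the intent, say so in a comment on the `{%- if postgres.identity_map %}` line; otherwise key the branch on the template setting, e.g. `{%- if postgres['pg_ident.conf'] %}`, so the template (which yields a comment-only file for an empty list) always governs the file and `pg_ident.conf: False` becomes the explicit opt-out. Separately, the `onlyif: test -f … || touch …` shell creates the file with the caller's umask before `mode: 600` is enforced, leaving a short window with default permissions; `install -m 600 /dev/null {{ pg_ident_path }}` closes it at no cost. Salt also appends the path of a temporary file holding the new contents to `check_cmd`, which here lands as an extra positional argument to `file.copy`; it looks harmless, but a comment saying so would spare the next reader the worry. The `postgresql-pg_hba` state this mirrors starts before the hunk.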
@@ -0,0 +1,51 @@
+######################################################################
+# ATTENTION! Managed by SaltStack. #
+# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN! #
+######################################################################
+#
+# PostgreSQL User Name Maps
+# =========================
+#
+# Refer to the PostgreSQL documentation, chapter "Client
+# Authentication" for a complete description. A short synopsis
+# follows.
+#
+# This file controls PostgreSQL user name mapping. It maps external
+# user names to their corresponding PostgreSQL user names. Records
+# are of the form:
+#
+# MAPNAME SYSTEM-USERNAME PG-USERNAME
+#
+# (The uppercase quantities must be replaced by actual values.)
+#
+# MAPNAME is the (otherwise freely chosen) map name that was used in
+# pg_hba.conf. SYSTEM-USERNAME is the detected user name of the
+# client. PG-USERNAME is the requested PostgreSQL user name. The
+# existence of a record specifies that SYSTEM-USERNAME may connect as
+# PG-USERNAME.
+#
+# If SYSTEM-USERNAME starts with a slash (/), it will be treated as a
+# regular expression. Optionally this can contain a capture (a
+# parenthesized subexpression). The substring matching the capture
+# will be substituted for \1 (backslash-one) if present in
+# PG-USERNAME.
+#
+# Multiple maps may be specified in this file and used by pg_hba.conf.
+#
+# No map names are defined in the default configuration. If all
+# system user names and PostgreSQL user names are the same, you don't
+# need anything in this file.
+#
+# This file is read on server startup and when the postmaster receives
+# a SIGHUP signal. If you edit the file on a running system, you have
+# to SIGHUP the postmaster for the changes to take effect. You can
+# use "pg_ctl reload" to do that.
+
+# Put your actual configuration here
+# ----------------------------------
+
+# MAPNAME SYSTEM-USERNAME PG-USERNAME
+
+{%- for mapping in mappings %}
+{{ '{0:<15} {1:<22} {2}'.format(mapping) -}}
+{% endfor %}
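Review bot: `'{0:<15} {1:<22} {2}'.format(mapping)` on the last template line hands the whole entry to `str.format` as one positional argument, so as I read it `{1}` raises `IndexError` as soon as `identity_map` has an entry — which is the only case in which `init.sls` renders this template at all — and the state fails instead of writing pg_ident.conf. Unpack the row: `{{ '{0:<15} {1:<22} {2}'.format(*mapping) -}}` (Jinja2 accepts `*args` in calls); a row with fewer than three fields will still error out, which is the right outcome for an authentication map. Note also that each field is emitted verbatim, so a SYSTEM-USERNAME or PG-USERNAME containing whitespace or a newline produces a different record than the pillar author intended; a comment above the loop stating that entries are taken from trusted pillar and are not escaped would make that assumption explicit.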