Backport 57507 postgresql_pg_hba bugfix (#58384)

* Merge authentication options back into a single field to prevent losing options beyond the first (#57507)

* Merge authentication options back into a single field to prevent losing options beyond the first

* Add integration test and changelog

* Fix multiple options for local type connections. Also fix sorting errors between local type connections that lack a src

* Build again because of github problems?

* Add spaces before comments

(cherry picked from commit 5cc6486a2b)
Andrey Klychkov 2019-06-26 18:32:46 +03:00 committed by Toshio Kuratomi
parent 084283233a
commit a6ecc6c243
3 changed files with 40 additions and 14 deletions


@ -0,0 +1,4 @@
bugfixes:
- postgresql_pg_hba - After splitting fields, merge authentication options back into a single field to prevent losing options beyond the first (https://github.com/ansible/ansible/issues/57505)
- postgresql_pg_hba - Fix multiple options for local type connections
- postgresql_pg_hba - Fix sorting errors between local type connections that lack a src


@ -484,20 +484,19 @@ class PgHbaRule(dict):
msg = "Rule {0} has unknown type: {1}." msg = "Rule {0} has unknown type: {1}."
raise PgHbaValueError(msg.format(line, cols[0])) raise PgHbaValueError(msg.format(line, cols[0]))
if cols[0] == 'local': if cols[0] == 'local':
if cols[3] not in PG_HBA_METHODS: cols.insert(3, None) # No address
raise PgHbaValueError("Rule {0} of 'local' type has invalid auth-method {1}" cols.insert(3, None) # No IP-mask
"on 4th column ".format(line, cols[3]))
cols.insert(3, None)
cols.insert(3, None)
else:
if len(cols) < 6: if len(cols) < 6:
cols.insert(4, None) cols.insert(4, None) # No IP-mask
elif cols[5] not in PG_HBA_METHODS: elif cols[5] not in PG_HBA_METHODS:
cols.insert(4, None) cols.insert(4, None) # No IP-mask
if len(cols) < 7:
cols.insert(7, None)
if cols[5] not in PG_HBA_METHODS: if cols[5] not in PG_HBA_METHODS:
raise PgHbaValueError("Rule {0} has no valid method.".format(line)) raise PgHbaValueError("Rule {0} of '{1}' type has invalid auth-method '{2}'".format(line, cols[0], cols[5]))
if len(cols) < 7:
cols.insert(6, None) # No auth-options
else:
cols[6] = " ".join(cols[6:]) # combine all auth-options
rule = dict(zip(PG_HBA_HDR, cols[:7])) rule = dict(zip(PG_HBA_HDR, cols[:7]))
for key, value in rule.items(): for key, value in rule.items():
if value: if value:
@ -580,7 +579,7 @@ class PgHbaRule(dict):
try: try:
return self['src'] < other['src'] return self['src'] < other['src']
except TypeError: except (TypeError, KeyError):
return self.source_type_weight() < other.source_type_weight() return self.source_type_weight() < other.source_type_weight()
errormessage = 'We have two rules ({1}, {2})'.format(self, other) errormessage = 'We have two rules ({1}, {2})'.format(self, other)
@ -631,6 +630,9 @@ class PgHbaRule(dict):
Basically make sure that IPv6Networks are sorted higher than IPv4Networks. Basically make sure that IPv6Networks are sorted higher than IPv4Networks.
This is a 'when all else fails' solution in __lt__. This is a 'when all else fails' solution in __lt__.
""" """
if self['type'] == 'local':
return 3
sourceobj = self.source() sourceobj = self.source()
if isinstance(sourceobj, ipaddress.IPv4Network): if isinstance(sourceobj, ipaddress.IPv4Network):
return 2 return 2
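Review bot: A rule line with too few columns still reaches `cols[5]` and fails with IndexError instead of PgHbaValueError: after the two `cols.insert(3, None)` calls a `local` rule with only three fields has five entries, and a non-local rule with four fields has five after `cols.insert(4, None)`, so the new `if cols[5] not in PG_HBA_METHODS:` check indexes past the end. Put a length guard in front of the method check, e.g. `if len(cols) < 6: raise PgHbaValueError("Rule {0} has too few columns.".format(line))`, so a malformed pg_hba.conf is reported through the module's own error path rather than a traceback; the old code had the same gap, but this rewrite is the place to close it. `" ".join(cols[6:])` also collapses whatever separated the option tokens to single spaces, which is presumably acceptable for key=value options but deserves a comment such as `# re-join auth-options; inner whitespace is normalised to one space` since the earlier split is outside the hunk. Unrelated but visible on the context line below the `__lt__` change, `'We have two rules ({1}, {2})'.format(self, other)` uses positions 1 and 2 of a two-argument format and would itself raise IndexError if reached; `{0}, {1}` looks intended. The parsing method, `__lt__` and `source_type_weight` all start or end outside their hunks.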


@ -58,6 +58,22 @@
register: pg_hba_change register: pg_hba_change
with_items: "{{pg_hba_test_ips}}" with_items: "{{pg_hba_test_ips}}"
- name: Retain options even if they contain spaces
postgresql_pg_hba:
dest: "/tmp/pg_hba.conf"
users: "+some"
order: "sud"
state: "present"
contype: "{{ item.contype }}"
method: "{{ item.method }}"
options: "{{ item.options }}"
address: "{{ item.address }}"
with_items:
- { address: "", contype: "local", method: "ldap", options: "ldapserver=example.com ldapport=389 ldapprefix=\"cn=\"" }
- { address: "red", contype: "hostssl", method: "cert", options: "clientcert=1 map=mymap" }
- { address: "blue", contype: "hostssl", method: "cert", options: "clientcert=1 map=mymap" }
register: pg_hba_options
- name: read pg_hba rules - name: read pg_hba rules
postgresql_pg_hba: postgresql_pg_hba:
dest: /tmp/pg_hba.conf dest: /tmp/pg_hba.conf
@ -128,7 +144,10 @@
that: that:
- 'pg_hba.pg_hba == [ - 'pg_hba.pg_hba == [
{ "db": "all", "method": "md5", "type": "local", "usr": "postgres" }, { "db": "all", "method": "md5", "type": "local", "usr": "postgres" },
{ "db": "all", "method": "ldap", "type": "local", "usr": "+some", "options": "ldapserver=example.com ldapport=389 ldapprefix=\"cn=\"" },
{ "db": "all", "method": "md5", "type": "local", "usr": "all" }, { "db": "all", "method": "md5", "type": "local", "usr": "all" },
{ "db": "all", "method": "cert", "src": "blue", "type": "hostssl", "usr": "+some", "options": "clientcert=1 map=mymap" },
{ "db": "all", "method": "cert", "src": "red", "type": "hostssl", "usr": "+some", "options": "clientcert=1 map=mymap" },
{ "db": "all", "method": "md5", "src": "127.0.0.1/32", "type": "host", "usr": "all" }, { "db": "all", "method": "md5", "src": "127.0.0.1/32", "type": "host", "usr": "all" },
{ "db": "all", "method": "md5", "src": "::1/128", "type": "host", "usr": "all" }, { "db": "all", "method": "md5", "src": "::1/128", "type": "host", "usr": "all" },
{ "db": "all", "method": "scram-sha-256", "src": "0:ff00::/120", "type": "host", "usr": "all" }, { "db": "all", "method": "scram-sha-256", "src": "0:ff00::/120", "type": "host", "usr": "all" },
@ -146,3 +165,4 @@
- 'prebackupstat.stat.checksum == postbackupstat.stat.checksum' - 'prebackupstat.stat.checksum == postbackupstat.stat.checksum'
- 'pg_hba_fail_src_all_with_netmask is failed' - 'pg_hba_fail_src_all_with_netmask is failed'
- 'not netmask_sameas_prefix_check is changed' - 'not netmask_sameas_prefix_check is changed'
- 'pg_hba_options is changed'
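Review bot: The new task only asserts that the first run is `changed` and that the parsed rules carry the full `options` string; nothing checks that a second identical run is idempotent, which is presumably where a dropped option would have surfaced (the module rewriting the rule on every run). Following the pattern already used by `not netmask_sameas_prefix_check is changed`, rerun the same `postgresql_pg_hba` task with the same `with_items` list, register it as e.g. `pg_hba_options_again`, and add `- 'not pg_hba_options_again is changed'` to the assertion list. The `assert` task this last hunk extends starts outside the hunk.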