Add postgresql::db convenience type, improve security

This commit adds a postgresql::db type for convenience;
it mirrors the 'db' type from the mysql module, which
allows you to create a database instance and user plus
grant privileges to that user all in one succint
resource.

This commit also improves security in the following ways:

* Revoke "CONNECT" privilege from the 'public' role for
  newly created databases; without this, any database
  created via this module will allow connections from
  any database user, and will allow them to do things
  like create tables.

* Change to a 'reject'-based policy for dealing with
  remote connections by the postgres user in pg_hba.conf.
  Prior to this commit, if you tried to restrict access
  to the postgres user by IP, the rule would simply not
  match for disallowed IPs; then it would fall through
  to the rule for "all" users, which could still match
  and thus allow the postgres user to connect remotely.

Author: cprice404

manifests/config.pp

@@ -2,18 +2,19 @@
 #
 # Parameters:
 #
-#   [*postgres_password*]       - postgres db user password.
-#   [*ip_mask_postgres_user*]   - ip mask for allowing remote access for postgres user; defaults to '127.0.0.1/32'
-#   [*ip_mask_all_users*]       - ip mask for allowing remote access for other users (besides postgres);
-#                                    defaults to '127.0.0.1/32'
-#   [*listen_addresses*]        - what IP address(es) to listen on; comma-separated list of addresses; defaults to
-#                                    'localhost', '*' = all
-#   [*pg_hba_conf_path*]        - path to pg_hba.conf file
-#   [*postgresql_conf_path*]    - path to postgresql.conf file
-#   [*manage_redhat_firewall*]  - boolean indicating whether or not the module should open a port in the firewall on
-#                                    redhat-based systems; this parameter is likely to change in future versions.  Possible
-#                                    changes include support for non-RedHat systems and finer-grained control over the
-#                                    firewall rule (currently, it simply opens up the postgres port to all TCP connections).
+#   [*postgres_password*]            - postgres db user password.
+#   [*ip_mask_deny_postgres_user*]   - ip mask for denying remote access for postgres user; defaults to '0.0.0.0/0',
+#                                       meaning that all TCP access for postgres user is denied.
+#   [*ip_mask_allow_all_users*]      - ip mask for allowing remote access for other users (besides postgres);
+#                                       defaults to '127.0.0.1/32', meaning only allow connections from localhost
+#   [*listen_addresses*]             - what IP address(es) to listen on; comma-separated list of addresses; defaults to
+#                                       'localhost', '*' = all
+#   [*pg_hba_conf_path*]             - path to pg_hba.conf file
+#   [*postgresql_conf_path*]         - path to postgresql.conf file
+#   [*manage_redhat_firewall*]       - boolean indicating whether or not the module should open a port in the firewall on
+#                                       redhat-based systems; this parameter is likely to change in future versions.  Possible
+#                                       changes include support for non-RedHat systems and finer-grained control over the
+#                                       firewall rule (currently, it simply opens up the postgres port to all TCP connections).
 #
 #
 # Actions:
@@ -23,31 +24,31 @@
 # Usage:
 #
 #   class { 'postgresql::config':
-#     postgres_password     => 'postgres',
-#     ip_mask_other_user    => '127.0.0.1/32',
+#     postgres_password         => 'postgres',
+#     ip_mask_allow_all_users   => '0.0.0.0/0',
 #   }
 #
 class postgresql::config(
-  $postgres_password        = undef,
-  $ip_mask_postgres_user    = $postgresql::params::ip_mask_postgres_user,
-  $ip_mask_all_users        = $postgresql::params::ip_mask_all_users,
-  $listen_addresses         = $postgresql::params::listen_addresses,
-  $pg_hba_conf_path         = $postgresql::params::pg_hba_conf_path,
-  $postgresql_conf_path     = $postgresql::params::postgresql_conf_path,
-  $manage_redhat_firewall   = $postgresql::params::manage_redhat_firewall,
+  $postgres_password            = undef,
+  $ip_mask_deny_postgres_user   = $postgresql::params::ip_mask_postgres_user,
+  $ip_mask_allow_all_users      = $postgresql::params::ip_mask_all_users,
+  $listen_addresses             = $postgresql::params::listen_addresses,
+  $pg_hba_conf_path             = $postgresql::params::pg_hba_conf_path,
+  $postgresql_conf_path         = $postgresql::params::postgresql_conf_path,
+  $manage_redhat_firewall       = $postgresql::params::manage_redhat_firewall,
 ) inherits postgresql::params {
 
     # Basically, all this class needs to handle is passing parameters on
     #  to the "beforeservice" and "afterservice" classes, and ensure
     #  the proper ordering.
 
     class { "postgresql::config::beforeservice":
-      ip_mask_postgres_user    => $ip_mask_postgres_user,
-      ip_mask_all_users        => $ip_mask_all_users,
-      listen_addresses         => $listen_addresses,
-      pg_hba_conf_path         => $pg_hba_conf_path,
-      postgresql_conf_path     => $postgresql_conf_path,
-      manage_redhat_firewall   => $manage_redhat_firewall,
+      ip_mask_deny_postgres_user    => $ip_mask_deny_postgres_user,
+      ip_mask_allow_all_users       => $ip_mask_allow_all_users,
+      listen_addresses              => $listen_addresses,
+      pg_hba_conf_path              => $pg_hba_conf_path,
+      postgresql_conf_path          => $postgresql_conf_path,
+      manage_redhat_firewall        => $manage_redhat_firewall,
     }
 
     class { "postgresql::config::afterservice":

manifests/config/beforeservice.pp

@@ -2,9 +2,10 @@
 #
 # Parameters:
 #
-#   [*ip_mask_postgres_user*]   - ip mask for allowing remote access for postgres user; defaults to '127.0.0.1/32'
-#   [*ip_mask_all_users*]       - ip mask for allowing remote access for other users (besides postgres);
-#                                    defaults to '127.0.0.1/32'
+#   [*ip_mask_deny_postgres_user*]   - ip mask for denying remote access for postgres user; defaults to '0.0.0.0/0',
+#                                       meaning that all TCP access for postgres user is denied.
+#   [*ip_mask_allow_all_users*]      - ip mask for allowing remote access for other users (besides postgres);
+#                                       defaults to '127.0.0.1/32', meaning only allow connections from localhost
 #   [*listen_addresses*]        - what IP address(es) to listen on; comma-separated list of addresses; defaults to
 #                                    'localhost', '*' = all
 #   [*pg_hba_conf_path*]        - path to pg_hba.conf file
@@ -25,16 +26,16 @@
 #   has been started up.
 #
 #   class { 'postgresql::config::before_service':
-#     ip_mask_other_user    => '127.0.0.1/32',
+#     ip_mask_allow_all_users    => '0.0.0.0/0',
 #   }
 #
 class postgresql::config::beforeservice(
-  $ip_mask_postgres_user    = $postgresql::params::ip_mask_postgres_user,
-  $ip_mask_all_users        = $postgresql::params::ip_mask_all_users,
-  $listen_addresses         = $postgresql::params::listen_addresses,
-  $pg_hba_conf_path         = $postgresql::params::pg_hba_conf_path,
-  $postgresql_conf_path     = $postgresql::params::postgresql_conf_path,
-  $manage_redhat_firewall   = $postgresql::params::manage_redhat_firewall,
+  $ip_mask_deny_postgres_user   = $postgresql::params::ip_mask_deny_postgres_user,
+  $ip_mask_allow_all_users      = $postgresql::params::ip_mask_allow_all_users,
+  $listen_addresses             = $postgresql::params::listen_addresses,
+  $pg_hba_conf_path             = $postgresql::params::pg_hba_conf_path,
+  $postgresql_conf_path         = $postgresql::params::postgresql_conf_path,
+  $manage_redhat_firewall       = $postgresql::params::manage_redhat_firewall,
 ) inherits postgresql::params {
 
   File {

manifests/database.pp

@@ -25,9 +25,21 @@
 {
   require postgresql::params
 
+  $createdb_command = "${postgresql::params::createdb_path} --template=template0 --encoding '$charset' --locale=C '$dbname'"
 
-  exec {"${postgresql::params::createdb_path} --template=template0 --encoding '$charset' --locale=C '$dbname'":
+  exec { $createdb_command :
     unless  => "${postgresql::params::psql_path} --command=\"SELECT datname FROM pg_database WHERE datname=\'$dbname\' \" --pset=tuples_only | grep -q $dbname",
     user    => 'postgres',
   }
+
+  # This will prevent users from connecting to the database unless they've been
+  #  granted privileges.
+  postgresql::psql {"REVOKE CONNECT ON DATABASE $dbname FROM public":
+    db          => 'postgres',
+    user        => 'postgres',
+    unless      => 'SELECT 1 where 1 = 0',
+    refreshonly => true,
+    subscribe   => Exec[$createdb_command],
+  }
+
 }

manifests/database_grant.pp

@@ -38,7 +38,7 @@
 
   # TODO: this is a terrible hack; if they pass "ALL" as the desired privilege,
   #  we need a way to test for it--and has_database_privilege does not recognize
-  #  'ALL' as a valid privelege name.  So we probably need to hard-code a mapping
+  #  'ALL' as a valid privilege name.  So we probably need to hard-code a mapping
   #  between 'ALL' and the list of actual privileges that it entails, and loop
   #  over them to check them.  That sort of thing will probably need to wait until
   #  we port this over to ruby, so, for now, we're just going to assume that if

manifests/database_user.pp

@@ -16,15 +16,36 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
+# Define: mysql::db
+#
+# This type creates a postgres database user.
+#
+# Parameters:
+#   [*user*]             - username to create.
+#   [*password_hash*]    - user's password; this may be clear text, or an md5 hash as returned by the
+#                           "postgresql_password" function in this module.
+#
+# Actions:
+#
+# Requires:
+#
+#
+# Sample Usage:
+#
+#  postgresql::database_user { 'frank':
+#    password_hash => postgresql_passowrd('password'),
+#  }
+#
+
 define postgresql::database_user(
-    $username=$title,
+    $user=$title,
     $password_hash,
     $db = 'postgres',
     $createdb=false,
     $superuser=false,
     $createrole=false
 ) {
-  postgresql::role {$username:
+  postgresql::role {$user:
     db              => $db,
     password_hash   => $password_hash,
     login           => true,

manifests/db.pp

@@ -0,0 +1,65 @@
+# Define: postgresql::db
+#
+# This module creates database instances, a user, and grants that user
+# privileges to the database.
+#
+# Since it requires class postgresql::server, we assume to run all commands as the
+# postgresql user against the local postgresql server.
+#
+# TODO: support an array of privileges for "grant"; currently only supports a single
+#  privilege, which is pretty useless unless that privilege is "ALL"
+#
+# Parameters:
+#   [*title*]       - postgresql database name.
+#   [*user*]        - username to create and grant access.
+#   [*password*]    - user's password.  may be md5-encoded, in the format returned by the "postgresql_password"
+#                            function in this module
+#   [*charset*]     - database charset.
+#   [*grant*]       - privilege to grant user.
+#
+# Actions:
+#
+# Requires:
+#
+#   class postgresql::server
+#
+# Sample Usage:
+#
+#  postgresql::db { 'mydb':
+#    user     => 'my_user',
+#    password => 'password',
+#    grant    => 'all'
+#  }
+#
+define postgresql::db (
+  $user,
+  $password,
+  $charset     = 'utf8',
+  $grant       = 'ALL'
+) {
+
+  postgresql::database { $name:
+    # TODO: ensure is not yet supported
+    #ensure     => present,
+    charset     => $charset,
+    #provider   => 'postgresql',
+    require     => Class['postgresql::server'],
+  }
+
+  postgresql::database_user { "${user}":
+    # TODO: ensure is not yet supported
+    #ensure         => present,
+    password_hash   => $password,
+    #provider       => 'postgresql',
+    require         => Postgresql::Database[$name],
+  }
+
+  postgresql::database_grant { "GRANT ${user} - ${grant} - ${name}":
+    privilege       => $grant,
+    db              => $name,
+    role            => $user,
+    #provider       => 'postgresql',
+    require         => Postgresql::Database_user["${user}"],
+  }
+
+}

manifests/params.pp

@@ -11,13 +11,13 @@
 # Sample Usage:
 #
 class postgresql::params {
-  $user                     = 'postgres'
-  $group                    = 'postgres'
-  $ip_mask_postgres_user    = '127.0.0.1/32'
-  $ip_mask_all_users        = '127.0.0.1/32'
-  $listen_addresses         = 'localhost'
+  $user                         = 'postgres'
+  $group                        = 'postgres'
+  $ip_mask_deny_postgres_user   = '0.0.0.0/0'
+  $ip_mask_allow_all_users      = '127.0.0.1/32'
+  $listen_addresses             = 'localhost'
   # TODO: figure out a way to make this not platform-specific
-  $manage_redhat_firewall   = false
+  $manage_redhat_firewall       = false
 
   case $::operatingsystem {
     "Ubuntu": {

manifests/psql.pp

@@ -16,7 +16,13 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-define postgresql::psql($command = $title, $unless, $db, $user = 'postgres') {
+define postgresql::psql(
+    $command = $title,
+    $unless,
+    $db,
+    $user = 'postgres',
+    $refreshonly = false
+) {
 
   require postgresql::params
 
@@ -33,6 +39,7 @@
     user        => $user,
     returns     => 1,
     unless      => "/bin/echo \"$quoted_$unless\" | $psql | egrep -v -q '^$'",
+    refreshonly => $refreshonly,
   }
 }
 

templates/pg_hba.conf.erb

@@ -81,8 +81,8 @@ local   all         postgres                          ident
 # "local" is for Unix domain socket connections only
 local   all         all                               ident
 # IPv4 local connections:
-host    all         postgres    <%= @ip_mask_postgres_user + "\t" %>      md5
-host    all         all         <%= @ip_mask_all_users + "\t" %>      md5
+host    all         postgres    <%= @ip_mask_deny_postgres_user + "\t" %>      reject
+host    all         all         <%= @ip_mask_allow_all_users + "\t" %>      md5
 # IPv6 local connections:
 host    all         all         ::1/128               md5
 

tests/postgresql_database.pp

@@ -1,7 +1,7 @@
 class { 'postgresql::server':
     config_hash => {
-        'ip_mask_postgres_user' => '0.0.0.0/0',
-        'ip_mask_all_users' => '0.0.0.0/0',
+        'ip_mask_deny_postgres_user' => '0.0.0.0/32',
+        'ip_mask_allow_all_users' => '0.0.0.0/0',
         'listen_addresses' => '*',
         'manage_redhat_firewall' => true,
         'postgres_password' => 'postgres',

tests/postgresql_db.pp

@@ -0,0 +1,30 @@
+class { 'postgresql::server':
+  config_hash => {
+      'ip_mask_allow_all_users' => '0.0.0.0/0',
+      'listen_addresses' => '*',
+      'manage_redhat_firewall' => true,
+
+      #'ip_mask_deny_postgres_user' => '0.0.0.0/32',
+      #'postgres_password' => 'puppet',
+  },
+}
+
+postgresql::db{ 'test1':
+  user          => 'test1',
+  password      => 'test1',
+  grant         => 'all',
+}
+
+postgresql::db{ 'test2':
+  user          => 'test2',
+  password      => postgresql_password('test2', 'test2'),
+  grant         => 'all',
+}
+
+postgresql::db{ 'test3':
+  user          => 'test3',
+  # The password here is a copy/paste of the output of the 'postgresql_password'
+  #  function from this module, with a u/p of 'test3', 'test3'.
+  password      => 'md5e12234d4575a12bfd61d61294f32b086',
+  grant         => 'all',
+}

tests/postgresql_user.pp

@@ -1,7 +1,7 @@
 class { 'postgresql::server':
     config_hash => {
-        'ip_mask_postgres_user' => '0.0.0.0/0',
-        'ip_mask_all_users' => '0.0.0.0/0',
+        'ip_mask_deny_postgres_user' => '0.0.0.0/32',
+        'ip_mask_allow_all_users' => '0.0.0.0/0',
         'listen_addresses' => '*',
         'manage_redhat_firewall' => true,
         'postgres_password' => 'postgres',

tests/server.pp

@@ -1,7 +1,7 @@
 class { 'postgresql::server':
     config_hash => {
-        'ip_mask_postgres_user' => '0.0.0.0/0',
-        'ip_mask_all_users' => '0.0.0.0/0',
+        'ip_mask_deny_postgres_user' => '0.0.0.0/32',
+        'ip_mask_allow_all_users' => '0.0.0.0/0',
         'listen_addresses' => '*',
         'manage_redhat_firewall' => true,
         'postgres_password' => 'postgres',