New postgres_hba_conf resource #1964
Conversation
Signed-off-by: Rony Xavier <[email protected]>
Signed-off-by: Rony Xavier <[email protected]>
… into al/pg_hba_conf
… into al/pg_hba_conf
… into al/pg_hba_conf
… into al/pg_hba_conf
Signed-off-by: Aaron Lippold <[email protected]>
Signed-off-by: Aaron Lippold <[email protected]>
added test and doc files Signed-off-by: Rony Xavier <[email protected]>
updated test files and docs Signed-off-by: Rony Xavier <[email protected]>
Signed-off-by: Rony Xavier <[email protected]>
aaronlippold
force-pushed
the
al/pg_hba_conf
branch
5 times, most recently
from
23b4288 to
8179e8c
Compare
|
@arlimus @chris-rock Appveyor seems to be running tests on windows targets even though I have a |
aaronlippold
force-pushed
the
al/pg_hba_conf
branch
5 times, most recently
from
bc6753f to
bdbb378
Compare
|
See #1965 for an example of the issue we were having |
There was a problem hiding this comment.
@aaronlippold thanks for this PR as well.
A lot of my feedback in #1963 applies to this resource so I'd like to ask you to apply the same feedback to this PR before I do a full review. Thank you!
lib/resources/pg_hba_conf.rb
Outdated
|
|
||
| # @todo add checks to ensure that we have data in our file | ||
| def initialize(hba_conf_path = nil) | ||
| if inspec.os.linux? |
There was a problem hiding this comment.
This is better written as:
return skip_resource "blah blah" unless inspec.os.linux?
# rest of method hereThis will avoid unnecessary indenting.
There was a problem hiding this comment.
Thank you Adam. I have made all the corrections to both the postgres PRs.
Please review them when you get a chance.
Thank you again.
There was a problem hiding this comment.
Hi @rx294 I haven't seen an update to this PR but you mentioned you made corrections to both. Just wanted you to be aware in case you forgot to push up your changes. Thanks! I also left another change request on #1963 to help clean that up to get it ready. You'll likely have to make a similar change to this one in order to mock/stub the calls to the postgres resource.
There was a problem hiding this comment.
Hey @adamleff , I am sorry about that, this push contains all the corrections and the test code fix.
Please take a look when you get chance.
Thank you
lib/resources/pg_hba_conf.rb
Outdated
| # @todo add checks to ensure that we have data in our file | ||
| def initialize(hba_conf_path = nil) | ||
| if inspec.os.linux? | ||
| @conf_dir = inspec.postgres.conf_dir |
There was a problem hiding this comment.
Why do we need this as an instance variable, and why expose it to the user via attr_reader?
There was a problem hiding this comment.
I guess we don't have to. Just habit really
www/Gemfile.lock
Outdated
| @@ -1,7 +1,7 @@ | |||
| PATH | |||
There was a problem hiding this comment.
Your change should not include any www-related changes, please. Please revert this file in your next commit.
There was a problem hiding this comment.
how do we do that?
lib/inspec/resource.rb
Outdated
| @@ -122,6 +122,7 @@ def self.validate_resource_dsl_version!(version) | |||
| require 'resources/packages' | |||
| require 'resources/parse_config' | |||
| require 'resources/passwd' | |||
| require 'resources/pg_hba_conf' | |||
There was a problem hiding this comment.
Just like I mentioned in #1963, I'd like to suggest this resource be named postgres_hba_conf to keep all PostgreSQL-related resourced prefixed the same. While I know the file is named pg_hba.conf in practice, it's more important for the InSpec UX to be consistent.
There was a problem hiding this comment.
Ok. I agree that works.
rx294
force-pushed
the
al/pg_hba_conf
branch
2 times, most recently
from
8d1d78d to
0089b70
Compare
aaronlippold
force-pushed
the
al/pg_hba_conf
branch
from
0089b70 to
bdbb378
Compare
rx294
force-pushed
the
al/pg_hba_conf
branch
3 times, most recently
from
656de4d to
8a5f227
Compare
Signed-off-by: Rony Xavier <[email protected]>
Signed-off-by: Rony Xavier <[email protected]>
Signed-off-by: Rony Xavier <[email protected]>
rx294
force-pushed
the
al/pg_hba_conf
branch
2 times, most recently
from
f9766d0 to
977d471
Compare
Signed-off-by: Rony Xavier <[email protected]>
'cmp' matcher instead of 'eq' Signed-off-by: Rony Xavier <[email protected]>
adamleff
changed the title
pg_hba_conf resource.
There was a problem hiding this comment.
@rx294 @aaronlippold this is a great addition. I added some comments. Once resolved, we're ready for merge.
|
|
||
| An `postgres_hba_conf` InSpec audit resource block declares client authentication data that should be tested: | ||
|
|
||
| describe postgres_hba_conf.where { pg_username == 'filter_value' } do |
There was a problem hiding this comment.
Should we use pg_username here? Shouldn't we use the more generic version here as you use in code?
describe postgres_hba_conf.where { type == 'local' } do
its('auth_method') { should eq ['peer'] }
end
lib/resources/postgres_hba_conf.rb
Outdated
| if raw_conf.empty? && !file.empty? | ||
| return skip_resource("Can't read the contents of \"#{@conf_file}\"") | ||
| end | ||
| @content = clean_conf_file(@conf_file) |
There was a problem hiding this comment.
Was there a specific reason why we haven't used simpleconfig https://github.com/chef/inspec/blob/master/lib/utils/simpleconfig.rb here?
There was a problem hiding this comment.
This is not a blocker for merge, but I would like us to re-use as much as possible.
lib/resources/postgres_hba_conf.rb
Outdated
| @@ -0,0 +1,95 @@ | |||
| # encoding: utf-8 | |||
| # copyright: 2017 | |||
There was a problem hiding this comment.
Lets remove the copyright header here, since everything is Apache licensed
…ater. Signed-off-by: Aaron Lippold <[email protected]>
This is a resource for parsing and processing the pg_ident.conf file for a postgres database.