Merge pull request #228 from kbarber/ticket/master/pdb-2571-fix-perms-of-config-files

(PDB-2571) Ensure puppetdb.ini file has correct permissions

Author: ajroetker

.gitignore

@@ -1,9 +1,23 @@
+# Final publish location for module build
 pkg/
+
+# VIM files
 *.swp
+
+# Mac files
 .DS_Store
+
+# Generated directory for coverage results
 coverage/
-spec/fixtures/modules/*
+
+# Gem & bundler related files we do not want persisted to the repository
 Gemfile.lock
 .bundle
 vendor/
-.rspec_system/
+
+# Used by rake spec, for temp modules and other test requirements
+spec/fixtures/
+
+# RVM files that are specific to developers implementation
+.ruby-version
+.ruby-gemset

manifests/server.pp

@@ -135,6 +135,14 @@
     }
   }
 
+  class { 'puppetdb::server::global':
+    vardir         => $vardir,
+    confdir        => $confdir,
+    puppetdb_user  => $puppetdb_user,
+    puppetdb_group => $puppetdb_group,
+    notify         => Service[$puppetdb_service],
+  }
+
   class { 'puppetdb::server::command_processing':
     command_threads => $command_threads,
     store_usage     => $store_usage,
@@ -163,6 +171,8 @@
     conn_keep_alive        => $conn_keep_alive,
     conn_lifetime          => $conn_lifetime,
     confdir                => $confdir,
+    puppetdb_user          => $puppetdb_user,
+    puppetdb_group         => $puppetdb_group,
     notify                 => Service[$puppetdb_service],
   }
 
@@ -181,6 +191,8 @@
     conn_keep_alive     => $read_conn_keep_alive,
     conn_lifetime       => $read_conn_lifetime,
     confdir             => $confdir,
+    puppetdb_user       => $puppetdb_user,
+    puppetdb_group      => $puppetdb_group,
     notify              => Service[$puppetdb_service],
   }
 
@@ -193,7 +205,7 @@
 
   if str2bool($ssl_deploy_certs) == true {
     validate_absolute_path($ssl_dir)
-    file{
+    file {
       $ssl_dir:
         ensure  => directory,
         owner   => $puppetdb_user,
@@ -238,12 +250,16 @@
     confdir            => $confdir,
     max_threads        => $max_threads,
     notify             => Service[$puppetdb_service],
+    puppetdb_user      => $puppetdb_user,
+    puppetdb_group     => $puppetdb_group,
   }
 
   class { 'puppetdb::server::puppetdb':
     certificate_whitelist_file => $certificate_whitelist_file,
     certificate_whitelist      => $certificate_whitelist,
     confdir                    => $confdir,
+    puppetdb_user              => $puppetdb_user,
+    puppetdb_group             => $puppetdb_group,
     notify                     => Service[$puppetdb_service],
   }
 

manifests/server/command_processing.pp

@@ -6,12 +6,6 @@
   $confdir         = $puppetdb::params::confdir,
 ) inherits puppetdb::params {
 
-
-  file { "${confdir}/config.ini":
-    ensure => 'present',
-    mode   => '0644',
-  }
-
   # Set the defaults
   Ini_setting {
     path    => "${confdir}/config.ini",

manifests/server/database.pp

@@ -19,6 +19,8 @@
   $conn_keep_alive        = $puppetdb::params::conn_keep_alive,
   $conn_lifetime          = $puppetdb::params::conn_lifetime,
   $confdir                = $puppetdb::params::confdir,
+  $puppetdb_user          = $puppetdb::params::puppetdb_user,
+  $puppetdb_group         = $puppetdb::params::puppetdb_group,
 ) inherits puppetdb::params {
 
   if str2bool($database_validate) {
@@ -40,9 +42,17 @@
     }
   }
 
+  file { "${confdir}/database.ini":
+    ensure => file,
+    owner => $puppetdb_user,
+    group => $puppetdb_group,
+    mode => '0600',
+  }
+
+  $file_require = File["${confdir}/database.ini"]
   $ini_setting_require = str2bool($database_validate) ? {
-    false => undef,
-    default  => Class['puppetdb::server::validate_db'],
+    false => $file_require,
+    default  => [$file_require, Class['puppetdb::server::validate_db']],
   }
   # Set the defaults
   Ini_setting {

manifests/server/global.pp

@@ -1,9 +1,18 @@
 # PRIVATE CLASS - do not use directly
 class puppetdb::server::global (
-  $vardir  = $puppetdb::params::vardir,
-  $confdir = $puppetdb::params::confdir,
+  $vardir         = $puppetdb::params::vardir,
+  $confdir        = $puppetdb::params::confdir,
+  $puppetdb_user  = $puppetdb::params::puppetdb_user,
+  $puppetdb_group = $puppetdb::params::puppetdb_group,
 ) inherits puppetdb::params {
 
+  file { "${confdir}/config.ini":
+    ensure => file,
+    owner => $puppetdb_user,
+    group => $puppetdb_group,
+    mode => '0600',
+  }
+
   # Set the defaults
   Ini_setting {
     path    => "${confdir}/config.ini",

manifests/server/jetty.pp

@@ -13,13 +13,23 @@
   $ssl_protocols      = $puppetdb::params::ssl_protocols,
   $confdir            = $puppetdb::params::confdir,
   $max_threads        = $puppetdb::params::max_threads,
+  $puppetdb_user      = $puppetdb::params::puppetdb_user,
+  $puppetdb_group     = $puppetdb::params::puppetdb_group,
 ) inherits puppetdb::params {
 
+  file { "${confdir}/jetty.ini":
+    ensure => file,
+    owner => $puppetdb_user,
+    group => $puppetdb_group,
+    mode => '0600',
+  }
+
   # Set the defaults
   Ini_setting {
     path    => "${confdir}/jetty.ini",
     ensure  => present,
     section => 'jetty',
+    require => File["${confdir}/puppetdb.ini"],
   }
 
   $cleartext_setting_ensure = $disable_cleartext ? {

manifests/server/puppetdb.pp

@@ -3,13 +3,23 @@
   $certificate_whitelist_file = $puppetdb::params::certificate_whitelist_file,
   $certificate_whitelist      = $puppetdb::params::certificate_whitelist,
   $confdir                    = $puppetdb::params::confdir,
+  $puppetdb_user              = $puppetdb::params::puppetdb_user,
+  $puppetdb_group             = $puppetdb::params::puppetdb_group,
 ) inherits puppetdb::params {
 
+  file { "${confdir}/puppetdb.ini":
+    ensure => file,
+    owner => $puppetdb_user,
+    group => $puppetdb_group,
+    mode => '0600',
+  }
+
   # Set the defaults
   Ini_setting {
     path    => "${confdir}/puppetdb.ini",
     ensure  => present,
     section => 'puppetdb',
+    require => File["${confdir}/puppetdb.ini"],
   }
 
   $certificate_whitelist_setting_ensure = empty($certificate_whitelist) ? {

manifests/server/read_database.pp

@@ -43,12 +43,13 @@
       ensure => file,
       owner  => $puppetdb_user,
       group  => $puppetdb_group,
-      mode   => '0600';
+      mode   => '0600',
     }
 
+    $file_require = File["${confdir}/read_database.ini"]
     $ini_setting_require = str2bool($database_validate) ? {
-      false => undef,
-      default  => Class['puppetdb::server::validate_read_db'],
+      false   => $file_require,
+      default => [$file_require, Class['puppetdb::server::validate_read_db']],
     }
     # Set the defaults
     Ini_setting {
@@ -74,13 +75,13 @@
 
       $subname = "//${database_host}:${database_port}/${database_name}${database_suffix}"
 
-      ini_setting { 'puppetdb_read_psdatabase_username':
+      ini_setting { 'puppetdb_read_database_username':
         setting => 'username',
         value   => $database_username,
       }
 
       if $database_password != undef {
-        ini_setting { 'puppetdb_read_psdatabase_password':
+        ini_setting { 'puppetdb_read_database_password':
           setting => 'password',
           value   => $database_password,
         }

spec/unit/classes/init_spec.rb

@@ -22,6 +22,8 @@
 
     describe 'when using default values for puppetdb class' do
       it { should contain_class('puppetdb') }
+      it { should contain_class('puppetdb::server') }
+      it { should contain_class('puppetdb::database::postgresql') }
     end
   end
 

spec/unit/classes/server/database_ini_spec.rb

@@ -14,6 +14,13 @@
     it { should contain_class('puppetdb::server::database') }
 
     describe 'when using default values' do
+      it { should contain_file('/etc/puppetlabs/puppetdb/conf.d/database.ini').
+        with(
+             'ensure'  => 'file',
+             'owner'   => 'puppetdb',
+             'group'   => 'puppetdb',
+             'mode'    => '0600'
+             )}
       it { should contain_ini_setting('puppetdb_psdatabase_username').
         with(
              'ensure'  => 'present',