update reference.md, fix enum values, fix condition, add test

voxpupuli · Feb 5, 2024 · 5bf9c83 · 5bf9c83
1 parent 4b10348
commit 5bf9c83
Show file tree

Hide file tree

Showing 4 changed files with 9 additions and 21 deletions.
diff --git a/REFERENCE.md b/REFERENCE.md
@@ -1695,12 +1695,7 @@ Default value: `'icinga'`
 
 ##### <a name="-icinga2--feature--idopgsql--ssl_mode"></a>`ssl_mode`
 
-Data type:
-
-```puppet
-Optional[Enum['disable', 'allow', 'prefer',
-  'verify-full', 'verify-ca', 'require']]
-```
+Data type: `Optional[Enum['verify-full', 'verify-ca']]`
 
 Enable SSL connection mode.
 
@@ -5603,8 +5598,7 @@ with or without TLS information.
       database => String,
       username => String,
       password => Optional[Variant[String, Sensitive[String]]],
-  }] $db, Hash[String, Any] $tls, Optional[Boolean] $use_tls = undef, Optional[Enum['disable', 'allow', 'prefer',
-  'verify-full', 'verify-ca', 'require']] $ssl_mode = undef)`
+  }] $db, Hash[String, Any] $tls, Optional[Boolean] $use_tls = undef, Optional[Enum['verify-full', 'verify-ca']] $ssl_mode = undef)`
 
 The icinga2::db::connect function.
 
@@ -5641,12 +5635,7 @@ Wether or not to use TLS encryption.
 
 ##### `ssl_mode`
 
-Data type:
-
-```puppet
-Optional[Enum['disable', 'allow', 'prefer',
-  'verify-full', 'verify-ca', 'require']]
-```
+Data type: `Optional[Enum['verify-full', 'verify-ca']]`
 
 Enable SSL connection mode.
 

diff --git a/functions/db/connect.pp b/functions/db/connect.pp
@@ -28,14 +28,14 @@ function icinga2::db::connect(
   }]                   $db,
   Hash[String, Any]    $tls,
   Optional[Boolean]    $use_tls = undef,
-  Optional[Enum['disable', 'allow', 'prefer',
-  'verify-full', 'verify-ca', 'require']] $ssl_mode = undef,
+  Optional[Enum['verify-full', 'verify-ca']] $ssl_mode = undef,
 ) >> String {
   if $use_tls {
     case $db['type'] {
       'pgsql': {
+        $real_ssl_mode = if $ssl_mode { $ssl_mode } else { 'verify-full' }
         $tls_options = regsubst(join(any2array(delete_undef_values({
-                  'sslmode='     => if $tls['noverify'] { 'require' } else { $ssl_mode },
+                  'sslmode='     => if $tls['noverify'] { 'require' } else { $real_ssl_mode },
                   'sslcert='     => $tls['cert_file'],
                   'sslkey='      => $tls['key_file'],
                   'sslrootcert=' => $tls['cacert_file'],

diff --git a/manifests/feature/idopgsql.pp b/manifests/feature/idopgsql.pp
@@ -88,8 +88,7 @@
   Optional[Stdlib::Port::Unprivileged]         $port                 = undef,
   String                                       $user                 = 'icinga',
   String                                       $database             = 'icinga',
-  Optional[Enum['disable', 'allow', 'prefer',
-  'verify-full', 'verify-ca', 'require']]      $ssl_mode             = undef,
+  Optional[Enum['verify-full', 'verify-ca']]   $ssl_mode             = undef,
   Optional[Stdlib::Absolutepath]               $ssl_key_path         = undef,
   Optional[Stdlib::Absolutepath]               $ssl_cert_path        = undef,
   Optional[Stdlib::Absolutepath]               $ssl_cacert_path      = undef,

diff --git a/spec/functions/db_connect_spec.rb b/spec/functions/db_connect_spec.rb
@@ -80,8 +80,8 @@
       { 'type' => 'pgsql', 'host' => '192.168.0.1', 'database' => 'foo', 'username' => 'bar', 'password' => 'supersecret' },
       { 'cacert_file' => '/etc/pki/ca-trust/source/anchors/mycacert.crt' },
       true,
-      'ssl_mode' => 'verify-ca',
-    ).and_return('host=db.example.org user=bar dbname=foo sslmode=verify-ca sslrootcert=/etc/pki/ca-trust/source/anchors/mycacert.crt')
+      'verify-ca',
+    ).and_return('host=192.168.0.1 user=bar dbname=foo sslmode=verify-ca sslrootcert=/etc/pki/ca-trust/source/anchors/mycacert.crt')
   end
 
   it 'with PostgreSQL TLS (insecure) on db.example.org and password' do