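# An entry in pg_hba and the corresponding firewall rule if necessary
#
# This currently only supports a limited number of entry types. Only
# what we need at the moment.
#
# See the upstream documentation at https://www.postgresql.org/docs/11/auth-pg-hba-conf.html
# for details.
#
# The emitted pg_hba line is positional: type, database, user, address,
# method. Only `host*` record types carry an address column, so the
# address is required for 'hostssl' and refused for 'local' (a 'local'
# line with an address would make PostgreSQL read the address as the
# method name and reject the file). 'trust' is additionally refused with
# an address, i.e. it is only accepted for 'local' entries. When an
# address is given, a ferm rule on chain "pg-<pg_port>" admits it, so
# this define opens the firewall as well as the authentication rule.
#
# @param pg_port port of the postgres cluster
# @param pg_cluster cluster name
# @param pg_version pg version of the cluster
# @param connection_type connection type; 'hostssl' needs an address, 'local' must not have one
# @param database database (or all, sameuser, replication, etc.); arrays are sorted and comma-joined
# @param user user (or all, etc.); arrays are sorted and comma-joined
# @param address hosts that match; bare IPs are written as /32 (v4) or /128 (v6) CIDRs
# @param method auth method; 'trust' is only accepted without an address
# @param order ordering of this entry in pg_hba.conf
define postgres::cluster::hba_entry (
  Integer $pg_port,
  String $pg_cluster,
  String $pg_version,
  Enum['local', 'hostssl'] $connection_type = 'hostssl',
  Variant[String,Array[String]] $database = 'sameuser',
  Variant[String,Array[String]] $user = 'all',
  Optional[Variant[Stdlib::IP::Address, Array[Stdlib::IP::Address]]] $address = undef,
  Enum['md5', 'trust'] $method = 'md5',
  String $order = '50',
) {
  # Normalise to a list first so that undef and an empty array are both
  # treated as "no address" (an empty array is truthy in Puppet, so a bare
  # `!$address` would let `address => []` through).
  $addresses = $address ? {
    undef   => [],
    default => Array($address, true),
  }
  $has_address = !empty($addresses)

  # Address presence is dictated by the pg_hba record type, not by the
  # auth method: the previous else-branch re-tested membership in the
  # method list and was therefore always true, so 'trust' failed
  # unconditionally.
  case $connection_type {
    'local': {
      if $has_address {
        fail("Connection type ${connection_type} takes no address")
      }
    }
    default: {
      if !$has_address {
        fail("Connection type ${connection_type} needs an address")
      }
    }
  }
  # Keep the original restriction that 'trust' is never paired with an
  # address (so it can only be used for 'local' connections).
  if $method == 'trust' and $has_address {
    fail("Authentication method ${method} needs no address")
  }

  # Open the cluster's firewall chain for the matching hosts.
  if $has_address {
    ferm::rule::simple { "postgres::cluster::hba_entry::${name}":
      description => "allow access to pg${pg_version}/${pg_cluster}: ${name}",
      saddr       => $address,
      chain       => "pg-${pg_port}",
    }
  }

  $real_database = Array($database, true).sort().join(',')
  $real_user     = Array($user, true).sort().join(',')

  # One pg_hba line per address. Without an address (local entries) a
  # single line with an empty address column is written.
  $real_address = $has_address ? {
    false   => [''],
    default => $addresses.map |$a| {
      if $a =~ Stdlib::IP::Address::V4::CIDR {
        $a
      } elsif $a =~ Stdlib::IP::Address::V4::Nosubnet {
        "${a}/32"
      } elsif $a =~ Stdlib::IP::Address::V6::CIDR {
        $a
      } elsif $a =~ Stdlib::IP::Address::V6::Nosubnet {
        "${a}/128"
      } else {
        fail("Do not know address type for ${a}")
      }
    },
  }

  # Virtual fragment; it is realised by the cluster's hba concat target
  # via the tag below.
  @concat::fragment { "postgres::cluster::pg_hba::${name}":
    tag     => "postgres::cluster::${pg_version}::${pg_cluster}::hba",
    target  => "postgres::cluster::${pg_version}::${pg_cluster}::hba",
    order   => $order,
    content => inline_template( @(EOF) ),
      #
      # rule <%= @name %>
      <% @real_address.each do |addr| -%>
      <%= [@connection_type, @real_database, @real_user, addr, @method].join(' ') %>
      <% end -%>
      #
      | EOF
  }
}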