From 6f8eb6e52733f15c3c4b428aa1448c3fcb09eb0e Mon Sep 17 00:00:00 2001
From: John Kristensen
Date: Fri, 27 Jan 2017 23:25:33 +1100
Subject: [PATCH] feat(acls): allow merging of acls from multiple pillar files

It would be useful to be able to define acls in multiple different pillar files. This is not possible using a list because lists can not be merged. If we use a dict then salt can merge all the acls together. The key name for the lists is only used for sorting the groupings of acls. For backwards compatibility we check to see if postgres:acls is a list and handle it properly.
---
 pillar.example | 20 ++++++++++++--------
 postgres/templates/pg_hba.conf.j2 | 31 ++++++++++++++++++------------
 2 files changed, 30 insertions(+), 21 deletions(-)

diff --git a/pillar.example b/pillar.example
index 040537a7..476c1360 100644
--- a/pillar.example
+++ b/pillar.example
@@ -68,10 +68,11 @@ postgres:
 # databases they can access. Records take one of these forms:
 #
 # acls:
- # - ['local', 'DATABASE', 'USER', 'METHOD']
- # - ['host', 'DATABASE', 'USER', 'ADDRESS', 'METHOD']
- # - ['hostssl', 'DATABASE', 'USER', 'ADDRESS', 'METHOD']
- # - ['hostnossl', 'DATABASE', 'USER', 'ADDRESS', 'METHOD']
+ # group:
+ # - ['local', 'DATABASE', 'USER', 'METHOD']
+ # - ['host', 'DATABASE', 'USER', 'ADDRESS', 'METHOD']
+ # - ['hostssl', 'DATABASE', 'USER', 'ADDRESS', 'METHOD']
+ # - ['hostnossl', 'DATABASE', 'USER', 'ADDRESS', 'METHOD']
 #
 # The uppercase items must be replaced by actual values.
 # METHOD could be omitted, 'md5' will be appended by default.
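Review bot: The new `group:` comment form does not say that groups are rendered in sorted key order, which matters because pg_hba.conf is evaluated first-match: rules no longer appear in the order they are written, and once several pillar files are merged the effective order is decided purely by the key names (the template hunk iterates `acls|dictsort`). The example in the second hunk shows this — `all` sorts before `db1` and `db2`, so the broad `host all all 127.0.0.1/32 md5` record now precedes the database-specific ones (harmless in this example because no addresses overlap, but not in general). Suggest adding after the `group:` form: `# Groups are emitted sorted by key name; pg_hba.conf uses the first matching record, so choose key names so that specific rules sort before broad ones.` It would also help to state here that the old flat-list form is still accepted, as the commit message says.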
@@ -81,10 +82,13 @@ postgres:
 # If ``acls`` item value is empty ('', [], null), then the contents of
 # ``pg_hba.conf`` file will not be touched at all.
 acls:
- - ['local', 'db0', 'connuser', 'peer map=users_as_appuser']
- - ['local', 'db1', 'localUser']
- - ['host', 'db2', 'remoteUser', '192.168.33.0/24']
- - ['host', 'all', 'all', '127.0.0.1/32', 'md5']
+ db1:
+ - ['local', 'db0', 'connuser', 'peer map=users_as_appuser']
+ - ['local', 'db1', 'localUser']
+ db2:
+ - ['host', 'db2', 'remoteUser', '192.168.33.0/24']
+ all:
+ - ['host', 'all', 'all', '127.0.0.1/32', 'md5']
 identity_map:
 - ['users_as_appuser', 'jdoe', 'connuser']
diff --git a/postgres/templates/pg_hba.conf.j2 b/postgres/templates/pg_hba.conf.j2
index 0dfcc4e4..52f2a4e8 100644
--- a/postgres/templates/pg_hba.conf.j2
+++ b/postgres/templates/pg_hba.conf.j2
@@ -20,21 +20,26 @@ local all postgres peer
 # TYPE DATABASE USER ADDRESS METHOD
-{% for acl in acls %}
- {%- if acl|first() == 'local' %}
+{%- if acls is list -%}
+ {%- set acls = {'_all': acls} %}
+{%- endif %}
+{%- for _, group in acls|dictsort %}
+ {%- for acl in group %}
+ {%- if acl|first() == 'local' %}
- {%- if acl|length() == 3 %}
- {%- do acl.extend(['', 'md5']) %}
- {%- elif acl|length() == 4 %}
- {%- do acl.insert(3, '') %}
- {%- endif %}
+ {%- if acl|length() == 3 %}
+ {%- do acl.extend(['', 'md5']) %}
+ {%- elif acl|length() == 4 %}
+ {%- do acl.insert(3, '') %}
+ {%- endif %}
- {%- else %}
+ {%- else %}
- {%- if acl|length() == 4 %}
- {%- do acl.append('md5') %}
- {%- endif %}
+ {%- if acl|length() == 4 %}
+ {%- do acl.append('md5') %}
+ {%- endif %}
- {%- endif %}
+ {%- endif %}
 {{ '{0:<7} {1:<15} {2:<15} {3:<23} {4}'.format(*acl) }}
-{% endfor %}
+ {%- endfor %}
+{%- endfor %}
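Review bot: The inner `{%- for acl in group %}` assumes every merged group value is a list; a pillar file that sets a group to `null` to disable it would abort the render, and the pillar.example comment only covers the whole `acls` value being empty, not a single group. Guarding with `{%- for acl in group or [] %}` keeps such a group from failing the render; whether a `null` group is actually reachable through Salt's pillar merge is something I have not verified. The `is list` test appears to be Salt-registered rather than stock Jinja2, and the `{%- set acls = ... %}` inside the `if` relies on Jinja2 `if` blocks not introducing a new scope — both work, but a one-line comment would save the next reader the check, e.g. `{# Wrap a legacy flat list as a single group; groups are emitted in key order (dictsort) and pg_hba.conf is first-match, so key names decide precedence #}`.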