allow more mappings per mapname

It is perfectly fine have more mappings per mapname, [ref](https://www.postgresql.org/docs/current/auth-username-maps.html).

The current implementation doesn't allow repetitions of mapnames in
`pg_ident.conf`, with this change an entry is unique based on map_name,
system_username and database_username.

This allows for multiple system users to be mapped to a single database
user.

Author: kristofvandam

CHANGELOG.md

@@ -4,6 +4,8 @@ This file is used to list changes made in the last 3 major versions of the postg
 
 ## Unreleased
 
+- Fix where only a single mapname was being set in the `pg_hba.conf` file when multiple were specified
+
 ## 12.1.0 - *2025-05-17*
 
 - Cast `server_config` keys to strings in `postgresql_config` to avoid unnecessary converges

libraries/ident.rb

@@ -79,15 +79,15 @@ def initialize
           def add(entry)
             raise unless entry.is_a?(PgIdentFileEntry)
 
-            return false if entry?(entry.map_name)
+            return false if entry?(entry.map_name, entry.system_username, entry.database_username)
 
             @entries.push(entry)
 
             sort!
           end
 
-          def entry(map_name)
-            entry = @entries.filter { |e| e.map_name.eql?(map_name) }
+          def entry(map_name, system_username, database_username)
+            entry = @entries.filter { |e| e.map_name.eql?(map_name) && e.system_username.eql?(system_username) && e.database_username.eql?(database_username) }
 
             return if nil_or_empty?(entry)
 
@@ -96,8 +96,8 @@ def entry(map_name)
             entry.pop
           end
 
-          def entry?(map_name)
-            !@entries.filter { |e| e.map_name.eql?(map_name) }.empty?
+          def entry?(map_name, system_username, database_username)
+          !@entries.filter { |e| e.map_name.eql?(map_name) && e.system_username.eql?(system_username) && e.database_username.eql?(database_username) }.empty?
           end
 
           def include?(entry)
@@ -120,17 +120,8 @@ def read!(file = 'pg_ident.conf', sort: true)
             sort! if sort
           end
 
-          def remove(entry)
-            raise unless entry.is_a?(PgIdentFileEntry) || entry.is_a?(String)
-
-            remove_name = case entry
-                          when PgIdentFileEntry
-                            entry.map_name
-                          when String
-                            entry
-                          end
-
-            @entries.reject! { |e| e.map_name.eql?(remove_name) }
+          def remove(map_name, system_username, database_username)
+            @entries.reject! { |e| e.map_name.eql?(map_name) && e.system_username.eql?(system_username) && e.database_username.eql?(database_username) }
           end
 
           def sort!

resources/ident.rb

@@ -52,9 +52,9 @@
 
   ident_file = PostgreSQL::Cookbook::IdentHelpers::PgIdent::PgIdentFile.read(new_resource.config_file)
 
-  current_value_does_not_exist! unless ident_file.entry?(new_resource.map_name)
+  current_value_does_not_exist! unless ident_file.entry?(new_resource.map_name, new_resource.system_username, new_resource.database_username)
 
-  entry = ident_file.entry(new_resource.map_name)
+  entry = ident_file.entry(new_resource.map_name, new_resource.system_username, new_resource.database_username)
   %i(map_name system_username database_username comment).each { |p| send(p, entry.send(p)) }
 end
 
@@ -65,7 +65,7 @@
 action :create do
   converge_if_changed do
     config_resource_init
-    entry = config_resource.variables[:pg_ident].entry(new_resource.map_name)
+    entry = config_resource.variables[:pg_ident].entry(new_resource.map_name, new_resource.system_username, new_resource.database_username)
 
     if nil_or_empty?(entry)
       resource_properties = %i(map_name system_username database_username comment).map { |p| [ p, new_resource.send(p) ] }.to_h.compact
@@ -80,7 +80,7 @@
 action :update do
   converge_if_changed(:system_username, :database_username, :comment) do
     config_resource_init
-    entry = config_resource.variables[:pg_ident].entry(new_resource.map_name)
+    entry = config_resource.variables[:pg_ident].entry(new_resource.map_name, new_resource.system_username, new_resource.database_username)
 
     raise Chef::Exceptions::CurrentValueDoesNotExist, "Cannot update ident entry for '#{new_resource.map_name}' as it does not exist" if nil_or_empty?(entry)
 
@@ -91,7 +91,7 @@
 action :delete do
   config_resource_init
 
-  converge_by("Remove ident entry with map_name: #{new_resource.map_name}") do
-    config_resource.variables[:pg_ident].remove(new_resource.map_name)
-  end if config_resource.variables[:pg_ident].entry?(new_resource.map_name)
+converge_by("Remove ident entry where map_name: #{new_resource.map_name}, system_username: #{new_resource.system_username}, database_username: #{new_resource.database_username}") do
+    config_resource.variables[:pg_ident].remove(new_resource.map_name, new_resource.system_username, new_resource.database_username)
+  end if config_resource.variables[:pg_ident].entry?(new_resource.map_name, new_resource.system_username, new_resource.database_username)
 end

test/cookbooks/test/recipes/ident.rb

@@ -18,6 +18,7 @@
 end
 
 user 'shef'
+user 'shef2'
 
 postgresql_ident 'postgresl mapping' do
   map_name 'testmap1'
@@ -36,6 +37,14 @@
   notifies :reload, 'postgresql_service[postgresql]', :delayed
 end
 
+postgresql_ident 'shef2 mapping' do
+  map_name 'testmap2'
+  system_username 'shef2'
+  database_username 'sous_chef'
+
+  notifies :reload, 'postgresql_service[postgresql]', :delayed
+end
+
 postgresql_ident 'shef remove mapping' do
   map_name 'testmap3'
   system_username 'shef_remove'

test/integration/ident/controls/ident_map.rb

@@ -7,6 +7,19 @@
   end
 end
 
+control 'postgresql-ident-multi-map' do
+  impact 1.0
+  desc 'This test ensures postgres configures ident access with multiple mappings correctly'
+
+  describe command("sudo -u shef bash -c \"psql -U sous_chef -d test1 -c 'SELECT 1;'\"") do
+    its('exit_status') { should eq 0 }
+  end
+
+  describe command("sudo -u shef2 bash -c \"psql -U sous_chef -d test1 -c 'SELECT 1;'\"") do
+    its('exit_status') { should eq 0 }
+  end
+end
+
 control 'shef and postgres roles should exist' do
   impact 1.0
   desc 'The shef & postgres database user role should exist'