Alter escaping in postgresql::config::afterservice

This allows non-standard users (pe-postgres) to change passwords. Also
added a function to do escaping of the password, added system tests
and rspec tests for the function.

lib/puppet/parser/functions/postgresql_escape.rb

@@ -0,0 +1,25 @@
+require 'digest/md5'
+
+module Puppet::Parser::Functions
+  newfunction(:postgresql_escape, :type => :rvalue, :doc => <<-EOS
+    Safely escapes a string using $$ using a random tag which should be consistent
+    EOS
+  ) do |args|
+
+    raise(Puppet::ParseError, "postgresql_escape(): Wrong number of arguments " +
+      "given (#{args.size} for 1)") if args.size != 1
+
+    password = args[0]
+
+    if password !~ /\$\$/ 
+      retval = "$$#{password}$$"
+    else
+      escape = Digest::MD5.hexdigest(password)[0..5].gsub(/\d/,'')
+      until password !~ /#{escape}/
+        escape = Digest::MD5.hexdigest(escape)[0..5].gsub(/\d/,'')
+      end
+      retval = "$#{escape}$#{password}$#{escape}$"
+    end
+    retval 
+  end
+end

manifests/config/afterservice.pp

@@ -26,9 +26,10 @@ class postgresql::config::afterservice(
     #  to allow the postgres system user to connect via psql without specifying
     #  a password ('ident' or 'trust' security).  This is the default
     #  for pg_hba.conf.
+    $escapedpassword = postgresql_escape($postgres_password)
     exec { 'set_postgres_postgrespw':
         # This command works w/no password because we run it as postgres system user
-        command     => "psql -c \"ALTER ROLE ${postgresql::params::user} PASSWORD '${postgres_password}'\"",
+        command     => "psql -c 'ALTER ROLE \"${postgresql::params::user}\" PASSWORD ${escapedpassword}'",
         user        => $postgresql::params::user,
         group       => $postgresql::params::group,
         logoutput   => true,
@@ -38,7 +39,7 @@ class postgresql::config::afterservice(
         #  the password is correct (current), this command will exit with an exit code of 0,
         #  which will prevent the main command from running.
         unless      => "env PGPASSWORD=\"${postgres_password}\" psql -h localhost -c 'select 1' > /dev/null",
-        path        => '/usr/bin:/usr/local/bin:/bin',
+        path        => '/usr/bin:/usr/local/bin:/bin:/opt/puppet/bin',
     }
   }
 }

spec/system/install_spec.rb

@@ -97,6 +97,39 @@ describe 'install:' do
     end
   end
 
+  describe 'custom postgres password' do
+    it 'should install and successfully adjust the password' do
+      pp = <<-EOS
+        class { "postgresql::server":
+          config_hash => {
+            'postgres_password' => 'TPSReports!',
+          },
+        }
+      EOS
+
+      puppet_apply(pp) do |r|
+        r.exit_code.should == 2
+        r.stdout.should =~ /\[set_postgres_postgrespw\]\/returns: executed successfully/
+      end
+      puppet_apply(pp) do |r|
+        r.exit_code.should == 0
+      end
+
+      pp = <<-EOS
+        class { "postgresql::server":
+          config_hash => {
+            'postgres_password' => 'TPSR$$eports!',
+          },
+        }
+      EOS
+      puppet_apply(pp) do |r|
+        r.exit_code.should == 2
+        r.stdout.should =~ /\[set_postgres_postgrespw\]\/returns: executed successfully/
+      end
+
+    end
+  end
+
   describe 'postgresql::psql' do
     it 'should work but emit a deprecation warning' do
       pp = <<-EOS

spec/unit/functions/postgresql_escape_spec.rb

@@ -0,0 +1,10 @@
+require 'spec_helper'
+
+describe 'postgresql_escape', :type => :puppet_function do
+  it { should run.with_params('foo').
+    and_return('$$foo$$') }
+end
+describe 'postgresql_escape', :type => :puppet_function do
+  it { should run.with_params('fo$$o').
+    and_return('$ed$fo$$o$ed$') }
+end