Merge pull request #225 from kbarber/ticket/master/GH-216-alter-role-not-idempotent

(GH-216) Alter role call not idempotent with cleartext passwords
Ashley Penney 2013-08-01 05:53:15 -07:00
commit a1b9728dd1
4 changed files with 83 additions and 73 deletions


@ -3,8 +3,7 @@ source 'https://rubygems.org'
group :development, :test do
gem 'rake'
gem 'puppetlabs_spec_helper', :require => false
gem 'rspec-system-puppet', '~>1.0'
gem 'rspec-system', '>=1.2.1'
gem 'rspec-system-puppet', '~>2.0'
gem 'puppet-lint', '~> 0.3.2'
end


@ -17,15 +17,15 @@
# limitations under the License.
define postgresql::role(
$password_hash = false,
$createdb = false,
$createrole = false,
$db = 'postgres',
$login = false,
$superuser = false,
$replication = false,
$connection_limit = '-1',
$username = $title
$password_hash = false,
$createdb = false,
$createrole = false,
$db = 'postgres',
$login = false,
$superuser = false,
$replication = false,
$connection_limit = '-1',
$username = $title
) {
include postgresql::params
@ -80,8 +80,14 @@ define postgresql::role(
}
if $password_hash {
if($password_hash =~ /^md5.+/) {
$pwd_hash_sql = $password_hash
} else {
$pwd_md5 = md5("${password_hash}${username}")
$pwd_hash_sql = "md5${pwd_md5}"
}
postgresql_psql {"ALTER ROLE \"${username}\" ${password_sql}":
unless => "SELECT usename FROM pg_shadow WHERE usename='${username}' and passwd='${password_hash}'",
unless => "SELECT usename FROM pg_shadow WHERE usename='${username}' and passwd='${pwd_hash_sql}'",
}
}
}
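Review bot: The "already hashed" test on the new line `if($password_hash =~ /^md5.+/) {` accepts any value that merely starts with `md5`, so a cleartext password that happens to begin with those three characters is passed through verbatim to the new `unless` query (and presumably to `$password_sql`, which is built outside this hunk), which would both break the login and defeat the idempotency this change restores. Matching the exact shape PostgreSQL stores, `if($password_hash =~ /^md5[0-9a-f]{32}$/) {`, removes the ambiguity and also bounds what reaches the unquoted `passwd='${pwd_hash_sql}'` interpolation on the new `unless` line. Note that `${username}` and `${pwd_hash_sql}` are interpolated into the SQL string without any escaping; these come from the catalog rather than from end users, but a single quote in either still breaks the query, so a short comment stating that assumption next to the `unless` would help the next maintainer. The rest of the define, including where `$password_sql` is set, lies outside this hunk.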


@ -37,9 +37,7 @@ describe 'install:' do
puppet_apply(pp) do |r|
r.exit_code.should_not == 1
end
puppet_apply(pp) do |r|
r.refresh
r.exit_code.should == 0
end
@ -78,9 +76,7 @@ describe 'install:' do
puppet_apply(pp) do |r|
r.exit_code.should_not == 1
end
puppet_apply(pp) do |r|
r.refresh
r.exit_code.should == 0
end
@ -111,9 +107,7 @@ describe 'install:' do
puppet_apply(pp) do |r|
r.exit_code.should_not == 1
end
puppet_apply(pp) do |r|
r.refresh
r.exit_code.should == 0
end
@ -146,9 +140,7 @@ describe 'install:' do
puppet_apply(pp) do |r|
r.exit_code.should_not == 1
end
puppet_apply(pp) do |r|
r.refresh
r.exit_code.should == 0
end
@ -182,9 +174,7 @@ describe 'install:' do
puppet_apply(pp) do |r|
r.exit_code.should_not == 1
r.stdout.should =~ /postgresql::psql is deprecated/
end
puppet_apply(pp) do |r|
r.refresh
r.exit_code.should == 2
r.stdout.should =~ /postgresql::psql is deprecated/
end
@ -207,9 +197,7 @@ describe 'install:' do
puppet_apply(pp) do |r|
r.exit_code.should_not == 1
end
puppet_apply(pp) do |r|
r.refresh
r.exit_code.should == 2
end
end
@ -229,15 +217,13 @@ describe 'install:' do
puppet_apply(pp) do |r|
r.exit_code.should_not == 1
end
puppet_apply(pp) do |r|
r.exit_code.should be_zero
r.refresh
r.exit_code.should == 0
end
end
end
describe 'postgresql::user' do
describe 'postgresql::database_user' do
it 'should idempotently create a user who can log in' do
pp = <<-EOS
$user = "postgresql_test_user"
@ -259,16 +245,14 @@ describe 'install:' do
puppet_apply(pp) do |r|
r.exit_code.should_not == 1
end
puppet_apply(pp) do |r|
r.exit_code.should be_zero
r.refresh
r.exit_code.should == 0
end
# Check that the user can log in
psql('--command="select datname from pg_database" postgres', 'postgresql_test_user') do |r|
r.stdout.should =~ /template1/
r.stderr.should be_empty
r.stderr.should == ''
r.exit_code.should == 0
end
end
@ -294,16 +278,47 @@ describe 'install:' do
puppet_apply(pp) do |r|
r.exit_code.should_not == 1
end
puppet_apply(pp) do |r|
r.exit_code.should be_zero
r.refresh
r.exit_code.should == 0
end
# Check that the user can log in
psql('--command="select datname from pg_database" postgres', 'postgresql_test_user') do |r|
r.stdout.should =~ /template1/
r.stderr.should be_empty
r.stderr.should == ''
r.exit_code.should == 0
end
end
it 'should idempotently create a user with a cleartext password' do
pp = <<-EOS
$user = "postgresql_test_user2"
$password = "postgresql_test_password2"
include postgresql::server
# Since we are not testing pg_hba or any of that, make a local user for ident auth
user { $user:
ensure => present,
}
postgresql::database_user { $user:
password_hash => $password,
require => [ Class['postgresql::server'],
User[$user] ],
}
EOS
puppet_apply(pp) do |r|
r.exit_code.should_not == 1
r.refresh
r.exit_code.should == 0
end
# Check that the user can log in
psql('--command="select datname from pg_database" postgres', 'postgresql_test_user2') do |r|
r.stdout.should =~ /template1/
r.stderr.should == ''
r.exit_code.should == 0
end
end
@ -349,16 +364,14 @@ describe 'install:' do
puppet_apply(pp) do |r|
r.exit_code.should_not == 1
end
puppet_apply(pp) do |r|
r.exit_code.should be_zero
r.refresh
r.exit_code.should == 0
end
# Check that the user can create a table in the database
psql('--command="create table foo (foo int)" postgres', 'psql_grant_tester') do |r|
r.stdout.should =~ /CREATE TABLE/
r.stderr.should be_empty
r.stderr.should == ''
r.exit_code.should == 0
end
ensure
@ -416,10 +429,8 @@ describe 'install:' do
puppet_apply(pp) do |r|
r.exit_code.should_not == 1
end
puppet_apply(pp) do |r|
r.exit_code.should be_zero
r.refresh
r.exit_code.should == 0
end
## Check that the user can create a table in the database
@ -448,10 +459,8 @@ describe 'install:' do
puppet_apply(pp) do |r|
r.exit_code.should_not == 1
end
puppet_apply(pp) do |r|
r.exit_code.should be_zero
r.refresh
r.exit_code.should == 0
end
pp = <<-EOS
@ -464,7 +473,7 @@ describe 'install:' do
EOS
puppet_apply(pp) do |r|
r.exit_code.should be_zero
r.exit_code.should == 0
end
end
@ -537,22 +546,20 @@ describe 'install:' do
puppet_apply(pp) do |r|
r.exit_code.should_not == 1
end
puppet_apply(pp) do |r|
r.refresh
r.exit_code.should == 0
end
# Check that databases use correct tablespaces
psql('--command="select ts.spcname from pg_database db, pg_tablespace ts where db.dattablespace = ts.oid and db.datname = \'"\'tablespacedb1\'"\'"') do |r|
r.stdout.should =~ /tablespace1/
r.stderr.should be_empty
r.stderr.should == ''
r.exit_code.should == 0
end
psql('--command="select ts.spcname from pg_database db, pg_tablespace ts where db.dattablespace = ts.oid and db.datname = \'"\'tablespacedb3\'"\'"') do |r|
r.stdout.should =~ /tablespace2/
r.stderr.should be_empty
r.stderr.should == ''
r.exit_code.should == 0
end
end
@ -633,16 +640,14 @@ describe 'install:' do
puppet_apply(pp) do |r|
r.exit_code.should_not == 1
end
puppet_apply(pp) do |r|
r.refresh
r.exit_code.should be_zero
end
psql('--command="show max_connections" -t') do |r|
r.stdout.should =~ /123/
r.stderr.should be_empty
r.exit_code.should be_zero
r.stderr.should == ''
r.exit_code.should == 0
end
pp = <<-EOS
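Review bot: The new example `it 'should idempotently create a user with a cleartext password'` never checks the password that was actually stored: its psql step connects as the local OS account the manifest creates for ident auth, so a wrong or unhashed `passwd` value would still pass as long as the role exists and the run converges. A follow-up check of `select passwd from pg_shadow where usename='postgresql_test_user2'` (quoted the same way as the tablespace queries later in this file) compared against the md5 of password+username that the manifest computes would pin the behaviour GH-216 is about. Separately, most hunks switch the second-run assertion to `r.exit_code.should == 0`, but the last hunk still uses `r.exit_code.should be_zero` immediately after `r.refresh`; aligning it would keep the file consistent.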


@ -56,9 +56,9 @@ describe 'non defaults:' do
# Currently puppetlabs/apt shows deprecated messages
#r.stderr.should be_empty
[2,6].should include(r.exit_code)
end
puppet_apply(pp) do |r|
r.refresh
# Currently puppetlabs/apt shows deprecated messages
#r.stderr.should be_empty
# It also returns a 4
@ -90,9 +90,9 @@ describe 'non defaults:' do
#r.stderr.should be_empty
# It also returns a 6
[2,6].should include(r.exit_code)
end
puppet_apply(pp) do |r|
r.refresh
# Currently puppetlabs/apt shows deprecated messages
#r.stderr.should be_empty
# It also returns a 2