module-postgresql/manifests/role.pp
Ken Barber 9c2dab95aa (GH-216) Alter role call not idempotent with cleartext passwords
The postgresql::role defined type was not idempotent when passed cleartext
passwords, because the cleartext value was being compared against the md5
hash that PostgreSQL stores in the database.

This patch converts a cleartext password to its md5 hash before comparison;
a value that already starts with "md5" is treated as pre-hashed and left untouched.

I also bumped the version of rspec-system-puppet to gain access to the refresh
method, and cleaned up the old tests, which had become a bit dusty, again
taking advantage of refresh and changing some matchers for clarity.

Signed-off-by: Ken Barber <ken@bob.sh>
2013-08-01 03:18:46 +01:00


# puppet-postgresql
# For all details and documentation:
# http://github.com/inkling/puppet-postgresql
#
# Copyright 2012- Inkling Systems, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
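# postgresql::role
#
# Ensures a PostgreSQL role exists with the requested attributes and keeps
# those attributes converged on later runs. The role is created once (guarded
# by a pg_roles lookup); every attribute is then enforced by its own
# ALTER ROLE statement, each skipped via `unless` when pg_roles / pg_shadow
# already shows the desired value.
#
# Parameters:
#   $password_hash    - false (default) for no password; otherwise either a
#                       pre-hashed value ("md5" followed by 32 hex chars) or
#                       a cleartext password. Cleartext is hashed here as
#                       md5(password + username), the form PostgreSQL keeps in
#                       pg_shadow.passwd, so the comparison is idempotent.
#   $createdb         - CREATEDB vs NOCREATEDB (default false)
#   $createrole       - CREATEROLE vs NOCREATEROLE (default false)
#   $db               - database the psql commands connect to (default 'postgres')
#   $login            - LOGIN vs NOLOGIN (default false)
#   $superuser        - SUPERUSER vs NOSUPERUSER (default false)
#   $replication      - REPLICATION vs NOREPLICATION; the ALTER is only
#                       issued on PostgreSQL >= 9.1 (default false)
#   $connection_limit - CONNECTION LIMIT value (default '-1', unlimited)
#   $username         - the role name (defaults to the resource title)
#
# Security notes:
#   * The SQL text is the postgresql_psql resource *title*, so it appears in
#     the compiled catalog, agent logs and reports. Only the md5 hash is ever
#     placed in a title here; a cleartext $password_hash is hashed first and
#     never reaches the title. The cleartext still lives in the manifest /
#     hiera data that sets the parameter, so prefer supplying a pre-computed
#     md5 hash when that data is not adequately protected.
#   * $username, $password_hash and $connection_limit are interpolated into
#     SQL without quoting or escaping. They are catalog data, not end-user
#     input, but a value containing a single or double quote will break the
#     statement (and its `unless` query) rather than be escaped. Keep them to
#     plain identifiers / hash strings.
#   * NOTE(review): the password `unless` reads pg_shadow, which PostgreSQL
#     only exposes to superusers -- confirm $postgresql::params::user is one,
#     otherwise the ALTER ROLE ... PASSWORD runs on every agent run.
define postgresql::role(
  $password_hash    = false,
  $createdb         = false,
  $createrole       = false,
  $db               = 'postgres',
  $login            = false,
  $superuser        = false,
  $replication      = false,
  $connection_limit = '-1',
  $username         = $title
) {
  include postgresql::params

  # Keyword fragments shared by CREATE ROLE and the per-attribute ALTER ROLEs.
  $login_sql      = $login      ? { true => 'LOGIN',      default => 'NOLOGIN' }
  $createrole_sql = $createrole ? { true => 'CREATEROLE', default => 'NOCREATEROLE' }
  $createdb_sql   = $createdb   ? { true => 'CREATEDB',   default => 'NOCREATEDB' }
  $superuser_sql  = $superuser  ? { true => 'SUPERUSER',  default => 'NOSUPERUSER' }

  # CREATE ROLE only: REPLICATION is not a valid keyword before 9.1, and on
  # 9.1+ NOREPLICATION is already the default, so an empty fragment keeps the
  # CREATE statement valid on every server when replication is not requested.
  $replication_sql = $replication ? { true => 'REPLICATION', default => '' }

  if $password_hash {
    # Normalise to the on-disk form PostgreSQL stores in pg_shadow.passwd:
    # "md5" + md5hex(password || username). An already-hashed value is passed
    # through untouched. The hash, not the cleartext, is what we send to the
    # server: CREATE/ALTER ROLE ... PASSWORD stores an md5-prefixed string
    # as-is, and this keeps the cleartext out of resource titles and reports.
    if $password_hash =~ /^md5.+/ {
      $pwd_hash_sql = $password_hash
    } else {
      $pwd_md5      = md5("${password_hash}${username}")
      $pwd_hash_sql = "md5${pwd_md5}"
    }
    $password_sql = "ENCRYPTED PASSWORD '${pwd_hash_sql}'"
  } else {
    $password_sql = ''
  }

  $create_role_sql = "CREATE ROLE \"${username}\" ${password_sql} ${login_sql} ${createrole_sql} ${createdb_sql} ${superuser_sql} ${replication_sql} CONNECTION LIMIT ${connection_limit}"

  # Defaults for every postgresql_psql in this scope; each ALTER ROLE is
  # ordered after the CREATE ROLE (which itself clears the require below).
  Postgresql_psql {
    db         => $db,
    psql_user  => $postgresql::params::user,
    psql_group => $postgresql::params::group,
    psql_path  => $postgresql::params::psql_path,
    require    => Postgresql_psql[$create_role_sql],
  }

  # Create the role only if no role of that name exists yet.
  postgresql_psql { $create_role_sql:
    unless  => "SELECT rolname FROM pg_roles WHERE rolname='${username}'",
    require => undef,
  }

  # One ALTER ROLE per attribute, each skipped when pg_roles already agrees.
  # The interpolated Puppet booleans render as true/false, valid SQL literals.
  postgresql_psql { "ALTER ROLE \"${username}\" ${superuser_sql}":
    unless => "SELECT rolname FROM pg_roles WHERE rolname='${username}' and rolsuper=${superuser}",
  }

  postgresql_psql { "ALTER ROLE \"${username}\" ${createdb_sql}":
    unless => "SELECT rolname FROM pg_roles WHERE rolname='${username}' and rolcreatedb=${createdb}",
  }

  postgresql_psql { "ALTER ROLE \"${username}\" ${createrole_sql}":
    unless => "SELECT rolname FROM pg_roles WHERE rolname='${username}' and rolcreaterole=${createrole}",
  }

  postgresql_psql { "ALTER ROLE \"${username}\" ${login_sql}":
    unless => "SELECT rolname FROM pg_roles WHERE rolname='${username}' and rolcanlogin=${login}",
  }

  if versioncmp($postgresql::params::version, '9.1') >= 0 {
    # Use NOREPLICATION (not the empty CREATE fragment) here: revoking
    # replication from a role that currently has it must yield a valid
    # statement, not a bare `ALTER ROLE "x"` that fails with a syntax error.
    $replication_alter_sql = $replication ? { true => 'REPLICATION', default => 'NOREPLICATION' }
    postgresql_psql { "ALTER ROLE \"${username}\" ${replication_alter_sql}":
      unless => "SELECT rolname FROM pg_roles WHERE rolname='${username}' and rolreplication=${replication}",
    }
  }

  postgresql_psql { "ALTER ROLE \"${username}\" CONNECTION LIMIT ${connection_limit}":
    unless => "SELECT rolname FROM pg_roles WHERE rolname='${username}' and rolconnlimit=${connection_limit}",
  }

  if $password_hash {
    # Compare against the stored hash so a cleartext parameter is idempotent.
    postgresql_psql { "ALTER ROLE \"${username}\" ${password_sql}":
      unless => "SELECT usename FROM pg_shadow WHERE usename='${username}' and passwd='${pwd_hash_sql}'",
    }
  }
}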