Add ability to use hex hash with caching_sha2_password plugin

C24-AK · C24-AK · commit e1856382aa6c · 2023-12-28T13:55:30.000+01:00
diff --git a/lib/puppet/functions/mysql/password.rb b/lib/puppet/functions/mysql/password.rb
@@ -19,10 +19,10 @@
     return_type 'Variant[String, Sensitive[String]]'
   end
 
-  def password(password, sensitive = false)
+  def password(password, sensitive = false) # rubocop:disable Style/OptionalBooleanParameter
     password = password.unwrap if password.is_a?(Puppet::Pops::Types::PSensitiveType::Sensitive)
 
-    result_string = if %r{\*[A-F0-9]{40}$}.match?(password)
+    result_string = if %r{\*[A-F0-9]{40}$}.match?(password) or %r{0x[A-F0-9]+$}.match?(password)
                       password
                     elsif password.empty?
                       ''
diff --git a/lib/puppet/provider/mysql_user/mysql.rb b/lib/puppet/provider/mysql_user/mysql.rb
@@ -23,6 +23,11 @@ def self.instances
       # rubocop:enable Layout/LineLength
       @max_user_connections, @max_connections_per_hour, @max_queries_per_hour, @max_updates_per_hour, ssl_type, ssl_cipher,
       x509_issuer, x509_subject, @password, @plugin, @authentication_string = mysql_caller(query, 'regular').chomp.split(%r{\t})
+      
+      if @plugin == 'caching_sha2_password'
+        @password = mysql_caller("SELECT CONCAT('0x',HEX('#{@password}'))", 'regular').chomp
+      end
+
       @tls_options = parse_tls_options(ssl_type, ssl_cipher, x509_issuer, x509_subject)
       if (newer_than('mariadb' => '10.1.21') && (@plugin == 'ed25519' || @plugin == 'mysql_native_password')) ||
          (newer_than('mariadb' => '10.2.16') && older_than('mariadb' => '10.2.19')) ||
@@ -76,6 +81,8 @@ def create
     if !plugin.nil?
       if password_hash.nil?
         self.class.mysql_caller("CREATE USER '#{merged_name}' IDENTIFIED WITH '#{plugin}'", 'system')
+      elsif plugin.eql? "caching_sha2_password"
+        self.class.mysql_caller("CREATE USER '#{merged_name}' IDENTIFIED WITH '#{plugin}' AS X'#{password_hash[2..-1]}'", 'system')
       else
         self.class.mysql_caller("CREATE USER '#{merged_name}' IDENTIFIED WITH '#{plugin}' AS '#{password_hash}'", 'system')
       end
@@ -159,9 +166,11 @@ def password_hash=(string)
       end
       self.class.mysql_caller(sql, 'system')
     elsif !mysqld_version.nil? && newer_than('mysql' => '5.7.6', 'percona' => '5.7.6', 'mariadb' => '10.2.0')
-      raise ArgumentError, _('Only mysql_native_password (*ABCD...XXX) hashes are supported.') unless %r{^\*|^$}.match?(string)
+      raise ArgumentError, _('Only mysql_native_password (*ABCD...XXX) or caching_sha2_password (0x1234ABC...XXX) hashes are supported.') unless %r{^\*|^$}.match?(string) || %r{0x[A-F0-9]+$}.match?(string)
 
-      self.class.mysql_caller("ALTER USER #{merged_name} IDENTIFIED WITH mysql_native_password AS '#{string}'", 'system')
+      sql = "ALTER USER #{merged_name} IDENTIFIED WITH"
+      plugin == 'caching_sha2_password' ? sql += " '#{plugin}' AS X'#{@resource[:password_hash][2..-1]}'" : sql += " 'mysql_native_password' AS '#{@resource[:password_hash]}'"
+      self.class.mysql_caller(sql, 'system')
     else
       # default ... if mysqld_version does not work
       self.class.mysql_caller("SET PASSWORD FOR #{merged_name} = '#{string}'", 'system')
