Merge pull request #1512 from cruelsmith/flexible_password_encryption_in_pg_hba_conf

Flexible password encryption in pg hba conf

Author: bastelfreak

REFERENCE.md

@@ -874,6 +874,7 @@ The following parameters are available in the `postgresql::server` class:
 * [`manage_logdir`](#-postgresql--server--manage_logdir)
 * [`manage_xlogdir`](#-postgresql--server--manage_xlogdir)
 * [`password_encryption`](#-postgresql--server--password_encryption)
+* [`pg_hba_auth_password_encryption`](#-postgresql--server--pg_hba_auth_password_encryption)
 * [`roles`](#-postgresql--server--roles)
 * [`config_entries`](#-postgresql--server--config_entries)
 * [`pg_hba_rules`](#-postgresql--server--pg_hba_rules)
@@ -1300,12 +1301,21 @@ Default value: `$postgresql::params::manage_xlogdir`
 
 ##### <a name="-postgresql--server--password_encryption"></a>`password_encryption`
 
-Data type: `Optional[Postgresql::Pg_password_encryption]`
+Data type: `Postgresql::Pg_password_encryption`
 
 Specify the type of encryption set for the password.
 
 Default value: `$postgresql::params::password_encryption`
 
+##### <a name="-postgresql--server--pg_hba_auth_password_encryption"></a>`pg_hba_auth_password_encryption`
+
+Data type: `Optional[Postgresql::Pg_password_encryption]`
+
+Specify the type of encryption set for the password in pg_hba_conf,
+this value is usefull if you want to start enforcing scram-sha-256, but give users transition time.
+
+Default value: `undef`
+
 ##### <a name="-postgresql--server--roles"></a>`roles`
 
 Data type: `Hash[String, Hash]`
@@ -2417,6 +2427,7 @@ The following parameters are available in the `postgresql::server::instance::con
 * [`log_line_prefix`](#-postgresql--server--instance--config--log_line_prefix)
 * [`timezone`](#-postgresql--server--instance--config--timezone)
 * [`password_encryption`](#-postgresql--server--instance--config--password_encryption)
+* [`pg_hba_auth_password_encryption`](#-postgresql--server--instance--config--pg_hba_auth_password_encryption)
 * [`extra_systemd_config`](#-postgresql--server--instance--config--extra_systemd_config)
 
 ##### <a name="-postgresql--server--instance--config--ip_mask_deny_postgres_user"></a>`ip_mask_deny_postgres_user`
@@ -2633,12 +2644,21 @@ Default value: `$postgresql::server::timezone`
 
 ##### <a name="-postgresql--server--instance--config--password_encryption"></a>`password_encryption`
 
-Data type: `Optional[Postgresql::Pg_password_encryption]`
+Data type: `Postgresql::Pg_password_encryption`
 
 Specify the type of encryption set for the password.
 
 Default value: `$postgresql::server::password_encryption`
 
+##### <a name="-postgresql--server--instance--config--pg_hba_auth_password_encryption"></a>`pg_hba_auth_password_encryption`
+
+Data type: `Optional[Postgresql::Pg_password_encryption]`
+
+Specify the type of encryption set for the password in pg_hba_conf,
+this value is usefull if you want to start enforcing scram-sha-256, but give users transition time.
+
+Default value: `$postgresql::server::pg_hba_auth_password_encryption`
+
 ##### <a name="-postgresql--server--instance--config--extra_systemd_config"></a>`extra_systemd_config`
 
 Data type: `Optional[String]`
@@ -4409,6 +4429,8 @@ Data type: `Optional[Optional[Postgresql::Pg_password_encryption]]`
 
 Set type for password hash
 
+Default value comes from `postgresql::params::password_encryption` and changes based on the `postgresql::globals::version`.
+
 ##### `salt`
 
 Data type: `Optional[Optional[Variant[String[1], Integer]]]`

lib/puppet/functions/postgresql/postgresql_password.rb

@@ -13,6 +13,8 @@
   #   If the Postgresql-Passwordhash should be of Datatype Sensitive[String]
   # @param hash
   #   Set type for password hash
+  #
+  #   Default value comes from `postgresql::params::password_encryption` and changes based on the `postgresql::globals::version`.
   # @param salt
   #   Use a specific salt value for scram-sha-256, default is username
   #
@@ -27,7 +29,8 @@
     return_type 'Variant[String, Sensitive[String]]'
   end
 
-  def default_impl(username, password, sensitive = false, hash = 'md5', salt = nil)
+  def default_impl(username, password, sensitive = false, hash = nil, salt = nil)
+    hash = call_function(:'postgresql::default', 'password_encryption') if hash.nil?
     password = password.unwrap if password.respond_to?(:unwrap)
     if password.is_a?(String) && password.match?(%r{^(md5[0-9a-f]{32}$|SCRAM-SHA-256\$)})
       return Puppet::Pops::Types::PSensitiveType::Sensitive.new(password) if sensitive

manifests/params.pp

@@ -25,7 +25,7 @@
   $manage_selinux               = pick($manage_selinux, false)
   $package_ensure               = 'present'
   $module_workdir               = pick($module_workdir,'/tmp')
-  $password_encryption          = if versioncmp($version, '14') >= 0 { 'scram-sha-256' } else { undef }
+  $password_encryption          = versioncmp($version, '14') ? { -1 => 'md5', default => 'scram-sha-256' }
   $extra_systemd_config         = undef
   $manage_datadir               = true
   $manage_logdir                = true

manifests/server.pp

@@ -96,7 +96,9 @@
 # @param manage_logdir Set to false if you have file{ $logdir: } already defined
 # @param manage_xlogdir Set to false if you have file{ $xlogdir: } already defined
 # @param password_encryption Specify the type of encryption set for the password.
-#
+# @param pg_hba_auth_password_encryption
+#   Specify the type of encryption set for the password in pg_hba_conf,
+#   this value is usefull if you want to start enforcing scram-sha-256, but give users transition time.
 # @param roles Specifies a hash from which to generate postgresql::server::role resources.
 # @param config_entries Specifies a hash from which to generate postgresql::server::config_entry resources.
 # @param pg_hba_rules Specifies a hash from which to generate postgresql::server::pg_hba_rule resources.
@@ -178,7 +180,8 @@
   Boolean                                            $manage_datadir               = $postgresql::params::manage_datadir,
   Boolean                                            $manage_logdir                = $postgresql::params::manage_logdir,
   Boolean                                            $manage_xlogdir               = $postgresql::params::manage_xlogdir,
-  Optional[Postgresql::Pg_password_encryption]       $password_encryption          = $postgresql::params::password_encryption,
+  Postgresql::Pg_password_encryption                 $password_encryption          = $postgresql::params::password_encryption,
+  Optional[Postgresql::Pg_password_encryption]       $pg_hba_auth_password_encryption = undef,
   Optional[String]                                   $extra_systemd_config         = $postgresql::params::extra_systemd_config,
 
   Hash[String, Hash]                                 $roles                        = {},

manifests/server/instance/config.pp

@@ -42,6 +42,9 @@
 # @param log_line_prefix PostgreSQL log line prefix
 # @param timezone Set timezone for the PostgreSQL instance
 # @param password_encryption Specify the type of encryption set for the password.
+# @param pg_hba_auth_password_encryption
+#   Specify the type of encryption set for the password in pg_hba_conf,
+#   this value is usefull if you want to start enforcing scram-sha-256, but give users transition time.
 # @param extra_systemd_config
 #   Adds extra config to systemd config file, can for instance be used to add extra openfiles. This can be a multi line string
 define postgresql::server::instance::config (
@@ -70,9 +73,12 @@
   Boolean                                        $service_enable               = $postgresql::server::service_enable,
   Optional[String[1]]                            $log_line_prefix              = $postgresql::server::log_line_prefix,
   Optional[String[1]]                            $timezone                     = $postgresql::server::timezone,
-  Optional[Postgresql::Pg_password_encryption]   $password_encryption          = $postgresql::server::password_encryption,
+  Postgresql::Pg_password_encryption             $password_encryption          = $postgresql::server::password_encryption,
+  Optional[Postgresql::Pg_password_encryption]   $pg_hba_auth_password_encryption = $postgresql::server::pg_hba_auth_password_encryption,
   Optional[String]                               $extra_systemd_config         = $postgresql::server::extra_systemd_config,
 ) {
+  $_pg_hba_auth_password_encryption = pick($pg_hba_auth_password_encryption,$password_encryption)
+
   if ($manage_pg_hba_conf == true) {
     # Prepare the main pg_hba file
     concat { $pg_hba_conf_path:
@@ -105,7 +111,7 @@
           type        => 'host',
           user        => $user,
           address     => '127.0.0.1/32',
-          auth_method => 'md5',
+          auth_method => $_pg_hba_auth_password_encryption,
           order       => 3;
 
         "deny access to postgresql user for instance ${name}":
@@ -118,13 +124,13 @@
         "allow access to all users for instance ${name}":
           type        => 'host',
           address     => $ip_mask_allow_all_users,
-          auth_method => 'md5',
+          auth_method => $_pg_hba_auth_password_encryption,
           order       => 100;
 
         "allow access to ipv6 localhost for instance ${name}":
           type        => 'host',
           address     => '::1/128',
-          auth_method => 'md5',
+          auth_method => $_pg_hba_auth_password_encryption,
           order       => 101;
       }
     }

spec/acceptance/overridden_settings_spec.rb

@@ -26,7 +26,7 @@ class { 'postgresql::server':
           type        => 'host',
           database    => 'mydb',
           user        => 'myuser',
-          auth_method => 'md5',
+          auth_method => postgresql::default('password_encryption'),
           address     => '192.0.2.100/32',
         },
       },

spec/functions/postgresql_password_spec.rb

@@ -3,5 +3,7 @@
 require 'spec_helper'
 
 describe 'postgresql_password' do
+  include_examples 'Ubuntu 18.04'
+
   it_behaves_like 'postgresql_password function'
 end

spec/functions/postgresql_postgresql_password_spec.rb

@@ -3,5 +3,7 @@
 require 'spec_helper'
 
 describe 'postgresql::postgresql_password' do
+  include_examples 'Ubuntu 18.04'
+
   it_behaves_like 'postgresql_password function'
 end