(FM-8971) WIP-allow deferred function for pwd

tvpartytonight · tvpartytonight · commit 661deaeed537 · 2022-06-27T16:46:16.000-07:00
diff --git a/functions/create_role.pp b/functions/create_role.pp
@@ -0,0 +1,32 @@
+function postgresql::create_role (
+  $db,
+  $port,
+  $psql_user,
+  $psql_group,
+  $psql_path,
+  $connect_settings,
+  $cwd,
+  $username,
+  $password_sql,
+  $login_sql,
+  $createrole_sql,
+  $createdb_sql,
+  $superuser_sql,
+  $replication_sql,
+  $connection_limit
+
+) {
+  postgresql_psql { "CREATE ROLE ${username} ENCRYPTED PASSWORD ****":
+    db               => $db,
+    port             => $port,
+    psql_user        => $psql_user,
+    psql_group       => $psql_group,
+    psql_path        => $psql_path,
+    connect_settings => $connect_settings,
+    cwd              => $cwd,
+    command          => Sensitive("CREATE ROLE \"${username}\" ${password_sql} ${login_sql} ${createrole_sql} ${createdb_sql} ${superuser_sql} ${replication_sql} CONNECTION LIMIT ${connection_limit}"),
+    unless           => "SELECT 1 FROM pg_roles WHERE rolname = '${username}'",
+    require          => undef,
+    sensitive        => true,
+  }
+}
diff --git a/functions/pwd_hash_sql.pp b/functions/pwd_hash_sql.pp
@@ -0,0 +1,22 @@
+function postgresql::pwd_hash_sql (
+  $password_hash_unsensitive,
+  $password_hash,
+  $update_password,
+  $username,
+  $hash,
+  $salt,
+) {
+  if $password_hash_unsensitive and $update_password {
+    if($password_hash_unsensitive =~ /^(md5|SCRAM-SHA-256).+/) {
+      $pwd_hash_sql = $password_hash_unsensitive
+    } else {
+      $pwd_hash_sql = postgresql::postgresql_password(
+        $username,
+        $password_hash,
+        $password_hash =~ Sensitive[String],
+        $hash,
+        $salt,
+      )
+    }
+  }
+}
diff --git a/functions/update_psql.pp b/functions/update_psql.pp
@@ -0,0 +1,25 @@
+function postgresql::update_psql (
+  $db,
+  $port,
+  $psql_user,
+  $psql_group,
+  $psql_path,
+  $connect_settings,
+  $cwd,
+  $username,
+  $pwd_hash_sql,
+) {
+  postgresql_psql { "ALTER ROLE ${username} ENCRYPTED PASSWORD ****":
+    db               => $db,
+    port             => $port,
+    psql_user        => $psql_user,
+    psql_group       => $psql_group,
+    psql_path        => $psql_path,
+    connect_settings => $connect_settings,
+    cwd              => $cwd,
+    require          => Postgresql_psql["CREATE ROLE ${username} ENCRYPTED PASSWORD ****"],
+    command          => Sensitive("ALTER ROLE \"${username}\" ENCRYPTED PASSWORD '${pwd_hash_sql}'"),
+    unless           => Sensitive("SELECT 1 FROM pg_shadow WHERE usename = '${username}' AND passwd = '${pwd_hash_sql}'"),
+    sensitive        => true,
+  }
+}
diff --git a/manifests/server/role.pp b/manifests/server/role.pp
@@ -74,7 +74,7 @@
     psql_path  => $psql_path,
     connect_settings => $connect_settings,
     cwd        => $module_workdir,
-    require    => Postgresql_psql["CREATE ROLE ${username} ENCRYPTED PASSWORD ****"],
+    # require    => Postgresql_psql["CREATE ROLE ${username} ENCRYPTED PASSWORD ****"],
   }
 
   if $ensure == 'present' {
@@ -84,17 +84,47 @@
     $createdb_sql    = $createdb    ? { true => 'CREATEDB',    default => 'NOCREATEDB' }
     $superuser_sql   = $superuser   ? { true => 'SUPERUSER',   default => 'NOSUPERUSER' }
     $replication_sql = $replication ? { true => 'REPLICATION', default => '' }
-    if ($password_hash_unsensitive != false) {
+
+    if (type($password_hash_unsensitive) =~ Type[Deferred]) {
+      $password_sql = Deferred('new', [String, $password_hash_unsensitive])
+    } elsif ($password_hash_unsensitive != false) {
       $password_sql = "ENCRYPTED PASSWORD '${password_hash_unsensitive}'"
     } else {
       $password_sql = ''
     }
 
-    postgresql_psql { "CREATE ROLE ${username} ENCRYPTED PASSWORD ****":
-      command   => Sensitive("CREATE ROLE \"${username}\" ${password_sql} ${login_sql} ${createrole_sql} ${createdb_sql} ${superuser_sql} ${replication_sql} CONNECTION LIMIT ${connection_limit}"),
-      unless    => "SELECT 1 FROM pg_roles WHERE rolname = '${username}'",
-      require   => undef,
-      sensitive => true,
+    if type($password_sql) =~ Type[Deferred] {
+      Deferred('postgresql::create_role', [$db,
+          $port_override,
+          $psql_user,
+          $psql_group,
+          $psql_path,
+          $connect_settings,
+          $module_workdir,
+          $username,
+          $password_sql,
+          $login_sql,
+          $createrole_sql,
+          $createdb_sql,
+          $superuser_sql,
+          $replication_sql,
+          $connection_limit])
+    } else {
+      postgresql::create_role($db,
+        $port_override,
+        $psql_user,
+        $psql_group,
+        $psql_path,
+        $connect_settings,
+        $module_workdir,
+        $username,
+        $password_sql,
+        $login_sql,
+        $createrole_sql,
+        $createdb_sql,
+        $superuser_sql,
+        $replication_sql,
+        $connection_limit)
     }
 
     postgresql_psql { "ALTER ROLE \"${username}\" ${superuser_sql}":
@@ -133,23 +163,37 @@
       unless => "SELECT 1 FROM pg_roles WHERE rolname = '${username}' AND rolconnlimit = ${connection_limit}",
     }
 
-    if $password_hash_unsensitive and $update_password {
-      if($password_hash_unsensitive =~ /^(md5|SCRAM-SHA-256).+/) {
-        $pwd_hash_sql = $password_hash_unsensitive
-      } else {
-        $pwd_hash_sql = postgresql::postgresql_password(
-          $username,
-          $password_hash,
-          $password_hash =~ Sensitive[String],
-          $hash,
-          $salt,
-        )
-      }
-      postgresql_psql { "ALTER ROLE ${username} ENCRYPTED PASSWORD ****":
-        command   => Sensitive("ALTER ROLE \"${username}\" ENCRYPTED PASSWORD '${pwd_hash_sql}'"),
-        unless    => Sensitive("SELECT 1 FROM pg_shadow WHERE usename = '${username}' AND passwd = '${pwd_hash_sql}'"),
-        sensitive => true,
-      }
+    if type($password_hash_unsensitive) =~ Type[Deferred] {
+      $pwd_hash_sql = Deferred('postgresql::pwd_hash_sql', [$password_hash_unsensitive, $password_hash, $update_password, $username, $hash, $salt])
+    } else {
+      $pwd_hash_sql = postgresql::pwd_hash_sql(
+        $password_hash_unsensitive,
+        $password_hash,
+        $update_password,
+        $username,
+        $hash,
+        $salt)
+    }
+    if (type($pwd_hash_sql) =~ Type[Deferred]) {
+      Deferred('postgresql::update_psql', [$db,
+        $port_override,
+        $psql_user,
+        $psql_group,
+        $psql_path,
+        $connect_settings,
+        $module_workdir,
+        $username,
+        $pwd_hash_sql])
+    } elsif $pwd_hash_sql {
+      postgresql::update_psql($db,
+        $port_override,
+        $psql_user,
+        $psql_group,
+        $psql_path,
+        $connect_settings,
+        $module_workdir,
+        $username,
+        $pwd_hash_sql)
     }
   } else {
     # ensure == absent
