(FM-8971) WIP-allow deferred function for pwd

Author: tvpartytonight

lib/puppet/functions/postgresql/postgresql_password.rb

@@ -28,6 +28,9 @@
   end
 
   def default_impl(username, password, sensitive = false, hash = 'md5', salt = nil)
+    if password.is_a?(String) && password.match?(%r{^(md5|SCRAM-SHA-256).+})
+      return password
+    end
     password = password.unwrap if password.respond_to?(:unwrap)
     pass = if hash == 'md5'
              'md5' + Digest::MD5.hexdigest(password.to_s + username.to_s)

lib/puppet/functions/postgresql/prepend_sql_password.rb

@@ -0,0 +1,9 @@
+Puppet::Functions.create_function(:'postgresql::prepend_sql_password') do
+  dispatch :default_impl do
+    required_param 'String', :password
+    return_type 'String'
+  end
+  def default_impl(password)
+    "ENCRYPTED PASSWORD #{password}"
+  end
+end

manifests/server/role.pp

@@ -84,14 +84,25 @@
     $createdb_sql    = $createdb    ? { true => 'CREATEDB',    default => 'NOCREATEDB' }
     $superuser_sql   = $superuser   ? { true => 'SUPERUSER',   default => 'NOSUPERUSER' }
     $replication_sql = $replication ? { true => 'REPLICATION', default => '' }
-    if ($password_hash_unsensitive != false) {
-      $password_sql = "ENCRYPTED PASSWORD '${password_hash_unsensitive}'"
+
+    if (type($password_hash_unsensitive) =~ Type[Deferred]) {
+      $password_sql = Deferred('postgresql::prepend_sql_password', [$password_hash_unsensitive])
+    } elsif ($password_hash_unsensitive != false) {
+      $password_sql = postgresql::prepend_sql_password($password_hash_unsensitive)
     } else {
       $password_sql = ''
     }
 
+    if type($password_sql) =~ Type[Deferred] {
+      $command = Deferred('sprintf', ["CREATE ROLE \"%s\" %s %s %s %s %s %s CONNECTION LIMIT %s",
+                                      $username, $password_sql, $login_sql, $createrole_sql, $createdb_sql,
+                                      $superuser_sql, $replication_sql, $connection_limit])
+    } else {
+      $command = "CREATE ROLE \"${username}\" ${password_sql} ${login_sql} ${createrole_sql} ${createdb_sql} ${superuser_sql} ${replication_sql} CONNECTION LIMIT ${connection_limit}"
+    }
+
     postgresql_psql { "CREATE ROLE ${username} ENCRYPTED PASSWORD ****":
-      command   => Sensitive("CREATE ROLE \"${username}\" ${password_sql} ${login_sql} ${createrole_sql} ${createdb_sql} ${superuser_sql} ${replication_sql} CONNECTION LIMIT ${connection_limit}"),
+      command   => Sensitive($command),
       unless    => "SELECT 1 FROM pg_roles WHERE rolname = '${username}'",
       require   => undef,
       sensitive => true,
@@ -134,9 +145,14 @@
     }
 
     if $password_hash_unsensitive and $update_password {
-      if($password_hash_unsensitive =~ /^(md5|SCRAM-SHA-256).+/) {
-        $pwd_hash_sql = $password_hash_unsensitive
-      } else {
+      if type($password_hash_unsensitive) =~ Type[Deferred] {
+        $pwd_hash_sql = Deferred('postgresql::postgresql_password',[$username,
+                                                                    $password_hash,
+                                                                    $password_hash =~ Sensitive[String],
+                                                                    $hash,
+                                                                    $salt])
+      }
+      else {
         $pwd_hash_sql = postgresql::postgresql_password(
           $username,
           $password_hash,
@@ -145,9 +161,18 @@
           $salt,
         )
       }
+      if type($pwd_hash_sql) =~ Type[Deferred] {
+        $pw_command = Deferred('sprintf', ["ALTER ROLE \"%s\" ENCRYPTED PASSWORD '%s'", $username, $pwd_hash_sql])
+        $unless_pw_command = Deferred('sprintf', ["SELECT 1 FROM pg_shadow WHERE usename = '%s' AND passwd = '%s'",
+                                                  $username,
+                                                  $pwd_hash_sql])
+      } else {
+        $pw_command = "ALTER ROLE \"${username}\" ENCRYPTED PASSWORD '${pwd_hash_sql}'"
+        $unless_pw_command = "SELECT 1 FROM pg_shadow WHERE usename = '${username}' AND passwd = '${pwd_hash_sql}'"
+      }
       postgresql_psql { "ALTER ROLE ${username} ENCRYPTED PASSWORD ****":
-        command   => Sensitive("ALTER ROLE \"${username}\" ENCRYPTED PASSWORD '${pwd_hash_sql}'"),
-        unless    => Sensitive("SELECT 1 FROM pg_shadow WHERE usename = '${username}' AND passwd = '${pwd_hash_sql}'"),
+        command   => Sensitive($pw_command),
+        unless    => Sensitive($unless_pw_command),
         sensitive => true,
       }
     }