Merge pull request #1406 from cruelsmith/defaulting_password_encryption_for_version_above_14

Defaulting password encryption for version above 14

Author: bastelfreak

REFERENCE.md

@@ -22,19 +22,25 @@
     required_param 'Variant[String[1], Integer]', :username
     required_param 'Variant[String[1], Sensitive[String[1]], Integer]', :password
     optional_param 'Boolean', :sensitive
-    optional_param "Optional[Enum['md5', 'scram-sha-256']]", :hash
+    optional_param 'Optional[Postgresql::Pg_password_encryption]', :hash
     optional_param 'Optional[Variant[String[1], Integer]]', :salt
     return_type 'Variant[String, Sensitive[String]]'
   end
 
   def default_impl(username, password, sensitive = false, hash = 'md5', salt = nil)
-    return password if password.is_a?(String) && password.match?(%r{^(md5|SCRAM-SHA-256).+})
-
     password = password.unwrap if password.respond_to?(:unwrap)
-    pass = if hash == 'md5'
+    if password.is_a?(String) && password.match?(%r{^(md5[0-9a-f]{32}$|SCRAM-SHA-256\$)})
+      return Puppet::Pops::Types::PSensitiveType::Sensitive.new(password) if sensitive
+
+      return password
+    end
+    pass = case hash
+           when 'md5', nil # ensure default value when definded with nil
              "md5#{Digest::MD5.hexdigest(password.to_s + username.to_s)}"
-           else
+           when 'scram-sha-256'
              pg_sha256(password, (salt || username))
+           else
+             raise(Puppet::ParseError, "postgresql::postgresql_password(): got unkown hash type '#{hash}'")
            end
     if sensitive
       Puppet::Pops::Types::PSensitiveType::Sensitive.new(pass)

lib/puppet/functions/postgresql/postgresql_password.rb

@@ -26,7 +26,8 @@
 # @param manage_user
 #   Manage creation of the backup user.
 # @param optional_args
-#   Specifies an array of optional arguments which should be passed through to the backup tool. These options are not validated, unsupported options may break the backup.
+#   Specifies an array of optional arguments which should be passed through to the backup tool. These options are not validated,
+#   unsupported options may break the backup.
 # @param post_script
 #   One or more scripts that are executed when the backup is finished. This could be used to sync the backup to a central store.
 # @param pre_script
@@ -39,7 +40,6 @@
 #   An array of two elements to set the backup time. Allows `['23', '5']` (i.e., 23:05) or `['3', '45']` (i.e., 03:45) for HH:MM times.
 # @param weekday
 #   Weekdays on which the backup job should run. Defaults to `*`. This parameter is passed directly to the cron resource.
-#
 class postgresql::backup::pg_dump (
   String[1]                                    $dir,
   Variant[Enum['present', 'absent', 'purged', 'disabled', 'installed', 'latest'], String[1]] $ensure = 'present',
@@ -83,7 +83,7 @@
     # Create user with superuser privileges
     postgresql::server::role { $db_user:
       ensure        => $ensure,
-      password_hash => postgresql::postgresql_password($db_user, $db_password),
+      password_hash => postgresql::postgresql_password($db_user, $db_password, true, pick($postgresql::server::password_encryption, 'md5')),
       superuser     => true,
     }
 
@@ -92,7 +92,7 @@
       type        => 'local',
       database    => 'all',
       user        => $db_user,
-      auth_method => 'md5',
+      auth_method => pick($postgresql::server::password_encryption, 'md5'),
       order       => 1,
     }
   }

manifests/backup/pg_dump.pp

@@ -2,7 +2,8 @@
 #
 # @note
 #   Most server-specific defaults should be overridden in the postgresql::server class.
-#   This class should be used only if you are using a non-standard OS, or if you are changing elements that can only be changed here, such as version or manage_package_repo.
+#   This class should be used only if you are using a non-standard OS, or if you are changing elements that can only be changed here, such
+#   as version or manage_package_repo.
 #
 #
 # @param client_package_name  Overrides the default PostgreSQL client package name.
@@ -40,8 +41,10 @@
 #    Overrides the default PostgreSQL data directory for the target platform.
 #    Changing the datadir after installation causes the server to come to a full stop before making the change.
 #    For Red Hat systems, the data directory must be labeled appropriately for SELinux.
-#    On Ubuntu, you must explicitly set needs_initdb = true to allow Puppet to initialize the database in the new datadir (needs_initdb defaults to true on other systems).
-#    Warning! If datadir is changed from the default, Puppet does not manage purging of the original data directory, which causes it to fail if the data directory is changed back to the original
+#    On Ubuntu, you must explicitly set needs_initdb = true to allow Puppet to initialize the database in the new datadir (needs_initdb
+#    defaults to true on other systems).
+#    Warning! If datadir is changed from the default, Puppet does not manage purging of the original data directory, which causes it to fail
+#    if the data directory is changed back to the original
 #
 # @param confdir Overrides the default PostgreSQL configuration directory for the target platform.
 # @param bindir Overrides the default PostgreSQL binaries directory for the target platform.
@@ -59,20 +62,24 @@
 # @param repo_baseurl Sets the baseurl for the PostgreSQL repository. Useful if you host your own mirror of the repository.
 # @param yum_repo_commonurl Sets the url for the PostgreSQL common Yum repository. Useful if you host your own mirror of the YUM repository.
 #
-# @param needs_initdb Explicitly calls the initdb operation after the server package is installed and before the PostgreSQL service is started.
+# @param needs_initdb
+#   Explicitly calls the initdb operation after the server package is installed and before the PostgreSQL service is started.
 #
 # @param encoding
 #   Sets the default encoding for all databases created with this module.
-#   On certain operating systems, this is also used during the template1 initialization, so it becomes a default outside of the module as well.
+#   On certain operating systems, this is also used during the template1 initialization,
+#   so it becomes a default outside of the module as well.
 # @param locale
 #   Sets the default database locale for all databases created with this module.
-#   On certain operating systems, this is also used during the template1 initialization, so it becomes a default outside of the module as well.
+#   On certain operating systems, this is also used during the template1 initialization,
+#   so it becomes a default outside of the module as well.
 #   On Debian, you'll need to ensure that the 'locales-all' package is installed for full functionality of PostgreSQL.
 # @param data_checksums
 #   Use checksums on data pages to help detect corruption by the I/O system that would otherwise be silent.
 #   Warning: This option is used during initialization by initdb, and cannot be changed later.
 #
-# @param timezone Sets the default timezone of the postgresql server. The postgresql built-in default is taking the systems timezone information.
+# @param timezone
+#   Sets the default timezone of the postgresql server. The postgresql built-in default is taking the systems timezone information.
 #
 # @param manage_pg_hba_conf Allow Puppet to manage the pg_hba.conf file.
 # @param manage_pg_ident_conf Allow Puppet to manage the pg_ident.conf file.
@@ -92,8 +99,9 @@
 #   Manage the DNF module. This only makes sense on distributions that use DNF
 #   package manager, such as EL8 or Fedora. It also requires Puppet 5.5.20+ or
 #   Puppet 6.15.0+ since they ship the dnfmodule provider.
-# @param module_workdir Specifies working directory under which the psql command should be executed. May need to specify if '/tmp' is on volume mounted with noexec option.
-#
+# @param module_workdir
+#   Specifies working directory under which the psql command should be executed.
+#   May need to specify if '/tmp' is on volume mounted with noexec option.
 #
 class postgresql::globals (
   Optional[String[1]] $client_package_name         = undef,

manifests/globals.pp

@@ -1,11 +1,12 @@
-# @summary This class installs postgresql development libraries. 
+# @summary This class installs postgresql development libraries.
 #
 # @param package_name
 #   Override devel package name
 # @param package_ensure
 #   Ensure the development libraries are installed
 # @param link_pg_config
-#   If the bin directory used by the PostgreSQL page is not /usr/bin or /usr/local/bin, symlinks pg_config from the package's bin dir into usr/bin (not applicable to Debian systems). Set to false to disable this behavior.
+#   If the bin directory used by the PostgreSQL page is not /usr/bin or /usr/local/bin, symlinks pg_config from the package's bin dir
+#   into usr/bin (not applicable to Debian systems). Set to false to disable this behavior.
 #
 #
 class postgresql::lib::devel (

manifests/lib/devel.pp

@@ -1,4 +1,5 @@
-# @summary Installs PostgreSQL bindings for Postgres-Docs. Set the following parameters if you have a custom version you would like to install.
+# @summary
+#   Installs PostgreSQL bindings for Postgres-Docs. Set the following parameters if you have a custom version you would like to install.
 #
 # @note
 #   Make sure to add any necessary yum or apt repositories if specifying a custom version.
@@ -7,7 +8,7 @@
 #   Specifies the name of the PostgreSQL docs package.
 # @param package_ensure
 #   Whether the PostgreSQL docs package resource should be present.
-# 
+#
 #
 class postgresql::lib::docs (
   String $package_name = $postgresql::params::docs_package_name,

manifests/lib/docs.pp

@@ -25,7 +25,7 @@
   $manage_selinux               = pick($manage_selinux, false)
   $package_ensure               = 'present'
   $module_workdir               = pick($module_workdir,'/tmp')
-  $password_encryption          = undef
+  $password_encryption          = if versioncmp($version, '14') >= 0 { 'scram-sha-256' } else { undef }
   $extra_systemd_config         = undef
   $manage_datadir               = true
   $manage_logdir                = true
@@ -298,7 +298,7 @@
       # Since we can't determine defaults on our own, we rely on users setting
       # parameters with the postgresql::globals class. Here we are checking
       # that the mandatory minimum is set for the module to operate.
-      $err_prefix = "Module ${module_name} does not provide defaults for osfamily: ${facts['os']['family']} operatingsystem: ${facts['os']['name']}; please specify a value for ${module_name}::globals::"
+      $err_prefix = "Module ${module_name} does not provide defaults for osfamily: ${facts['os']['family']} operatingsystem: ${facts['os']['name']}; please specify a value for ${module_name}::globals::" # lint:ignore:140chars
       if ($needs_initdb == undef) { fail("${err_prefix}needs_initdb") }
       if ($service_name == undef) { fail("${err_prefix}service_name") }
       if ($client_package_name == undef) { fail("${err_prefix}client_package_name") }

manifests/params.pp

@@ -18,7 +18,7 @@
     }
 
     default: {
-      fail("Unsupported managed repository for osfamily: ${facts['os']['family']}, operatingsystem: ${facts['os']['name']}, module ${module_name} currently only supports managing repos for osfamily RedHat and Debian")
+      fail("Unsupported managed repository for osfamily: ${facts['os']['family']}, operatingsystem: ${facts['os']['name']}, module ${module_name} currently only supports managing repos for osfamily RedHat and Debian") # lint:ignore:140chars
     }
   }
 }