From 6db5691127ef633e78f7dece939d250e0b91d25d Mon Sep 17 00:00:00 2001
From: Simon Hoenscheid
Date: Mon, 28 Aug 2023 23:16:35 +0200
Subject: [PATCH 1/2] flexible value for auth_method in pg_hba.conf if passwords are used
---
 REFERENCE.md | 24 +++++++++++++++++++--
 manifests/params.pp | 2 +-
 manifests/server.pp | 7 ++++--
 manifests/server/instance/config.pp | 14 ++++++++----
 spec/acceptance/overridden_settings_spec.rb | 2 +-
 5 files changed, 39 insertions(+), 10 deletions(-)
diff --git a/REFERENCE.md b/REFERENCE.md
index f96f38e548..f4e078778b 100644
--- a/REFERENCE.md
+++ b/REFERENCE.md
@@ -874,6 +874,7 @@ The following parameters are available in the `postgresql::server` class:
 * [`manage_logdir`](#-postgresql--server--manage_logdir)
 * [`manage_xlogdir`](#-postgresql--server--manage_xlogdir)
 * [`password_encryption`](#-postgresql--server--password_encryption)
+* [`pg_hba_auth_password_encryption`](#-postgresql--server--pg_hba_auth_password_encryption)
 * [`roles`](#-postgresql--server--roles)
 * [`config_entries`](#-postgresql--server--config_entries)
 * [`pg_hba_rules`](#-postgresql--server--pg_hba_rules)
@@ -1300,12 +1301,21 @@ Default value: `$postgresql::params::manage_xlogdir`
 
 ##### `password_encryption`
 
-Data type: `Optional[Postgresql::Pg_password_encryption]`
+Data type: `Postgresql::Pg_password_encryption`
 
 Specify the type of encryption set for the password.
 
 Default value: `$postgresql::params::password_encryption`
 
+##### `pg_hba_auth_password_encryption`
+
+Data type: `Optional[Postgresql::Pg_password_encryption]`
+
+Specify the type of encryption set for the password in pg_hba_conf, this value is usefull if you want to start enforcing scram-sha-256, but give users transition time.
+
+Default value: `undef`
+
 ##### `roles`
 
 Data type: `Hash[String, Hash]`
@@ -2417,6 +2427,7 @@ The following parameters are available in the `postgresql::server::instance::con
 * [`log_line_prefix`](#-postgresql--server--instance--config--log_line_prefix)
 * [`timezone`](#-postgresql--server--instance--config--timezone)
 * [`password_encryption`](#-postgresql--server--instance--config--password_encryption)
+* [`pg_hba_auth_password_encryption`](#-postgresql--server--instance--config--pg_hba_auth_password_encryption)
 * [`extra_systemd_config`](#-postgresql--server--instance--config--extra_systemd_config)
 
 ##### `ip_mask_deny_postgres_user`
@@ -2633,12 +2644,21 @@ Default value: `$postgresql::server::timezone`
 
 ##### `password_encryption`
 
-Data type: `Optional[Postgresql::Pg_password_encryption]`
+Data type: `Postgresql::Pg_password_encryption`
 
 Specify the type of encryption set for the password.
 
 Default value: `$postgresql::server::password_encryption`
 
+##### `pg_hba_auth_password_encryption`
+
+Data type: `Optional[Postgresql::Pg_password_encryption]`
+
+Specify the type of encryption set for the password in pg_hba_conf, this value is usefull if you want to start enforcing scram-sha-256, but give users transition time.
+
+Default value: `$postgresql::server::pg_hba_auth_password_encryption`
+
 ##### `extra_systemd_config`
 
 Data type: `Optional[String]`
diff --git a/manifests/params.pp b/manifests/params.pp
index a6d3d6f370..3a64384fe9 100644
--- a/manifests/params.pp
+++ b/manifests/params.pp
@@ -25,7 +25,7 @@
   $manage_selinux = pick($manage_selinux, false)
   $package_ensure = 'present'
   $module_workdir = pick($module_workdir,'/tmp')
-  $password_encryption = if versioncmp($version, '14') >= 0 { 'scram-sha-256' } else { undef }
+  $password_encryption = versioncmp($version, '14') ? { -1 => 'md5', default => 'scram-sha-256' }
   $extra_systemd_config = undef
   $manage_datadir = true
   $manage_logdir = true
diff --git a/manifests/server.pp b/manifests/server.pp
index fcd31bfce7..89d45fb7d5 100644
--- a/manifests/server.pp
+++ b/manifests/server.pp
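Review bot: The new selector in the params.pp hunk makes `md5` the explicit `password_encryption` default below version 14, and the same value is now reused as the pg_hba.conf `auth_method` fallback by `postgresql::server::instance::config`, so this constant has to stay a valid pg_hba auth method name as well as a valid `password_encryption` setting; nothing at the assignment says so. A comment such as `# Also used as the pg_hba.conf auth_method fallback in server::instance::config; keep this a valid auth method name` would protect the dual use from a later edit. It would also help to state why md5 is kept for 10–13 even though those releases already support scram-sha-256 (presumably compatibility with existing MD5-hashed roles). The enclosing `postgresql::params` class body continues outside the hunk.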
@@ -96,7 +96,9 @@
 # @param manage_logdir Set to false if you have file{ $logdir: } already defined
 # @param manage_xlogdir Set to false if you have file{ $xlogdir: } already defined
 # @param password_encryption Specify the type of encryption set for the password.
-#
+# @param pg_hba_auth_password_encryption
+# Specify the type of encryption set for the password in pg_hba_conf,
+# this value is usefull if you want to start enforcing scram-sha-256, but give users transition time.
 # @param roles Specifies a hash from which to generate postgresql::server::role resources.
 # @param config_entries Specifies a hash from which to generate postgresql::server::config_entry resources.
 # @param pg_hba_rules Specifies a hash from which to generate postgresql::server::pg_hba_rule resources.
@@ -178,7 +180,8 @@
   Boolean $manage_datadir = $postgresql::params::manage_datadir,
   Boolean $manage_logdir = $postgresql::params::manage_logdir,
   Boolean $manage_xlogdir = $postgresql::params::manage_xlogdir,
-  Optional[Postgresql::Pg_password_encryption] $password_encryption = $postgresql::params::password_encryption,
+  Postgresql::Pg_password_encryption $password_encryption = $postgresql::params::password_encryption,
+  Optional[Postgresql::Pg_password_encryption] $pg_hba_auth_password_encryption = undef,
   Optional[String] $extra_systemd_config = $postgresql::params::extra_systemd_config,
   Hash[String, Hash] $roles = {},
diff --git a/manifests/server/instance/config.pp b/manifests/server/instance/config.pp
index 4b049a8a00..c35928163a 100644
--- a/manifests/server/instance/config.pp
+++ b/manifests/server/instance/config.pp
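Review bot: The added `@param pg_hba_auth_password_encryption` doc in the first hunk never says what happens when the parameter is left at its default of `undef`, which is the only behaviour a caller of this class actually needs to know; the companion change in `manifests/server/instance/config.pp` falls back to `$password_encryption` via `pick()`. `usefull` is also misspelled here, in the same doc block in `manifests/server/instance/config.pp`, and in the REFERENCE.md entries. I would end the comment with `# Defaults to the value of password_encryption when unset.` The parameter list in the second hunk belongs to the `postgresql::server` class, whose body continues outside the hunk.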
@@ -42,6 +42,9 @@
 # @param log_line_prefix PostgreSQL log line prefix
 # @param timezone Set timezone for the PostgreSQL instance
 # @param password_encryption Specify the type of encryption set for the password.
+# @param pg_hba_auth_password_encryption
+# Specify the type of encryption set for the password in pg_hba_conf,
+# this value is usefull if you want to start enforcing scram-sha-256, but give users transition time.
 # @param extra_systemd_config
 # Adds extra config to systemd config file, can for instance be used to add extra openfiles. This can be a multi line string
 define postgresql::server::instance::config (
@@ -70,9 +73,12 @@
   Boolean $service_enable = $postgresql::server::service_enable,
   Optional[String[1]] $log_line_prefix = $postgresql::server::log_line_prefix,
   Optional[String[1]] $timezone = $postgresql::server::timezone,
-  Optional[Postgresql::Pg_password_encryption] $password_encryption = $postgresql::server::password_encryption,
+  Postgresql::Pg_password_encryption $password_encryption = $postgresql::server::password_encryption,
+  Optional[Postgresql::Pg_password_encryption] $pg_hba_auth_password_encryption = $postgresql::server::pg_hba_auth_password_encryption,
   Optional[String] $extra_systemd_config = $postgresql::server::extra_systemd_config,
 ) {
+  $_pg_hba_auth_password_encryption = pick($pg_hba_auth_password_encryption,$password_encryption)
+
   if ($manage_pg_hba_conf == true) {
     # Prepare the main pg_hba file
     concat { $pg_hba_conf_path:
@@ -105,7 +111,7 @@
       type => 'host',
       user => $user,
       address => '127.0.0.1/32',
-      auth_method => 'md5',
+      auth_method => $_pg_hba_auth_password_encryption,
       order => 3;
     "deny access to postgresql user for instance ${name}":
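Review bot: `$_pg_hba_auth_password_encryption = pick($pg_hba_auth_password_encryption,$password_encryption)` in the second hunk ties the pg_hba.conf `auth_method` of the managed host rules to the server's `password_encryption` whenever the new parameter is unset, and the operational caveat that motivates the parameter is not written down next to it: with `auth_method` set to `scram-sha-256`, roles whose stored password hash is still MD5 can no longer log in, whereas `md5` in pg_hba.conf accepts both hash formats. Flipping `password_encryption` on an existing cluster therefore also flips pg_hba.conf and locks out every role whose password has not been re-set since, unless `pg_hba_auth_password_encryption => 'md5'` is passed for the transition. A comment above the assignment would make that visible, e.g. `# Falls back to password_encryption; pass pg_hba_auth_password_encryption => 'md5' while existing MD5 password hashes are being migrated`, and the missing space after the comma in the `pick()` call is a style nit. The same `auth_method` replacement is made twice more in the @@ -118 hunk below; the `if ($manage_pg_hba_conf == true)` block and the rule list continue outside this hunk.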
@@ -118,13 +124,13 @@
     "allow access to all users for instance ${name}":
       type => 'host',
       address => $ip_mask_allow_all_users,
-      auth_method => 'md5',
+      auth_method => $_pg_hba_auth_password_encryption,
       order => 100;
     "allow access to ipv6 localhost for instance ${name}":
       type => 'host',
       address => '::1/128',
-      auth_method => 'md5',
+      auth_method => $_pg_hba_auth_password_encryption,
       order => 101;
     }
   }
diff --git a/spec/acceptance/overridden_settings_spec.rb b/spec/acceptance/overridden_settings_spec.rb
index 74695a49e2..225f5c7a78 100644
--- a/spec/acceptance/overridden_settings_spec.rb
+++ b/spec/acceptance/overridden_settings_spec.rb
@@ -26,7 +26,7 @@ class { 'postgresql::server':
         type => 'host',
         database => 'mydb',
         user => 'myuser',
-        auth_method => 'md5',
+        auth_method => postgresql::default('password_encryption'),
         address => '192.0.2.100/32',
       },
     },
From 3e04518d530ea2dac475ae47536f6bae5a831109 Mon Sep 17 00:00:00 2001
From: cruelsmith <92088441+cruelsmith@users.noreply.github.com>
Date: Thu, 7 Sep 2023 01:11:27 +0200
Subject: [PATCH 2/2] Fix default password_encryption in postgresql_password based on params
---
 REFERENCE.md | 2 ++
 lib/puppet/functions/postgresql/postgresql_password.rb | 5 ++++-
 spec/functions/postgresql_password_spec.rb | 2 ++
 spec/functions/postgresql_postgresql_password_spec.rb | 2 ++
 4 files changed, 10 insertions(+), 1 deletion(-)
diff --git a/REFERENCE.md b/REFERENCE.md
index f4e078778b..a0e6a924df 100644
--- a/REFERENCE.md
+++ b/REFERENCE.md
@@ -4429,6 +4429,8 @@ Data type: `Optional[Optional[Postgresql::Pg_password_encryption]]`
 
 Set type for password hash
 
+Default value comes from `postgresql::params::password_encryption` and changes based on the `postgresql::globals::version`.
+
 ##### `salt`
 
 Data type: `Optional[Optional[Variant[String[1], Integer]]]`
diff --git a/lib/puppet/functions/postgresql/postgresql_password.rb b/lib/puppet/functions/postgresql/postgresql_password.rb
index 68be8b7374..ef899254da 100644
--- a/lib/puppet/functions/postgresql/postgresql_password.rb
+++ b/lib/puppet/functions/postgresql/postgresql_password.rb
@@ -13,6 +13,8 @@
   # If the Postgresql-Passwordhash should be of Datatype Sensitive[String]
   # @param hash
   # Set type for password hash
+  #
+  # Default value comes from `postgresql::params::password_encryption` and changes based on the `postgresql::globals::version`.
   # @param salt
   # Use a specific salt value for scram-sha-256, default is username
   #
@@ -27,7 +29,8 @@
     return_type 'Variant[String, Sensitive[String]]'
   end
 
-  def default_impl(username, password, sensitive = false, hash = 'md5', salt = nil)
+  def default_impl(username, password, sensitive = false, hash = nil, salt = nil)
+    hash = call_function(:'postgresql::default', 'password_encryption') if hash.nil?
     password = password.unwrap if password.respond_to?(:unwrap)
     if password.is_a?(String) && password.match?(%r{^(md5[0-9a-f]{32}$|SCRAM-SHA-256\$)})
       return Puppet::Pops::Types::PSensitiveType::Sensitive.new(password) if sensitive
diff --git a/spec/functions/postgresql_password_spec.rb b/spec/functions/postgresql_password_spec.rb
index 0cd765d6b8..1c75c9b6f8 100644
--- a/spec/functions/postgresql_password_spec.rb
+++ b/spec/functions/postgresql_password_spec.rb
@@ -3,5 +3,7 @@
 require 'spec_helper'
 
 describe 'postgresql_password' do
+  include_examples 'Ubuntu 18.04'
+
   it_behaves_like 'postgresql_password function'
 end
diff --git a/spec/functions/postgresql_postgresql_password_spec.rb b/spec/functions/postgresql_postgresql_password_spec.rb
index d70feaf15b..d66e5afea9 100644
--- a/spec/functions/postgresql_postgresql_password_spec.rb
+++ b/spec/functions/postgresql_postgresql_password_spec.rb
@@ -3,5 +3,7 @@
 require 'spec_helper'
 
 describe 'postgresql::postgresql_password' do
+  include_examples 'Ubuntu 18.04'
+
   it_behaves_like 'postgresql_password function'
 end
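Review bot: `hash = call_function(:'postgresql::default', 'password_encryption') if hash.nil?` in the second hunk turns a function that previously needed no catalog context into one that depends on `postgresql::default` and, per the added doc line, on `postgresql::params` and `postgresql::globals::version`; a caller that cannot evaluate those classes now fails at compile time, and one that relied on the implicit `md5` now gets a hash format that varies with the node's configured server version. The `include_examples 'Ubuntu 18.04'` added to both spec files is the visible symptom of that new dependency, so the doc comment should state the escape hatch, e.g. `# Pass hash explicitly to skip the lookup and keep the result independent of the configured server version.` As a style point, `hash ||= call_function(:'postgresql::default', 'password_encryption')` is the idiomatic default-fill here, since the dispatch type presumably admits only nil or a string and never false. The rest of `default_impl` continues outside the hunk.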