From 4cefa9e064d25a96b6aef2b175a82cf2ca1f497b Mon Sep 17 00:00:00 2001
From: Ben Morrice
Date: Fri, 30 Aug 2024 11:31:48 +0200
Subject: [PATCH 1/4] define Enum on supported encryption types for postgresql_password function
---
 lib/puppet/functions/postgresql/postgresql_password.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/puppet/functions/postgresql/postgresql_password.rb b/lib/puppet/functions/postgresql/postgresql_password.rb
index a444d5cd01..b03f9279ad 100644
--- a/lib/puppet/functions/postgresql/postgresql_password.rb
+++ b/lib/puppet/functions/postgresql/postgresql_password.rb
@@ -24,7 +24,7 @@
 required_param 'Variant[String[1], Integer]', :username
 required_param 'Variant[String[1], Sensitive[String[1]], Integer]', :password
 optional_param 'Boolean', :sensitive
- optional_param 'Optional[Postgresql::Pg_password_encryption]', :hash
+ optional_param 'Optional[Enum["md5", "scram-sha-256"]]', :hash
 optional_param 'Optional[Variant[String[1], Integer]]', :salt
 return_type 'Variant[String, Sensitive[String]]'
 end
From 167412d339346eb0a173fb15359c17fb83ac6afb Mon Sep 17 00:00:00 2001
From: Ben Morrice
Date: Thu, 24 Oct 2024 10:23:05 +0200
Subject: [PATCH 2/4] Add a comment referencing where this Enum is defined
---
 lib/puppet/functions/postgresql/postgresql_password.rb | 2 ++
 types/pg_password_encryption.pp | 2 ++
 2 files changed, 4 insertions(+)
diff --git a/lib/puppet/functions/postgresql/postgresql_password.rb b/lib/puppet/functions/postgresql/postgresql_password.rb
index b03f9279ad..681ea1af4e 100644
--- a/lib/puppet/functions/postgresql/postgresql_password.rb
+++ b/lib/puppet/functions/postgresql/postgresql_password.rb
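Review bot: The inline `Enum["md5", "scram-sha-256"]` on the `:hash` parameter is now a second copy of `Postgresql::Pg_password_encryption`, and nothing in the visible lines keeps the two lists identical, so a value added to the alias later would still be rejected by this function. The comment hunks that follow in this series (in `postgresql_password.rb` and `types/pg_password_encryption.pp`) only point the two files at each other; they do not say why the alias cannot be used here or that the lists must match. I would word the comment as `# Keep in sync with Postgresql::Pg_password_encryption (types/pg_password_encryption.pp); the alias is not used here because <reason>`, where the reason is presumably that the function has to resolve when called as a Deferred on the agent (worth confirming and stating). A unit spec that checks the accepted values against the alias would catch drift. The enclosing block opens above the hunk.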
@@ -24,6 +24,8 @@
 required_param 'Variant[String[1], Integer]', :username
 required_param 'Variant[String[1], Sensitive[String[1]], Integer]', :password
 optional_param 'Boolean', :sensitive
+ # Note that this Enum is also defined in:
+ # types/pg_password_encryption.pp
 optional_param 'Optional[Enum["md5", "scram-sha-256"]]', :hash
 optional_param 'Optional[Variant[String[1], Integer]]', :salt
 return_type 'Variant[String, Sensitive[String]]'
diff --git a/types/pg_password_encryption.pp b/types/pg_password_encryption.pp
index b2b5be66e5..7512174a89 100644
--- a/types/pg_password_encryption.pp
+++ b/types/pg_password_encryption.pp
@@ -1,2 +1,4 @@
 # @summary the supported password_encryption
+# Note that this Enum is also defined in:
+# lib/puppet/functions/postgresql/postgresql_password.rb
 type Postgresql::Pg_password_encryption = Enum['md5', 'scram-sha-256']
From 63eebc354c0ee94c52ac13f21a0a922b1ad6339f Mon Sep 17 00:00:00 2001
From: Ben Morrice
Date: Tue, 29 Oct 2024 15:49:28 +0100
Subject: [PATCH 3/4] Add a test for postgresql::server::db when using a Deferred password
---
 spec/acceptance/db_deferred_spec.rb | 46 +++++++++++++++++++++++++++++
 1 file changed, 46 insertions(+)
 create mode 100644 spec/acceptance/db_deferred_spec.rb
diff --git a/spec/acceptance/db_deferred_spec.rb b/spec/acceptance/db_deferred_spec.rb
new file mode 100644
index 0000000000..6b63d5b879
--- /dev/null
+++ b/spec/acceptance/db_deferred_spec.rb
@@ -0,0 +1,46 @@
+# frozen_string_literal: true
+
+require 'spec_helper_acceptance'
+
+describe 'postgresql::server::db' do
+ before(:all) do
+ LitmusHelper.instance.run_shell("cd /tmp; su 'postgres' -c 'pg_ctl stop -D /var/lib/pgsql/data/ -m fast'", acceptable_exit_codes: [0, 1]) unless os[:family].match?(%r{debian|ubuntu})
+ end
+
+ it 'creates a database with a deferred password' do
+ tmpdir = run_shell('mktemp').stdout
+ pp = <<-MANIFEST
+ class { 'postgresql::server':
+ postgres_password => 'space password',
+ }
+ postgresql::server::tablespace { 'postgresql-test-db':
+ location => '#{tmpdir}',
+ } ->
+ postgresql::server::db { 'postgresql-test-db':
+ comment => 'testcomment',
+ user => 'test-user',
+ password => Deferred('unwrap', ['test1'])
+ tablespace => 'postgresql-test-db',
+ }
+ MANIFEST
+
+ idempotent_apply(pp)
+
+ # Verify that the postgres password works
+ run_shell("echo 'localhost:*:*:postgres:'space password'' > /root/.pgpass")
+ run_shell('chmod 600 /root/.pgpass')
+ run_shell("psql -U postgres -h localhost --command='\\l'")
+
+ result = psql('--command="select datname from pg_database" "postgresql-test-db"')
+ expect(result.stdout).to match(%r{postgresql-test-db})
+ expect(result.stderr).to eq('')
+
+ result = psql('--command="SELECT 1 FROM pg_roles WHERE rolname=\'test-user\'"')
+ expect(result.stdout).to match(%r{\(1 row\)})
+
+ result = psql("--dbname postgresql-test-db --command=\"SELECT pg_catalog.shobj_description(d.oid, 'pg_database') FROM pg_catalog.pg_database d WHERE datname = 'postgresql-test-db' AND pg_catalog.shobj_description(d.oid, 'pg_database') = 'testcomment'\"") # rubocop:disable Layout/LineLength
+ expect(result.stdout).to match(%r{\(1 row\)})
+ ensure
+ psql('--command=\'drop database "postgresql-test-db"\'')
+ end
+end
From f4cc38a7c91939919a077da5d6e76a36e63f397d Mon Sep 17 00:00:00 2001
From: Ben Morrice
Date: Wed, 30 Oct 2024 09:25:02 +0100
Subject: [PATCH 4/4] Simplify Deferred postgresql::server::db Deferred test
---
 spec/acceptance/db_deferred_spec.rb | 61 ++++++++++++-----------------
 1 file changed, 24 insertions(+), 37 deletions(-)
diff --git a/spec/acceptance/db_deferred_spec.rb b/spec/acceptance/db_deferred_spec.rb
index 6b63d5b879..d7e1f64fe3 100644
--- a/spec/acceptance/db_deferred_spec.rb
+++ b/spec/acceptance/db_deferred_spec.rb
@@ -2,45 +2,32 @@
 
 require 'spec_helper_acceptance'
 
-describe 'postgresql::server::db' do
- before(:all) do
- LitmusHelper.instance.run_shell("cd /tmp; su 'postgres' -c 'pg_ctl stop -D /var/lib/pgsql/data/ -m fast'", acceptable_exit_codes: [0, 1]) unless os[:family].match?(%r{debian|ubuntu})
- end
-
- it 'creates a database with a deferred password' do
- tmpdir = run_shell('mktemp').stdout
- pp = <<-MANIFEST
- class { 'postgresql::server':
- postgres_password => 'space password',
- }
- postgresql::server::tablespace { 'postgresql-test-db':
- location => '#{tmpdir}',
- } ->
- postgresql::server::db { 'postgresql-test-db':
- comment => 'testcomment',
- user => 'test-user',
- password => Deferred('unwrap', ['test1'])
- tablespace => 'postgresql-test-db',
+describe 'postgresql::server::db:' do
+ let(:user) { 'user_test' }
+ let(:password) { 'deferred_password_test' }
+ let(:database) { 'test_database' }
+
+ let(:pp_one) do
+ <<-MANIFEST.unindent
+ $user = #{user}
+ $password = #{password}
+ $database = #{database}
+
+ include postgresql::server
+ postgresql::server::db { $database:
+ user => $user,
+ password => Deferred('unwrap', [$password]),
 }
 MANIFEST
+ end
 
- idempotent_apply(pp)
-
- # Verify that the postgres password works
- run_shell("echo 'localhost:*:*:postgres:'space password'' > /root/.pgpass")
- run_shell('chmod 600 /root/.pgpass')
- run_shell("psql -U postgres -h localhost --command='\\l'")
-
- result = psql('--command="select datname from pg_database" "postgresql-test-db"')
- expect(result.stdout).to match(%r{postgresql-test-db})
- expect(result.stderr).to eq('')
-
- result = psql('--command="SELECT 1 FROM pg_roles WHERE rolname=\'test-user\'"')
- expect(result.stdout).to match(%r{\(1 row\)})
-
- result = psql("--dbname postgresql-test-db --command=\"SELECT pg_catalog.shobj_description(d.oid, 'pg_database') FROM pg_catalog.pg_database d WHERE datname = 'postgresql-test-db' AND pg_catalog.shobj_description(d.oid, 'pg_database') = 'testcomment'\"") # rubocop:disable Layout/LineLength
- expect(result.stdout).to match(%r{\(1 row\)})
- ensure
- psql('--command=\'drop database "postgresql-test-db"\'')
+ it 'creates a database with with the password in the deferred function' do
+ if run_shell('puppet --version').stdout[0].to_i < 7
+ skip # Deferred function fixes only in puppet 7, see https://tickets.puppetlabs.com/browse/PUP-11518
+ end
+ apply_manifest(pp_one)
+ psql_cmd = "PGPASSWORD=#{password} PGUSER=#{user} PGDATABASE=#{database} psql -h 127.0.0.1 -d postgres -c '\\q'"
+ run_shell("cd /tmp; su #{shellescape('postgres')} -c #{shellescape(psql_cmd)}",
+ acceptable_exit_codes: [0])
 end
 end
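Review bot: The Puppet version guard `run_shell('puppet --version').stdout[0].to_i < 7` reads only the first character of the version string, so a two-digit major such as 10 is read as 1 and the test is skipped on releases it is meant to cover. Parsing the leading integer avoids that: `if run_shell('puppet --version').stdout.to_i < 7`. In the manifest, `$user = #{user}`, `$password = #{password}` and `$database = #{database}` interpolate unquoted, which parses only while the values happen to be valid barewords, and `PGPASSWORD=#{password}` in `psql_cmd` has the same limitation on the shell side. Quoting them (`$password = '#{password}'`) keeps the test meaningful if the fixture password ever gains a space or punctuation. The example title also has a doubled word ('with with').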