Defaulting password_encryption to scram-sha-256 with version >= 14

cruelsmith · bastelfreak · commit 985309e2df83 · 2023-07-31T15:20:45.000+02:00
* Fix missing handling of allowed undef value of parameter hash of postgresql::postgresql_password * Fix edgecase where passwords starting with md5 but are not followed by 32 base64 chars will not be hashed by postgresql::postgresql_password * Fix case of postgresql::postgresql_password where sensitive hashes are wrongly handled * Extend spec tests for 'postgresql_password function' to cover this * Add respecting password_encryption for all internal postgresql::postgresql_password calls * Add respecting password_encryption for postgresql::backup::pg_dump * Add spec tests for new hash type handling of postgresql::server::role See https://www.postgresql.org/docs/14/runtime-config-connection.html#GUC-PASSWORD-ENCRYPTION
diff --git a/lib/puppet/functions/postgresql/postgresql_password.rb b/lib/puppet/functions/postgresql/postgresql_password.rb
@@ -22,19 +22,25 @@
     required_param 'Variant[String[1], Integer]', :username
     required_param 'Variant[String[1], Sensitive[String[1]], Integer]', :password
     optional_param 'Boolean', :sensitive
-    optional_param "Optional[Enum['md5', 'scram-sha-256']]", :hash
+    optional_param 'Optional[Postgresql::Pg_password_encryption]', :hash
     optional_param 'Optional[Variant[String[1], Integer]]', :salt
     return_type 'Variant[String, Sensitive[String]]'
   end
 
   def default_impl(username, password, sensitive = false, hash = 'md5', salt = nil)
-    return password if password.is_a?(String) && password.match?(%r{^(md5|SCRAM-SHA-256).+})
-
     password = password.unwrap if password.respond_to?(:unwrap)
-    pass = if hash == 'md5'
+    if password.is_a?(String) && password.match?(%r{^(md5[0-9a-f]{32}$|SCRAM-SHA-256\$)})
+      return Puppet::Pops::Types::PSensitiveType::Sensitive.new(password) if sensitive
+
+      return password
+    end
+    pass = case hash
+           when 'md5', nil # ensure default value when definded with nil
              "md5#{Digest::MD5.hexdigest(password.to_s + username.to_s)}"
-           else
+           when 'scram-sha-256'
              pg_sha256(password, (salt || username))
+           else
+             raise(Puppet::ParseError, "postgresql::postgresql_password(): got unkown hash type '#{hash}'")
            end
     if sensitive
       Puppet::Pops::Types::PSensitiveType::Sensitive.new(pass)
diff --git a/manifests/backup/pg_dump.pp b/manifests/backup/pg_dump.pp
@@ -83,7 +83,7 @@
     # Create user with superuser privileges
     postgresql::server::role { $db_user:
       ensure        => $ensure,
-      password_hash => postgresql::postgresql_password($db_user, $db_password),
+      password_hash => postgresql::postgresql_password($db_user, $db_password, true, pick($postgresql::server::password_encryption, 'md5')),
       superuser     => true,
     }
 
@@ -92,7 +92,7 @@
       type        => 'local',
       database    => 'all',
       user        => $db_user,
-      auth_method => 'md5',
+      auth_method => pick($postgresql::server::password_encryption, 'md5'),
       order       => 1,
     }
   }
diff --git a/manifests/params.pp b/manifests/params.pp
@@ -25,7 +25,7 @@
   $manage_selinux               = pick($manage_selinux, false)
   $package_ensure               = 'present'
   $module_workdir               = pick($module_workdir,'/tmp')
-  $password_encryption          = undef
+  $password_encryption          = if versioncmp($version, '14') >= 0 { 'scram-sha-256' } else { undef }
   $extra_systemd_config         = undef
   $manage_datadir               = true
   $manage_logdir                = true
@@ -298,7 +298,7 @@
       # Since we can't determine defaults on our own, we rely on users setting
       # parameters with the postgresql::globals class. Here we are checking
       # that the mandatory minimum is set for the module to operate.
-      $err_prefix = "Module ${module_name} does not provide defaults for osfamily: ${facts['os']['family']} operatingsystem: ${facts['os']['name']}; please specify a value for ${module_name}::globals::"
+      $err_prefix = "Module ${module_name} does not provide defaults for osfamily: ${facts['os']['family']} operatingsystem: ${facts['os']['name']}; please specify a value for ${module_name}::globals::" # lint:ignore:140chars
       if ($needs_initdb == undef) { fail("${err_prefix}needs_initdb") }
       if ($service_name == undef) { fail("${err_prefix}service_name") }
       if ($client_package_name == undef) { fail("${err_prefix}client_package_name") }
diff --git a/manifests/server.pp b/manifests/server.pp
@@ -95,7 +95,7 @@
 class postgresql::server (
   Optional[Variant[String[1], Sensitive[String[1]], Integer]] $postgres_password = undef,
 
-  Variant[Enum['present', 'absent', 'purged', 'disabled', 'installed', 'latest'], String[1]] $package_ensure = $postgresql::params::package_ensure,
+  Variant[Enum['present', 'absent', 'purged', 'disabled', 'installed', 'latest'], String[1]] $package_ensure = $postgresql::params::package_ensure, # lint:ignore:140chars
   String[1]                                          $package_name                 = $postgresql::params::server_package_name,
 
   Optional[String[1]]                                $plperl_package_name          = $postgresql::params::plperl_package_name,
@@ -159,7 +159,7 @@
   Boolean                                            $manage_datadir               = $postgresql::params::manage_datadir,
   Boolean                                            $manage_logdir                = $postgresql::params::manage_logdir,
   Boolean                                            $manage_xlogdir               = $postgresql::params::manage_xlogdir,
-  Optional[String]                                   $password_encryption          = $postgresql::params::password_encryption,
+  Optional[Postgresql::Pg_password_encryption]       $password_encryption          = $postgresql::params::password_encryption,
   Optional[String]                                   $extra_systemd_config         = $postgresql::params::extra_systemd_config,
 
   Hash[String, Hash]                                 $roles                        = {},
diff --git a/manifests/server/instance/config.pp b/manifests/server/instance/config.pp
@@ -60,7 +60,7 @@
   Boolean                                        $service_enable               = $postgresql::server::service_enable,
   Optional[String[1]]                            $log_line_prefix              = $postgresql::server::log_line_prefix,
   Optional[String[1]]                            $timezone                     = $postgresql::server::timezone,
-  Optional[String]                               $password_encryption          = $postgresql::server::password_encryption,
+  Optional[Postgresql::Pg_password_encryption]   $password_encryption          = $postgresql::server::password_encryption,
   Optional[String]                               $extra_systemd_config         = $postgresql::server::extra_systemd_config,
 ) {
   if ($manage_pg_hba_conf == true) {
diff --git a/manifests/server/role.pp b/manifests/server/role.pp
@@ -21,26 +21,26 @@
 # @param hash Specify the hash method for pg password
 # @param salt Specify the salt use for the scram-sha-256 encoding password (default username)
 define postgresql::server::role (
-  Boolean                                               $update_password  = true,
-  Variant[Boolean, String, Sensitive[String]]           $password_hash    = false,
-  Boolean                                               $createdb         = false,
-  Boolean                                               $createrole       = false,
-  String[1]                                             $db               = $postgresql::server::default_database,
-  Optional[Variant[String[1], Stdlib::Port, Integer]]  $port             = undef,
-  Boolean                                               $login            = true,
-  Boolean                                               $inherit          = true,
-  Boolean                                               $superuser        = false,
-  Boolean                                               $replication      = false,
-  String[1]                                             $connection_limit = '-1',
-  String[1]                                             $username         = $title,
-  Hash                                                  $connect_settings = $postgresql::server::default_connect_settings,
-  String[1]                                             $psql_user        = $postgresql::server::user,
-  String[1]                                             $psql_group       = $postgresql::server::group,
-  Variant[String[1], Stdlib::Absolutepath]              $psql_path        = $postgresql::server::psql_path,
-  String[1]                                             $module_workdir   = $postgresql::server::module_workdir,
-  Enum['present', 'absent']                             $ensure           = 'present',
-  Enum['md5', 'scram-sha-256']                          $hash             = 'md5',
-  Optional[Variant[String[1], Integer]]                 $salt             = undef,
+  Boolean                                             $update_password  = true,
+  Variant[Boolean, String, Sensitive[String]]         $password_hash    = false,
+  Boolean                                             $createdb         = false,
+  Boolean                                             $createrole       = false,
+  String[1]                                           $db               = $postgresql::server::default_database,
+  Optional[Variant[String[1], Stdlib::Port, Integer]] $port             = undef,
+  Boolean                                             $login            = true,
+  Boolean                                             $inherit          = true,
+  Boolean                                             $superuser        = false,
+  Boolean                                             $replication      = false,
+  String[1]                                           $connection_limit = '-1',
+  String[1]                                           $username         = $title,
+  Hash                                                $connect_settings = $postgresql::server::default_connect_settings,
+  String[1]                                           $psql_user        = $postgresql::server::user,
+  String[1]                                           $psql_group       = $postgresql::server::group,
+  Variant[String[1], Stdlib::Absolutepath]            $psql_path        = $postgresql::server::psql_path,
+  String[1]                                           $module_workdir   = $postgresql::server::module_workdir,
+  Enum['present', 'absent']                           $ensure           = 'present',
+  Optional[Enum['md5', 'scram-sha-256']]              $hash             = undef,
+  Optional[Variant[String[1], Integer]]               $salt             = undef,
 ) {
   $password_hash_unsensitive = if $password_hash =~ Sensitive[String] {
     $password_hash.unwrap
@@ -106,7 +106,7 @@
         ]
       )
     } else {
-      $create_role_command = "CREATE ROLE \"${username}\" ${password_sql} ${login_sql} ${createrole_sql} ${createdb_sql} ${superuser_sql} ${replication_sql} CONNECTION LIMIT ${connection_limit}"
+      $create_role_command = "CREATE ROLE \"${username}\" ${password_sql} ${login_sql} ${createrole_sql} ${createdb_sql} ${superuser_sql} ${replication_sql} CONNECTION LIMIT ${connection_limit}" # lint:ignore:140chars
     }
 
     postgresql_psql { "CREATE ROLE ${username} ENCRYPTED PASSWORD ****":
@@ -152,22 +152,29 @@
       unless => "SELECT 1 FROM pg_roles WHERE rolname = '${username}' AND rolconnlimit = ${connection_limit}",
     }
 
+    $_hash = if $hash {
+      $hash
+    } elsif $connect_settings != undef and 'DBVERSION' in $connect_settings {
+      if (versioncmp($version, '14') >= 0) { 'scram-sha-256' } else { undef }
+    } else {
+      $postgresql::server::password_encryption
+    }
     if $password_hash_unsensitive and $update_password {
       if $password_hash_unsensitive =~ Deferred {
-        $pwd_hash_sql = Deferred ( 'postgresql::postgresql_password', [$username,
-            $password_hash,
+        $pwd_hash_sql = Deferred ( 'postgresql::postgresql_password', [
+            $username,
+            $password_hash_unsensitive,
             false,
-            $hash,
+            $_hash,
             $salt,
           ]
         )
-      }
-      else {
+      } else {
         $pwd_hash_sql = postgresql::postgresql_password(
           $username,
-          $password_hash,
+          $password_hash_unsensitive,
           false,
-          $hash,
+          $_hash,
           $salt,
         )
       }
diff --git a/spec/defines/server/role_spec.rb b/spec/defines/server/role_spec.rb
diff --git a/spec/spec_helper_local.rb b/spec/spec_helper_local.rb
diff --git a/types/pg_password_encryption.pp b/types/pg_password_encryption.pp

Original file line number	Diff line number	Diff line change
`@@ -83,7 +83,7 @@`
`83`	`83`	`# Create user with superuser privileges`
`84`	`84`	`postgresql::server::role { $db_user:`
`85`	`85`	`ensure => $ensure,`
`86`		`- password_hash => postgresql::postgresql_password($db_user, $db_password),`
	`86`	`+ password_hash => postgresql::postgresql_password($db_user, $db_password, true, pick($postgresql::server::password_encryption, 'md5')),`
`87`	`87`	`superuser => true,`
`88`	`88`	`}`
`89`	`89`
`@@ -92,7 +92,7 @@`
`92`	`92`	`type => 'local',`
`93`	`93`	`database => 'all',`
`94`	`94`	`user => $db_user,`
`95`		`- auth_method => 'md5',`
	`95`	`+ auth_method => pick($postgresql::server::password_encryption, 'md5'),`
`96`	`96`	`order => 1,`
`97`	`97`	`}`
`98`	`98`	`}`