Fixes #37883 - halt if remote DB does not own EVR

theforeman · Oct 7, 2024 · 01803e4 · 01803e4
1 parent 67702be
commit 01803e4
Showing 1 changed file with 24 additions and 0 deletions.
diff --git a/hooks/pre_commit/42-evr_extension_permissions.rb b/hooks/pre_commit/42-evr_extension_permissions.rb
@@ -0,0 +1,24 @@
+database = param_value('foreman', 'db_database') || 'foreman'
+username = param_value('foreman', 'db_username') || 'foreman'
+password = param_value('foreman', 'db_password')
+host = param_value('foreman', 'db_host')
+port = param_value('foreman', 'db_port') || 5432
+
+# if postgres is the owner of the DB, then the permissions will not matter.
+return if username == 'postgres'
+
+check_evr_owner_sql = "SELECT CASE" \
+                      " WHEN r.rolname = 'postgres' THEN 1" \
+                      " ELSE 0" \
+                      " END AS evr_owned_by_postgres" \
+                      " FROM pg_extension e" \
+                      " JOIN pg_roles r ON e.extowner = r.oid" \
+                      " WHERE e.extname = 'evr';"
+
+command = "PGPASSWORD='#{password}' psql -U #{username} -h #{host} -p #{port} -d #{database} -t -c \"#{check_evr_owner_sql}\""
+logger.debug "Checking if the evr extension is owned by the postgres user via #{command}"
+output = execute!(command, false, true).strip
+if output != '0'
+  fail_and_exit("The evr extension is owned by postgres and not the foreman DB owner. Please run the following on the foreman DB to fix it: " \
+                "UPDATE pg_extension SET extowner = (SELECT oid FROM pg_authid WHERE rolname='#{username}');")
+end