From 01803e4b8cfa4e44571a8a79e3be52ea541859b1 Mon Sep 17 00:00:00 2001
From: Ian Ballou <ianballou67@gmail.com>
Date: Fri, 4 Oct 2024 16:03:03 -0400
Subject: [PATCH] Fixes #37883 - halt if remote DB does not own EVR

---
 .../42-evr_extension_permissions.rb           | 24 +++++++++++++++++++
 1 file changed, 24 insertions(+)
 create mode 100644 hooks/pre_commit/42-evr_extension_permissions.rb

diff --git a/hooks/pre_commit/42-evr_extension_permissions.rb b/hooks/pre_commit/42-evr_extension_permissions.rb
new file mode 100644
index 00000000..c67ee3b9
--- /dev/null
+++ b/hooks/pre_commit/42-evr_extension_permissions.rb
@@ -0,0 +1,24 @@
+database = param_value('foreman', 'db_database') || 'foreman'
+username = param_value('foreman', 'db_username') || 'foreman'
+password = param_value('foreman', 'db_password')
+host = param_value('foreman', 'db_host')
+port = param_value('foreman', 'db_port') || 5432
+
+# if postgres is the owner of the DB, then the permissions will not matter.
+return if username == 'postgres'
+
+check_evr_owner_sql = "SELECT CASE" \
+                      " WHEN r.rolname = 'postgres' THEN 1" \
+                      " ELSE 0" \
+                      " END AS evr_owned_by_postgres" \
+                      " FROM pg_extension e" \
+                      " JOIN pg_roles r ON e.extowner = r.oid" \
+                      " WHERE e.extname = 'evr';"
+
+command = "PGPASSWORD='#{password}' psql -U #{username} -h #{host} -p #{port} -d #{database} -t -c \"#{check_evr_owner_sql}\""
+logger.debug "Checking if the evr extension is owned by the postgres user via #{command}"
+output = execute!(command, false, true).strip
+if output != '0'
+  fail_and_exit("The evr extension is owned by postgres and not the foreman DB owner. Please run the following on the foreman DB to fix it: " \
+                "UPDATE pg_extension SET extowner = (SELECT oid FROM pg_authid WHERE rolname='#{username}');")
+end