Skip to content

Commit

Permalink
Support changing password_encryption method
Browse files Browse the repository at this point in the history
  • Loading branch information
deric committed Apr 18, 2024
1 parent 143dc42 commit e3c0f4d
Show file tree
Hide file tree
Showing 6 changed files with 40 additions and 4 deletions.
14 changes: 12 additions & 2 deletions manifests/database/postgresql.pp
Original file line number Diff line number Diff line change
Expand Up @@ -65,6 +65,11 @@
# `manage_database` is set to `true`, it will use the value of the `database_host`
# parameter. This option is supported in PuppetDB >= 1.6.
#
# @param password_sensitive
# Whether password should be of Datatype Sensitive[String]
# @param password_encryption
# PostgreSQL password authentication method, either `md5` or `scram-sha-256`
#
class puppetdb::database::postgresql (
$listen_addresses = $puppetdb::params::database_host,
$puppetdb_server = $puppetdb::params::puppetdb_server,
Expand All @@ -82,7 +87,9 @@
$postgresql_ssl_ca_cert_path = $puppetdb::params::postgresql_ssl_ca_cert_path,
$read_database_username = $puppetdb::params::read_database_username,
$read_database_password = $puppetdb::params::read_database_password,
$read_database_host = $puppetdb::params::read_database_host
$read_database_host = $puppetdb::params::read_database_host,
Boolean $password_sensitive = false,
Postgresql::Pg_password_encryption $password_encryption = $puppetdb::params::password_encryption,
) inherits puppetdb::params {
$port = scanf($database_port, '%i')[0]

Expand All @@ -96,6 +103,7 @@
ip_mask_allow_all_users => '0.0.0.0/0',
listen_addresses => $listen_addresses,
port => $port,
password_encryption => $password_encryption,
}

# We need to create the ssl connection for the read user, when
Expand Down Expand Up @@ -166,9 +174,11 @@
-> puppetdb::database::read_only_user { $read_database_username:
read_database_username => $read_database_username,
database_name => $database_name,
password_hash => postgresql::postgresql_password($read_database_username, $read_database_password),
password_hash => postgresql::postgresql_password(
$read_database_username, $read_database_password, $password_sensitive, $password_encryption),
database_owner => $database_username,
database_port => $port,
password_encryption => $password_encryption,
}

-> postgresql_psql { "grant ${read_database_username} role to ${database_username}":
Expand Down
6 changes: 5 additions & 1 deletion manifests/database/read_only_user.pp
Original file line number Diff line number Diff line change
Expand Up @@ -13,18 +13,22 @@
# The user which owns the database (i.e. the migration user for the database).
# @param password_hash
# The value of $_database_password in app_database.
# @param password_encryption
# The hash method for postgresql password, since PostgreSQL 14 default is `scram-sha-256`.
#
# @api private
define puppetdb::database::read_only_user (
String $read_database_username,
String $database_name,
String $database_owner,
Variant[String, Boolean] $password_hash = false,
Variant[String, Boolean, Sensitive[String]] $password_hash = false,
Optional[Stdlib::Port] $database_port = undef,
Optional[Postgresql::Pg_password_encryption] $password_encryption = undef,
) {
postgresql::server::role { $read_database_username:
password_hash => $password_hash,
port => $database_port,
hash => $password_encryption,
}

-> postgresql::server::database_grant { "${database_name} grant connection permission to ${read_database_username}":
Expand Down
5 changes: 5 additions & 0 deletions manifests/init.pp
Original file line number Diff line number Diff line change
Expand Up @@ -374,6 +374,9 @@
# @param java_bin
# java binary path for PuppetDB. If undef, default will be used.
#
# @param postgresql_password_encryption
# PostgreSQL password authentication method, either `md5` or `scram-sha-256`
#
class puppetdb (
$listen_address = $puppetdb::params::listen_address,
$listen_port = $puppetdb::params::listen_port,
Expand Down Expand Up @@ -460,6 +463,7 @@
Boolean $automatic_dlo_cleanup = $puppetdb::params::automatic_dlo_cleanup,
String[1] $cleanup_timer_interval = $puppetdb::params::cleanup_timer_interval,
Integer[1] $dlo_max_age = $puppetdb::params::dlo_max_age,
Postgresql::Pg_password_encryption $postgresql_password_encryption = $puppetdb::params::password_encryption,
Optional[Stdlib::Absolutepath] $java_bin = $puppetdb::params::java_bin,
) inherits puppetdb::params {
class { 'puppetdb::server':
Expand Down Expand Up @@ -568,6 +572,7 @@
read_database_username => $read_database_username,
read_database_password => $read_database_password,
read_database_host => $read_database_host,
password_encryption => $postgresql_password_encryption,
before => $database_before,
}
}
1 change: 1 addition & 0 deletions manifests/params.pp
Original file line number Diff line number Diff line change
Expand Up @@ -42,6 +42,7 @@
$database_validate = true
$database_max_pool_size = undef
$puppetdb_server = fact('networking.fqdn')
$password_encryption = 'scram-sha-256'

# These settings manage the various auto-deactivation and auto-purge settings
$node_ttl = '7d'
Expand Down
2 changes: 1 addition & 1 deletion metadata.json
Original file line number Diff line number Diff line change
Expand Up @@ -14,7 +14,7 @@
},
{
"name": "puppetlabs/postgresql",
"version_requirement": ">= 6.5.0 < 11.0.0"
"version_requirement": ">= 9.2.0 < 11.0.0"
},
{
"name": "puppetlabs/firewall",
Expand Down
16 changes: 16 additions & 0 deletions spec/unit/classes/init_spec.rb
Original file line number Diff line number Diff line change
Expand Up @@ -67,6 +67,22 @@ class { 'postgresql::server':
end
end

context 'with password encryption' do
let :params do
{
postgresql_password_encryption: 'md5',
}
end

it do
is_expected.to contain_postgresql__server__pg_hba_rule('allow access to all users for instance main')
.with_type('host')
.with_database('all')
.with_user('all')
.with_auth_method('md5')
end
end

context 'when using ssl certificates' do
let(:params) do
{
Expand Down

0 comments on commit e3c0f4d

Please sign in to comment.