[type/__postgres_role] Handle password changes

This commit is contained in:
Dennis Camera 2020-12-16 19:06:50 +01:00
parent c36df82882
commit 7b7ca4d385
2 changed files with 88 additions and 11 deletions

View file

@ -34,9 +34,23 @@ esac
rolename=${__object_id:?} rolename=${__object_id:?}
psql_query() {
su -l "${postgres_user}" -c "$(
printf "psql -F '\034' -R '\036' -wAc '%s'" \
"$(printf %s "$*" | sed "s/'/'\\\\''/g")"
)"
}
password_check_login() (
PGPASSWORD=$(cat "${__object:?}/parameter/password"; printf .)
PGPASSWORD=${PGPASSWORD%?.}
export PGPASSWORD
psql -w -h localhost -U "${rolename}" template1 -c '\q' >/dev/null 2>&1
)
role_properties=$( role_properties=$(
cmd=$(printf "psql -F '\034' -R '\036' -wAc \"SELECT * FROM pg_roles WHERE rolname='%s'\"" "${rolename}") psql_query "SELECT * FROM pg_roles WHERE rolname = '${rolename}'" \
su -l "${postgres_user}" -c "${cmd}" \
| awk ' | awk '
BEGIN { RS = "\036"; FS = "\034" } BEGIN { RS = "\036"; FS = "\034" }
/^\([0-9]+ rows?\)/ { exit } /^\([0-9]+ rows?\)/ { exit }
@ -69,12 +83,62 @@ then
) )
test "${bool_is}" = "${bool_should}" || { test "${bool_is}" = "${bool_should}" || {
echo 'different' state='different properties'
exit 0
} }
done done
echo 'present' # Check password
else passwd_stored=$(
echo 'absent' psql_query "SELECT rolpassword FROM pg_authid WHERE rolname = '${rolename}'" \
| awk 'BEGIN { RS = "\036" } NR == 2'
printf .
)
passwd_stored=${passwd_stored%?.}
passwd_should=$(cat "${__object}/parameter/password"; printf .)
passwd_should=${passwd_should%?.}
if expr "${passwd_stored}" : 'SCRAM-SHA-256\$.*$' >/dev/null
then
# SCRAM-SHA-256 "encrypted" password
# NOTE: There is currently no easy way to check SCRAM passwords
password_check_login || state="${state:-different} password"
elif expr "${passwd_stored}" : 'md5[0-9a-f]\{32\}$' >/dev/null
then
# MD5 "encrypted" password
if command -v md5sum >/dev/null 2>&1
then
should_md5=$(
printf '%s%s' "${passwd_should}" "${rolename}" \
| md5sum - | sed -e 's/[^0-9a-f]*$//')
elif command -v gmd5sum >/dev/null 2>&1
then
should_md5=$(
printf '%s%s' "${passwd_should}" "${rolename}" \
| gmd5sum - | sed -e 's/[^0-9a-f]*$//')
elif command -v openssl >/dev/null 2>&1
then
should_md5=$(
printf '%s%s' "${passwd_should}" "${rolename}" \
| openssl dgst -md5 | sed 's/^.* //')
fi fi
if test -n "${should_md5}"
then
test "${passwd_stored}" = "md5${should_md5}" \
|| state="${state:-different} password"
else
password_check_login || state="${state:-different} password"
fi
else
# unencrypted password (unsupported since PostgreSQL 10)
test "${passwd_stored}" = "${passwd_should}" \
|| state="${state:-different} password"
fi
test -n "${state}" || state='present'
else
state='absent'
fi
echo "${state}"

View file

@ -58,7 +58,9 @@ in
then then
quoted_password=$( quoted_password=$(
delim='$$' delim='$$'
while grep -q -F "${delim}" "${__object:?}/parameter/password" # NOTE: Strip away trailing $ because with it the check breaks
# if the password ends with $ + random value.
while grep -q -F "${delim%$}" "${__object:?}/parameter/password"
do do
delim="\$$(LC_ALL=C tr -cd '[:alpha:]' </dev/urandom | dd bs=1 count=4 2>/dev/null)$" delim="\$$(LC_ALL=C tr -cd '[:alpha:]' </dev/urandom | dd bs=1 count=4 2>/dev/null)$"
done done
@ -88,12 +90,23 @@ in
query=$(printf 'CREATE ROLE "%s" WITH %s PASSWORD %s;' \ query=$(printf 'CREATE ROLE "%s" WITH %s PASSWORD %s;' \
"${rolename}" "${booleans}" "${quoted_password:-NULL}") "${rolename}" "${booleans}" "${quoted_password:-NULL}")
;; ;;
(different) (different*)
query=$(printf 'ALTER ROLE "%s" WITH %s PASSWORD %s;' \ query="ALTER ROLE \"${rolename}\" WITH"
"${rolename}" "${booleans}" "${quoted_password:-NULL}")
if expr "${state_is}" : 'different.*properties' >/dev/null
then
query="${query} ${booleans}"
fi
if expr "${state_is}" : 'different.*password' >/dev/null
then
query="${query} PASSWORD ${quoted_password:-NULL}"
fi
query="${query};"
;; ;;
(*) (*)
exit 1 # TODO: error msg printf 'Invalid state reported by state explorer: %s\n' "${state_is}" >&2
exit 1
;; ;;
esac esac