forked from ungleich-public/cdist
[type/__postgres_role] Handle password changes
This commit is contained in:
parent
c36df82882
commit
7b7ca4d385
2 changed files with 88 additions and 11 deletions
|
@ -34,9 +34,23 @@ esac
|
||||||
|
|
||||||
rolename=${__object_id:?}
|
rolename=${__object_id:?}
|
||||||
|
|
||||||
|
|
||||||
|
psql_query() {
|
||||||
|
su -l "${postgres_user}" -c "$(
|
||||||
|
printf "psql -F '\034' -R '\036' -wAc '%s'" \
|
||||||
|
"$(printf %s "$*" | sed "s/'/'\\\\''/g")"
|
||||||
|
)"
|
||||||
|
}
|
||||||
|
|
||||||
|
password_check_login() (
|
||||||
|
PGPASSWORD=$(cat "${__object:?}/parameter/password"; printf .)
|
||||||
|
PGPASSWORD=${PGPASSWORD%?.}
|
||||||
|
export PGPASSWORD
|
||||||
|
psql -w -h localhost -U "${rolename}" template1 -c '\q' >/dev/null 2>&1
|
||||||
|
)
|
||||||
|
|
||||||
role_properties=$(
|
role_properties=$(
|
||||||
cmd=$(printf "psql -F '\034' -R '\036' -wAc \"SELECT * FROM pg_roles WHERE rolname='%s'\"" "${rolename}")
|
psql_query "SELECT * FROM pg_roles WHERE rolname = '${rolename}'" \
|
||||||
su -l "${postgres_user}" -c "${cmd}" \
|
|
||||||
| awk '
|
| awk '
|
||||||
BEGIN { RS = "\036"; FS = "\034" }
|
BEGIN { RS = "\036"; FS = "\034" }
|
||||||
/^\([0-9]+ rows?\)/ { exit }
|
/^\([0-9]+ rows?\)/ { exit }
|
||||||
|
@ -69,12 +83,62 @@ then
|
||||||
)
|
)
|
||||||
|
|
||||||
test "${bool_is}" = "${bool_should}" || {
|
test "${bool_is}" = "${bool_should}" || {
|
||||||
echo 'different'
|
state='different properties'
|
||||||
exit 0
|
|
||||||
}
|
}
|
||||||
done
|
done
|
||||||
|
|
||||||
echo 'present'
|
# Check password
|
||||||
|
passwd_stored=$(
|
||||||
|
psql_query "SELECT rolpassword FROM pg_authid WHERE rolname = '${rolename}'" \
|
||||||
|
| awk 'BEGIN { RS = "\036" } NR == 2'
|
||||||
|
printf .
|
||||||
|
)
|
||||||
|
passwd_stored=${passwd_stored%?.}
|
||||||
|
|
||||||
|
passwd_should=$(cat "${__object}/parameter/password"; printf .)
|
||||||
|
passwd_should=${passwd_should%?.}
|
||||||
|
|
||||||
|
if expr "${passwd_stored}" : 'SCRAM-SHA-256\$.*$' >/dev/null
|
||||||
|
then
|
||||||
|
# SCRAM-SHA-256 "encrypted" password
|
||||||
|
# NOTE: There is currently no easy way to check SCRAM passwords
|
||||||
|
password_check_login || state="${state:-different} password"
|
||||||
|
elif expr "${passwd_stored}" : 'md5[0-9a-f]\{32\}$' >/dev/null
|
||||||
|
then
|
||||||
|
# MD5 "encrypted" password
|
||||||
|
if command -v md5sum >/dev/null 2>&1
|
||||||
|
then
|
||||||
|
should_md5=$(
|
||||||
|
printf '%s%s' "${passwd_should}" "${rolename}" \
|
||||||
|
| md5sum - | sed -e 's/[^0-9a-f]*$//')
|
||||||
|
elif command -v gmd5sum >/dev/null 2>&1
|
||||||
|
then
|
||||||
|
should_md5=$(
|
||||||
|
printf '%s%s' "${passwd_should}" "${rolename}" \
|
||||||
|
| gmd5sum - | sed -e 's/[^0-9a-f]*$//')
|
||||||
|
elif command -v openssl >/dev/null 2>&1
|
||||||
|
then
|
||||||
|
should_md5=$(
|
||||||
|
printf '%s%s' "${passwd_should}" "${rolename}" \
|
||||||
|
| openssl dgst -md5 | sed 's/^.* //')
|
||||||
|
fi
|
||||||
|
|
||||||
|
if test -n "${should_md5}"
|
||||||
|
then
|
||||||
|
test "${passwd_stored}" = "md5${should_md5}" \
|
||||||
|
|| state="${state:-different} password"
|
||||||
|
else
|
||||||
|
password_check_login || state="${state:-different} password"
|
||||||
|
fi
|
||||||
|
else
|
||||||
|
# unencrypted password (unsupported since PostgreSQL 10)
|
||||||
|
test "${passwd_stored}" = "${passwd_should}" \
|
||||||
|
|| state="${state:-different} password"
|
||||||
|
fi
|
||||||
|
|
||||||
|
test -n "${state}" || state='present'
|
||||||
else
|
else
|
||||||
echo 'absent'
|
state='absent'
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
echo "${state}"
|
||||||
|
|
|
@ -58,7 +58,9 @@ in
|
||||||
then
|
then
|
||||||
quoted_password=$(
|
quoted_password=$(
|
||||||
delim='$$'
|
delim='$$'
|
||||||
while grep -q -F "${delim}" "${__object:?}/parameter/password"
|
# NOTE: Strip away trailing $ because with it the check breaks
|
||||||
|
# if the password ends with $ + random value.
|
||||||
|
while grep -q -F "${delim%$}" "${__object:?}/parameter/password"
|
||||||
do
|
do
|
||||||
delim="\$$(LC_ALL=C tr -cd '[:alpha:]' </dev/urandom | dd bs=1 count=4 2>/dev/null)$"
|
delim="\$$(LC_ALL=C tr -cd '[:alpha:]' </dev/urandom | dd bs=1 count=4 2>/dev/null)$"
|
||||||
done
|
done
|
||||||
|
@ -88,12 +90,23 @@ in
|
||||||
query=$(printf 'CREATE ROLE "%s" WITH %s PASSWORD %s;' \
|
query=$(printf 'CREATE ROLE "%s" WITH %s PASSWORD %s;' \
|
||||||
"${rolename}" "${booleans}" "${quoted_password:-NULL}")
|
"${rolename}" "${booleans}" "${quoted_password:-NULL}")
|
||||||
;;
|
;;
|
||||||
(different)
|
(different*)
|
||||||
query=$(printf 'ALTER ROLE "%s" WITH %s PASSWORD %s;' \
|
query="ALTER ROLE \"${rolename}\" WITH"
|
||||||
"${rolename}" "${booleans}" "${quoted_password:-NULL}")
|
|
||||||
|
if expr "${state_is}" : 'different.*properties' >/dev/null
|
||||||
|
then
|
||||||
|
query="${query} ${booleans}"
|
||||||
|
fi
|
||||||
|
if expr "${state_is}" : 'different.*password' >/dev/null
|
||||||
|
then
|
||||||
|
query="${query} PASSWORD ${quoted_password:-NULL}"
|
||||||
|
fi
|
||||||
|
|
||||||
|
query="${query};"
|
||||||
;;
|
;;
|
||||||
(*)
|
(*)
|
||||||
exit 1 # TODO: error msg
|
printf 'Invalid state reported by state explorer: %s\n' "${state_is}" >&2
|
||||||
|
exit 1
|
||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
|
|
||||||
|
|
Loading…
Reference in a new issue