[type/__postgres_role] Fix setting password

We need to make sure that the password does not end up in ~/.psql_history.
Dennis Camera 2020-12-17 16:58:32 +01:00
parent 4859c27900
commit 1180f13ed6


@ -51,27 +51,29 @@ then
exit 0 exit 0
fi fi
if test -s "${__object:?}/parameter/password"
then
quoted_password=$(
delim='$$'
# NOTE: Strip away trailing $ because with it the check breaks
# if the password ends with $ + random value.
while grep -q -F "${delim%$}" "${__object:?}/parameter/password"
do
delim="\$$(LC_ALL=C tr -cd '[:alpha:]' </dev/urandom | dd bs=1 count=4 2>/dev/null)$"
done
psql_query() { psql_query() {
printf 'su -l %s -c %s\n' \ printf 'su -l %s -c %s\n' \
"$(quote "${postgres_user}")" \ "$(quote "${postgres_user}")" \
"$(quote "psql postgres -wc $(quote "$1")")" "$(quote "psql postgres -wc $(quote "$1")")"
} }
raw_passwd=$(cat "${__object:?}/parameter/password"; printf .) psql_set_password() {
# shellcheck disable=SC2016 # NOTE: Always make sure that the password does not end up in psql_history!
printf '%s%s%s' "${delim}" "${raw_passwd%?.}" "${delim}" if test -s "${__object:?}/parameter/password"
) then
fi cat <<-EOF
exec 3< "\${__object:?}/parameter/password"
su -l '${postgres_user}' -c 'psql -q postgres -w' <<'SQL'
\set HISTFILE /dev/null
\set pw \`cat <&3\`
ALTER ROLE "${rolename}" WITH PASSWORD :'pw';
SQL
exec 3<&-
EOF
else
psql_query "ALTER ROLE \"${rolename}\" WITH PASSWORD NULL;"
fi
}
role_properties_should() { role_properties_should() {
_props= _props=
@ -96,8 +98,8 @@ in
case ${state_is} case ${state_is}
in in
(absent) (absent)
psql_query "$(printf 'CREATE ROLE "%s" WITH %s PASSWORD %s;' \ psql_query "CREATE ROLE \"${rolename}\" WITH $(role_properties_should);"
"${rolename}" "$(role_properties_should)" "${quoted_password:-NULL}")" psql_set_password
;; ;;
(different*) (different*)
if expr "${state_is}" : 'different.*properties' >/dev/null if expr "${state_is}" : 'different.*properties' >/dev/null
@ -107,7 +109,7 @@ in
if expr "${state_is}" : 'different.*password' >/dev/null if expr "${state_is}" : 'different.*password' >/dev/null
then then
psql_query "ALTER ROLE \"${rolename}\" WITH PASSWORD ${quoted_password:-NULL};" psql_set_password
fi fi
;; ;;
(*) (*)
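Review bot: In `psql_set_password` (first hunk) the generated line `su -l '${postgres_user}' -c ...` wraps the expanded value in hand-written single quotes, while `psql_query` directly above passes the same variable through `quote` (presumably the file's shell-quoting helper). A value containing a single quote would end the string early in the generated script, so `su -l $(quote "${postgres_user}") -c 'psql -q postgres -w' <<'SQL'` would keep both code paths consistent. `${rolename}` is also expanded unescaped inside `"..."` in the `ALTER ROLE` line, as the old code did, so an embedded double quote ends the identifier; doubling `"` before interpolation would close that. Separately, `ALTER ROLE ... PASSWORD :'pw'` still sends the password to the server in cleartext, so it can appear in the server log when statement logging is enabled. I would extend the NOTE comment to say so, e.g. `# The statement itself still carries the cleartext password; it may show up in the server log if statement logging is on.`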