diff --git a/cdist/conf/type/__postgres_database/explorer/postgres_user b/cdist/conf/type/__postgres_database/explorer/postgres_user
new file mode 120000
index 00000000..714e7237
--- /dev/null
+++ b/cdist/conf/type/__postgres_database/explorer/postgres_user
@@ -0,0 +1 @@
+../../__postgres_conf/explorer/postgres_user
\ No newline at end of file
diff --git a/cdist/conf/type/__postgres_database/explorer/state b/cdist/conf/type/__postgres_database/explorer/state
index d68d4120..6a25df86 100755
--- a/cdist/conf/type/__postgres_database/explorer/state
+++ b/cdist/conf/type/__postgres_database/explorer/state
@@ -1,6 +1,7 @@
#!/bin/sh
#
# 2011 Steven Armstrong (steven-cdist at armstrong.cc)
+# 2021 Dennis Camera (dennis.camera at ssrq-sds-fds.ch)
#
# This file is part of cdist.
#
@@ -18,25 +19,18 @@
# along with cdist. If not, see .
#
-case "$("${__explorer}/os")"
-in
- netbsd)
- postgres_user='pgsql'
- ;;
- openbsd)
- postgres_user='_postgresql'
- ;;
- *)
- postgres_user='postgres'
- ;;
-esac
+postgres_user=$("${__type_explorer:?}/postgres_user")
+dbname=${__object_id:?}
-name="$__object_id"
+quote() { printf '%s\n' "$*" | sed "s/'/'\\\\''/g;1s/^/'/;\$s/\$/'/"; }
+psql_exec() {
+ su - "${postgres_user}" -c "psql $(quote "$1") -twAc $(quote "$2")"
+}
-if test -n "$(su - "$postgres_user" -c "psql postgres -twAc \"SELECT 1 FROM pg_database WHERE datname='$name'\"")"
+if psql_exec postgres "SELECT datname FROM pg_database" | grep -qFx "${dbname}"
then
- echo 'present'
+ echo 'present'
else
- echo 'absent'
+ echo 'absent'
fi
diff --git a/cdist/conf/type/__postgres_database/gencode-remote b/cdist/conf/type/__postgres_database/gencode-remote
index 0f11cff4..7d7d6fa2 100755
--- a/cdist/conf/type/__postgres_database/gencode-remote
+++ b/cdist/conf/type/__postgres_database/gencode-remote
@@ -1,6 +1,7 @@
#!/bin/sh -e
#
# 2011 Steven Armstrong (steven-cdist at armstrong.cc)
+# 2021 Dennis Camera (dennis.camera at ssrq-sds-fds.ch)
#
# This file is part of cdist.
#
@@ -18,60 +19,63 @@
# along with cdist. If not, see .
#
-case "$(cat "${__global}/explorer/os")"
-in
- netbsd)
- postgres_user='pgsql'
- ;;
- openbsd)
- postgres_user='_postgresql'
- ;;
- *)
- postgres_user='postgres'
- ;;
-esac
+quote() {
+ for _arg
+ do
+ shift
+ if test -n "$(printf '%s' "${_arg}" | tr -d -c '\t\n \042-\047\050-\052\073-\077\133\\`|~' | tr -c '' '.')"
+ then
+ # needs quoting
+ set -- "$@" "'$(printf '%s' "${_arg}" | sed -e "s/'/'\\\\''/g")'"
+ else
+ set -- "$@" "${_arg}"
+ fi
+ done
+ unset _arg
+ # NOTE: Use printf because POSIX echo interprets escape sequences
+ printf '%s' "$*"
+}
-name="$__object_id"
-state_should="$(cat "$__object/parameter/state")"
-state_is="$(cat "$__object/explorer/state")"
+postgres_user=$(cat "${__object:?}/explorer/postgres_user")
-if [ "$state_should" != "$state_is" ]; then
- case "$state_should" in
- present)
- owner=""
- if [ -f "$__object/parameter/owner" ]; then
- owner="-O \"$(cat "$__object/parameter/owner")\""
- fi
+dbname=${__object_id:?}
+state_should=$(cat "${__object:?}/parameter/state")
+state_is=$(cat "${__object:?}/explorer/state")
- template=""
- if [ -f "$__object/parameter/template" ]; then
- template="--template \"$(cat "$__object/parameter/template")\""
- fi
-
- encoding=""
- if [ -f "$__object/parameter/encoding" ]; then
- encoding="--encoding \"$(cat "$__object/parameter/encoding")\""
- fi
-
- lc_collate=""
- if [ -f "$__object/parameter/lc-collate" ]; then
- lc_collate="--lc-collate \"$(cat "$__object/parameter/lc-collate")\""
- fi
-
- lc_ctype=""
- if [ -f "$__object/parameter/lc-ctype" ]; then
- lc_ctype="--lc-ctype \"$(cat "$__object/parameter/lc-ctype")\""
- fi
-
- cat << EOF
-su - '$postgres_user' -c "createdb $owner \"$name\" $template $encoding $lc_collate $lc_ctype"
-EOF
- ;;
- absent)
- cat << EOF
-su - '$postgres_user' -c "dropdb \"$name\""
-EOF
- ;;
- esac
+if test "${state_should}" = "$state_is"
+then
+ exit 0
fi
+
+case ${state_should}
+in
+ (present)
+ set --
+
+ while read -r param_name opt
+ do
+ if test -f "${__object:?}/parameter/${param_name}"
+ then
+ set -- "$@" "${opt}" "$(cat "${__object:?}/parameter/${param_name}")"
+ fi
+ done <<-'EOF'
+ owner -O
+ template --template
+ encoding --encoding
+ lc_collate --lc-collate
+ lc_ctype --lc-ctype
+ EOF
+
+ set -- "$@" "${dbname}"
+
+ cat <<-EOF
+ su - $(quote "${postgres_user}") -c $(quote "$(quote createdb "$@")")
+ EOF
+ ;;
+ (absent)
+ cat <<-EOF
+ su - $(quote "${postgres_user}") -c $(quote "$(quote dropdb "${dbname}")")
+ EOF
+ ;;
+esac
diff --git a/cdist/conf/type/__postgres_extension/explorer/postgres_user b/cdist/conf/type/__postgres_extension/explorer/postgres_user
new file mode 120000
index 00000000..714e7237
--- /dev/null
+++ b/cdist/conf/type/__postgres_extension/explorer/postgres_user
@@ -0,0 +1 @@
+../../__postgres_conf/explorer/postgres_user
\ No newline at end of file
diff --git a/cdist/conf/type/__postgres_extension/explorer/state b/cdist/conf/type/__postgres_extension/explorer/state
new file mode 100644
index 00000000..9d156be7
--- /dev/null
+++ b/cdist/conf/type/__postgres_extension/explorer/state
@@ -0,0 +1,41 @@
+#!/bin/sh -e
+# -*- mode: sh; indent-tabs-mode: t -*-
+#
+# 2021 Dennis Camera (dennis.camera at ssrq-sds-fds.ch)
+#
+# This file is part of cdist.
+#
+# cdist is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# cdist is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with cdist. If not, see .
+#
+# Prints "present" if the extension is currently installed.
+# "absent" otherwise.
+
+quote() { printf '%s\n' "$*" | sed "s/'/'\\\\''/g;1s/^/'/;\$s/\$/'/"; }
+
+postgres_user=$("${__type_explorer:?}/postgres_user")
+
+IFS=: read -r dbname extname <.
#
-case "$(cat "${__global}/explorer/os")"
+postgres_user=$(cat "${__object:?}/explorer/postgres_user")
+
+quote() { printf '%s\n' "$*" | sed "s/'/'\\\\''/g;1s/^/'/;\$s/\$/'/"; }
+psql_cmd() {
+ printf 'su - %s -c %s\n' \
+ "$(quote "${postgres_user}")" \
+ "$(quote psql "$(quote "$1")" -c "$(quote "$2")")"
+}
+
+
+IFS=: read -r dbname extname <&2
+ exit 1
+ ;;
esac
diff --git a/cdist/conf/type/__postgres_extension/man.rst b/cdist/conf/type/__postgres_extension/man.rst
index 79645b2b..442239f6 100644
--- a/cdist/conf/type/__postgres_extension/man.rst
+++ b/cdist/conf/type/__postgres_extension/man.rst
@@ -3,32 +3,36 @@ cdist-type__postgres_extension(7)
NAME
----
-cdist-type__postgres_extension - manage postgres extensions
+cdist-type__postgres_extension - Manage PostgreSQL extensions
DESCRIPTION
-----------
-This cdist type allows you to create or drop postgres extensions.
+This cdist type allows you to manage PostgreSQL extensions.
-The object you need to pass to __postgres_extension consists of
-the database name and the extension name joined by a colon in the
-following form:
-
-.. code-block:: sh
-
- dbname:extension
-
-f.ex.
+The ``__object_id`` to pass to ``__postgres_extension`` is of the form
+``dbname:extension``, e.g.:
.. code-block:: sh
rails_test:unaccent
+**CAUTION!** Be careful when installing extensions from (untrusted) third-party
+sources:
+
+ | Installing an extension as superuser requires trusting that the extension's
+ author wrote the extension installation script in a secure fashion. It is
+ not terribly difficult for a malicious user to create trojan-horse objects
+ that will compromise later execution of a carelessly-written extension
+ script, allowing that user to acquire superuser privileges.
+ | – ``_
+
+
OPTIONAL PARAMETERS
-------------------
state
- either "present" or "absent", defaults to "present"
+ either ``present`` or ``absent``, defaults to ``present``.
EXAMPLES
@@ -36,24 +40,29 @@ EXAMPLES
.. code-block:: sh
- __postgres_extension rails_test:unaccent
- __postgres_extension --present rails_test:unaccent
- __postgres_extension --absent rails_test:unaccent
+ # Install extension unaccent into database rails_test
+ __postgres_extension rails_test:unaccent
+
+ # Drop extension unaccent from database fails_test
+ __postgres_extension rails_test:unaccent --state absent
SEE ALSO
--------
-:strong:`cdist-type__postgre_database`\ (7)
+- :strong:`cdist-type__postgres_database`\ (7)
+- PostgreSQL "CREATE EXTENSION" documentation at:
+ ``_.
-Postgres "Create Extension" documentation at: .
-AUTHOR
+AUTHORS
-------
-Tomas Pospisek
+| Tomas Pospisek
+| Dennis Camera
+
COPYING
-------
-Copyright \(C) 2014 Tomas Pospisek. You can redistribute it
-and/or modify it under the terms of the GNU General Public License as
-published by the Free Software Foundation, either version 3 of the
-License, or (at your option) any later version.
+Copyright \(C) 2014 Tomas Pospisek, 2021 Dennis Camera.
+You can redistribute it and/or modify it under the terms of the GNU General
+Public License as published by the Free Software Foundation, either version 3 of
+the License, or (at your option) any later version.
diff --git a/cdist/conf/type/__postgres_role/explorer/postgres_user b/cdist/conf/type/__postgres_role/explorer/postgres_user
new file mode 120000
index 00000000..714e7237
--- /dev/null
+++ b/cdist/conf/type/__postgres_role/explorer/postgres_user
@@ -0,0 +1 @@
+../../__postgres_conf/explorer/postgres_user
\ No newline at end of file
diff --git a/cdist/conf/type/__postgres_role/explorer/state b/cdist/conf/type/__postgres_role/explorer/state
index 34069de9..822816c1 100755
--- a/cdist/conf/type/__postgres_role/explorer/state
+++ b/cdist/conf/type/__postgres_role/explorer/state
@@ -19,19 +19,7 @@
# along with cdist. If not, see .
#
-case $("${__explorer:?}/os")
-in
- (netbsd)
- postgres_user='pgsql'
- ;;
- (openbsd)
- postgres_user='_postgresql'
- ;;
- (*)
- postgres_user='postgres'
- ;;
-esac
-
+postgres_user=$("${__type_explorer:?}/postgres_user")
rolename=${__object_id:?}
@@ -55,8 +43,7 @@ role_properties=$(
BEGIN { RS = "\036"; FS = "\034" }
/^\([0-9]+ rows?\)/ { exit }
NR == 1 { for (i = 1; i <= NF; i++) cols[i] = $i; next }
- NR == 2 { for (i = 1; i <= NF; i++) printf "%s=%s\n", cols[i], $i }
- '
+ NR == 2 { for (i = 1; i <= NF; i++) printf "%s=%s\n", cols[i], $i }'
)
if test -n "${role_properties}"
@@ -90,12 +77,10 @@ then
# Check password
passwd_stored=$(
psql_query "SELECT rolpassword FROM pg_authid WHERE rolname = '${rolename}'" \
- | awk 'BEGIN { RS = "\036" } NR == 2'
- printf .
- )
- passwd_stored=${passwd_stored%?.}
+ | awk 'BEGIN { RS = "\036" } NR == 2 { printf "%s.", $0 }')
+ passwd_stored=${passwd_stored%.}
- if test -f "${__object:?}/parameter/password"
+ if test -s "${__object:?}/parameter/password"
then
passwd_should=$(cat "${__object:?}/parameter/password"; printf .)
fi
diff --git a/cdist/conf/type/__postgres_role/gencode-remote b/cdist/conf/type/__postgres_role/gencode-remote
index d7631fbd..4cb78330 100755
--- a/cdist/conf/type/__postgres_role/gencode-remote
+++ b/cdist/conf/type/__postgres_role/gencode-remote
@@ -28,20 +28,7 @@ quote() {
fi | sed "s/'/'\\\\''/g;1s/^/'/;\$s/\$/'/"
}
-case $(cat "${__global:?}/explorer/os")
-in
- (netbsd)
- postgres_user='pgsql'
- ;;
- (openbsd)
- postgres_user='_postgresql'
- ;;
- (*)
- postgres_user='postgres'
- ;;
-esac
-
-
+postgres_user=$(cat "${__object:?}/explorer/postgres_user")
rolename=${__object_id:?}
state_is=$(cat "${__object:?}/explorer/state")
state_should=$(cat "${__object:?}/parameter/state")
@@ -59,7 +46,7 @@ psql_query() {
psql_set_password() {
# NOTE: Always make sure that the password does not end up in psql_history!
- # NOTE: Never set an empty string as the password, because they can be
+ # NOTE: Never set an empty string as the password, because it can be
# interpreted differently by different tooling.
if test -s "${__object:?}/parameter/password"
then