#!/bin/sh -e # # 2011 Steven Armstrong (steven-cdist at armstrong.cc) # 2020 Dennis Camera (dennis.camera at ssrq-sds-fds.ch) # # This file is part of cdist. # # cdist is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation, either version 3 of the License, or # (at your option) any later version. # # cdist is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with cdist. If not, see . # case $("${__explorer:?}/os") in (netbsd) postgres_user='pgsql' ;; (openbsd) postgres_user='_postgresql' ;; (*) postgres_user='postgres' ;; esac rolename=${__object_id:?} psql_query() { su -l "${postgres_user}" -c "$( printf "psql -q -F '\034' -R '\036' -wAc '%s'" \ "$(printf %s "$*" | sed "s/'/'\\\\''/g")" )" } password_check_login() ( PGPASSWORD=$(cat "${__object:?}/parameter/password"; printf .) PGPASSWORD=${PGPASSWORD%?.} export PGPASSWORD psql -q -w -h localhost -U "${rolename}" template1 -c '\q' >/dev/null 2>&1 ) role_properties=$( psql_query "SELECT * FROM pg_roles WHERE rolname = '${rolename}'" \ | awk ' BEGIN { RS = "\036"; FS = "\034" } /^\([0-9]+ rows?\)/ { exit } NR == 1 { for (i = 1; i <= NF; i++) cols[i] = $i; next } NR == 2 { for (i = 1; i <= NF; i++) printf "%s=%s\n", cols[i], $i } ' ) if test -n "${role_properties}" then # Check if the user's properties match the parameters for prop in login createdb createrole superuser do bool_should=$(test -f "${__object:?}/parameter/${prop}" && echo 't' || echo 'f') bool_is=$( printf '%s\n' "${role_properties}" | awk -F '=' -v key="${prop}" ' BEGIN { if (key == "login") key = "canlogin" else if (key == "superuser") key = "super" key = "rol" key } $1 == key { sub(/^[^=]*=/, "") print } ' ) test "${bool_is}" = "${bool_should}" || { state='different properties' } done # Check password passwd_stored=$( psql_query "SELECT rolpassword FROM pg_authid WHERE rolname = '${rolename}'" \ | awk 'BEGIN { RS = "\036" } NR == 2' printf . ) passwd_stored=${passwd_stored%?.} if test -f "${__object:?}/parameter/password" then passwd_should=$(cat "${__object:?}/parameter/password"; printf .) fi passwd_should=${passwd_should%?.} if test -z "${passwd_stored}" then test -z "${passwd_should}" || state="${state:-different} password" elif expr "${passwd_stored}" : 'SCRAM-SHA-256\$.*$' >/dev/null then # SCRAM-SHA-256 "encrypted" password # NOTE: There is currently no easy way to check SCRAM passwords without # logging in password_check_login || state="${state:-different} password" elif expr "${passwd_stored}" : 'md5[0-9a-f]\{32\}$' >/dev/null then # MD5 "encrypted" password if command -v md5sum >/dev/null 2>&1 then should_md5=$( printf '%s%s' "${passwd_should}" "${rolename}" \ | md5sum - | sed -e 's/[^0-9a-f]*$//') elif command -v gmd5sum >/dev/null 2>&1 then should_md5=$( printf '%s%s' "${passwd_should}" "${rolename}" \ | gmd5sum - | sed -e 's/[^0-9a-f]*$//') elif command -v openssl >/dev/null 2>&1 then should_md5=$( printf '%s%s' "${passwd_should}" "${rolename}" \ | openssl dgst -md5 | sed 's/^.* //') fi if test -n "${should_md5}" then test "${passwd_stored}" = "md5${should_md5}" \ || state="${state:-different} password" else password_check_login || state="${state:-different} password" fi else # unencrypted password (unsupported since PostgreSQL 10) test "${passwd_stored}" = "${passwd_should}" \ || state="${state:-different} password" fi test -n "${state}" || state='present' else state='absent' fi echo "${state}"