#!/bin/sh -e # # 2011 Steven Armstrong (steven-cdist at armstrong.cc) # 2020 Dennis Camera (dennis.camera at ssrq-sds-fds.ch) # # This file is part of cdist. # # cdist is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation, either version 3 of the License, or # (at your option) any later version. # # cdist is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with cdist. If not, see . # quote() { if test $# -gt 0 then printf '%s' "$*" else cat - fi | sed "s/'/'\\\\''/g;1s/^/'/;\$s/\$/'/" } case $(cat "${__global:?}/explorer/os") in (netbsd) postgres_user='pgsql' ;; (openbsd) postgres_user='_postgresql' ;; (*) postgres_user='postgres' ;; esac rolename=${__object_id:?} state_is=$(cat "${__object:?}/explorer/state") state_should=$(cat "${__object:?}/parameter/state") if test "${state_is}" = "${state_should}" then exit 0 fi psql_query() { printf 'su -l %s -c %s\n' \ "$(quote "${postgres_user}")" \ "$(quote "psql postgres -q -w -c $(quote "$1")")" } psql_set_password() { # NOTE: Always make sure that the password does not end up in psql_history! # NOTE: Never set an empty string as the password, because they can be # interpreted differently by different tooling. if test -s "${__object:?}/parameter/password" then cat <<-EOF exec 3< "\${__object:?}/parameter/password" su -l '${postgres_user}' -c 'psql -q -w postgres' <<'SQL' \set HISTFILE /dev/null \set pw \`cat <&3\` ALTER ROLE "${rolename}" WITH PASSWORD :'pw'; SQL exec 3<&- EOF else psql_query "ALTER ROLE \"${rolename}\" WITH PASSWORD NULL;" fi } role_properties_should() { _props= for _prop in login createdb createrole superuser do _props="${_props}${_props:+ }$( if test -f "${__object:?}/parameter/${_prop}" then echo "${_prop}" else echo "no${_prop}" fi \ | tr '[:lower:]' '[:upper:]')" done printf '%s\n' "${_props}" unset _prop _props } case ${state_should} in (present) case ${state_is} in (absent) psql_query "CREATE ROLE \"${rolename}\" WITH $(role_properties_should);" psql_set_password ;; (different*) if expr "${state_is}" : 'different.*properties' >/dev/null then psql_query "ALTER ROLE \"${rolename}\" WITH $(role_properties_should);" fi if expr "${state_is}" : 'different.*password' >/dev/null then psql_set_password fi ;; (*) printf 'Invalid state reported by state explorer: %s\n' "${state_is}" >&2 exit 1 ;; esac ;; (absent) printf 'su -l %s -c %s\n' \ "$(quote "${postgres_user}")" \ "$(quote "dropuser $(quote "${rolename}")")" ;; esac