cdist/cdist/conf/type/__postgres_role/explorer/state

#!/bin/sh -e
#
# 2011 Steven Armstrong (steven-cdist at armstrong.cc)
# 2020 Dennis Camera (dennis.camera at ssrq-sds-fds.ch)
#
# This file is part of cdist.
#
# cdist is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# cdist is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.	See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with cdist. If not, see <http://www.gnu.org/licenses/>.
#

case $("${__explorer:?}/os")
in
	(netbsd)
		postgres_user='pgsql'
		;;
	(openbsd)
		postgres_user='_postgresql'
		;;
	(*)
		postgres_user='postgres'
		;;
esac

rolename=${__object_id:?}


psql_query() {
	su -l "${postgres_user}" -c "$(
		printf "psql -q -F '\034' -R '\036' -wAc '%s'" \
		"$(printf %s "$*" | sed "s/'/'\\\\''/g")"
	)"
}

password_check_login() (
	PGPASSWORD=$(cat "${__object:?}/parameter/password"; printf .)
	PGPASSWORD=${PGPASSWORD%?.}
	export PGPASSWORD
	psql -q -w -h localhost -U "${rolename}" template1 -c '\q' >/dev/null 2>&1
)

role_properties=$(
	psql_query "SELECT * FROM pg_roles WHERE rolname = '${rolename}'" \
	| awk '
	  BEGIN { RS = "\036"; FS = "\034" }
	  /^\([0-9]+ rows?\)/ { exit }
	  NR == 1 { for (i = 1; i <= NF; i++) cols[i] = $i; next }
	  NR == 2 { for (i = 1; i <= NF; i++) printf "%s=%s\n", cols[i], $i }
	  '
)

if test -n "${role_properties}"
then
	# Check if the user's properties match the parameters
	for prop in login createdb createrole superuser
	do
		bool_should=$(test -f "${__object:?}/parameter/${prop}" && echo 't' || echo 'f')
		bool_is=$(
			printf '%s\n' "${role_properties}" |
			awk -F '=' -v key="${prop}" '
			BEGIN {
				if (key == "login")
					key = "canlogin"
				else if (key == "superuser")
					key = "super"
				key = "rol" key
			}
			$1 == key {
				sub(/^[^=]*=/, "")
				print
			}
			'
		)

		test "${bool_is}" = "${bool_should}" || {
			state='different properties'
		}
	done

	# Check password
	passwd_stored=$(
		psql_query "SELECT rolpassword FROM pg_authid WHERE rolname = '${rolename}'" \
		| awk 'BEGIN { RS = "\036" } NR == 2'
		printf .
	)
	passwd_stored=${passwd_stored%?.}

	if test -f "${__object:?}/parameter/password"
	then
		passwd_should=$(cat "${__object:?}/parameter/password"; printf .)
	fi
	passwd_should=${passwd_should%?.}

	if test -z "${passwd_stored}"
	then
		test -z "${passwd_should}" || state="${state:-different} password"
	elif expr "${passwd_stored}" : 'SCRAM-SHA-256\$.*$' >/dev/null
	then
		# SCRAM-SHA-256 "encrypted" password
		# NOTE: There is currently no easy way to check SCRAM passwords without
		#       logging in
		password_check_login || state="${state:-different} password"
	elif expr "${passwd_stored}" : 'md5[0-9a-f]\{32\}$' >/dev/null
	then
		# MD5 "encrypted" password
		if command -v md5sum >/dev/null 2>&1
		then
			should_md5=$(
				printf '%s%s' "${passwd_should}" "${rolename}" \
				| md5sum - | sed -e 's/[^0-9a-f]*$//')
		elif command -v gmd5sum >/dev/null 2>&1
		then
			should_md5=$(
				printf '%s%s' "${passwd_should}" "${rolename}" \
				| gmd5sum - | sed -e 's/[^0-9a-f]*$//')
		elif command -v openssl >/dev/null 2>&1
		then
			should_md5=$(
				printf '%s%s' "${passwd_should}" "${rolename}" \
				| openssl dgst -md5 | sed 's/^.* //')
		fi

		if test -n "${should_md5}"
		then
			test "${passwd_stored}" = "md5${should_md5}" \
			|| state="${state:-different} password"
		else
			password_check_login || state="${state:-different} password"
		fi
	else
		# unencrypted password (unsupported since PostgreSQL 10)
		test "${passwd_stored}" = "${passwd_should}" \
		|| state="${state:-different} password"
	fi

	test -n "${state}" || state='present'
else
	state='absent'
fi

echo "${state}"