From 43c21aff1a1e07d8bdc2da211e3503a973ae4034 Mon Sep 17 00:00:00 2001 From: Ewoud Kohl van Wijngaarden Date: Tue, 26 Mar 2024 15:29:25 +0100 Subject: [PATCH] Add a global password_encryption parameter The function postgresql::password() looks at the default for encryption. If you want to use SCRAM on PostgreSQL < 14 then the default must be overridden, or specified for every use. This parameter allows it to be globally overridden. --- manifests/globals.pp | 5 +++++ manifests/params.pp | 2 +- spec/functions/postgresql_default_spec.rb | 14 ++++++++++++++ 3 files changed, 20 insertions(+), 1 deletion(-) diff --git a/manifests/globals.pp b/manifests/globals.pp index b9adfb4820..6cc149fc3f 100644 --- a/manifests/globals.pp +++ b/manifests/globals.pp @@ -81,6 +81,10 @@ # @param timezone # Sets the default timezone of the postgresql server. The postgresql built-in default is taking the systems timezone information. # +# @param password_encryption +# Specify the type of encryption set for the password. +# Defaults to scram-sha-256 for PostgreSQL >= 14, otherwise md5. +# # @param manage_pg_hba_conf Allow Puppet to manage the pg_hba.conf file. # @param manage_pg_ident_conf Allow Puppet to manage the pg_ident.conf file. # @param manage_recovery_conf Allow Puppet to manage the recovery.conf file. @@ -159,6 +163,7 @@ Optional[String[1]] $locale = undef, Optional[Boolean] $data_checksums = undef, Optional[String[1]] $timezone = undef, + Optional[Postgresql::Pg_password_encryption] $password_encryption = undef, Optional[Boolean] $manage_pg_hba_conf = undef, Optional[Boolean] $manage_pg_ident_conf = undef, diff --git a/manifests/params.pp b/manifests/params.pp index c777b0793c..8441aa829c 100644 --- a/manifests/params.pp +++ b/manifests/params.pp @@ -25,7 +25,7 @@ $manage_selinux = pick($manage_selinux, false) $package_ensure = 'present' $module_workdir = pick($module_workdir,'/tmp') - $password_encryption = versioncmp($version, '14') ? { -1 => 'md5', default => 'scram-sha-256' } + $password_encryption = pick($password_encryption, versioncmp($version, '14') ? { -1 => 'md5', default => 'scram-sha-256' }) $extra_systemd_config = undef $manage_datadir = true $manage_logdir = true diff --git a/spec/functions/postgresql_default_spec.rb b/spec/functions/postgresql_default_spec.rb index 12ecde207e..a1d0cd6d57 100644 --- a/spec/functions/postgresql_default_spec.rb +++ b/spec/functions/postgresql_default_spec.rb @@ -30,5 +30,19 @@ class { 'postgresql::server': # parameter in globals.pp only it { is_expected.to run.with_params('default_connect_settings').and_return({}) } + it { is_expected.to run.with_params('password_encryption').and_return('md5') } + it { is_expected.to run.with_params('a_parameter_that_does_not_exist').and_raise_error(Puppet::ParseError, %r{pick\(\): must receive at least one non empty value}) } + + context 'with overridden values' do + let(:pre_condition) do + <<~PUPPET + class { 'postgresql::globals': + password_encryption => 'scram-sha-256', + } + PUPPET + end + + it { is_expected.to run.with_params('password_encryption').and_return('scram-sha-256') } + end end