postgresql_user: add scram-sha-256 password support (#100)

* postgresql_user: add support for scram-sha-256 passwords * postgresql_user: add support for scram-sha-256 passwords * add changelog fragment * fix
2025-07-28 07:31:23 -07:00 · 2020-04-22 14:45:14 +03:00 · 2020-04-22 14:45:14 +03:00 · bb459cb014
commit bb459cb014
parent dee5de23d7
5 changed files with 391 additions and 5 deletions
--- a/tests/integration/targets/postgresql_user/tasks/test_password.yml
+++ b/tests/integration/targets/postgresql_user/tasks/test_password.yml
@ -3,10 +3,12 @@
      become_user: "{{ pg_user }}"
      become: yes
      register: result
-    postgresql_parameters: &parameters
+    postgresql_query_parameters: &query_parameters
      db: postgres
-      name: "{{ db_user1 }}"
      login_user: "{{ pg_user }}"
+    postgresql_parameters: &parameters
+      <<: *query_parameters
+      name: "{{ db_user1 }}"

  block:
  - name: 'Check that PGOPTIONS environment variable is effective (1/2)'
@ -300,6 +302,97 @@

    when: encrypted == 'no'

+  # start of block scram-sha-256
+  # scram-sha-256 password encryption type is supported since PostgreSQL 10
+  - when: postgres_version_resp.stdout is version('10', '>=')
+    block:
+
+    - name: 'Using cleartext password with scram-sha-256: resetting password'
+      <<: *task_parameters
+      postgresql_user:
+        <<: *parameters
+        password: ""
+        encrypted: "{{ encrypted }}"
+      environment:
+        PGCLIENTENCODING: 'UTF8'
+
+    - name: 'Using cleartext password with scram-sha-256: check that password is changed when using cleartext password'
+      <<: *task_parameters
+      postgresql_user:
+        <<: *parameters
+        password: "{{ db_password1 }}"
+        encrypted: "{{ encrypted }}"
+      environment:
+        PGCLIENTENCODING: 'UTF8'
+        # ansible postgresql_user module interface does not (yet) support forcing password_encryption
+        # type value, we'll have to hack it in env variable to force correct encryption
+        PGOPTIONS: "-c password_encryption=scram-sha-256"
+
+    - <<: *changed
+
+    - name: 'Using cleartext password with scram-sha-256: ensure password is properly encrypted'
+      <<: *task_parameters
+      postgresql_query:
+        <<: *query_parameters
+        query: select * from pg_authid where rolname=%s and rolpassword like %s
+        positional_args:
+          - '{{ db_user1 }}'
+          - 'SCRAM-SHA-256$%'
+
+    - assert:
+        that:
+          - result.rowcount == 1
+
+    - name: 'Using cleartext password with scram-sha-256: check that password is not changed when using the same password'
+      <<: *task_parameters
+      postgresql_user:
+        <<: *parameters
+        password: "{{ db_password1 }}"
+        encrypted: "{{ encrypted }}"
+      environment:
+        PGCLIENTENCODING: 'UTF8'
+        PGOPTIONS: "-c password_encryption=scram-sha-256"
+
+    - <<: *not_changed
+
+    - name: 'Using cleartext password with scram-sha-256: check that password is changed when using another cleartext password'
+      <<: *task_parameters
+      postgresql_user:
+        <<: *parameters
+        password: "changed{{ db_password1 }}"
+        encrypted: "{{ encrypted }}"
+      environment:
+        PGCLIENTENCODING: 'UTF8'
+        PGOPTIONS: "-c password_encryption=scram-sha-256"
+
+    - <<: *changed
+
+    - name: 'Using cleartext password with scram-sha-256: check that password is changed when clearing the password'
+      <<: *task_parameters
+      postgresql_user:
+        <<: *parameters
+        password: ''
+        encrypted: "{{ encrypted }}"
+      environment:
+        PGCLIENTENCODING: 'UTF8'
+        PGOPTIONS: "-c password_encryption=scram-sha-256"
+
+    - <<: *changed
+
+    - name: 'Using cleartext password with scram-sha-256: check that password is not changed when clearing the password again'
+      <<: *task_parameters
+      postgresql_user:
+        <<: *parameters
+        password: ''
+        encrypted: "{{ encrypted }}"
+      environment:
+        PGCLIENTENCODING: 'UTF8'
+        PGOPTIONS: "-c password_encryption=scram-sha-256"
+
+    - <<: *not_changed
+
+  # end of block scram-sha-256
+
  - name: Remove user
    <<: *task_parameters
    postgresql_user:
--- a/tests/unit/module_utils/test_saslprep.py
+++ b/tests/unit/module_utils/test_saslprep.py
@ -0,0 +1,55 @@
+# -*- coding: utf-8 -*-
+# Copyright: (c) 2019, Andrey Tuzhilin <andrei.tuzhilin@gmail.com>
+# Copyright: (c) 2020, Andrew Klychkov (@Andersson007) <aaklychkov@mail.ru>
+
+from __future__ import (absolute_import, division, print_function)
+__metaclass__ = type
+
+import pytest
+
+from ansible_collections.community.general.plugins.module_utils.saslprep import saslprep
+
+
+VALID = [
+    (u'', u''),
+    (u'\u00A0', u' '),
+    (u'a', u'a'),
+    (u'й', u'й'),
+    (u'\u30DE\u30C8\u30EA\u30C3\u30AF\u30B9', u'\u30DE\u30C8\u30EA\u30C3\u30AF\u30B9'),
+    (u'The\u00ADM\u00AAtr\u2168', u'TheMatrIX'),
+    (u'I\u00ADX', u'IX'),
+    (u'user', u'user'),
+    (u'USER', u'USER'),
+    (u'\u00AA', u'a'),
+    (u'\u2168', u'IX'),
+    (u'\u05BE\u00A0\u05BE', u'\u05BE\u0020\u05BE'),
+]
+
+INVALID = [
+    (None, TypeError),
+    (b'', TypeError),
+    (u'\u0221', ValueError),
+    (u'\u0007', ValueError),
+    (u'\u0627\u0031', ValueError),
+    (u'\uE0001', ValueError),
+    (u'\uE0020', ValueError),
+    (u'\uFFF9', ValueError),
+    (u'\uFDD0', ValueError),
+    (u'\u0000', ValueError),
+    (u'\u06DD', ValueError),
+    (u'\uFFFFD', ValueError),
+    (u'\uD800', ValueError),
+    (u'\u200E', ValueError),
+    (u'\u05BE\u00AA\u05BE', ValueError),
+]
+
+
+@pytest.mark.parametrize('source,target', VALID)
+def test_saslprep_conversions(source, target):
+    assert saslprep(source) == target
+
+
+@pytest.mark.parametrize('source,exception', INVALID)
+def test_saslprep_exceptions(source, exception):
+    with pytest.raises(exception) as ex:
+        saslprep(source)