postgresql_user: add scram-sha-256 password support (#100)

* postgresql_user: add support for scram-sha-256 passwords

* postgresql_user: add support for scram-sha-256 passwords

* add changelog fragment

* fix
Andrew Klychkov 2020-04-22 14:45:14 +03:00 committed by GitHub
commit bb459cb014
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
5 changed files with 391 additions and 5 deletions


@ -3,10 +3,12 @@
become_user: "{{ pg_user }}"
become: yes
register: result
postgresql_parameters: &parameters
postgresql_query_parameters: &query_parameters
db: postgres
name: "{{ db_user1 }}"
login_user: "{{ pg_user }}"
postgresql_parameters: &parameters
<<: *query_parameters
name: "{{ db_user1 }}"
block:
- name: 'Check that PGOPTIONS environment variable is effective (1/2)'
@ -300,6 +302,97 @@
when: encrypted == 'no'
# start of block scram-sha-256
# scram-sha-256 password encryption type is supported since PostgreSQL 10
- when: postgres_version_resp.stdout is version('10', '>=')
block:
- name: 'Using cleartext password with scram-sha-256: resetting password'
<<: *task_parameters
postgresql_user:
<<: *parameters
password: ""
encrypted: "{{ encrypted }}"
environment:
PGCLIENTENCODING: 'UTF8'
- name: 'Using cleartext password with scram-sha-256: check that password is changed when using cleartext password'
<<: *task_parameters
postgresql_user:
<<: *parameters
password: "{{ db_password1 }}"
encrypted: "{{ encrypted }}"
environment:
PGCLIENTENCODING: 'UTF8'
# ansible postgresql_user module interface does not (yet) support forcing password_encryption
# type value, we'll have to hack it in env variable to force correct encryption
PGOPTIONS: "-c password_encryption=scram-sha-256"
- <<: *changed
- name: 'Using cleartext password with scram-sha-256: ensure password is properly encrypted'
<<: *task_parameters
postgresql_query:
<<: *query_parameters
query: select * from pg_authid where rolname=%s and rolpassword like %s
positional_args:
- '{{ db_user1 }}'
- 'SCRAM-SHA-256$%'
- assert:
that:
- result.rowcount == 1
- name: 'Using cleartext password with scram-sha-256: check that password is not changed when using the same password'
<<: *task_parameters
postgresql_user:
<<: *parameters
password: "{{ db_password1 }}"
encrypted: "{{ encrypted }}"
environment:
PGCLIENTENCODING: 'UTF8'
PGOPTIONS: "-c password_encryption=scram-sha-256"
- <<: *not_changed
- name: 'Using cleartext password with scram-sha-256: check that password is changed when using another cleartext password'
<<: *task_parameters
postgresql_user:
<<: *parameters
password: "changed{{ db_password1 }}"
encrypted: "{{ encrypted }}"
environment:
PGCLIENTENCODING: 'UTF8'
PGOPTIONS: "-c password_encryption=scram-sha-256"
- <<: *changed
- name: 'Using cleartext password with scram-sha-256: check that password is changed when clearing the password'
<<: *task_parameters
postgresql_user:
<<: *parameters
password: ''
encrypted: "{{ encrypted }}"
environment:
PGCLIENTENCODING: 'UTF8'
PGOPTIONS: "-c password_encryption=scram-sha-256"
- <<: *changed
- name: 'Using cleartext password with scram-sha-256: check that password is not changed when clearing the password again'
<<: *task_parameters
postgresql_user:
<<: *parameters
password: ''
encrypted: "{{ encrypted }}"
environment:
PGCLIENTENCODING: 'UTF8'
PGOPTIONS: "-c password_encryption=scram-sha-256"
- <<: *not_changed
# end of block scram-sha-256
- name: Remove user
<<: *task_parameters
postgresql_user:
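Review bot: The verification query in the task `Using cleartext password with scram-sha-256: ensure password is properly encrypted` selects every column of pg_authid, so the stored SCRAM verifier (rolpassword) is returned to Ansible and, since `register: result` sits in the same vars stanza as the `task_parameters` these tasks merge (first hunk, presumably under that anchor), lands in the registered result and any verbose play log. Only `result.rowcount` is asserted afterwards, so the projection can be narrowed without weakening the check: `query: select 1 from pg_authid where rolname=%s and rolpassword like %s`. It is also worth stating in the nearby comment that the `PGOPTIONS: "-c password_encryption=scram-sha-256"` workaround only affects how the server hashes the cleartext sent by the module, which is why the assertion inspects the `SCRAM-SHA-256$` prefix rather than the module's return value. Minor style point: the reset task uses `password: ""` while the later clearing tasks use `password: ''`; one quoting style should be used throughout the block. The `block:` guarded by the version `when:` closes inside this hunk, but the enclosing task list continues past it.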


@ -0,0 +1,55 @@
# -*- coding: utf-8 -*-
# Copyright: (c) 2019, Andrey Tuzhilin <andrei.tuzhilin@gmail.com>
# Copyright: (c) 2020, Andrew Klychkov (@Andersson007) <aaklychkov@mail.ru>
from __future__ import (absolute_import, division, print_function)
__metaclass__ = type
import pytest
from ansible_collections.community.general.plugins.module_utils.saslprep import saslprep
VALID = [
(u'', u''),
(u'\u00A0', u' '),
(u'a', u'a'),
(u'й', u'й'),
(u'\u30DE\u30C8\u30EA\u30C3\u30AF\u30B9', u'\u30DE\u30C8\u30EA\u30C3\u30AF\u30B9'),
(u'The\u00ADM\u00AAtr\u2168', u'TheMatrIX'),
(u'I\u00ADX', u'IX'),
(u'user', u'user'),
(u'USER', u'USER'),
(u'\u00AA', u'a'),
(u'\u2168', u'IX'),
(u'\u05BE\u00A0\u05BE', u'\u05BE\u0020\u05BE'),
]
INVALID = [
(None, TypeError),
(b'', TypeError),
(u'\u0221', ValueError),
(u'\u0007', ValueError),
(u'\u0627\u0031', ValueError),
(u'\uE0001', ValueError),
(u'\uE0020', ValueError),
(u'\uFFF9', ValueError),
(u'\uFDD0', ValueError),
(u'\u0000', ValueError),
(u'\u06DD', ValueError),
(u'\uFFFFD', ValueError),
(u'\uD800', ValueError),
(u'\u200E', ValueError),
(u'\u05BE\u00AA\u05BE', ValueError),
]
@pytest.mark.parametrize('source,target', VALID)
def test_saslprep_conversions(source, target):
assert saslprep(source) == target
@pytest.mark.parametrize('source,exception', INVALID)
def test_saslprep_exceptions(source, exception):
with pytest.raises(exception) as ex:
saslprep(source)