postgresql_user: add scram-sha-256 password support (#100)
* postgresql_user: add support for scram-sha-256 passwords * postgresql_user: add support for scram-sha-256 passwords * add changelog fragment * fix
parent
dee5de23d7
commit
bb459cb014
5 changed files with 391 additions and 5 deletions
|
@ -3,10 +3,12 @@
|
|||
become_user: "{{ pg_user }}"
|
||||
become: yes
|
||||
register: result
|
||||
postgresql_parameters: ¶meters
|
||||
postgresql_query_parameters: &query_parameters
|
||||
db: postgres
|
||||
name: "{{ db_user1 }}"
|
||||
login_user: "{{ pg_user }}"
|
||||
postgresql_parameters: ¶meters
|
||||
<<: *query_parameters
|
||||
name: "{{ db_user1 }}"
|
||||
|
||||
block:
|
||||
- name: 'Check that PGOPTIONS environment variable is effective (1/2)'
|
||||
|
@ -300,6 +302,97 @@
|
|||
|
||||
when: encrypted == 'no'
|
||||
|
||||
# start of block scram-sha-256
|
||||
# scram-sha-256 password encryption type is supported since PostgreSQL 10
|
||||
- when: postgres_version_resp.stdout is version('10', '>=')
|
||||
block:
|
||||
|
||||
- name: 'Using cleartext password with scram-sha-256: resetting password'
|
||||
<<: *task_parameters
|
||||
postgresql_user:
|
||||
<<: *parameters
|
||||
password: ""
|
||||
encrypted: "{{ encrypted }}"
|
||||
environment:
|
||||
PGCLIENTENCODING: 'UTF8'
|
||||
|
||||
- name: 'Using cleartext password with scram-sha-256: check that password is changed when using cleartext password'
|
||||
<<: *task_parameters
|
||||
postgresql_user:
|
||||
<<: *parameters
|
||||
password: "{{ db_password1 }}"
|
||||
encrypted: "{{ encrypted }}"
|
||||
environment:
|
||||
PGCLIENTENCODING: 'UTF8'
|
||||
# ansible postgresql_user module interface does not (yet) support forcing password_encryption
|
||||
# type value, we'll have to hack it in env variable to force correct encryption
|
||||
PGOPTIONS: "-c password_encryption=scram-sha-256"
|
||||
|
||||
- <<: *changed
|
||||
|
||||
- name: 'Using cleartext password with scram-sha-256: ensure password is properly encrypted'
|
||||
<<: *task_parameters
|
||||
postgresql_query:
|
||||
<<: *query_parameters
|
||||
query: select * from pg_authid where rolname=%s and rolpassword like %s
|
||||
positional_args:
|
||||
- '{{ db_user1 }}'
|
||||
- 'SCRAM-SHA-256$%'
|
||||
|
||||
- assert:
|
||||
that:
|
||||
- result.rowcount == 1
|
||||
|
||||
- name: 'Using cleartext password with scram-sha-256: check that password is not changed when using the same password'
|
||||
<<: *task_parameters
|
||||
postgresql_user:
|
||||
<<: *parameters
|
||||
password: "{{ db_password1 }}"
|
||||
encrypted: "{{ encrypted }}"
|
||||
environment:
|
||||
PGCLIENTENCODING: 'UTF8'
|
||||
PGOPTIONS: "-c password_encryption=scram-sha-256"
|
||||
|
||||
- <<: *not_changed
|
||||
|
||||
- name: 'Using cleartext password with scram-sha-256: check that password is changed when using another cleartext password'
|
||||
<<: *task_parameters
|
||||
postgresql_user:
|
||||
<<: *parameters
|
||||
password: "changed{{ db_password1 }}"
|
||||
encrypted: "{{ encrypted }}"
|
||||
environment:
|
||||
PGCLIENTENCODING: 'UTF8'
|
||||
PGOPTIONS: "-c password_encryption=scram-sha-256"
|
||||
|
||||
- <<: *changed
|
||||
|
||||
- name: 'Using cleartext password with scram-sha-256: check that password is changed when clearing the password'
|
||||
<<: *task_parameters
|
||||
postgresql_user:
|
||||
<<: *parameters
|
||||
password: ''
|
||||
encrypted: "{{ encrypted }}"
|
||||
environment:
|
||||
PGCLIENTENCODING: 'UTF8'
|
||||
PGOPTIONS: "-c password_encryption=scram-sha-256"
|
||||
|
||||
- <<: *changed
|
||||
|
||||
- name: 'Using cleartext password with scram-sha-256: check that password is not changed when clearing the password again'
|
||||
<<: *task_parameters
|
||||
postgresql_user:
|
||||
<<: *parameters
|
||||
password: ''
|
||||
encrypted: "{{ encrypted }}"
|
||||
environment:
|
||||
PGCLIENTENCODING: 'UTF8'
|
||||
PGOPTIONS: "-c password_encryption=scram-sha-256"
|
||||
|
||||
- <<: *not_changed
|
||||
|
||||
# end of block scram-sha-256
|
||||
|
||||
- name: Remove user
|
||||
<<: *task_parameters
|
||||
postgresql_user:
|
||||
|
|
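--- a/tests/unit/module_utils/test_saslprep.py
+++ b/tests/unit/module_utils/test_saslprep.py
@@ -0,0 +1,55 @@
+# -*- coding: utf-8 -*-
+# Copyright: (c) 2019, Andrey Tuzhilin <andrei.tuzhilin@gmail.com>
+# Copyright: (c) 2020, Andrew Klychkov (@Andersson007) <aaklychkov@mail.ru>
+
+from __future__ import (absolute_import, division, print_function)
+__metaclass__ = type
+
+import pytest
+
+from ansible_collections.community.general.plugins.module_utils.saslprep import saslprep
+
+
+VALID = [
+(u'', u''),
+(u'\u00A0', u' '),
+(u'a', u'a'),
+(u'й', u'й'),
+(u'\u30DE\u30C8\u30EA\u30C3\u30AF\u30B9', u'\u30DE\u30C8\u30EA\u30C3\u30AF\u30B9'),
+(u'The\u00ADM\u00AAtr\u2168', u'TheMatrIX'),
+(u'I\u00ADX', u'IX'),
+(u'user', u'user'),
+(u'USER', u'USER'),
+(u'\u00AA', u'a'),
+(u'\u2168', u'IX'),
+(u'\u05BE\u00A0\u05BE', u'\u05BE\u0020\u05BE'),
+]
+
+INVALID = [
+(None, TypeError),
+(b'', TypeError),
+(u'\u0221', ValueError),
+(u'\u0007', ValueError),
+(u'\u0627\u0031', ValueError),
+(u'\uE0001', ValueError),
+(u'\uE0020', ValueError),
+(u'\uFFF9', ValueError),
+(u'\uFDD0', ValueError),
+(u'\u0000', ValueError),
+(u'\u06DD', ValueError),
+(u'\uFFFFD', ValueError),
+(u'\uD800', ValueError),
+(u'\u200E', ValueError),
+(u'\u05BE\u00AA\u05BE', ValueError),
+]
+
+
+@pytest.mark.parametrize('source,target', VALID)
+def test_saslprep_conversions(source, target):
+assert saslprep(source) == target
+
+
+@pytest.mark.parametrize('source,exception', INVALID)
+def test_saslprep_exceptions(source, exception):
+with pytest.raises(exception) as ex:
+saslprep(source)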
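Review bot: Three entries in the INVALID list do not test the code points they appear to name: `u'\uE0001'`, `u'\uE0020'` and `u'\uFFFFD'` use the four-digit `\u` escape, so Python reads them as U+E000 or U+FFFF followed by a literal `1`, `0` or `D`. They still raise ValueError, presumably because U+E000 and U+FFFF are themselves prohibited, so the tests pass without ever exercising the tagging characters or the plane-15 private-use range. Since saslprep output feeds the SCRAM password hash, those classes deserve real coverage; use the eight-digit form: `(u'\U000E0001', ValueError)`, `(u'\U000E0020', ValueError)`, `(u'\U000FFFFD', ValueError)`. The `as ex` binding in test_saslprep_exceptions is unused and can be dropped.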