postgresql_user: add scram-sha-256 password support (#100)

* postgresql_user: add support for scram-sha-256 passwords

* postgresql_user: add support for scram-sha-256 passwords

* add changelog fragment

* fix

tests/integration/targets/postgresql_user/tasks/test_password.yml

@@ -3,10 +3,12 @@
       become_user: "{{ pg_user }}"
       become: yes
       register: result
-    postgresql_parameters: &parameters
+    postgresql_query_parameters: &query_parameters
       db: postgres
-      name: "{{ db_user1 }}"
       login_user: "{{ pg_user }}"
+    postgresql_parameters: &parameters
+      <<: *query_parameters
+      name: "{{ db_user1 }}"
 
   block:
   - name: 'Check that PGOPTIONS environment variable is effective (1/2)'
@@ -300,6 +302,97 @@
 
     when: encrypted == 'no'
 
+  # start of block scram-sha-256
+  # scram-sha-256 password encryption type is supported since PostgreSQL 10
+  - when: postgres_version_resp.stdout is version('10', '>=')
+    block:
+
+    - name: 'Using cleartext password with scram-sha-256: resetting password'
+      <<: *task_parameters
+      postgresql_user:
+        <<: *parameters
+        password: ""
+        encrypted: "{{ encrypted }}"
+      environment:
+        PGCLIENTENCODING: 'UTF8'
+
+    - name: 'Using cleartext password with scram-sha-256: check that password is changed when using cleartext password'
+      <<: *task_parameters
+      postgresql_user:
+        <<: *parameters
+        password: "{{ db_password1 }}"
+        encrypted: "{{ encrypted }}"
+      environment:
+        PGCLIENTENCODING: 'UTF8'
+        # ansible postgresql_user module interface does not (yet) support forcing password_encryption
+        # type value, we'll have to hack it in env variable to force correct encryption
+        PGOPTIONS: "-c password_encryption=scram-sha-256"
+
+    - <<: *changed
+
+    - name: 'Using cleartext password with scram-sha-256: ensure password is properly encrypted'
+      <<: *task_parameters
+      postgresql_query:
+        <<: *query_parameters
+        query: select * from pg_authid where rolname=%s and rolpassword like %s
+        positional_args:
+          - '{{ db_user1 }}'
+          - 'SCRAM-SHA-256$%'
+
+    - assert:
+        that:
+          - result.rowcount == 1
+
+    - name: 'Using cleartext password with scram-sha-256: check that password is not changed when using the same password'
+      <<: *task_parameters
+      postgresql_user:
+        <<: *parameters
+        password: "{{ db_password1 }}"
+        encrypted: "{{ encrypted }}"
+      environment:
+        PGCLIENTENCODING: 'UTF8'
+        PGOPTIONS: "-c password_encryption=scram-sha-256"
+
+    - <<: *not_changed
+
+    - name: 'Using cleartext password with scram-sha-256: check that password is changed when using another cleartext password'
+      <<: *task_parameters
+      postgresql_user:
+        <<: *parameters
+        password: "changed{{ db_password1 }}"
+        encrypted: "{{ encrypted }}"
+      environment:
+        PGCLIENTENCODING: 'UTF8'
+        PGOPTIONS: "-c password_encryption=scram-sha-256"
+
+    - <<: *changed
+
+    - name: 'Using cleartext password with scram-sha-256: check that password is changed when clearing the password'
+      <<: *task_parameters
+      postgresql_user:
+        <<: *parameters
+        password: ''
+        encrypted: "{{ encrypted }}"
+      environment:
+        PGCLIENTENCODING: 'UTF8'
+        PGOPTIONS: "-c password_encryption=scram-sha-256"
+
+    - <<: *changed
+
+    - name: 'Using cleartext password with scram-sha-256: check that password is not changed when clearing the password again'
+      <<: *task_parameters
+      postgresql_user:
+        <<: *parameters
+        password: ''
+        encrypted: "{{ encrypted }}"
+      environment:
+        PGCLIENTENCODING: 'UTF8'
+        PGOPTIONS: "-c password_encryption=scram-sha-256"
+
+    - <<: *not_changed
+
+  # end of block scram-sha-256
+
   - name: Remove user
     <<: *task_parameters
     postgresql_user: