Merge pull request puppetlabs#218 from fiddyspence/set_postgres_postgrespw

Alter escaping in postgresql::config::afterservice

Author: hunner

lib/puppet/parser/functions/postgresql_escape.rb

@@ -0,0 +1,25 @@
+require 'digest/md5'
+
+module Puppet::Parser::Functions
+  newfunction(:postgresql_escape, :type => :rvalue, :doc => <<-EOS
+    Safely escapes a string using $$ using a random tag which should be consistent
+    EOS
+  ) do |args|
+
+    raise(Puppet::ParseError, "postgresql_escape(): Wrong number of arguments " +
+      "given (#{args.size} for 1)") if args.size != 1
+
+    password = args[0]
+
+    if password !~ /\$\$/ 
+      retval = "$$#{password}$$"
+    else
+      escape = Digest::MD5.hexdigest(password)[0..5].gsub(/\d/,'')
+      until password !~ /#{escape}/
+        escape = Digest::MD5.hexdigest(escape)[0..5].gsub(/\d/,'')
+      end
+      retval = "$#{escape}$#{password}$#{escape}$"
+    end
+    retval 
+  end
+end

manifests/config/afterservice.pp

@@ -26,9 +26,10 @@
     #  to allow the postgres system user to connect via psql without specifying
     #  a password ('ident' or 'trust' security).  This is the default
     #  for pg_hba.conf.
+    $escapedpassword = postgresql_escape($postgres_password)
     exec { 'set_postgres_postgrespw':
         # This command works w/no password because we run it as postgres system user
-        command     => "psql -c \"ALTER ROLE ${postgresql::params::user} PASSWORD '${postgres_password}'\"",
+        command     => "psql -c 'ALTER ROLE \"${postgresql::params::user}\" PASSWORD ${escapedpassword}'",
         user        => $postgresql::params::user,
         group       => $postgresql::params::group,
         logoutput   => true,
@@ -37,7 +38,7 @@
         #  a password.  We specify the password via the PGPASSWORD environment variable.  If
         #  the password is correct (current), this command will exit with an exit code of 0,
         #  which will prevent the main command from running.
-        unless      => "env PGPASSWORD=\"${postgres_password}\" psql -h localhost -c 'select 1' > /dev/null",
+        unless      => "env PGPASSWORD='${postgres_password}' psql -h localhost -c 'select 1' > /dev/null",
         path        => '/usr/bin:/usr/local/bin:/bin',
     }
   }

spec/system/install_spec.rb

@@ -157,6 +157,45 @@ class { 'postgresql::server': }
     end
   end
 
+  describe 'custom postgres password' do
+    it 'should install and successfully adjust the password' do
+      pp = <<-EOS
+        class { "postgresql::server":
+          config_hash => {
+            'postgres_password'          => 'TPSReports!',
+            'ip_mask_deny_postgres_user' => '0.0.0.0/32',
+          },
+        }
+      EOS
+
+      puppet_apply(pp) do |r|
+        [0,2].should include(r.exit_code)
+        r.stdout.should =~ /\[set_postgres_postgrespw\]\/returns: executed successfully/
+      end
+      puppet_apply(pp) do |r|
+        r.exit_code.should == 0
+      end
+
+      pp = <<-EOS
+        class { "postgresql::server":
+          config_hash => {
+            'postgres_password'          => 'TPSR$$eports!',
+            'ip_mask_deny_postgres_user' => '0.0.0.0/32',
+          },
+        }
+      EOS
+
+      puppet_apply(pp) do |r|
+        [0,2].should include(r.exit_code)
+        r.stdout.should =~ /\[set_postgres_postgrespw\]\/returns: executed successfully/
+      end
+      puppet_apply(pp) do |r|
+        r.exit_code.should == 0
+      end
+
+    end
+  end
+
   describe 'postgresql::psql' do
     it 'should work but emit a deprecation warning' do
       pp = <<-EOS

spec/unit/functions/postgresql_escape_spec.rb

@@ -0,0 +1,10 @@
+require 'spec_helper'
+
+describe 'postgresql_escape', :type => :puppet_function do
+  it { should run.with_params('foo').
+    and_return('$$foo$$') }
+end
+describe 'postgresql_escape', :type => :puppet_function do
+  it { should run.with_params('fo$$o').
+    and_return('$ed$fo$$o$ed$') }
+end