Merge pull request #400 from deric/scram-sha

Support scram-sha-256 password_encryption method

Author: bastelfreak

manifests/database/postgresql.pp

@@ -65,6 +65,11 @@
 #   `manage_database` is set to `true`, it will use the value of the `database_host`
 #   parameter. This option is supported in PuppetDB >= 1.6.
 #
+# @param password_sensitive
+#   Whether password should be of Datatype Sensitive[String]
+# @param password_encryption
+#   PostgreSQL password authentication method, either `md5` or `scram-sha-256`
+#
 class puppetdb::database::postgresql (
   $listen_addresses            = $puppetdb::params::database_host,
   $puppetdb_server             = $puppetdb::params::puppetdb_server,
@@ -82,7 +87,9 @@
   $postgresql_ssl_ca_cert_path = $puppetdb::params::postgresql_ssl_ca_cert_path,
   $read_database_username      = $puppetdb::params::read_database_username,
   $read_database_password      = $puppetdb::params::read_database_password,
-  $read_database_host          = $puppetdb::params::read_database_host
+  $read_database_host          = $puppetdb::params::read_database_host,
+  Boolean $password_sensitive  = false,
+  Postgresql::Pg_password_encryption $password_encryption = $puppetdb::params::password_encryption,
 ) inherits puppetdb::params {
   $port = scanf($database_port, '%i')[0]
 
@@ -96,6 +103,7 @@
       ip_mask_allow_all_users => '0.0.0.0/0',
       listen_addresses        => $listen_addresses,
       port                    => $port,
+      password_encryption     => $password_encryption,
     }
 
     # We need to create the ssl connection for the read user, when
@@ -166,9 +174,11 @@
     -> puppetdb::database::read_only_user { $read_database_username:
       read_database_username => $read_database_username,
       database_name          => $database_name,
-      password_hash          => postgresql::postgresql_password($read_database_username, $read_database_password),
+      password_hash          => postgresql::postgresql_password(
+      $read_database_username, $read_database_password, $password_sensitive, $password_encryption),
       database_owner         => $database_username,
       database_port          => $port,
+      password_encryption    => $password_encryption,
     }
 
     -> postgresql_psql { "grant ${read_database_username} role to ${database_username}":

manifests/database/read_only_user.pp

@@ -13,18 +13,22 @@
 #   The user which owns the database (i.e. the migration user for the database).
 # @param password_hash
 #   The value of $_database_password in app_database.
+# @param password_encryption
+#   The hash method for postgresql password, since PostgreSQL 14 default is `scram-sha-256`.
 #
 # @api private
 define puppetdb::database::read_only_user (
   String $read_database_username,
   String $database_name,
   String $database_owner,
-  Variant[String, Boolean] $password_hash = false,
+  Variant[String, Boolean, Sensitive[String]] $password_hash = false,
   Optional[Stdlib::Port] $database_port = undef,
+  Optional[Postgresql::Pg_password_encryption] $password_encryption = undef,
 ) {
   postgresql::server::role { $read_database_username:
     password_hash => $password_hash,
     port          => $database_port,
+    hash          => $password_encryption,
   }
 
   -> postgresql::server::database_grant { "${database_name} grant connection permission to ${read_database_username}":

manifests/init.pp

@@ -342,6 +342,9 @@
 # @param java_bin
 #   java binary path for PuppetDB. If undef, default will be used.
 #
+# @param postgresql_password_encryption
+#   PostgreSQL password authentication method, either `md5` or `scram-sha-256`
+#
 class puppetdb (
   $listen_address                          = $puppetdb::params::listen_address,
   $listen_port                             = $puppetdb::params::listen_port,
@@ -424,6 +427,7 @@
   Boolean $automatic_dlo_cleanup           = $puppetdb::params::automatic_dlo_cleanup,
   String[1] $cleanup_timer_interval        = $puppetdb::params::cleanup_timer_interval,
   Integer[1] $dlo_max_age                  = $puppetdb::params::dlo_max_age,
+  Postgresql::Pg_password_encryption $postgresql_password_encryption = $puppetdb::params::password_encryption,
   Optional[Stdlib::Absolutepath] $java_bin = $puppetdb::params::java_bin,
 ) inherits puppetdb::params {
   class { 'puppetdb::server':
@@ -528,6 +532,7 @@
     read_database_username      => $read_database_username,
     read_database_password      => $read_database_password,
     read_database_host          => $read_database_host,
+    password_encryption         => $postgresql_password_encryption,
     before                      => $database_before,
   }
 }

manifests/params.pp

@@ -42,6 +42,7 @@
   $database_validate      = true
   $database_max_pool_size = undef
   $puppetdb_server        = fact('networking.fqdn')
+  $password_encryption    = 'scram-sha-256'
 
   # These settings manage the various auto-deactivation and auto-purge settings
   $node_ttl               = '7d'

metadata.json

@@ -14,7 +14,7 @@
     },
     {
       "name": "puppetlabs/postgresql",
-      "version_requirement": ">= 6.5.0 < 11.0.0"
+      "version_requirement": ">= 9.2.0 < 11.0.0"
     },
     {
       "name": "puppetlabs/firewall",

spec/unit/classes/init_spec.rb

@@ -67,6 +67,22 @@ class { 'postgresql::server':
         end
       end
 
+      context 'with password encryption' do
+        let :params do
+          {
+            postgresql_password_encryption: 'md5',
+          }
+        end
+
+        it do
+          is_expected.to contain_postgresql__server__pg_hba_rule('allow access to all users for instance main')
+            .with_type('host')
+            .with_database('all')
+            .with_user('all')
+            .with_auth_method('md5')
+        end
+      end
+
       context 'when using ssl certificates' do
         let(:params) do
           {