X-Git-Url: https://git.adam-barratt.org.uk/?a=blobdiff_plain;f=3rdparty%2Fmodules%2Fpostgresql%2Fmanifests%2Fserver%2Fpasswd.pp;fp=3rdparty%2Fmodules%2Fpostgresql%2Fmanifests%2Fserver%2Fpasswd.pp;h=bb922eea1032612d92ae79318877a4ef02b22941;hb=a69999e580f8b3abd12446c2d6ad59e517651813;hp=0000000000000000000000000000000000000000;hpb=e7b6b352165009c385c52fcfe5a1055690dbfa4b;p=mirror%2Fdsa-puppet.git
diff --git a/3rdparty/modules/postgresql/manifests/server/passwd.pp b/3rdparty/modules/postgresql/manifests/server/passwd.pp
new file mode 100644
index 000000000..bb922eea1
--- /dev/null
+++ b/3rdparty/modules/postgresql/manifests/server/passwd.pp
@@ -0,0 +1,46 @@
+# PRIVATE CLASS: do not call directly
+class postgresql::server::passwd {
+ $postgres_password = $postgresql::server::postgres_password
+ $user = $postgresql::server::user
+ $group = $postgresql::server::group
+ $psql_path = $postgresql::server::psql_path
+ $port = $postgresql::server::port
+ $database = $postgresql::server::default_database
+ $module_workdir = $postgresql::server::module_workdir
+
+ # psql will default to connecting as $user if you don't specify name
+ $_datbase_user_same = $database == $user
+ $_dboption = $_datbase_user_same ? {
+ false => " --dbname ${database}",
+ default => ''
+ }
+
+ if ($postgres_password != undef) {
+ # NOTE: this password-setting logic relies on the pg_hba.conf being
+ # configured to allow the postgres system user to connect via psql
+ # without specifying a password ('ident' or 'trust' security). This is
+ # the default for pg_hba.conf.
+ $escaped = postgresql_escape($postgres_password)
+ exec { 'set_postgres_postgrespw':
+ # This command works w/no password because we run it as postgres system
+ # user
+ command => "${psql_path}${_dboption} -c \"ALTER ROLE \\\"${user}\\\" PASSWORD \${NEWPASSWD_ESCAPED}\"",
+ user => $user,
+ group => $group,
+ logoutput => true,
+ cwd => $module_workdir,
+ environment => [
+ "PGPASSWORD=${postgres_password}",
+ "PGPORT=${port}",
+ "NEWPASSWD_ESCAPED=${escaped}",
+ ],
+ # With this command we're passing -h to force TCP authentication, which
+ # does require a password. We specify the password via the PGPASSWORD
+ # environment variable. If the password is correct (current), this
+ # command will exit with an exit code of 0, which will prevent the main
+ # command from running.
+ unless => "${psql_path} -h localhost -p ${port} -c 'select 1' > /dev/null",
+ path => '/usr/bin:/usr/local/bin:/bin',
+ }
+ }
+}