Add more sensitive protection and testing
DavidS committed Feb 19, 2021
1 parent c73a37b commit 08a1752
Showing 2 changed files with 18 additions and 18 deletions.
6 changes: 3 additions & 3 deletions manifests/server/role.pp
Expand Up @@ -82,7 +82,7 @@
}

postgresql_psql { "CREATE ROLE ${username} ENCRYPTED PASSWORD ****":
command => "CREATE ROLE \"${username}\" ${password_sql} ${login_sql} ${createrole_sql} ${createdb_sql} ${superuser_sql} ${replication_sql} CONNECTION LIMIT ${connection_limit}",
command => Sensitive("CREATE ROLE \"${username}\" ${password_sql} ${login_sql} ${createrole_sql} ${createdb_sql} ${superuser_sql} ${replication_sql} CONNECTION LIMIT ${connection_limit}"),
unless => "SELECT 1 FROM pg_roles WHERE rolname = '${username}'",
require => undef,
sensitive => true,
Expand Down Expand Up @@ -132,8 +132,8 @@
$pwd_hash_sql = "md5${pwd_md5}"
}
postgresql_psql { "ALTER ROLE ${username} ENCRYPTED PASSWORD ****":
command => "ALTER ROLE \"${username}\" ${password_sql}",
unless => "SELECT 1 FROM pg_shadow WHERE usename = '${username}' AND passwd = '${pwd_hash_sql}'",
command => Sensitive("ALTER ROLE \"${username}\" ${password_sql}"),
unless => Sensitive("SELECT 1 FROM pg_shadow WHERE usename = '${username}' AND passwd = '${pwd_hash_sql}'"),
sensitive => true,
}
}
Expand Down
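Review bot: The `unless` of the ALTER ROLE resource is now wrapped in Sensitive() with nothing saying why, while the CREATE ROLE `unless` a few lines up stays plain; the reason is only recoverable from the `$pwd_hash_sql = "md5${pwd_md5}"` context above it, and a later maintainer is likely to "simplify" it away. I would add above that line `# Sensitive: the query embeds the md5 hash of the role password, which must not appear in reports or logs`, and a matching one-liner on the CREATE ROLE `unless` noting it only carries the role name. Both resources also set `sensitive => true` and wrap the values in Sensitive(); I cannot tell from this hunk whether the type's own parameter already redacts, so a short comment on which of the two is the authoritative mechanism would prevent one being dropped as redundant. The enclosing define starts and ends outside this hunk.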
30 changes: 15 additions & 15 deletions spec/unit/defines/server/role_spec.rb
Expand Up @@ -33,16 +33,16 @@
it { is_expected.to contain_postgresql__server__role('test') }
it 'has create role for "test" user with password as ****' do
is_expected.to contain_postgresql_psql('CREATE ROLE test ENCRYPTED PASSWORD ****')
.with('command' => "CREATE ROLE \"test\" ENCRYPTED PASSWORD '$NEWPGPASSWD' LOGIN NOCREATEROLE NOCREATEDB NOSUPERUSER CONNECTION LIMIT -1",
'environment' => 'NEWPGPASSWD=new-pa$s',
.with('command' => 'Sensitive [value redacted]',
'sensitive' => 'true',
'unless' => "SELECT 1 FROM pg_roles WHERE rolname = 'test'",
'port' => '5432')
end
it 'has alter role for "test" user with password as ****' do
is_expected.to contain_postgresql_psql('ALTER ROLE test ENCRYPTED PASSWORD ****')
.with('command' => "ALTER ROLE \"test\" ENCRYPTED PASSWORD '$NEWPGPASSWD'",
'environment' => 'NEWPGPASSWD=new-pa$s',
'unless' => "SELECT 1 FROM pg_shadow WHERE usename = 'test' AND passwd = 'md5b6f7fcbbabb4befde4588a26c1cfd2fa'",
.with('command' => 'Sensitive [value redacted]',
'sensitive' => 'true',
'unless' => 'Sensitive [value redacted]',
'port' => '5432')
end

Expand All @@ -64,17 +64,17 @@
it { is_expected.to contain_postgresql__server__role('test') }
it 'has create role for "test" user with password as ****' do
is_expected.to contain_postgresql_psql('CREATE ROLE test ENCRYPTED PASSWORD ****')
.with_command("CREATE ROLE \"test\" ENCRYPTED PASSWORD '$NEWPGPASSWD' LOGIN NOCREATEROLE NOCREATEDB NOSUPERUSER CONNECTION LIMIT -1")
.with_environment('NEWPGPASSWD=new-pa$s')
.with_command('Sensitive [value redacted]')
.with_sensitive('true')
.with_unless("SELECT 1 FROM pg_roles WHERE rolname = 'test'")
.with_port(5432)
.with_connect_settings('PGHOST' => 'postgres-db-server', 'DBVERSION' => '9.1', 'PGUSER' => 'login-user', 'PGPASSWORD' => 'login-pass')
.that_requires('Class[postgresql::server::service]')
end
it 'has alter role for "test" user with password as ****' do
is_expected.to contain_postgresql_psql('ALTER ROLE test ENCRYPTED PASSWORD ****')
.with('command' => "ALTER ROLE \"test\" ENCRYPTED PASSWORD '$NEWPGPASSWD'", 'environment' => 'NEWPGPASSWD=new-pa$s',
'unless' => "SELECT 1 FROM pg_shadow WHERE usename = 'test' AND passwd = 'md5b6f7fcbbabb4befde4588a26c1cfd2fa'", 'port' => '5432',
.with('command' => 'Sensitive [value redacted]', 'sensitive' => 'true',
'unless' => 'Sensitive [value redacted]', 'port' => '5432',
'connect_settings' => { 'PGHOST' => 'postgres-db-server', 'DBVERSION' => '9.1',
'PGUSER' => 'login-user', 'PGPASSWORD' => 'login-pass' })
end
Expand All @@ -99,15 +99,15 @@
it { is_expected.to contain_postgresql__server__role('test') }
it 'has create role for "test" user with password as ****' do
is_expected.to contain_postgresql_psql('CREATE ROLE test ENCRYPTED PASSWORD ****')
.with('command' => "CREATE ROLE \"test\" ENCRYPTED PASSWORD '$NEWPGPASSWD' LOGIN NOCREATEROLE NOCREATEDB NOSUPERUSER CONNECTION LIMIT -1",
'environment' => 'NEWPGPASSWD=new-pa$s', 'unless' => "SELECT 1 FROM pg_roles WHERE rolname = 'test'",
'connect_settings' => { 'PGHOST' => 'postgres-db-server', 'DBVERSION' => '9.1',
'PGPORT' => '1234', 'PGUSER' => 'login-user', 'PGPASSWORD' => 'login-pass' })
.with('command' => 'Sensitive [value redacted]',
'sensitive' => 'true', 'unless' => "SELECT 1 FROM pg_roles WHERE rolname = 'test'",
'connect_settings' => { 'PGHOST' => 'postgres-db-server', 'DBVERSION' => '9.1',
'PGPORT' => '1234', 'PGUSER' => 'login-user', 'PGPASSWORD' => 'login-pass' })
end
it 'has alter role for "test" user with password as ****' do
is_expected.to contain_postgresql_psql('ALTER ROLE test ENCRYPTED PASSWORD ****')
.with('command' => "ALTER ROLE \"test\" ENCRYPTED PASSWORD '$NEWPGPASSWD'", 'environment' => 'NEWPGPASSWD=new-pa$s',
'unless' => "SELECT 1 FROM pg_shadow WHERE usename = 'test' AND passwd = 'md5b6f7fcbbabb4befde4588a26c1cfd2fa'",
.with('command' => 'Sensitive [value redacted]', 'sensitive' => 'true',
'unless' => 'Sensitive [value redacted]',
'connect_settings' => { 'PGHOST' => 'postgres-db-server', 'DBVERSION' => '9.1',
'PGPORT' => '1234', 'PGUSER' => 'login-user', 'PGPASSWORD' => 'login-pass' })
end
Expand Down
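Review bot: Replacing the expected SQL with `'command' => 'Sensitive [value redacted]'` in every "has create role" and "has alter role" example of the three hunks checks only that the value is wrapped, so the generated statement itself is no longer tested — the `LOGIN NOCREATEROLE NOCREATEDB NOSUPERUSER CONNECTION LIMIT -1` clauses and the md5 hash in the ALTER ROLE `unless` that the removed expectations pinned can now regress silently. If the rspec-puppet version in use provides the `sensitive` helper, keep the previous expected strings and wrap them, e.g. `.with_command(sensitive("CREATE ROLE \"test\" ENCRYPTED PASSWORD ... CONNECTION LIMIT -1"))` and `.with_unless(sensitive("SELECT 1 FROM pg_shadow WHERE usename = 'test' AND passwd = 'md5...'"))`, so both the redaction and the statement are asserted. The dropped `'environment' => 'NEWPGPASSWD=new-pa$s'` expectations suggest the password is now interpolated into the command rather than passed via the environment; if so, an assertion that the unwrapped command contains the expected value (and not a stale `$NEWPGPASSWD` reference) would close that gap. The enclosing describe/context blocks start before each hunk.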
