Merge pull request #1584 from ekohl/globally-configurable-password-encryption

bastelfreak · web-flow · commit 5eb169016d0e · 2024-03-26T17:31:19.000+01:00
Add a global password_encryption parameter
diff --git a/manifests/globals.pp b/manifests/globals.pp
@@ -81,6 +81,10 @@
 # @param timezone
 #   Sets the default timezone of the postgresql server. The postgresql built-in default is taking the systems timezone information.
 #
+# @param password_encryption
+#   Specify the type of encryption set for the password.
+#   Defaults to scram-sha-256 for PostgreSQL >= 14, otherwise md5.
+#
 # @param manage_pg_hba_conf Allow Puppet to manage the pg_hba.conf file.
 # @param manage_pg_ident_conf Allow Puppet to manage the pg_ident.conf file.
 # @param manage_recovery_conf Allow Puppet to manage the recovery.conf file.
@@ -159,6 +163,7 @@
   Optional[String[1]] $locale                      = undef,
   Optional[Boolean] $data_checksums                = undef,
   Optional[String[1]] $timezone                    = undef,
+  Optional[Postgresql::Pg_password_encryption] $password_encryption = undef,
 
   Optional[Boolean] $manage_pg_hba_conf            = undef,
   Optional[Boolean] $manage_pg_ident_conf          = undef,
diff --git a/manifests/params.pp b/manifests/params.pp
@@ -25,7 +25,7 @@
   $manage_selinux               = pick($manage_selinux, false)
   $package_ensure               = 'present'
   $module_workdir               = pick($module_workdir,'/tmp')
-  $password_encryption          = versioncmp($version, '14') ? { -1 => 'md5', default => 'scram-sha-256' }
+  $password_encryption          = pick($password_encryption, versioncmp($version, '14') ? { -1 => 'md5', default => 'scram-sha-256' })
   $extra_systemd_config         = undef
   $manage_datadir               = true
   $manage_logdir                = true
diff --git a/spec/functions/postgresql_default_spec.rb b/spec/functions/postgresql_default_spec.rb
@@ -30,5 +30,19 @@ class { 'postgresql::server':
   # parameter in globals.pp only
   it { is_expected.to run.with_params('default_connect_settings').and_return({}) }
 
+  it { is_expected.to run.with_params('password_encryption').and_return('md5') }
+
   it { is_expected.to run.with_params('a_parameter_that_does_not_exist').and_raise_error(Puppet::ParseError, %r{pick\(\): must receive at least one non empty value}) }
+
+  context 'with overridden values' do
+    let(:pre_condition) do
+      <<~PUPPET
+      class { 'postgresql::globals':
+        password_encryption => 'scram-sha-256',
+      }
+      PUPPET
+    end
+
+    it { is_expected.to run.with_params('password_encryption').and_return('scram-sha-256') }
+  end
 end
