puppetlabs/puppetlabs-postgresql

Passing in a Sensitive to postgresql::server::db as "password" causes broken user

laugmanuel opened this issue · 6 comments

Describe the Bug

When passing in a Sensitive[String] to postgresql::server::db, the resulting user has a broken password.
Also each Puppet run resets the password to a different, but still broken, string.

This bug surfaced in #1313

Expected Behavior

The password should be set correctly and only once.

Steps to Reproduce

Steps to reproduce the behavior:

  1. Use the following code to trigger this problem:
postgresql::server::db { $database_name:
  user     => "testuser",
  password => Sensitive("testpassword"),
  grant    => 'all',
}

Environment

  • Version v8.2.1

Additional Context

The reason for this problem is that the above-mentioned MR started using the postgres_password function to generate the password hash.
There the password is returned as a Sensitive whenever the input was also a Sensitive (or more precisely: when sensitive was set to true). Then the ALTER ROLE SQL query gets constructed, converted to a Sensitive (again!!) and passed to postgresql_psql (see https://github.com/puppetlabs/puppetlabs-postgresql/blob/main/manifests/server/role.pp#L186-L187).

Basically the logic constructs a Sensitive inside a Sensitive, which never gets unwrapped, resulting in the following SQL query (yes, exactly like that):

ALTER ROLE "<username>" ENCRYPTED PASSWORD 'Sensitive [value redacted]'

I am not sure if these warnings during each agent run are related or I should submit a separate bug?

Warning: /Postgresql_psql[ALTER ROLE puppetdb ENCRYPTED PASSWORD ****]: Unable to mark 'unless' as sensitive: unless is a parameter and not a property, and cannot be automatically redacted.
Warning: /Postgresql_psql[ALTER ROLE puppetdb-read ENCRYPTED PASSWORD ****]: Unable to mark 'unless' as sensitive: unless is a parameter and not a property, and cannot be automatically redacted.
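Added example to illustrate the double wrapping described in the issue; this is not code from puppetlabs-postgresql or from the reporter. It uses a constructed stand-in for Puppet's Sensitive type (whose to_s redacts to the literal "Sensitive [value redacted]") and a simplified postgres_password that only does PostgreSQL's md5 scheme, then shows the broken statement beside the corrected construction and a guard that catches the broken form before it reaches psql.

```ruby
require 'digest'

# Constructed stand-in for Puppet's Sensitive wrapper (not Puppet's own class):
# interpolating it into a string calls to_s, which redacts; unwrap reveals.
class Sensitive
  def initialize(value)
    @value = value
  end

  def unwrap
    @value
  end

  def to_s
    'Sensitive [value redacted]'
  end
end

# Simplified model of postgres_password as the issue describes it: when the input
# is Sensitive, the hash comes back wrapped in Sensitive too. Only md5 is modelled.
def postgres_password(username, password)
  sensitive = password.is_a?(Sensitive)
  plain = sensitive ? password.unwrap : password
  hash = 'md5' + Digest::MD5.hexdigest(plain + username)
  sensitive ? Sensitive.new(hash) : hash
end

# Buggy construction: the Sensitive hash is interpolated (to_s redacts it), and the
# whole statement is wrapped in Sensitive again, so nothing in the pipeline notices
# that the role now has the literal redaction marker as its password hash.
def alter_role_sql_buggy(username, password)
  hash = postgres_password(username, password)
  Sensitive.new(%(ALTER ROLE "#{username}" ENCRYPTED PASSWORD '#{hash}'))
end

# Corrected construction: unwrap the inner Sensitive before building the statement.
def alter_role_sql_fixed(username, password)
  hash = postgres_password(username, password)
  hash = hash.unwrap if hash.is_a?(Sensitive)
  Sensitive.new(%(ALTER ROLE "#{username}" ENCRYPTED PASSWORD '#{hash}'))
end

# Guard a resource could apply before running psql: refuse a statement that still
# carries the redaction marker, instead of silently setting an unusable password.
def statement_well_formed?(sensitive_sql)
  !sensitive_sql.unwrap.include?('Sensitive [value redacted]')
end
```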

I have the same issue

Duplicate of #1402, or not?

That's true. I would leave it up to the maintainers to decide which PR will be chosen and close the other issue and PR as duplicate. I'm ok with both.

Please either remove unusable feature or pull/commit/do something about this.

Duplicate of #1402 that got fixed in #1404. Closing.