postgresql: fix setting password for username with special chars

This commit is contained in:
ibizaman 2025-12-29 09:24:17 +01:00
parent 21bf3dad20
commit 954fae00b5
2 changed files with 60 additions and 56 deletions

View file

@ -162,7 +162,7 @@ in
{ username, passwordFile, ... }:
''
password := trim(both from replace(pg_read_file('${passwordFile}'), E'\n', '''));
EXECUTE format('ALTER ROLE ${username} WITH PASSWORD '''%s''';', password);
EXECUTE format('ALTER ROLE "${username}" WITH PASSWORD '''%s''';', password);
'';
cfgsWithPasswords = builtins.filter (cfg: cfg.passwordFile != null) ensureCfgs;
in

View file

@ -22,8 +22,8 @@ in
shb.postgresql.ensures = [
{
username = "me";
database = "me";
username = "me-with-special-chars";
database = "me-with-special-chars";
}
];
};
@ -39,13 +39,13 @@ in
return "sudo -u me psql -U {user} {db} --command \"\"".format(user=user, db=database)
with subtest("cannot login because of missing user"):
machine.fail(peer_cmd("me", "me"), timeout=10)
machine.fail(peer_cmd("me-with-special-chars", "me-with-special-chars"), timeout=10)
with subtest("cannot login with unknown user"):
machine.fail(peer_cmd("notme", "me"), timeout=10)
machine.fail(peer_cmd("notme", "me-with-other-chars"), timeout=10)
with subtest("cannot login to unknown database"):
machine.fail(peer_cmd("me", "notmine"), timeout=10)
machine.fail(peer_cmd("me-with-special-chars", "notmine"), timeout=10)
'';
};
@ -145,59 +145,63 @@ in
'';
};
tcpIPPasswordAuth = shb.test.runNixOSTest {
name = "postgresql-tcpIPPasswordAuth";
tcpIPPasswordAuth =
let
username = "me-with-special-chars";
in
shb.test.runNixOSTest {
name = "postgresql-tcpIPPasswordAuth";
nodes.machine =
{ config, pkgs, ... }:
{
imports = [
(pkgs'.path + "/nixos/modules/profiles/headless.nix")
(pkgs'.path + "/nixos/modules/profiles/qemu-guest.nix")
../../modules/blocks/postgresql.nix
];
nodes.machine =
{ config, pkgs, ... }:
{
imports = [
(pkgs'.path + "/nixos/modules/profiles/headless.nix")
(pkgs'.path + "/nixos/modules/profiles/qemu-guest.nix")
../../modules/blocks/postgresql.nix
];
users.users.me = {
isSystemUser = true;
group = "me";
extraGroups = [ "sudoers" ];
users.users.${username} = {
isSystemUser = true;
group = username;
extraGroups = [ "sudoers" ];
};
users.groups.${username} = { };
system.activationScripts.secret = ''
echo secretpw > /run/dbsecret
'';
shb.postgresql.enableTCPIP = true;
shb.postgresql.ensures = [
{
username = username;
database = username;
passwordFile = "/run/dbsecret";
}
];
};
users.groups.me = { };
system.activationScripts.secret = ''
echo secretpw > /run/dbsecret
testScript =
{ nodes, ... }:
''
start_all()
machine.wait_for_unit("postgresql.service")
machine.wait_for_open_port(5432)
def peer_cmd(user, database):
return "sudo -u ${username} psql -U {user} {db} --command \"\"".format(user=user, db=database)
def tcpip_cmd(user, database, port, password):
return "PGPASSWORD={password} psql -h 127.0.0.1 -p {port} -U {user} {db} --command \"\"".format(user=user, db=database, port=port, password=password)
with subtest("can peer login with provisioned user and database"):
machine.succeed(peer_cmd("${username}", "${username}"), timeout=10)
with subtest("can tcpip login with provisioned user and database"):
machine.succeed(tcpip_cmd("${username}", "${username}", "5432", "secretpw"), timeout=10)
with subtest("cannot tcpip login with wrong password"):
machine.fail(tcpip_cmd("${username}", "${username}", "5432", "oops"), timeout=10)
'';
shb.postgresql.enableTCPIP = true;
shb.postgresql.ensures = [
{
username = "me";
database = "me";
passwordFile = "/run/dbsecret";
}
];
};
testScript =
{ nodes, ... }:
''
start_all()
machine.wait_for_unit("postgresql.service")
machine.wait_for_open_port(5432)
def peer_cmd(user, database):
return "sudo -u me psql -U {user} {db} --command \"\"".format(user=user, db=database)
def tcpip_cmd(user, database, port, password):
return "PGPASSWORD={password} psql -h 127.0.0.1 -p {port} -U {user} {db} --command \"\"".format(user=user, db=database, port=port, password=password)
with subtest("can peer login with provisioned user and database"):
machine.succeed(peer_cmd("me", "me"), timeout=10)
with subtest("can tcpip login with provisioned user and database"):
machine.succeed(tcpip_cmd("me", "me", "5432", "secretpw"), timeout=10)
with subtest("cannot tcpip login with wrong password"):
machine.fail(tcpip_cmd("me", "me", "5432", "oops"), timeout=10)
'';
};
};
}