From 88b294ae85c18c41dbbe066307fdef3070e44a0c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tinus=20M=C3=B8rch=20Abell?=
Date: Mon, 18 Mar 2024 12:44:13 +0100
Subject: [PATCH] Delete password not just login from user when password removed from CR (#286)

---
 pkg/postgres/database.go | 4 ++--
 pkg/postgres/database_test.go | 29 +++++++++++++++++++++++++++++
 2 files changed, 31 insertions(+), 2 deletions(-)

diff --git a/pkg/postgres/database.go b/pkg/postgres/database.go
index f4dea5d..6090591 100644
--- a/pkg/postgres/database.go
+++ b/pkg/postgres/database.go
@@ -195,9 +195,9 @@ func createServiceRole(log logr.Logger, db *sql.DB, user, password string) error
 	}
 
 	if password != "" {
-		err = execf(db, "ALTER ROLE %s LOGIN PASSWORD '%s' NOCREATEROLE VALID UNTIL 'infinity'", user, password)
+		err = execf(db, "ALTER ROLE %s LOGIN PASSWORD '%s' VALID UNTIL 'infinity'", user, password)
 	} else {
-		err = execf(db, "ALTER ROLE %s NOLOGIN NOCREATEROLE", user)
+		err = execf(db, "ALTER ROLE %s NOLOGIN PASSWORD NULL", user)
 	}
 	return err
 }
diff --git a/pkg/postgres/database_test.go b/pkg/postgres/database_test.go
index 4f427a7..7b65e7d 100644
--- a/pkg/postgres/database_test.go
+++ b/pkg/postgres/database_test.go
@@ -112,6 +112,7 @@ func TestDatabase_sunshine(t *testing.T) {
 	}
 
 	assert.True(t, roleCanLogin(t, db, name))
+	assert.True(t, hasPassword(t, log, postgresqlHost, name))
 
 	newDB, err := postgres.Connect(log, postgres.ConnectionString{
 		Host:     postgresqlHost,
@@ -200,6 +201,7 @@ func TestDatabase_switchFromLoginToNoLoginAndBack(t *testing.T) {
 	postgresqlHost := test.Integration(t)
 	log := test.SetLogger(t)
 	managerRole := "postgres_role_name"
+
 	db, err := postgres.Connect(log, postgres.ConnectionString{
 		Host:     postgresqlHost,
 		Database: "postgres",
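Review bot: Both rewritten `ALTER ROLE` lines in createServiceRole still splice `user` and `password` into the SQL text with `%s`, the password inside a single-quoted literal, so a password containing a quote breaks the statement and any operator-supplied value becomes part of the command; unless execf escapes its arguments (not visible here), the role name should pass through an identifier-quoting helper and the password through a literal-quoting one before formatting (with lib/pq that is `pq.QuoteIdentifier` and `pq.QuoteLiteral`). Separately, the commit title only promises to clear the password, yet both lines also drop `NOCREATEROLE`, so a role that somehow acquired CREATEROLE is no longer reset to the hardened attribute on reconcile. If that is intentional, a comment on the `if password != ""` branch such as `// NOCREATEROLE is deliberately no longer reconciled here (#286)` would stop the next reader from treating it as an accident; if not, it should be restored on both branches. `PASSWORD NULL` does clear the stored hash, which is what the title asks for. createServiceRole begins outside the hunk.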
@@ -232,6 +234,7 @@ func TestDatabase_switchFromLoginToNoLoginAndBack(t *testing.T) {
 	}
 
 	assert.True(t, roleCanLogin(t, db, name))
+	assert.True(t, hasPassword(t, log, postgresqlHost, name))
 
 	// Invoke again with same name but no password
 	err = postgres.Database(log, postgresqlHost, postgres.Credentials{
@@ -246,6 +249,7 @@ func TestDatabase_switchFromLoginToNoLoginAndBack(t *testing.T) {
 		t.Fatalf("Second Database failed: %v", err)
 	}
 	assert.False(t, roleCanLogin(t, db, name))
+	assert.False(t, hasPassword(t, log, postgresqlHost, name))
 
 	// Invoke again with same name with password
 	err = postgres.Database(log, postgresqlHost, postgres.Credentials{
@@ -261,6 +265,7 @@ func TestDatabase_switchFromLoginToNoLoginAndBack(t *testing.T) {
 		t.Fatalf("Second Database failed: %v", err)
 	}
 	assert.True(t, roleCanLogin(t, db, name))
+	assert.True(t, hasPassword(t, log, postgresqlHost, name))
 
 	newDB, err := postgres.Connect(log, postgres.ConnectionString{
 		Host:     postgresqlHost,
@@ -634,6 +639,30 @@ func TestDatabase_idempotency(t *testing.T) {
 	}
 }
 
+func hasPassword(t *testing.T, log logr.Logger, host, username string) bool {
+	db, err := postgres.Connect(log, postgres.ConnectionString{
+		Host:     host,
+		Database: "postgres",
+		User:     "admin",
+		Password: "admin",
+	})
+	if err != nil {
+		t.Fatalf("connect to database as admin failed: %v", err)
+	}
+
+	row := db.QueryRow("SELECT passwd FROM pg_shadow WHERE usename = $1", username)
+	if row.Err() != nil {
+		t.Fatalf("get password failed: %v", row.Err())
+	}
+
+	var password string
+	err = row.Scan(&password)
+	if err != nil {
+		return false
+	}
+	return true
+}
+
 func roleCanLogin(t *testing.T, db *sql.DB, role string) bool {
 	t.Helper()
 	row := db.QueryRow("SELECT rolcanlogin FROM pg_roles WHERE rolname = $1", role)
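Review bot: hasPassword in the last hunk opens a new connection through postgres.Connect on every call and never closes it, so each assertion that uses it leaks a pool for the rest of the test run; if Connect returns the same `*sql.DB` that roleCanLogin accepts, a `defer db.Close()` right after the error check fixes that. It also folds every `row.Scan` failure into `false`: a NULL `passwd` (the case the test wants), a missing role (`sql.ErrNoRows`) and a broken connection all read as "no password", so the `assert.False(t, hasPassword(...))` added in the earlier hunk of this file would pass even if the role had been dropped. Scanning into `sql.NullString` and returning its `Valid` flag, with any Scan error going to `t.Fatalf`, keeps the intended meaning while failing loudly on the other cases, and adding `t.Helper()` as roleCanLogin does makes the failure point at the caller. The `row.Err()` check before Scan is redundant, since Scan returns the same error.
```go
func hasPassword(t *testing.T, log logr.Logger, host, username string) bool {
	t.Helper()
	// … unchanged: postgres.Connect call and its error check …
	defer db.Close()

	// pg_shadow.passwd is NULL when the role has no password, so the
	// validity of the scanned value is the answer; anything else is a test bug.
	var password sql.NullString
	err = db.QueryRow("SELECT passwd FROM pg_shadow WHERE usename = $1", username).Scan(&password)
	if err != nil {
		t.Fatalf("get password for %q failed: %v", username, err)
	}
	return password.Valid
}
```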