From: Andrei Pavel
Date: Fri, 3 Sep 2021 12:00:03 +0000 (+0300)
Subject: [#2064] hammer: don't modify postgres entry in hba
X-Git-Tag: Kea-2.0.0~150
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=bcecca9a2103111547478e040669ae5797eca873;p=thirdparty%2Fkea.git
[#2064] hammer: don't modify postgres entry in hba
---
diff --git a/doc/devel/unit-tests.dox b/doc/devel/unit-tests.dox
index a87b56c9ce..f49bb49934 100644
--- a/doc/devel/unit-tests.dox
+++ b/doc/devel/unit-tests.dox
@@ -298,7 +298,7 @@ keatest=>
 /var/lib/postgresql/data/pg_hba.conf or at /etc/postgresql/${version}/main/pg_hba.conf, but you can find out for sure by running
- printf 'SHOW hba_file' | sudo -u postgres psql -t postgres. Make sure
+ sudo -u postgres psql -t -c 'SHOW hba_file'. Make sure
 that all the authentication methods are changed to "md5" like this: @verbatim
diff --git a/hammer.py b/hammer.py
index fbb3a204df..4a515ac0c6 100755
--- a/hammer.py
+++ b/hammer.py
@@ -1163,8 +1163,12 @@ def _restart_postgresql(system):
 execute('sudo systemctl restart postgresql.service')
+# Change authentication type for given connection type. Usual inputs for
+# connection type are 'host' or 'local'. Only affects entries with database
+# and user both set to 'all'. This is to not affect authentication of
+# `postgres` user which should have a separate entry.
 def _change_postgresql_auth_method(connection_type, auth_method, hba_file):
- execute("sudo sed -i.bak 's/^{}\(.*\) [a-z0-9]*$/{}\\1 {}/g' '{}'".format(
+ execute("sudo sed -i.bak 's/^{}\(.*\)all\(.*\)all\(.*\) [a-z0-9]*$/{}\\1all\\2all\\3 {}/g' '{}'".format(
 connection_type, connection_type, auth_method, hba_file), cwd='/tmp')
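Review bot: The rewritten sed expression in `_change_postgresql_auth_method` matches `all` anywhere on the line rather than in the database and user columns, so it does not enforce what the new comment promises. pg_hba.conf also accepts `all` in the address column, so an entry such as `host mydb all all <method>` (one database, every user, every address) contains two `all` tokens and would have its method rewritten, as would any line where "all" occurs twice inside other names; `^{}` with `host` likewise still prefixes `hostssl`/`hostnossl` lines. Because this file decides how each role authenticates, anchor the two columns by position, e.g. `execute("sudo sed -i.bak 's/^{}\([[:space:]]\+all[[:space:]]\+all[[:space:]]\+\(.*[[:space:]]\)\?\)[a-z0-9]*$/{}\\1{}/g' '{}'".format(` with the arguments unchanged. The trailing `[a-z0-9]*$`, carried over from the old line, still skips hyphenated methods such as `scram-sha-256` without any signal, so it is worth checking afterwards that the expected lines actually changed. The caller added in the next hunk passes `md5`, which PostgreSQL's documentation rates below `scram-sha-256`; a comment stating that `md5` is chosen deliberately for the test database would help.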
@@ -1193,6 +1197,15 @@ def _configure_pgsql(system, features): _enable_postgresql(system) _restart_postgresql(system) + # Change auth-method to 'md5' on all connections. + cmd = "sudo -u postgres psql -t -c 'SHOW hba_file' | xargs" + _, output = execute(cmd, capture=True, cwd='/tmp') + hba_file = output.rstrip() + _change_postgresql_auth_method('host', 'md5', hba_file) + _change_postgresql_auth_method('local', 'md5', hba_file) + + _restart_postgresql(system) + cmd = """bash -c \"cat <