Skip to content

Commit

Permalink
[bitnami/postgresql-pgpool] encrypt health check passwords inside pgp…
Browse files Browse the repository at this point in the history
…ool.conf

Signed-off-by: Yukha Dharmeswara <[email protected]>
  • Loading branch information
yukha-dw committed Oct 31, 2024
1 parent f2d24d8 commit 08cfb6b
Showing 1 changed file with 30 additions and 27 deletions.
57 changes: 30 additions & 27 deletions bitnami/pgpool/4/debian-12/rootfs/opt/bitnami/scripts/libpgpool.sh
Original file line number Diff line number Diff line change
Expand Up @@ -548,6 +548,32 @@ pgpool_create_config() {
fi
}

########################
# Execute postgresql encrypt command
# Globals:
# PGPOOL_*
# Arguments:
# None
# Returns:
# None
#########################
pgpool_encrypt_execute() {
local -a password_encryption_cmd=("pg_md5")

if [[ "$PGPOOL_AUTHENTICATION_METHOD" = "scram-sha-256" ]]; then

if is_file_writable "$PGPOOLKEYFILE"; then
# Creating a PGPOOLKEYFILE as it is writeable
echo "$PGPOOL_AES_KEY" > "$PGPOOLKEYFILE"
# Fix permissions for PGPOOLKEYFILE
chmod 0600 "$PGPOOLKEYFILE"
fi
password_encryption_cmd=("pg_enc" "--key-file=${PGPOOLKEYFILE}")
fi

"${password_encryption_cmd[@]}" "$@"
}

########################
# Generates a password file for local authentication
# Globals:
Expand All @@ -561,28 +587,15 @@ pgpool_generate_password_file() {
if is_boolean_yes "$PGPOOL_ENABLE_POOL_PASSWD"; then
info "Generating password file for local authentication..."

local -a password_encryption_cmd=("pg_md5")

if [[ "$PGPOOL_AUTHENTICATION_METHOD" = "scram-sha-256" ]]; then

if is_file_writable "$PGPOOLKEYFILE"; then
# Creating a PGPOOLKEYFILE as it is writeable
echo "$PGPOOL_AES_KEY" > "$PGPOOLKEYFILE"
# Fix permissions for PGPOOLKEYFILE
chmod 0600 "$PGPOOLKEYFILE"
fi
password_encryption_cmd=("pg_enc" "--key-file=${PGPOOLKEYFILE}")
fi

debug_execute "${password_encryption_cmd[@]}" -m --config-file="$PGPOOL_CONF_FILE" -u "$PGPOOL_POSTGRES_USERNAME" "$PGPOOL_POSTGRES_PASSWORD"
debug_execute pgpool_encrypt_execute -m --config-file="$PGPOOL_CONF_FILE" -u "$PGPOOL_POSTGRES_USERNAME" "$PGPOOL_POSTGRES_PASSWORD"

if [[ -n "${PGPOOL_POSTGRES_CUSTOM_USERS}" ]]; then
read -r -a custom_users_list <<<"$(tr ',;' ' ' <<<"${PGPOOL_POSTGRES_CUSTOM_USERS}")"
read -r -a custom_passwords_list <<<"$(tr ',;' ' ' <<<"${PGPOOL_POSTGRES_CUSTOM_PASSWORDS}")"

local index=0
for user in "${custom_users_list[@]}"; do
debug_execute "${password_encryption_cmd[@]}" -m --config-file="$PGPOOL_CONF_FILE" -u "$user" "${custom_passwords_list[$index]}"
debug_execute pgpool_encrypt_execute -m --config-file="$PGPOOL_CONF_FILE" -u "$user" "${custom_passwords_list[$index]}"
((index += 1))
done
fi
Expand All @@ -603,20 +616,10 @@ pgpool_generate_password_file() {
pgpool_encrypt_password() {
local -r password="${1:?missing password}"

local -a password_encryption_cmd=("pg_md5")

if [[ "$PGPOOL_AUTHENTICATION_METHOD" = "scram-sha-256" ]]; then

if is_file_writable "$PGPOOLKEYFILE"; then
# Creating a PGPOOLKEYFILE as it is writeable
echo "$PGPOOL_AES_KEY" > "$PGPOOLKEYFILE"
# Fix permissions for PGPOOLKEYFILE
chmod 0600 "$PGPOOLKEYFILE"
fi
password_encryption_cmd=("pg_enc" "--key-file=${PGPOOLKEYFILE}")
debug_execute "${password_encryption_cmd[@]}" "$password" | grep -o -E "AES.+" | tr -d '\n'
pgpool_encrypt_execute "$password" | grep -o -E "AES.+" | tr -d '\n'
else
debug_execute "${password_encryption_cmd[@]}" "$password" | tr -d '\n'
pgpool_encrypt_execute "$password" | tr -d '\n'
fi
}

Expand Down

0 comments on commit 08cfb6b

Please sign in to comment.