From 6af0eb374e5565520937e5b3d8fda086d336fe9d Mon Sep 17 00:00:00 2001
From: Steve Baker
Date: Mon, 2 Aug 2021 11:42:44 +1200
Subject: [PATCH] Set postgresql password encryption for FIPS compliance

This is part of the work to add jobs which confirm ironic works with FIPS enabled, but this change is also appropriate non-FIPS jobs.

Change-Id: I4af4e811104088d28d7be6df53c26e72db039e08
---
 tools/test-setup.sh | 27 +++++++++++++++++----------
 zuul.d/ironic-jobs.yaml | 1 -
 2 files changed, 17 insertions(+), 11 deletions(-)

diff --git a/tools/test-setup.sh b/tools/test-setup.sh
index dc2a130b99..16974adb52 100755
--- a/tools/test-setup.sh
+++ b/tools/test-setup.sh
@@ -48,9 +48,25 @@ DB_ROOT_PW=${POSTGRES_ROOT_PW:-insecure_slave}
 # which it can't when executed as the postgres user, which is required
 # as same user as process for initial administrative authentication to
 # the postgres database
-
 cd /tmp
+# Identify and update the postgres hba file which can be in
+# a version specific path.
+PG_HBA=$(sudo -H -u postgres psql -t -c "show hba_file")
+PG_CONF=$(sudo -H -u postgres psql -t -c "show config_file")
+
+# setup postgres encryption algorithm and authentication
+sudo sed -i 's/ident$/scram-sha-256/g' $PG_HBA
+sudo sed -i 's/md5$/scram-sha-256/g' $PG_HBA
+sudo sed -i 's/^.*password_encryption =.*/password_encryption = scram-sha-256/' $PG_CONF
+
+sudo cat $PG_HBA
+sudo cat $PG_CONF
+
+# restart postgres fo new HBA file is loaded
+sudo systemctl stop postgresql || true
+sudo systemctl start postgresql || true
+
 # Setup user
 root_roles=$(sudo -H -u postgres psql -t -c "
 SELECT 'HERE' from pg_roles where rolname='$DB_USER'")
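Review bot: The three `sudo sed -i … $PG_HBA`/`$PG_CONF` lines rely on unquoted expansion to strip the leading space that `psql -t` prints, and they silently do nothing when their pattern is absent, so a host whose postgresql.conf has no `password_encryption =` line (or that sets it in an included file) keeps md5 verifiers while pg_hba now demands SCRAM; read the paths with `PG_HBA=$(sudo -H -u postgres psql -tAc "show hba_file")` so they can be quoted, and assert the edit took with `sudo grep -q '^password_encryption = scram-sha-256' "$PG_CONF" || exit 1`. The same mismatch hits a pre-existing $DB_USER role whose password was hashed under the previous setting; the branch that handles an existing role (outside this hunk) should re-issue `ALTER ROLE … PASSWORD` after the restart so a SCRAM verifier is stored. `sudo cat $PG_CONF` dumps the whole postgresql.conf, mostly commented defaults, into the job log; `sudo grep -nE 'scram-sha-256|^password_encryption' "$PG_HBA" "$PG_CONF"` shows only what was changed. The comment typo `fo` in `# restart postgres fo new HBA file is loaded` should read `so`.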
@@ -60,15 +76,6 @@ else
 sudo -H -u postgres psql -c "CREATE ROLE $DB_USER WITH SUPERUSER LOGIN PASSWORD '$DB_PW'"
 fi
-# Identify and update the postgres hba file which can be in
-# a version specific path.
-PG_HBA=$(sudo -H -u postgres psql -t -c "show hba_file")
-sudo sed -i 's/ident/trust/g' $PG_HBA
-sudo cat $PG_HBA
-# restart postgres fo new HBA file is loaded and our user trusted.
-sudo systemctl stop postgresql || true
-sudo systemctl start postgresql || true
-
 # Store password for tests
 cat << EOF > $HOME/.pgpass
 *:*:*:$DB_USER:$DB_PW
diff --git a/zuul.d/ironic-jobs.yaml b/zuul.d/ironic-jobs.yaml
index 3e9291db6f..4ced3dcbd9 100644
--- a/zuul.d/ironic-jobs.yaml
+++ b/zuul.d/ironic-jobs.yaml
@@ -23,7 +23,6 @@
 - ^releasenotes/.*$
 - ^setup.cfg$
 - ^test-requirements.txt$
- - ^tools/.*$
 - ^tox.ini$
 vars:
 tox_envlist: all