community.postgresql
ldapbindpasswd in options which includes '#' creates faulty pg_hba lines
SUMMARY
ldapbindpasswd in options which includes '#' creates faulty pg_hba lines. While a hashmark in a password might be ugly, I cannot change this.
ISSUE TYPE
- Bug Report
COMPONENT NAME
postgresql_pg_hba
ANSIBLE VERSION
ansible [core 2.11.12]
config file = None
configured module search path = ['/home/USER/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
ansible python module location = /home/USER/.local/lib/python3.6/site-packages/ansible
ansible collection location = /home/USER/.ansible/collections:/usr/share/ansible/collections
executable location = /home/USER/.local/bin/ansible
python version = 3.6.8 (default, Aug 13 2020, 07:46:32) [GCC 4.8.5 20150623 (Red Hat 4.8.5-39)]
jinja version = 3.0.1
libyaml = True
COLLECTION VERSION
Collection Version
-------------------- -------
community.postgresql 2.3.2
CONFIGURATION
OS / ENVIRONMENT
STEPS TO REPRODUCE
```yaml
---
- hosts: localhost
  tasks:
    - name: line 1
      community.postgresql.postgresql_pg_hba:
        dest: pg_hba.conf
        create: yes
        users: bug
        databases: bug
        source: 66.66.66.66/32
        contype: hostssl
        method: ldap
        options: ldapbindpasswd ="#BROKEN"
        keep_comments_at_rules: true
        comment: messed up
    - name: line 2 breaks line 1
      community.postgresql.postgresql_pg_hba:
        dest: pg_hba.conf
        create: yes
        users: bug2
        databases: bug
        source: 66.66.66.66/32
        contype: hostssl
        method: ldap
        options: ldapbindpasswd ="#BROKEN"
        keep_comments_at_rules: true
```
EXPECTED RESULTS
file pg_hba should be:
hostssl bug bug 66.66.66.66/32 ldap ldapbindpasswd ="#BROKEN" #messed up
hostssl bug bug2 66.66.66.66/32 ldap ldapbindpasswd ="#BROKEN"
ACTUAL RESULTS
pg_hba.conf generated is:
hostssl bug bug 66.66.66.66/32 ldap ldapbindpasswd =" #BROKEN" #messed up
hostssl bug bug2 66.66.66.66/32 ldap ldapbindpasswd ="#BROKEN"
PLAY [localhost] *****************************************************************************************************************************************************************************************************************************************************************************
TASK [Gathering Facts] ***********************************************************************************************************************************************************************************************************************************************************************
ok: [localhost]
TASK [line 1] ********************************************************************************************************************************************************************************************************************************************************************************
--- before
+++ after
@@ -1,4 +1,6 @@
{
"file": "pg_hba.conf",
- "pg_hba": []
+ "pg_hba": [
+ "hostssl\tbug\tbug\t66.66.66.66/32\tldap\tldapbindpasswd =\"#BROKEN\""
+ ]
}
changed: [localhost]
TASK [line 2 breaks line 1] ******************************************************************************************************************************************************************************************************************************************************************
--- before
+++ after
@@ -1,4 +1,6 @@
{
"file": "pg_hba.conf",
- "pg_hba": []
+ "pg_hba": [
+ "hostssl\tbug\tbug2\t66.66.66.66/32\tldap\tldapbindpasswd =\"#BROKEN\""
+ ]
}
changed: [localhost]
PLAY RECAP ***********************************************************************************************************************************************************************************************************************************************************************************
localhost : ok=3 changed=2 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
thx for the report @stelb! do you feel up to digging in and submitting a patch? if not, that's fine.
I think I found where that's happening, I had no idea right away how to fix. I'll try tomorrow
here is a stupid quickfix, to make it work for me right now https://github.com/ansible-collections/community.postgresql/compare/main...stelb:community.postgresql:dumbfix
the code assumes that any # starts a comment. It only affects the second line, because pg_hba is parsed and rewritten for each line. I'm not a regexp master; I have not yet succeeded in creating something that matches every possibility. I am not even sure if it's possible.
there is a pg_hba parser by dalibo https://github.com/dalibo/pgtoolkit/blob/fe8db18923e934fc29b1393e0234976b346623f7/pgtoolkit/hba.py#L140 implementing this is not a 2-liner, and it's just a border case affecting only me .)
We should implement proper quote parsing, the ldapbindpasswd is not the only value that can contain arbitrary characters.
The existing implementation of using '#' in line is pretty naive.
I got a regexp for parsing respecting any quoted string and it works for me
https://github.com/ansible-collections/community.postgresql/compare/main...stelb:community.postgresql:pg_hba_re_comment_parsing
Well escaped quotes are not handled..
fixed that too https://github.com/ansible-collections/community.postgresql/compare/main...stelb:community.postgresql:pg_hba_re_comment_parsing
hello folks, i put the help wanted label.
For volunteers who wanna fix it, there were two attempts you can base your work on:
- the latest: https://github.com/ansible-collections/community.postgresql/pull/458
- the original: https://github.com/ansible-collections/community.postgresql/pull/423
Vacant:)
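The failure discussed in this thread, as an added example (not code from community.postgresql, pgtoolkit or any of the linked branches): splitting a pg_hba line at the first `#` corrupts a quoted `ldapbindpasswd` when the line is parsed and written back, while a split that tracks double quotes round-trips it. The function names and the sample line are constructed for illustration; the sample is rule 1 from the report.

```python
# Added illustration; not code from community.postgresql or pgtoolkit.

# Constructed sample: rule 1 from the report, as it sits in pg_hba.conf.
LINE1 = 'hostssl\tbug\tbug\t66.66.66.66/32\tldap\tldapbindpasswd ="#BROKEN" #messed up'


def naive_split(line):
    """Treat the first '#' anywhere on the line as the start of the comment."""
    rule, sep, comment = line.partition("#")
    return rule.rstrip(), (comment.strip() if sep else None)


def quote_aware_split(line):
    """Treat '#' as a comment marker only outside double quotes."""
    in_quote = False
    for i, ch in enumerate(line):
        if ch == '"':
            # Toggling also passes over a doubled quote ("") inside a value,
            # assumed here to be the escaped-quote form.
            in_quote = not in_quote
        elif ch == "#" and not in_quote:
            return line[:i].rstrip(), line[i + 1:].strip()
    if in_quote:
        raise ValueError("unterminated double quote in pg_hba line")
    return line.rstrip(), None


def render(rule, comment):
    """Write a parsed line back the way a rewrite of the file would."""
    return rule if comment is None else f"{rule} #{comment}"


def round_trips(split, line):
    """True when parsing and re-rendering leaves the line unchanged."""
    return render(*split(line)) == line


if __name__ == "__main__":
    for split in (naive_split, quote_aware_split):
        print(split.__name__, round_trips(split, LINE1), repr(render(*split(LINE1))))
```

A round-trip check like `round_trips` over an existing pg_hba.conf is a cheap regression test for any tool that rewrites the file, since a mangled bind password only shows up later as failed LDAP authentication.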