idempotent when password is scram hashed (#302) (#325)

* idempotent when password is scram hashed Add a test to user_should_we_change_password to check if the password parameter is a SCRAM-256 hash, and if it is the same as the stored password. Fixes #301 * Update plugins/modules/postgresql_user.py Co-authored-by: Andrew Klychkov <[email protected]> (cherry picked from commit bfa3677) Co-authored-by: Ben Formosa <[email protected]>
ansible-collections · Aug 2, 2022 · 8c60b49 · 8c60b49
1 parent f77532e
commit 8c60b49
Showing 1 changed file with 4 additions and 0 deletions.
diff --git a/plugins/modules/postgresql_user.py b/plugins/modules/postgresql_user.py
@@ -421,6 +421,10 @@ def user_should_we_change_password(current_role_attrs, user, password, encrypted
         if password == '':
             if current_role_attrs['rolpassword'] is not None:
                 pwchanging = True
+        # If the provided password is a SCRAM hash, compare it directly to the current password
+        elif re.match(SCRAM_SHA256_REGEX, password):
+            if password != current_role_attrs['rolpassword']:
+                pwchanging = True
 
         # SCRAM hashes are represented as a special object, containing hash data:
         # `SCRAM-SHA-256$<iteration count>:<salt>$<StoredKey>:<ServerKey>`