idempotent when password is scram hashed (#302)

* idempotent when password is scram hashed Add a test to user_should_we_change_password to check if the password parameter is a SCRAM-256 hash, and if it is the same as the stored password. Fixes #301 * Update plugins/modules/postgresql_user.py Co-authored-by: Andrew Klychkov <[email protected]>
ansible-collections · Aug 2, 2022 · bfa3677 · bfa3677
1 parent a7428b1
commit bfa3677
Showing 1 changed file with 4 additions and 0 deletions.
diff --git a/plugins/modules/postgresql_user.py b/plugins/modules/postgresql_user.py
@@ -423,6 +423,10 @@ def user_should_we_change_password(current_role_attrs, user, password, encrypted
         if password == '':
             if current_role_attrs['rolpassword'] is not None:
                 pwchanging = True
+        # If the provided password is a SCRAM hash, compare it directly to the current password
+        elif re.match(SCRAM_SHA256_REGEX, password):
+            if password != current_role_attrs['rolpassword']:
+                pwchanging = True
 
         # SCRAM hashes are represented as a special object, containing hash data:
         # `SCRAM-SHA-256$<iteration count>:<salt>$<StoredKey>:<ServerKey>`