From 8bc7bad9d304e4388e2a7472126fd23eb17ac1f0 Mon Sep 17 00:00:00 2001
From: cruelsmith <92088441+cruelsmith@users.noreply.github.com>
Date: Mon, 11 Sep 2023 21:26:41 +0200
Subject: [PATCH 1/2] Fix password_encryption for DBVERSION in server::role

---
 manifests/server/role.pp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/manifests/server/role.pp b/manifests/server/role.pp
index dacdbf7701..91d07e7798 100644
--- a/manifests/server/role.pp
+++ b/manifests/server/role.pp
@@ -142,7 +142,7 @@
     $_hash = if $hash {
       $hash
     } elsif $connect_settings != undef and 'DBVERSION' in $connect_settings {
-      if (versioncmp($version, '14') >= 0) { 'scram-sha-256' } else { undef }
+      versioncmp($version, '14') ? { -1 => 'md5', default => 'scram-sha-256' }
     } else {
       $postgresql::server::password_encryption
     }

From b26a4cc237b733142a59d8c41bba2f8cf97acc86 Mon Sep 17 00:00:00 2001
From: cruelsmith <92088441+cruelsmith@users.noreply.github.com>
Date: Tue, 12 Sep 2023 00:37:45 +0200
Subject: [PATCH 2/2] Add unit test for role with DBVERSION in connect_settings

---
 spec/acceptance/server/role_spec.rb | 34 +++++++++++++++++++++++++++++
 1 file changed, 34 insertions(+)
 create mode 100644 spec/acceptance/server/role_spec.rb

diff --git a/spec/acceptance/server/role_spec.rb b/spec/acceptance/server/role_spec.rb
new file mode 100644
index 0000000000..8050653951
--- /dev/null
+++ b/spec/acceptance/server/role_spec.rb
@@ -0,0 +1,34 @@
+# frozen_string_literal: true
+
+require 'spec_helper_acceptance'
+
+describe 'postgresql::server::role' do
+  let(:user) { 'foo' }
+  let(:password) { 'bar' }
+
+  it 'with different DBVERSION in connect_settings' do
+    pp_role = <<-MANIFEST
+      $user = '#{user}'
+      $password = '#{password}'
+
+      class { 'postgresql::server': }
+
+      postgresql::server::role { $user:
+        password_hash    => $password,
+        connect_settings => {
+          'DBVERSION' => '13',
+        },
+      }
+    MANIFEST
+
+    if Gem::Version.new(postgresql_version) >= Gem::Version.new('14')
+      idempotent_apply(pp_role)
+
+      # verify that password_encryption selectio is based on 'DBVERSION' and not on postgresql::serverglobals::version
+      psql("--command=\"SELECT 1 FROM pg_shadow WHERE usename = '#{user}' AND passwd = 'md596948aad3fcae80c08a35c9b5958cd89'\"") do |r|
+        expect(r.stdout).to match(%r{\(1 row\)})
+        expect(r.stderr).to eq('')
+      end
+    end
+  end
+end