summaryrefslogtreecommitdiff
path: root/tools
diff options
context:
space:
mode:
authorSteve Baker <sbaker@redhat.com>2021-08-02 11:42:44 +1200
committerSteve Baker <sbaker@redhat.com>2021-08-05 11:47:11 +1200
commit6af0eb374e5565520937e5b3d8fda086d336fe9d (patch)
treedc8b2c7649e873371ffc053c5c4bc1ab0e5a71fe /tools
parent512364df9dca4e9b85c67a8e708857327e673892 (diff)
downloadironic-6af0eb374e5565520937e5b3d8fda086d336fe9d.tar.gz
Set postgresql password encryption for FIPS compliance
This is part of the work to add jobs which confirm ironic works with FIPS enabled, but this change is also appropriate non-FIPS jobs. Change-Id: I4af4e811104088d28d7be6df53c26e72db039e08
Diffstat (limited to 'tools')
-rwxr-xr-xtools/test-setup.sh27
1 files changed, 17 insertions, 10 deletions
diff --git a/tools/test-setup.sh b/tools/test-setup.sh
index dc2a130b9..16974adb5 100755
--- a/tools/test-setup.sh
+++ b/tools/test-setup.sh
@@ -48,9 +48,25 @@ DB_ROOT_PW=${POSTGRES_ROOT_PW:-insecure_slave}
# which it can't when executed as the postgres user, which is required
# as same user as process for initial administrative authentication to
# the postgres database
-
cd /tmp
+# Identify and update the postgres hba file which can be in
+# a version specific path.
+PG_HBA=$(sudo -H -u postgres psql -t -c "show hba_file")
+PG_CONF=$(sudo -H -u postgres psql -t -c "show config_file")
+
+# setup postgres encryption algorithm and authentication
+sudo sed -i 's/ident$/scram-sha-256/g' $PG_HBA
+sudo sed -i 's/md5$/scram-sha-256/g' $PG_HBA
+sudo sed -i 's/^.*password_encryption =.*/password_encryption = scram-sha-256/' $PG_CONF
+
+sudo cat $PG_HBA
+sudo cat $PG_CONF
+
+# restart postgres fo new HBA file is loaded
+sudo systemctl stop postgresql || true
+sudo systemctl start postgresql || true
+
# Setup user
root_roles=$(sudo -H -u postgres psql -t -c "
SELECT 'HERE' from pg_roles where rolname='$DB_USER'")
@@ -60,15 +76,6 @@ else
sudo -H -u postgres psql -c "CREATE ROLE $DB_USER WITH SUPERUSER LOGIN PASSWORD '$DB_PW'"
fi
-# Identify and update the postgres hba file which can be in
-# a version specific path.
-PG_HBA=$(sudo -H -u postgres psql -t -c "show hba_file")
-sudo sed -i 's/ident/trust/g' $PG_HBA
-sudo cat $PG_HBA
-# restart postgres fo new HBA file is loaded and our user trusted.
-sudo systemctl stop postgresql || true
-sudo systemctl start postgresql || true
-
# Store password for tests
cat << EOF > $HOME/.pgpass
*:*:*:$DB_USER:$DB_PW