From 308b53bd07c44bf17dce687e4c6dd1a24bb07da7 Mon Sep 17 00:00:00 2001
From: Ian Ballou
Date: Fri, 4 Oct 2024 16:03:03 -0400
Subject: [PATCH] Fixes #37883 - halt if remote DB does not own EVR
---
.../42-evr_extension_permissions.rb | 30 +++++++++++++++++++
1 file changed, 30 insertions(+)
create mode 100644 hooks/pre_commit/42-evr_extension_permissions.rb
diff --git a/hooks/pre_commit/42-evr_extension_permissions.rb b/hooks/pre_commit/42-evr_extension_permissions.rb
new file mode 100644
index 00000000..c655dcb7
--- /dev/null
+++ b/hooks/pre_commit/42-evr_extension_permissions.rb
@@ -0,0 +1,30 @@
+# Managed databases will be handled automatically.
+return if local_postgresql?
+
+database = param_value('foreman', 'db_database') || 'foreman'
+username = param_value('foreman', 'db_username') || 'foreman'
+password = param_value('foreman', 'db_password')
+host = param_value('foreman', 'db_host')
+port = param_value('foreman', 'db_port') || 5432
+
+# If postgres is the owner of the DB, then the permissions will not matter.
+return if username == 'postgres'
+
+check_evr_owner_sql = "SELECT CASE" \
+ " WHEN r.rolname = 'postgres' THEN 1" \
+ " ELSE 0" \
+ " END AS evr_owned_by_postgres" \
+ " FROM pg_extension e" \
+ " JOIN pg_roles r ON e.extowner = r.oid" \
+ " WHERE e.extname = 'evr';"
+
+command = "PGPASSWORD='#{password}' psql -U #{username} -h #{host} -p #{port} -d #{database} -t -c \"#{check_evr_owner_sql}\""
+logger.debug "Checking if the evr extension is owned by the postgres user via #{command}"
+output, _ = execute_command(command, false, true)
+unless output.nil?
+ if output.strip == '1'
+ fail_and_exit("The evr extension is owned by postgres and not the foreman DB owner. Please run the following command to fix it: " \
+ "UPDATE pg_extension SET extowner = (SELECT oid FROM pg_authid WHERE rolname='#{username}');")
+ end
+end
+
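Review bot: The `logger.debug` line interpolates `command`, which starts with `PGPASSWORD='#{password}'`, so the remote database password is written in clear text to the installer log whenever debug logging is enabled; log a fixed message instead, e.g. `logger.debug "Checking evr extension ownership on #{host}:#{port}/#{database} as #{username}"`. The same string is presumably run through a shell by `execute_command`, with `username`, `host`, `port` and `database` unquoted and `password` only wrapped in single quotes, so a value containing `'`, whitespace or shell metacharacters breaks the check or changes the command; escaping each value (for example with `Shellwords.escape`, if it is available in hook context) would close that. The remediation text passed to `fail_and_exit` has no outer `WHERE` clause, unlike the check query, so as written it would reassign the owner of every extension in the database; ending it with `WHERE rolname='#{username}') WHERE extname='evr';` scopes it to evr. A `nil` or non-`1` output, such as a failed connection, is treated as a pass, which may be intended but deserves a comment saying so.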