ldapbindpasswd in options which includes '#' creates faulty pg_hba lines

[stelb]

SUMMARY

ldapbindpasswd in options which includes '#' creates faulty pg_hba lines While a hashmark in a password might be ugly I cannot change this

ISSUE TYPE

• Bug Report

COMPONENT NAME

postgresql_pg_hba

ANSIBLE VERSION

ansible [core 2.11.12]
  config file = None
  configured module search path = ['/home/USER/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /home/USER/.local/lib/python3.6/site-packages/ansible
  ansible collection location = /home/USER/.ansible/collections:/usr/share/ansible/collections
  executable location = /home/USER/.local/bin/ansible
  python version = 3.6.8 (default, Aug 13 2020, 07:46:32) [GCC 4.8.5 20150623 (Red Hat 4.8.5-39)]
  jinja version = 3.0.1
  libyaml = True

COLLECTION VERSION

Collection           Version
-------------------- -------
community.postgresql 2.3.2

CONFIGURATION

OS / ENVIRONMENT

STEPS TO REPRODUCE

---
- hosts: localhost
  tasks:
    - name: line 1
      community.postgresql.postgresql_pg_hba:
        dest: pg_hba.conf
        create: yes
        users: bug
        databases: bug
        source: 66.66.66.66/32
        contype: hostssl
        method: ldap
        options: ldapbindpasswd ="#BROKEN"
        keep_comments_at_rules: true
        comment: messed up
    - name: line 2 breaks line 1
      community.postgresql.postgresql_pg_hba:
        dest: pg_hba.conf
        create: yes
        users: bug2
        databases: bug
        source: 66.66.66.66/32
        contype: hostssl
        method: ldap
        options: ldapbindpasswd ="#BROKEN"
        keep_comments_at_rules: true

EXPECTED RESULTS

file pg_hba should be:

hostssl bug     bug     66.66.66.66/32  ldap    ldapbindpasswd ="#BROKEN"        #messed up
hostssl bug     bug2    66.66.66.66/32  ldap    ldapbindpasswd ="#BROKEN"

ACTUAL RESULTS

pg_hba.conf generated is:

hostssl bug     bug     66.66.66.66/32  ldap    ldapbindpasswd ="    #BROKEN"        #messed up
hostssl bug     bug2    66.66.66.66/32  ldap    ldapbindpasswd ="#BROKEN"

PLAY [localhost] *****************************************************************************************************************************************************************************************************************************************************************************

TASK [Gathering Facts] ***********************************************************************************************************************************************************************************************************************************************************************
ok: [localhost]

TASK [line 1] ********************************************************************************************************************************************************************************************************************************************************************************
--- before
+++ after
@@ -1,4 +1,6 @@
 {
     "file": "pg_hba.conf",
-    "pg_hba": []
+    "pg_hba": [
+        "hostssl\tbug\tbug\t66.66.66.66/32\tldap\tldapbindpasswd =\"#BROKEN\""
+    ]
 }

changed: [localhost]

TASK [line 2 breaks line 1] ******************************************************************************************************************************************************************************************************************************************************************
--- before
+++ after
@@ -1,4 +1,6 @@
 {
     "file": "pg_hba.conf",
-    "pg_hba": []
+    "pg_hba": [
+        "hostssl\tbug\tbug2\t66.66.66.66/32\tldap\tldapbindpasswd =\"#BROKEN\""
+    ]
 }

changed: [localhost]

PLAY RECAP ***********************************************************************************************************************************************************************************************************************************************************************************
localhost                  : ok=3    changed=2    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0

[hunleyd]

thx for the report @stelb! do you feel up to digging in and submitting a patch? if not, that's fine.

[stelb]

I think I found where that's happening, I had no idea right away how to fix. I'll try tomorrow

[stelb]

here is a stupid quickfix, to make it work for me right now https://github.com/ansible-collections/community.postgresql/compare/main...stelb:community.postgresql:dumbfix

the code assumes that any # starts a comment, it only affects the second line, because pg_hba is parsed and rewritten for each line. I'm not a regexp master, I was not yet successful to create something that matches every possibility. I am not even sure if it's possible.

[stelb]

there is a pg_hba parser by dalibo https://github.com/dalibo/pgtoolkit/blob/fe8db18923e934fc29b1393e0234976b346623f7/pgtoolkit/hba.py#L140 implementing this is not a 2-liner, and it's just a bordercase affecting only me .)

[betanummeric]

We should implement proper quote parsing, the ldapbindpasswd is not the only value that can contain arbitrary characters. The existing implementation of using '#' in line is pretty naive.

[stelb]

I got a regexp for parsing respecting any quoted string and it works for me

https://github.com/ansible-collections/community.postgresql/compare/main...stelb:community.postgresql:pg_hba_re_comment_parsing

[stelb]

Well escaped quotes are not handled..

[stelb]

fixed that too https://github.com/ansible-collections/community.postgresql/compare/main...stelb:community.postgresql:pg_hba_re_comment_parsing

[Andersson007]

hello folks, i put the help wanted label. For volunteers who wanna fix it, there were two attempts you can base your work on:

• the latest: https://github.com/ansible-collections/community.postgresql/pull/458
• the original: https://github.com/ansible-collections/community.postgresql/pull/423

Vacant:)