Description
Describe the Bug
When passing in a Sensitive[String] to postgresql::server::db, the resulting user has a broken password.
Also each Puppet run resets the password to a different, but still broken, string.
This bug surfaced in #1313
Expected Behavior
The password should be set correctly and only once.
Steps to Reproduce
Steps to reproduce the behavior:
- Use the following code to trigger this problem:

    postgresql::server::db { $database_name:
      user => "testuser",
      password => Sensitive("testpassword"),
      grant => 'all',
    }

Environment
- Version v8.2.1
Additional Context
The reason for this problem is that the above-mentioned MR started using the postgres_password function to generate the password hash.
There the password is returned as a Sensitive whenever the input was also a Sensitive (or more precisely: when sensitive was set to true). Then the ALTER ROLE SQL query gets constructed, converted to a Sensitive (again!!) and passed to postgresql_psql (see https://github.com/puppetlabs/puppetlabs-postgresql/blob/main/manifests/server/role.pp#L186-L187).
Basically, the logic constructs a Sensitive inside a Sensitive which never gets unwrapped, resulting in the following SQL query (yes, exactly like that):

    ALTER ROLE "<username>" ENCRYPTED PASSWORD 'Sensitive [value redacted]'
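
The wrapping problem described above can be reproduced in a stand-alone manifest. This is an added example, not code from the issue or from the puppetlabs-postgresql module; the variable names and the hash placeholder are assumptions, and it checks for the redaction marker without logging the secret.

```puppet
# Constructed sample values; not taken from the module.
$username      = 'testuser'
$password_hash = Sensitive('constructed-password-hash-placeholder')

# Broken pattern: interpolating a Sensitive uses its string form, which is
# the fixed text "Sensitive [value redacted]", so the secret never reaches
# the statement even though the statement itself is wrapped again.
$broken_sql = Sensitive("ALTER ROLE \"${username}\" ENCRYPTED PASSWORD '${password_hash}'")

# Working pattern: accept either a String or a Sensitive, unwrap once,
# interpolate the plain value, then wrap the finished statement exactly once.
$plain_hash = $password_hash ? {
  Sensitive => $password_hash.unwrap,
  default   => $password_hash,
}
$fixed_sql = Sensitive("ALTER ROLE \"${username}\" ENCRYPTED PASSWORD '${plain_hash}'")

# Report only whether the redaction marker ended up inside the SQL text,
# so the check itself does not print the secret.
[['broken', $broken_sql], ['fixed', $fixed_sql]].each |$pair| {
  $leaked = $pair[1].unwrap =~ /Sensitive \[value redacted\]/
  notice("${pair[0]}: redaction marker in SQL = ${leaked}")
}
```

Applied with `puppet apply`, the broken statement reports `true` and the fixed one `false`.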