From 696bcf12aaec0b877334ced5a0ba602519d83c8c Mon Sep 17 00:00:00 2001
From: Ian Ballou
Date: Fri, 4 Oct 2024 16:03:03 -0400
Subject: [PATCH] Fixes #37883 - halt if remote DB does not own EVR
---
.../42-evr_extension_permissions.rb | 25 +++++++++++++++++++
1 file changed, 25 insertions(+)
create mode 100644 hooks/pre_commit/42-evr_extension_permissions.rb
diff --git a/hooks/pre_commit/42-evr_extension_permissions.rb b/hooks/pre_commit/42-evr_extension_permissions.rb
new file mode 100644
index 00000000..c807a143
--- /dev/null
+++ b/hooks/pre_commit/42-evr_extension_permissions.rb
@@ -0,0 +1,25 @@
+database = param_value('foreman', 'db_database') || 'foreman'
+username = param_value('foreman', 'db_username') || 'foreman'
+password = param_value('foreman', 'db_password')
+host = param_value('foreman', 'db_host')
+port = param_value('foreman', 'db_port') || 5432
+
+# if postgres is the owner of the DB, then the permissions will not matter.
+return if username == 'postgres'
+
+check_evr_owner_sql = "SELECT CASE" \
+ " WHEN r.rolname = 'postgres' THEN 1" \
+ " ELSE 0" \
+ " END AS evr_owned_by_postgres" \
+ " FROM pg_extension e" \
+ " JOIN pg_roles r ON e.extowner = r.oid" \
+ " WHERE e.extname = 'evr';"
+
+command = "PGPASSWORD='#{password}' psql -U #{username} -h #{host} -p #{port} -d #{database} -t -c \"#{check_evr_owner_sql}\""
+logger.debug "Checking if the evr extension is owned by the postgres user via #{command}"
+output = execute!(command, false, true).strip
+if output != '0'
+ fail_and_exit("The evr extension is owned by postgres and not the foreman DB owner. Please run the following on the foreman DB to fix it: " \
+ "UPDATE pg_extension SET extowner = (SELECT oid FROM pg_authid WHERE rolname='#{username}');")
+end
+
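Review bot: The `logger.debug` line writes the whole `command` string, which contains `PGPASSWORD='#{password}'`, so the database password lands in the installer log whenever debug logging is enabled; log the target instead, e.g. `logger.debug "Checking evr extension owner on #{host}:#{port}/#{database}"`, and confirm that `execute!` with its third argument `true` does not log the command as well (its definition is not part of this patch). The same string interpolates `password`, `username`, `host` and `database` into a shell command without quoting, so a value containing `'` or shell metacharacters breaks the check or changes what the shell runs; apply `Shellwords.escape` to each value, or pass the password through the process environment rather than the command text. The remediation SQL in `fail_and_exit` has no `WHERE` clause, so running it as printed would reassign the owner of every extension in the database; it should end with `WHERE extname = 'evr'`. Finally, `output != '0'` also fires when the query returns no row (evr not installed) and `host` has no default, so an unset `db_host` produces `-h -p ...`; both cases would likely halt with a misleading ownership message.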