From 5646af7bd80028c67d116ebafc847ae3c4f026eb Mon Sep 17 00:00:00 2001
From: Fabricio Aguiar
Date: Fri, 12 Feb 2021 16:27:28 -0300
Subject: [PATCH] Adding scram-sha-256 for FIPS

---
 defaults/main.yml     | 7 +++++--
 tasks/users.yml       | 3 +++
 tasks/users_props.yml | 2 ++
 3 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/defaults/main.yml b/defaults/main.yml
index 0e2d503..4e16779 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -10,6 +10,9 @@ postgresql_python_library: python-psycopg2
 postgresql_user: postgres
 postgresql_group: postgres
 
+# `md5` or `scram-sha-256` (https://www.postgresql.org/docs/10/auth-methods.html)
+postgresql_auth_method: "{{ ansible_fips | ternary('scram-sha-256', 'md5') }}"
+
 postgresql_unix_socket_directories:
   - /var/run/postgresql
 
@@ -26,8 +29,8 @@ postgresql_global_config_options:
 postgresql_hba_entries:
   - {type: local, database: all, user: postgres, auth_method: peer}
   - {type: local, database: all, user: all, auth_method: peer}
-  - {type: host, database: all, user: all, address: '127.0.0.1/32', auth_method: md5}
-  - {type: host, database: all, user: all, address: '::1/128', auth_method: md5}
+  - {type: host, database: all, user: all, address: '127.0.0.1/32', auth_method: "{{ postgresql_auth_method }}"}
+  - {type: host, database: all, user: all, address: '::1/128', auth_method: "{{ postgresql_auth_method }}"}
 
 # Debian only. Used to generate the locales used by PostgreSQL databases.
 postgresql_locales:
diff --git a/tasks/users.yml b/tasks/users.yml
index 4bc84bf..4d346a9 100644
--- a/tasks/users.yml
+++ b/tasks/users.yml
@@ -2,6 +2,7 @@
 - name: Ensure PostgreSQL users are present.
   postgresql_user:
     name: "{{ item.name }}"
+    password: "{{ item.password | default(omit) }}"
   with_items: "{{ postgresql_users }}"
   no_log: "{{ postgres_users_no_log }}"
   become: true
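Review bot: The new `postgresql_auth_method` default reads the `ansible_fips` fact bare, so any play that disables fact gathering or gathers a subset without it fails with an undefined-variable error before the role does anything; guard it with `postgresql_auth_method: "{{ ansible_fips | default(false) | ternary('scram-sha-256', 'md5') }}"`. The comment links the PostgreSQL 10 docs but nothing ties the selection to the installed server version; if this role still provisions releases before 10, a FIPS host running one of those gets an auth method the server does not know, so the comment should at least state the `scram-sha-256` requires PostgreSQL 10 or later caveat. Separately, md5 stays the default on every non-FIPS host even where the server supports SCRAM; that is the existing behaviour, but it is worth a comment noting that users on PostgreSQL 10+ can and should set `scram-sha-256` regardless of FIPS.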
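Review bot: Switching the two loopback `host` entries to `scram-sha-256` on an already-provisioned host will lock out every role whose password is stored as an md5 verifier, because a scram hba entry cannot verify an md5 hash and nothing in this change re-sets existing passwords. An `md5` hba entry, by contrast, still negotiates SCRAM for roles whose password is stored as a scram verifier, so md5 is the safe interim method for a host being migrated, and the hard cut-over should be documented. A comment above these entries along the lines of `# scram-sha-256 entries only authenticate roles whose password was set with password_encryption=scram-sha-256; re-set existing md5 passwords before switching` would save an operator an outage.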
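Review bot: With `password` now passed to the module, the task's `no_log` is the only thing keeping cleartext passwords out of play output, and it is driven by `postgres_users_no_log`, whose default is outside this hunk; confirm it defaults to `true` and record that next to the new line, e.g. `# cleartext password reaches the module; postgres_users_no_log must stay true`. The task also leaves the module's `encrypted` option at its version-dependent default, and older versions of the module decide whether a password changed by comparing the stored verifier against a client-computed md5 hash, so a scram-stored password may report changed on every run; pinning `encrypted: true` and checking idempotence on a scram host would settle that.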
@@ -9,3 +10,5 @@
   # See: https://github.com/ansible/ansible/issues/16048#issuecomment-229012509
   vars:
     ansible_ssh_pipelining: true
+  environment:
+    PGOPTIONS: "{{ (postgresql_auth_method == 'scram-sha-256') | ternary('-c password_encryption=scram-sha-256', '') }}"
diff --git a/tasks/users_props.yml b/tasks/users_props.yml
index fa210ea..992ccf5 100644
--- a/tasks/users_props.yml
+++ b/tasks/users_props.yml
@@ -20,3 +20,5 @@
   # See: https://github.com/ansible/ansible/issues/16048#issuecomment-229012509
   vars:
     ansible_ssh_pipelining: true
+  environment:
+    PGOPTIONS: "{{ (postgresql_auth_method == 'scram-sha-256') | ternary('-c password_encryption=scram-sha-256', '') }}"
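Review bot: Setting `password_encryption` through `PGOPTIONS` only changes the module's own session, so a password set by any other client on the host (an admin in psql, an application migration) still gets the server-wide default, which is md5 on PostgreSQL 10 through 13, and that role is then rejected by the scram-only hba entries this patch introduces. The server-wide setting belongs in postgresql.conf, for example an entry in `postgresql_global_config_options` with `option: password_encryption` and `value: "{{ postgresql_auth_method }}"`, with the env var kept at most as a belt-and-braces measure for the first run before the config reload. The task this `environment:` attaches to starts outside the hunk, so I could not check that it is the only task in the file that sets passwords.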
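Review bot: This hunk repeats the same long `PGOPTIONS` expression verbatim from tasks/users.yml, so the two will drift the first time someone edits one of them; define it once in defaults/main.yml, e.g. `postgresql_user_pgoptions: "{{ (postgresql_auth_method == 'scram-sha-256') | ternary('-c password_encryption=scram-sha-256', '') }}"`, and reference `PGOPTIONS: "{{ postgresql_user_pgoptions }}"` here. The comparison is against the literal string `scram-sha-256`, so any other spelling silently leaves the server default in force; a one-line comment saying so would help whoever overrides `postgresql_auth_method`. The enclosing task starts before this hunk, so whether it actually sets a password that this setting affects is not visible here.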