From 52706c0386c797b479d7b45cc105307fb1611596 Mon Sep 17 00:00:00 2001 From: Ben Formosa Date: Tue, 2 Aug 2022 18:01:01 +1000 Subject: [PATCH] idempotent when password is scram hashed (#302) * idempotent when password is scram hashed Add a test to user_should_we_change_password to check if the password parameter is a SCRAM-256 hash, and if it is the same as the stored password. Fixes #301 * Update plugins/modules/postgresql_user.py Co-authored-by: Andrew Klychkov (cherry picked from commit bfa3677f822edf339fe9bae6cd793734eef49564)
---
 plugins/modules/postgresql_user.py | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/plugins/modules/postgresql_user.py b/plugins/modules/postgresql_user.py
index 641d71ff..d10d1c05 100644
--- a/plugins/modules/postgresql_user.py
+++ b/plugins/modules/postgresql_user.py
@@ -421,6 +421,10 @@ def user_should_we_change_password(current_role_attrs, user, password, encrypted
 if password == '':
 if current_role_attrs['rolpassword'] is not None:
 pwchanging = True
+ # If the provided password is a SCRAM hash, compare it directly to the current password
+ elif re.match(SCRAM_SHA256_REGEX, password):
+ if password != current_role_attrs['rolpassword']:
+ pwchanging = True
 # SCRAM hashes are represented as a special object, containing hash data:
 # `SCRAM-SHA-256$:$:`
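Review bot: The added `elif re.match(SCRAM_SHA256_REGEX, password):` anchors only at the start of the string, so whether this branch is limited to complete SCRAM verifiers depends on `SCRAM_SHA256_REGEX` ending in `$`; the constant is defined outside this hunk and should be checked. If it is not end-anchored, a plaintext password that merely begins like a verifier would be classified as a hash and compared here rather than handled as plaintext. The comment above the branch should also state the limit of the comparison, for example `# Exact string match against rolpassword: a verifier re-generated with a new salt or iteration count is reported as a change.` The body of user_should_we_change_password starts and ends outside the hunk, so how the value is treated after this branch cannot be seen from here.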