postgresql::server::role with sensitive passwords and enabled update_password are not working

[cruelsmith]

Describe the Bug

From the Datatype definition password_hash is allowed to be Sensitive but when setting it as one the password is set wrongly and ALTER password runs always.

Problem is https://github.com/puppetlabs/puppetlabs-postgresql/blob/v8.2.1/manifests/server/role.pp#L165 because is merged with string here https://github.com/puppetlabs/puppetlabs-postgresql/blob/main/manifests/server/role.pp#L182-L183

Resulting that $pwd_hash_sql will always replaced with Sensitive [value redacted] because it has not been unwrapped before.

Expected Behavior

postgresql::server::role should be allowed to be used with a Sensitive password_hash and with update_password enabled.

Steps to Reproduce

• Manifest with

postgresql::server::role { 'marmot':
  password_hash => postgresql::postgresql_password('marmot', 'mypasswd',true),
}

• run puppet
• run puppet again
  • shows that the password has been changed again
• try to login

psql --host=localhost --username=marmot --password

• does not work because the password is not accepted

Environment

• puppetlabs-postgresql v8.2.1
• postgresql 12.14
• CentOS 8 Stream

Additional Context

POC of the problem:

$password = Sensitive('Password')
$command = "/usr/bin/echo \"The password is: '${password}'\" > /tmp/data.txt"

exec { 'test':
  command => $command,
}

[cruelsmith]

Mhm ok tested again and found out that the problem is with the Sensitive handling in postgresql::server::role and it does not only apply to a pre-hashed password but also to a Sensitive cleartext password.

Like that is working

postgresql::server::role { 'marmot':
  password_hash => postgresql::postgresql_password('marmot', Sensitive('mypasswd'), false),
}

or

postgresql::server::role { 'marmot':
  password_hash => 'mypasswd',
}

And that does not

postgresql::server::role { 'marmot':
  password_hash => postgresql::postgresql_password('marmot', Sensitive('mypasswd'), true),
}

or

postgresql::server::role { 'marmot':
  password_hash => Sensitive('mypasswd'),
}

🤷

[cruelsmith]

Oh wait a Sensitive in a Sensitive does not work or?
So $pwd_hash_sql should be again a Sensitive when it was one before: https://github.com/puppetlabs/puppetlabs-postgresql/blob/main/manifests/server/role.pp#L169
And also the full command of the exec will be Sensitive as well: https://github.com/puppetlabs/puppetlabs-postgresql/blob/main/manifests/server/role.pp#L187

---

The merge of the Sensitive into the String is here the issue. See following POC of the Problem

$password = Sensitive('Password')
$command = "/usr/bin/echo \"The password is: '${password}'\" > /tmp/data.txt"

exec { 'test':
  command => $command,
}

will create the file /tmp/data.txt containing

The password is: 'Sensitive [value redacted]'

Yes i used here the exec intentionally here to exclude other Sensitive handling of the type itself.