Passing in a Sensitive to postgresql::server::db as "password" causes broken user #1417

Closed
laugmanuel opened this issue Apr 21, 2023 · 6 comments

@laugmanuel

Describe the Bug

When passing in a Sensitive[String] to postgresql::server::db, the resulting user has a broken password.
Also, each Puppet run resets the password to a different, but still broken, string.

This bug surfaced in #1313

Expected Behavior

The password should be set correctly and only once.

Steps to Reproduce

Steps to reproduce the behavior:

  1. Use the following code to trigger this problem:
postgresql::server::db { $database_name:
  user     => "testuser",
  password => Sensitive("testpassword"),
  grant    => 'all',
}

Environment

  • Version v8.2.1

Additional Context

The reason for this problem is that the above-mentioned MR started using the postgres_password function to generate the password hash.
There the password is returned as a Sensitive whenever the input was also a Sensitive (or more precisely: when sensitive was set to true). Then the ALTER ROLE SQL query gets constructed, converted to a Sensitive (again!!) and passed to postgresql_psql (see https://github.com/puppetlabs/puppetlabs-postgresql/blob/main/manifests/server/role.pp#L186-L187).

Basically, the logic constructs a Sensitive inside a Sensitive, which never gets unwrapped, resulting in the following SQL query (yes, exactly like that):

ALTER ROLE "<username>" ENCRYPTED PASSWORD 'Sensitive [value redacted]'
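
The wrapping problem described in this report, reduced to a standalone manifest. This is an added illustration, not code from the module or from the fix in #1404; `$pwd_hash` is a constructed stand-in for the hash function's return value, and the variable names are hypothetical.

```puppet
# Constructed sample values; the hash below is a placeholder, not a real hash.
$username = 'testuser'
$pwd_hash = Sensitive('md5-constructed-placeholder-hash')

# Broken pattern: interpolating a Sensitive uses its redacted string form,
# so the redaction marker itself becomes part of the SQL text before the
# statement is wrapped in Sensitive a second time.
$broken_sql = Sensitive(
  "ALTER ROLE \"${username}\" ENCRYPTED PASSWORD '${pwd_hash}'"
)

# Corrected pattern: unwrap the inner value first (accepting either a plain
# String or a Sensitive), then wrap the finished statement exactly once.
$plain_hash = $pwd_hash ? {
  Sensitive => $pwd_hash.unwrap,
  default   => $pwd_hash,
}
$fixed_sql = Sensitive(
  "ALTER ROLE \"${username}\" ENCRYPTED PASSWORD '${plain_hash}'"
)

# Compile-time guard: refuse to continue if the redaction marker leaked
# into a statement that is about to be sent to the database.
$marker = 'Sensitive [value redacted]'

if $marker in $broken_sql.unwrap {
  notice('broken_sql contains the redaction marker instead of the hash')
}

if $marker in $fixed_sql.unwrap {
  fail('fixed_sql still contains the redaction marker')
}

# Printing a Sensitive stays redacted in logs, which is the intended use.
notice($fixed_sql)
```

Running this with `puppet apply` emits the notice for `$broken_sql` and passes the guard for `$fixed_sql` without writing the hash to the log.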
@vchepkov

vchepkov commented Apr 23, 2023

I am not sure if these warnings during each agent run are related or I should submit a separate bug?

Warning: /Postgresql_psql[ALTER ROLE puppetdb ENCRYPTED PASSWORD ****]: Unable to mark 'unless' as sensitive: unless is a parameter and not a property, and cannot be automatically redacted.
Warning: /Postgresql_psql[ALTER ROLE puppetdb-read ENCRYPTED PASSWORD ****]: Unable to mark 'unless' as sensitive: unless is a parameter and not a property, and cannot be automatically redacted.

@deemon87

> I am not sure if these warnings during each agent run are related or I should submit a separate bug?
>
> Warning: /Postgresql_psql[ALTER ROLE puppetdb ENCRYPTED PASSWORD ****]: Unable to mark 'unless' as sensitive: unless is a parameter and not a property, and cannot be automatically redacted.
> Warning: /Postgresql_psql[ALTER ROLE puppetdb-read ENCRYPTED PASSWORD ****]: Unable to mark 'unless' as sensitive: unless is a parameter and not a property, and cannot be automatically redacted.

I have the same issue

@cruelsmith
Contributor

Duplicate of #1402, or not?

@laugmanuel
Author

> Duplicate of #1402, or not?

That's true. I would leave it up to the maintainers to decide which PR will be chosen and close the other issue and PR as duplicate. I'm ok with both.

@torstenfohrer

torstenfohrer commented Jul 10, 2023

Please either remove the unusable feature or pull/commit/do something about this.

@smortex
Collaborator

smortex commented Jul 25, 2023

Duplicate of #1402 that got fixed in #1404. Closing.

@smortex smortex closed this as completed Jul 25, 2023