Merge pull request #103 from hoxu/hashed-password-support

winglot · web-flow · commit 4bbf6288310b · 2023-01-17T08:18:09.000+01:00
Support hashed user passwords
diff --git a/docs/resources/user.md b/docs/resources/user.md
@@ -37,7 +37,7 @@ resource "redshift_user" "user_with_unrestricted_syslog" {
 - **connection_limit** (Number) The maximum number of database connections the user is permitted to have open concurrently. The limit isn't enforced for superusers.
 - **create_database** (Boolean) Allows the user to create new databases. By default user can't create new databases.
 - **id** (String) The ID of this resource.
-- **password** (String, Sensitive) Sets the user's password. Users can change their own passwords, unless the password is disabled. To disable password, omit this parameter or set it to `null`.
+- **password** (String, Sensitive) Sets the user's password. Users can change their own passwords, unless the password is disabled. To disable password, omit this parameter or set it to `null`. Can also be a hashed password rather than the plaintext password. Please refer to the Redshift [CREATE USER documentation](https://docs.aws.amazon.com/redshift/latest/dg/r_CREATE_USER.html) for information on creating a password hash.
 - **session_timeout** (Number) The maximum time in seconds that a session remains inactive or idle. The range is 60 seconds (one minute) to 1,728,000 seconds (20 days). If no session timeout is set for the user, the cluster setting applies.
 - **superuser** (Boolean) Determine whether the user is a superuser with all database privileges.
 - **syslog_access** (String) A clause that specifies the level of access that the user has to the Amazon Redshift system tables and views. If `RESTRICTED` (default) is specified, the user can see only the rows generated by that user in user-visible system tables and views. If `UNRESTRICTED` is specified, the user can see all rows in user-visible system tables and views, including rows generated by another user. `UNRESTRICTED` doesn't give a regular user access to superuser-visible tables. Only superusers can see superuser-visible tables.
diff --git a/redshift/resource_redshift_user.go b/redshift/resource_redshift_user.go
@@ -2,7 +2,6 @@ package redshift
 
 import (
 	"context"
-	"crypto/md5"
 	"database/sql"
 	"fmt"
 	"log"
@@ -87,7 +86,7 @@ Amazon Redshift user accounts can only be created and dropped by a database supe
 				Type:        schema.TypeString,
 				Optional:    true,
 				Sensitive:   true,
-				Description: "Sets the user's password. Users can change their own passwords, unless the password is disabled. To disable password, omit this parameter or set it to `null`.",
+				Description: "Sets the user's password. Users can change their own passwords, unless the password is disabled. To disable password, omit this parameter or set it to `null`. Can also be a hashed password rather than the plaintext password. Please refer to the Redshift [CREATE USER documentation](https://docs.aws.amazon.com/redshift/latest/dg/r_CREATE_USER.html) for information on creating a password hash.",
 			},
 			userValidUntilAttr: {
 				Type:        schema.TypeString,
@@ -187,7 +186,6 @@ func resourceRedshiftUserCreate(db *DBConnection, d *schema.ResourceData) error
 		{userCreateDBAttr, "CREATEDB", "NOCREATEDB"},
 	}
 
-	userName := d.Get(userNameAttr).(string)
 	createOpts := make([]string, 0, len(stringOpts)+len(intOpts)+len(boolOpts))
 	for _, opt := range stringOpts {
 		v, ok := d.GetOk(opt.hclKey)
@@ -211,7 +209,7 @@ func resourceRedshiftUserCreate(db *DBConnection, d *schema.ResourceData) error
 		if val != "" {
 			switch {
 			case opt.hclKey == userPasswordAttr:
-				createOpts = append(createOpts, fmt.Sprintf("%s '%s'", opt.sqlKey, md5Password(userName, val)))
+				createOpts = append(createOpts, fmt.Sprintf("%s '%s'", opt.sqlKey, pqQuoteLiteral(val)))
 			case opt.hclKey == userValidUntilAttr:
 				switch {
 				case v.(string) == "", strings.ToLower(v.(string)) == "infinity":
@@ -245,6 +243,7 @@ func resourceRedshiftUserCreate(db *DBConnection, d *schema.ResourceData) error
 		createOpts = append(createOpts, valStr)
 	}
 
+	userName := d.Get(userNameAttr).(string)
 	createStr := strings.Join(createOpts, " ")
 	sql := fmt.Sprintf("CREATE USER %s WITH %s", pq.QuoteIdentifier(userName), createStr)
 
@@ -654,13 +653,3 @@ func getDefaultSyslogAccess(d *schema.ResourceData) string {
 
 	return defaultUserSyslogAccess
 }
-
-// Generates an md5 password for the user.
-// Per https://docs.aws.amazon.com/redshift/latest/dg/r_CREATE_USER.html,
-// the process is:
-// 1. concatenate the password and username
-// 2. convert the concatenated string to an md5 hash in hex format
-// 3. prefix the result with 'md5' (unquoted)
-func md5Password(userName string, password string) string {
-	return fmt.Sprintf("md5%x", md5.Sum([]byte(fmt.Sprintf("%s%s", password, userName))))
-}
diff --git a/redshift/resource_redshift_user_test.go b/redshift/resource_redshift_user_test.go
@@ -31,6 +31,9 @@ func TestAccRedshiftUser_Basic(t *testing.T) {
 					resource.TestCheckResourceAttr("redshift_user.with_email", "name", "John-and-Jane.doe@example.com"),
 					testAccCheckRedshiftUserCanLogin("John-and-Jane.doe@example.com", "Foobarbaz1"),
 
+					testAccCheckRedshiftUserExists("hashed_password"),
+					testAccCheckRedshiftUserCanLogin("hashed_password", "Foobarbaz2"),
+
 					testAccCheckRedshiftUserExists("user_defaults"),
 					resource.TestCheckResourceAttr("redshift_user.user_with_defaults", "name", "user_defaults"),
 					resource.TestCheckResourceAttr("redshift_user.user_with_defaults", "superuser", "false"),
@@ -80,6 +83,15 @@ resource "redshift_user" "update_user" {
   syslog_access = "UNRESTRICTED"
   create_database = true
 }
+`
+	var configUpdate2 = `
+resource "redshift_user" "update_user" {
+  name = "update_user2"
+  connection_limit = 5
+  password = "md508d5d11f1f947091b312fb36b25e621f"
+  syslog_access = "UNRESTRICTED"
+  create_database = true
+}
 `
 	resource.Test(t, resource.TestCase{
 		PreCheck:     func() { testAccPreCheck(t) },
@@ -112,6 +124,14 @@ resource "redshift_user" "update_user" {
 					resource.TestCheckResourceAttr("redshift_user.update_user", "create_database", "true"),
 				),
 			},
+			{
+				Config: configUpdate2,
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckRedshiftUserExists("update_user2"),
+					testAccCheckRedshiftUserCanLogin("update_user2", "Foobarbaz6"),
+					resource.TestCheckResourceAttr("redshift_user.update_user", "password", "md508d5d11f1f947091b312fb36b25e621f"),
+				),
+			},
 			// apply the first one again to check if all parameters roll back properly
 			{
 				Config: configCreate,
@@ -413,6 +433,11 @@ resource "redshift_user" "with_email" {
   password = "Foobarbaz1"
 }
 
+resource "redshift_user" "with_hashed_password" {
+  name = "hashed_password"
+  password = "md5ad3b897bab2474bc7e408326cb18c42f"
+}
+
 resource "redshift_user" "user_with_defaults" {
   name = "user_defaults"
   valid_until = "infinity"
