Support for alternative auth_types in pgbouncer

* Adds support for auth_types besides md5 for pgbouncer to connect to a
  PostgreSQL server

files/gitlab-cookbooks/gitlab-ee/libraries/pgbouncer_helper.rb

@@ -26,6 +26,15 @@ class PgbouncerHelper < BaseHelper
     results
   end
+  def pg_auth_type_prefix(type)
+    case type.downcase
+    when 'md5'
+      'md5'
+    when 'scram-sha-256'
+      'SCRAM-SHA-256$'
+    end
+  end
+
   def create_pgbouncer_user?(db)
     # As part of https://gitlab.com/gitlab-org/omnibus-gitlab/issues/2078 services are
     # being split to their own dedicated cookbooks, and attributes are being moved from

files/gitlab-cookbooks/gitlab-ee/recipes/pgbouncer.rb

@@ -44,6 +44,7 @@ end
 template "#{node['gitlab']['pgbouncer']['data_directory']}/pg_auth" do
   source "pg_auth.erb"
+  variables(node['gitlab']['pgbouncer'])
   helper(:pgb_helper) { pgb_helper }
 end

files/gitlab-cookbooks/gitlab-ee/templates/default/pg_auth.erb

 <% pgb_helper.pg_auth_users.each do |user, settings| %>
-"<%= user %>" "md5<%= settings['password'] %>"
+"<%= user %>" "<%= pgb_helper.pg_auth_type_prefix(@auth_type) %><%= settings['password'] %>"
 <% end %>

spec/chef/gitlab-ee/recipes/pgbouncer_spec.rb

@@ -243,68 +243,90 @@ RSpec.describe 'gitlab-ee::pgbouncer' do
     end
   end
-  it 'sets up auth_hba when attributes are set' do
-    stub_gitlab_rb(
-      {
-        pgbouncer: {
-          enable: true,
-          auth_hba_file: '/fake/hba_file',
-          auth_query: 'SELECT * FROM FAKETABLE'
+  context 'authentication' do
+    it 'sets up auth_hba when attributes are set' do
+      stub_gitlab_rb(
+        {
+          pgbouncer: {
+            enable: true,
+            auth_hba_file: '/fake/hba_file',
+            auth_query: 'SELECT * FROM FAKETABLE'
+          }
         }
+      )
+      expect(chef_run).to render_file(pgbouncer_ini).with_content { |content|
+        expect(content).to match(%r{^auth_hba_file = /fake/hba_file$})
+        expect(content).to match(/^auth_query = SELECT \* FROM FAKETABLE$/)
       }
-    )
-    expect(chef_run).to render_file(pgbouncer_ini).with_content { |content|
-      expect(content).to match(%r{^auth_hba_file = /fake/hba_file$})
-      expect(content).to match(/^auth_query = SELECT \* FROM FAKETABLE$/)
-    }
-  end
-  it 'does not create the user file by default' do
-    expect(chef_run).not_to render_file('/var/opt/gitlab/pgbouncer/pg_auth')
-  end
-  it 'creates the user file when the attributes are set' do
-    stub_gitlab_rb(
-      {
-        pgbouncer: {
-          enable: true,
-          databases: {
-            gitlabhq_production: {
-              password: 'fakemd5password',
-              user: 'fakeuser',
-              host: '127.0.0.1',
-              port: 5432
+    end
+    it 'does not create the user file by default' do
+      expect(chef_run).not_to render_file('/var/opt/gitlab/pgbouncer/pg_auth')
+    end
+    it 'creates the user file when the attributes are set' do
+      stub_gitlab_rb(
+        {
+          pgbouncer: {
+            enable: true,
+            databases: {
+              gitlabhq_production: {
+                password: 'fakemd5password',
+                user: 'fakeuser',
+                host: '127.0.0.1',
+                port: 5432
+              }
             }
           }
         }
-      }
-    )
-    expect(chef_run).to render_file('/var/opt/gitlab/pgbouncer/pg_auth')
-      .with_content(%r{^"fakeuser" "md5fakemd5password"$})
-  end
-  it 'creates arbitrary user' do
-    stub_gitlab_rb(
-      {
+      )
+      expect(chef_run).to render_file('/var/opt/gitlab/pgbouncer/pg_auth')
+        .with_content(%r{^"fakeuser" "md5fakemd5password"$})
+    end
+    it 'creates arbitrary user' do
+      stub_gitlab_rb(
+        {
+          pgbouncer: {
+            enable: true,
+            users: {
+              'fakeuser': {
+                'password': 'fakehash'
+              }
+            }
+          }
+        }
+      )
+      expect(chef_run).to render_file('/var/opt/gitlab/pgbouncer/pg_auth')
+        .with_content(%r{^"fakeuser" "md5fakehash"})
+    end
+
+    it 'supports SCRAM secrets' do
+      stub_gitlab_rb(
         pgbouncer: {
           enable: true,
+          auth_type: 'scram-sha-256',
           users: {
             'fakeuser': {
-              'password': 'fakehash'
+              'password': 'REALLYFAKEHASH'
             }
           }
         }
-      }
-    )
-    expect(chef_run).to render_file('/var/opt/gitlab/pgbouncer/pg_auth')
-      .with_content(%r{^"fakeuser" "md5fakehash"})
-  end
-  context 'when disabled by default' do
-    it_behaves_like 'disabled runit service', 'pgbouncer'
-    it 'includes the pgbouncer_disable recipe' do
-      expect(chef_run).to include_recipe('gitlab-ee::pgbouncer_disable')
+      )
+      expect(chef_run).to render_file('/var/opt/gitlab/pgbouncer/pg_auth')
+        .with_content(%r{^"fakeuser" "SCRAM-SHA-256\$REALLYFAKEHASH"})
+    end
+    it 'supports a default auth type'
+    it 'supports per user auth types'
+
+    context 'when disabled by default' do
+      it_behaves_like 'disabled runit service', 'pgbouncer'
+
+      it 'includes the pgbouncer_disable recipe' do
+        expect(chef_run).to include_recipe('gitlab-ee::pgbouncer_disable')
+      end
     end
   end
 end

spec/libraries/helpers/pgbouncer_helper_spec.rb

@@ -16,4 +16,22 @@ RSpec.describe PgbouncerHelper do
       expect(subject.running?).to be_falsey
     end
   end
+
+  describe '#pg_auth_type_prefix' do
+    using RSpec::Parameterized::TableSyntax
+    where(:type, :prefix) do
+      'md5' | 'md5'
+      'scram-sha-256' | 'SCRAM-SHA-256$'
+      'MD5' | 'md5'
+      'SCRAM-SHA-256' | 'SCRAM-SHA-256$'
+      'plain' | nil
+      'ScRaM-ShA-256' | 'SCRAM-SHA-256$'
+    end
+
+    with_them do
+      it 'responds to default values' do
+        expect(subject.pg_auth_type_prefix(type)).to eq(prefix)
+      end
+    end
+  end
 end