From 21c6d1b159d7b477e6e111298d0ee36fa89de5d1 Mon Sep 17 00:00:00 2001
From: madtibo
Date: Wed, 24 Jul 2019 16:11:07 +0200
Subject: [PATCH 1/3] change PostgreSQL -password' authentication to 'md5'
---
 data/helpers.d/postgresql | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/data/helpers.d/postgresql b/data/helpers.d/postgresql
index a76580b11..d252ae2dc 100644
--- a/data/helpers.d/postgresql
+++ b/data/helpers.d/postgresql
@@ -283,11 +283,11 @@ ynh_psql_test_if_first_run() {
 sudo --login --user=postgres psql -c"ALTER user postgres WITH PASSWORD '$psql_root_password'" postgres
- # force all user to connect to local database using passwords
+ # force all user to connect to local databases using hashed passwords
 # https://www.postgresql.org/docs/current/static/auth-pg-hba-conf.html#EXAMPLE-PG-HBA.CONF
 # Note: we can't use peer since YunoHost create users with nologin
 # See: https://github.com/YunoHost/yunohost/blob/unstable/data/helpers.d/user
- ynh_replace_string --match_string="local\(\s*\)all\(\s*\)all\(\s*\)peer" --replace_string="local\1all\2all\3password" --target_file="$pg_hba"
+ ynh_replace_string --match_string="local\(\s*\)all\(\s*\)all\(\s*\)peer" --replace_string="local\1all\2all\3md5" --target_file="$pg_hba"
 # Advertise service in admin panel
 yunohost service add postgresql --log "$logfile"
From 2fc13a7af01a0c979386c571deadb68eeb3824db Mon Sep 17 00:00:00 2001
From: madtibo
Date: Fri, 26 Jul 2019 13:45:33 +0200
Subject: [PATCH 2/3] switch from password to md5 authentication in postgresql
---
 ...stgresql_password_to_md5_authentication.py | 21 +++++++++++++++++++
 1 file changed, 21 insertions(+)
 create mode 100644 src/yunohost/data_migrations/0011_postgresql_password_to_md5_authentication.py
diff --git a/src/yunohost/data_migrations/0011_postgresql_password_to_md5_authentication.py b/src/yunohost/data_migrations/0011_postgresql_password_to_md5_authentication.py
new file mode 100644
index 000000000..19f6ada69
--- /dev/null
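Review bot: In `data/helpers.d/postgresql`, the new `--replace_string="local\1all\2all\3md5"` line picks `md5` without recording why, and the reworded comment ("hashed passwords") does not state the trade-off. `md5` keeps the cleartext password off the connection, but it is a salted MD5 challenge and PostgreSQL 10 and later also offer `scram-sha-256`; I would add a comment such as `# md5 instead of password: the client never sends the cleartext; move to scram-sha-256 once every supported PostgreSQL release is >= 10`. The match string only covers a `local all all peer` line, so on a pg_hba.conf that was already edited the call presumably changes nothing without reporting it; checking the file afterwards would make that visible. The body of ynh_psql_test_if_first_run starts and ends outside the hunk, so whether PostgreSQL is reloaded after the edit cannot be confirmed from here.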
+++ b/src/yunohost/data_migrations/0011_postgresql_password_to_md5_authentication.py
@@ -0,0 +1,21 @@
+import glob
+import re
+from yunohost.tools import Migration
+from moulinette.utils.filesystem import chown
+
+
+class MyMigration(Migration):
+
+ "Force authentication in md5 for local connexions"
+
+ all_hba_files = glob.glob("/etc/postgresql/*/*/pg_hba.conf")
+
+ def forward(self):
+ for filename in self.all_hba_files:
+ pg_hba_in = read_file(filename)
+ write_to_file(filename, re.sub(r"local(\s*)all(\s*)all(\s*)password", "local\\1all\\2all\\3md5", pg_hba_in))
+
+ def backward(self):
+ for filename in self.all_hba_files:
+ pg_hba_in = read_file(filename)
+ write_to_file(filename, re.sub(r"local(\s*)all(\s*)all(\s*)md5", "local\\1all\\2all\\3password", pg_hba_in))
From fcae50a6e0e8ab5bcbd6f5e86462c7efd6d086d0 Mon Sep 17 00:00:00 2001
From: Alexandre Aubin
Date: Sat, 24 Aug 2019 18:14:16 +0200
Subject: [PATCH 3/3] Move / test / fix migration for postgresql auth
---
 locales/en.json | 1 +
 ...ion.py => 0012_postgresql_password_to_md5_authentication.py} | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)
 rename src/yunohost/data_migrations/{0011_postgresql_password_to_md5_authentication.py => 0012_postgresql_password_to_md5_authentication.py} (91%)
diff --git a/locales/en.json b/locales/en.json
index b45739149..903aa325a 100644
--- a/locales/en.json
+++ b/locales/en.json
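Review bot: In the new migration `0011_postgresql_password_to_md5_authentication.py`, `forward()` and `backward()` rewrite every pg_hba.conf but nothing in the file asks PostgreSQL to re-read it, so a running server keeps the previous authentication method until its next reload or restart. After the loop I would add `subprocess.check_call(["systemctl", "reload", "postgresql"])`, with `import subprocess` at the top. The pattern is also unanchored: `r"local(\s*)all(\s*)all(\s*)password"` accepts zero whitespace and matches inside commented-out lines, and `backward()` turns every `local all all md5` entry back into `password`, including any that were already `md5` before the migration ran; `^` with `re.MULTILINE` and `\s+` would narrow the match. `all_hba_files` is globbed when the class is defined rather than when the migration runs, so it may not reflect the files present at run time.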
@@ -331,6 +331,7 @@
 "migration_description_0009_decouple_regenconf_from_services": "Decouple the regen-conf mechanism from services",
 "migration_description_0010_migrate_to_apps_json": "Remove deprecated appslists and use the new unified 'apps.json' list instead",
 "migration_description_0011_setup_group_permission": "Setup user group and setup permission for apps and services",
+ "migration_description_0012_postgresql_password_to_md5_authentication": "Force postgresql authentication to use md5 for local connections",
 "migration_0003_backward_impossible": "The stretch migration cannot be reverted.",
 "migration_0003_start": "Starting migration to Stretch. The logs will be available in {logfile}.",
 "migration_0003_patching_sources_list": "Patching the sources.lists…",
diff --git a/src/yunohost/data_migrations/0011_postgresql_password_to_md5_authentication.py b/src/yunohost/data_migrations/0012_postgresql_password_to_md5_authentication.py
similarity index 91%
rename from src/yunohost/data_migrations/0011_postgresql_password_to_md5_authentication.py
rename to src/yunohost/data_migrations/0012_postgresql_password_to_md5_authentication.py
index 19f6ada69..5d36b3e23 100644
--- a/src/yunohost/data_migrations/0011_postgresql_password_to_md5_authentication.py
+++ b/src/yunohost/data_migrations/0012_postgresql_password_to_md5_authentication.py
@@ -1,7 +1,7 @@
 import glob
 import re
 from yunohost.tools import Migration
-from moulinette.utils.filesystem import chown
+from moulinette.utils.filesystem import read_file, write_to_file
 class MyMigration(Migration):