From c382e678c5926540c27b37ff39dca8aa94981a0e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Denis=20Krienb=C3=BChl?=
Date: Mon, 30 Dec 2024 13:54:42 +0100
Subject: [PATCH 1/3] [postgresql] Avoid unnecessary password lookup

When a password is defined for a role, the lookup of the password should be completely avoided. The previous default construct was evaluated in a way that would still access the password lookup, and potentially generate the password, even if one was explicitly provided. The result was correct, but since the password lookup can have side effects, even in check-mode (it creates files), it should not be run if it is not needed.
---
 ansible/roles/postgresql/tasks/main.yml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/ansible/roles/postgresql/tasks/main.yml b/ansible/roles/postgresql/tasks/main.yml
index fcdc092503..66ee4feb11 100644
--- a/ansible/roles/postgresql/tasks/main.yml
+++ b/ansible/roles/postgresql/tasks/main.yml
@@ -98,11 +98,11 @@
 community.postgresql.postgresql_user:
 name: '{{ item.name | d(item.role) }}'
 port: '{{ item.port | d(postgresql__port if postgresql__port else omit) }}'
- password: '{{ item.password | d(lookup("password",
+ password: '{{ item.password if item.password is defined else lookup("password",
 secret + "/postgresql/" + postgresql__password_hostname + "/" + (item.port | d(postgresql__port)) + "/credentials/" + item.name | d(item.role) + "/password " +
- "length=" + postgresql__password_length + " chars=" + postgresql__password_characters)) }}'
+ "length=" + postgresql__password_length + " chars=" + postgresql__password_characters) }}'
 encrypted: '{{ item.encrypted | d(True) }}'
 expires: '{{ item.expires | d(omit) }}'
 role_attr_flags: '{{ (item.flags | d() | join(",")) | d(omit) }}'
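Review bot: The new `password:` expression carries no explanation of why an inline conditional replaced `d()`, and the reason is not obvious from the code alone: per the commit message, a `d(lookup(...))` argument was evaluated eagerly, so the lookup ran and wrote a file under the `secret/` path even when `item.password` was set. Without a comment the next simplification pass is likely to fold it back into `d(lookup(...))`; I would add, above the argument, `# Explicit conditional, not d(): a lookup passed as filter argument is evaluated eagerly and would create the password file even when item.password is set.` The same construct without a comment appears in the mariadb hunks in manage_contents.yml and my.cnf.j2, so the comment belongs there too. Whether the surrounding task sets `no_log` is not visible here; the enclosing task starts before and ends after this hunk.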
@@ -268,11 +268,11 @@
 (item.port | d(postgresql__port)),
 (item.database | d("*")),
 (item.role | d(item.owner)),
- (item.password | d(lookup("password",
+ (item.password if item.password is defined else lookup("password",
 secret + "/postgresql/" + (item.server | d(postgresql__password_hostname)) + "/" + (item.port | d(postgresql__port)) + "/credentials/" + item.name | d(item.role | d(item.owner))
- + "/password length=" + postgresql__password_length))
+ + "/password length=" + postgresql__password_length)
 | regex_replace("\\", "\\\\") | regex_replace(":", "\:"))] | join(":") }}'
 state: 'present'

From e3e87ab805424f2e3877dd96575dd6eee181978a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Denis=20Krienb=C3=BChl?=
Date: Wed, 1 Jan 2025 11:48:14 +0100
Subject: [PATCH 2/3] [rabbitmq_server] Avoid unnecessary password lookup

Avoids a password lookup, when it is not necessary:
- When an account specifices a password, no lookup should be made.
- When an account is to be removed, no lookup should be made.
This makes it possible to override the password without accidentally calling the default password lookup.
---
 ansible/roles/rabbitmq_server/tasks/main.yml | 19 ++++++++++++++-----
 1 file changed, 14 insertions(+), 5 deletions(-)

diff --git a/ansible/roles/rabbitmq_server/tasks/main.yml b/ansible/roles/rabbitmq_server/tasks/main.yml
index 0b069c5de0..b536494bfc 100644
--- a/ansible/roles/rabbitmq_server/tasks/main.yml
+++ b/ansible/roles/rabbitmq_server/tasks/main.yml
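Review bot: The explicit password is no longer escaped for the `.pgpass` entry: a Jinja conditional binds looser than a filter, so `x if c else lookup(...) | regex_replace(...) | regex_replace(...)` applies both `regex_replace` filters to the lookup result only, whereas the removed `item.password | d(lookup(...)) | regex_replace(...)` escaped whichever value was used. A user-supplied password containing `\` or `:` therefore produces a malformed or mis-split `.pgpass` line, which fails authentication or shifts the fields. Wrap the conditional before the filters: `+ ((item.password if item.password is defined else lookup("password",` and close it with `+ + "/password length=" + postgresql__password_length))`, so the two unchanged `regex_replace` lines apply to both branches again. The list expression this element belongs to starts above the hunk.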
@@ -211,11 +211,20 @@
 write_priv: '{{ item.write_priv | d(omit) }}'
 state: '{{ item.state | d("present") }}'
 vhost: '{{ item.vhost | d(omit) }}'
- password: '{{ item.password | d(lookup("password",
- secret + "/rabbitmq_server/accounts/"
- + (item.user | d(item.name | d(item)))
- + "/password length="
- + rabbitmq_server__account_password_length)) }}'
+
+ # Avoid a password lookup if the password is defined, or if the account
+ # is meant to be absent (in which case the password is ommitted).
+ password: '{{ item.password | d(omit) if (
+ (item.password is defined)
+ or
+ (item.state | d("present") == "absent")
+ ) else lookup("password",
+ secret + "/rabbitmq_server/accounts/"
+ + (item.user | d(item.name | d(item)))
+ + "/password length="
+ + rabbitmq_server__account_password_length
+ )
+ }}'
 tags: '{{ (((item.tags.split(",") | list) if (item.tags | d() and item.tags is string) else item.tags) | join(","))

From 2be1b44b25be8d4f61712cc7f9e9d1857fa92192 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Denis=20Krienb=C3=BChl?=
Date: Thu, 2 Jan 2025 14:33:34 +0100
Subject: [PATCH 3/3] [mariadb] Avoid unnecessary password lookup

---
 ansible/roles/mariadb/tasks/manage_contents.yml | 4 ++--
 ansible/roles/mariadb/templates/home/my.cnf.j2 | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/ansible/roles/mariadb/tasks/manage_contents.yml b/ansible/roles/mariadb/tasks/manage_contents.yml
index a70e568cb8..e0c9d6965f 100644
--- a/ansible/roles/mariadb/tasks/manage_contents.yml
+++ b/ansible/roles/mariadb/tasks/manage_contents.yml
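Review bot: The added comment above `password:` misspells `omitted` as `ommitted`, and the condition is spread over five lines with parentheses that add nothing; `if (item.password is defined or item.state | d("present") == "absent")` reads the same, since the filter binds tighter than `==`. The `| d(omit)` on the true branch is what drops the argument for absent accounts, and the comment could say so directly, e.g. `# Skip the lookup (and its file-creating side effect) when a password is given or the account is absent; for an absent account the argument is omitted entirely.` The `tags:` context after the hunk is cut off and the enclosing task ends outside the hunk.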
@@ -88,10 +88,10 @@
 name: '{{ item.user | d(item.name) }}'
 host: '{{ item.host | default(mariadb__client) }}'
 state: 'present'
- password: '{{ item.password | default(lookup("password",
+ password: '{{ item.password if item.password is defined else lookup("password",
 secret + "/mariadb/" + mariadb__delegate_to + "/credentials/" + item.user | d(item.name) + "/password " +
- "length=" + mariadb__password_length)) }}'
+ "length=" + mariadb__password_length) }}'
 login_unix_socket: '/run/mysqld/mysqld.sock'
 loop: '{{ q("flattened", mariadb__users + mariadb__dependent_users + mariadb_users | d([])) }}'
 delegate_to: '{{ mariadb__delegate_to }}'
diff --git a/ansible/roles/mariadb/templates/home/my.cnf.j2 b/ansible/roles/mariadb/templates/home/my.cnf.j2
index 425b114d94..c930aa46bc 100644
--- a/ansible/roles/mariadb/templates/home/my.cnf.j2
+++ b/ansible/roles/mariadb/templates/home/my.cnf.j2
@@ -15,7 +15,7 @@ port={{ item.server_port | d(mariadb__port) }}
 # port={{ item.server_port | d(mariadb__port) }}
 {% endif %}
 user={{ item.user | d(item.name) }}
-password="{{ item.password | default(lookup('password', secret + '/mariadb/' + mariadb__delegate_to | d('undefined') + '/credentials/' + item.user | d(item.name) + '/password ' + 'length=' + mariadb__password_length)) }}"
+password="{{ item.password if item.password is defined else lookup('password', secret + '/mariadb/' + mariadb__delegate_to | d('undefined') + '/credentials/' + item.user | d(item.name) + '/password ' + 'length=' + mariadb__password_length) }}"
 {% if item.database | d(False) %}
 database={{ item.database }}
 {% endif %}