From 8d2162b72622502693d2d94335d42c351772a1ac Mon Sep 17 00:00:00 2001
From: Scott Koranda <skoranda@gmail.com>
Date: Fri, 27 Mar 2020 11:12:55 -0500
Subject: [PATCH] POSTGRES_PASSWORD required

The upstream PostgreSQL image now requires that POSTGRES_PASSWORD
be set. If POSTGRES_PASSWORD is not set, this commit sets it to
the value of COMANAGE_REGISTRY_POSTGRES_USER_PASSWORD, or
otherwise uses the Dockerfile default of `password`.
---
 comanage-registry-postgres/Dockerfile         |  4 +++-
 comanage-registry-postgres/README.md          | 23 +++++++++----------
 .../comanage-registry-postgres-entrypoint.sh  |  5 ++++
 3 files changed, 19 insertions(+), 13 deletions(-)

diff --git a/comanage-registry-postgres/Dockerfile b/comanage-registry-postgres/Dockerfile
index 06a3e0b..5e78d5b 100644
--- a/comanage-registry-postgres/Dockerfile
+++ b/comanage-registry-postgres/Dockerfile
@@ -36,7 +36,9 @@ ARG COMANAGE_REGISTRY_POSTGRES_USER_PASSWORD
 
 ENV COMANAGE_REGISTRY_POSTGRES_DATABASE ${COMANAGE_REGISTRY_POSTGRES_DATABASE:-registry}
 ENV COMANAGE_REGISTRY_POSTGRES_USER ${COMANAGE_REGISTRY_POSTGRES_USER:-registry_user}
-ENV COMANAGE_REGISTRY_POSTGRES_USER_PASSWORD ${COMANAGE_REGISTRY_POSTGRES_USER_PASSWORD:-}
+ENV COMANAGE_REGISTRY_POSTGRES_USER_PASSWORD ${COMANAGE_REGISTRY_POSTGRES_USER_PASSWORD:-password}
+
+ENV POSTGRES_PASSWORD ${COMANAGE_REGISTRY_POSTGRES_USER_PASSWORD:-password}
 
 ENTRYPOINT ["/usr/local/bin/comanage-registry-postgres-entrypoint.sh"]
 
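Review bot: The added `ENV POSTGRES_PASSWORD ${COMANAGE_REGISTRY_POSTGRES_USER_PASSWORD:-password}` fixes the superuser password at build time, so a COMANAGE_REGISTRY_POSTGRES_USER_PASSWORD supplied at `docker run` (or through its `_FILE` variant) never reaches POSTGRES_PASSWORD. The variable is already non-empty when the `-z "${POSTGRES_PASSWORD}"` test added to comanage-registry-postgres-entrypoint.sh in this same commit runs, so the superuser keeps `password` unless the operator sets POSTGRES_PASSWORD explicitly. A pre-set POSTGRES_PASSWORD is also likely to clash with POSTGRES_PASSWORD_FILE, since the upstream entrypoint treats the two as mutually exclusive; that is worth confirming against the base image version in use. Values passed as build ARGs and copied into ENV also stay readable in the image metadata. I would drop this ENV line and leave the derivation to the entrypoint, which already handles the unset case.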
diff --git a/comanage-registry-postgres/README.md b/comanage-registry-postgres/README.md
index 0adab5e..444816d 100644
--- a/comanage-registry-postgres/README.md
+++ b/comanage-registry-postgres/README.md
@@ -71,11 +71,9 @@ The image supports the environment variables below and the `_FILE`
 `POSTGRES_PASSWORD`
 
 * Description: password for superuser
-* Required: no
-* Default: none
+* Required: yes
+* Default: value of COMANAGE_REGISTRY_POSTGRES_USER_PASSWORD
 * Example: `l7cX28O3mt03y41EndjM`
-* Note: If you do not set a password for the superuser then
-any client with access to the container may connect to the database.
 
 `COMANAGE_REGISTRY_POSTGRES_DATABASE`
 
@@ -94,16 +92,15 @@ any client with access to the container may connect to the database.
 `COMANAGE_REGISTRY_POSTGRES_USER_PASSWORD`
 
 * Description: password for database user
-* Required: no
-* Default: none
+* Required: yes
+* Default: `password`
 * Example: `5Aw9SzS4xqYi7daHw57c`
-* Note: If you do not set a password for the COmanage Registry user then
-any client with access to the container may connect to the database.
 
 ## Authentication
 
-If you do not set a password for the superuser or the COmanage Registry user then
-any client with access to the container may connect to the database.
+Authentication is not required to connect from within the container,
+but any client connecting from another host/container must provide
+a password.
 
 ## Ports
 
@@ -166,12 +163,14 @@ An example is
 docker run \
     -it \
     --rm \
-    --network temp_default \
+    --network _default \
     comanage-registry-postgres \
+    bash -c \
+    'PGPASSWORD="password" \
     pg_dump \
         -h comanage-registry-database \
         -U registry_user \
-        registry
+        registry'
 ```
 
 The output from the `pg_dump` command is sent to the stdout of the temporary
diff --git a/comanage-registry-postgres/comanage-registry-postgres-entrypoint.sh b/comanage-registry-postgres/comanage-registry-postgres-entrypoint.sh
index 1652e74..43084e1 100755
--- a/comanage-registry-postgres/comanage-registry-postgres-entrypoint.sh
+++ b/comanage-registry-postgres/comanage-registry-postgres-entrypoint.sh
@@ -34,4 +34,9 @@ if [[ -f "${COMANAGE_REGISTRY_POSTGRES_USER_PASSWORD_FILE}" ]]; then
     export COMANAGE_REGISTRY_POSTGRES_USER_PASSWORD
 fi
 
+if [[ -z "${POSTGRES_PASSWORD}" && -z "${POSTGRES_PASSWORD_FILE}" ]]; then
+    POSTGRES_PASSWORD=${COMANAGE_REGISTRY_POSTGRES_USER_PASSWORD:-password}
+    export POSTGRES_PASSWORD
+fi
+
 exec "/docker-entrypoint.sh" "$@"
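Review bot: The `:-password` fallback in the new `POSTGRES_PASSWORD=` assignment lets the container come up with a superuser protected only by the documented default whenever no secret is supplied, and the README text in this commit says a password is all a client on another host or container needs. Failing closed would be safer, e.g. `POSTGRES_PASSWORD="${COMANAGE_REGISTRY_POSTGRES_USER_PASSWORD:?set POSTGRES_PASSWORD, POSTGRES_PASSWORD_FILE or COMANAGE_REGISTRY_POSTGRES_USER_PASSWORD}"`, though that only takes effect if the Dockerfile stops defaulting COMANAGE_REGISTRY_POSTGRES_USER_PASSWORD to `password`. If the default has to stay for development use, print a warning to stderr when the effective value is `password` so the condition shows up in the container logs. A comment above the block such as `# The upstream image refuses to initialise without a superuser password; derive it from the registry user's password when none was given.` would also explain why the two accounts share a secret.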