Additional fixes for postgres 15 bump

Joseph Palermo · Joseph Palermo · commit 2bb0bd649428 · 2023-08-13T12:00:29.000-07:00
- The changes from tust to peer and md5 are a better security posture, but they break a lot of existing use cases
  and should probably instead be gated behind some sort of configuration flag. Co-located bbr relies upon passwordless
  connection to the database as vcap user, but runs a root. Many of the acceptance tests also try using the vcap user
  but run as root via ssh and fail with the changes.
- Postgres 15 no longer grants users access to the public schema. This prevents generated users from being able to create
  tables. Update the create_databases function to grant access to the public schema for each role on each database.
diff --git a/jobs/postgres/templates/pg_hba.conf.erb b/jobs/postgres/templates/pg_hba.conf.erb
@@ -1,18 +1,18 @@
-local   all             vcap                                    peer
-host    all             vcap            127.0.0.1/32            md5
-host    all             vcap            ::1/128                 md5
+local   all             vcap                                    trust
+host    all             vcap            127.0.0.1/32            trust
+host    all             vcap            ::1/128                 trust
 <% if !p("databases.trust_local_connections").nil? && !p("databases.trust_local_connections") %>
 local   all             all                                     md5
 <% else %>
-local   all             all                                     peer
-host    all             all             127.0.0.1/32            md5
-host    all             all             ::1/128                 md5
+local   all             all                                     trust
+host    all             all             127.0.0.1/32            trust
+host    all             all             ::1/128                 trust
 <% end %>
 <% p("databases.roles", []).each do |role| %>
 <%=
 	line=nil
 	unless role["password"]
-		line = "hostssl all  #{role["name"]} 0.0.0.0/0 cert clientcert=1 "
+		line = "hostssl all  #{role["name"]} 0.0.0.0/0 cert clientcert=verify-full "
 		line << 'map=cnmap' if role["common_name"]
 	end
 	line
diff --git a/jobs/postgres/templates/utils.sh.erb b/jobs/postgres/templates/utils.sh.erb
@@ -52,6 +52,14 @@ function create_databases() {
       echo "Enabling pg_stat_statements extension..."
       pgexec "<%= database["name"] %>" "CREATE EXTENSION IF NOT EXISTS pg_stat_statements"
     <% end %>
+    <% p("databases.roles", []).each do |role| %>
+      echo "Granting public schema access to <%= role["name"] %> on <%= database["name"] %>"
+      "${PACKAGE_DIR}/bin/psql" \
+            -U "vcap" \
+            -p "${PORT}" \
+            -d "<%= database["name"] %>" \
+            -c "GRANT ALL ON schema public TO \"<%= role["name"] %>\""
+    <% end %>
 
   <% end %>
 }
