From 3ac239b282b5efd4b09f21b7e923e53553e11799 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20H=C3=BCgel?=
Date: Sun, 9 Jul 2023 14:10:56 +0200
Subject: [PATCH 1/2] make sure only pgbouncer can use this function

---
 roles/pgbouncer/config/tasks/main.yml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/roles/pgbouncer/config/tasks/main.yml b/roles/pgbouncer/config/tasks/main.yml
index b81c39536..d1e223998 100644
--- a/roles/pgbouncer/config/tasks/main.yml
+++ b/roles/pgbouncer/config/tasks/main.yml
@@ -60,6 +60,8 @@
 SELECT usename, passwd FROM pg_shadow WHERE usename=$1;
 $$ LANGUAGE sql SECURITY DEFINER;
+ REVOKE ALL ON FUNCTION user_search(uname TEXT) FROM public;
+ GRANT EXECUTE ON FUNCTION user_search(uname TEXT) TO pgbouncer;
 '; done
 args:
 executable: /bin/bash

From 3eb1e7a6f1a67430d2f01a864b99d62d11020e62 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20H=C3=BCgel?=
Date: Sun, 9 Jul 2023 15:00:45 +0200
Subject: [PATCH 2/2] replaced hard coded username with pgbouncer_auth_username variable

---
 roles/pgbouncer/config/tasks/main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/roles/pgbouncer/config/tasks/main.yml b/roles/pgbouncer/config/tasks/main.yml
index d1e223998..42a52df71 100644
--- a/roles/pgbouncer/config/tasks/main.yml
+++ b/roles/pgbouncer/config/tasks/main.yml
@@ -61,7 +61,7 @@
 $$ LANGUAGE sql SECURITY DEFINER;
 REVOKE ALL ON FUNCTION user_search(uname TEXT) FROM public;
- GRANT EXECUTE ON FUNCTION user_search(uname TEXT) TO pgbouncer;
+ GRANT EXECUTE ON FUNCTION user_search(uname TEXT) TO {{ pgbouncer_auth_username }};
 '; done
 args:
 executable: /bin/bash
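Review bot: The hardening in the first hunk is incomplete while the function runs as SECURITY DEFINER with an unpinned search_path: the context line directly above the added REVOKE ends in `$$ LANGUAGE sql SECURITY DEFINER;` and the body reads `pg_shadow` unqualified, so the privileged query resolves names against the calling session's search_path (the CREATE header is outside the hunk, so this assumes it does not already set one). PostgreSQL's guidance for SECURITY DEFINER functions is to pin the path to trusted schemas, `$$ LANGUAGE sql SECURITY DEFINER SET search_path = pg_catalog, pg_temp;`, and to write `FROM pg_catalog.pg_shadow` in the body. The REVOKE before GRANT is the right order, since functions are EXECUTE-granted to PUBLIC on creation; if the statements in this string are not sent to the server as a single transaction there is a brief window after CREATE in which PUBLIC can call the function, which wrapping the block in `BEGIN; ... COMMIT;` would close. The enclosing shell loop and task start before this hunk.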
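Review bot: In the second hunk the role name is interpolated as a bare identifier in `GRANT EXECUTE ON FUNCTION user_search(uname TEXT) TO {{ pgbouncer_auth_username }};`, so a value containing uppercase letters, a hyphen or a reserved word is case-folded to lowercase or rejected by the server, and the grant lands on a different role or fails. Quoting it as a PostgreSQL identifier, `TO "{{ pgbouncer_auth_username }}";`, preserves the value exactly and keeps it from being parsed as anything other than a role name; the surrounding shell string appears to be single-quoted (`'; done`), so the double quotes need no escaping, assuming the YAML scalar itself is not double-quoted. Presumably the same variable populates the auth_user setting in the pgbouncer configuration; if so, a one-line comment above the task, `# must match pgbouncer_auth_username used for auth_user in pgbouncer.ini`, would make the coupling visible. The enclosing task starts before this hunk.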