pub fn inject_password_changes(
    changes: Vec<Change>,
    resolved_passwords: &BTreeMap<String, String>,
) -> Vec<Change>

Inject SetPassword changes into a plan for roles that declare passwords.

For newly created roles, the SetPassword is inserted immediately after the
CreateRole. For existing roles with a password source, a SetPassword is
appended after all creates/alters (ensuring the role exists).

Cleartext passwords are converted to SCRAM-SHA-256 verifiers before being
placed in SetPassword changes, so the cleartext never appears in generated
SQL. PostgreSQL detects the SCRAM-SHA-256$ prefix and stores the verifier
directly.

This function should be called after diff() and apply_role_retirements().
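
The verifier conversion described above, as an added example in Python (not this crate's code): it derives the `SCRAM-SHA-256$<iterations>:<salt>$<StoredKey>:<ServerKey>` string that PostgreSQL stores and checks a candidate password against it. The function names, the `ALTER ROLE` rendering, the 4096-iteration and 16-byte-salt defaults and the sample values are assumptions; SASLprep is omitted, so non-ASCII passwords are rejected.

```python
import base64
import hashlib
import hmac
import os


def scram_sha256_verifier(password, salt=None, iterations=4096):
    """Build a PostgreSQL-format SCRAM-SHA-256 verifier (RFC 5802 key derivation)."""
    if not password.isascii():
        # SASLprep normalisation is not implemented here; refuse input that needs it.
        raise ValueError("non-ASCII password requires SASLprep")
    salt = os.urandom(16) if salt is None else salt
    # SaltedPassword = Hi(password, salt, i), which is PBKDF2-HMAC-SHA-256.
    salted = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha256).digest()
    stored_key = hashlib.sha256(client_key).digest()
    server_key = hmac.new(salted, b"Server Key", hashlib.sha256).digest()

    def b64(raw):
        return base64.b64encode(raw).decode()

    return f"SCRAM-SHA-256${iterations}:{b64(salt)}${b64(stored_key)}:{b64(server_key)}"


def verifier_matches(verifier, password):
    """Recompute the verifier with its own salt and iteration count, then compare."""
    parts = verifier.split("$")
    if len(parts) != 3 or parts[0] != "SCRAM-SHA-256":
        return False
    iterations, salt_b64 = parts[1].split(":")
    candidate = scram_sha256_verifier(password, base64.b64decode(salt_b64), int(iterations))
    return hmac.compare_digest(candidate, verifier)


def set_password_sql(role, verifier):
    """Hypothetical rendering of a SetPassword change; only the verifier reaches the SQL."""
    ident = '"' + role.replace('"', '""') + '"'
    return f"ALTER ROLE {ident} PASSWORD '{verifier}';"


if __name__ == "__main__":
    # Constructed sample values, not taken from the page.
    sample_password = "example-password-not-real"
    sample_verifier = scram_sha256_verifier(sample_password)
    print(set_password_sql("app_user", sample_verifier))
    print("matches:", verifier_matches(sample_verifier, sample_password))
```

Because the salt is random by default, two runs over the same password yield different verifiers, so a plan that regenerates the verifier on every run will show a password change each time unless the salt is held fixed or the stored verifier is compared with a check like `verifier_matches`.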