Add scram hash to table for pgbouncer on cloud instance create (#1388)

michaeljguarino · web-flow · commit e6c1d34acb88 · 2024-12-16T10:07:25.000-05:00
diff --git a/.github/workflows/ai.yaml b/.github/workflows/ai.yaml
@@ -69,9 +69,9 @@ jobs:
           security-checks: 'vuln,secret'
           ignore-unfixed: true
            #severity: 'CRITICAL,HIGH'
-        env:
-          TRIVY_SKIP_DB_UPDATE: true
-          TRIVY_SKIP_JAVA_DB_UPDATE: true
+        # env:
+        #   TRIVY_SKIP_DB_UPDATE: true
+        #   TRIVY_SKIP_JAVA_DB_UPDATE: true
       - name: Upload Trivy scan results to GitHub Security tab
         uses: github/codeql-action/upload-sarif@v2
         with:
diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
@@ -122,9 +122,9 @@ jobs:
           security-checks: 'vuln,secret'
           ignore-unfixed: true
           #severity: 'CRITICAL,HIGH'
-        env:
-          TRIVY_SKIP_DB_UPDATE: true
-          TRIVY_SKIP_JAVA_DB_UPDATE: true
+        # env:
+        #   TRIVY_SKIP_DB_UPDATE: true
+        #   TRIVY_SKIP_JAVA_DB_UPDATE: true
       - name: Upload Trivy scan results to GitHub Security tab
         uses: github/codeql-action/upload-sarif@v2
         with:
diff --git a/.github/workflows/trivy-artifact-scan.yaml b/.github/workflows/trivy-artifact-scan.yaml
@@ -1,44 +1,44 @@
-name: Trivy Artifact Scanning
-on:
-  # push:
-  #   branches: [ master ]
-  #   paths:
-  #     - "plural/**"
-  #     - ".github/workflows/trivy-artifact-scan.yaml"
-  # pull_request:
-  #   branches: [ master ]
-  #   paths:
-  #     - "plural/**"
-  #     - ".github/workflows/trivy-artifact-scan.yaml"
-  # schedule:
-  #   - cron: '0 0 * * 1'
-  workflow_dispatch:
-jobs:
-  trivy-scan:
-    name: Trivy IaC scan
-    runs-on: ubuntu-20.04
-    permissions:
-      contents: read # for actions/checkout to fetch code
-      security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
-      actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v3
-      - name: Run Trivy vulnerability scanner in IaC mode
-        uses: aquasecurity/trivy-action@master
-        with:
-          scan-type: 'fs'
-          scan-ref: 'plural'
-          hide-progress: false
-          format: 'sarif'
-          output: 'trivy-results.sarif'
-          security-checks: 'vuln,secret,config'
-          ignore-unfixed: true
-          #severity: 'CRITICAL,HIGH'
-        env:
-          TRIVY_SKIP_DB_UPDATE: true
-          TRIVY_SKIP_JAVA_DB_UPDATE: true
-      - name: Upload Trivy scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@v2
-        with:
-          sarif_file: 'trivy-results.sarif'
+# name: Trivy Artifact Scanning
+# on:
+#   # push:
+#   #   branches: [ master ]
+#   #   paths:
+#   #     - "plural/**"
+#   #     - ".github/workflows/trivy-artifact-scan.yaml"
+#   # pull_request:
+#   #   branches: [ master ]
+#   #   paths:
+#   #     - "plural/**"
+#   #     - ".github/workflows/trivy-artifact-scan.yaml"
+#   # schedule:
+#   #   - cron: '0 0 * * 1'
+#   workflow_dispatch:
+# jobs:
+#   trivy-scan:
+#     name: Trivy IaC scan
+#     runs-on: ubuntu-20.04
+#     permissions:
+#       contents: read # for actions/checkout to fetch code
+#       security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+#       actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+#     steps:
+#       - name: Checkout code
+#         uses: actions/checkout@v3
+#       - name: Run Trivy vulnerability scanner in IaC mode
+#         uses: aquasecurity/trivy-action@master
+#         with:
+#           scan-type: 'fs'
+#           scan-ref: 'plural'
+#           hide-progress: false
+#           format: 'sarif'
+#           output: 'trivy-results.sarif'
+#           security-checks: 'vuln,secret,config'
+#           ignore-unfixed: true
+#           #severity: 'CRITICAL,HIGH'
+#         env:
+#           TRIVY_SKIP_DB_UPDATE: true
+#           TRIVY_SKIP_JAVA_DB_UPDATE: true
+#       - name: Upload Trivy scan results to GitHub Security tab
+#         uses: github/codeql-action/upload-sarif@v2
+#         with:
+#           sarif_file: 'trivy-results.sarif'
diff --git a/.github/workflows/trivy-cache.yaml b/.github/workflows/trivy-cache.yaml
@@ -1,34 +1,34 @@
-name: Update Trivy Cache
+# name: Update Trivy Cache
 
-on:
-  schedule:
-    - cron: '0 0 * * *'
-  workflow_dispatch:
+# on:
+#   schedule:
+#     - cron: '0 0 * * *'
+#   workflow_dispatch:
 
-jobs:
-  update-trivy-db:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Get current date
-        id: date
-        run: echo "date=$(date +'%Y-%m-%d')" >> $GITHUB_OUTPUT
+# jobs:
+#   update-trivy-db:
+#     runs-on: ubuntu-latest
+#     steps:
+#       - name: Get current date
+#         id: date
+#         run: echo "date=$(date +'%Y-%m-%d')" >> $GITHUB_OUTPUT
 
-      - name: Download and extract the vulnerability DB
-        run: |
-          mkdir -p $GITHUB_WORKSPACE/.cache/trivy/db
-          oras pull ghcr.io/aquasecurity/trivy-db:2
-          tar -xzf db.tar.gz -C $GITHUB_WORKSPACE/.cache/trivy/db
-          rm db.tar.gz
+#       - name: Download and extract the vulnerability DB
+#         run: |
+#           mkdir -p $GITHUB_WORKSPACE/.cache/trivy/db
+#           oras pull ghcr.io/aquasecurity/trivy-db:2
+#           tar -xzf db.tar.gz -C $GITHUB_WORKSPACE/.cache/trivy/db
+#           rm db.tar.gz
 
-      - name: Download and extract the Java DB
-        run: |
-          mkdir -p $GITHUB_WORKSPACE/.cache/trivy/java-db
-          oras pull ghcr.io/aquasecurity/trivy-java-db:1
-          tar -xzf javadb.tar.gz -C $GITHUB_WORKSPACE/.cache/trivy/java-db
-          rm javadb.tar.gz
+#       - name: Download and extract the Java DB
+#         run: |
+#           mkdir -p $GITHUB_WORKSPACE/.cache/trivy/java-db
+#           oras pull ghcr.io/aquasecurity/trivy-java-db:1
+#           tar -xzf javadb.tar.gz -C $GITHUB_WORKSPACE/.cache/trivy/java-db
+#           rm javadb.tar.gz
 
-      - name: Cache DBs
-        uses: actions/cache/save@v4
-        with:
-          path: ${{ github.workspace }}/.cache/trivy
-          key: cache-trivy-${{ steps.date.outputs.date }}
+#       - name: Cache DBs
+#         uses: actions/cache/save@v4
+#         with:
+#           path: ${{ github.workspace }}/.cache/trivy
+#           key: cache-trivy-${{ steps.date.outputs.date }}
diff --git a/.github/workflows/www.yaml b/.github/workflows/www.yaml
@@ -63,9 +63,9 @@ jobs:
           security-checks: 'vuln,secret'
           ignore-unfixed: true
            #severity: 'CRITICAL,HIGH'
-        env:
-          TRIVY_SKIP_DB_UPDATE: true
-          TRIVY_SKIP_JAVA_DB_UPDATE: true
+        # env:
+        #   TRIVY_SKIP_DB_UPDATE: true
+        #   TRIVY_SKIP_JAVA_DB_UPDATE: true
       - name: Upload Trivy scan results to GitHub Security tab
         uses: github/codeql-action/upload-sarif@v2
         with:
@@ -91,9 +91,9 @@ jobs:
           security-checks: 'vuln,secret'
           ignore-unfixed: true
           #severity: 'CRITICAL,HIGH'
-        env:
-          TRIVY_SKIP_DB_UPDATE: true
-          TRIVY_SKIP_JAVA_DB_UPDATE: true
+        # env:
+        #   TRIVY_SKIP_DB_UPDATE: true
+        #   TRIVY_SKIP_JAVA_DB_UPDATE: true
       - name: Upload Trivy scan results to GitHub Security tab
         uses: github/codeql-action/upload-sarif@v2
         with:
diff --git a/apps/core/lib/core/services/cloud/scram.ex b/apps/core/lib/core/services/cloud/scram.ex
@@ -0,0 +1,15 @@
+defmodule Core.Services.Cloud.Scram do
+  alias Plug.Crypto.KeyGenerator
+  @salt_size 16
+  @digest_len 32
+  @iterations 4096
+
+  def encrypt(pwd) do
+    salt   = :crypto.strong_rand_bytes(@salt_size)
+    pbkdf  = KeyGenerator.generate(pwd, salt, iterations: @iterations, length: @digest_len)
+    client = :crypto.mac(:hmac, :sha256, pbkdf, "Client Key")
+    stored = :crypto.hash(:sha256, client)
+    server = :crypto.mac(:hmac, :sha256, pbkdf, "Server Key")
+    "SCRAM-SHA-256$#{@iterations}:#{Base.encode64(salt)}$#{Base.encode64(stored)}:#{Base.encode64(server)}"
+  end
+end
diff --git a/apps/core/lib/core/services/cloud/workflow/shared.ex b/apps/core/lib/core/services/cloud/workflow/shared.ex
@@ -4,14 +4,25 @@ defmodule Core.Services.Cloud.Workflow.Shared do
 
   alias Core.Clients.Console
   alias Core.Services.{Cloud, Users}
-  alias Core.Services.Cloud.{Poller, Configuration}
+  alias Core.Services.Cloud.{Poller, Configuration, Scram}
   alias Core.Schema.{ConsoleInstance, PostgresCluster, User}
   alias Core.Repo
 
   require Logger
 
   @behaviour Core.Services.Cloud.Workflow
 
+  @table """
+  CREATE TABLE IF NOT EXISTS console_users (
+    usename VARCHAR(255) NOT NULL PRIMARY KEY,
+    passwd VARCHAR(500) NOT NULL
+  )
+  """
+
+  @user_insert """
+  INSERT INTO console_users (usename, passwd) values ($1, $2) ON CONFLICT (usename) DO UPDATE SET passwd = EXCLUDED.passwd
+  """
+
   def sync(%ConsoleInstance{external_id: id} = instance) when is_binary(id) do
     instance = Repo.preload(instance, [:cluster, :postgres])
     Console.update_service(console(), id, %{
@@ -42,6 +53,8 @@ defmodule Core.Services.Cloud.Workflow.Shared do
     with {:ok, pid} <- connect(pg),
          {:ok, _} <- Postgrex.query(pid, "CREATE DATABASE #{conf.database}", []),
          {:ok, _} <- Postgrex.transaction(pid, fn conn ->
+                       Postgrex.query!(conn, @table, [])
+                       Postgrex.query!(conn, @user_insert, [conf.dbuser, Scram.encrypt(conf.dbpassword)])
                        Postgrex.query!(conn, "CREATE USER #{conf.dbuser} WITH PASSWORD '#{conf.dbpassword}'", [])
                        Postgrex.query!(conn, "GRANT ALL ON DATABASE #{conf.database} TO #{conf.dbuser}", [])
                      end) do
diff --git a/apps/core/mix.exs b/apps/core/mix.exs
@@ -92,6 +92,7 @@ defmodule Core.MixProject do
       {:mojito, "~> 0.7.0"},
       {:nebulex, "== 2.4.2"},
       {:castore, "~> 0.1.7"},
+      {:plug_crypto, "~> 1.2"},
       {:req, "~> 0.4.14", override: true},
       {:mint, "~> 1.4.0", override: true},
       {:finch, "~> 0.17.0", override: true},
diff --git a/apps/worker/lib/worker/conduit/subscribers/cloud.ex b/apps/worker/lib/worker/conduit/subscribers/cloud.ex
@@ -2,8 +2,10 @@ defmodule Worker.Conduit.Subscribers.Cloud do
   use Worker.Conduit.Subscribers.Base
   alias Core.Services.Cloud.Workflow
   alias Core.PubSub
+  require Logger
 
   def process(%Conduit.Message{body: body} = msg, _) do
+    Logger.info "handling #{body.__struct__} for #{body.item.name}"
     case handle(body) do
       {:ok, _} -> ack(msg)
       _ -> nack(msg)
