From 46275926773ebd2cc01fb6d0d7fd135cd2557014 Mon Sep 17 00:00:00 2001
From: michaeljguarino
Date: Sat, 14 Dec 2024 20:33:24 -0500
Subject: [PATCH] Add scram hash to table for pgbouncer on cloud instance create

---
 .github/workflows/ai.yaml | 6 +-
 .github/workflows/test.yaml | 6 +-
 .github/workflows/trivy-artifact-scan.yaml | 88 +++++++++----------
 .github/workflows/trivy-cache.yaml | 58 ++++++------
 .github/workflows/www.yaml | 12 +--
 apps/core/lib/core/services/cloud/scram.ex | 15 ++++
 .../core/services/cloud/workflow/shared.ex | 15 +++-
 apps/core/mix.exs | 1 +
 .../lib/worker/conduit/subscribers/cloud.ex | 2 +
 9 files changed, 117 insertions(+), 86 deletions(-)
 create mode 100644 apps/core/lib/core/services/cloud/scram.ex

diff --git a/.github/workflows/ai.yaml b/.github/workflows/ai.yaml
index 5436a12ea..1891f77d5 100644
--- a/.github/workflows/ai.yaml
+++ b/.github/workflows/ai.yaml
@@ -69,9 +69,9 @@ jobs:
           security-checks: 'vuln,secret'
           ignore-unfixed: true
           #severity: 'CRITICAL,HIGH'
-        env:
-          TRIVY_SKIP_DB_UPDATE: true
-          TRIVY_SKIP_JAVA_DB_UPDATE: true
+        # env:
+        # TRIVY_SKIP_DB_UPDATE: true
+        # TRIVY_SKIP_JAVA_DB_UPDATE: true
       - name: Upload Trivy scan results to GitHub Security tab
         uses: github/codeql-action/upload-sarif@v2
         with:
diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
index d2aaadd57..090bafbc9 100644
--- a/.github/workflows/test.yaml
+++ b/.github/workflows/test.yaml
@@ -122,9 +122,9 @@ jobs:
           security-checks: 'vuln,secret'
           ignore-unfixed: true
           #severity: 'CRITICAL,HIGH'
-        env:
-          TRIVY_SKIP_DB_UPDATE: true
-          TRIVY_SKIP_JAVA_DB_UPDATE: true
+        # env:
+        # TRIVY_SKIP_DB_UPDATE: true
+        # TRIVY_SKIP_JAVA_DB_UPDATE: true
       - name: Upload Trivy scan results to GitHub Security tab
         uses: github/codeql-action/upload-sarif@v2
         with:
diff --git a/.github/workflows/trivy-artifact-scan.yaml b/.github/workflows/trivy-artifact-scan.yaml
index 49f490c00..87965d469 100644
--- a/.github/workflows/trivy-artifact-scan.yaml
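Review bot: Commenting out `TRIVY_SKIP_DB_UPDATE`/`TRIVY_SKIP_JAVA_DB_UPDATE` (here, in test.yaml, and twice in www.yaml) has nothing to do with the SCRAM change in the subject line, and the commit message does not explain it. With trivy-cache.yaml disabled in the same patch there is no pre-seeded DB any more, so the scan step now has to fetch the vulnerability DB itself on every run — presumably the intent, but it makes each of these workflows depend on that download succeeding. The scan and the `upload-sarif` step stay enabled, so coverage is unchanged as long as the download works. Either delete the three dead lines or leave one comment explaining the state, e.g. `# DB cache workflow (trivy-cache.yaml) is disabled; trivy fetches the DB itself`.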
+++ b/.github/workflows/trivy-artifact-scan.yaml 
@@ -1,44 +1,44 @@ -name: Trivy Artifact Scanning -on: - # push: - # branches: [ master ] - # paths: - # - "plural/**" - # - ".github/workflows/trivy-artifact-scan.yaml" - # pull_request: - # branches: [ master ] - # paths: - # - "plural/**" - # - ".github/workflows/trivy-artifact-scan.yaml" - # schedule: - # - cron: '0 0 * * 1' - workflow_dispatch: -jobs: - trivy-scan: - name: Trivy IaC scan - runs-on: ubuntu-20.04 - permissions: - contents: read # for actions/checkout to fetch code - security-events: write # for github/codeql-action/upload-sarif to upload SARIF results - actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status - steps: - - name: Checkout code - uses: actions/checkout@v3 - - name: Run Trivy vulnerability scanner in IaC mode - uses: aquasecurity/trivy-action@master - with: - scan-type: 'fs' - scan-ref: 'plural' - hide-progress: false - format: 'sarif' - output: 'trivy-results.sarif' - security-checks: 'vuln,secret,config' - ignore-unfixed: true - #severity: 'CRITICAL,HIGH' - env: - TRIVY_SKIP_DB_UPDATE: true - TRIVY_SKIP_JAVA_DB_UPDATE: true - - name: Upload Trivy scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@v2 - with: - sarif_file: 'trivy-results.sarif' +# name: Trivy Artifact Scanning +# on: +# # push: +# # branches: [ master ] +# # paths: +# # - "plural/**" +# # - ".github/workflows/trivy-artifact-scan.yaml" +# # pull_request: +# # branches: [ master ] +# # paths: +# # - "plural/**" +# # - ".github/workflows/trivy-artifact-scan.yaml" +# # schedule: +# # - cron: '0 0 * * 1' +# workflow_dispatch: +# jobs: +# trivy-scan: +# name: Trivy IaC scan +# runs-on: ubuntu-20.04 +# permissions: +# contents: read # for actions/checkout to fetch code +# security-events: write # for github/codeql-action/upload-sarif to upload SARIF results +# actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status +# 
steps: +# - name: Checkout code +# uses: actions/checkout@v3 +# - name: Run Trivy vulnerability scanner in IaC mode +# uses: aquasecurity/trivy-action@master +# with: +# scan-type: 'fs' +# scan-ref: 'plural' +# hide-progress: false +# format: 'sarif' +# output: 'trivy-results.sarif' +# security-checks: 'vuln,secret,config' +# ignore-unfixed: true +# #severity: 'CRITICAL,HIGH' +# env: +# TRIVY_SKIP_DB_UPDATE: true +# TRIVY_SKIP_JAVA_DB_UPDATE: true +# - name: Upload Trivy scan results to GitHub Security tab +# uses: github/codeql-action/upload-sarif@v2 +# with: +# sarif_file: 'trivy-results.sarif' diff --git a/.github/workflows/trivy-cache.yaml b/.github/workflows/trivy-cache.yaml index a4e4aef64..45d680430 100644 --- a/.github/workflows/trivy-cache.yaml +++ b/.github/workflows/trivy-cache.yaml 
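Review bot: The entire IaC scan workflow is commented out instead of being deleted or kept, and trivy-cache.yaml in the next file gets the same treatment; neither is mentioned in the commit message. This was the only workflow in the patch running `security-checks: 'vuln,secret,config'` against `plural`, so misconfiguration scanning of that directory now has no replacement — the remaining workflows scan `vuln,secret` only. On the old side it was already `workflow_dispatch`-only, so the cheaper option is to leave it runnable on demand with the `TRIVY_SKIP_*` env removed, matching what the other workflows now do; if it is meant to be retired, delete the file and say so in the message rather than keeping a commented copy.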
@@ -1,34 +1,34 @@ -name: Update Trivy Cache +# name: Update Trivy Cache -on: - schedule: - - cron: '0 0 * * *' - workflow_dispatch: +# on: +# schedule: +# - cron: '0 0 * * *' +# workflow_dispatch: -jobs: - update-trivy-db: - runs-on: ubuntu-latest - steps: - - name: Get current date - id: date - run: echo "date=$(date +'%Y-%m-%d')" >> $GITHUB_OUTPUT +# jobs: +# update-trivy-db: +# runs-on: ubuntu-latest +# steps: +# - name: Get current date +# id: date +# run: echo "date=$(date +'%Y-%m-%d')" >> $GITHUB_OUTPUT - - name: Download and extract the vulnerability DB - run: | - mkdir -p $GITHUB_WORKSPACE/.cache/trivy/db - oras pull ghcr.io/aquasecurity/trivy-db:2 - tar -xzf db.tar.gz -C $GITHUB_WORKSPACE/.cache/trivy/db - rm db.tar.gz +# - name: Download and extract the vulnerability DB +# run: | +# mkdir -p $GITHUB_WORKSPACE/.cache/trivy/db +# oras pull ghcr.io/aquasecurity/trivy-db:2 +# tar -xzf db.tar.gz -C $GITHUB_WORKSPACE/.cache/trivy/db +# rm db.tar.gz - - name: Download and extract the Java DB - run: | - mkdir -p $GITHUB_WORKSPACE/.cache/trivy/java-db - oras pull ghcr.io/aquasecurity/trivy-java-db:1 - tar -xzf javadb.tar.gz -C $GITHUB_WORKSPACE/.cache/trivy/java-db - rm javadb.tar.gz +# - name: Download and extract the Java DB +# run: | +# mkdir -p $GITHUB_WORKSPACE/.cache/trivy/java-db +# oras pull ghcr.io/aquasecurity/trivy-java-db:1 +# tar -xzf javadb.tar.gz -C $GITHUB_WORKSPACE/.cache/trivy/java-db +# rm javadb.tar.gz - - name: Cache DBs - uses: actions/cache/save@v4 - with: - path: ${{ github.workspace }}/.cache/trivy - key: cache-trivy-${{ steps.date.outputs.date }} \ No newline at end of file +# - name: Cache DBs +# uses: actions/cache/save@v4 +# with: +# path: ${{ github.workspace }}/.cache/trivy +# key: cache-trivy-${{ steps.date.outputs.date }} \ No newline at end of file diff --git a/.github/workflows/www.yaml b/.github/workflows/www.yaml index 2c6106b70..9dc97c3d4 100644 --- a/.github/workflows/www.yaml +++ b/.github/workflows/www.yaml 
@@ -63,9 +63,9 @@ jobs:
           security-checks: 'vuln,secret'
           ignore-unfixed: true
           #severity: 'CRITICAL,HIGH'
-        env:
-          TRIVY_SKIP_DB_UPDATE: true
-          TRIVY_SKIP_JAVA_DB_UPDATE: true
+        # env:
+        # TRIVY_SKIP_DB_UPDATE: true
+        # TRIVY_SKIP_JAVA_DB_UPDATE: true
       - name: Upload Trivy scan results to GitHub Security tab
         uses: github/codeql-action/upload-sarif@v2
         with:
@@ -91,9 +91,9 @@ jobs:
           security-checks: 'vuln,secret'
           ignore-unfixed: true
           #severity: 'CRITICAL,HIGH'
-        env:
-          TRIVY_SKIP_DB_UPDATE: true
-          TRIVY_SKIP_JAVA_DB_UPDATE: true
+        # env:
+        # TRIVY_SKIP_DB_UPDATE: true
+        # TRIVY_SKIP_JAVA_DB_UPDATE: true
       - name: Upload Trivy scan results to GitHub Security tab
         uses: github/codeql-action/upload-sarif@v2
         with:
diff --git a/apps/core/lib/core/services/cloud/scram.ex b/apps/core/lib/core/services/cloud/scram.ex
new file mode 100644
index 000000000..2f8694590
--- /dev/null
+++ b/apps/core/lib/core/services/cloud/scram.ex
@@ -0,0 +1,15 @@
+defmodule Core.Services.Cloud.Scram do
+  alias Plug.Crypto.KeyGenerator
+  @salt_size 16
+  @digest_len 32
+  @iterations 4096
+
+  def encrypt(pwd) do
+    salt = :crypto.strong_rand_bytes(@salt_size)
+    pbkdf = KeyGenerator.generate(pwd, salt, iterations: @iterations, length: @digest_len)
+    client = :crypto.mac(:hmac, :sha256, pbkdf, "Client Key")
+    stored = :crypto.hash(:sha256, client)
+    server = :crypto.mac(:hmac, :sha256, pbkdf, "Server Key")
+    "SCRAM-SHA-256$#{@iterations}:#{Base.encode64(salt)}$#{Base.encode64(stored)}:#{Base.encode64(server)}"
+  end
+end
diff --git a/apps/core/lib/core/services/cloud/workflow/shared.ex b/apps/core/lib/core/services/cloud/workflow/shared.ex
index 2732f4416..0d48f93d4 100644
--- a/apps/core/lib/core/services/cloud/workflow/shared.ex
+++ b/apps/core/lib/core/services/cloud/workflow/shared.ex
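Review bot: `encrypt/1` builds a SCRAM-SHA-256 verifier (random salt, StoredKey, ServerKey) rather than encrypting anything, so the name promises a reversibility it does not have, and the new module carries no `@moduledoc`, `@doc` or `@spec`. I would document it as: returns the PostgreSQL-style `SCRAM-SHA-256$<iterations>:<salt>$<StoredKey>:<ServerKey>` secret for `pwd`, with a fresh 16-byte salt per call so two results for the same password never compare equal, plus `@spec encrypt(binary()) :: String.t()`. Two things to confirm rather than defects visible from here: PostgreSQL runs SASLprep on the password before PBKDF2 and this does not, which only matters if `dbpassword` can contain non-ASCII; and on OTP 24.2+ `:crypto.pbkdf2_hmac/5` performs the same derivation, which would make the `plug_crypto` dependency added in mix.exs unnecessary if the project's OTP floor allows it.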
@@ -4,7 +4,7 @@ defmodule Core.Services.Cloud.Workflow.Shared do alias Core.Clients.Console alias Core.Services.{Cloud, Users} - alias Core.Services.Cloud.{Poller, Configuration} + alias Core.Services.Cloud.{Poller, Configuration, Scram} alias Core.Schema.{ConsoleInstance, PostgresCluster, User} alias Core.Repo @@ -12,6 +12,17 @@ defmodule Core.Services.Cloud.Workflow.Shared do @behaviour Core.Services.Cloud.Workflow + @table """ + CREATE TABLE IF NOT EXISTS console_users ( + usename VARCHAR(255) NOT NULL PRIMARY KEY, + passwd VARCHAR(500) NOT NULL + ) + """ + + @user_insert """ + INSERT INTO console_users (usename, passwd) values ($1, $2) ON CONFLICT (usename) DO UPDATE SET passwd = EXCLUDED.passwd + """ + def sync(%ConsoleInstance{external_id: id} = instance) when is_binary(id) do instance = Repo.preload(instance, [:cluster, :postgres]) Console.update_service(console(), id, %{ @@ -42,6 +53,8 @@ defmodule Core.Services.Cloud.Workflow.Shared do with {:ok, pid} <- connect(pg), {:ok, _} <- Postgrex.query(pid, "CREATE DATABASE #{conf.database}", []), {:ok, _} <- Postgrex.transaction(pid, fn conn -> + Postgrex.query!(conn, @table, []) + Postgrex.query!(conn, @user_insert, [conf.dbuser, Scram.encrypt(conf.dbpassword)]) Postgrex.query!(conn, "CREATE USER #{conf.dbuser} WITH PASSWORD '#{conf.dbpassword}'", []) Postgrex.query!(conn, "GRANT ALL ON DATABASE #{conf.database} TO #{conf.dbuser}", []) end) do diff --git a/apps/core/mix.exs b/apps/core/mix.exs index ea613ca7d..8def18bed 100644 --- a/apps/core/mix.exs +++ b/apps/core/mix.exs @@ -92,6 +92,7 @@ defmodule Core.MixProject do {:mojito, "~> 0.7.0"}, {:nebulex, "== 2.4.2"}, {:castore, "~> 0.1.7"}, + {:plug_crypto, "~> 1.2"}, {:req, "~> 0.4.14", override: true}, {:mint, "~> 1.4.0", override: true}, {:finch, "~> 0.17.0", override: true}, diff --git a/apps/worker/lib/worker/conduit/subscribers/cloud.ex b/apps/worker/lib/worker/conduit/subscribers/cloud.ex index 12ac4cbed..343fd9117 100644 
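Review bot: `console_users` will hold password verifiers, yet the DDL in `@table` says nothing about who may read it: the role pgbouncer uses for its auth lookup needs SELECT on it and no other role should, and the pattern from the pgbouncer documentation of exposing the row through a SECURITY DEFINER function keeps even that role from reading the whole table. The table is also created in whatever database `connect(pg)` opens (see the `with` in the third hunk), not in the newly created `conf.database`, so pgbouncer's `auth_query` must be pointed at that database — presumably intended. A comment on `@table` would pin both down, e.g. `# created in the database connect/1 opens; pgbouncer's auth_query reads it, so only the auth role may SELECT`.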
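Review bot: `Scram.encrypt(conf.dbpassword)` picks its own random salt, so the verifier written to `console_users` differs from the one PostgreSQL derives from the plaintext on the `CREATE USER ... WITH PASSWORD` line below; if pgbouncer is expected to pass the client's SCRAM proof through to the server, both sides need the identical secret (same salt and iteration count), and I cannot tell from here whether the pool is instead configured with a separate server-side password. PostgreSQL stores an already-SCRAM-formatted password string as-is, so computing the secret once and using it on both lines keeps them in sync, keeps the plaintext out of the SQL text and any statement log, and leaves only base64/`$`/`:` characters inside the interpolated quotes: `hash = Scram.encrypt(conf.dbpassword)`, `Postgrex.query!(conn, @user_insert, [conf.dbuser, hash])`, `Postgrex.query!(conn, "CREATE USER #{conf.dbuser} WITH PASSWORD '#{hash}'", [])`. The enclosing function begins before this hunk.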
--- a/apps/worker/lib/worker/conduit/subscribers/cloud.ex
+++ b/apps/worker/lib/worker/conduit/subscribers/cloud.ex
@@ -2,8 +2,10 @@ defmodule Worker.Conduit.Subscribers.Cloud do
   use Worker.Conduit.Subscribers.Base
   alias Core.Services.Cloud.Workflow
   alias Core.PubSub
+  require Logger
 
   def process(%Conduit.Message{body: body} = msg, _) do
+    Logger.info "handling #{body.__struct__} for #{body.item.name}"
     case handle(body) do
       {:ok, _} -> ack(msg)
       _ -> nack(msg)
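Review bot: The new `Logger.info` line reads `body.item.name` before `handle/1` runs, so a message whose body has no `item` (or whose `item` has no `name`) now raises inside `process/2` and is neither acked nor nacked, where before it would at least have reached `handle/1`'s own clauses — I cannot see from here whether every body struct carries `item`. If some do not, resolve the name defensively first, e.g. `name = case body do %{item: %{name: n}} -> n; _ -> nil end` followed by `Logger.info("handling #{body.__struct__} for #{inspect(name)}")`; avoid logging the whole body, since the cloud workflow these events feed (shared.ex in this patch) handles database credentials. `process/2` closes after this hunk.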