Add scram hash to table for pgbouncer on cloud instance create #1388

Merged
merged 1 commit into from
Dec 16, 2024
6 changes: 3 additions & 3 deletions .github/workflows/ai.yaml
Expand Up @@ -69,9 +69,9 @@ jobs:
security-checks: 'vuln,secret'
ignore-unfixed: true
#severity: 'CRITICAL,HIGH'
env:
TRIVY_SKIP_DB_UPDATE: true
TRIVY_SKIP_JAVA_DB_UPDATE: true
# env:
# TRIVY_SKIP_DB_UPDATE: true
# TRIVY_SKIP_JAVA_DB_UPDATE: true
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
with:
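Review bot: The `env:` block is commented out rather than deleted, which leaves three dead `# TRIVY_SKIP_*` lines inside the scan step here and at the same step in test.yaml and (twice) in www.yaml. Dropping `TRIVY_SKIP_DB_UPDATE`/`TRIVY_SKIP_JAVA_DB_UPDATE` is consistent with disabling the trivy-cache workflow in this same PR, since without the cached DB the scanner has to fetch it, so either delete the lines or replace them with a single comment such as `# DB cache disabled (see trivy-cache.yaml); Trivy fetches its DB on every run`. None of the Trivy workflow changes relate to the PR title, so they would be easier to audit as a separate commit.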
6 changes: 3 additions & 3 deletions .github/workflows/test.yaml
Expand Up @@ -122,9 +122,9 @@ jobs:
security-checks: 'vuln,secret'
ignore-unfixed: true
#severity: 'CRITICAL,HIGH'
env:
TRIVY_SKIP_DB_UPDATE: true
TRIVY_SKIP_JAVA_DB_UPDATE: true
# env:
# TRIVY_SKIP_DB_UPDATE: true
# TRIVY_SKIP_JAVA_DB_UPDATE: true
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
with:
88 changes: 44 additions & 44 deletions .github/workflows/trivy-artifact-scan.yaml
@@ -1,44 +1,44 @@
name: Trivy Artifact Scanning
on:
# push:
# branches: [ master ]
# paths:
# - "plural/**"
# - ".github/workflows/trivy-artifact-scan.yaml"
# pull_request:
# branches: [ master ]
# paths:
# - "plural/**"
# - ".github/workflows/trivy-artifact-scan.yaml"
# schedule:
# - cron: '0 0 * * 1'
workflow_dispatch:
jobs:
trivy-scan:
name: Trivy IaC scan
runs-on: ubuntu-20.04
permissions:
contents: read # for actions/checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
steps:
- name: Checkout code
uses: actions/checkout@v3
- name: Run Trivy vulnerability scanner in IaC mode
uses: aquasecurity/trivy-action@master
with:
scan-type: 'fs'
scan-ref: 'plural'
hide-progress: false
format: 'sarif'
output: 'trivy-results.sarif'
security-checks: 'vuln,secret,config'
ignore-unfixed: true
#severity: 'CRITICAL,HIGH'
env:
TRIVY_SKIP_DB_UPDATE: true
TRIVY_SKIP_JAVA_DB_UPDATE: true
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: 'trivy-results.sarif'
# name: Trivy Artifact Scanning
# on:
# # push:
# # branches: [ master ]
# # paths:
# # - "plural/**"
# # - ".github/workflows/trivy-artifact-scan.yaml"
# # pull_request:
# # branches: [ master ]
# # paths:
# # - "plural/**"
# # - ".github/workflows/trivy-artifact-scan.yaml"
# # schedule:
# # - cron: '0 0 * * 1'
# workflow_dispatch:
# jobs:
# trivy-scan:
# name: Trivy IaC scan
# runs-on: ubuntu-20.04
# permissions:
# contents: read # for actions/checkout to fetch code
# security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
# actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
# steps:
# - name: Checkout code
# uses: actions/checkout@v3
# - name: Run Trivy vulnerability scanner in IaC mode
# uses: aquasecurity/trivy-action@master
# with:
# scan-type: 'fs'
# scan-ref: 'plural'
# hide-progress: false
# format: 'sarif'
# output: 'trivy-results.sarif'
# security-checks: 'vuln,secret,config'
# ignore-unfixed: true
# #severity: 'CRITICAL,HIGH'
# env:
# TRIVY_SKIP_DB_UPDATE: true
# TRIVY_SKIP_JAVA_DB_UPDATE: true
# - name: Upload Trivy scan results to GitHub Security tab
# uses: github/codeql-action/upload-sarif@v2
# with:
# sarif_file: 'trivy-results.sarif'
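Review bot: Every line of this workflow is now commented out, so the file is dead weight under `.github/workflows/`; the same applies to trivy-cache.yaml further down. This was the only job running Trivy with `security-checks: 'vuln,secret,config'`, so IaC/config-misconfiguration scanning of `plural/` disappears with it (it was already `workflow_dispatch`-only, so no scheduled run is lost). If that is intended, delete the file and say so in the PR description; if the goal is only to pause the job while keeping it discoverable, keep `on: workflow_dispatch:` live and comment out just the steps.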
58 changes: 29 additions & 29 deletions .github/workflows/trivy-cache.yaml
@@ -1,34 +1,34 @@
name: Update Trivy Cache
# name: Update Trivy Cache

on:
schedule:
- cron: '0 0 * * *'
workflow_dispatch:
# on:
# schedule:
# - cron: '0 0 * * *'
# workflow_dispatch:

jobs:
update-trivy-db:
runs-on: ubuntu-latest
steps:
- name: Get current date
id: date
run: echo "date=$(date +'%Y-%m-%d')" >> $GITHUB_OUTPUT
# jobs:
# update-trivy-db:
# runs-on: ubuntu-latest
# steps:
# - name: Get current date
# id: date
# run: echo "date=$(date +'%Y-%m-%d')" >> $GITHUB_OUTPUT

- name: Download and extract the vulnerability DB
run: |
mkdir -p $GITHUB_WORKSPACE/.cache/trivy/db
oras pull ghcr.io/aquasecurity/trivy-db:2
tar -xzf db.tar.gz -C $GITHUB_WORKSPACE/.cache/trivy/db
rm db.tar.gz
# - name: Download and extract the vulnerability DB
# run: |
# mkdir -p $GITHUB_WORKSPACE/.cache/trivy/db
# oras pull ghcr.io/aquasecurity/trivy-db:2
# tar -xzf db.tar.gz -C $GITHUB_WORKSPACE/.cache/trivy/db
# rm db.tar.gz

- name: Download and extract the Java DB
run: |
mkdir -p $GITHUB_WORKSPACE/.cache/trivy/java-db
oras pull ghcr.io/aquasecurity/trivy-java-db:1
tar -xzf javadb.tar.gz -C $GITHUB_WORKSPACE/.cache/trivy/java-db
rm javadb.tar.gz
# - name: Download and extract the Java DB
# run: |
# mkdir -p $GITHUB_WORKSPACE/.cache/trivy/java-db
# oras pull ghcr.io/aquasecurity/trivy-java-db:1
# tar -xzf javadb.tar.gz -C $GITHUB_WORKSPACE/.cache/trivy/java-db
# rm javadb.tar.gz

- name: Cache DBs
uses: actions/cache/save@v4
with:
path: ${{ github.workspace }}/.cache/trivy
key: cache-trivy-${{ steps.date.outputs.date }}
# - name: Cache DBs
# uses: actions/cache/save@v4
# with:
# path: ${{ github.workspace }}/.cache/trivy
# key: cache-trivy-${{ steps.date.outputs.date }}
12 changes: 6 additions & 6 deletions .github/workflows/www.yaml
Expand Up @@ -63,9 +63,9 @@ jobs:
security-checks: 'vuln,secret'
ignore-unfixed: true
#severity: 'CRITICAL,HIGH'
env:
TRIVY_SKIP_DB_UPDATE: true
TRIVY_SKIP_JAVA_DB_UPDATE: true
# env:
# TRIVY_SKIP_DB_UPDATE: true
# TRIVY_SKIP_JAVA_DB_UPDATE: true
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
with:
Expand All @@ -91,9 +91,9 @@ jobs:
security-checks: 'vuln,secret'
ignore-unfixed: true
#severity: 'CRITICAL,HIGH'
env:
TRIVY_SKIP_DB_UPDATE: true
TRIVY_SKIP_JAVA_DB_UPDATE: true
# env:
# TRIVY_SKIP_DB_UPDATE: true
# TRIVY_SKIP_JAVA_DB_UPDATE: true
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
with:
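--- a/apps/core/lib/core/services/cloud/scram.ex
+++ b/apps/core/lib/core/services/cloud/scram.ex
@@ -0,0 +1,15 @@
+defmodule Core.Services.Cloud.Scram do
+alias Plug.Crypto.KeyGenerator
+@salt_size 16
+@digest_len 32
+@iterations 4096
+
+def encrypt(pwd) do
+salt = :crypto.strong_rand_bytes(@salt_size)
+pbkdf = KeyGenerator.generate(pwd, salt, iterations: @iterations, length: @digest_len)
+client = :crypto.mac(:hmac, :sha256, pbkdf, "Client Key")
+stored = :crypto.hash(:sha256, client)
+server = :crypto.mac(:hmac, :sha256, pbkdf, "Server Key")
+"SCRAM-SHA-256$#{@iterations}:#{Base.encode64(salt)}$#{Base.encode64(stored)}:#{Base.encode64(server)}"
+end
+end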
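Review bot: `encrypt/1` has no `@moduledoc`, `@doc` or `@spec`, and its name suggests reversible encryption when the body derives a one-way SCRAM-SHA-256 verifier (random salt, PBKDF2 salted key, StoredKey = SHA-256 of HMAC(key, "Client Key"), ServerKey = HMAC(key, "Server Key")). Add `@doc "Builds a PostgreSQL-format SCRAM-SHA-256 verifier for `pwd` (one-way; not reversible) for the pgbouncer auth_query table."` together with `@spec encrypt(binary()) :: String.t()`, and guard the head as `def encrypt(pwd) when is_binary(pwd)` so a nil password fails here rather than inside `KeyGenerator.generate/3`. A short comment above the interpolated string noting that the `SCRAM-SHA-256$<iter>:<salt>$<StoredKey>:<ServerKey>` layout is parsed by pgbouncer/PostgreSQL and must not be reformatted would also help; 4096 iterations and a 16-byte salt match PostgreSQL's own defaults as far as I know, which is worth stating in the same comment.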
15 changes: 14 additions & 1 deletion apps/core/lib/core/services/cloud/workflow/shared.ex
Expand Up @@ -4,14 +4,25 @@ defmodule Core.Services.Cloud.Workflow.Shared do

alias Core.Clients.Console
alias Core.Services.{Cloud, Users}
alias Core.Services.Cloud.{Poller, Configuration}
alias Core.Services.Cloud.{Poller, Configuration, Scram}
alias Core.Schema.{ConsoleInstance, PostgresCluster, User}
alias Core.Repo

require Logger

@behaviour Core.Services.Cloud.Workflow

@table """
CREATE TABLE IF NOT EXISTS console_users (
usename VARCHAR(255) NOT NULL PRIMARY KEY,
passwd VARCHAR(500) NOT NULL
)
"""

@user_insert """
INSERT INTO console_users (usename, passwd) values ($1, $2) ON CONFLICT (usename) DO UPDATE SET passwd = EXCLUDED.passwd
"""

def sync(%ConsoleInstance{external_id: id} = instance) when is_binary(id) do
instance = Repo.preload(instance, [:cluster, :postgres])
Console.update_service(console(), id, %{
Expand Down Expand Up @@ -42,6 +53,8 @@ defmodule Core.Services.Cloud.Workflow.Shared do
with {:ok, pid} <- connect(pg),
{:ok, _} <- Postgrex.query(pid, "CREATE DATABASE #{conf.database}", []),
{:ok, _} <- Postgrex.transaction(pid, fn conn ->
Postgrex.query!(conn, @table, [])
Postgrex.query!(conn, @user_insert, [conf.dbuser, Scram.encrypt(conf.dbpassword)])
Postgrex.query!(conn, "CREATE USER #{conf.dbuser} WITH PASSWORD '#{conf.dbpassword}'", [])
Postgrex.query!(conn, "GRANT ALL ON DATABASE #{conf.database} TO #{conf.dbuser}", [])
end) do
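Review bot: The new `@user_insert` is parameterized, but the `CREATE USER` on the line below it still interpolates the same `conf.dbuser` and plaintext `conf.dbpassword` into SQL text, so the transaction now stores a properly derived verifier for pgbouncer while the clear password is sent to the server as a statement (and lands in its statement log if `log_statement` covers DDL). Since the verifier is computed here anyway, derive it once and reuse it for both statements — PostgreSQL stores a password literal that is already in SCRAM-SHA-256 form as-is, if I recall the CREATE ROLE docs correctly, and the base64/`$`/`:` characters cannot break the single-quoted literal: `scram = Scram.encrypt(conf.dbpassword)` before `Postgrex.transaction`, then `Postgrex.query!(conn, @user_insert, [conf.dbuser, scram])` and `Postgrex.query!(conn, "CREATE USER #{conf.dbuser} WITH PASSWORD '#{scram}'", [])`. That also guarantees pgbouncer and the server hold the identical verifier rather than two independently salted ones. `conf.dbuser` is still interpolated as a bare identifier in the CREATE USER and GRANT statements; unless it is validated upstream, quote it as an identifier there too. The enclosing function starts before and ends after this hunk.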
1 change: 1 addition & 0 deletions apps/core/mix.exs
Expand Up @@ -92,6 +92,7 @@ defmodule Core.MixProject do
{:mojito, "~> 0.7.0"},
{:nebulex, "== 2.4.2"},
{:castore, "~> 0.1.7"},
{:plug_crypto, "~> 1.2"},
{:req, "~> 0.4.14", override: true},
{:mint, "~> 1.4.0", override: true},
{:finch, "~> 0.17.0", override: true},
2 changes: 2 additions & 0 deletions apps/worker/lib/worker/conduit/subscribers/cloud.ex
Expand Up @@ -2,8 +2,10 @@ defmodule Worker.Conduit.Subscribers.Cloud do
use Worker.Conduit.Subscribers.Base
alias Core.Services.Cloud.Workflow
alias Core.PubSub
require Logger

def process(%Conduit.Message{body: body} = msg, _) do
Logger.info "handling #{body.__struct__} for #{body.item.name}"
case handle(body) do
{:ok, _} -> ack(msg)
_ -> nack(msg)
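Review bot: The new `Logger.info` line dereferences `body.item.name` before `handle/1` runs, so any event whose body has no `item` (or whose item has no `name`) now raises in the subscriber instead of reaching the `nack` branch; I cannot see the event structs from here, so confirm every body routed to this subscriber carries `item.name`, or log only what is guaranteed and let `handle/1` pattern-match the rest: `Logger.info("handling #{inspect(body.__struct__)}")`. Credo also wants parentheses on the call, `Logger.info("handling #{body.__struct__} for #{body.item.name}")`. `process/2` continues past the end of the hunk.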