Skip to content

Commit

Permalink
Add a migration to encrypt database password using scram-sha-256
Browse files Browse the repository at this point in the history
CP4AIOPS-3003
  • Loading branch information
bdunne committed Oct 17, 2024
1 parent 0baa0eb commit b81ccc5
Show file tree
Hide file tree
Showing 2 changed files with 40 additions and 0 deletions.
17 changes: 17 additions & 0 deletions db/migrate/20241017013023_reencrypt_password_scramsha.rb
Original file line number Diff line number Diff line change
@@ -0,0 +1,17 @@
class ReencryptPasswordScramsha < ActiveRecord::Migration[6.1]
def up
say_with_time('Reencrypting database user password with scram-sha-256') do
database_yml = YAML.load_file(Rails.root.join("config","database.yml"))
username = database_yml[Rails.env]["username"]
password = MiqPassword.try_decrypt(database_yml[Rails.env]["password"])

execute <<-SQL
SET password_encryption='scram-sha-256';
SQL

execute <<-SQL
ALTER ROLE #{username} WITH PASSWORD '#{password}';
SQL
end
end
end
23 changes: 23 additions & 0 deletions spec/migrations/20241017013023_reencrypt_password_scramsha_spec.rb
Original file line number Diff line number Diff line change
@@ -0,0 +1,23 @@
require_migration

# This is mostly necessary for data migrations, so feel free to delete this
# file if you do no need it.
describe ReencryptPasswordScramsha do
migration_context :up do
it "Ensures that the user password is stored as scram-sha-256" do
migrate

users_and_passwords = execute <<-SQL
SELECT rolname, rolpassword FROM pg_authid WHERE rolcanlogin;
SQL

database_yml = YAML.load_file(Rails.root.join("config","database.yml"))
username = database_yml[Rails.env]["username"]

record = users_and_passwords.to_a.detect { |i| i["rolname"] == username }

expect(record["rolname"]).to eq(username)
expect(record["rolpassword"]).to match(/^SCRAM-SHA-256.*/)
end
end
end

0 comments on commit b81ccc5

Please sign in to comment.