Skip to content

Commit

Permalink
Add scram hash to table for pgbouncer on cloud instance create
Browse files Browse the repository at this point in the history
  • Loading branch information
michaeljguarino committed Dec 15, 2024
1 parent d6939fe commit 6e58f4f
Show file tree
Hide file tree
Showing 6 changed files with 105 additions and 74 deletions.
88 changes: 44 additions & 44 deletions .github/workflows/trivy-artifact-scan.yaml
Original file line number Diff line number Diff line change
@@ -1,44 +1,44 @@
name: Trivy Artifact Scanning
on:
# push:
# branches: [ master ]
# paths:
# - "plural/**"
# - ".github/workflows/trivy-artifact-scan.yaml"
# pull_request:
# branches: [ master ]
# paths:
# - "plural/**"
# - ".github/workflows/trivy-artifact-scan.yaml"
# schedule:
# - cron: '0 0 * * 1'
workflow_dispatch:
jobs:
trivy-scan:
name: Trivy IaC scan
runs-on: ubuntu-20.04
permissions:
contents: read # for actions/checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
steps:
- name: Checkout code
uses: actions/checkout@v3
- name: Run Trivy vulnerability scanner in IaC mode
uses: aquasecurity/trivy-action@master
with:
scan-type: 'fs'
scan-ref: 'plural'
hide-progress: false
format: 'sarif'
output: 'trivy-results.sarif'
security-checks: 'vuln,secret,config'
ignore-unfixed: true
#severity: 'CRITICAL,HIGH'
env:
TRIVY_SKIP_DB_UPDATE: true
TRIVY_SKIP_JAVA_DB_UPDATE: true
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: 'trivy-results.sarif'
# name: Trivy Artifact Scanning
# on:
# # push:
# # branches: [ master ]
# # paths:
# # - "plural/**"
# # - ".github/workflows/trivy-artifact-scan.yaml"
# # pull_request:
# # branches: [ master ]
# # paths:
# # - "plural/**"
# # - ".github/workflows/trivy-artifact-scan.yaml"
# # schedule:
# # - cron: '0 0 * * 1'
# workflow_dispatch:
# jobs:
# trivy-scan:
# name: Trivy IaC scan
# runs-on: ubuntu-20.04
# permissions:
# contents: read # for actions/checkout to fetch code
# security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
# actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
# steps:
# - name: Checkout code
# uses: actions/checkout@v3
# - name: Run Trivy vulnerability scanner in IaC mode
# uses: aquasecurity/trivy-action@master
# with:
# scan-type: 'fs'
# scan-ref: 'plural'
# hide-progress: false
# format: 'sarif'
# output: 'trivy-results.sarif'
# security-checks: 'vuln,secret,config'
# ignore-unfixed: true
# #severity: 'CRITICAL,HIGH'
# env:
# TRIVY_SKIP_DB_UPDATE: true
# TRIVY_SKIP_JAVA_DB_UPDATE: true
# - name: Upload Trivy scan results to GitHub Security tab
# uses: github/codeql-action/upload-sarif@v2
# with:
# sarif_file: 'trivy-results.sarif'
58 changes: 29 additions & 29 deletions .github/workflows/trivy-cache.yaml
Original file line number Diff line number Diff line change
@@ -1,34 +1,34 @@
name: Update Trivy Cache
# name: Update Trivy Cache

on:
schedule:
- cron: '0 0 * * *'
workflow_dispatch:
# on:
# schedule:
# - cron: '0 0 * * *'
# workflow_dispatch:

jobs:
update-trivy-db:
runs-on: ubuntu-latest
steps:
- name: Get current date
id: date
run: echo "date=$(date +'%Y-%m-%d')" >> $GITHUB_OUTPUT
# jobs:
# update-trivy-db:
# runs-on: ubuntu-latest
# steps:
# - name: Get current date
# id: date
# run: echo "date=$(date +'%Y-%m-%d')" >> $GITHUB_OUTPUT

- name: Download and extract the vulnerability DB
run: |
mkdir -p $GITHUB_WORKSPACE/.cache/trivy/db
oras pull ghcr.io/aquasecurity/trivy-db:2
tar -xzf db.tar.gz -C $GITHUB_WORKSPACE/.cache/trivy/db
rm db.tar.gz
# - name: Download and extract the vulnerability DB
# run: |
# mkdir -p $GITHUB_WORKSPACE/.cache/trivy/db
# oras pull ghcr.io/aquasecurity/trivy-db:2
# tar -xzf db.tar.gz -C $GITHUB_WORKSPACE/.cache/trivy/db
# rm db.tar.gz

- name: Download and extract the Java DB
run: |
mkdir -p $GITHUB_WORKSPACE/.cache/trivy/java-db
oras pull ghcr.io/aquasecurity/trivy-java-db:1
tar -xzf javadb.tar.gz -C $GITHUB_WORKSPACE/.cache/trivy/java-db
rm javadb.tar.gz
# - name: Download and extract the Java DB
# run: |
# mkdir -p $GITHUB_WORKSPACE/.cache/trivy/java-db
# oras pull ghcr.io/aquasecurity/trivy-java-db:1
# tar -xzf javadb.tar.gz -C $GITHUB_WORKSPACE/.cache/trivy/java-db
# rm javadb.tar.gz

- name: Cache DBs
uses: actions/cache/save@v4
with:
path: ${{ github.workspace }}/.cache/trivy
key: cache-trivy-${{ steps.date.outputs.date }}
# - name: Cache DBs
# uses: actions/cache/save@v4
# with:
# path: ${{ github.workspace }}/.cache/trivy
# key: cache-trivy-${{ steps.date.outputs.date }}
15 changes: 15 additions & 0 deletions apps/core/lib/core/services/cloud/scram.ex
Original file line number Diff line number Diff line change
@@ -0,0 +1,15 @@
defmodule Core.Services.Cloud.Scram do
alias Plug.Crypto.KeyGenerator
@salt_size 16
@digest_len 32
@iterations 4096

def encrypt(pwd) do
salt = :crypto.strong_rand_bytes(@salt_size)
pbkdf = KeyGenerator.generate(pwd, salt, iterations: @iterations, length: @digest_len)
client = :crypto.mac(:hmac, :sha256, pbkdf, "Client Key")
stored = :crypto.hash(:sha256, client)
server = :crypto.mac(:hmac, :sha256, pbkdf, "Server Key")
"SCRAM-SHA-256$#{@iterations}:#{Base.encode64(salt)}$#{Base.encode64(stored)}:#{Base.encode64(server)}"
end
end
15 changes: 14 additions & 1 deletion apps/core/lib/core/services/cloud/workflow/shared.ex
Original file line number Diff line number Diff line change
Expand Up @@ -4,14 +4,25 @@ defmodule Core.Services.Cloud.Workflow.Shared do

alias Core.Clients.Console
alias Core.Services.{Cloud, Users}
alias Core.Services.Cloud.{Poller, Configuration}
alias Core.Services.Cloud.{Poller, Configuration, Scram}
alias Core.Schema.{ConsoleInstance, PostgresCluster, User}
alias Core.Repo

require Logger

@behaviour Core.Services.Cloud.Workflow

@table """
CREATE TABLE IF NOT EXISTS console_users (
usename VARCHAR(255) NOT NULL PRIMARY KEY,
passwd VARCHAR(500) NOT NULL
)
"""

@user_insert """
INSERT INTO console_users (usename, passwd) values ($1, $2) ON CONFLICT (usename) DO UPDATE SET passwd = EXCLUDED.passwd
"""

def sync(%ConsoleInstance{external_id: id} = instance) when is_binary(id) do
instance = Repo.preload(instance, [:cluster, :postgres])
Console.update_service(console(), id, %{
Expand Down Expand Up @@ -42,6 +53,8 @@ defmodule Core.Services.Cloud.Workflow.Shared do
with {:ok, pid} <- connect(pg),
{:ok, _} <- Postgrex.query(pid, "CREATE DATABASE #{conf.database}", []),
{:ok, _} <- Postgrex.transaction(pid, fn conn ->
Postgrex.query!(conn, @table, [])
Postgrex.query!(conn, @user_insert, [conf.dbuser, Scram.encrypt(conf.dbpassword)])
Postgrex.query!(conn, "CREATE USER #{conf.dbuser} WITH PASSWORD '#{conf.dbpassword}'", [])
Postgrex.query!(conn, "GRANT ALL ON DATABASE #{conf.database} TO #{conf.dbuser}", [])
end) do
Expand Down
1 change: 1 addition & 0 deletions apps/core/mix.exs
Original file line number Diff line number Diff line change
Expand Up @@ -92,6 +92,7 @@ defmodule Core.MixProject do
{:mojito, "~> 0.7.0"},
{:nebulex, "== 2.4.2"},
{:castore, "~> 0.1.7"},
{:plug_crypto, "~> 1.2"},
{:req, "~> 0.4.14", override: true},
{:mint, "~> 1.4.0", override: true},
{:finch, "~> 0.17.0", override: true},
Expand Down
2 changes: 2 additions & 0 deletions apps/worker/lib/worker/conduit/subscribers/cloud.ex
Original file line number Diff line number Diff line change
Expand Up @@ -2,8 +2,10 @@ defmodule Worker.Conduit.Subscribers.Cloud do
use Worker.Conduit.Subscribers.Base
alias Core.Services.Cloud.Workflow
alias Core.PubSub
require Logger

def process(%Conduit.Message{body: body} = msg, _) do
Logger.info "handling #{body.__struct__} for #{body.item.name}"
case handle(body) do
{:ok, _} -> ack(msg)
_ -> nack(msg)
Expand Down

0 comments on commit 6e58f4f

Please sign in to comment.