Add scram hash to table for pgbouncer on cloud instance create

pluralsh · Dec 15, 2024 · 2e334a0 · 2e334a0
1 parent d6939fe
commit 2e334a0
Show file tree

Hide file tree

Showing 4 changed files with 32 additions and 1 deletion.
diff --git a/apps/core/lib/core/services/cloud/scram.ex b/apps/core/lib/core/services/cloud/scram.ex
@@ -0,0 +1,15 @@
+defmodule Core.Services.Cloud.Scram do
+  alias Plug.Crypto.KeyGenerator
+  @salt_size 16
+  @digest_len 32
+  @iterations 4096
+
+  def encrypt(pwd) do
+    salt   = :crypto.strong_rand_bytes(@salt_size)
+    pbkdf  = KeyGenerator.generate(pwd, salt, iterations: @iterations, length: @digest_len)
+    client = :crypto.mac(:hmac, :sha256, pbkdf, "Client Key")
+    stored = :crypto.hash(:sha256, client)
+    server = :crypto.mac(:hmac, :sha256, pbkdf, "Server Key")
+    "SCRAM-SHA-256$#{@iterations}:#{Base.encode64(salt)}$#{Base.encode64(stored)}:#{Base.encode64(server)}"
+  end
+end
diff --git a/apps/core/lib/core/services/cloud/workflow/shared.ex b/apps/core/lib/core/services/cloud/workflow/shared.ex
@@ -4,14 +4,25 @@ defmodule Core.Services.Cloud.Workflow.Shared do
 
   alias Core.Clients.Console
   alias Core.Services.{Cloud, Users}
-  alias Core.Services.Cloud.{Poller, Configuration}
+  alias Core.Services.Cloud.{Poller, Configuration, Scram}
   alias Core.Schema.{ConsoleInstance, PostgresCluster, User}
   alias Core.Repo
 
   require Logger
 
   @behaviour Core.Services.Cloud.Workflow
 
+  @table """
+  CREATE TABLE IF NOT EXISTS console_users (
+    usename VARCHAR(255) NOT NULL PRIMARY KEY,
+    passwd VARCHAR(500) NOT NULL
+  )
+  """
+
+  @user_insert """
+  INSERT INTO console_users (usename, passwd) values ($1, $2) ON CONFLICT (usename) DO UPDATE SET passwd = EXCLUDED.passwd
+  """
+
   def sync(%ConsoleInstance{external_id: id} = instance) when is_binary(id) do
     instance = Repo.preload(instance, [:cluster, :postgres])
     Console.update_service(console(), id, %{
@@ -42,6 +53,8 @@ defmodule Core.Services.Cloud.Workflow.Shared do
     with {:ok, pid} <- connect(pg),
          {:ok, _} <- Postgrex.query(pid, "CREATE DATABASE #{conf.database}", []),
          {:ok, _} <- Postgrex.transaction(pid, fn conn ->
+                       Postgrex.query!(conn, @table, [])
+                       Postgrex.query!(conn, @user_insert, [conf.dbuser, Scram.encrypt(conf.dbpassword)])
                        Postgrex.query!(conn, "CREATE USER #{conf.dbuser} WITH PASSWORD '#{conf.dbpassword}'", [])
                        Postgrex.query!(conn, "GRANT ALL ON DATABASE #{conf.database} TO #{conf.dbuser}", [])
                      end) do

diff --git a/apps/core/mix.exs b/apps/core/mix.exs
@@ -92,6 +92,7 @@ defmodule Core.MixProject do
       {:mojito, "~> 0.7.0"},
       {:nebulex, "== 2.4.2"},
       {:castore, "~> 0.1.7"},
+      {:plug_crypto, "~> 1.2"},
       {:req, "~> 0.4.14", override: true},
       {:mint, "~> 1.4.0", override: true},
       {:finch, "~> 0.17.0", override: true},

diff --git a/apps/worker/lib/worker/conduit/subscribers/cloud.ex b/apps/worker/lib/worker/conduit/subscribers/cloud.ex
@@ -2,8 +2,10 @@ defmodule Worker.Conduit.Subscribers.Cloud do
   use Worker.Conduit.Subscribers.Base
   alias Core.Services.Cloud.Workflow
   alias Core.PubSub
+  require Logger
 
   def process(%Conduit.Message{body: body} = msg, _) do
+    Logger.info "handling #{body.__struct__} for #{body.item.name}"
     case handle(body) do
       {:ok, _} -> ack(msg)
       _ -> nack(msg)