
Commit 10aabda

Update password creation to be scram-sha-256 instead of md5 (#1119)
* changes to pgbouncer for FIPS * change password creation to be SCRAM, add some tests * changes to the Makefile and to docker compose
1 parent 526b58b commit 10aabda

9 files changed

+682
-16
lines changed


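--- a/Makefile
+++ b/Makefile
@@ -132,7 +132,7 @@ goformat:
 
 .PHONY: dev-start
 dev-start:
-docker-compose up -d
+docker compose up -d
 
 ## Checks if imports are formatted correctly.
 .PHONY: goimports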

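--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -1,4 +1,3 @@
-version: "3.7"
 services:
 postgres:
 image: "postgres:14.8"
@@ -24,4 +23,4 @@ networks:
 # used by Tailscale on Linux. Tailscale's use of these addresses
 # meant no traffic reached the local container.
 - subnet: 192.168.255.0/24
-ip_range: 192.168.255.0/24
+ip_range: 192.168.255.0/24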

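--- a/go.mod
+++ b/go.mod
@@ -54,6 +54,7 @@ require (
 github.com/spf13/viper v1.19.0
 github.com/stretchr/testify v1.10.0
 github.com/vrischmann/envconfig v1.4.1
+golang.org/x/crypto v0.39.0
 golang.org/x/oauth2 v0.27.0
 golang.org/x/tools v0.33.0
 gopkg.in/yaml.v2 v2.4.0
@@ -152,7 +153,6 @@ require (
 github.com/x448/float16 v0.8.4 // indirect
 github.com/xanzy/ssh-agent v0.3.3 // indirect
 go.uber.org/multierr v1.11.0 // indirect
-golang.org/x/crypto v0.39.0 // indirect
 golang.org/x/exp v0.0.0-20240909161429-701f63a606c0 // indirect
 golang.org/x/mod v0.25.0 // indirect
 golang.org/x/net v0.41.0 // indirect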

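--- a/internal/provisioner/pgbouncer/pgbouncer.go
+++ b/internal/provisioner/pgbouncer/pgbouncer.go
@@ -24,6 +24,7 @@ listen_addr = *
 listen_port = 5432
 auth_file = /etc/userlist/userlist.txt
 auth_query = SELECT usename, passwd FROM pgbouncer.pgbouncer_users WHERE usename=$1
+auth_type = scram-sha-256
 admin_users = admin
 ignore_startup_parameters = extra_float_digits
 tcp_keepalive = 1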
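Review bot: The new `auth_type = scram-sha-256` line governs every client login pgbouncer accepts, including the admin user resolved through `auth_file = /etc/userlist/userlist.txt`, and nothing in this commit touches that userlist; pgbouncer documents that under scram-sha-256 auth_file entries must be plaintext or SCRAM verifiers, so if the template still writes md5-style entries the admin login will stop working and the pgbouncer users table rows created by the Go change will be the only ones that authenticate. Please confirm the userlist generation path and record the constraint next to this line, e.g. `; auth_file entries must be plaintext or SCRAM verifiers when auth_type is scram-sha-256`. Presumably the verifier stored via auth_query must also be identical to the one set on the PostgreSQL role for SCRAM pass-through to the server to work, which is why the Go side generates the hash once; a short comment pointing at that coupling would help the next person editing this template.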

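--- a/internal/tools/aws/database_multitenant_pgbouncer.go
+++ b/internal/tools/aws/database_multitenant_pgbouncer.go
@@ -6,7 +6,6 @@ package aws
 
 import (
 "context"
-"crypto/md5"
 "database/sql"
 "fmt"
 "strings"
@@ -350,7 +349,13 @@ func (d *RDSMultitenantPGBouncerDatabase) provisionPGBouncerDatabase(vpcID strin
 ctx, cancel := context.WithDeadline(context.Background(), time.Now().Add(DefaultMySQLContextTimeSeconds*time.Second))
 defer cancel()
 
-err = ensureDatabaseUserIsCreated(ctx, d.db, authUserSecret.MasterUsername, authUserSecret.MasterPassword)
+// Generate SCRAM-SHA-256 hash for the auth user password
+authScramHash, err := generateSCRAMSHA256Hash(authUserSecret.MasterPassword)
+if err != nil {
+return errors.Wrap(err, "failed to generate SCRAM-SHA-256 hash for auth user")
+}
+
+err = ensureDatabaseUserIsCreatedWithHash(ctx, d.db, authUserSecret.MasterUsername, authScramHash)
 if err != nil {
 return errors.Wrap(err, "failed to ensure pgbouncer user was created")
 }
@@ -456,12 +461,18 @@ func (d *RDSMultitenantPGBouncerDatabase) ensureLogicalDatabaseSetup(databaseNam
 return errors.Wrap(err, "failed to get a secret for installation")
 }
 
-err = ensureDatabaseUserIsCreated(ctx, d.db, installationSecret.MasterUsername, installationSecret.MasterPassword)
+// Generate SCRAM-SHA-256 hash once to ensure consistency between PostgreSQL user and PGBouncer entry
+scramHash, err := generateSCRAMSHA256Hash(installationSecret.MasterPassword)
+if err != nil {
+return errors.Wrap(err, "failed to generate SCRAM-SHA-256 hash")
+}
+
+err = ensureDatabaseUserIsCreatedWithHash(ctx, d.db, installationSecret.MasterUsername, scramHash)
 if err != nil {
 return errors.Wrap(err, "failed to create Mattermost database user")
 }
 
-err = d.ensureInstallationUserAddedToUsersTable(ctx, installationSecret.MasterUsername, installationSecret.MasterPassword)
+err = d.ensureInstallationUserAddedToUsersTableWithHash(ctx, installationSecret.MasterUsername, scramHash)
 if err != nil {
 return errors.Wrap(err, "failed to create Mattermost user entry for PGBouncer")
 }
@@ -479,7 +490,7 @@ func (d *RDSMultitenantPGBouncerDatabase) ensureLogicalDatabaseSetup(databaseNam
 return nil
 }
 
-func (d *RDSMultitenantPGBouncerDatabase) ensureInstallationUserAddedToUsersTable(ctx context.Context, username, password string) error {
+func (d *RDSMultitenantPGBouncerDatabase) ensureInstallationUserAddedToUsersTableWithHash(ctx context.Context, username, scramHash string) error {
 query := fmt.Sprintf("SELECT usename FROM pgbouncer.pgbouncer_users WHERE usename = '%s';", username)
 rows, err := d.db.QueryContext(ctx, query)
 if err != nil {
@@ -489,7 +500,7 @@ func (d *RDSMultitenantPGBouncerDatabase) ensureInstallationUserAddedToUsersTabl
 return nil
 }
 
-query = fmt.Sprintf(`INSERT INTO pgbouncer.pgbouncer_users (usename, passwd) VALUES ('%s', 'md5%x')`, username, md5.Sum([]byte(password+username)))
+query = fmt.Sprintf(`INSERT INTO pgbouncer.pgbouncer_users (usename, passwd) VALUES ('%s', '%s')`, username, scramHash)
 _, err = d.db.QueryContext(ctx, query)
 if err != nil {
 return errors.Wrap(err, "failed to run create pgbouncer installation user SQL command")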
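Review bot: The rewritten INSERT in ensureInstallationUserAddedToUsersTableWithHash is still executed with `d.db.QueryContext` and the returned `*sql.Rows` is discarded with `_`, so the pooled connection is not released until the rows value is garbage-collected; an INSERT belongs in ExecContext, and since the statement already goes through database/sql the verifier and username should be bound rather than spliced into the SQL text with `fmt.Sprintf` and `'%s'`: `_, err = d.db.ExecContext(ctx, "INSERT INTO pgbouncer.pgbouncer_users (usename, passwd) VALUES ($1, $2)", username, scramHash)`. The existence check at the top of the same method builds its SELECT the same way and should take `$1` too. The method's body continues past this section, and generateSCRAMSHA256Hash is defined outside it, so whether the string it returns is the verifier form the pgbouncer auth_query expects cannot be confirmed here. A doc comment on the renamed method would also help, e.g. `// ensureInstallationUserAddedToUsersTableWithHash inserts username into pgbouncer.pgbouncer_users with scramHash as its passwd, unless a row for username already exists.`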
