From 10b327fafe5f9d5c5be8203771a6303db929be91 Mon Sep 17 00:00:00 2001
From: Tsiry Sandratraina
Date: Fri, 30 Aug 2024 20:04:09 +0200
Subject: [PATCH] fix(postgres): don't connect with root user
---
 Cargo.lock | 2 +-
 postgres/src/lib.rs | 28 +++++++++++++++++++++-------
 2 files changed, 22 insertions(+), 8 deletions(-)
diff --git a/Cargo.lock b/Cargo.lock
index 97b8e1e..b3eb2a1 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -574,7 +574,7 @@ dependencies = [
 [[package]]
 name = "postgres"
-version = "0.1.6"
+version = "0.1.7"
 dependencies = [
 "anyhow",
 "extism-pdk",
diff --git a/postgres/src/lib.rs b/postgres/src/lib.rs
index 6710141..1de6c9a 100644
--- a/postgres/src/lib.rs
+++ b/postgres/src/lib.rs
@@ -11,6 +11,15 @@ pub fn start(_args: String) -> FnResult {
 let pg_user = dag().get_env("POSTGRES_USER")?;
 let pg_password = dag().get_env("POSTGRES_PASSWORD")?;
 let pg_database = dag().get_env("POSTGRES_DB")?;
+ let is_root = dag()
+ .pkgx()?
+ .with_exec(vec!["whoami"])?
+ .stdout()?
+ .contains("root");
+ let user = match is_root {
+ true => "fluentci",
+ false => "`whoami`",
+ };
 if pg_user.is_empty() {
 dag().set_envs(vec![("POSTGRES_USER".into(), "postgres".into())])?;
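Review bot: `.contains("root")` on the `whoami` output is a substring test, so any account whose name merely contains "root" (e.g. `groot`, `rootless`) is treated as root and routed to the `fluentci` role; compare the trimmed name instead: `.stdout()?.trim() == "root"`. The `fluentci` fallback is hard-coded and nothing in this hunk shows that role being created or the cluster being initialised under it, and the `whoami` probe runs in its own `dag().pkgx()` session, which may not be the environment the later psql chain executes in — so a short comment above `let user` stating the assumption would help, e.g. `// NOTE: when running as root there is no matching Postgres role; fall back to the role the cluster was initialised with (fluentci) — confirm this matches the init step`. `start` begins at the hunk header and continues past this hunk.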
@@ -38,19 +47,24 @@ pub fn start(_args: String) -> FnResult {
 ])?
 .wait_on(port.parse()?, None)?
 .with_exec(vec![
- "psql --host=localhost -d postgres -U `whoami` -c \"CREATE DATABASE $POSTGRES_DB;\" || true",
+ &format!("psql --host=localhost -d postgres -U {} -c \"CREATE DATABASE $POSTGRES_DB;\" || true", user),
 ])?
 .with_exec(vec![
 &format!(
- "psql --host=localhost -d postgres -U `whoami` -c \"CREATE USER $POSTGRES_USER {} CREATEDB CREATEROLE;\" || true",
+ "psql --host=localhost -d postgres -U {} -c \"CREATE USER $POSTGRES_USER {} CREATEDB CREATEROLE;\" || true",
+ user,
 with_password
 )
 ])?
- .with_exec(vec!["psql --host=localhost -d $POSTGRES_DB -U `whoami` -c \"GRANT ALL PRIVILEGES ON DATABASE $POSTGRES_DB TO $POSTGRES_USER;\""])?
- .with_exec(vec!["psql --host=localhost -d $POSTGRES_DB -U `whoami` -c \"GRANT ALL ON SCHEMA public TO $POSTGRES_USER;\""])?
- .with_exec(vec!["psql --host=localhost -d $POSTGRES_DB -U `whoami` -c \"GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO $POSTGRES_USER;\""])?
- .with_exec(vec!["psql --host=localhost -d $POSTGRES_DB -U `whoami` -c \"ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT ALL ON TABLES TO $POSTGRES_USER;\""])?
- .with_exec(vec!["psql --host=localhost -d $POSTGRES_DB -U `whoami` -c \"ALTER DATABASE $POSTGRES_DB OWNER TO $POSTGRES_USER;\""])?
+ .with_exec(vec![
+ &format!("psql --host=localhost -d $POSTGRES_DB -U {} -c \"GRANT ALL PRIVILEGES ON DATABASE $POSTGRES_DB TO $POSTGRES_USER;\"", user)])?
+ .with_exec(
+ vec![
+ &format!("psql --host=localhost -d $POSTGRES_DB -U {} -c \"GRANT ALL ON SCHEMA public TO $POSTGRES_USER;\"", user)])?
+ .with_exec(vec![
+ &format!("psql --host=localhost -d $POSTGRES_DB -U {} -c \"GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO $POSTGRES_USER;\"", user)])?
+ .with_exec(vec![&format!("psql --host=localhost -d $POSTGRES_DB -U {} -c \"ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT ALL ON TABLES TO $POSTGRES_USER;\"", user)])?
+ .with_exec(vec![&format!("psql --host=localhost -d $POSTGRES_DB -U {} -c \"ALTER DATABASE $POSTGRES_DB OWNER TO $POSTGRES_USER;\"", user)])?
 .with_exec(vec!["overmind", "status"])?
 .stdout()?;
 Ok(stdout)
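Review bot: The role and database names still reach SQL unquoted in every rewritten `psql -c` command — the shell expands `$POSTGRES_DB` / `$POSTGRES_USER` straight into `CREATE DATABASE $POSTGRES_DB;`, `GRANT ... TO $POSTGRES_USER;` and the rest, so a value containing a space, quote or semicolon breaks the statement or executes extra SQL, and a mixed-case name silently folds to lowercase. Both values are already read into Rust (`pg_database`, `pg_user` in the earlier hunk), so validate them after the defaulting block (reject anything outside `[A-Za-z0-9_]+`) and quote them as identifiers in the commands, e.g. `\"CREATE DATABASE \\\"$POSTGRES_DB\\\";\"`. Separately, a wrong `user` (the new `-U {}`) is not noticed where it first fails: both `CREATE` commands end in `|| true`, so an authentication error there is swallowed and only surfaces as a less obvious GRANT failure several steps later — consider dropping `|| true` from the `CREATE USER` line or probing the connection once with `psql --host=localhost -d postgres -U {} -c \"SELECT 1;\"` before the chain. `with_password` is defined outside the hunk, and `start` begins before and ends after it.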