Add groups #559

Merged
merged 19 commits into from
May 14, 2024
Empty file added .clion.source.upload.marker
Empty file.
1 change: 0 additions & 1 deletion config-examples/odyssey-dev-with-watchdog.conf
Original file line number Diff line number Diff line change
Expand Up @@ -45,7 +45,6 @@ listen {
compression yes
}


storage "postgres_server" {
type "remote"
host "localhost"
Expand Down
2 changes: 1 addition & 1 deletion config-examples/odyssey-dev.conf
Original file line number Diff line number Diff line change
Expand Up @@ -111,4 +111,4 @@ locks_dir "/tmp/odyssey"

graceful_die_on_errors yes
enable_online_restart no
bindwith_reuseport yes
bindwith_reuseport yes
1 change: 1 addition & 0 deletions docker/Dockerfile
Original file line number Diff line number Diff line change
Expand Up @@ -74,6 +74,7 @@ COPY ./docker/ldap /ldap
COPY ./docker/lagpolling /lagpolling
COPY ./docker/shell-test /shell-test
COPY ./docker/tsa /tsa
COPY ./docker/group /group

COPY ./docker/entrypoint.sh /usr/local/bin/entrypoint.sh

Expand Down
10 changes: 9 additions & 1 deletion docker/bin/setup
Original file line number Diff line number Diff line change
Expand Up @@ -49,7 +49,7 @@ sudo -u postgres /usr/bin/pg_basebackup -D /var/lib/postgresql/14/repl -R -h loc
sudo -u postgres /usr/lib/postgresql/14/bin/pg_ctl -D /var/lib/postgresql/14/repl/ -o '-p 5433' start

# Create databases
for database_name in db scram_db ldap_db auth_query_db db1 hba_db tsa_db; do
for database_name in db scram_db ldap_db auth_query_db db1 hba_db tsa_db group_db; do
sudo -u postgres createdb $database_name >> "$SETUP_LOG" 2>&1 || {
echo "ERROR: 'createdb $database_name' failed, examine the log"
cat "$SETUP_LOG"
Expand All @@ -63,6 +63,14 @@ mkdir /var/cores
sudo sysctl -w kernel.core_pattern=/var/cores/core.%p.%e
pgbench -i -h localhost -p 5432 -U postgres postgres

# Create users
psql -h localhost -p 5432 -U postgres -c "create role group1; create role group2; create user group_checker; create user group_user1; create user group_user2; create user group_user3; create user group_user4; create user group_user5; create user group_checker1; create user group_checker2;" -d group_db >> $SETUP_LOG 2>&1 || {
echo "ERROR: users creation failed, examine the log"
cat "$SETUP_LOG"
cat "$PG_LOG"
exit 1
}

# Create users
psql -h localhost -p 5432 -U postgres -c "set password_encryption = 'scram-sha-256'; create user scram_user password 'scram_user_password';" -d scram_db >> $SETUP_LOG 2>&1 || {
echo "ERROR: users creation failed, examine the log"
Expand Down
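Review bot: The new psql line in the second hunk redirects with an unquoted `>> $SETUP_LOG`, while the createdb line in the first hunk quotes the same variable (`"$SETUP_LOG"`); the new line copies the unquoted form from the scram block that follows it. The new block also reuses the comment `# Create users` and the message `ERROR: users creation failed, examine the log` verbatim from that scram block, so a failure in the setup log cannot be attributed to the group fixtures. I would change the three lines to `# Create group test roles and users`, `... -d group_db >> "$SETUP_LOG" 2>&1 || {` and `echo "ERROR: group roles/users creation failed, examine the log"`. The surrounding script continues outside both hunks.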
7 changes: 7 additions & 0 deletions docker/entrypoint.sh
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,13 @@ cd /test_dir/test && /usr/bin/odyssey_test

setup

# group
/group/test_group.sh
if [ $? -eq 1 ]
then
exit 1
fi

# odyssey target session attrs test
/tsa/tsa.sh
if [ $? -eq 1 ]
Expand Down
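Review bot: The added guard `if [ $? -eq 1 ]` only treats an exit status of exactly 1 as a failure, but test_group.sh runs under `set -ex`, so any command that fails with a different status (psql exits with 2 when it cannot connect) would let the entrypoint carry on as if the group test had passed. A status-agnostic check, `/group/test_group.sh || exit 1`, keeps the intent and drops the `$?` inspection. The tsa block below uses the same idiom, so if this is kept for consistency it is worth fixing both in one change. The enclosing script continues past the hunk.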
122 changes: 122 additions & 0 deletions docker/group/config.conf
Original file line number Diff line number Diff line change
@@ -0,0 +1,122 @@
listen {
host "*"
port 6432
}

storage "postgres_server" {
type "remote"

host "localhost"
port 5432
}

database "group_db" {
user "group_user1" {
authentication "none"
storage "postgres_server"
pool "session"
}

group "group1" {
authentication "md5"
password "password1"

storage "postgres_server"
storage_db "postgres"
storage_user "postgres"

pool_routing "internal"
pool "session"
group_query "select pg_has_role('%s', 'group1', 'MEMBER')"
I think %s is an injection

@mialinx mialinx Mar 12, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we need to specify group_query at all?
We could just set it as the default during configuration, using the group name for the current route.
Are there any alternatives to this one ^^

}

user "group_user2" {
authentication "none"
storage "postgres_server"
pool "session"
}

user "group_user3" {
authentication "none"
storage "postgres_server"
pool "session"
}

group "group2" {
authentication "md5"
password "password2"

storage "postgres_server"
storage_db "postgres"
storage_user "postgres"

pool_routing "internal"
pool "session"
group_query "select pg_has_role('%s', 'group2', 'MEMBER')"
}

user "group_user4" {
authentication "none"
storage "postgres_server"
pool "session"
}

user "group_user5" {
authentication "none"
storage "postgres_server"
pool "session"
}
}

database default {
user default {
authentication "none"

storage "postgres_server"
pool "session"
pool_size 0

pool_timeout 0

pool_ttl 1201

pool_discard no

pool_cancel yes

pool_rollback yes
# seconds
pool_client_idle_timeout 20
# seconds
pool_idle_in_transaction_timeout 20

client_fwd_error yes
application_name_add_host yes
server_lifetime 1901
log_debug no

quantiles "0.99,0.95,0.5"
client_max 107
}
}

unix_socket_dir "/tmp"
unix_socket_mode "0644"

log_file "/var/log/odyssey.log"
log_format "%p %t %l [%i %s] (%c) %m\n"
log_debug no
log_config yes
log_session no
log_query no
log_stats yes
daemonize yes

locks_dir "/tmp/odyssey"
graceful_die_on_errors yes
enable_online_restart yes
bindwith_reuseport yes

stats_interval 60

pid_file "/var/run/odyssey.pid"
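Review bot: Both group blocks (`group "group1"` and `group "group2"`) set `storage_user "postgres"` and `storage_db "postgres"` for the internal route, so the membership lookup appears to run as the cluster superuser; pg_has_role needs no superuser rights, and a dedicated low-privilege role would keep this shipped example from showing a superuser credential being routed through the proxy. The catch-all `database default { user default { authentication "none"` route is what lets the test's GRANT statements reach the backend as `postgres` over port 6432 with no authentication, which is fine for a container fixture but should be labelled so it is not copied: `# test-only: unauthenticated catch-all route, do not use in production`. A one-line header comment stating the scenario the file exercises (explicit user blocks alongside md5-authenticated group blocks on group_db) would also help readers of the test.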
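--- a/docker/group/test_group.sh
+++ b/docker/group/test_group.sh
@@ -0,0 +1,76 @@
+#!/bin/bash -x
+
+set -ex
+
+/usr/bin/odyssey /group/config.conf
+
+users=("group_user1" "group_user2" "group_user3" "group_user4" "group_user5")
+for user in "${users[@]}"; do
+psql -h localhost -p 6432 -U "$user" -c "SELECT 1" group_db >/dev/null 2>&1 || {
+echo "ERROR: failed backend auth with correct user auth"
+
+cat /var/log/odyssey.log
+echo "
+
+"
+cat /var/log/postgresql/postgresql-14-main.log
+
+exit 1
+}
+done
+
+psql -h localhost -p 6432 -U postgres -c "GRANT group1 TO group_user1;" group_db
+sleep 1
+psql -h localhost -p 6432 -U group_user1 -c "SELECT 1" group_db >/dev/null 2>&1 || {
+echo "ERROR: group auth apply for over user at config"
+
+cat /var/log/odyssey.log
+echo "
+
+"
+cat /var/log/postgresql/postgresql-14-main.log
+
+exit 1
+}
+
+psql -h localhost -p 6432 -U postgres -c "GRANT group1 TO group_user2;" group_db
+sleep 1
+psql -h localhost -p 6432 -U group_user2 -c "SELECT 1" group_db >/dev/null 2>&1 && {
+echo "ERROR: group auth not apply"
+
+cat /var/log/odyssey.log
+echo "
+
+"
+cat /var/log/postgresql/postgresql-14-main.log
+
+exit 1
+}
+
+psql -h localhost -p 6432 -U postgres -c "GRANT group1 TO group_user4;" group_db
+psql -h localhost -p 6432 -U postgres -c "GRANT group2 TO group_user4;" group_db
+sleep 1
+PGPASSWORD=password1 psql -h localhost -p 6432 -U group_user4 -c "SELECT 1" group_db >/dev/null 2>&1 && {
+echo "ERROR: group auth not accepted down group"
+
+cat /var/log/odyssey.log
+echo "
+
+"
+cat /var/log/postgresql/postgresql-14-main.log
+
+exit 1
+}
+PGPASSWORD=password2 psql -h localhost -p 6432 -U group_user4 -c "SELECT 1" group_db >/dev/null 2>&1 || {
+echo "ERROR: group auth not apply"
+
+cat /var/log/odyssey.log
+echo "
+
+"
+cat /var/log/postgresql/postgresql-14-main.log
+
+exit 1
+}
+
+ody-stop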
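Review bot: Two of the five assertions print the identical message `ERROR: group auth not apply` (the group_user2 rejection check and the group_user4 password2 check), and the group_user1 check prints the ungrammatical `ERROR: group auth apply for over user at config`, so a red run cannot be traced to a step from the log alone. The five failure blocks are also the same nine lines repeated (echo, cat odyssey.log, blank echo, cat postgresql log, exit 1), which is where the copy-paste messages come from. I would hoist them into a `fail` helper that takes a message naming the step, and give each call a distinct message such as `fail "group_user1 (explicit user block) rejected after GRANT group1"` and `fail "group_user4 rejected with password2 after GRANT group2"`. The fixed `sleep 1` after each GRANT suggests the membership is re-evaluated asynchronously, which I cannot confirm from here; a short comment stating what the sleep waits for would save the next reader a guess.

```shell
# Dump proxy and backend logs for triage, then fail the test with a step-specific message.
fail() {
  echo "ERROR: $1" >&2
  cat /var/log/odyssey.log
  echo
  cat /var/log/postgresql/postgresql-14-main.log
  exit 1
}

# … unchanged: odyssey start and the users loop, with its block replaced by
#   || fail "backend auth failed for $user with correct user auth" …

psql -h localhost -p 6432 -U group_user1 -c "SELECT 1" group_db >/dev/null 2>&1 \
  || fail "group_user1 (explicit user block) rejected after GRANT group1"

# … unchanged: remaining GRANT / sleep steps, each check ending in a distinct fail "..." …
```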
3 changes: 2 additions & 1 deletion sources/CMakeLists.txt
Original file line number Diff line number Diff line change
Expand Up @@ -49,7 +49,8 @@ set(od_src
hashmap.c
hba.c
hba_reader.c
hba_rule.c)
hba_rule.c
group.c)

if (PAM_FOUND)
list(APPEND od_src pam.c)
Expand Down