Merge pull request #757 from bdunne/scramsha
Add a migration to encrypt database password using scram-sha-256

(cherry picked from commit 3762bf5)
Fryguy committed Oct 24, 2024
1 parent c16b8eb commit 37e87fa
Showing 2 changed files with 35 additions and 0 deletions.
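--- a/db/migrate/20241017013023_reencrypt_password_scramsha.rb
+++ b/db/migrate/20241017013023_reencrypt_password_scramsha.rb
@@ -0,0 +1,13 @@
+class ReencryptPasswordScramsha < ActiveRecord::Migration[6.1]
+def up
+say_with_time('Reencrypting database user password with scram-sha-256') do
+db_config = ActiveRecord::Base.connection_db_config.configuration_hash
+username = db_config[:username]
+password = connection.raw_connection.encrypt_password(db_config[:password], username, "scram-sha-256")
+
+connection.execute <<-SQL
+ALTER ROLE #{username} WITH PASSWORD '#{password}';
+SQL
+end
+end
+end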
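Review bot: The `ALTER ROLE` statement interpolates `username` as a bare identifier and wraps `password` in hand-written quotes, so a role name that needs quoting (mixed case, a hyphen, a reserved word) will make the migration fail or, after case folding, possibly address a different role. Utility statements cannot take bind parameters, so quote both values through the adapter instead: `ALTER ROLE #{connection.quote_column_name(username)} WITH PASSWORD #{connection.quote(password)};`. `db_config[:password]` can also be nil when the connection authenticates without a configured password (peer or trust auth, or a password supplied outside the database config), and `encrypt_password` would presumably raise in that case; a guard that skips the re-encryption with a `say` message would make that path explicit. Separately, `connection.execute` hands the full statement to the ActiveRecord SQL logger, so the SCRAM verifier may be written to debug-level logs; it is not the plaintext, but it is still worth keeping out of log files.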
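--- a/spec/migrations/20241017013023_reencrypt_password_scramsha_spec.rb
+++ b/spec/migrations/20241017013023_reencrypt_password_scramsha_spec.rb
@@ -0,0 +1,22 @@
+require_migration
+
+# This is mostly necessary for data migrations, so feel free to delete this
+# file if you do no need it.
+describe ReencryptPasswordScramsha do
+migration_context :up do
+it "Ensures that the user password is stored as scram-sha-256" do
+migrate
+
+username = ActiveRecord::Base.connection_db_config.configuration_hash[:username]
+
+users_and_passwords = ActiveRecord::Base.connection.execute <<-SQL
+SELECT rolname, rolpassword FROM pg_authid WHERE rolcanlogin;
+SQL
+
+record = users_and_passwords.to_a.detect { |i| i["rolname"] == username }
+
+expect(record["rolname"]).to eq(username)
+expect(record["rolpassword"]).to match(/^SCRAM-SHA-256.*/)
+end
+end
+end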
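Review bot: The final expectation `match(/^SCRAM-SHA-256.*/)` is looser than it reads: in Ruby `^` anchors at the start of any line and the trailing `.*` adds nothing, so any value containing a line that begins with `SCRAM-SHA-256` passes. Anchor the whole string and check the start of the verifier layout, e.g. `expect(record["rolpassword"]).to match(/\ASCRAM-SHA-256\$\d+:/)`. `detect` returns nil when the role is missing from the result, which surfaces as a NoMethodError on `record["rolname"]`; an `expect(record).not_to be_nil` before it gives a clearer failure. The spec also never puts the role into a non-SCRAM state before `migrate`, so it appears to pass without the migration doing anything when the test database already stores SCRAM verifiers. The leftover template comment above `describe` can be dropped.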
