Merge pull request #795 from ArmMbedCloud/hide-passwords-from-logs
keeper: hide root & replication users password from postgres logs
sgotti authored Sep 9, 2021
2 parents dc942da + 5658c3c commit d743ed5
Showing 1 changed file with 51 additions and 6 deletions.
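--- a/internal/postgresql/utils.go
+++ b/internal/postgresql/utils.go
@@ -68,8 +68,23 @@ func setPassword(ctx context.Context, connParams ConnParams, username, password
 }
 defer db.Close()
 
-_, err = dbExec(ctx, db, fmt.Sprintf(`alter role "%s" with password '%s';`, username, password))
-return err
+tx, err := db.Begin()
+if err != nil {
+return err
+}
+
+query := fmt.Sprintf("set local log_statement = %s", pq.QuoteLiteral("none"))
+if _, err = tx.ExecContext(ctx, query); err != nil {
+_ = tx.Rollback()
+return err
+}
+
+query = fmt.Sprintf("alter role %s with encrypted password %s", pq.QuoteIdentifier(username), pq.QuoteLiteral(password))
+if _, err = tx.ExecContext(ctx, query); err != nil {
+_ = tx.Rollback()
+return err
+}
+return tx.Commit()
 }
 
 func createRole(ctx context.Context, connParams ConnParams, roles []string, username, password string) error {
@@ -79,8 +94,23 @@ func createRole(ctx context.Context, connParams ConnParams, roles []string, user
 }
 defer db.Close()
 
-_, err = dbExec(ctx, db, fmt.Sprintf(`create role "%s" with login replication encrypted password '%s';`, username, password))
-return err
+tx, err := db.Begin()
+if err != nil {
+return err
+}
+
+query := fmt.Sprintf("set local log_statement = %s", pq.QuoteLiteral("none"))
+if _, err = tx.ExecContext(ctx, query); err != nil {
+_ = tx.Rollback()
+return err
+}
+
+query = fmt.Sprintf("create role %s with login replication encrypted password %s", pq.QuoteIdentifier(username), pq.QuoteLiteral(password))
+if _, err = tx.ExecContext(ctx, query); err != nil {
+_ = tx.Rollback()
+return err
+}
+return tx.Commit()
 }
 
 func createPasswordlessRole(ctx context.Context, connParams ConnParams, roles []string, username string) error {
@@ -101,8 +131,23 @@ func alterRole(ctx context.Context, connParams ConnParams, roles []string, usern
 }
 defer db.Close()
 
-_, err = dbExec(ctx, db, fmt.Sprintf(`alter role "%s" with login replication encrypted password '%s';`, username, password))
-return err
+tx, err := db.Begin()
+if err != nil {
+return err
+}
+
+query := fmt.Sprintf("set local log_statement = %s", pq.QuoteLiteral("none"))
+if _, err = tx.ExecContext(ctx, query); err != nil {
+_ = tx.Rollback()
+return err
+}
+
+query = fmt.Sprintf("alter role %s with login replication encrypted password %s", pq.QuoteIdentifier(username), pq.QuoteLiteral(password))
+if _, err = tx.ExecContext(ctx, query); err != nil {
+_ = tx.Rollback()
+return err
+}
+return tx.Commit()
 }
 
 func alterPasswordlessRole(ctx context.Context, connParams ConnParams, roles []string, username string) error {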
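Review bot: The password can still reach the PostgreSQL log from `setPassword` (and in the same way from `createRole` and `alterRole`), because `set local log_statement` only turns off routine statement logging: a statement that fails is logged under `log_min_error_statement` (default `error`), and a slow one under `log_min_duration_statement` when that is enabled. Setting `log_min_error_statement = 'panic'` and `log_min_duration_statement = -1` in the same transaction closes both paths; like `log_statement`, these need a superuser (or explicitly granted) session, which this connection presumably is. `db.Begin()` also ignores `ctx`, so `db.BeginTx(ctx, nil)` would honour cancellation (assuming `db` is a `*sql.DB`), and a deferred rollback would replace the repeated `_ = tx.Rollback()` branches. Statement text captured by logging or auditing extensions is outside what these settings control and should be checked separately. All three function bodies begin outside their hunks, so the sketch below shows only the rewritten transaction part of `setPassword`.

```go
tx, err := db.BeginTx(ctx, nil)
if err != nil {
	return err
}
// After a successful Commit this Rollback returns sql.ErrTxDone and changes nothing.
defer func() { _ = tx.Rollback() }()

// log_statement alone does not cover statements logged on error or for
// exceeding the duration threshold, so silence those paths as well.
for _, q := range []string{
	"set local log_statement = 'none'",
	"set local log_min_error_statement = 'panic'",
	"set local log_min_duration_statement = -1",
} {
	if _, err = tx.ExecContext(ctx, q); err != nil {
		return err
	}
}

// … unchanged: build the alter role query with pq.QuoteIdentifier / pq.QuoteLiteral …
if _, err = tx.ExecContext(ctx, query); err != nil {
	return err
}
return tx.Commit()
```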
