fix: check for active RLS on db application user #775

Merged
merged 2 commits into from
Nov 6, 2023
Merged
Expand Up @@ -3,7 +3,9 @@ package io.iohk.atala.connect.sql.repository
import doobie.*
import doobie.implicits.*
import doobie.util.transactor.Transactor
import io.iohk.atala.shared.db.ContextAwareTask
import io.iohk.atala.shared.db.DbConfig
import io.iohk.atala.shared.db.Implicits.*
import org.flywaydb.core.Flyway
import zio.*
import zio.interop.catz.*
Expand Down Expand Up @@ -35,6 +37,23 @@ object Migrations {
val layer: URLayer[DbConfig, Migrations] =
ZLayer.fromFunction(Migrations.apply _)

/** Fail if the RLS is not enabled from a sample table */
def validateRLS: RIO[Transactor[ContextAwareTask], Unit] = {
val cxnIO = sql"""
| SELECT row_security_active('public.connection_records');
""".stripMargin
.query[Boolean]
.unique

for {
xa <- ZIO.service[Transactor[ContextAwareTask]]
isRlsActive <- cxnIO.transactWithoutContext(xa)
_ <- ZIO
.fail(Exception("The RLS policy is not active for Connect DB application user"))
.unless(isRlsActive)
} yield ()
}

def initDbPrivileges(appUser: String): RIO[Transactor[Task], Unit] = {
val cxnIO = for {
_ <- doobie.free.connection.createStatement.map { stm =>
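Review bot: The Scaladoc on `validateRLS` undersells both what the check proves and what it misses: `row_security_active` returns false when RLS is not enabled on the sampled table and also when the connected role bypasses it (table owner, superuser, or BYPASSRLS), and it says nothing about the schema's other tables. Suggest replacing the one-liner with a docstring along the lines of `/** Fails unless row-level security is active on public.connection_records for the connected DB user; a false result means the application user can read every tenant's rows. Only this one table is sampled, so tables added by later migrations are not covered. */`. The same body is repeated in the Pollux and Agent `Migrations` objects below, differing only in the table name and the message text, so a shared helper in `io.iohk.atala.shared.db` taking the table and a label would keep the three checks in step; including the table name in the failure message (or using a dedicated error type instead of a bare `Exception`) would also make the startup failure easier to act on. `object Migrations` starts before and ends after this hunk.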
Expand Up @@ -6,7 +6,7 @@ import io.iohk.atala.mercury.model.DidId
import io.iohk.atala.mercury.protocol.issuecredential.{IssueCredential, OfferCredential, RequestCredential}
import io.iohk.atala.pollux.core.model.error.CredentialServiceError
import io.iohk.atala.pollux.core.model.{DidCommID, IssueCredentialRecord}
import io.iohk.atala.pollux.vc.jwt.{Issuer, W3cCredentialPayload}
import io.iohk.atala.pollux.vc.jwt.W3cCredentialPayload
import io.iohk.atala.prism.crypto.MerkleInclusionProof
import io.iohk.atala.shared.models.WalletAccessContext
import zio.mock.{Mock, Proxy}
Expand Up @@ -3,7 +3,9 @@ package io.iohk.atala.pollux.sql.repository
import doobie.*
import doobie.implicits.*
import doobie.util.transactor.Transactor
import io.iohk.atala.shared.db.ContextAwareTask
import io.iohk.atala.shared.db.DbConfig
import io.iohk.atala.shared.db.Implicits.*
import org.flywaydb.core.Flyway
import zio.*
import zio.interop.catz.*
Expand Down Expand Up @@ -36,6 +38,23 @@ object Migrations {
val layer: URLayer[DbConfig, Migrations] =
ZLayer.fromFunction(Migrations.apply _)

/** Fail if the RLS is not enabled from a sample table */
def validateRLS: RIO[Transactor[ContextAwareTask], Unit] = {
val cxnIO = sql"""
| SELECT row_security_active('public.credential_schema');
""".stripMargin
.query[Boolean]
.unique

for {
xa <- ZIO.service[Transactor[ContextAwareTask]]
isRlsActive <- cxnIO.transactWithoutContext(xa)
_ <- ZIO
.fail(Exception("The RLS policy is not active for Pollux DB application user"))
.unless(isRlsActive)
} yield ()
}

def initDbPrivileges(appUser: String): RIO[Transactor[Task], Unit] = {
val cxnIO = for {
_ <- doobie.free.connection.createStatement.map { stm =>
Expand Up @@ -78,6 +78,10 @@ object MainApp extends ZIOAppDefault {
_ <- ZIO.serviceWithZIO[PolluxMigrations](_.migrate)
_ <- ZIO.serviceWithZIO[ConnectMigrations](_.migrate)
_ <- ZIO.serviceWithZIO[AgentMigrations](_.migrate)
_ <- ZIO.logInfo("Running post-migration RLS checks for DB application users")
_ <- PolluxMigrations.validateRLS.provide(RepoModule.polluxContextAwareTransactorLayer)
_ <- ConnectMigrations.validateRLS.provide(RepoModule.connectContextAwareTransactorLayer)
_ <- AgentMigrations.validateRLS.provide(RepoModule.agentContextAwareTransactorLayer)
} yield ()

override def run: ZIO[Any, Throwable, Unit] = {
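Review bot: The three `validateRLS` calls added here run sequentially and fail fast, so when more than one database is misconfigured an operator only learns about the first failure per restart. Each call provides its own transactor layer, so the checks are independent and could be run through `ZIO.validate` (or have their failures collected) and fail once with every message; a closing `ZIO.logInfo("RLS checks passed")` would also give operators a positive signal to look for after the "Running post-migration RLS checks" line. The enclosing for-comprehension starts and ends outside the hunk.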
Expand Up @@ -23,7 +23,6 @@ import io.iohk.atala.agent.walletapi.vault.{
VaultWalletSecretStorage
}
import io.iohk.atala.castor.core.service.DIDService
import io.iohk.atala.iam.authentication.DefaultAuthenticator
import io.iohk.atala.iam.authentication.admin.AdminApiKeyAuthenticator
import io.iohk.atala.iam.authentication.admin.AdminApiKeyAuthenticatorImpl
import io.iohk.atala.iam.authentication.admin.AdminConfig
@@ -1,6 +1,5 @@
package io.iohk.atala.agent.server.http

import io.iohk.atala.iam.authentication.oidc.JwtSecurityLogic
import sttp.apispec.SecurityScheme
import sttp.apispec.openapi.{OpenAPI, Server}
import sttp.model.headers.AuthenticationScheme
Expand Up @@ -3,7 +3,9 @@ package io.iohk.atala.agent.server.sql
import doobie.*
import doobie.implicits.*
import doobie.util.transactor.Transactor
import io.iohk.atala.shared.db.ContextAwareTask
import io.iohk.atala.shared.db.DbConfig
import io.iohk.atala.shared.db.Implicits.*
import org.flywaydb.core.Flyway
import zio.*
import zio.interop.catz.*
Expand Down Expand Up @@ -35,6 +37,23 @@ object Migrations {
val layer: URLayer[DbConfig, Migrations] =
ZLayer.fromFunction(Migrations.apply _)

/** Fail if the RLS is not enabled from a sample table */
def validateRLS: RIO[Transactor[ContextAwareTask], Unit] = {
val cxnIO = sql"""
| SELECT row_security_active('public.peer_did');
""".stripMargin
.query[Boolean]
.unique

for {
xa <- ZIO.service[Transactor[ContextAwareTask]]
isRlsActive <- cxnIO.transactWithoutContext(xa)
_ <- ZIO
.fail(Exception("The RLS policy is not active for Agent DB application user"))
.unless(isRlsActive)
} yield ()
}

def initDbPrivileges(appUser: String): RIO[Transactor[Task], Unit] = {
val cxnIO = for {
_ <- doobie.free.connection.createStatement.map { stm =>