From patchwork Sun Apr 27 15:12:54 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Giacomo Leidi X-Patchwork-Id: 42084 Return-Path: X-Original-To: patchwork@mira.cbaines.net Delivered-To: patchwork@mira.cbaines.net Received: by mira.cbaines.net (Postfix, from userid 113) id 9D71227BC4B; Sun, 27 Apr 2025 16:14:22 +0100 (BST) X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on mira.cbaines.net X-Spam-Level: X-Spam-Status: No, score=-6.4 required=5.0 tests=BAYES_00,DKIM_INVALID, DKIM_SIGNED,MAILING_LIST_MULTI,RCVD_IN_DNSWL_BLOCKED, RCVD_IN_VALIDITY_CERTIFIED,RCVD_IN_VALIDITY_RPBL,RCVD_IN_VALIDITY_SAFE, SPF_HELO_PASS,URIBL_BLOCKED autolearn=ham autolearn_force=no version=3.4.6 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mira.cbaines.net (Postfix) with ESMTPS id 84EEE27BC49 for ; Sun, 27 Apr 2025 16:14:21 +0100 (BST) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1u93hk-00023F-BT; Sun, 27 Apr 2025 11:14:04 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1u93hi-00022e-VR for guix-patches@gnu.org; Sun, 27 Apr 2025 11:14:03 -0400 Received: from debbugs.gnu.org ([2001:470:142:5::43]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1u93hi-0003mN-Lo; Sun, 27 Apr 2025 11:14:02 -0400 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=debbugs.gnu.org; s=debbugs-gnu-org; h=MIME-Version:Date:From:To:In-Reply-To:References:Subject; bh=mKDxSHxmZGJCZWsYRzzNhb7XqhXNi8pYhhhVAvJnGqQ=; b=QWDZMr9DN6F9DiLLN1IH4OCgtzk2EHUOEGsf6lIJ8mOOCoL9OqkuPOALQc1IYx0d4E26OYpA967wWFH0nGE1MfrX2Zyk8E3XW7ll2N6AV96xNaw6Ls5M0pDF7sxz6SnuTplcVMQflg25AlQvIKAxNl9Bb39/7CZZRPnZOTYJ9jy7lJDQXUwym8eRxQY4wWBF8j4nfsgNRtXPqgfvuNyRtDxGJmFvmp9i1tp8h22K6DIr27z6RcUZSJXvKQQXvwJfoWt6w6CO+ieFXn7hW4DxaTB5u7yZ73P+UwTnGTAa1wIycNt3GePaspEByH6XtPUdHwcqdE3SukJVoIroTh1x9w==; Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1u93hi-0007K5-Dh; Sun, 27 Apr 2025 11:14:02 -0400 X-Loop: help-debbugs@gnu.org Subject: [bug#73196] [PATCH v7] services: postgresql-role: Add support for password files. References: <98e22806482f6ce257decf5e1d3097fc08925212.1726140263.git.goodoldpaul@autistici.org> In-Reply-To: <98e22806482f6ce257decf5e1d3097fc08925212.1726140263.git.goodoldpaul@autistici.org> Resent-From: Giacomo Leidi Original-Sender: "Debbugs-submit" Resent-CC: ludo@gnu.org, maxim.cournoyer@gmail.com, guix-patches@gnu.org Resent-Date: Sun, 27 Apr 2025 15:14:02 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 73196 X-GNU-PR-Package: guix-patches X-GNU-PR-Keywords: patch To: 73196@debbugs.gnu.org Cc: Giacomo Leidi , Ludovic =?utf-8?q?Court=C3=A8?= =?utf-8?q?s?= , Maxim Cournoyer X-Debbugs-Original-Xcc: Ludovic =?utf-8?q?Court=C3=A8s?= , Maxim Cournoyer Received: via spool by 73196-submit@debbugs.gnu.org id=B73196.174576680028057 (code B ref 73196); Sun, 27 Apr 2025 15:14:02 +0000 Received: (at 73196) by debbugs.gnu.org; 27 Apr 2025 15:13:20 +0000 Received: from localhost ([127.0.0.1]:43566 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1u93h1-0007IS-79 for submit@debbugs.gnu.org; Sun, 27 Apr 2025 11:13:20 -0400 Received: from latitanza.investici.org ([82.94.249.234]:48279) by debbugs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.84_2) (envelope-from ) id 1u93gx-0007IG-U6 for 73196@debbugs.gnu.org; Sun, 27 Apr 2025 11:13:16 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=autistici.org; s=stigmate; t=1745766795; bh=mKDxSHxmZGJCZWsYRzzNhb7XqhXNi8pYhhhVAvJnGqQ=; h=From:To:Cc:Subject:Date:From; b=iLMJa3ZGGk3O3oQixp24rHE5K7Q8dmV/GzXctkVzt93e43d3FG1ZDL+FzcmdeFMvd YPtomOpx3YlOJSQpR6NxxQ/HL+NZRMkX85Fsz45Vtwi55kKD2PNG+MqQenYAAjUvvf 3Rq1FhOhbW69qcQfp3gvIocdhZuxXeTY0emD5kK0= Received: from mx3.investici.org (unknown [127.0.0.1]) by latitanza.investici.org (Postfix) with ESMTP id 4ZlqpM117CzGp40; Sun, 27 Apr 2025 15:13:15 +0000 (UTC) Received: from [82.94.249.234] (mx3.investici.org [82.94.249.234]) (Authenticated sender: goodoldpaul@autistici.org) by localhost (Postfix) with ESMTPSA id 4ZlqpD2jPkzGp2d; Sun, 27 Apr 2025 15:13:07 +0000 (UTC) Date: Sun, 27 Apr 2025 17:12:54 +0200 Message-ID: <3109ae6152f4f40edb8722b82b57040ef7b383e3.1745766774.git.goodoldpaul@autistici.org> X-Mailer: git-send-email 2.49.0 MIME-Version: 1.0 X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list X-BeenThere: guix-patches@gnu.org List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-to: Giacomo Leidi X-ACL-Warn: , Giacomo Leidi via Guix-patches X-Patchwork-Original-From: Giacomo Leidi via Guix-patches via From: Giacomo Leidi Errors-To: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org Sender: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org X-getmail-retrieved-from-mailbox: Patches This commit adds a password-file to the postgresql-role field. It allows users to provision Postgres roles with a set password. * gnu/services/databases.scm (postgresql-role): Add password-file field. (postgresql-role-configuration): Add requirement field. (postgresql-create-roles): Add support for setting passwords from a file without leaking passwords to the command line. (postgresql-role-shepherd-service): Add support for customizable requirements. * gnu/tests/databases.scm: Test it. * doc/guix.texi: Document the new field and fix the extension point example. Change-Id: I3aabaa10b0c5e826c5aa874e5649e25a3508a585 --- doc/guix.texi | 15 ++++++++--- gnu/services/databases.scm | 52 +++++++++++++++++++++++++++++++++----- gnu/tests/databases.scm | 38 +++++++++++++++++++++++++--- 3 files changed, 93 insertions(+), 12 deletions(-) base-commit: 97ea59b846c5267098a019f36c84dcaa55fb123e diff --git a/doc/guix.texi b/doc/guix.texi index 7b418a4089..ca690c8ace 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -27741,9 +27741,10 @@ Database Services @lisp (service-extension postgresql-role-service-type - (const (postgresql-role - (name "alice") - (create-database? #t)))) + (const (list + (postgresql-role + (name "alice") + (create-database? #t))))) @end lisp @end defvar @@ -27766,6 +27767,10 @@ Database Services @item @code{create-database?} (default: @code{#f}) whether to create a database with the same name as the role. +@item @code{password-file} (default: @code{#f}) +A string representing the path of a file that contains the password to be set +for the role. + @item @code{encoding} (default: @code{"UTF8"}) The character set to use for storing text in the database. @@ -27794,6 +27799,10 @@ Database Services @item @code{log} (default: @code{"/var/log/postgresql_roles.log"}) File name of the log file. +@item @code{requirement} (default: @code{'(user-processes postgres)}) (type: list-of-symbols) +Set additional Shepherd services dependencies to the provisioned +Shepherd service. + @item @code{roles} (default: @code{'()}) The initial PostgreSQL roles to create. @end table diff --git a/gnu/services/databases.scm b/gnu/services/databases.scm index edc3198ad5..86d4ecb739 100644 --- a/gnu/services/databases.scm +++ b/gnu/services/databases.scm @@ -9,6 +9,7 @@ ;;; Copyright © 2020, 2022 Marius Bakke ;;; Copyright © 2021 David Larsson ;;; Copyright © 2021 Aljosha Papsch +;;; Copyright © 2025 Giacomo Leidi ;;; ;;; This file is part of GNU Guix. ;;; @@ -32,6 +33,7 @@ (define-module (gnu services databases) #:autoload (gnu system accounts) (default-shell) #:use-module (gnu packages admin) #:use-module (gnu packages base) + #:use-module (gnu packages bash) #:use-module (gnu packages databases) #:use-module (guix build-system trivial) #:use-module (guix build union) @@ -68,14 +70,18 @@ (define-module (gnu services databases) postgresql-service postgresql-service-type + %postgresql-role-shepherd-requirement + postgresql-role postgresql-role? postgresql-role-name + postgresql-role-password-file postgresql-role-permissions postgresql-role-create-database? postgresql-role-configuration postgresql-role-configuration? postgresql-role-configuration-host + postgresql-role-configuration-requirement postgresql-role-configuration-roles postgresql-role-service-type @@ -390,6 +396,8 @@ (define-record-type* postgresql-role make-postgresql-role postgresql-role? (name postgresql-role-name) ;string + (password-file postgresql-role-password-file ;string + (default #f)) (permissions postgresql-role-permissions (default '(createdb login))) ;list (create-database? postgresql-role-create-database? ;boolean @@ -403,11 +411,16 @@ (define-record-type* (template postgresql-role-template ;string (default "template1"))) +(define %postgresql-role-shepherd-requirement + '(user-processes postgres)) + (define-record-type* postgresql-role-configuration make-postgresql-role-configuration postgresql-role-configuration? (host postgresql-role-configuration-host ;string (default "/var/run/postgresql")) + (requirement postgresql-role-configuration-requirement ;list-of-symbols + (default %postgresql-role-shepherd-requirement)) (log postgresql-role-configuration-log ;string (default "/var/log/postgresql_roles.log")) (roles postgresql-role-configuration-roles @@ -425,19 +438,35 @@ (define (postgresql-create-roles config) permissions) " "))) + (define (password-value role) + (string-append "password_" (postgresql-role-name role))) + + (define (role->password-variable role) + (let ((file-name (postgresql-role-password-file role))) + (if (string? file-name) + ;; This way passwords do not leak to the command line. + #~(string-append "-v \"" #$(password-value role) + "=$(" #$coreutils "/bin/cat " #$file-name ")\"") + ""))) + (define (roles->queries roles) (apply mixed-text-file "queries" (append-map (lambda (role) (match-record role (name permissions create-database? encoding collation ctype - template) + template password-file) `("SELECT NOT(EXISTS(SELECT 1 FROM pg_catalog.pg_roles WHERE \ rolname = '" ,name "')) as not_exists;\n" "\\gset\n" "\\if :not_exists\n" "CREATE ROLE \"" ,name "\"" " WITH " ,(format-permissions permissions) +,(if (and (string? password-file) + (not (string-null? password-file))) + (string-append + "\nPASSWORD :'" (password-value role) "'") + "") ";\n" ,@(if create-database? `("CREATE DATABASE \"" ,name "\"" @@ -452,20 +481,30 @@ (define (postgresql-create-roles config) (let ((host (postgresql-role-configuration-host config)) (roles (postgresql-role-configuration-roles config))) - #~(let ((psql #$(file-append postgresql "/bin/psql"))) - (list psql "-a" "-h" #$host "-f" #$(roles->queries roles))))) + (program-file "run-queries" + #~(let ((bash #$(file-append bash-minimal "/bin/bash")) + (psql #$(file-append postgresql "/bin/psql"))) + (define command + (string-append + "set -e; exec " psql " -a -h " #$host " -f " + #$(roles->queries roles) " " + (string-join + (list + #$@(map role->password-variable roles)) + " "))) + (execlp bash bash "-c" command))))) (define (postgresql-role-shepherd-service config) (match-record config - (log) + (log requirement) (list (shepherd-service - (requirement '(user-processes postgres)) + (requirement requirement) (provision '(postgres-roles)) (one-shot? #t) (start #~(lambda args (zero? (spawn-command - #$(postgresql-create-roles config) + (list #$(postgresql-create-roles config)) #:user "postgres" #:group "postgres" ;; XXX: As of Shepherd 1.0.2, #:log-file is not @@ -484,6 +523,7 @@ (define postgresql-role-service-type (match-record config (host roles) (postgresql-role-configuration + (inherit config) (host host) (roles (append roles extended-roles)))))) (default-value (postgresql-role-configuration)) diff --git a/gnu/tests/databases.scm b/gnu/tests/databases.scm index fd5041344b..c5da603565 100644 --- a/gnu/tests/databases.scm +++ b/gnu/tests/databases.scm @@ -142,6 +142,8 @@ (define %role-log-file (define %postgresql-os (simple-operating-system + (extra-special-file "/password" + (plain-file "password" "hello")) (service postgresql-service-type (postgresql-configuration (postgresql postgresql) @@ -158,6 +160,10 @@ (define %postgresql-os (roles (list (postgresql-role (name "root") + (create-database? #t)) + (postgresql-role + (name "alice") + (password-file "/password") (create-database? #t)))))))) (define (run-postgresql-test) @@ -230,14 +236,40 @@ (define (run-postgresql-test) (marionette-eval '(begin (use-modules (gnu services herd) + (srfi srfi-1) (ice-9 popen)) (current-output-port (open-file "/dev/console" "w0")) + (every + (lambda (role) + (let* ((port (open-pipe* + OPEN_READ + #$(file-append postgresql "/bin/psql") + "-tA" "-c" + (string-append + "SELECT 1 FROM pg_database WHERE" + " datname='" role "'"))) + (output (get-string-all port))) + (close-pipe port) + (string-contains output "1"))) + '("root" "alice"))) + marionette)) + + (test-assert "database passwords are set" + (marionette-eval + '(begin + (use-modules (gnu services herd) + (ice-9 match) + (ice-9 popen)) + (current-output-port + (open-file "/dev/console" "w0")) + (setgid (passwd:gid (getpwnam "alice"))) + (setuid (passwd:uid (getpw "alice"))) + (setenv "PGPASSWORD" "hello") (let* ((port (open-pipe* OPEN_READ - #$(file-append postgresql "/bin/psql") - "-tA" "-c" "SELECT 1 FROM pg_database WHERE - datname='root'")) + #$(file-append postgresql "/bin/psql") "-tA" "-c" + "SELECT 1 FROM pg_database WHERE datname='alice'")) (output (get-string-all port))) (close-pipe port) (string-contains output "1")))