From 197e5d2978ed1710d5aedebcf2bc60cc994a1666 Mon Sep 17 00:00:00 2001
From: "Lance R. Vick"
Date: Fri, 23 Dec 2022 21:02:38 -0800
Subject: [PATCH 01/10] initial stab at an user update role and test

---
 Makefile | 49 +++++++++++++++++++--------------------
 schema/sql/api.sql | 11 +++++++++
 test/bats/test.bats | 36 +++++++++++++++++++++++++++-
 docker.mk => test/test.mk | 9 ++++---
 4 files changed, 76 insertions(+), 29 deletions(-)
 rename docker.mk => test/test.mk (92%)

diff --git a/Makefile b/Makefile
index 504a8d6..a53a47d 100644
--- a/Makefile
+++ b/Makefile
@@ -1,7 +1,17 @@
-include docker.mk
+include test/test.mk
 PG_DUMP ?= pg_dump
 PSQL ?= psql
+SCHEMA_FILES := \
+ schema/sql/schema.sql \
+ schema/sql/access.sql \
+ schema/sql/api.sql \
+ schema/sql/metrics.sql \
+ schema/sql/nss.sql \
+ schema/sql/reserved.sql \
+ schema/sql/stats.sql \
+ schema/ext/json-schema/postgres-json-schema--0.1.0.sql \
+ out/json-schemas.sql
 .PHONY: help
 help:
@@ -15,19 +25,9 @@ help:
 @echo ""
 @$(MAKE) -s docker-help
-out/json-schemas.sql: schema/sql/json-schemas.sql
- mkdir -p $(@D)
- ./scripts/build schema < "$<" > "$@"
-
 .PHONY: build
 build: out/json-schemas.sql
-schema/ext/json-schema/%:
- git submodule update --init --recursive $(@D)
-
-test/sql/plpgunit/%:
- git submodule update --init --recursive $(@D)
-
 .PHONY: fetch
 fetch: schema/ext/json-schema/ test/sql/plpgunit/
@@ -35,24 +35,10 @@ fetch: schema/ext/json-schema/ test/sql/plpgunit/
 fetch-latest:
 git submodule foreach 'git checkout master && git pull'
-SCHEMA_FILES := \
- schema/sql/schema.sql \
- schema/sql/access.sql \
- schema/sql/api.sql \
- schema/sql/metrics.sql \
- schema/sql/nss.sql \
- schema/sql/reserved.sql \
- schema/sql/stats.sql \
- schema/ext/json-schema/postgres-json-schema--0.1.0.sql \
- out/json-schemas.sql
-
 .PHONY: install
 install: $(SCHEMA_FILES)
 $(PSQL) -v ON_ERROR_STOP=1 $(foreach file,$(SCHEMA_FILES),-f $(file));
-schema-dump.psql:
- $(PG_DUMP) -s > $@
-
 .PHONY: test
 test: \
 docker-test-build \
@@ -70,3 +56,16 @@ test-shell: \
 .PHONY: clean
 clean:
 rm -rf out
+
+out/json-schemas.sql: schema/sql/json-schemas.sql
+ mkdir -p $(@D)
+ ./scripts/build schema < "$<" > "$@"
+
+out/schema-dump.psql:
+ $(PG_DUMP) -s > $@
+
+schema/ext/json-schema/%:
+ git submodule update --init --recursive $(@D)
+
+test/sql/plpgunit/%:
+ git submodule update --init --recursive $(@D)
diff --git a/schema/sql/api.sql b/schema/sql/api.sql
index 63c4a76..02972cd 100755
--- a/schema/sql/api.sql
+++ b/schema/sql/api.sql
@@ -31,6 +31,17 @@ grant usage on sequence "user_id" to "api-user-create";
 grant "api-user-create" to "api";
 grant "api-anon" to "api-user-create";
+create role "api-user-update";
+comment on role "api-user-update" is
+ $$Intended for use with user self-management systems$$;
+grant usage on sequence "user_id" to "api-user-create";
+grant select,insert,update,delete on table
+ public."hosts",
+ public."passwd",
+ public."ssh_public_key",
+ public."openpgp_public_key"
+to "api-user-update";
+
 create schema v1;
 grant create,usage on schema v1 to api;
 grant usage on schema v1 to "api-anon";
diff --git a/test/bats/test.bats b/test/bats/test.bats
index bfd28e3..63e46b1 100644
--- a/test/bats/test.bats
+++ b/test/bats/test.bats
@@ -3,7 +3,7 @@ load test_helper
 @test "Can connect to userdb PostgreSQL" {
 sleep 1
- run pg_isready -U postgres -h userdb;
+ run pg_isready -U postgres -h userdb-postgres;
 [ "$status" -eq 0 ]
 echo "$output" | grep "accepting connections"
 }
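Review bot: `out/schema-dump.psql:` redirects `$(PG_DUMP) -s > $@` into `out/` but, unlike the `out/json-schemas.sql` rule just above it, never creates that directory, so on a fresh checkout the shell reports `No such file or directory` before pg_dump even runs. Add `mkdir -p $(@D)` as the first recipe line, as the neighbouring rule does. A failed dump also leaves an empty but newer `out/schema-dump.psql` that later runs treat as up to date; a `.DELETE_ON_ERROR:` declaration near the top of the Makefile (outside this hunk) closes that gap for every rule at once.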
@@ -93,3 +93,37 @@ load test_helper
 run curl http://userdb-postgrest:3000/passwd?name=eq.testuser43
 echo "$output" | grep "testuser43"
 }
+
+@test "Can update user with a valid update permissioned token" {
+
+ run curl http://userdb-postgrest:3000/signup \
+ -H "Content-Type: application/json" \
+ -H "Authorization: Bearer $(jwt_token 'api-user-create')" \
+ -X POST \
+ --data-binary @- <<-EOF
+ {
+ "name": "testuser43",
+ "host": "test.hashbang.sh",
+ "shell": "/bin/zsh",
+ "keys": ["$(cat bats/keys/id_ed25519.pub)"]
+ }
+ EOF
+ [ "$status" -eq 0 ]
+
+ run curl http://userdb-postgrest:3000/passwd?name=eq.testuser43
+ echo "$output" | grep "test.hashbang.sh"
+
+ run curl http://userdb-postgrest:3000/passwd?name=eq.testuser43 \
+ -H "Content-Type: application/json" \
+ -H "Authorization: Bearer $(jwt_token 'api')" \
+ -X PATCH \
+ --data-binary @- <<-EOF
+ {
+ "host": "test2.hashbang.sh",
+ }
+ EOF
+ [ "$status" -eq 0 ]
+
+ run curl http://userdb-postgrest:3000/passwd?name=eq.testuser43
+ echo "$output" | grep "test2.hashbang.sh"
+}
diff --git a/docker.mk b/test/test.mk
similarity index 92%
rename from docker.mk
rename to test/test.mk
index f87badb..9c0d8a9 100644
--- a/docker.mk
+++ b/test/test.mk
@@ -1,7 +1,7 @@
 NAMESPACE ?= userdb
 POSTGRES_USER ?= postgres
 POSTGRES_DB ?= postgres
-IMAGE_POSTGRES ?= postgres:latest
+IMAGE_POSTGRES ?= postgres@sha256:3657548977d593c9ab6d70d1ffc43ceb3b5164ae07ac0f542d2ea139664eb6b3
 IMAGE_POSTGREST ?= postgrest/postgrest:v7.0.1@sha256:2a10713acc388f9a64320443e949eb87a0424ab280e68c4ed4a6d0653c001586
 .PHONY: docker-help
@@ -21,7 +21,8 @@ docker-start:
 docker network inspect $(NAMESPACE) \
 || docker network create $(NAMESPACE)
 # Start database
- docker run \
+ docker inspect -f '{{.State.Running}}' $(NAMESPACE)-postgres 2>/dev/null \
+ || docker run \
 --detach=true \
 --name=$(NAMESPACE)-postgres \
 --network=$(NAMESPACE) \
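Review bot: `[ "$status" -eq 0 ]` after `run curl … -X POST` and after the `-X PATCH` only shows that curl completed the exchange, because curl exits 0 on a 4xx/5xx reply unless `--fail` is given; the greps that follow carry the real check. Add `--fail` to both `run curl` calls (curl then exits 22 on an HTTP error and the status assertion becomes meaningful), or request `-w '%{http_code}'` and compare it. The tests added in patch 05 (`@@ -127,3 +127,71 @@`) and patch 08 (`@@ -94,6 +94,26 @@`) use the same pattern and would take the same change.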
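Review bot: `IMAGE_POSTGRES` is now pinned by digest alone, so the file no longer says which PostgreSQL release that digest is, and anyone overriding it with `make IMAGE_POSTGRES=…` has nothing to compare against. The `IMAGE_POSTGREST` line directly below keeps both tag and digest; use the same form, `IMAGE_POSTGRES ?= postgres:<TAG>@sha256:3657548977d593c9ab6d70d1ffc43ceb3b5164ae07ac0f542d2ea139664eb6b3`, with `<TAG>` filled in from the manifest the digest was taken from. Docker still verifies the digest, so the tag only adds documentation.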
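Review bot: `docker inspect -f '{{.State.Running}}' $(NAMESPACE)-postgres 2>/dev/null || docker run …` skips the `docker run` whenever the container merely exists: `docker inspect` exits 0 for a stopped container and prints `false`, so `docker-start` continues against a database that is not running. Checking the printed value, `docker inspect -f '{{.State.Running}}' $(NAMESPACE)-postgres 2>/dev/null | grep -q true \` followed by `|| docker run \`, detects that case, though `docker run --name=$(NAMESPACE)-postgres` then fails on the name conflict, so the stopped-container branch wants a `docker start $(NAMESPACE)-postgres` (or a `docker rm` first) rather than a fresh run. The postgrest guard in the `@@ -53,7 +54,8 @@` hunk has the same shape but is less exposed, since `--rm` removes that container on exit. The docker-start recipe continues beyond this hunk.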
@@ -53,7 +54,8 @@ docker-start:
 $(IMAGE_POSTGRES) psql" \
 install
 # Start web API
- docker run \
+ docker inspect -f '{{.State.Running}}' $(NAMESPACE)-postgrest 2>/dev/null \
+ || docker run \
 --rm \
 --detach=true \
 --name $(NAMESPACE)-postgrest \
@@ -121,3 +123,4 @@ docker-test-shell: docker-stop docker-start docker-test-build
 .PHONY: docker-test-build
 docker-test-build:
 docker build -t local/$(NAMESPACE)-test test/
+

From 79d260b5b0c7ea8a2b5c4a097df6462f3576f78b Mon Sep 17 00:00:00 2001
From: "Lance R. Vick"
Date: Sat, 24 Dec 2022 01:42:09 -0800
Subject: [PATCH 02/10] another attempt at working management token

---
 schema/sql/api.sql | 13 ++++++-------
 test/bats/test.bats | 2 +-
 test/bats/test_helper.bash | 1 +
 3 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/schema/sql/api.sql b/schema/sql/api.sql
index 02972cd..4c7ca81 100755
--- a/schema/sql/api.sql
+++ b/schema/sql/api.sql
@@ -31,16 +31,15 @@ grant usage on sequence "user_id" to "api-user-create";
 grant "api-user-create" to "api";
 grant "api-anon" to "api-user-create";
-create role "api-user-update";
-comment on role "api-user-update" is
- $$Intended for use with user self-management systems$$;
-grant usage on sequence "user_id" to "api-user-create";
-grant select,insert,update,delete on table
- public."hosts",
+create role "api-user-manage";
+comment on role "api-user-manage" is
+ $$Intended for use with user management systems$$;
+grant usage on sequence "user_id" to "api-user-manage";
+grant select,insert,update on table
 public."passwd",
 public."ssh_public_key",
 public."openpgp_public_key"
-to "api-user-update";
+to "api-user-manage";
 create schema v1;
 grant create,usage on schema v1 to api;
diff --git a/test/bats/test.bats b/test/bats/test.bats
index 63e46b1..3ff8976 100644
--- a/test/bats/test.bats
+++ b/test/bats/test.bats
@@ -115,7 +115,7 @@ load test_helper
 run curl http://userdb-postgrest:3000/passwd?name=eq.testuser43 \
 -H "Content-Type: application/json" \
- -H "Authorization: Bearer $(jwt_token 'api')" \
+ -H "Authorization: Bearer $(jwt_token 'api-user-manage')" \
 -X PATCH \
 --data-binary @- <<-EOF
 {
diff --git a/test/bats/test_helper.bash b/test/bats/test_helper.bash
index 77efce7..b4be3a0 100644
--- a/test/bats/test_helper.bash
+++ b/test/bats/test_helper.bash
@@ -2,6 +2,7 @@
 setup(){
 psql -c "insert into hosts (name,maxusers) values ('test.hashbang.sh','500');";
+ psql -c "insert into hosts (name,maxusers) values ('test2.hashbang.sh','500');";
 }
 teardown(){

From a40c351b3f854c3882a518afd24bc35f067d8a48 Mon Sep 17 00:00:00 2001
From: "Lance R. Vick"
Date: Sat, 24 Dec 2022 01:57:44 -0800
Subject: [PATCH 03/10] add new role to api

---
 schema/sql/api.sql | 1 +
 1 file changed, 1 insertion(+)

diff --git a/schema/sql/api.sql b/schema/sql/api.sql
index 4c7ca81..b2ceae2 100755
--- a/schema/sql/api.sql
+++ b/schema/sql/api.sql
@@ -40,6 +40,7 @@ grant select,insert,update on table
 public."ssh_public_key",
 public."openpgp_public_key"
 to "api-user-manage";
+grant "api-user-manage" to "api";
 create schema v1;
 grant create,usage on schema v1 to api;

From 752c1d8eb52e64a28874d92a4728f69f4ff4aef6 Mon Sep 17 00:00:00 2001
From: "Lance R. Vick"
Date: Sat, 24 Dec 2022 02:16:04 -0800
Subject: [PATCH 04/10] working user updating

---
 schema/sql/api.sql | 6 ++++++
 test/bats/test.bats | 2 +-
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/schema/sql/api.sql b/schema/sql/api.sql
index b2ceae2..9d54a16 100755
--- a/schema/sql/api.sql
+++ b/schema/sql/api.sql
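Review bot: setup() now inserts a second host row, `test2.hashbang.sh`, but teardown(), whose opening line is the hunk's last line and whose body lies outside it, is not touched anywhere in this series. If teardown removes hosts by name (which it must already do for `test.hashbang.sh`, or the next test's setup would fail on the duplicate), the new row needs the matching statement, e.g. `psql -c "delete from hosts where name = 'test2.hashbang.sh';";`, otherwise the second test in the file fails at setup. If it truncates the table instead nothing is needed; that cannot be seen from here.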
@@ -41,10 +41,13 @@ grant select,insert,update on table
 public."openpgp_public_key"
 to "api-user-manage";
 grant "api-user-manage" to "api";
+grant "api-anon" to "api-user-manage";
+grant "api-user-create" to "api-user-manage";
 create schema v1;
 grant create,usage on schema v1 to api;
 grant usage on schema v1 to "api-anon";
+grant create,usage on schema v1 to "api-user-manage";
 create view v1.hosts as
 select
@@ -84,6 +87,7 @@ comment on column v1.passwd.data is
 alter view v1."passwd" owner to api;
 grant select on table v1."passwd" to "api-anon";
 grant insert("name","host","data") on table v1."passwd" to "api-user-create";
+grant update("host","data") on table v1."passwd" to "api-user-manage";
 create view v1."group" as
 select
@@ -138,6 +142,7 @@ comment on column v1.ssh_public_key.uid is
 $$User ID the key is currently linked to$$;
 alter view v1."ssh_public_key" owner to api;
 grant select on table v1."ssh_public_key" to "api-anon";
+grant update,insert on table v1."ssh_public_key" to "api-user-manage";
 -- PGP Key
 create view v1.openpgp_public_key as
@@ -155,6 +160,7 @@ comment on column v1.openpgp_public_key.ascii_armoured_public_key is
 comment on column v1.openpgp_public_key.uid is
 $$User ID the key is currently linked to$$;
 grant insert("uid", "ascii_armoured_public_key") on table v1."openpgp_public_key" to "api-user-create";
+grant update("uid", "ascii_armoured_public_key") on table v1."openpgp_public_key" to "api-user-manage";
 create function insert_pgp_key() returns trigger as $$
 begin
diff --git a/test/bats/test.bats b/test/bats/test.bats
index 3ff8976..8107fd9 100644
--- a/test/bats/test.bats
+++ b/test/bats/test.bats
@@ -119,7 +119,7 @@ load test_helper
 -X PATCH \
 --data-binary @- <<-EOF
 {
- "host": "test2.hashbang.sh",
+ "host": "test2.hashbang.sh"
 }
 EOF
 [ "$status" -eq 0 ]

From 023fafee73254ddbc022e88d75a57b749367cca4 Mon Sep 17 00:00:00 2001
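Review bot: `grant update,insert on table v1."ssh_public_key" to "api-user-manage"` (hunk `@@ -138,6 +142,7 @@`) is the only write grant in these hunks without a column list; the passwd grant names `("host","data")` and the openpgp grant names `("uid", "ascii_armoured_public_key")`. A table-wide update covers `uid`, which the column comment in that hunk's context describes as the user the key is currently linked to, so the role can re-point an existing key at another account, and the `update("uid", …)` grant on `v1."openpgp_public_key"` in the last hunk allows the same. If re-linking keys is meant to be part of user management, record that in the `comment on role "api-user-manage"` text; if not, list only the key-material column in both update grants. Neither capability is exercised by the `Can update user…` test, which only patches `/passwd`.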
From: "Lance R. Vick"
Date: Sat, 24 Dec 2022 02:25:35 -0800
Subject: [PATCH 05/10] add more JWT tests

---
 test/bats/test.bats | 68 +++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 68 insertions(+)

diff --git a/test/bats/test.bats b/test/bats/test.bats
index 8107fd9..6d7873c 100644
--- a/test/bats/test.bats
+++ b/test/bats/test.bats
@@ -127,3 +127,71 @@ load test_helper
 run curl http://userdb-postgrest:3000/passwd?name=eq.testuser43
 echo "$output" | grep "test2.hashbang.sh"
 }
+
+@test "Can not update user with a JWT with an invalid role" {
+
+ run curl http://userdb-postgrest:3000/signup \
+ -H "Content-Type: application/json" \
+ -H "Authorization: Bearer $(jwt_token 'api-user-create')" \
+ -X POST \
+ --data-binary @- <<-EOF
+ {
+ "name": "testuser43",
+ "host": "test.hashbang.sh",
+ "shell": "/bin/zsh",
+ "keys": ["$(cat bats/keys/id_ed25519.pub)"]
+ }
+ EOF
+ [ "$status" -eq 0 ]
+
+ run curl http://userdb-postgrest:3000/passwd?name=eq.testuser43
+ echo "$output" | grep "test.hashbang.sh"
+
+ run curl http://userdb-postgrest:3000/passwd?name=eq.testuser43 \
+ -H "Content-Type: application/json" \
+ -H "Authorization: Bearer $(jwt_token 'api-derp')" \
+ -X PATCH \
+ --data-binary @- <<-EOF
+ {
+ "host": "test2.hashbang.sh"
+ }
+ EOF
+ echo "$output" | grep "does not exist"
+
+ run curl http://userdb-postgrest:3000/passwd?name=eq.testuser43
+ echo "$output" | grep "test.hashbang.sh"
+}
+
+@test "Can not update user with a JWT with the wrong role" {
+
+ run curl http://userdb-postgrest:3000/signup \
+ -H "Content-Type: application/json" \
+ -H "Authorization: Bearer $(jwt_token 'api-user-create')" \
+ -X POST \
+ --data-binary @- <<-EOF
+ {
+ "name": "testuser43",
+ "host": "test.hashbang.sh",
+ "shell": "/bin/zsh",
+ "keys": ["$(cat bats/keys/id_ed25519.pub)"]
+ }
+ EOF
+ [ "$status" -eq 0 ]
+
+ run curl http://userdb-postgrest:3000/passwd?name=eq.testuser43
+ echo "$output" | grep "test.hashbang.sh"
+
+ run curl http://userdb-postgrest:3000/passwd?name=eq.testuser43 \
+ -H "Content-Type: application/json" \
+ -H "Authorization: Bearer $(jwt_token 'api-anon')" \
+ -X PATCH \
+ --data-binary @- <<-EOF
+ {
+ "host": "test2.hashbang.sh"
+ }
+ EOF
+ echo "$output" | grep "permission denied"
+
+ run curl http://userdb-postgrest:3000/passwd?name=eq.testuser43
+ echo "$output" | grep "test.hashbang.sh"
+}

From 329c8bf3d20d1b7d14a91ffb79701f6b268a06b3 Mon Sep 17 00:00:00 2001
From: "Lance R. Vick"
Date: Sat, 24 Dec 2022 02:29:01 -0800
Subject: [PATCH 06/10] remove newline

---
 test/test.mk | 1 -
 1 file changed, 1 deletion(-)

diff --git a/test/test.mk b/test/test.mk
index 9c0d8a9..3f5ec04 100644
--- a/test/test.mk
+++ b/test/test.mk
@@ -123,4 +123,3 @@ docker-test-shell: docker-stop docker-start docker-test-build
 .PHONY: docker-test-build
 docker-test-build:
 docker build -t local/$(NAMESPACE)-test test/
-

From fb1590eda8be2ed273b13d7f8b1232e49a372214 Mon Sep 17 00:00:00 2001
From: "Lance R. Vick"
Date: Mon, 2 Jan 2023 01:17:19 -0800
Subject: [PATCH 07/10] detach api-user-create from api-user-manage

---
 schema/sql/api.sql | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/schema/sql/api.sql b/schema/sql/api.sql
index 9d54a16..7b83015 100755
--- a/schema/sql/api.sql
+++ b/schema/sql/api.sql
@@ -35,14 +35,13 @@ create role "api-user-manage";
 comment on role "api-user-manage" is
 $$Intended for use with user management systems$$;
 grant usage on sequence "user_id" to "api-user-manage";
+grant "api-user-manage" to "api";
+grant "api-anon" to "api-user-manage";
 grant select,insert,update on table
 public."passwd",
 public."ssh_public_key",
 public."openpgp_public_key"
 to "api-user-manage";
-grant "api-user-manage" to "api";
-grant "api-anon" to "api-user-manage";
-grant "api-user-create" to "api-user-manage";
 create schema v1;
 grant create,usage on schema v1 to api;
@@ -87,6 +86,7 @@ comment on column v1.passwd.data is
 alter view v1."passwd" owner to api;
 grant select on table v1."passwd" to "api-anon";
 grant insert("name","host","data") on table v1."passwd" to "api-user-create";
+grant insert("name","host","data") on table v1."passwd" to "api-user-manage";
 grant update("host","data") on table v1."passwd" to "api-user-manage";
 create view v1."group" as
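Review bot: Both negative tests prove the rejection only by grepping the body for PostgreSQL error text (`does not exist`, `permission denied`) and never look at the HTTP status, so they pin PostgREST's current message wording and would pass equally on any other error body that happens to contain those words. Capture the status too, e.g. `run curl -s -w '\n%{http_code}' …` and assert on the last line of `$output` (401 for the unknown-role case and 403 for the denied case are what PostgREST is expected to return; confirm against the version pinned in test.mk). The 13-line signup block is now copied into three tests, also `@@ -93,3 +93,37 @@` in patch 01 and `@@ -94,6 +94,26 @@` in patch 08; a `signup_testuser43 ROLE` function in test_helper.bash would leave each test with only the request it is actually about.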
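Review bot: The detach is done by duplicating each `api-user-create` insert grant for `api-user-manage` (`v1."passwd"` here and `v1."signup"` in the `@@ -233,3 +233,4 @@` hunk), so two column lists per view now have to be kept identical by hand. PostgreSQL's GRANT accepts several grantees, and one statement keeps them aligned: `grant insert("name","host","data") on table v1."passwd" to "api-user-create", "api-user-manage";` and likewise `to "api-user-create", "api-user-manage"` on `v1."signup"`. A one-line comment above `create role "api-user-manage"` stating that it deliberately does not inherit from `api-user-create` would explain the membership grant removed in the first hunk to the next reader.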
@@ -233,3 +233,4 @@ create trigger signup
 alter view v1."signup" owner to api;
 grant select on table v1."signup" to "api-anon";
 grant insert("name", "host", "shell", "keys") on table v1."signup" to "api-user-create";
+grant insert("name", "host", "shell", "keys") on table v1."signup" to "api-user-manage";

From 0970a3b1ecb9fb08bbce67ef651a7b2354db037b Mon Sep 17 00:00:00 2001
From: "Lance R. Vick"
Date: Mon, 2 Jan 2023 01:53:26 -0800
Subject: [PATCH 08/10] remove needless create on schema v1

---
 schema/sql/api.sql | 2 +-
 test/bats/test.bats | 22 +++++++++++++++++++++-
 2 files changed, 22 insertions(+), 2 deletions(-)

diff --git a/schema/sql/api.sql b/schema/sql/api.sql
index 7b83015..6bed1a2 100755
--- a/schema/sql/api.sql
+++ b/schema/sql/api.sql
@@ -46,7 +46,7 @@ to "api-user-manage";
 create schema v1;
 grant create,usage on schema v1 to api;
 grant usage on schema v1 to "api-anon";
-grant create,usage on schema v1 to "api-user-manage";
+grant usage on schema v1 to "api-user-manage";
 create view v1.hosts as
 select
diff --git a/test/bats/test.bats b/test/bats/test.bats
index 6d7873c..22b32d1 100644
--- a/test/bats/test.bats
+++ b/test/bats/test.bats
@@ -74,7 +74,7 @@ load test_helper
 echo "$output" | grep "testuser42"
 }
-@test "Can create user with a valid host and and SSH key via PostgREST" {
+@test "Can create user with the api-user-create JWT token" {
 run curl http://userdb-postgrest:3000/signup \
 -H "Content-Type: application/json" \
@@ -94,6 +94,26 @@ load test_helper
 echo "$output" | grep "testuser43"
 }
+@test "Can create user with the api-user-manage JWT token" {
+
+ run curl http://userdb-postgrest:3000/signup \
+ -H "Content-Type: application/json" \
+ -H "Authorization: Bearer $(jwt_token 'api-user-manage')" \
+ -X POST \
+ --data-binary @- <<-EOF
+ {
+ "name": "testuser43",
+ "host": "test.hashbang.sh",
+ "shell": "/bin/zsh",
+ "keys": ["$(cat bats/keys/id_ed25519.pub)"]
+ }
+ EOF
+ [ "$status" -eq 0 ]
+
+ run curl http://userdb-postgrest:3000/passwd?name=eq.testuser43
+ echo "$output" | grep "testuser43"
+}
+
 @test "Can update user with a valid update permissioned token" {
 run curl http://userdb-postgrest:3000/signup \

From a10b9e052478d23c568417a3cb7fad3d1ea12864 Mon Sep 17 00:00:00 2001
From: "Lance R. Vick"
Date: Mon, 2 Jan 2023 01:57:01 -0800
Subject: [PATCH 09/10] grant delete on ssh_public_key to api-user-manage

---
 schema/sql/api.sql | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/schema/sql/api.sql b/schema/sql/api.sql
index 6bed1a2..b0e76a6 100755
--- a/schema/sql/api.sql
+++ b/schema/sql/api.sql
@@ -142,7 +142,7 @@ comment on column v1.ssh_public_key.uid is
 $$User ID the key is currently linked to$$;
 alter view v1."ssh_public_key" owner to api;
 grant select on table v1."ssh_public_key" to "api-anon";
-grant update,insert on table v1."ssh_public_key" to "api-user-manage";
+grant update,delete,insert on table v1."ssh_public_key" to "api-user-manage";
 -- PGP Key
 create view v1.openpgp_public_key as

From dc867af9df8b7120ff3671569309a15bb891d1a7 Mon Sep 17 00:00:00 2001
From: "Lance R. Vick"
Date: Mon, 2 Jan 2023 03:13:53 -0800
Subject: [PATCH 10/10] remove redundant grants

---
 schema/sql/api.sql | 5 -----
 1 file changed, 5 deletions(-)

diff --git a/schema/sql/api.sql b/schema/sql/api.sql
index b0e76a6..879179c 100755
--- a/schema/sql/api.sql
+++ b/schema/sql/api.sql
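Review bot: `delete` on `v1."ssh_public_key"` is granted for every row, so an `api-user-manage` token can remove any user's SSH keys, and nothing in the suite exercises it: every test added in this series only posts to `/signup` or patches `/passwd`. Add a bats case beside the `Can update user…` tests that creates testuser43, deletes one of its keys through the view with `jwt_token 'api-user-manage'` and checks the key no longer appears for that uid, plus the `api-anon` counterpart expecting `permission denied`. DELETE cannot be narrowed per column in PostgreSQL, so the role comment is the right place to state that key removal across all users is intended.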
@@ -37,11 +37,6 @@ comment on role "api-user-manage" is
 grant usage on sequence "user_id" to "api-user-manage";
 grant "api-user-manage" to "api";
 grant "api-anon" to "api-user-manage";
-grant select,insert,update on table
- public."passwd",
- public."ssh_public_key",
- public."openpgp_public_key"
-to "api-user-manage";
 create schema v1;
 grant create,usage on schema v1 to api;
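Review bot: With these five lines gone, the context line `grant usage on sequence "user_id" to "api-user-manage";` is the role's only remaining privilege on `public` objects, and whether it is still needed is not visible here: the v1 views are owned by `api` (`alter view … owner to api` in earlier hunks) and inserts pass through triggers, so the sequence may be consumed under the owner's rights rather than the caller's. Worth checking by dropping the line and running the `Can create user with the api-user-manage JWT token` test; if it passes, remove the grant as part of this cleanup, and if it fails, a short comment on the line naming the trigger that needs it would save the next reader the same question.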