Add a migration to encrypt database password using scram-sha-256

CP4AIOPS-3003
ManageIQ · Oct 22, 2024 · e5cb209 · e5cb209
1 parent 0baa0eb
commit e5cb209
Show file tree

Hide file tree

Showing 2 changed files with 36 additions and 0 deletions.
diff --git a/db/migrate/20241017013023_reencrypt_password_scramsha.rb b/db/migrate/20241017013023_reencrypt_password_scramsha.rb
@@ -0,0 +1,13 @@
+class ReencryptPasswordScramsha < ActiveRecord::Migration[6.1]
+  def up
+    say_with_time('Reencrypting database user password with scram-sha-256') do
+      db_config = ActiveRecord::Base.connection_db_config.configuration_hash
+      username = db_config[:username]
+      password = connection.raw_connection.encrypt_password(db_config[:password], username, "scram-sha-256")
+
+      connection.execute <<-SQL
+        ALTER ROLE #{username} WITH PASSWORD '#{password}';
+      SQL
+    end
+  end
+end
diff --git a/spec/migrations/20241017013023_reencrypt_password_scramsha_spec.rb b/spec/migrations/20241017013023_reencrypt_password_scramsha_spec.rb
@@ -0,0 +1,23 @@
+require_migration
+
+# This is mostly necessary for data migrations, so feel free to delete this
+# file if you do no need it.
+describe ReencryptPasswordScramsha do
+  migration_context :up do
+    it "Ensures that the user password is stored as scram-sha-256" do
+      migrate
+
+      users_and_passwords = execute <<-SQL
+        SELECT rolname, rolpassword FROM pg_authid WHERE rolcanlogin;
+      SQL
+
+      database_yml = YAML.safe_load(Rails.root.join("config", "database.yml"))
+      username = database_yml[Rails.env]["username"]
+
+      record = users_and_passwords.to_a.detect { |i| i["rolname"] == username }
+
+      expect(record["rolname"]).to eq(username)
+      expect(record["rolpassword"]).to match(/^SCRAM-SHA-256.*/)
+    end
+  end
+end