Feat/use cvmanager schema #14
base: wydot-deployment-2026
Conversation
Pull request overview
This pull request migrates the PostgreSQL database from using the default public schema to a dedicated cvmanager schema. The changes are systematic and comprehensive, updating all SQL queries, database scripts, test files, and documentation across the entire codebase.
Key Changes
- All SQL table references updated from `public.<table>` to `cvmanager.<table>`
- Database creation scripts updated to create the `cvmanager` schema at initialization
- Test expectations updated to match the new schema naming
- Keycloak custom user provider updated to use the new schema
- Documentation updated to reflect the schema change
Reviewed changes
Copilot reviewed 85 out of 85 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| services/common/snmp/update_pg/*.py | Updated SNMP-related PostgreSQL queries to use cvmanager schema |
| services/common/email_util.py | Updated email notification queries to use cvmanager schema |
| services/common/auth_tools.py | Updated authentication and authorization queries to use cvmanager schema |
| services/api/src/*.py | Updated all API service queries to use cvmanager schema |
| services/api/tests/**/*.py | Updated test expectations to match cvmanager schema |
| services/addons/images/**/*.py | Updated addon service queries to use cvmanager schema |
| services/addons/tests/**/*.py | Updated addon test expectations to match cvmanager schema |
| resources/sql_scripts/update_scripts/*.sql | Updated migration scripts to use cvmanager schema |
| resources/sql_scripts/*.sql | Updated schema creation and sample data scripts to create and use cvmanager schema |
| resources/kubernetes/cv-manager-postgres.yaml | Updated Kubernetes deployment config to use cvmanager schema |
| resources/keycloak/custom-user-provider/**/*.java | Updated Keycloak custom provider to query cvmanager schema |
| resources/keycloak/**/*.md | Updated documentation to reference cvmanager schema |
The changes appear to be consistent and comprehensive across the codebase. The migration follows a clear pattern of replacing public. with cvmanager. in all SQL queries and creating the schema during database initialization.
| username character varying(128) COLLATE pg_catalog.default NOT NULL, | ||
| password character varying(128) COLLATE pg_catalog.default NOT NULL, | ||
| nickname character varying(128) COLLATE pg_catalog.default NOT NULL, | ||
| CONSTRAINT rsu_credentials_pkey PRIMARY KEY (credential_id), | ||
| CONSTRAINT rsu_credentials_nickname UNIQUE (nickname) | ||
| ); | ||
|
|
||
| CREATE SEQUENCE public.snmp_credentials_snmp_credential_id_seq | ||
| CREATE SEQUENCE cvmanager.snmp_credentials_snmp_credential_id_seq | ||
| INCREMENT 1 | ||
| START 1 | ||
| MINVALUE 1 | ||
| MAXVALUE 2147483647 | ||
| CACHE 1; | ||
|
|
||
| CREATE TABLE IF NOT EXISTS public.snmp_credentials | ||
| CREATE TABLE IF NOT EXISTS cvmanager.snmp_credentials | ||
| ( | ||
| snmp_credential_id integer NOT NULL DEFAULT nextval('snmp_credentials_snmp_credential_id_seq'::regclass), | ||
| snmp_credential_id integer NOT NULL DEFAULT nextval('cvmanager.snmp_credentials_snmp_credential_id_seq'::regclass), | ||
| username character varying(128) COLLATE pg_catalog.default NOT NULL, | ||
| password character varying(128) COLLATE pg_catalog.default NOT NULL, | ||
| encrypt_password character varying(128) COLLATE pg_catalog.default, |
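Review bot: `CREATE SEQUENCE cvmanager.snmp_credentials_snmp_credential_id_seq` is not idempotent while the table that follows it is `CREATE TABLE IF NOT EXISTS`, so a second run of this script fails at the sequence before it ever reaches the table; use `CREATE SEQUENCE IF NOT EXISTS`, or declare `snmp_credential_id integer GENERATED ALWAYS AS IDENTITY` and drop the hand-written `nextval('cvmanager.snmp_credentials_snmp_credential_id_seq'::regclass)` default altogether. Schema-qualifying the sequence inside the default is the right change, since the previous `nextval('snmp_credentials_snmp_credential_id_seq'::regclass)` silently depended on `search_path` containing the schema.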
Copilot (AI), Jan 7, 2026
The rsu_credentials.password and snmp_credentials.password/encrypt_password columns store device and SNMP authentication secrets in cleartext, so anyone with read access to the database (including via SQL injection in other parts of the system or compromised DB credentials) can recover live RSU access credentials and SNMP encryption passphrases. This enables attackers to take over RSUs, change configuration, and intercept or tamper with management traffic. These secrets should be protected at rest, for example by storing only hashed/derived forms where possible or using an external secret store or strong application/database-level encryption for these columns.
| iss_key_id integer NOT NULL DEFAULT nextval('iss_keys_iss_key_id_seq'::regclass), | ||
| iss_key_id integer NOT NULL DEFAULT nextval('cvmanager.iss_keys_iss_key_id_seq'::regclass), | ||
| common_name character varying(128) COLLATE pg_catalog.default NOT NULL, | ||
| token character varying(128) COLLATE pg_catalog.default NOT NULL |
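Review bot: the only change to `iss_keys` in this hunk is the schema-qualified `nextval()` default, so replacing the plaintext `token` column with a hashed one (as the suggestion below proposes) is out of scope for a schema rename and needs its own migration for rows that already hold tokens. That replacement is also only viable if cvmanager is the party that verifies the ISS token by comparison; if the service has to present the token to the ISS, a one-way hash makes it unusable and the column needs reversible encryption with a key held outside the database instead.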
Copilot (AI), Jan 7, 2026
The iss_keys.token column stores SCMS/ISS tokens in cleartext, meaning a database compromise or unintended query exposure would immediately leak live authentication tokens that can be reused by an attacker. With these tokens, an attacker could impersonate authorized components, potentially issuing fraudulent commands or accessing protected services. These tokens should never be stored in plaintext; instead, store only derived/hashed representations where feasible or encrypt the column with strong key management so that tokens are unusable if the database is compromised.
| token character varying(128) COLLATE pg_catalog.default NOT NULL | |
| token_hash bytea NOT NULL |
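As an added example, not code from the CV Manager repository or from the Copilot suggestion, the hash-and-compare pattern the comment proposes for `iss_keys.token`, written in Python against an in-memory SQLite table that mirrors the suggested `token_hash bytea NOT NULL` column. It assumes cvmanager is the party that verifies the token (the client presents it, the service looks it up by hash); the table name, the `issue_token` helper and the `rsu-gateway-01` common name are constructed for the demo. It does not apply to `rsu_credentials.password` or the SNMPv3 passphrases, which the service must present to the device and which therefore need reversible encryption, not a hash.

```python
"""Store only SHA-256 digests of bearer tokens; look them up by digest.

Added example (not project code). Uses the stdlib only so it runs offline;
SQLite stands in for PostgreSQL, BLOB for bytea.
"""
import hashlib
import secrets
import sqlite3
from typing import Optional


def hash_token(token: str) -> bytes:
    """SHA-256 of the raw token.

    No salt is used on purpose: the token is a 256-bit random secret, so
    offline guessing is infeasible, and an unsalted digest is what makes an
    indexed equality lookup (WHERE token_hash = ?) possible.
    """
    return hashlib.sha256(token.encode("utf-8")).digest()


def create_schema(conn: sqlite3.Connection) -> None:
    # Mirrors the suggested column: the plaintext token has no home in the DB.
    conn.execute(
        """
        CREATE TABLE iss_keys (
            iss_key_id  INTEGER PRIMARY KEY,
            common_name TEXT    NOT NULL,
            token_hash  BLOB    NOT NULL UNIQUE
        )
        """
    )


def issue_token(conn: sqlite3.Connection, common_name: str) -> str:
    """Generate a token, persist only its digest, return the plaintext once.

    Hypothetical helper: in a real deployment the ISS issues the token and
    cvmanager would only import it; the storage step is the same.
    """
    token = secrets.token_urlsafe(32)  # 256 bits of entropy
    conn.execute(
        "INSERT INTO iss_keys (common_name, token_hash) VALUES (?, ?)",
        (common_name, hash_token(token)),
    )
    return token


def lookup_by_token(conn: sqlite3.Connection, presented: str) -> Optional[str]:
    """Resolve a presented token to its common_name, or None if unknown.

    The digest is computed in the application; the database never sees the
    plaintext, in a query, a log line or a dump.
    """
    row = conn.execute(
        "SELECT common_name FROM iss_keys WHERE token_hash = ?",
        (hash_token(presented),),
    ).fetchone()
    return row[0] if row else None


def dump_rows(conn: sqlite3.Connection) -> list:
    """What an attacker with SELECT on the table would get back."""
    return [
        (cn, digest.hex())
        for cn, digest in conn.execute("SELECT common_name, token_hash FROM iss_keys")
    ]


def demo() -> dict:
    """Issue one token, then check a valid lookup, a tampered one, and a dump."""
    conn = sqlite3.connect(":memory:")
    create_schema(conn)
    token = issue_token(conn, "rsu-gateway-01")  # constructed common name
    # Flip the last character so the tampered token differs by one byte.
    tampered = token[:-1] + ("a" if token[-1] != "a" else "b")
    return {
        "valid": lookup_by_token(conn, token),
        "tampered": lookup_by_token(conn, tampered),
        "plaintext_in_dump": token in repr(dump_rows(conn)),
    }


if __name__ == "__main__":
    print(demo())
```

The trade-off the comment alludes to is visible in `lookup_by_token`: equality on an unsalted digest gives an indexed lookup and still protects the token against a dump, but only because the token is high-entropy random data. A low-entropy secret, or one that must be replayed to a third party such as the ISS, cannot go through this path.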
| ALTER TABLE cvmanager.snmp_credentials | ||
| ADD COLUMN encrypt_password character varying(128) COLLATE pg_catalog.default; No newline at end of file |
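Review bot: this update script assumes `snmp_credentials` already lives in `cvmanager`, but an existing deployment upgrading from a release that created everything in `public` has no such relation, so `ALTER TABLE cvmanager.snmp_credentials` fails with "relation does not exist" unless an earlier update script first runs `ALTER TABLE public.snmp_credentials SET SCHEMA cvmanager` (and the same for its sequence); please confirm that migration exists and orders before this one. Two smaller points on the same lines: `ADD COLUMN` without `IF NOT EXISTS` makes the script non-rerunnable, and the file is missing its trailing newline.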
Copilot (AI), Jan 7, 2026
The new encrypt_password column on cvmanager.snmp_credentials stores the SNMP encryption passphrase as a plain varchar, so any compromise of the database or over-privileged account can directly reveal this sensitive key. With this value an attacker can decrypt or forge SNMPv3 traffic to managed RSUs, undermining the confidentiality and integrity of management operations. This secret should be protected at rest, for example by using an external secret store or strong, well-managed encryption instead of storing the raw passphrase in plaintext.
| ALTER TABLE cvmanager.snmp_credentials | |
| ADD COLUMN encrypt_password character varying(128) COLLATE pg_catalog.default; | |
| CREATE EXTENSION IF NOT EXISTS pgcrypto; | |
| ALTER TABLE cvmanager.snmp_credentials | |
| ADD COLUMN encrypt_password bytea; | |
| COMMENT ON COLUMN cvmanager.snmp_credentials.encrypt_password IS | |
| 'Stores the SNMPv3 encryption passphrase encrypted (e.g. via pgcrypto); do not store plaintext values.'; |
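Review bot: the suggested change does not by itself encrypt anything; a `bytea` column plus `CREATE EXTENSION pgcrypto` only works if the application supplies a key to `pgp_sym_encrypt`/`pgp_sym_decrypt` at query time, and if that key sits in the same database or in the connection string the exposure is the one the comment describes. `CREATE EXTENSION` also needs a privileged role that many managed PostgreSQL offerings do not grant to the application user. As rendered, the suggestion keeps `ADD COLUMN encrypt_password character varying(128)` and then adds a second `ADD COLUMN encrypt_password bytea`, which would fail with a duplicate-column error; only the `bytea` version should remain, and the decision on where the key lives belongs in a separate issue rather than in this schema-rename PR.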
New Base Branch
The `wydot-deployment-2026` branch was created using the 2.0.1 release tag as a base. The following changes were made using the previous changes in the `wydot-deployment` branch as a reference.
Changes
(TBD)