[DPE-4369] SQL queries exposing passwords on postgresql logs (#506)

Lucas Gameiro · marceloneppel · web-flow · commit 5fef9c7ca07c · 2024-06-13T16:58:10.000-03:00
* add integration test * make create_user calls change log config * Pin redis-k8s charm revision * bump LIBPATCH * re-bump LIBPATCH * Revert "Pin redis-k8s charm revision" This reverts commit 2219fd6. * revert redis-k8s version 28 pinning --------- Co-authored-by: Marcelo Henrique Neppel <marcelo.neppel@canonical.com>
diff --git a/lib/charms/postgresql_k8s/v0/postgresql.py b/lib/charms/postgresql_k8s/v0/postgresql.py
@@ -36,7 +36,7 @@
 
 # Increment this PATCH version before using `charmcraft publish-lib` or reset
 # to 0 if you are raising the major API version
-LIBPATCH = 27
+LIBPATCH = 28
 
 INVALID_EXTRA_USER_ROLE_BLOCKING_MESSAGE = "invalid role(s) for extra user roles"
 
@@ -230,7 +230,10 @@ def create_user(
                 user_definition += f"WITH {'NOLOGIN' if user == 'admin' else 'LOGIN'}{' SUPERUSER' if admin else ''} ENCRYPTED PASSWORD '{password}'{'IN ROLE admin CREATEDB' if admin_role else ''}"
                 if privileges:
                     user_definition += f' {" ".join(privileges)}'
+                cursor.execute(sql.SQL("BEGIN;"))
+                cursor.execute(sql.SQL("SET LOCAL log_statement = 'none';"))
                 cursor.execute(sql.SQL(f"{user_definition};").format(sql.Identifier(user)))
+                cursor.execute(sql.SQL("COMMIT;"))
 
                 # Add extra user roles to the new user.
                 if roles:
@@ -519,11 +522,14 @@ def update_user_password(
             with self._connect_to_database(
                 database_host=database_host
             ) as connection, connection.cursor() as cursor:
+                cursor.execute(sql.SQL("BEGIN;"))
+                cursor.execute(sql.SQL("SET LOCAL log_statement = 'none';"))
                 cursor.execute(
                     sql.SQL("ALTER USER {} WITH ENCRYPTED PASSWORD '" + password + "';").format(
                         sql.Identifier(username)
                     )
                 )
+                cursor.execute(sql.SQL("COMMIT;"))
         except psycopg2.Error as e:
             logger.error(f"Failed to update user password: {e}")
             raise PostgreSQLUpdateUserPasswordError()
diff --git a/tests/integration/new_relations/test_new_relations.py b/tests/integration/new_relations/test_new_relations.py
@@ -590,13 +590,8 @@ async def test_discourse(ops_test: OpsTest):
     # Deploy Discourse and Redis.
     await gather(
         ops_test.model.deploy(DISCOURSE_APP_NAME, application_name=DISCOURSE_APP_NAME),
-        # Revision 28 is being used due to https://github.com/canonical/redis-k8s-operator/issues/87.
         ops_test.model.deploy(
-            REDIS_APP_NAME,
-            application_name=REDIS_APP_NAME,
-            channel="latest/edge",
-            revision=28,
-            series="jammy",
+            REDIS_APP_NAME, application_name=REDIS_APP_NAME, channel="latest/edge"
         ),
     )
 
diff --git a/tests/integration/test_password_rotation.py b/tests/integration/test_password_rotation.py
@@ -19,6 +19,7 @@
     get_primary,
     get_unit_address,
     restart_patroni,
+    run_command_on_unit,
     set_password,
 )
 
@@ -125,8 +126,8 @@ async def test_password_from_secret_same_as_cli(ops_test: OpsTest):
     I.e. we're manipulating the secret we think we're manipulating.
     """
     #
-    # No way to retrieve a secet by label for now (https://bugs.launchpad.net/juju/+bug/2037104)
-    # Therefore we take advantage of the fact, that we only have ONE single secret a this point
+    # No way to retrieve a secret by label for now (https://bugs.launchpad.net/juju/+bug/2037104)
+    # Therefore we take advantage of the fact, that we only have ONE single secret at this point
     # So we take the single member of the list
     # NOTE: This would BREAK if for instance units had secrets at the start...
     #
@@ -176,3 +177,18 @@ async def test_no_password_change_on_invalid_password(ops_test: OpsTest) -> None
     password2 = await get_password(ops_test, username="replication")
     # The password didn't change
     assert password1 == password2
+
+
+@pytest.mark.group(1)
+async def test_no_password_exposed_on_logs(ops_test: OpsTest) -> None:
+    """Test that passwords don't get exposed on postgresql logs."""
+    for unit in ops_test.model.applications[APP_NAME].units:
+        try:
+            logs = await run_command_on_unit(
+                ops_test,
+                unit.name,
+                "grep PASSWORD /var/log/postgresql/postgresql-*.log",
+            )
+        except Exception:
+            continue
+        assert len(logs) == 0, f"Sensitive information detected on {unit.name} logs"
