Remove invalid characters from a Postgres user spec

cbandy · cbandy · commit 88ac6e61813e · 2024-04-25T08:43:01.000-05:00
This uses a Postgres SQL parser to remove the PASSWORD option and any
SQL comments. These values will be rejected in the future.

Issue: PGO-1094
diff --git a/go.mod b/go.mod
@@ -10,6 +10,7 @@ require (
 	github.com/google/uuid v1.3.1
 	github.com/onsi/ginkgo/v2 v2.0.0
 	github.com/onsi/gomega v1.18.1
+	github.com/pganalyze/pg_query_go/v5 v5.1.0
 	github.com/pkg/errors v0.9.1
 	github.com/sirupsen/logrus v1.9.3
 	github.com/xdg-go/stringprep v1.0.2
diff --git a/go.sum b/go.sum
@@ -401,6 +401,8 @@ github.com/opentracing/opentracing-go v1.1.0/go.mod h1:UkNAQd3GIcIGf0SeVgPpRdFSt
 github.com/pascaldekloe/goe v0.0.0-20180627143212-57f6aae5913c/go.mod h1:lzWF7FIEvWOWxwDKqyGYQf6ZUaNfKdP144TG7ZOy1lc=
 github.com/pelletier/go-toml v1.2.0/go.mod h1:5z9KED0ma1S8pY6P1sdut58dfprrGBbd/94hg7ilaic=
 github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU=
+github.com/pganalyze/pg_query_go/v5 v5.1.0 h1:MlxQqHZnvA3cbRQYyIrjxEjzo560P6MyTgtlaf3pmXg=
+github.com/pganalyze/pg_query_go/v5 v5.1.0/go.mod h1:FsglvxidZsVN+Ltw3Ai6nTgPVcK2BPukH3jCDEqc1Ug=
 github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
@@ -956,6 +958,7 @@ google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlba
 google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
 google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
 google.golang.org/protobuf v1.27.1/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
+google.golang.org/protobuf v1.31.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
 google.golang.org/protobuf v1.33.0 h1:uNO2rsAINq/JlFpSdYEKIZ0uKD/R9cpdv0T+yoGwGmI=
 google.golang.org/protobuf v1.33.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos=
 gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw=
diff --git a/internal/postgres/users.go b/internal/postgres/users.go
@@ -19,11 +19,43 @@ import (
 	"bytes"
 	"context"
 	"encoding/json"
+	"strings"
+
+	pg_query "github.com/pganalyze/pg_query_go/v5"
 
 	"github.com/crunchydata/postgres-operator/internal/logging"
 	"github.com/crunchydata/postgres-operator/pkg/apis/postgres-operator.crunchydata.com/v1beta1"
 )
 
+func sanitizeAlterRoleOptions(options string) string {
+	const AlterRolePrefix = `ALTER ROLE "any" WITH `
+
+	// Parse the options and discard them completely when incoherent.
+	parsed, err := pg_query.Parse(AlterRolePrefix + options)
+	if err != nil || len(parsed.GetStmts()) != 1 {
+		return ""
+	}
+
+	// Rebuild the options list without invalid options. TODO(go1.21) TODO(slices)
+	orig := parsed.GetStmts()[0].GetStmt().GetAlterRoleStmt().GetOptions()
+	next := make([]*pg_query.Node, 0, len(orig))
+	for i, option := range orig {
+		if strings.EqualFold(option.GetDefElem().GetDefname(), "password") {
+			continue
+		}
+		next = append(next, orig[i])
+	}
+	if len(next) > 0 {
+		parsed.GetStmts()[0].GetStmt().GetAlterRoleStmt().Options = next
+	} else {
+		return ""
+	}
+
+	// Turn the modified statement back into SQL and remove the ALTER ROLE portion.
+	sql, _ := pg_query.Deparse(parsed)
+	return strings.TrimPrefix(sql, AlterRolePrefix)
+}
+
 // WriteUsersInPostgreSQL calls exec to create users that do not exist in
 // PostgreSQL. Once they exist, it updates their options and passwords and
 // grants them access to their specified databases. The databases must already
@@ -56,7 +88,7 @@ CREATE TEMPORARY TABLE input (id serial, data json);
 		spec := users[i]
 
 		databases := spec.Databases
-		options := spec.Options
+		options := sanitizeAlterRoleOptions(spec.Options)
 
 		// The "postgres" user must always be a superuser that can login to
 		// the "postgres" database.
diff --git a/internal/postgres/users_test.go b/internal/postgres/users_test.go
@@ -28,6 +28,24 @@ import (
 	"github.com/crunchydata/postgres-operator/pkg/apis/postgres-operator.crunchydata.com/v1beta1"
 )
 
+func TestSanitizeAlterRoleOptions(t *testing.T) {
+	assert.Equal(t, sanitizeAlterRoleOptions(""), "")
+	assert.Equal(t, sanitizeAlterRoleOptions(" login  other stuff"), "",
+		"expected non-options to be removed")
+
+	t.Run("RemovesPassword", func(t *testing.T) {
+		assert.Equal(t, sanitizeAlterRoleOptions("password 'anything'"), "")
+		assert.Equal(t, sanitizeAlterRoleOptions("password $wild$ dollar quoting $wild$ login"), "LOGIN")
+		assert.Equal(t, sanitizeAlterRoleOptions(" login password '' replication "), "LOGIN REPLICATION")
+	})
+
+	t.Run("RemovesComments", func(t *testing.T) {
+		assert.Equal(t, sanitizeAlterRoleOptions("login -- asdf"), "LOGIN")
+		assert.Equal(t, sanitizeAlterRoleOptions("login /*"), "")
+		assert.Equal(t, sanitizeAlterRoleOptions("login /* createdb */ createrole"), "LOGIN CREATEROLE")
+	})
+}
+
 func TestWriteUsersInPostgreSQL(t *testing.T) {
 	ctx := context.Background()
 
@@ -108,8 +126,9 @@ COMMIT;`))
 			assert.Assert(t, cmp.Contains(string(b), `
 \copy input (data) from stdin with (format text)
 {"databases":["db1"],"options":"","username":"user-no-options","verifier":""}
-{"databases":null,"options":"some options here","username":"user-no-databases","verifier":""}
+{"databases":null,"options":"CREATEDB CREATEROLE","username":"user-no-databases","verifier":""}
 {"databases":null,"options":"","username":"user-with-verifier","verifier":"some$verifier"}
+{"databases":null,"options":"LOGIN","username":"user-invalid-options","verifier":""}
 \.
 `))
 			return nil
@@ -123,11 +142,15 @@ COMMIT;`))
 				},
 				{
 					Name:    "user-no-databases",
-					Options: "some options here",
+					Options: "createdb createrole",
 				},
 				{
 					Name: "user-with-verifier",
 				},
+				{
+					Name:    "user-invalid-options",
+					Options: "login password 'doot' --",
+				},
 			},
 			map[string]string{
 				"no-user":            "ignored",
