From ba87c8fdb72affc967bc731ab5293abb3e9e4a44 Mon Sep 17 00:00:00 2001
From: Aditya Thebe
Date: Mon, 9 Sep 2024 09:51:12 +0545
Subject: [PATCH 1/2] feat: connection_details view with sensitive fields masked
---
 views/027_connections.sql | 35 +++++++++++++++++++++++++++++++++++
 1 file changed, 35 insertions(+)
diff --git a/views/027_connections.sql b/views/027_connections.sql
index 4b6901c5..a62ea284 100644
--- a/views/027_connections.sql
+++ b/views/027_connections.sql
@@ -1,3 +1,4 @@
+-- A basic connection view free from any sensitive data.
 DROP VIEW IF EXISTS connections_list;
 CREATE OR REPLACE VIEW connections_list AS
 SELECT
@@ -18,3 +19,37 @@ CREATE OR REPLACE VIEW connections_list AS
 deleted_at IS NULL
 ORDER BY
 created_at;
+
+--
+CREATE OR REPLACE FUNCTION mask_sensitive(field_value TEXT)
+RETURNS TEXT AS $$
+BEGIN
+ RETURN CASE
+ WHEN field_value LIKE 'secret://%' OR
+ field_value LIKE 'configmap://%' OR
+ field_value LIKE 'helm://%' OR
+ field_value LIKE 'serviceaccount://%' OR
+ field_value = '' THEN field_value
+ ELSE '***'
+ END;
+END;
+$$ LANGUAGE plpgsql;
+--
+
+-- A connection view that masks sensitive fields.
+DROP VIEW IF EXISTS connection_details;
+CREATE OR REPLACE VIEW connection_details AS
+ SELECT
+ id, name, namespace, type, source, properties, insecure_tls, created_by, created_at, updated_at,
+ CASE
+ WHEN (string_to_array(url, '://'))[1] IN ('bark', 'discord', 'smtp', 'gotify', 'googlechat', 'ifttt', 'join', 'mattermost', 'matrix', 'ntfy', 'opsgenie', 'pushbullet', 'pushover', 'rocketchat', 'slack', 'teams', 'telegram', 'zulip') THEN 'notification'
+ ELSE ''
+ END AS category,
+ mask_sensitive(username) AS username,
+ mask_sensitive(PASSWORD) AS PASSWORD,
+ mask_sensitive(certificate) AS certificate
+ FROM connections
+ WHERE
+ deleted_at IS NULL
+ ORDER BY
+ created_at;
From 144dcb6e2d18e4bcec83fb7c974516694df081d8 Mon Sep 17 00:00:00 2001
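Review bot: mask_sensitive returns '***' for a NULL input, because every branch of the CASE (`LIKE` and `field_value = ''`) evaluates to NULL for NULL and falls through to ELSE, so connection_details reports a credential on rows that have none while an empty string passes through unmasked. Declaring the function `STRICT` returns NULL for NULL input and `IMMUTABLE` lets the planner treat it as a pure function: `$$ LANGUAGE plpgsql IMMUTABLE STRICT;`. The literal '***' is also a storable value, so a reader cannot tell a masked field from one whose real value is '***'; a comment above the function naming the sentinel, `-- '***' is the mask value returned for sensitive fields in connection_details`, would make that contract explicit. The view only hides secrets if consuming roles are granted SELECT on connection_details and not on connections itself, and `properties` is projected unmasked — whether it can carry credentials is not visible in this hunk.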
From: Aditya Thebe
Date: Mon, 9 Sep 2024 18:49:21 +0545
Subject: [PATCH 2/2] feat: connection before update trigger
---
 views/027_connections.sql | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)
diff --git a/views/027_connections.sql b/views/027_connections.sql
index a62ea284..a65e956f 100644
--- a/views/027_connections.sql
+++ b/views/027_connections.sql
@@ -53,3 +53,28 @@ CREATE OR REPLACE VIEW connection_details AS
 deleted_at IS NULL
 ORDER BY
 created_at;
+
+--
+CREATE OR REPLACE FUNCTION connection_before_update()
+RETURNS TRIGGER AS $$
+BEGIN
+ IF NEW.username = '***' THEN
+ NEW.username = OLD.username;
+ END IF;
+
+ IF NEW.password = '***' THEN
+ NEW.password = OLD.password;
+ END IF;
+
+ IF NEW.certificate = '***' THEN
+ NEW.certificate = OLD.certificate;
+ END IF;
+
+ RETURN NEW;
+END;
+$$
+LANGUAGE plpgsql;
+
+CREATE OR REPLACE TRIGGER connection_before_update
+BEFORE UPDATE ON connections
+FOR EACH ROW EXECUTE PROCEDURE connection_before_update();
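Review bot: The trigger uses the literal '***' as a sentinel, so an UPDATE that genuinely sets username, password or certificate to '***' is silently reverted to the stored value, and because the trigger is BEFORE UPDATE only, an INSERT carrying the mask stores '***' literally; a comment above the function should state the coupling, e.g. `-- '***' is the mask emitted by connection_details; an UPDATE echoing it keeps the stored value.` `CREATE OR REPLACE TRIGGER` requires PostgreSQL 14 or later, where `EXECUTE PROCEDURE` is the deprecated spelling; prefer `FOR EACH ROW EXECUTE FUNCTION connection_before_update();`. The assignments use `=`; plpgsql's documented assignment operator is `:=`, e.g. `NEW.username := OLD.username;`.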