From 70ade3282f40322625b545288c746169f2277b0f Mon Sep 17 00:00:00 2001
From: Tobias Florek <tob@butter.sh>
Date: Mon, 26 Sep 2016 16:34:31 +0200
Subject: [PATCH 1/2] Get initial credentials also from secrets

Secrets are supposed to be mounted in subdirectories of /run/secrets/pgusers/.
They should have `username` and `password` keys.

Limitations: It does not check for duplicate user names or overlap with
(legacy) environment variables setting credentials.

Regarding startup works similar to the previous environment variable based logic.
It will only start if one or both of the following is true.

 * `/run/secrets/pguser/user` are valid credentials and POSTGRESQL_DATABASE is set
   (a database will be created).

 * `/run/secrets/pguser/admin` are valid credentials and the username is `postgres`.

`/run/secrets/pguser/master` is supposed to be the replication master user, if mounted.
---
 .../container-scripts/postgresql/common.sh    | 70 +++++++++++++++++--
 1 file changed, 65 insertions(+), 5 deletions(-)

diff --git a/9.5/root/usr/share/container-scripts/postgresql/common.sh b/9.5/root/usr/share/container-scripts/postgresql/common.sh
index 0fde554d..80d71b59 100644
--- a/9.5/root/usr/share/container-scripts/postgresql/common.sh
+++ b/9.5/root/usr/share/container-scripts/postgresql/common.sh
@@ -43,7 +43,7 @@ You must either specify the following environment variables:
   POSTGRESQL_DATABASE (regex: '$psql_identifier_regex')
 Or the following environment variable:
   POSTGRESQL_ADMIN_PASSWORD (regex: '$psql_password_regex')
-Or both.
+Or both (or mount secrets in /run/secrets/pgusers/user or /run/secrets/pgusers/admin).
 Optional settings:
   POSTGRESQL_MAX_CONNECTIONS (default: 100)
   POSTGRESQL_MAX_PREPARED_TRANSACTIONS (default: 0)
@@ -55,8 +55,17 @@ EOF
   exit 1
 }
 
+check_cred_secret() {
+    local credpath="$1"
+    [ -f "$credpath/username" ] && \
+    [ -f "$credpath/password" ] && \
+    [[ "$(<"$credpath/username")" =~ $psql_identifier_regex ]] && \
+    [[ "$(<"$credpath/password")" =~ $psql_password_regex ]] &&
+    [ "$(wc -c < "$credpath/username")" -le 63 ]
+}
+
 function check_env_vars() {
-  if [[ -v POSTGRESQL_USER || -v POSTGRESQL_PASSWORD || -v POSTGRESQL_DATABASE ]]; then
+  if [[ -v POSTGRESQL_USER || -v POSTGRESQL_PASSWORD ]]; then
     # one var means all three must be specified
     [[ -v POSTGRESQL_USER && -v POSTGRESQL_PASSWORD && -v POSTGRESQL_DATABASE ]] || usage
     [[ "$POSTGRESQL_USER"     =~ $psql_identifier_regex ]] || usage
@@ -65,6 +74,13 @@ function check_env_vars() {
     [ ${#POSTGRESQL_USER}     -le 63 ] || usage "PostgreSQL username too long (maximum 63 characters)"
     [ ${#POSTGRESQL_DATABASE} -le 63 ] || usage "Database name too long (maximum 63 characters)"
     postinitdb_actions+=",simple_db"
+  elif check_cred_secret "/run/secrets/pgusers/user" && [ -v POSTGRESQL_DATABASE ]; then
+    # one var means all three must be specified
+    [[ "$POSTGRESQL_DATABASE" =~ $psql_identifier_regex ]] || usage
+    [ ${#POSTGRESQL_DATABASE} -le 63 ] || usage "Database name too long (maximum 63 characters)"
+    POSTGRESQL_USER="$(</run/secrets/pgusers/user/username)"
+    POSTGRESQL_PASSWORD="$(</run/secrets/pgusers/user/password)"
+    postinitdb_actions+=",simple_db"
   fi
 
   if [ -v POSTGRESQL_ADMIN_PASSWORD ]; then
@@ -72,6 +88,17 @@ function check_env_vars() {
     postinitdb_actions+=",admin_pass"
   fi
 
+  if check_cred_secret "/run/secrets/pgusers/admin"; then
+    [ "$(<"/run/secrets/pgusers/admin/username")" = "postgres" ] || usage
+    POSTGRESQL_ADMIN_PASSWORD="$(<"/run/secrets/pgusers/admin/password")"
+    postinitdb_actions+=",admin_pass"
+  fi
+
+  if check_cred_secret "/run/secrets/pgusers/master"; then
+    POSTGRESQL_MASTER_USER="$(<"/run/secrets/pgusers/master/username")"
+    POSTGRESQL_MASTER_PASSWORD="$(<"/run/secrets/pgusers/master/password")"
+  fi
+
   case ",$postinitdb_actions," in
     *,admin_pass,*|*,simple_db,*) ;;
     *) usage ;;
@@ -172,19 +199,52 @@ function create_users() {
   fi
 }
 
+create_user_if_not_exists() {
+    local username="$1"
+    psql <<EOF
+DO
+\$body$
+BEGIN
+    IF NOT EXISTS (
+        SELECT * FROM pg_catalog.pg_user
+        WHERE usename = '${username}')
+    THEN
+        CREATE USER "${username}" LOGIN;
+    END IF;
+END
+\$body$
+EOF
+}
+
+function set_password() {
+    local user="$1" password="$2"
+    psql --command "ALTER USER \"${user}\" WITH ENCRYPTED PASSWORD '${password}';"
+}
+
 function set_passwords() {
   if [[ ",$postinitdb_actions," = *,simple_db,* ]]; then
-    psql --command "ALTER USER \"${POSTGRESQL_USER}\" WITH ENCRYPTED PASSWORD '${POSTGRESQL_PASSWORD}';"
+    set_password "$POSTGRESQL_USER" "$POSTGRESQL_PASSWORD"
   fi
 
   if [ -v POSTGRESQL_MASTER_USER ]; then
     psql --command "ALTER USER \"${POSTGRESQL_MASTER_USER}\" WITH REPLICATION;"
-    psql --command "ALTER USER \"${POSTGRESQL_MASTER_USER}\" WITH ENCRYPTED PASSWORD '${POSTGRESQL_MASTER_PASSWORD}';"
+    set_password "$POSTGRESQL_MASTER_USER" "$POSTGRESQL_MASTER_PASSWORD"
   fi
 
   if [ -v POSTGRESQL_ADMIN_PASSWORD ]; then
-    psql --command "ALTER USER \"postgres\" WITH ENCRYPTED PASSWORD '${POSTGRESQL_ADMIN_PASSWORD}';"
+    set_password postgres "$POSTGRESQL_ADMIN_PASSWORD"
   fi
+
+  # This does not check for recurring user names nor overlaps with passwords
+  # set above
+  for cred in /run/secrets/pgusers/*; do
+      if check_cred_secret "$cred"; then
+          local username; username="$(< "$cred/username" )"
+          local password; password="$(< "$cred/password" )"
+          create_user_if_not_exists "$username"
+          set_password "$username" "$password"
+      fi
+  done
 }
 
 function set_pgdata ()

From 28ec49675c7397060f6ac0953a5678086b4b73a6 Mon Sep 17 00:00:00 2001
From: Tobias Florek <tob@butter.sh>
Date: Thu, 29 Sep 2016 17:16:13 +0200
Subject: [PATCH 2/2] use variables to prohibit sql injection

---
 .../share/container-scripts/postgresql/common.sh   | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/9.5/root/usr/share/container-scripts/postgresql/common.sh b/9.5/root/usr/share/container-scripts/postgresql/common.sh
index 80d71b59..ce918c73 100644
--- a/9.5/root/usr/share/container-scripts/postgresql/common.sh
+++ b/9.5/root/usr/share/container-scripts/postgresql/common.sh
@@ -200,16 +200,15 @@ function create_users() {
 }
 
 create_user_if_not_exists() {
-    local username="$1"
-    psql <<EOF
+    psql --set user="$1" <<EOF
 DO
 \$body$
 BEGIN
     IF NOT EXISTS (
         SELECT * FROM pg_catalog.pg_user
-        WHERE usename = '${username}')
+        WHERE usename = :'user' )
     THEN
-        CREATE USER "${username}" LOGIN;
+        CREATE USER :"user" LOGIN;
     END IF;
 END
 \$body$
@@ -217,8 +216,8 @@ EOF
 }
 
 function set_password() {
-    local user="$1" password="$2"
-    psql --command "ALTER USER \"${user}\" WITH ENCRYPTED PASSWORD '${password}';"
+    psql --set user="$1" --set pass="$2" \
+        --command "ALTER USER :\"user\" WITH ENCRYPTED PASSWORD :'pass';"
 }
 
 function set_passwords() {
@@ -227,7 +226,8 @@ function set_passwords() {
   fi
 
   if [ -v POSTGRESQL_MASTER_USER ]; then
-    psql --command "ALTER USER \"${POSTGRESQL_MASTER_USER}\" WITH REPLICATION;"
+    psql --set user="$POSTGRESQL_MASTER_USER" \
+        --command "ALTER USER :\"user\" WITH REPLICATION;"
     set_password "$POSTGRESQL_MASTER_USER" "$POSTGRESQL_MASTER_PASSWORD"
   fi