[DPE-5116] Add pgAudit (#688)

* Add pgAudit

Signed-off-by: Marcelo Henrique Neppel <marcelo.neppel@canonical.com>

* Fix extensions enablement on database request

Signed-off-by: Marcelo Henrique Neppel <marcelo.neppel@canonical.com>

* Make pgAudit work and add integration test

Signed-off-by: Marcelo Henrique Neppel <marcelo.neppel@canonical.com>

* Split integration tests

Signed-off-by: Marcelo Henrique Neppel <marcelo.neppel@canonical.com>

* Fix integration test

Signed-off-by: Marcelo Henrique Neppel <marcelo.neppel@canonical.com>

* Add unit tests

Signed-off-by: Marcelo Henrique Neppel <marcelo.neppel@canonical.com>

* Enable pgAudit by default

Signed-off-by: Marcelo Henrique Neppel <marcelo.neppel@canonical.com>

* Fix test_no_password_exposed_on_logs

Signed-off-by: Marcelo Henrique Neppel <marcelo.neppel@canonical.com>

* Enable/disable the plugin at the unit test

Signed-off-by: Marcelo Henrique Neppel <marcelo.neppel@canonical.com>

---------

Signed-off-by: Marcelo Henrique Neppel <marcelo.neppel@canonical.com>

Author: marceloneppel

config.yaml

@@ -303,6 +303,10 @@ options:
     default: false
     type: boolean
     description: Enable timescaledb extension
+  plugin_audit_enable:
+    default: true
+    type: boolean
+    description: Enable pgAudit extension
   profile:
    description: |
       Profile representing the scope of deployment, and used to tune resource allocation.

lib/charms/postgresql_k8s/v0/postgresql.py

@@ -36,7 +36,7 @@
 
 # Increment this PATCH version before using `charmcraft publish-lib` or reset
 # to 0 if you are raising the major API version
-LIBPATCH = 34
+LIBPATCH = 35
 
 INVALID_EXTRA_USER_ROLE_BLOCKING_MESSAGE = "invalid role(s) for extra user roles"
 
@@ -114,6 +114,25 @@ def __init__(
         self.database = database
         self.system_users = system_users
 
+    def _configure_pgaudit(self, enable: bool) -> None:
+        connection = None
+        try:
+            connection = self._connect_to_database()
+            connection.autocommit = True
+            with connection.cursor() as cursor:
+                if enable:
+                    cursor.execute("ALTER SYSTEM SET pgaudit.log = 'ROLE,DDL,MISC,MISC_SET';")
+                    cursor.execute("ALTER SYSTEM SET pgaudit.log_client TO off;")
+                    cursor.execute("ALTER SYSTEM SET pgaudit.log_parameter TO off")
+                else:
+                    cursor.execute("ALTER SYSTEM RESET pgaudit.log;")
+                    cursor.execute("ALTER SYSTEM RESET pgaudit.log_client;")
+                    cursor.execute("ALTER SYSTEM RESET pgaudit.log_parameter;")
+                cursor.execute("SELECT pg_reload_conf();")
+        finally:
+            if connection is not None:
+                connection.close()
+
     def _connect_to_database(
         self, database: str = None, database_host: str = None
     ) -> psycopg2.extensions.connection:
@@ -325,6 +344,7 @@ def enable_disable_extensions(self, extensions: Dict[str, bool], database: str =
                             if enable
                             else f"DROP EXTENSION IF EXISTS {extension};"
                         )
+            self._configure_pgaudit(ordered_extensions.get("pgaudit", False))
         except psycopg2.errors.UniqueViolation:
             pass
         except psycopg2.errors.DependentObjectsStillExist:

src/charm.py

@@ -91,13 +91,15 @@
     MONITORING_USER,
     PATRONI_PASSWORD_KEY,
     PEER,
+    PLUGIN_OVERRIDES,
     POSTGRES_LOG_FILES,
     REPLICATION_PASSWORD_KEY,
     REPLICATION_USER,
     REWIND_PASSWORD_KEY,
     SECRET_DELETED_LABEL,
     SECRET_INTERNAL_LABEL,
     SECRET_KEY_OVERRIDES,
+    SPI_MODULE,
     SYSTEM_USERS,
     TLS_CA_FILE,
     TLS_CERT_FILE,
@@ -663,8 +665,6 @@ def enable_disable_extensions(self, database: str = None) -> None:
         if self._patroni.get_primary() is None:
             logger.debug("Early exit enable_disable_extensions: standby cluster")
             return
-        spi_module = ["refint", "autoinc", "insert_username", "moddatetime"]
-        plugins_exception = {"uuid_ossp": '"uuid-ossp"'}
         original_status = self.unit.status
         extensions = {}
         # collect extensions
@@ -674,10 +674,10 @@ def enable_disable_extensions(self, database: str = None) -> None:
             # Enable or disable the plugin/extension.
             extension = "_".join(plugin.split("_")[1:-1])
             if extension == "spi":
-                for ext in spi_module:
+                for ext in SPI_MODULE:
                     extensions[ext] = enable
                 continue
-            extension = plugins_exception.get(extension, extension)
+            extension = PLUGIN_OVERRIDES.get(extension, extension)
             if self._check_extension_dependencies(extension, enable):
                 self.unit.status = BlockedStatus(EXTENSIONS_DEPENDENCY_MESSAGE)
                 return
@@ -2132,6 +2132,20 @@ def log_pitr_last_transaction_time(self) -> None:
         else:
             logger.error("Can't tell last completed transaction time")
 
+    def get_plugins(self) -> List[str]:
+        """Return a list of installed plugins."""
+        plugins = [
+            "_".join(plugin.split("_")[1:-1])
+            for plugin in self.config.plugin_keys()
+            if self.config[plugin]
+        ]
+        plugins = [PLUGIN_OVERRIDES.get(plugin, plugin) for plugin in plugins]
+        if "spi" in plugins:
+            plugins.remove("spi")
+            for ext in SPI_MODULE:
+                plugins.append(ext)
+        return plugins
+
 
 if __name__ == "__main__":
     main(PostgresqlOperatorCharm, use_juju_for_storage=True)

src/config.py

@@ -34,6 +34,7 @@ class CharmConfig(BaseConfigModel):
     optimizer_join_collapse_limit: Optional[int]
     profile: str
     profile_limit_memory: Optional[int]
+    plugin_audit_enable: bool
     plugin_citext_enable: bool
     plugin_debversion_enable: bool
     plugin_hstore_enable: bool

src/constants.py

@@ -42,6 +42,9 @@
 
 SECRET_KEY_OVERRIDES = {"ca": "cauth"}
 BACKUP_TYPE_OVERRIDES = {"full": "full", "differential": "diff", "incremental": "incr"}
+PLUGIN_OVERRIDES = {"audit": "pgaudit", "uuid_ossp": '"uuid-ossp"'}
+
+SPI_MODULE = ["refint", "autoinc", "insert_username", "moddatetime"]
 
 TRACING_RELATION_NAME = "tracing"
 TRACING_PROTOCOL = "otlp_http"

src/relations/db.py

@@ -22,7 +22,11 @@
 from ops.model import ActiveStatus, BlockedStatus, Relation, Unit
 from pgconnstr import ConnectionString
 
-from constants import ALL_LEGACY_RELATIONS, DATABASE_PORT, ENDPOINT_SIMULTANEOUSLY_BLOCKING_MESSAGE
+from constants import (
+    ALL_LEGACY_RELATIONS,
+    DATABASE_PORT,
+    ENDPOINT_SIMULTANEOUSLY_BLOCKING_MESSAGE,
+)
 from utils import new_password
 
 logger = logging.getLogger(__name__)
@@ -176,11 +180,7 @@ def set_up_relation(self, relation: Relation) -> bool:
             user = f"relation_id_{relation.id}"
             password = unit_relation_databag.get("password", new_password())
             self.charm.postgresql.create_user(user, password, self.admin)
-            plugins = [
-                "_".join(plugin.split("_")[1:-1])
-                for plugin in self.charm.config.plugin_keys()
-                if self.charm.config[plugin]
-            ]
+            plugins = self.charm.get_plugins()
 
             self.charm.postgresql.create_database(
                 database, user, plugins=plugins, client_relations=self.charm.client_relations

src/relations/postgresql_provider.py

@@ -20,7 +20,10 @@
 from ops.framework import Object
 from ops.model import ActiveStatus, BlockedStatus, Relation
 
-from constants import DATABASE_PORT, ENDPOINT_SIMULTANEOUSLY_BLOCKING_MESSAGE
+from constants import (
+    DATABASE_PORT,
+    ENDPOINT_SIMULTANEOUSLY_BLOCKING_MESSAGE,
+)
 from utils import new_password
 
 logger = logging.getLogger(__name__)
@@ -87,11 +90,7 @@ def _on_database_requested(self, event: DatabaseRequestedEvent) -> None:
             user = f"relation_id_{event.relation.id}"
             password = new_password()
             self.charm.postgresql.create_user(user, password, extra_user_roles=extra_user_roles)
-            plugins = [
-                "_".join(plugin.split("_")[1:-1])
-                for plugin in self.charm.config.plugin_keys()
-                if self.charm.config[plugin]
-            ]
+            plugins = self.charm.get_plugins()
 
             self.charm.postgresql.create_database(
                 database, user, plugins=plugins, client_relations=self.charm.client_relations

templates/patroni.yml.j2

@@ -40,7 +40,7 @@ bootstrap:
         log_truncate_on_rotation: 'on'
         logging_collector: 'on'
         wal_level: logical
-        shared_preload_libraries: 'timescaledb'
+        shared_preload_libraries: 'timescaledb,pgaudit'
         {%- if pg_parameters %}
         {%- for key, value in pg_parameters.items() %}
         {{key}}: {{value}}

tests/integration/test_audit.py

@@ -0,0 +1,97 @@
+#!/usr/bin/env python3
+# Copyright 2024 Canonical Ltd.
+# See LICENSE file for licensing details.
+import asyncio
+import logging
+
+import psycopg2 as psycopg2
+import pytest as pytest
+from pytest_operator.plugin import OpsTest
+from tenacity import Retrying, stop_after_delay, wait_fixed
+
+from .helpers import (
+    APPLICATION_NAME,
+    DATABASE_APP_NAME,
+    build_and_deploy,
+    run_command_on_unit,
+)
+from .new_relations.helpers import build_connection_string
+
+logger = logging.getLogger(__name__)
+
+RELATION_ENDPOINT = "database"
+
+
+@pytest.mark.group(1)
+@pytest.mark.abort_on_fail
+async def test_audit_plugin(ops_test: OpsTest) -> None:
+    """Test the audit plugin."""
+    await asyncio.gather(build_and_deploy(ops_test, 1), ops_test.model.deploy(APPLICATION_NAME))
+    await ops_test.model.relate(f"{APPLICATION_NAME}:{RELATION_ENDPOINT}", DATABASE_APP_NAME)
+    async with ops_test.fast_forward():
+        await ops_test.model.wait_for_idle(
+            apps=[APPLICATION_NAME, DATABASE_APP_NAME], status="active"
+        )
+
+    logger.info("Checking that the audit plugin is enabled")
+    connection_string = await build_connection_string(
+        ops_test, APPLICATION_NAME, RELATION_ENDPOINT
+    )
+    connection = None
+    try:
+        connection = psycopg2.connect(connection_string)
+        with connection.cursor() as cursor:
+            cursor.execute("CREATE TABLE test2(value TEXT);")
+            cursor.execute("GRANT SELECT ON test2 TO PUBLIC;")
+            cursor.execute("SET TIME ZONE 'Europe/Rome';")
+    finally:
+        if connection is not None:
+            connection.close()
+    unit_name = f"{DATABASE_APP_NAME}/0"
+    for attempt in Retrying(stop=stop_after_delay(90), wait=wait_fixed(10), reraise=True):
+        with attempt:
+            try:
+                logs = await run_command_on_unit(
+                    ops_test,
+                    unit_name,
+                    "grep AUDIT /var/log/postgresql/postgresql-*.log",
+                )
+                assert "MISC,BEGIN,,,BEGIN" in logs
+                assert (
+                    "DDL,CREATE TABLE,TABLE,public.test2,CREATE TABLE test2(value TEXT);" in logs
+                )
+                assert "ROLE,GRANT,TABLE,,GRANT SELECT ON test2 TO PUBLIC;" in logs
+                assert "MISC,SET,,,SET TIME ZONE 'Europe/Rome';" in logs
+            except Exception:
+                assert False, "Audit logs were not found when the plugin is enabled."
+
+    logger.info("Disabling the audit plugin")
+    await ops_test.model.applications[DATABASE_APP_NAME].set_config({
+        "plugin_audit_enable": "False"
+    })
+    await ops_test.model.wait_for_idle(apps=[DATABASE_APP_NAME], status="active")
+
+    logger.info("Removing the previous logs")
+    await run_command_on_unit(ops_test, unit_name, "rm /var/log/postgresql/postgresql-*.log")
+
+    logger.info("Checking that the audit plugin is disabled")
+    try:
+        connection = psycopg2.connect(connection_string)
+        with connection.cursor() as cursor:
+            cursor.execute("CREATE TABLE test1(value TEXT);")
+            cursor.execute("GRANT SELECT ON test1 TO PUBLIC;")
+            cursor.execute("SET TIME ZONE 'Europe/Rome';")
+    finally:
+        if connection is not None:
+            connection.close()
+    try:
+        logs = await run_command_on_unit(
+            ops_test,
+            unit_name,
+            "grep AUDIT /var/log/postgresql/postgresql-*.log",
+        )
+    except Exception:
+        pass
+    else:
+        logger.info(f"Logs: {logs}")
+        assert False, "Audit logs were found when the plugin is disabled."

tests/integration/test_password_rotation.py

@@ -2,6 +2,7 @@
 # Copyright 2022 Canonical Ltd.
 # See LICENSE file for licensing details.
 import json
+import re
 import time
 
 import psycopg2
@@ -180,4 +181,8 @@ async def test_no_password_exposed_on_logs(ops_test: OpsTest) -> None:
             )
         except Exception:
             continue
-        assert len(logs) == 0, f"Sensitive information detected on {unit.name} logs"
+        regex = re.compile("(PASSWORD )(?!<REDACTED>)")
+        logs_without_false_positives = regex.findall(logs)
+        assert (
+            len(logs_without_false_positives) == 0
+        ), f"Sensitive information detected on {unit.name} logs"