supabase / supavisor / 22145415097
75%

DEFAULT BRANCH: main
Ran
Jobs 2
Files 73
Run time 1min
Badge
Embed ▾
README BADGES
x

If you need to use a raster PNG badge, change the '.svg' to '.png' in the link

Markdown

Textile

RDoc

HTML

Rst
coverage: 75.129% (+1.4%) from 73.729%
22145415097

push

github

web-flow 
feat: support jit access in supavisor (#725)

## What kind of change does this PR introduce?

Feature

Introduces support for Just-in-time (JIT) access via a Personal Access
Token (PAT) or JWT, which is validated against a remote API. This is
implemented as a separate tenant feature, since it is not a standard
postgres feature. The upstream tenant must also be configured for JIT,
which requires a PAM to be installed and configured in the pg_hba.

With JIT in use, a disconnect happens between what the server expects
for auth (pg_hba.conf) and what `pg_authid` stores for user auth. In
most cases pg_authid will have the credentials saved as scram-sha-256,
but with the use of PAM for authentication, the database uses
`AuthenticationCleartext_password`. For this reason, the Supavisor must
be made aware of the tenants changed auth, and we use a new `use_jit`
configuration value for the tenant. When this is active, the pooler will
use AuthenticationCleartext_password, and support either logging in with
the valid user password (which will be checked against the scram-sha-256
retrieved from pg_authid) or a PAT/JWT that is validated against the
upstream API server configured via `jit_api_url`.

Cached credentials keep working as before, except in the case of the
PAT/JWT, the check is always performed against the upstream API server.
This ensures that any revocation of JIT access is respected, alongside
the expiration/revocation of the auth tokens, something that happens
outside of the database.

## What is the current behavior?

Doesn't support JIT.

## What is the new behavior?

Supports JIT, allowing login with:

JWT:
```
psql 'postgresql://postgres.dev_tenant2:eyJhbGciOiJSUzI1NiIsImtpZCI6IjcyYjY2NjA1IiwidHlwIjoiSldUIn0.eyJhYWwiOiJhYWwyIiwiYW1yIjpbeyJtZXRob2QiOiJ0b3RwIiwidGltZXN0YW1wIjOnt9fQ.XbOq_XWg@localhost:6543/postgres'
```

PAT:
```
psql 'postgresql://postgres.dev_tenant2:sbp_39wBdIEXAMPLESdMIg@localhost:6543/postgres'
```

Password:

```
psql 'postgres... (continued)

87 of 102 new or added lines in 7 files covered. (85.29%)

4 existing lines in 3 files now uncovered.

2190 of 2915 relevant lines covered (75.13%)

4241.22 hits per line

New Missed Lines in Diff

Lines Coverage File
1
39.47
 -0.53% lib/supavisor/client_handler/error.ex
1
93.62
 8.22% lib/supavisor/secret_checker.ex
3
87.62
 4.02% lib/supavisor/db_handler.ex
3
59.15
 3.25% lib/supavisor/helpers.ex
7
79.66
 3.76% lib/supavisor/client_handler/auth.ex

Uncovered Existing Lines

Lines Coverage File
1
81.12
 0.91% lib/supavisor/client_handler.ex
1
70.37
 -3.7% lib/supavisor/metrics_cleaner.ex
2
79.66
 3.76% lib/supavisor/client_handler/auth.ex
Jobs
ID Job ID Ran Files Coverage
1 run-tests - 22145415097.1 73
71.97
 GitHub Action Run
2 run-integration - 22145415097.2 73
45.66
 GitHub Action Run
Source Files on build 22145415097