From 486be542410a04b879e56aa7fbaa3fe33ada7622 Mon Sep 17 00:00:00 2001 From: Etienne Stalmans Date: Mon, 25 Aug 2025 16:32:09 +0200 Subject: [PATCH 01/23] feat: add gatekeeper --- flake.lock | 426 --------------------------------------- flake.nix | 16 +- nix/internal/default.nix | 40 ++++ 3 files changed, 55 insertions(+), 427 deletions(-) delete mode 100644 flake.lock create mode 100644 nix/internal/default.nix diff --git a/flake.lock b/flake.lock deleted file mode 100644 index 9d2865e1d..000000000 --- a/flake.lock +++ /dev/null 
@@ -1,426 +0,0 @@ -{ - "nodes": { - "flake-compat": { - "flake": false, - "locked": { - "lastModified": 1696426674, - "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", - "owner": "edolstra", - "repo": "flake-compat", - "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", - "type": "github" - }, - "original": { - "owner": "edolstra", - "repo": "flake-compat", - "type": "github" - } - }, - "flake-parts": { - "inputs": { - "nixpkgs-lib": "nixpkgs-lib" - }, - "locked": { - "lastModified": 1749398372, - "narHash": "sha256-tYBdgS56eXYaWVW3fsnPQ/nFlgWi/Z2Ymhyu21zVM98=", - "owner": "hercules-ci", - "repo": "flake-parts", - "rev": "9305fe4e5c2a6fcf5ba6a3ff155720fbe4076569", - "type": "github" - }, - "original": { - "owner": "hercules-ci", - "repo": "flake-parts", - "type": "github" - } - }, - "flake-parts_2": { - "inputs": { - "nixpkgs-lib": [ - "nix-fast-build", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1749398372, - "narHash": "sha256-tYBdgS56eXYaWVW3fsnPQ/nFlgWi/Z2Ymhyu21zVM98=", - "owner": "hercules-ci", - "repo": "flake-parts", - "rev": "9305fe4e5c2a6fcf5ba6a3ff155720fbe4076569", - "type": "github" - }, - "original": { - "owner": "hercules-ci", - "repo": "flake-parts", - "type": "github" - } - }, - "flake-utils": { - "inputs": { - "systems": "systems" - }, - "locked": { - "lastModified": 1705309234, - "narHash": "sha256-uNRRNRKmJyCRC/8y1RqBkqWBLM034y4qN7EprSdmgyA=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "1ef2e671c3b0c19053962c07dbda38332dcebf26", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "flake-utils", - "type": "github" - } - }, - "flake-utils_2": { - "inputs": { - "systems": "systems_2" - }, - "locked": { - "lastModified": 1694529238, - "narHash": "sha256-zsNZZGTGnMOf9YpHKJqMSsa0dXbfmxeoJ7xHlrt+xmY=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "ff7b65b44d01cf9ba6a71320833626af21126384", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "flake-utils", - "type": 
"github" - } - }, - "git-hooks": { - "inputs": { - "flake-compat": "flake-compat", - "gitignore": "gitignore", - "nixpkgs": [ - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1750779888, - "narHash": "sha256-wibppH3g/E2lxU43ZQHC5yA/7kIKLGxVEnsnVK1BtRg=", - "owner": "cachix", - "repo": "git-hooks.nix", - "rev": "16ec914f6fb6f599ce988427d9d94efddf25fe6d", - "type": "github" - }, - "original": { - "owner": "cachix", - "repo": "git-hooks.nix", - "type": "github" - } - }, - "gitignore": { - "inputs": { - "nixpkgs": [ - "git-hooks", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1709087332, - "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=", - "owner": "hercules-ci", - "repo": "gitignore.nix", - "rev": "637db329424fd7e46cf4185293b9cc8c88c95394", - "type": "github" - }, - "original": { - "owner": "hercules-ci", - "repo": "gitignore.nix", - "type": "github" - } - }, - "nix-editor": { - "inputs": { - "nixpkgs": "nixpkgs", - "utils": "utils" - }, - "locked": { - "lastModified": 1703105021, - "narHash": "sha256-Ne9NG7x45a8aJyAN+yYWbr/6mQHBVVkwZZ72EZHHRqw=", - "owner": "snowfallorg", - "repo": "nix-editor", - "rev": "b5017f8d61753ce6a3a1a2aa7e474d59146a8ae3", - "type": "github" - }, - "original": { - "owner": "snowfallorg", - "repo": "nix-editor", - "type": "github" - } - }, - "nix-fast-build": { - "inputs": { - "flake-parts": "flake-parts_2", - "nixpkgs": "nixpkgs_2", - "treefmt-nix": "treefmt-nix" - }, - "locked": { - "lastModified": 1749427739, - "narHash": "sha256-Nm0oMqFNRnJsiZYeNChmefmjeVCOzngikpSQhgs7iXI=", - "owner": "Mic92", - "repo": "nix-fast-build", - "rev": "b1dae483ab7d4139a6297e02b6de9e5d30e43d48", - "type": "github" - }, - "original": { - "owner": "Mic92", - "repo": "nix-fast-build", - "type": "github" - } - }, - "nix2container": { - "inputs": { - "flake-utils": "flake-utils_2", - "nixpkgs": "nixpkgs_3" - }, - "locked": { - "lastModified": 1708764364, - "narHash": "sha256-+pOtDvmuVTg0Gi58hKDUyrNla5NbyUvt3Xs3gLR0Fws=", - "owner": 
"nlewo", - "repo": "nix2container", - "rev": "c891f90d2e3c48a6b33466c96e4851e0fc0cf455", - "type": "github" - }, - "original": { - "owner": "nlewo", - "repo": "nix2container", - "type": "github" - } - }, - "nixpkgs": { - "locked": { - "lastModified": 1675673983, - "narHash": "sha256-8hzNh1jtiPxL5r3ICNzSmpSzV7kGb3KwX+FS5BWJUTo=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "5a350a8f31bb7ef0c6e79aea3795a890cf7743d4", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixos-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs-go124": { - "locked": { - "lastModified": 1754085309, - "narHash": "sha256-3RTSdhnqTcxS5wjKNEBpbt0hiSKfBZiQPlWHn90N1qQ=", - "owner": "Nixos", - "repo": "nixpkgs", - "rev": "d2ac4dfa61fba987a84a0a81555da57ae0b9a2b0", - "type": "github" - }, - "original": { - "owner": "Nixos", - "repo": "nixpkgs", - "rev": "d2ac4dfa61fba987a84a0a81555da57ae0b9a2b0", - "type": "github" - } - }, - "nixpkgs-lib": { - "locked": { - "lastModified": 1750555020, - "narHash": "sha256-/MjivcZIz8dyLOTFdJzS5Yazt2QCePQBh8uZooODaYw=", - "owner": "nix-community", - "repo": "nixpkgs.lib", - "rev": "6fb7349157ee1bffd053b1fdd454aa74ff7b4aee", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "nixpkgs.lib", - "type": "github" - } - }, - "nixpkgs_2": { - "locked": { - "lastModified": 1749411262, - "narHash": "sha256-gRBkeW9l5lb/90lv1waQFNT+18OhITs11HENarh6vNo=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "0fc422d6c394191338c9d6a05786c63fc52a0f29", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixos-unstable-small", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_3": { - "locked": { - "lastModified": 1697269602, - "narHash": "sha256-dSzV7Ud+JH4DPVD9od53EgDrxUVQOcSj4KGjggCDVJI=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "9cb540e9c1910d74a7e10736277f6eb9dff51c81", - "type": "github" - }, - "original": { - "owner": "NixOS", - "repo": "nixpkgs", - "type": "github" - } 
- }, - "nixpkgs_4": { - "locked": { - "lastModified": 1712666087, - "narHash": "sha256-WwjUkWsjlU8iUImbivlYxNyMB1L5YVqE8QotQdL9jWc=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "a76c4553d7e741e17f289224eda135423de0491d", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixpkgs-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_5": { - "locked": { - "lastModified": 1744536153, - "narHash": "sha256-awS2zRgF4uTwrOKwwiJcByDzDOdo3Q1rPZbiHQg/N38=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "18dd725c29603f582cf1900e0d25f9f1063dbf11", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixpkgs-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "root": { - "inputs": { - "flake-parts": "flake-parts", - "flake-utils": "flake-utils", - "git-hooks": "git-hooks", - "nix-editor": "nix-editor", - "nix-fast-build": "nix-fast-build", - "nix2container": "nix2container", - "nixpkgs": "nixpkgs_4", - "nixpkgs-go124": "nixpkgs-go124", - "rust-overlay": "rust-overlay", - "treefmt-nix": "treefmt-nix_2" - } - }, - "rust-overlay": { - "inputs": { - "nixpkgs": "nixpkgs_5" - }, - "locked": { - "lastModified": 1749609482, - "narHash": "sha256-R+Y3tXIUAMosrgo/ynhIUPEONZ+cM0ScbgN7KA8OkoE=", - "owner": "oxalica", - "repo": "rust-overlay", - "rev": "a17da8deb943e7c8b4151914abbfe33d5a4e5b0d", - "type": "github" - }, - "original": { - "owner": "oxalica", - "repo": "rust-overlay", - "type": "github" - } - }, - "systems": { - "locked": { - "lastModified": 1681028828, - "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", - "owner": "nix-systems", - "repo": "default", - "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default", - "type": "github" - } - }, - "systems_2": { - "locked": { - "lastModified": 1681028828, - "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", - "owner": "nix-systems", - "repo": "default", - 
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default", - "type": "github" - } - }, - "treefmt-nix": { - "inputs": { - "nixpkgs": [ - "nix-fast-build", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1749194973, - "narHash": "sha256-eEy8cuS0mZ2j/r/FE0/LYBSBcIs/MKOIVakwHVuqTfk=", - "owner": "numtide", - "repo": "treefmt-nix", - "rev": "a05be418a1af1198ca0f63facb13c985db4cb3c5", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "treefmt-nix", - "type": "github" - } - }, - "treefmt-nix_2": { - "inputs": { - "nixpkgs": [ - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1750931469, - "narHash": "sha256-0IEdQB1nS+uViQw4k3VGUXntjkDp7aAlqcxdewb/hAc=", - "owner": "numtide", - "repo": "treefmt-nix", - "rev": "ac8e6f32e11e9c7f153823abc3ab007f2a65d3e1", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "treefmt-nix", - "type": "github" - } - }, - "utils": { - "locked": { - "lastModified": 1667395993, - "narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "flake-utils", - "type": "github" - } - } - }, - "root": "root", - "version": 7 -} diff --git a/flake.nix b/flake.nix index db14dac9a..ca5d080f2 100644 --- a/flake.nix +++ b/flake.nix 
@@ -14,17 +14,20 @@ git-hooks.url = "github:cachix/git-hooks.nix"; git-hooks.inputs.nixpkgs.follows = "nixpkgs"; nixpkgs-go124.url = "github:Nixos/nixpkgs/d2ac4dfa61fba987a84a0a81555da57ae0b9a2b0"; + gatekeeper.url = "git+ssh://git@github.com/supabase/jit-db-gatekeeper?ref=dev"; }; outputs = { flake-utils, ... }@inputs: - inputs.flake-parts.lib.mkFlake { inherit inputs; } (_: { + inputs.flake-parts.lib.mkFlake { inherit inputs; } (args: let systems = with flake-utils.lib; [ system.x86_64-linux system.aarch64-linux system.aarch64-darwin ]; + in { + systems = systems; imports = [ nix/apps.nix nix/checks.nix @@ -37,5 +40,16 @@ nix/packages nix/overlays ]; + + packages = builtins.listToAttrs (map (system: + let + pkgs = import inputs.nixpkgs { inherit system; }; + in { + name = system; + value = { + pamModule = inputs.gatekeeper.packages.${system}.default; + }; + }) systems ); + }); } diff --git a/nix/internal/default.nix b/nix/internal/default.nix new file mode 100644 index 000000000..faa96e082 --- /dev/null +++ b/nix/internal/default.nix @@ -0,0 +1,40 @@ +{ + description = "Gatekeeper PAM"; + + inputs = { + nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable"; + + gatekeeper.url = "git+ssh://git@github.com/supabase/jit-db-gatekeeper"; + }; + + outputs = { self, nixpkgs, gatekeeper }: + let + pkgs = import nixpkgs { system = "x86_64-linux"; }; + in { + packages.x86_64-linux.default = pkgs.stdenv.mkDerivation { + pname = "gatekeeper"; + version = "0.1.0"; + + # Use lib/include from your module + buildInputs = [ gatekeeper.packages.x86_64-linux.default ]; + + src = ./.; + }; + }; +} + +{ stdenv, go, gcc, pamModulePackage, ... }: + +stdenv.mkDerivation { + pname = "consumer"; + version = "0.1.0"; + + buildInputs = [ + pamModulePackage # this brings in the .so, headers, etc. + ]; + + buildPhase = '' + echo "Building consumer project..." + ls -lh ${pamModulePackage}/lib/security + ''; +} \ No newline at end of file 
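Review bot: The new `gatekeeper` input tracks a mutable branch (`?ref=dev`) with no `rev=`, and this same commit deletes `flake.lock`, so nothing pins which revision of the private repo is built; every fresh evaluation fetches whatever `dev` points at, which breaks reproducibility and removes the narHash check on a PAM module that ends up in the auth path. Pin the input with an explicit revision, e.g. `gatekeeper.url = "git+ssh://git@github.com/supabase/jit-db-gatekeeper?ref=dev&rev=<PINNED_REV>";` (placeholder), and keep a committed `flake.lock`. The input also lacks `gatekeeper.inputs.nixpkgs.follows = "nixpkgs";`, so it will carry its own nixpkgs pin alongside the root one.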
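Review bot: `packages = builtins.listToAttrs (map (system: ...) systems)` is set at the top level of the flake-parts module, where as far as I can tell `packages` is not a declared option — flake-parts exposes per-system outputs through `perSystem.packages` and raw outputs through `flake.packages` — so module evaluation would likely fail on an undefined option. The equivalent in flake-parts style is `perSystem = { system, ... }: { packages.gatekeeper = inputs.gatekeeper.packages.${system}.default; };`. Inside the map, `pkgs = import inputs.nixpkgs { inherit system; };` is bound but never used and can be dropped, and `systems = systems;` reads better as `inherit systems;`.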
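Review bot: `nix/internal/default.nix` holds two top-level expressions — the flake attrset that closes after `outputs`, followed by the function `{ stdenv, go, gcc, pamModulePackage, ... }: stdenv.mkDerivation { ... }` — and a Nix file can contain only one expression, so the file cannot be parsed. It is also not referenced from the `imports` list in flake.nix, a nested flake under `nix/internal/` would need its own lock, and its inner `gatekeeper.url` carries neither `ref` nor `rev`. Either keep only the package function (with the unused `go` and `gcc` arguments removed) and wire it into `nix/packages`, or drop the file; in any case add the trailing newline flagged by `\ No newline at end of file`.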
From b53d931e417883a31792f1bf8970046b73d8ca1e Mon Sep 17 00:00:00 2001 From: Etienne Stalmans Date: Mon, 25 Aug 2025 17:24:07 +0200 Subject: [PATCH 02/23] test: custom flake --- flake.lock | 429 +++++++++++++++++++++++++++++++++++++++++++++++++++++ flake.nix | 10 +- 2 files changed, 434 insertions(+), 5 deletions(-) create mode 100644 flake.lock diff --git a/flake.lock b/flake.lock new file mode 100644 index 000000000..e688331a7 --- /dev/null +++ b/flake.lock 
@@ -0,0 +1,429 @@ +{ + "nodes": { + "flake-compat": { + "flake": false, + "locked": { + "lastModified": 1747046372, + "narHash": "sha256-CIVLLkVgvHYbgI2UpXvIIBJ12HWgX+fjA8Xf8PUmqCY=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "9100a0f413b0c601e0533d1d94ffd501ce2e7885", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, + "flake-parts": { + "inputs": { + "nixpkgs-lib": "nixpkgs-lib" + }, + "locked": { + "lastModified": 1754487366, + "narHash": "sha256-pHYj8gUBapuUzKV/kN/tR3Zvqc7o6gdFB9XKXIp1SQ8=", + "owner": "hercules-ci", + "repo": "flake-parts", + "rev": "af66ad14b28a127c5c0f3bbb298218fc63528a18", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "flake-parts", + "type": "github" + } + }, + "flake-parts_2": { + "inputs": { + "nixpkgs-lib": [ + "nix-fast-build", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1754487366, + "narHash": "sha256-pHYj8gUBapuUzKV/kN/tR3Zvqc7o6gdFB9XKXIp1SQ8=", + "owner": "hercules-ci", + "repo": "flake-parts", + "rev": "af66ad14b28a127c5c0f3bbb298218fc63528a18", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "flake-parts", + "type": "github" + } + }, + "flake-utils": { + "inputs": { + "systems": "systems" + }, + "locked": { + "lastModified": 1731533236, + "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "gatekeeper": { + "inputs": { + "nixpkgs": "nixpkgs" + }, + "locked": { + "lastModified": 1756134452, + "narHash": "sha256-h66I9Fdr59Vs9J03yFIo2ie98y9Ftgq6u6zHyxHnLU0=", + "ref": "dev", + "rev": "b62c6be7385048488c5a73b749ff7346188ca941", + "revCount": 18, + "type": "git", + "url": "ssh://git@github.com/supabase/jit-db-gatekeeper" + }, + "original": { + "ref": "dev", + 
"rev": "b62c6be7385048488c5a73b749ff7346188ca941", + "type": "git", + "url": "ssh://git@github.com/supabase/jit-db-gatekeeper" + } + }, + "git-hooks": { + "inputs": { + "flake-compat": "flake-compat", + "gitignore": "gitignore", + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1755960406, + "narHash": "sha256-RF7j6C1TmSTK9tYWO6CdEMtg6XZaUKcvZwOCD2SICZs=", + "owner": "cachix", + "repo": "git-hooks.nix", + "rev": "e891a93b193fcaf2fc8012d890dc7f0befe86ec2", + "type": "github" + }, + "original": { + "owner": "cachix", + "repo": "git-hooks.nix", + "type": "github" + } + }, + "gitignore": { + "inputs": { + "nixpkgs": [ + "git-hooks", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1709087332, + "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=", + "owner": "hercules-ci", + "repo": "gitignore.nix", + "rev": "637db329424fd7e46cf4185293b9cc8c88c95394", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "gitignore.nix", + "type": "github" + } + }, + "nix-editor": { + "inputs": { + "nixpkgs": "nixpkgs_2", + "utils": "utils" + }, + "locked": { + "lastModified": 1703105021, + "narHash": "sha256-Ne9NG7x45a8aJyAN+yYWbr/6mQHBVVkwZZ72EZHHRqw=", + "owner": "snowfallorg", + "repo": "nix-editor", + "rev": "b5017f8d61753ce6a3a1a2aa7e474d59146a8ae3", + "type": "github" + }, + "original": { + "owner": "snowfallorg", + "repo": "nix-editor", + "type": "github" + } + }, + "nix-fast-build": { + "inputs": { + "flake-parts": "flake-parts_2", + "nixpkgs": "nixpkgs_3", + "treefmt-nix": "treefmt-nix" + }, + "locked": { + "lastModified": 1756006459, + "narHash": "sha256-J+ogyZPv0myEH32pCn4U2nWbfZs0wGDmJSWoebjChmA=", + "owner": "Mic92", + "repo": "nix-fast-build", + "rev": "d669000b43097c4d1d237be9f32500cd00a5a0a0", + "type": "github" + }, + "original": { + "owner": "Mic92", + "repo": "nix-fast-build", + "type": "github" + } + }, + "nix2container": { + "inputs": { + "nixpkgs": "nixpkgs_4" + }, + "locked": { + "lastModified": 1752002763, 
+ "narHash": "sha256-JYAkdZvpdSx9GUoHPArctYMypSONob4DYKRkOubUWtY=", + "owner": "nlewo", + "repo": "nix2container", + "rev": "4f2437f6a1844b843b380d483087ae6d461240ee", + "type": "github" + }, + "original": { + "owner": "nlewo", + "repo": "nix2container", + "type": "github" + } + }, + "nixpkgs": { + "locked": { + "lastModified": 1753939845, + "narHash": "sha256-K2ViRJfdVGE8tpJejs8Qpvvejks1+A4GQej/lBk5y7I=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "94def634a20494ee057c76998843c015909d6311", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs-go124": { + "locked": { + "lastModified": 1754085309, + "narHash": "sha256-3RTSdhnqTcxS5wjKNEBpbt0hiSKfBZiQPlWHn90N1qQ=", + "owner": "Nixos", + "repo": "nixpkgs", + "rev": "d2ac4dfa61fba987a84a0a81555da57ae0b9a2b0", + "type": "github" + }, + "original": { + "owner": "Nixos", + "repo": "nixpkgs", + "rev": "d2ac4dfa61fba987a84a0a81555da57ae0b9a2b0", + "type": "github" + } + }, + "nixpkgs-lib": { + "locked": { + "lastModified": 1753579242, + "narHash": "sha256-zvaMGVn14/Zz8hnp4VWT9xVnhc8vuL3TStRqwk22biA=", + "owner": "nix-community", + "repo": "nixpkgs.lib", + "rev": "0f36c44e01a6129be94e3ade315a5883f0228a6e", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "nixpkgs.lib", + "type": "github" + } + }, + "nixpkgs_2": { + "locked": { + "lastModified": 1675673983, + "narHash": "sha256-8hzNh1jtiPxL5r3ICNzSmpSzV7kGb3KwX+FS5BWJUTo=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "5a350a8f31bb7ef0c6e79aea3795a890cf7743d4", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_3": { + "locked": { + "lastModified": 1755963616, + "narHash": "sha256-6yD0ww/S8n+U2uPYcJZ3DRURP8Kx036GRpR2uPNZroE=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "73e96df7cff5783f45e21342a75a1540c4eddce4", + "type": "github" + }, + 
"original": { + "owner": "NixOS", + "ref": "nixos-unstable-small", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_4": { + "locked": { + "lastModified": 1748984911, + "narHash": "sha256-fih/mdPI8f1CR+FKMhcsyfFzbARoVDrlxwoa694XIkw=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "3731ffed14674a8567af4b05575a87adf0b38030", + "type": "github" + }, + "original": { + "owner": "NixOS", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_5": { + "locked": { + "lastModified": 1756035328, + "narHash": "sha256-vC7SslUBCtdT3T37ZH3PLIWYmTkSeppL5BJJByUjYCM=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "6b0b1559e918d4f7d1df398ee1d33aeac586d4d6", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixpkgs-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_6": { + "locked": { + "lastModified": 1744536153, + "narHash": "sha256-awS2zRgF4uTwrOKwwiJcByDzDOdo3Q1rPZbiHQg/N38=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "18dd725c29603f582cf1900e0d25f9f1063dbf11", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixpkgs-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "root": { + "inputs": { + "flake-parts": "flake-parts", + "flake-utils": "flake-utils", + "gatekeeper": "gatekeeper", + "git-hooks": "git-hooks", + "nix-editor": "nix-editor", + "nix-fast-build": "nix-fast-build", + "nix2container": "nix2container", + "nixpkgs": "nixpkgs_5", + "nixpkgs-go124": "nixpkgs-go124", + "rust-overlay": "rust-overlay", + "treefmt-nix": "treefmt-nix_2" + } + }, + "rust-overlay": { + "inputs": { + "nixpkgs": "nixpkgs_6" + }, + "locked": { + "lastModified": 1756089517, + "narHash": "sha256-KGinVKturJFPrRebgvyUB1BUNqf1y9FN+tSJaTPlnFE=", + "owner": "oxalica", + "repo": "rust-overlay", + "rev": "44774c8c83cd392c50914f86e1ff75ef8619f1cd", + "type": "github" + }, + "original": { + "owner": "oxalica", + "repo": "rust-overlay", + "type": "github" + } + }, + "systems": { + "locked": { + "lastModified": 
1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, + "treefmt-nix": { + "inputs": { + "nixpkgs": [ + "nix-fast-build", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1755934250, + "narHash": "sha256-CsDojnMgYsfshQw3t4zjRUkmMmUdZGthl16bXVWgRYU=", + "owner": "numtide", + "repo": "treefmt-nix", + "rev": "74e1a52d5bd9430312f8d1b8b0354c92c17453e5", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "treefmt-nix", + "type": "github" + } + }, + "treefmt-nix_2": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1755934250, + "narHash": "sha256-CsDojnMgYsfshQw3t4zjRUkmMmUdZGthl16bXVWgRYU=", + "owner": "numtide", + "repo": "treefmt-nix", + "rev": "74e1a52d5bd9430312f8d1b8b0354c92c17453e5", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "treefmt-nix", + "type": "github" + } + }, + "utils": { + "locked": { + "lastModified": 1667395993, + "narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + } + }, + "root": "root", + "version": 7 +} diff --git a/flake.nix b/flake.nix index ca5d080f2..af277c789 100644 --- a/flake.nix +++ b/flake.nix 
@@ -14,20 +14,20 @@ git-hooks.url = "github:cachix/git-hooks.nix"; git-hooks.inputs.nixpkgs.follows = "nixpkgs"; nixpkgs-go124.url = "github:Nixos/nixpkgs/d2ac4dfa61fba987a84a0a81555da57ae0b9a2b0"; - gatekeeper.url = "git+ssh://git@github.com/supabase/jit-db-gatekeeper?ref=dev"; + gatekeeper.url = "git+ssh://git@github.com/supabase/jit-db-gatekeeper?ref=dev&rev=b62c6be7385048488c5a73b749ff7346188ca941"; }; outputs = { flake-utils, ... }@inputs: - inputs.flake-parts.lib.mkFlake { inherit inputs; } (args: let + inputs.flake-parts.lib.mkFlake { inherit inputs; } (_args: let systems = with flake-utils.lib; [ system.x86_64-linux system.aarch64-linux system.aarch64-darwin ]; - in { + in rec { + - systems = systems; imports = [ nix/apps.nix nix/checks.nix @@ -47,7 +47,7 @@ in { name = system; value = { - pamModule = inputs.gatekeeper.packages.${system}.default; + gatekeeper = inputs.gatekeeper.packages.${system}.default; }; }) systems ); From 183256ffb976e5bc0748707ba46784a150cfe287 Mon Sep 17 00:00:00 2001 From: Sam Rose Date: Mon, 25 Aug 2025 15:24:52 -0400 Subject: [PATCH 03/23] feat: use gatekeeper package from upstream private repo --- flake.lock | 206 +++++++++++++++++++++++------------- flake.nix | 18 +--- nix/internal/default.nix | 40 ------- nix/packages/default.nix | 5 +- nix/packages/gatekeeper.nix | 11 ++ 5 files changed, 148 insertions(+), 132 deletions(-) delete mode 100644 nix/internal/default.nix create mode 100644 nix/packages/gatekeeper.nix diff --git a/flake.lock b/flake.lock index e688331a7..e7cd62b51 100644 --- a/flake.lock +++ b/flake.lock 
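Review bot: `in rec {` is unnecessary and the same edit removes `systems = systems;`, so the flake-parts `systems` option is no longer set even though the let-bound `systems` is still used by the `packages` map; as far as I can tell flake-parts needs `systems` for `perSystem` evaluation. Nothing in the attrset references a sibling attribute, so `rec` does nothing here; write `in {` followed by `inherit systems;` in place of `in rec {`, the stray added blank line, and the removed assignment. Pinning `rev=b62c6be7385048488c5a73b749ff7346188ca941` next to `ref=dev` matches the new lockfile and restores a fixed revision for the private input.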
@@ -3,11 +3,11 @@ "flake-compat": { "flake": false, "locked": { - "lastModified": 1747046372, - "narHash": "sha256-CIVLLkVgvHYbgI2UpXvIIBJ12HWgX+fjA8Xf8PUmqCY=", + "lastModified": 1696426674, + "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", "owner": "edolstra", "repo": "flake-compat", - "rev": "9100a0f413b0c601e0533d1d94ffd501ce2e7885", + "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", "type": "github" }, "original": { @@ -21,11 +21,11 @@ "nixpkgs-lib": "nixpkgs-lib" }, "locked": { - "lastModified": 1754487366, - "narHash": "sha256-pHYj8gUBapuUzKV/kN/tR3Zvqc7o6gdFB9XKXIp1SQ8=", + "lastModified": 1749398372, + "narHash": "sha256-tYBdgS56eXYaWVW3fsnPQ/nFlgWi/Z2Ymhyu21zVM98=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "af66ad14b28a127c5c0f3bbb298218fc63528a18", + "rev": "9305fe4e5c2a6fcf5ba6a3ff155720fbe4076569", "type": "github" }, "original": { @@ -42,11 +42,11 @@ ] }, "locked": { - "lastModified": 1754487366, - "narHash": "sha256-pHYj8gUBapuUzKV/kN/tR3Zvqc7o6gdFB9XKXIp1SQ8=", + "lastModified": 1749398372, + "narHash": "sha256-tYBdgS56eXYaWVW3fsnPQ/nFlgWi/Z2Ymhyu21zVM98=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "af66ad14b28a127c5c0f3bbb298218fc63528a18", + "rev": "9305fe4e5c2a6fcf5ba6a3ff155720fbe4076569", "type": "github" }, "original": { @@ -59,6 +59,24 @@ "inputs": { "systems": "systems" }, + "locked": { + "lastModified": 1705309234, + "narHash": "sha256-uNRRNRKmJyCRC/8y1RqBkqWBLM034y4qN7EprSdmgyA=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "1ef2e671c3b0c19053962c07dbda38332dcebf26", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "flake-utils_2": { + "inputs": { + "systems": "systems_2" + }, "locked": { "lastModified": 1731533236, "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=", 
@@ -73,22 +91,43 @@ "type": "github" } }, + "flake-utils_3": { + "inputs": { + "systems": "systems_3" + }, + "locked": { + "lastModified": 1694529238, + "narHash": "sha256-zsNZZGTGnMOf9YpHKJqMSsa0dXbfmxeoJ7xHlrt+xmY=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "ff7b65b44d01cf9ba6a71320833626af21126384", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, "gatekeeper": { "inputs": { - "nixpkgs": "nixpkgs" + "flake-utils": "flake-utils_2", + "nixpkgs": [ + "nixpkgs" + ] }, "locked": { - "lastModified": 1756134452, - "narHash": "sha256-h66I9Fdr59Vs9J03yFIo2ie98y9Ftgq6u6zHyxHnLU0=", - "ref": "dev", - "rev": "b62c6be7385048488c5a73b749ff7346188ca941", - "revCount": 18, + "lastModified": 1756149255, + "narHash": "sha256-WRD0VUjACeXkhlCXtiR+8NCs+lk03DA4wCooxCiqgRg=", + "ref": "sam/add-flake-parts", + "rev": "34ba4a222c15b2480b837bbb3076508f36c9296f", + "revCount": 21, "type": "git", "url": "ssh://git@github.com/supabase/jit-db-gatekeeper" }, "original": { - "ref": "dev", - "rev": "b62c6be7385048488c5a73b749ff7346188ca941", + "ref": "sam/add-flake-parts", + "rev": "34ba4a222c15b2480b837bbb3076508f36c9296f", "type": "git", "url": "ssh://git@github.com/supabase/jit-db-gatekeeper" } @@ -102,11 +141,11 @@ ] }, "locked": { - "lastModified": 1755960406, - "narHash": "sha256-RF7j6C1TmSTK9tYWO6CdEMtg6XZaUKcvZwOCD2SICZs=", + "lastModified": 1750779888, + "narHash": "sha256-wibppH3g/E2lxU43ZQHC5yA/7kIKLGxVEnsnVK1BtRg=", "owner": "cachix", "repo": "git-hooks.nix", - "rev": "e891a93b193fcaf2fc8012d890dc7f0befe86ec2", + "rev": "16ec914f6fb6f599ce988427d9d94efddf25fe6d", "type": "github" }, "original": { @@ -138,7 +177,7 @@ }, "nix-editor": { "inputs": { - "nixpkgs": "nixpkgs_2", + "nixpkgs": "nixpkgs", "utils": "utils" }, "locked": { 
@@ -158,15 +197,15 @@ "nix-fast-build": { "inputs": { "flake-parts": "flake-parts_2", - "nixpkgs": "nixpkgs_3", + "nixpkgs": "nixpkgs_2", "treefmt-nix": "treefmt-nix" }, "locked": { - "lastModified": 1756006459, - "narHash": "sha256-J+ogyZPv0myEH32pCn4U2nWbfZs0wGDmJSWoebjChmA=", + "lastModified": 1749427739, + "narHash": "sha256-Nm0oMqFNRnJsiZYeNChmefmjeVCOzngikpSQhgs7iXI=", "owner": "Mic92", "repo": "nix-fast-build", - "rev": "d669000b43097c4d1d237be9f32500cd00a5a0a0", + "rev": "b1dae483ab7d4139a6297e02b6de9e5d30e43d48", "type": "github" }, "original": { @@ -177,14 +216,15 @@ }, "nix2container": { "inputs": { - "nixpkgs": "nixpkgs_4" + "flake-utils": "flake-utils_3", + "nixpkgs": "nixpkgs_3" }, "locked": { - "lastModified": 1752002763, - "narHash": "sha256-JYAkdZvpdSx9GUoHPArctYMypSONob4DYKRkOubUWtY=", + "lastModified": 1708764364, + "narHash": "sha256-+pOtDvmuVTg0Gi58hKDUyrNla5NbyUvt3Xs3gLR0Fws=", "owner": "nlewo", "repo": "nix2container", - "rev": "4f2437f6a1844b843b380d483087ae6d461240ee", + "rev": "c891f90d2e3c48a6b33466c96e4851e0fc0cf455", "type": "github" }, "original": { @@ -195,15 +235,15 @@ }, "nixpkgs": { "locked": { - "lastModified": 1753939845, - "narHash": "sha256-K2ViRJfdVGE8tpJejs8Qpvvejks1+A4GQej/lBk5y7I=", - "owner": "NixOS", + "lastModified": 1675673983, + "narHash": "sha256-8hzNh1jtiPxL5r3ICNzSmpSzV7kGb3KwX+FS5BWJUTo=", + "owner": "nixos", "repo": "nixpkgs", - "rev": "94def634a20494ee057c76998843c015909d6311", + "rev": "5a350a8f31bb7ef0c6e79aea3795a890cf7743d4", "type": "github" }, "original": { - "owner": "NixOS", + "owner": "nixos", "ref": "nixos-unstable", "repo": "nixpkgs", "type": "github" 
@@ -227,11 +267,11 @@ }, "nixpkgs-lib": { "locked": { - "lastModified": 1753579242, - "narHash": "sha256-zvaMGVn14/Zz8hnp4VWT9xVnhc8vuL3TStRqwk22biA=", + "lastModified": 1750555020, + "narHash": "sha256-/MjivcZIz8dyLOTFdJzS5Yazt2QCePQBh8uZooODaYw=", "owner": "nix-community", "repo": "nixpkgs.lib", - "rev": "0f36c44e01a6129be94e3ade315a5883f0228a6e", + "rev": "6fb7349157ee1bffd053b1fdd454aa74ff7b4aee", "type": "github" }, "original": { @@ -242,27 +282,11 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1675673983, - "narHash": "sha256-8hzNh1jtiPxL5r3ICNzSmpSzV7kGb3KwX+FS5BWJUTo=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "5a350a8f31bb7ef0c6e79aea3795a890cf7743d4", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixos-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_3": { - "locked": { - "lastModified": 1755963616, - "narHash": "sha256-6yD0ww/S8n+U2uPYcJZ3DRURP8Kx036GRpR2uPNZroE=", + "lastModified": 1749411262, + "narHash": "sha256-gRBkeW9l5lb/90lv1waQFNT+18OhITs11HENarh6vNo=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "73e96df7cff5783f45e21342a75a1540c4eddce4", + "rev": "0fc422d6c394191338c9d6a05786c63fc52a0f29", "type": "github" }, "original": { @@ -272,13 +296,13 @@ "type": "github" } }, - "nixpkgs_4": { + "nixpkgs_3": { "locked": { - "lastModified": 1748984911, - "narHash": "sha256-fih/mdPI8f1CR+FKMhcsyfFzbARoVDrlxwoa694XIkw=", + "lastModified": 1697269602, + "narHash": "sha256-dSzV7Ud+JH4DPVD9od53EgDrxUVQOcSj4KGjggCDVJI=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "3731ffed14674a8567af4b05575a87adf0b38030", + "rev": "9cb540e9c1910d74a7e10736277f6eb9dff51c81", "type": "github" }, "original": { 
@@ -287,13 +311,13 @@ "type": "github" } }, - "nixpkgs_5": { + "nixpkgs_4": { "locked": { - "lastModified": 1756035328, - "narHash": "sha256-vC7SslUBCtdT3T37ZH3PLIWYmTkSeppL5BJJByUjYCM=", + "lastModified": 1712666087, + "narHash": "sha256-WwjUkWsjlU8iUImbivlYxNyMB1L5YVqE8QotQdL9jWc=", "owner": "nixos", "repo": "nixpkgs", - "rev": "6b0b1559e918d4f7d1df398ee1d33aeac586d4d6", + "rev": "a76c4553d7e741e17f289224eda135423de0491d", "type": "github" }, "original": { @@ -303,7 +327,7 @@ "type": "github" } }, - "nixpkgs_6": { + "nixpkgs_5": { "locked": { "lastModified": 1744536153, "narHash": "sha256-awS2zRgF4uTwrOKwwiJcByDzDOdo3Q1rPZbiHQg/N38=", @@ -328,7 +352,7 @@ "nix-editor": "nix-editor", "nix-fast-build": "nix-fast-build", "nix2container": "nix2container", - "nixpkgs": "nixpkgs_5", + "nixpkgs": "nixpkgs_4", "nixpkgs-go124": "nixpkgs-go124", "rust-overlay": "rust-overlay", "treefmt-nix": "treefmt-nix_2" @@ -336,14 +360,14 @@ }, "rust-overlay": { "inputs": { - "nixpkgs": "nixpkgs_6" + "nixpkgs": "nixpkgs_5" }, "locked": { - "lastModified": 1756089517, - "narHash": "sha256-KGinVKturJFPrRebgvyUB1BUNqf1y9FN+tSJaTPlnFE=", + "lastModified": 1749609482, + "narHash": "sha256-R+Y3tXIUAMosrgo/ynhIUPEONZ+cM0ScbgN7KA8OkoE=", "owner": "oxalica", "repo": "rust-overlay", - "rev": "44774c8c83cd392c50914f86e1ff75ef8619f1cd", + "rev": "a17da8deb943e7c8b4151914abbfe33d5a4e5b0d", "type": "github" }, "original": { 
@@ -367,6 +391,36 @@ "type": "github" } }, + "systems_2": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, + "systems_3": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, "treefmt-nix": { "inputs": { "nixpkgs": [ @@ -375,11 +429,11 @@ ] }, "locked": { - "lastModified": 1755934250, - "narHash": "sha256-CsDojnMgYsfshQw3t4zjRUkmMmUdZGthl16bXVWgRYU=", + "lastModified": 1749194973, + "narHash": "sha256-eEy8cuS0mZ2j/r/FE0/LYBSBcIs/MKOIVakwHVuqTfk=", "owner": "numtide", "repo": "treefmt-nix", - "rev": "74e1a52d5bd9430312f8d1b8b0354c92c17453e5", + "rev": "a05be418a1af1198ca0f63facb13c985db4cb3c5", "type": "github" }, "original": { @@ -395,11 +449,11 @@ ] }, "locked": { - "lastModified": 1755934250, - "narHash": "sha256-CsDojnMgYsfshQw3t4zjRUkmMmUdZGthl16bXVWgRYU=", + "lastModified": 1750931469, + "narHash": "sha256-0IEdQB1nS+uViQw4k3VGUXntjkDp7aAlqcxdewb/hAc=", "owner": "numtide", "repo": "treefmt-nix", - "rev": "74e1a52d5bd9430312f8d1b8b0354c92c17453e5", + "rev": "ac8e6f32e11e9c7f153823abc3ab007f2a65d3e1", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index af277c789..202c176c5 100644 --- a/flake.nix +++ b/flake.nix 
@@ -14,19 +14,18 @@ git-hooks.url = "github:cachix/git-hooks.nix"; git-hooks.inputs.nixpkgs.follows = "nixpkgs"; nixpkgs-go124.url = "github:Nixos/nixpkgs/d2ac4dfa61fba987a84a0a81555da57ae0b9a2b0"; - gatekeeper.url = "git+ssh://git@github.com/supabase/jit-db-gatekeeper?ref=dev&rev=b62c6be7385048488c5a73b749ff7346188ca941"; + gatekeeper.url = "git+ssh://git@github.com/supabase/jit-db-gatekeeper?ref=sam/add-flake-parts&rev=34ba4a222c15b2480b837bbb3076508f36c9296f"; + gatekeeper.inputs.nixpkgs.follows = "nixpkgs"; }; outputs = { flake-utils, ... }@inputs: - inputs.flake-parts.lib.mkFlake { inherit inputs; } (_args: let + inputs.flake-parts.lib.mkFlake { inherit inputs; } (_: { systems = with flake-utils.lib; [ system.x86_64-linux system.aarch64-linux system.aarch64-darwin ]; - in rec { - imports = [ nix/apps.nix @@ -40,16 +39,5 @@ nix/packages nix/overlays ]; - - packages = builtins.listToAttrs (map (system: - let - pkgs = import inputs.nixpkgs { inherit system; }; - in { - name = system; - value = { - gatekeeper = inputs.gatekeeper.packages.${system}.default; - }; - }) systems ); - }); } diff --git a/nix/internal/default.nix b/nix/internal/default.nix deleted file mode 100644 index faa96e082..000000000 --- a/nix/internal/default.nix +++ /dev/null 
@@ -1,40 +0,0 @@ -{ - description = "Gatekeeper PAM"; - - inputs = { - nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable"; - - gatekeeper.url = "git+ssh://git@github.com/supabase/jit-db-gatekeeper"; - }; - - outputs = { self, nixpkgs, gatekeeper }: - let - pkgs = import nixpkgs { system = "x86_64-linux"; }; - in { - packages.x86_64-linux.default = pkgs.stdenv.mkDerivation { - pname = "gatekeeper"; - version = "0.1.0"; - - # Use lib/include from your module - buildInputs = [ gatekeeper.packages.x86_64-linux.default ]; - - src = ./.; - }; - }; -} - -{ stdenv, go, gcc, pamModulePackage, ... }: - -stdenv.mkDerivation { - pname = "consumer"; - version = "0.1.0"; - - buildInputs = [ - pamModulePackage # this brings in the .so, headers, etc. - ]; - - buildPhase = '' - echo "Building consumer project..." - ls -lh ${pamModulePackage}/lib/security - ''; -} \ No newline at end of file diff --git a/nix/packages/default.nix b/nix/packages/default.nix index f297c8359..acb60e432 100644 --- a/nix/packages/default.nix +++ b/nix/packages/default.nix @@ -1,6 +1,9 @@ { self, inputs, ... }: { - imports = [ ./postgres.nix ]; + imports = [ + ./postgres.nix + ./gatekeeper.nix + ]; perSystem = { inputs', diff --git a/nix/packages/gatekeeper.nix b/nix/packages/gatekeeper.nix new file mode 100644 index 000000000..6c9298210 --- /dev/null +++ b/nix/packages/gatekeeper.nix @@ -0,0 +1,11 @@ +{ inputs, ... }: +{ + perSystem = + { system, pkgs, ... }: + let + go124 = inputs.nixpkgs-go124.legacyPackages.${pkgs.system}.go_1_24; + in + { + packages.gatekeeper = inputs.gatekeeper.lib.${system}.makeGatekeeper { go = go124; }; + }; +} From fe1d07a71c257cf0e5effa682d0e8201fb236682 Mon Sep 17 00:00:00 2001 From: Etienne Stalmans Date: Tue, 26 Aug 2025 13:08:21 +0200 Subject: [PATCH 04/23] chore: add overlay --- ansible/tasks/setup-postgres.yml | 15 +++++++++++++++ nix/overlays/default.nix | 9 +++++++++ 2 files changed, 24 insertions(+) 
diff --git a/ansible/tasks/setup-postgres.yml b/ansible/tasks/setup-postgres.yml
index 691c24da4..b68227ad0 100644
--- a/ansible/tasks/setup-postgres.yml
+++ b/ansible/tasks/setup-postgres.yml
@@ -139,6 +139,21 @@
 group: postgres
 when: debpkg_mode or nixpkg_mode
+- name: Check if psql_version is psql_15
+ set_fact:
+ is_psql_15: "{{ psql_version in ['psql_15'] }}"
+
+- name: create placeholder pam config
+ file:
+ path: '/etc/pam.d/{{ item }}'
+ state: touch
+ owner: postgres
+ group: postgres
+ mode: 0664
+ with_items:
+ - 'postgresql'
+ when: (debpkg_mode or nixpkg_mode) and not is_psql_15
+
 # Add pg_hba.conf
 - name: import pg_hba.conf
 template:
diff --git a/nix/overlays/default.nix b/nix/overlays/default.nix
index b508af8e3..8044e4207 100644
--- a/nix/overlays/default.nix
+++ b/nix/overlays/default.nix
@@ -60,5 +60,14 @@
 buildPgrxExtension_0_14_3 = prev.buildPgrxExtension.override {
 cargo-pgrx = final.cargo-pgrx.cargo-pgrx_0_14_3;
 };
+
+ # place the gatekeeper module in the expected libpam location
+ gatekeeper = self.inputs.gatekeeper.packages.${final.system}.default;
+ linux-pam = prev.linux-pam.overrideAttrs (old: {
+ postInstall = (old.postInstall or "") + ''
+ mkdir -p $out/lib/security
+ cp ${final.gatekeeper}/lib/security/pam_jwt_pg.so $out/lib/security/
+ '';
+ });
 };
 }
From 2c4e1d7ce6401b832d64936c803224a7d9ff9a69 Mon Sep 17 00:00:00 2001
From: Etienne Stalmans
Date: Tue, 26 Aug 2025 13:26:02 +0200
Subject: [PATCH 05/23] chore: add deploy_key for gk repo
---
 .github/workflows/nix-build.yml | 6 ++++++
 nix/overlays/default.nix | 2 +-
 2 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/nix-build.yml b/.github/workflows/nix-build.yml
index 695dc2abf..69ef85ba4 100644
--- a/.github/workflows/nix-build.yml
+++ b/.github/workflows/nix-build.yml
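Review bot: The placeholder `/etc/pam.d/postgresql` is created with `owner: postgres`, `group: postgres` and `mode: 0664`, which lets the database service account (and anyone in its group) rewrite the PAM stack that will later authenticate database logins; the other files in /etc/pam.d are conventionally root-owned and 0644. Unless a later task needs the postgres account to edit this file, `owner: root`, `group: root`, `mode: 0644` would keep a compromised postgres process from weakening its own authentication. The `is_psql_15` fact is set with `psql_version in ['psql_15']`, a one-element membership test that reads as if more versions were meant; `is_psql_15: "{{ psql_version == 'psql_15' }}"` states the intent directly.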
@@ -56,6 +56,12 @@ jobs:
 sudo -E python -c "import os; file = open('/etc/nix/nix-secret-key', 'w'); file.write(os.environ['NIX_SIGN_SECRET_KEY']); file.close()"
 env:
 NIX_SIGN_SECRET_KEY: ${{ secrets.NIX_SIGN_SECRET_KEY }}
+ - name: Setup SSH for deploy key
+ run: |
+ mkdir -p ~/.ssh
+ echo "${{ secrets.GK_DEPLOY_KEY }}" > ~/.ssh/id_ed25519
+ chmod 600 ~/.ssh/id_ed25519
+ ssh-keyscan github.com >> ~/.ssh/known_hosts
 - name: Setup cache script
 if: ${{ github.secret_source == 'Actions' }}
 run: |
diff --git a/nix/overlays/default.nix b/nix/overlays/default.nix
index 8044e4207..7fc606f14 100644
--- a/nix/overlays/default.nix
+++ b/nix/overlays/default.nix
@@ -66,7 +66,7 @@
 linux-pam = prev.linux-pam.overrideAttrs (old: {
 postInstall = (old.postInstall or "") + ''
 mkdir -p $out/lib/security
- cp ${final.gatekeeper}/lib/security/pam_jwt_pg.so $out/lib/security/
+ cp ${final.gatekeeper}/lib/security/*.so $out/lib/security/
 '';
 });
 };
From 83b4af01d04fb03f86a04f673e774acc45be7bd8 Mon Sep 17 00:00:00 2001
From: Etienne Stalmans
Date: Tue, 26 Aug 2025 16:48:11 +0200
Subject: [PATCH 06/23] fix: fmt and go version, hopefully
---
 nix/overlays/default.nix | 10 ++++++----
 nix/packages/gatekeeper.nix | 4 ++--
 2 files changed, 8 insertions(+), 6 deletions(-)
diff --git a/nix/overlays/default.nix b/nix/overlays/default.nix
index 7fc606f14..d195959cc 100644
--- a/nix/overlays/default.nix
+++ b/nix/overlays/default.nix
@@ -64,10 +64,12 @@
 # place the gatekeeper module in the expected libpam location
 gatekeeper = self.inputs.gatekeeper.packages.${final.system}.default;
 linux-pam = prev.linux-pam.overrideAttrs (old: {
- postInstall = (old.postInstall or "") + ''
- mkdir -p $out/lib/security
- cp ${final.gatekeeper}/lib/security/*.so $out/lib/security/
- '';
+ postInstall =
+ (old.postInstall or "")
+ + ''
+ mkdir -p $out/lib/security
+ cp ${final.gatekeeper}/lib/security/*.so $out/lib/security/
+ '';
 });
 };
 }
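Review bot: `ssh-keyscan github.com >> ~/.ssh/known_hosts` trusts whichever host key the network returns at that moment, so the private `jit-db-gatekeeper` fetch that follows has no host authentication on first use; writing GitHub's published host keys from a pinned source (a repository variable or a literal in the workflow) into known_hosts instead of running keyscan closes that gap. `mkdir -p ~/.ssh` is also left at the runner's default mode; add `chmod 700 ~/.ssh` next to the existing `chmod 600 ~/.ssh/id_ed25519`. The key is written by expanding `${{ secrets.GK_DEPLOY_KEY }}` inside the script body, whereas the step above passes `NIX_SIGN_SECRET_KEY` through `env:`; following the same pattern (`env:` with `GK_DEPLOY_KEY: ${{ secrets.GK_DEPLOY_KEY }}` and `echo "$GK_DEPLOY_KEY"`) keeps the two steps consistent and the secret out of the script text.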
diff --git a/nix/packages/gatekeeper.nix b/nix/packages/gatekeeper.nix index 6c9298210..266bf5f80 100644 --- a/nix/packages/gatekeeper.nix +++ b/nix/packages/gatekeeper.nix @@ -1,9 +1,9 @@ { inputs, ... }: { perSystem = - { system, pkgs, ... }: + { system, ... }: let - go124 = inputs.nixpkgs-go124.legacyPackages.${pkgs.system}.go_1_24; + go124 = inputs.nixpkgs-go124.legacyPackages.${system}.go_1_24; in { packages.gatekeeper = inputs.gatekeeper.lib.${system}.makeGatekeeper { go = go124; }; From 1bfa11b10fc41c93ef09417e1ec752caeee427fb Mon Sep 17 00:00:00 2001 From: Etienne Stalmans Date: Tue, 26 Aug 2025 17:25:56 +0200 Subject: [PATCH 07/23] fix: fmt and go version, hopefully --- flake.lock | 8 ++++---- flake.nix | 2 +- nix/packages/gatekeeper.nix | 10 +++++++++- 3 files changed, 14 insertions(+), 6 deletions(-) diff --git a/flake.lock b/flake.lock index e7cd62b51..2a4459802 100644 --- a/flake.lock +++ b/flake.lock @@ -251,17 +251,17 @@ }, "nixpkgs-go124": { "locked": { - "lastModified": 1754085309, - "narHash": "sha256-3RTSdhnqTcxS5wjKNEBpbt0hiSKfBZiQPlWHn90N1qQ=", + "lastModified": 1756125398, + "narHash": "sha256-XexyKZpf46cMiO5Vbj+dWSAXOnr285GHsMch8FBoHbc=", "owner": "Nixos", "repo": "nixpkgs", - "rev": "d2ac4dfa61fba987a84a0a81555da57ae0b9a2b0", + "rev": "3b9f00d7a7bf68acd4c4abb9d43695afb04e03a5", "type": "github" }, "original": { "owner": "Nixos", "repo": "nixpkgs", - "rev": "d2ac4dfa61fba987a84a0a81555da57ae0b9a2b0", + "rev": "3b9f00d7a7bf68acd4c4abb9d43695afb04e03a5", "type": "github" } }, diff --git a/flake.nix b/flake.nix index 202c176c5..441672652 100644 --- a/flake.nix +++ b/flake.nix 
@@ -13,7 +13,7 @@ treefmt-nix.inputs.nixpkgs.follows = "nixpkgs"; git-hooks.url = "github:cachix/git-hooks.nix"; git-hooks.inputs.nixpkgs.follows = "nixpkgs"; - nixpkgs-go124.url = "github:Nixos/nixpkgs/d2ac4dfa61fba987a84a0a81555da57ae0b9a2b0"; + nixpkgs-go124.url = "github:Nixos/nixpkgs/3b9f00d7a7bf68acd4c4abb9d43695afb04e03a5"; gatekeeper.url = "git+ssh://git@github.com/supabase/jit-db-gatekeeper?ref=sam/add-flake-parts&rev=34ba4a222c15b2480b837bbb3076508f36c9296f"; gatekeeper.inputs.nixpkgs.follows = "nixpkgs"; }; diff --git a/nix/packages/gatekeeper.nix b/nix/packages/gatekeeper.nix index 266bf5f80..02b4903fd 100644 --- a/nix/packages/gatekeeper.nix +++ b/nix/packages/gatekeeper.nix @@ -3,7 +3,15 @@ perSystem = { system, ... }: let - go124 = inputs.nixpkgs-go124.legacyPackages.${system}.go_1_24; + + go124 = + let + candidate = inputs.nixpkgs-go124.legacyPackages.${system}; + in + if candidate ? go_1_24 then + candidate.go_1_24 + else + throw "❌ nixpkgs-go124.${system} does not provide go_1_24!"; in { packages.gatekeeper = inputs.gatekeeper.lib.${system}.makeGatekeeper { go = go124; }; From e96db7c01290ed63ae0cd4b00b130e233079a4e3 Mon Sep 17 00:00:00 2001 From: Etienne Stalmans Date: Tue, 26 Aug 2025 18:08:23 +0200 Subject: [PATCH 08/23] fix: pass go override in overlays --- nix/overlays/default.nix | 4 +++- nix/packages/gatekeeper.nix | 9 +-------- 2 files changed, 4 insertions(+), 9 deletions(-) diff --git a/nix/overlays/default.nix b/nix/overlays/default.nix index d195959cc..648f9a32a 100644 --- a/nix/overlays/default.nix +++ b/nix/overlays/default.nix @@ -62,7 +62,9 @@ }; # place the gatekeeper module in the expected libpam location - gatekeeper = self.inputs.gatekeeper.packages.${final.system}.default; + gatekeeper = self.inputs.gatekeeper.packages.${final.system}.default.override { + go = self.inputs.nixpkgs-go124.legacyPackages.${final.system}.go_1_24; + }; linux-pam = prev.linux-pam.overrideAttrs (old: { postInstall = (old.postInstall or "") 
diff --git a/nix/packages/gatekeeper.nix b/nix/packages/gatekeeper.nix
index 02b4903fd..9fdce18a1 100644
--- a/nix/packages/gatekeeper.nix
+++ b/nix/packages/gatekeeper.nix
@@ -4,14 +4,7 @@
 { system, ... }:
 let
- go124 =
- let
- candidate = inputs.nixpkgs-go124.legacyPackages.${system};
- in
- if candidate ? go_1_24 then
- candidate.go_1_24
- else
- throw "❌ nixpkgs-go124.${system} does not provide go_1_24!";
+ go124 = inputs.nixpkgs-go124.legacyPackages.${system}.go_1_24;
 in
 {
 packages.gatekeeper = inputs.gatekeeper.lib.${system}.makeGatekeeper { go = go124; };
From db510df5ab8d98e8d4b981e4effad53f3c8d8bc4 Mon Sep 17 00:00:00 2001
From: Etienne Stalmans
Date: Wed, 27 Aug 2025 09:01:19 +0200
Subject: [PATCH 09/23] fix: pass go override in overlays
---
 nix/overlays/default.nix | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/nix/overlays/default.nix b/nix/overlays/default.nix
index 648f9a32a..fffde0ea9 100644
--- a/nix/overlays/default.nix
+++ b/nix/overlays/default.nix
@@ -62,9 +62,7 @@
 };
 # place the gatekeeper module in the expected libpam location
- gatekeeper = self.inputs.gatekeeper.packages.${final.system}.default.override {
- go = self.inputs.nixpkgs-go124.legacyPackages.${final.system}.go_1_24;
- };
+ gatekeeper = self.packages.${final.system}.gatekeeper;
 linux-pam = prev.linux-pam.overrideAttrs (old: {
 postInstall =
 (old.postInstall or "")
From 648c661147351b79cbe541bff1d5e64efa2fa14b Mon Sep 17 00:00:00 2001
From: Sam Rose
Date: Thu, 28 Aug 2025 10:40:03 -0400
Subject: [PATCH 10/23] feat: package gatekeeper in this package set
---
 flake.lock | 46 ++++---------------------------------
 flake.nix | 6 +++--
 nix/overlays/default.nix | 2 +-
 nix/packages/gatekeeper.nix | 41 ++++++++++++++++++++++++++++++---
 4 files changed, 47 insertions(+), 48 deletions(-)
diff --git a/flake.lock b/flake.lock
index 2a4459802..5afaace67 100644
--- a/flake.lock
+++ b/flake.lock
@@ -77,24 +77,6 @@ "inputs": { "systems": "systems_2" }, - "locked": { - "lastModified": 1731533236, - "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "flake-utils", - "type": "github" - } - }, - "flake-utils_3": { - "inputs": { - "systems": "systems_3" - }, "locked": { "lastModified": 1694529238, "narHash": "sha256-zsNZZGTGnMOf9YpHKJqMSsa0dXbfmxeoJ7xHlrt+xmY=", @@ -109,13 +91,8 @@ "type": "github" } }, - "gatekeeper": { - "inputs": { - "flake-utils": "flake-utils_2", - "nixpkgs": [ - "nixpkgs" - ] - }, + "gatekeeper-src": { + "flake": false, "locked": { "lastModified": 1756149255, "narHash": "sha256-WRD0VUjACeXkhlCXtiR+8NCs+lk03DA4wCooxCiqgRg=", @@ -216,7 +193,7 @@ }, "nix2container": { "inputs": { - "flake-utils": "flake-utils_3", + "flake-utils": "flake-utils_2", "nixpkgs": "nixpkgs_3" }, "locked": { @@ -347,7 +324,7 @@ "inputs": { "flake-parts": "flake-parts", "flake-utils": "flake-utils", - "gatekeeper": "gatekeeper", + "gatekeeper-src": "gatekeeper-src", "git-hooks": "git-hooks", "nix-editor": "nix-editor", "nix-fast-build": "nix-fast-build", @@ -406,21 +383,6 @@ "type": "github" } }, - "systems_3": { - "locked": { - "lastModified": 1681028828, - "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", - "owner": "nix-systems", - "repo": "default", - "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default", - "type": "github" - } - }, "treefmt-nix": { "inputs": { "nixpkgs": [ diff --git a/flake.nix b/flake.nix index 441672652..60655abb6 100644 --- a/flake.nix +++ b/flake.nix 
@@ -14,8 +14,10 @@ git-hooks.url = "github:cachix/git-hooks.nix"; git-hooks.inputs.nixpkgs.follows = "nixpkgs"; nixpkgs-go124.url = "github:Nixos/nixpkgs/3b9f00d7a7bf68acd4c4abb9d43695afb04e03a5"; - gatekeeper.url = "git+ssh://git@github.com/supabase/jit-db-gatekeeper?ref=sam/add-flake-parts&rev=34ba4a222c15b2480b837bbb3076508f36c9296f"; - gatekeeper.inputs.nixpkgs.follows = "nixpkgs"; + gatekeeper-src = { + url = "git+ssh://git@github.com/supabase/jit-db-gatekeeper?ref=sam/add-flake-parts&rev=34ba4a222c15b2480b837bbb3076508f36c9296f"; + flake = false; + }; }; outputs = diff --git a/nix/overlays/default.nix b/nix/overlays/default.nix index fffde0ea9..ad71f10f3 100644 --- a/nix/overlays/default.nix +++ b/nix/overlays/default.nix @@ -68,7 +68,7 @@ (old.postInstall or "") + '' mkdir -p $out/lib/security - cp ${final.gatekeeper}/lib/security/*.so $out/lib/security/ + cp ${self.packages.${final.system}.gatekeeper}/lib/security/*.so $out/lib/security/ ''; }); }; diff --git a/nix/packages/gatekeeper.nix b/nix/packages/gatekeeper.nix index 9fdce18a1..0c94de3dc 100644 --- a/nix/packages/gatekeeper.nix +++ b/nix/packages/gatekeeper.nix 
@@ -1,12 +1,47 @@ { inputs, ... }: { perSystem = - { system, ... }: + { system, pkgs, ... }: let - go124 = inputs.nixpkgs-go124.legacyPackages.${system}.go_1_24; + # Use completely clean nixpkgs without any overlays for gatekeeper + cleanPkgs = inputs.nixpkgs.legacyPackages.${system}; + buildGoModule = cleanPkgs.buildGoModule.override { go = go124; }; in { - packages.gatekeeper = inputs.gatekeeper.lib.${system}.makeGatekeeper { go = go124; }; + packages.gatekeeper = buildGoModule { + pname = "gatekeeper"; + version = "0.1.0"; + + src = inputs.gatekeeper-src; + + vendorHash = "sha256-pdF+bhvZQwd2iSEHVtDAGihkYZGSaQaFdsF8MSrWuKQ="; + + buildInputs = + [ cleanPkgs.pam ] + ++ cleanPkgs.lib.optionals cleanPkgs.stdenv.isDarwin [ + cleanPkgs.darwin.apple_sdk.frameworks.Security + ]; + + buildPhase = '' + runHook preBuild + go build -buildmode=c-shared -o pam_jwt_pg.so + runHook postBuild + ''; + + installPhase = '' + runHook preInstall + mkdir -p $out/lib/security + cp pam_jwt_pg.so $out/lib/security/ + runHook postInstall + ''; + + meta = with pkgs.lib; { + description = "PAM module for JWT authentication with PostgreSQL backend"; + homepage = "https://github.com/supabase/jit-db-gatekeeper"; + license = licenses.mit; + platforms = platforms.unix; + }; + }; }; } From 77e0f4bbe3d43e7660ec48020ad3aa272539465b Mon Sep 17 00:00:00 2001 From: Sam Rose Date: Thu, 28 Aug 2025 11:15:31 -0400 Subject: [PATCH 11/23] fix: update source of go 1.24 nixpkgs --- flake.lock | 8 ++++---- flake.nix | 2 +- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/flake.lock b/flake.lock index 5afaace67..2c650b127 100644 --- a/flake.lock +++ b/flake.lock 
@@ -228,17 +228,17 @@ }, "nixpkgs-go124": { "locked": { - "lastModified": 1756125398, - "narHash": "sha256-XexyKZpf46cMiO5Vbj+dWSAXOnr285GHsMch8FBoHbc=", + "lastModified": 1754085309, + "narHash": "sha256-3RTSdhnqTcxS5wjKNEBpbt0hiSKfBZiQPlWHn90N1qQ=", "owner": "Nixos", "repo": "nixpkgs", - "rev": "3b9f00d7a7bf68acd4c4abb9d43695afb04e03a5", + "rev": "d2ac4dfa61fba987a84a0a81555da57ae0b9a2b0", "type": "github" }, "original": { "owner": "Nixos", "repo": "nixpkgs", - "rev": "3b9f00d7a7bf68acd4c4abb9d43695afb04e03a5", + "rev": "d2ac4dfa61fba987a84a0a81555da57ae0b9a2b0", "type": "github" } }, diff --git a/flake.nix b/flake.nix index 60655abb6..c1d0d4dac 100644 --- a/flake.nix +++ b/flake.nix @@ -13,7 +13,7 @@ treefmt-nix.inputs.nixpkgs.follows = "nixpkgs"; git-hooks.url = "github:cachix/git-hooks.nix"; git-hooks.inputs.nixpkgs.follows = "nixpkgs"; - nixpkgs-go124.url = "github:Nixos/nixpkgs/3b9f00d7a7bf68acd4c4abb9d43695afb04e03a5"; + nixpkgs-go124.url = "github:Nixos/nixpkgs/d2ac4dfa61fba987a84a0a81555da57ae0b9a2b0"; gatekeeper-src = { url = "git+ssh://git@github.com/supabase/jit-db-gatekeeper?ref=sam/add-flake-parts&rev=34ba4a222c15b2480b837bbb3076508f36c9296f"; flake = false; From 4a8983cfa4f5dc5feffb744a4f227d41b3006d12 Mon Sep 17 00:00:00 2001 From: Sam Rose Date: Thu, 28 Aug 2025 11:53:53 -0400 Subject: [PATCH 12/23] Revert "fix: update source of go 1.24 nixpkgs" This reverts commit 70206f2469381a9f442999bee6bdb1db38d6190f. --- flake.lock | 8 ++++---- flake.nix | 2 +- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/flake.lock b/flake.lock index 2c650b127..5afaace67 100644 --- a/flake.lock +++ b/flake.lock 
@@ -228,17 +228,17 @@ }, "nixpkgs-go124": { "locked": { - "lastModified": 1754085309, - "narHash": "sha256-3RTSdhnqTcxS5wjKNEBpbt0hiSKfBZiQPlWHn90N1qQ=", + "lastModified": 1756125398, + "narHash": "sha256-XexyKZpf46cMiO5Vbj+dWSAXOnr285GHsMch8FBoHbc=", "owner": "Nixos", "repo": "nixpkgs", - "rev": "d2ac4dfa61fba987a84a0a81555da57ae0b9a2b0", + "rev": "3b9f00d7a7bf68acd4c4abb9d43695afb04e03a5", "type": "github" }, "original": { "owner": "Nixos", "repo": "nixpkgs", - "rev": "d2ac4dfa61fba987a84a0a81555da57ae0b9a2b0", + "rev": "3b9f00d7a7bf68acd4c4abb9d43695afb04e03a5", "type": "github" } }, diff --git a/flake.nix b/flake.nix index c1d0d4dac..60655abb6 100644 --- a/flake.nix +++ b/flake.nix @@ -13,7 +13,7 @@ treefmt-nix.inputs.nixpkgs.follows = "nixpkgs"; git-hooks.url = "github:cachix/git-hooks.nix"; git-hooks.inputs.nixpkgs.follows = "nixpkgs"; - nixpkgs-go124.url = "github:Nixos/nixpkgs/d2ac4dfa61fba987a84a0a81555da57ae0b9a2b0"; + nixpkgs-go124.url = "github:Nixos/nixpkgs/3b9f00d7a7bf68acd4c4abb9d43695afb04e03a5"; gatekeeper-src = { url = "git+ssh://git@github.com/supabase/jit-db-gatekeeper?ref=sam/add-flake-parts&rev=34ba4a222c15b2480b837bbb3076508f36c9296f"; flake = false; From 441eccc9aa630af7b2140165b55bca0a3b7b9cb9 Mon Sep 17 00:00:00 2001 From: Sam Rose Date: Thu, 28 Aug 2025 11:53:56 -0400 Subject: [PATCH 13/23] Revert "feat: package gatekeeper in this package set" This reverts commit 1dfd426037ea92f76ad9b10c85a1df7930e98dab. --- flake.lock | 46 +++++++++++++++++++++++++++++++++---- flake.nix | 6 ++--- nix/overlays/default.nix | 2 +- nix/packages/gatekeeper.nix | 41 +++------------------------------ 4 files changed, 48 insertions(+), 47 deletions(-) diff --git a/flake.lock b/flake.lock index 5afaace67..2a4459802 100644 --- a/flake.lock +++ b/flake.lock 
@@ -77,6 +77,24 @@ "inputs": { "systems": "systems_2" }, + "locked": { + "lastModified": 1731533236, + "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "flake-utils_3": { + "inputs": { + "systems": "systems_3" + }, "locked": { "lastModified": 1694529238, "narHash": "sha256-zsNZZGTGnMOf9YpHKJqMSsa0dXbfmxeoJ7xHlrt+xmY=", @@ -91,8 +109,13 @@ "type": "github" } }, - "gatekeeper-src": { - "flake": false, + "gatekeeper": { + "inputs": { + "flake-utils": "flake-utils_2", + "nixpkgs": [ + "nixpkgs" + ] + }, "locked": { "lastModified": 1756149255, "narHash": "sha256-WRD0VUjACeXkhlCXtiR+8NCs+lk03DA4wCooxCiqgRg=", @@ -193,7 +216,7 @@ }, "nix2container": { "inputs": { - "flake-utils": "flake-utils_2", + "flake-utils": "flake-utils_3", "nixpkgs": "nixpkgs_3" }, "locked": { @@ -324,7 +347,7 @@ "inputs": { "flake-parts": "flake-parts", "flake-utils": "flake-utils", - "gatekeeper-src": "gatekeeper-src", + "gatekeeper": "gatekeeper", "git-hooks": "git-hooks", "nix-editor": "nix-editor", "nix-fast-build": "nix-fast-build", @@ -383,6 +406,21 @@ "type": "github" } }, + "systems_3": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, "treefmt-nix": { "inputs": { "nixpkgs": [ diff --git a/flake.nix b/flake.nix index 60655abb6..441672652 100644 --- a/flake.nix +++ b/flake.nix 
@@ -14,10 +14,8 @@ git-hooks.url = "github:cachix/git-hooks.nix"; git-hooks.inputs.nixpkgs.follows = "nixpkgs"; nixpkgs-go124.url = "github:Nixos/nixpkgs/3b9f00d7a7bf68acd4c4abb9d43695afb04e03a5"; - gatekeeper-src = { - url = "git+ssh://git@github.com/supabase/jit-db-gatekeeper?ref=sam/add-flake-parts&rev=34ba4a222c15b2480b837bbb3076508f36c9296f"; - flake = false; - }; + gatekeeper.url = "git+ssh://git@github.com/supabase/jit-db-gatekeeper?ref=sam/add-flake-parts&rev=34ba4a222c15b2480b837bbb3076508f36c9296f"; + gatekeeper.inputs.nixpkgs.follows = "nixpkgs"; }; outputs = diff --git a/nix/overlays/default.nix b/nix/overlays/default.nix index ad71f10f3..fffde0ea9 100644 --- a/nix/overlays/default.nix +++ b/nix/overlays/default.nix @@ -68,7 +68,7 @@ (old.postInstall or "") + '' mkdir -p $out/lib/security - cp ${self.packages.${final.system}.gatekeeper}/lib/security/*.so $out/lib/security/ + cp ${final.gatekeeper}/lib/security/*.so $out/lib/security/ ''; }); }; diff --git a/nix/packages/gatekeeper.nix b/nix/packages/gatekeeper.nix index 0c94de3dc..9fdce18a1 100644 --- a/nix/packages/gatekeeper.nix +++ b/nix/packages/gatekeeper.nix 
@@ -1,47 +1,12 @@ { inputs, ... }: { perSystem = - { system, pkgs, ... }: + { system, ... }: let + go124 = inputs.nixpkgs-go124.legacyPackages.${system}.go_1_24; - # Use completely clean nixpkgs without any overlays for gatekeeper - cleanPkgs = inputs.nixpkgs.legacyPackages.${system}; - buildGoModule = cleanPkgs.buildGoModule.override { go = go124; }; in { - packages.gatekeeper = buildGoModule { - pname = "gatekeeper"; - version = "0.1.0"; - - src = inputs.gatekeeper-src; - - vendorHash = "sha256-pdF+bhvZQwd2iSEHVtDAGihkYZGSaQaFdsF8MSrWuKQ="; - - buildInputs = - [ cleanPkgs.pam ] - ++ cleanPkgs.lib.optionals cleanPkgs.stdenv.isDarwin [ - cleanPkgs.darwin.apple_sdk.frameworks.Security - ]; - - buildPhase = '' - runHook preBuild - go build -buildmode=c-shared -o pam_jwt_pg.so - runHook postBuild - ''; - - installPhase = '' - runHook preInstall - mkdir -p $out/lib/security - cp pam_jwt_pg.so $out/lib/security/ - runHook postInstall - ''; - - meta = with pkgs.lib; { - description = "PAM module for JWT authentication with PostgreSQL backend"; - homepage = "https://github.com/supabase/jit-db-gatekeeper"; - license = licenses.mit; - platforms = platforms.unix; - }; - }; + packages.gatekeeper = inputs.gatekeeper.lib.${system}.makeGatekeeper { go = go124; }; }; } From f7e80c86e39e5303169e8e2142989e01881e954f Mon Sep 17 00:00:00 2001 From: Sam Rose Date: Thu, 28 Aug 2025 15:38:13 -0400 Subject: [PATCH 14/23] fix: clean up nix flake and lock, drop overlay --- flake.lock | 67 +++---------------------------------- flake.nix | 4 +-- nix/overlays/default.nix | 11 ------ nix/packages/default.nix | 3 +- nix/packages/gatekeeper.nix | 58 ++++++++++++++++++++++++++------ 5 files changed, 56 insertions(+), 87 deletions(-) diff --git a/flake.lock b/flake.lock index 2a4459802..9d2865e1d 100644 --- a/flake.lock +++ b/flake.lock 
@@ -77,24 +77,6 @@ "inputs": { "systems": "systems_2" }, - "locked": { - "lastModified": 1731533236, - "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "flake-utils", - "type": "github" - } - }, - "flake-utils_3": { - "inputs": { - "systems": "systems_3" - }, "locked": { "lastModified": 1694529238, "narHash": "sha256-zsNZZGTGnMOf9YpHKJqMSsa0dXbfmxeoJ7xHlrt+xmY=", @@ -109,29 +91,6 @@ "type": "github" } }, - "gatekeeper": { - "inputs": { - "flake-utils": "flake-utils_2", - "nixpkgs": [ - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1756149255, - "narHash": "sha256-WRD0VUjACeXkhlCXtiR+8NCs+lk03DA4wCooxCiqgRg=", - "ref": "sam/add-flake-parts", - "rev": "34ba4a222c15b2480b837bbb3076508f36c9296f", - "revCount": 21, - "type": "git", - "url": "ssh://git@github.com/supabase/jit-db-gatekeeper" - }, - "original": { - "ref": "sam/add-flake-parts", - "rev": "34ba4a222c15b2480b837bbb3076508f36c9296f", - "type": "git", - "url": "ssh://git@github.com/supabase/jit-db-gatekeeper" - } - }, "git-hooks": { "inputs": { "flake-compat": "flake-compat", @@ -216,7 +175,7 @@ }, "nix2container": { "inputs": { - "flake-utils": "flake-utils_3", + "flake-utils": "flake-utils_2", "nixpkgs": "nixpkgs_3" }, "locked": { @@ -251,17 +210,17 @@ }, "nixpkgs-go124": { "locked": { - "lastModified": 1756125398, - "narHash": "sha256-XexyKZpf46cMiO5Vbj+dWSAXOnr285GHsMch8FBoHbc=", + "lastModified": 1754085309, + "narHash": "sha256-3RTSdhnqTcxS5wjKNEBpbt0hiSKfBZiQPlWHn90N1qQ=", "owner": "Nixos", "repo": "nixpkgs", - "rev": "3b9f00d7a7bf68acd4c4abb9d43695afb04e03a5", + "rev": "d2ac4dfa61fba987a84a0a81555da57ae0b9a2b0", "type": "github" }, "original": { "owner": "Nixos", "repo": "nixpkgs", - "rev": "3b9f00d7a7bf68acd4c4abb9d43695afb04e03a5", + "rev": "d2ac4dfa61fba987a84a0a81555da57ae0b9a2b0", "type": "github" } }, 
@@ -347,7 +306,6 @@ "inputs": { "flake-parts": "flake-parts", "flake-utils": "flake-utils", - "gatekeeper": "gatekeeper", "git-hooks": "git-hooks", "nix-editor": "nix-editor", "nix-fast-build": "nix-fast-build", @@ -406,21 +364,6 @@ "type": "github" } }, - "systems_3": { - "locked": { - "lastModified": 1681028828, - "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", - "owner": "nix-systems", - "repo": "default", - "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default", - "type": "github" - } - }, "treefmt-nix": { "inputs": { "nixpkgs": [ diff --git a/flake.nix b/flake.nix index 441672652..db14dac9a 100644 --- a/flake.nix +++ b/flake.nix @@ -13,9 +13,7 @@ treefmt-nix.inputs.nixpkgs.follows = "nixpkgs"; git-hooks.url = "github:cachix/git-hooks.nix"; git-hooks.inputs.nixpkgs.follows = "nixpkgs"; - nixpkgs-go124.url = "github:Nixos/nixpkgs/3b9f00d7a7bf68acd4c4abb9d43695afb04e03a5"; - gatekeeper.url = "git+ssh://git@github.com/supabase/jit-db-gatekeeper?ref=sam/add-flake-parts&rev=34ba4a222c15b2480b837bbb3076508f36c9296f"; - gatekeeper.inputs.nixpkgs.follows = "nixpkgs"; + nixpkgs-go124.url = "github:Nixos/nixpkgs/d2ac4dfa61fba987a84a0a81555da57ae0b9a2b0"; }; outputs = diff --git a/nix/overlays/default.nix b/nix/overlays/default.nix index fffde0ea9..b508af8e3 100644 --- a/nix/overlays/default.nix +++ b/nix/overlays/default.nix @@ -60,16 +60,5 @@ buildPgrxExtension_0_14_3 = prev.buildPgrxExtension.override { cargo-pgrx = final.cargo-pgrx.cargo-pgrx_0_14_3; }; - - # place the gatekeeper module in the expected libpam location - gatekeeper = self.packages.${final.system}.gatekeeper; - linux-pam = prev.linux-pam.overrideAttrs (old: { - postInstall = - (old.postInstall or "") - + '' - mkdir -p $out/lib/security - cp ${final.gatekeeper}/lib/security/*.so $out/lib/security/ - ''; - }); }; } 
diff --git a/nix/packages/default.nix b/nix/packages/default.nix
index acb60e432..d3b56c264 100644
--- a/nix/packages/default.nix
+++ b/nix/packages/default.nix
@@ -2,7 +2,7 @@
 {
 imports = [
 ./postgres.nix
- ./gatekeeper.nix
+ # ./gatekeeper.nix
 ];
 perSystem = {
@@ -37,6 +37,7 @@
 cleanup-ami = pkgs.callPackage ./cleanup-ami.nix { };
 dbmate-tool = pkgs.callPackage ./dbmate-tool.nix { inherit (self.supabase) defaults; };
 docs = pkgs.callPackage ./docs.nix { };
+ gatekeeper = pkgs.callPackage ./gatekeeper.nix { inherit inputs pkgs; };
 supabase-groonga = pkgs.callPackage ./groonga { };
 http-mock-server = pkgs.callPackage ./http-mock-server.nix { };
 local-infra-bootstrap = pkgs.callPackage ./local-infra-bootstrap.nix { };
diff --git a/nix/packages/gatekeeper.nix b/nix/packages/gatekeeper.nix
index 9fdce18a1..8b88e0e32 100644
--- a/nix/packages/gatekeeper.nix
+++ b/nix/packages/gatekeeper.nix
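Review bot: `./gatekeeper.nix` is commented out in `imports` rather than removed; since the same commit turns that file into a plain `callPackage` derivation, the `# ./gatekeeper.nix` line is dead and should be deleted so the import list does not keep a stale reference. In `gatekeeper = pkgs.callPackage ./gatekeeper.nix { inherit inputs pkgs; };` only `inputs` is not resolvable from the package set; `pkgs` and `system` are normally filled in by `callPackage` itself, so `{ inherit inputs; }` should be enough and avoids pinning a specific `pkgs` by hand. The rest of this file is outside the hunk, so if `inputs` is already threaded into the package set another way that argument may be redundant too.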
@@ -1,12 +1,50 @@ -{ inputs, ... }: { - perSystem = - { system, ... }: - let - - go124 = inputs.nixpkgs-go124.legacyPackages.${system}.go_1_24; - in - { - packages.gatekeeper = inputs.gatekeeper.lib.${system}.makeGatekeeper { go = go124; }; - }; + inputs, + system, + pkgs, + ... +}: +let + go124 = inputs.nixpkgs-go124.legacyPackages.${system}.go_1_24; + # Use completely clean nixpkgs without any overlays for gatekeeper + #cleanPkgs = inputs.nixpkgs.legacyPackages.${system}; + buildGoModule = pkgs.buildGoModule.override { go = go124; }; +in + +buildGoModule { + pname = "gatekeeper"; + version = "0.1.0"; + + src = pkgs.fetchFromGitHub { + owner = "supabase"; + repo = "jit-db-gatekeeper"; + rev = "refs/heads/main"; + hash = "sha256-hrYh1dBxk+aN3b/J9mZqk/ZXHmWA/MIqZLVgICT7e90="; + }; + + vendorHash = "sha256-G9x2TARSJMn30R6ZOlsggxEtn5t2ezWz1YtkLXdYiAE="; + + buildInputs = [ + pkgs.pam + ] ++ pkgs.lib.optionals pkgs.stdenv.isDarwin [ pkgs.darwin.apple_sdk.frameworks.Security ]; + + buildPhase = '' + runHook preBuild + go build -buildmode=c-shared -o pam_jwt_pg.so + runHook postBuild + ''; + + installPhase = '' + runHook preInstall + mkdir -p $out/lib/security + cp pam_jwt_pg.so $out/lib/security/ + runHook postInstall + ''; + + meta = with pkgs.lib; { + description = "PAM module for JWT authentication with PostgreSQL backend"; + homepage = "https://github.com/supabase/jit-db-gatekeeper"; + license = licenses.mit; + platforms = platforms.unix; + }; } From 6e5c789b4b3486602fbfae03050e4e39329985a1 Mon Sep 17 00:00:00 2001 From: Etienne Stalmans Date: Fri, 29 Aug 2025 13:29:18 +0200 Subject: [PATCH 15/23] chore: install gatekeeper with ansible --- ansible/tasks/setup-postgres.yml | 4 +--- ansible/tasks/stage2-setup-postgres.yml | 20 +++++++++++++++++++- nix/packages/gatekeeper.nix | 4 ++-- 3 files changed, 22 insertions(+), 6 deletions(-) diff --git a/ansible/tasks/setup-postgres.yml b/ansible/tasks/setup-postgres.yml index b68227ad0..221eaeec7 100644 
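Review bot: The comment "Use completely clean nixpkgs without any overlays for gatekeeper" describes the `cleanPkgs` binding directly under it, which is commented out, so the `let` block now documents code that does not run; either delete both lines or replace them with a sentence saying why the overlaid `pkgs` is used after all. The hand-written `buildPhase` (`go build -buildmode=c-shared -o pam_jwt_pg.so`) replaces buildGoModule's own build step, which as far as I recall passes `-trimpath` and honours `ldflags`/`tags`; without that, build-sandbox paths can end up embedded in the `.so` and the output is harder to reproduce, so either add `-trimpath` or leave a comment stating the override is deliberate. `meta.platforms = platforms.unix` is broader than what the derivation produces — a PAM module installed under `lib/security` for linux-pam — and the Darwin `Security` framework branch suggests macOS was only tried, so `platforms.linux` describes the supported target honestly.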
--- a/ansible/tasks/setup-postgres.yml +++ b/ansible/tasks/setup-postgres.yml @@ -145,13 +145,11 @@ - name: create placeholder pam config file: - path: '/etc/pam.d/{{ item }}' + path: '/etc/pam.d/postgresql' state: touch owner: postgres group: postgres mode: 0664 - with_items: - - 'postgresql' when: (debpkg_mode or nixpkg_mode) and not is_psql_15 # Add pg_hba.conf diff --git a/ansible/tasks/stage2-setup-postgres.yml b/ansible/tasks/stage2-setup-postgres.yml index 6f696d5d3..08426d7f1 100644 --- a/ansible/tasks/stage2-setup-postgres.yml +++ b/ansible/tasks/stage2-setup-postgres.yml @@ -94,7 +94,25 @@ shell: | sudo -u postgres bash -c ". /nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh && nix profile install github:supabase/postgres/{{ git_commit_sha }}#{{postgresql_version}}_src" when: stage2_nix - + +- name: Check psql_version and install gatekeeper if not pg15 + block: + - name: Check if psql_version is psql_15 + set_fact: + is_psql_15: "{{ psql_version == 'psql_15' }}" + + - name: Install gatekeeper from nix binary cache + become: yes + shell: | + sudo -u postgres bash -c ". /nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh && nix profile install github:supabase/postgres/{{ git_commit_sha }}#gatekeeper" + when: stage2_nix and not is_psql_15 + + - name: Create symbolic link for linux-pam to find pam_jit_pg.so + shell: > + sudo ln -s /var/lib/postgresql/.nix-profile/lib/security/pam_jit_pg.so $(find /nix/store -type d -path "/nix/store/*-linux-pam-*/lib/security" -print -quit)/pam_jit_pg.s + become: yes + when: stage2_nix and not is_psql_15 + - name: Set ownership and permissions for /etc/ssl/private become: yes file: diff --git a/nix/packages/gatekeeper.nix b/nix/packages/gatekeeper.nix index 8b88e0e32..5f0fcbc68 100644 --- a/nix/packages/gatekeeper.nix +++ b/nix/packages/gatekeeper.nix 
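Review bot: The `Create symbolic link for linux-pam to find pam_jit_pg.so` task writes into `/nix/store`, into whichever `*-linux-pam-*/lib/security` directory `find ... -print -quit` happens to return first; store paths are meant to be immutable and content-addressed, so this mutates a path that `nix store verify` and garbage collection know nothing about, and with more than one linux-pam output present the link can land in a path the running PAM stack never loads. The task is also not idempotent: a second run fails because `ln -s` refuses to overwrite the existing link (`ln -sfn`, or an Ansible `file: state=link` task with a computed `dest`, fixes that). Referencing the module by absolute path from `/etc/pam.d/postgresql` (`auth required /var/lib/postgresql/.nix-profile/lib/security/pam_jit_pg.so`) would avoid touching the store at all, if the PAM build on this image accepts absolute module paths as Linux-PAM normally does. The same `ln -s ... $(find /nix/store ...)` command is carried unchanged into the stage2 hunks of patches 17 and 18 below, so whichever fix is chosen applies there too.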
@@ -30,14 +30,14 @@ buildGoModule { buildPhase = '' runHook preBuild - go build -buildmode=c-shared -o pam_jwt_pg.so + go build -buildmode=c-shared -o pam_jit_pg.so runHook postBuild ''; installPhase = '' runHook preInstall mkdir -p $out/lib/security - cp pam_jwt_pg.so $out/lib/security/ + cp pam_jit_pg.so $out/lib/security/ runHook postInstall ''; From bae7437c3d572e2973fdb7cbfdbe1f5e96e9367c Mon Sep 17 00:00:00 2001 From: Etienne Stalmans Date: Fri, 29 Aug 2025 16:40:24 +0200 Subject: [PATCH 16/23] fix: smallest typo --- ansible/tasks/stage2-setup-postgres.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ansible/tasks/stage2-setup-postgres.yml b/ansible/tasks/stage2-setup-postgres.yml index 08426d7f1..0d8c52182 100644 --- a/ansible/tasks/stage2-setup-postgres.yml +++ b/ansible/tasks/stage2-setup-postgres.yml @@ -109,7 +109,7 @@ - name: Create symbolic link for linux-pam to find pam_jit_pg.so shell: > - sudo ln -s /var/lib/postgresql/.nix-profile/lib/security/pam_jit_pg.so $(find /nix/store -type d -path "/nix/store/*-linux-pam-*/lib/security" -print -quit)/pam_jit_pg.s + sudo ln -s /var/lib/postgresql/.nix-profile/lib/security/pam_jit_pg.so $(find /nix/store -type d -path "/nix/store/*-linux-pam-*/lib/security" -print -quit)/pam_jit_pg.so become: yes when: stage2_nix and not is_psql_15 From 87993d5881c637eed5767e1b642fdd9fe10a413f Mon Sep 17 00:00:00 2001 From: Etienne Stalmans Date: Fri, 29 Aug 2025 18:49:05 +0200 Subject: [PATCH 17/23] Apply suggestion from @hunleyd Co-authored-by: Douglas J Hunley --- ansible/tasks/stage2-setup-postgres.yml | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/ansible/tasks/stage2-setup-postgres.yml b/ansible/tasks/stage2-setup-postgres.yml index 0d8c52182..e314d8523 100644 --- a/ansible/tasks/stage2-setup-postgres.yml +++ b/ansible/tasks/stage2-setup-postgres.yml 
@@ -95,23 +95,24 @@ sudo -u postgres bash -c ". /nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh && nix profile install github:supabase/postgres/{{ git_commit_sha }}#{{postgresql_version}}_src" when: stage2_nix -- name: Check psql_version and install gatekeeper if not pg15 +- name: Check if psql_version is psql_15 + set_fact: + is_psql_15: "{{ psql_version == 'psql_15' }}" + +- name: Install gatekeeper if not pg15 + when: + - stage2_nix + - not is_pgsql_15 block: - - name: Check if psql_version is psql_15 - set_fact: - is_psql_15: "{{ psql_version == 'psql_15' }}" - - - name: Install gatekeeper from nix binary cache + - name: Install gatekeeper from nix binary cache become: yes shell: | sudo -u postgres bash -c ". /nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh && nix profile install github:supabase/postgres/{{ git_commit_sha }}#gatekeeper" - when: stage2_nix and not is_psql_15 - name: Create symbolic link for linux-pam to find pam_jit_pg.so shell: > sudo ln -s /var/lib/postgresql/.nix-profile/lib/security/pam_jit_pg.so $(find /nix/store -type d -path "/nix/store/*-linux-pam-*/lib/security" -print -quit)/pam_jit_pg.so become: yes - when: stage2_nix and not is_psql_15 - name: Set ownership and permissions for /etc/ssl/private become: yes From 1a87595dcf8f1b3b091e5708cdb17f3748bb8808 Mon Sep 17 00:00:00 2001 From: Etienne Stalmans Date: Fri, 29 Aug 2025 20:32:54 +0200 Subject: [PATCH 18/23] fix: syntax error --- ansible/tasks/stage2-setup-postgres.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/ansible/tasks/stage2-setup-postgres.yml b/ansible/tasks/stage2-setup-postgres.yml index e314d8523..fe2c4a77a 100644 --- a/ansible/tasks/stage2-setup-postgres.yml +++ b/ansible/tasks/stage2-setup-postgres.yml 
@@ -102,17 +102,17 @@ - name: Install gatekeeper if not pg15 when: - stage2_nix - - not is_pgsql_15 + - not is_psql_15 block: - - name: Install gatekeeper from nix binary cache + - name: Install gatekeeper from nix binary cache become: yes shell: | sudo -u postgres bash -c ". /nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh && nix profile install github:supabase/postgres/{{ git_commit_sha }}#gatekeeper" - name: Create symbolic link for linux-pam to find pam_jit_pg.so - shell: > - sudo ln -s /var/lib/postgresql/.nix-profile/lib/security/pam_jit_pg.so $(find /nix/store -type d -path "/nix/store/*-linux-pam-*/lib/security" -print -quit)/pam_jit_pg.so become: yes + shell: | + sudo ln -s /var/lib/postgresql/.nix-profile/lib/security/pam_jit_pg.so $(find /nix/store -type d -path "/nix/store/*-linux-pam-*/lib/security" -print -quit)/pam_jit_pg.so - name: Set ownership and permissions for /etc/ssl/private become: yes From f9c4bae1adf7cfdbebbf7b53708e5292041ca2dc Mon Sep 17 00:00:00 2001 From: Sam Rose Date: Fri, 12 Sep 2025 10:02:17 -0400 Subject: [PATCH 19/23] test: some sanity tests for jit pam module --- testinfra/test_ami_nix.py | 134 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 134 insertions(+) diff --git a/testinfra/test_ami_nix.py b/testinfra/test_ami_nix.py index 42442de18..561122abf 100644 --- a/testinfra/test_ami_nix.py +++ b/testinfra/test_ami_nix.py 
@@ -623,6 +623,140 @@ def test_libpq5_version(host): print("✓ libpq5 version is >= 14") +def test_jit_pam_module_installed(host): + """Test that the JIT PAM module (pam_jit_pg.so) is properly installed.""" + # Check if gatekeeper is installed via Nix + result = run_ssh_command(host['ssh'], "sudo -u postgres ls -la /var/lib/postgresql/.nix-profile/lib/security/pam_jit_pg.so 2>/dev/null") + if result['succeeded']: + print(f"\nJIT PAM module found in Nix profile:\n{result['stdout']}") + else: + print("\nJIT PAM module not found in postgres user's Nix profile") + assert False, "JIT PAM module (pam_jit_pg.so) not found in expected location" + + # Check if the symlink exists in the Linux PAM security directory + result = run_ssh_command(host['ssh'], "find /nix/store -type f -path '*/lib/security/pam_jit_pg.so' 2>/dev/null | head -5") + if result['succeeded'] and result['stdout'].strip(): + print(f"\nJIT PAM module symlinks found:\n{result['stdout']}") + else: + print("\nNo JIT PAM module symlinks found in /nix/store") + + # Verify the module is a valid shared library + result = run_ssh_command(host['ssh'], "file /var/lib/postgresql/.nix-profile/lib/security/pam_jit_pg.so") + if result['succeeded']: + print(f"\nJIT PAM module file type:\n{result['stdout']}") + assert "shared object" in result['stdout'].lower() or "dynamically linked" in result['stdout'].lower(), \ + "JIT PAM module is not a valid shared library" + + print("✓ JIT PAM module is properly installed") + + +def test_pam_postgresql_config(host): + """Test that the PAM configuration for PostgreSQL exists and is properly configured.""" + # Check PostgreSQL version to determine if PAM config should exist + result = run_ssh_command(host['ssh'], "sudo -u postgres psql --version | grep -oE '[0-9]+' | head -1") + pg_major_version = 15 # Default + if result['succeeded'] and result['stdout'].strip(): + try: + pg_major_version = int(result['stdout'].strip()) + except ValueError: + pass + + print(f"\nPostgreSQL major 
version: {pg_major_version}") + + # PAM config should exist for non-PostgreSQL 15 versions + if pg_major_version != 15: + # Check if PAM config file exists + result = run_ssh_command(host['ssh'], "ls -la /etc/pam.d/postgresql") + if result['succeeded']: + print(f"\nPAM config file found:\n{result['stdout']}") + + # Check file permissions + result = run_ssh_command(host['ssh'], "stat -c '%a %U %G' /etc/pam.d/postgresql") + if result['succeeded']: + perms = result['stdout'].strip() + print(f"PAM config permissions: {perms}") + # Should be owned by postgres:postgres with 664 permissions + assert "postgres postgres" in perms, "PAM config not owned by postgres:postgres" + else: + print("\nPAM config file not found") + assert False, "PAM configuration file /etc/pam.d/postgresql not found" + else: + print("\nSkipping PAM config check for PostgreSQL 15") + # For PostgreSQL 15, the PAM config should NOT exist + result = run_ssh_command(host['ssh'], "test -f /etc/pam.d/postgresql") + if result['succeeded']: + print("\nWARNING: PAM config exists for PostgreSQL 15 (not expected)") + + print("✓ PAM configuration is properly set up") + + +def test_jit_pam_gatekeeper_profile(host): + """Test that the gatekeeper package is properly installed in the postgres user's Nix profile.""" + # Check if gatekeeper is in the postgres user's Nix profile + result = run_ssh_command(host['ssh'], "sudo -u postgres nix profile list 2>/dev/null | grep -i gatekeeper") + if result['succeeded'] and result['stdout'].strip(): + print(f"\nGatekeeper found in Nix profile:\n{result['stdout']}") + else: + # Try alternative check + result = run_ssh_command(host['ssh'], "sudo -u postgres ls -la /var/lib/postgresql/.nix-profile/ | grep -i gate") + if result['succeeded'] and result['stdout'].strip(): + print(f"\nGatekeeper-related files in profile:\n{result['stdout']}") + else: + print("\nGatekeeper not found in postgres user's Nix profile") + # This might be expected if it's installed system-wide instead + + # 
Check if we can find the gatekeeper derivation + result = run_ssh_command(host['ssh'], "find /nix/store -maxdepth 1 -type d -name '*gatekeeper*' 2>/dev/null | head -5") + if result['succeeded'] and result['stdout'].strip(): + print(f"\nGatekeeper derivations found:\n{result['stdout']}") + else: + print("\nNo gatekeeper derivations found in /nix/store") + + print("✓ Gatekeeper package installation check completed") + + +def test_jit_pam_module_dependencies(host): + """Test that the JIT PAM module has all required dependencies.""" + # Check dependencies of the PAM module + result = run_ssh_command(host['ssh'], "ldd /var/lib/postgresql/.nix-profile/lib/security/pam_jit_pg.so 2>/dev/null") + if result['succeeded']: + print(f"\nJIT PAM module dependencies:\n{result['stdout']}") + + # Check for required libraries + required_libs = ["libpam", "libc"] + for lib in required_libs: + if lib not in result['stdout'].lower(): + print(f"WARNING: Required library {lib} not found in dependencies") + + # Check for any missing dependencies + if "not found" in result['stdout'].lower(): + assert False, "JIT PAM module has missing dependencies" + else: + print("\nCould not check JIT PAM module dependencies") + + print("✓ JIT PAM module dependencies are satisfied") + + +def test_jit_pam_postgresql_integration(host): + """Test that PostgreSQL can be configured to use PAM authentication.""" + # Check if PAM is available as an authentication method in PostgreSQL + result = run_ssh_command(host['ssh'], "sudo -u postgres psql -c \"SELECT name, setting FROM pg_settings WHERE name LIKE '%pam%';\" 2>/dev/null") + if result['succeeded']: + print(f"\nPostgreSQL PAM-related settings:\n{result['stdout']}") + + # Check pg_hba.conf for potential PAM entries (even if not currently active) + result = run_ssh_command(host['ssh'], "grep -i pam /etc/postgresql/pg_hba.conf 2>/dev/null || echo 'No PAM entries in pg_hba.conf'") + if result['succeeded']: + print(f"\nPAM entries in 
pg_hba.conf:\n{result['stdout']}") + + # Verify PostgreSQL was compiled with PAM support + result = run_ssh_command(host['ssh'], "sudo -u postgres pg_config --configure 2>/dev/null | grep -i pam || echo 'PAM compile flag not found'") + if result['succeeded']: + print(f"\nPostgreSQL PAM compile flags:\n{result['stdout']}") + + print("✓ PostgreSQL PAM integration check completed") + + def test_postgrest_read_only_session_attrs(host): """Test PostgREST with target_session_attrs=read-only and check for session errors.""" # First, check if PostgreSQL is configured for read-only mode From 706b66d7046623a76965ca166a380eacdaea352d Mon Sep 17 00:00:00 2001 From: Sam Rose Date: Fri, 12 Sep 2025 14:38:51 -0400 Subject: [PATCH 20/23] fix: get treefmt to pass --- testinfra/test_ami_nix.py | 137 ++++++++++++++++++++++++-------------- 1 file changed, 87 insertions(+), 50 deletions(-) diff --git a/testinfra/test_ami_nix.py b/testinfra/test_ami_nix.py index 561122abf..4776d9ad2 100644 --- a/testinfra/test_ami_nix.py +++ b/testinfra/test_ami_nix.py 
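Review bot: In `test_pam_postgresql_config` the comment says the file "Should be owned by postgres:postgres with 664 permissions" but the assertion only checks ownership, so a world-writable `/etc/pam.d/postgresql` — a file PAM evaluates for every postgres login — would pass; since `stat -c '%a %U %G'` already yields the mode, assert on it as well, e.g. `assert perms == "664 postgres postgres", f"unexpected PAM config perms: {perms}"`. The `pg_major_version = 15  # Default` fallback turns a failure to run or parse `psql --version` into the PG15 branch, which skips the PAM check instead of failing, so an image on which psql does not run at all passes this test. In `test_jit_pam_module_installed` the "symlinks found" probe uses `find /nix/store -type f`, which does not match symlinks, so that branch cannot report what its message says; it is informational only, but the message should match the predicate. `test_postgrest_read_only_session_attrs` continues past the end of the hunk.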
@@ -626,134 +626,171 @@ def test_libpq5_version(host): def test_jit_pam_module_installed(host): """Test that the JIT PAM module (pam_jit_pg.so) is properly installed.""" # Check if gatekeeper is installed via Nix - result = run_ssh_command(host['ssh'], "sudo -u postgres ls -la /var/lib/postgresql/.nix-profile/lib/security/pam_jit_pg.so 2>/dev/null") - if result['succeeded']: + result = run_ssh_command( + host["ssh"], + "sudo -u postgres ls -la /var/lib/postgresql/.nix-profile/lib/security/pam_jit_pg.so 2>/dev/null", + ) + if result["succeeded"]: print(f"\nJIT PAM module found in Nix profile:\n{result['stdout']}") else: print("\nJIT PAM module not found in postgres user's Nix profile") assert False, "JIT PAM module (pam_jit_pg.so) not found in expected location" - + # Check if the symlink exists in the Linux PAM security directory - result = run_ssh_command(host['ssh'], "find /nix/store -type f -path '*/lib/security/pam_jit_pg.so' 2>/dev/null | head -5") - if result['succeeded'] and result['stdout'].strip(): + result = run_ssh_command( + host["ssh"], + "find /nix/store -type f -path '*/lib/security/pam_jit_pg.so' 2>/dev/null | head -5", + ) + if result["succeeded"] and result["stdout"].strip(): print(f"\nJIT PAM module symlinks found:\n{result['stdout']}") else: print("\nNo JIT PAM module symlinks found in /nix/store") - + # Verify the module is a valid shared library - result = run_ssh_command(host['ssh'], "file /var/lib/postgresql/.nix-profile/lib/security/pam_jit_pg.so") - if result['succeeded']: + result = run_ssh_command( + host["ssh"], "file /var/lib/postgresql/.nix-profile/lib/security/pam_jit_pg.so" + ) + if result["succeeded"]: print(f"\nJIT PAM module file type:\n{result['stdout']}") - assert "shared object" in result['stdout'].lower() or "dynamically linked" in result['stdout'].lower(), \ - "JIT PAM module is not a valid shared library" - + assert ( + "shared object" in result["stdout"].lower() + or "dynamically linked" in result["stdout"].lower() + ), 
"JIT PAM module is not a valid shared library" + print("✓ JIT PAM module is properly installed") def test_pam_postgresql_config(host): """Test that the PAM configuration for PostgreSQL exists and is properly configured.""" # Check PostgreSQL version to determine if PAM config should exist - result = run_ssh_command(host['ssh'], "sudo -u postgres psql --version | grep -oE '[0-9]+' | head -1") + result = run_ssh_command( + host["ssh"], "sudo -u postgres psql --version | grep -oE '[0-9]+' | head -1" + ) pg_major_version = 15 # Default - if result['succeeded'] and result['stdout'].strip(): + if result["succeeded"] and result["stdout"].strip(): try: - pg_major_version = int(result['stdout'].strip()) + pg_major_version = int(result["stdout"].strip()) except ValueError: pass - + print(f"\nPostgreSQL major version: {pg_major_version}") - + # PAM config should exist for non-PostgreSQL 15 versions if pg_major_version != 15: # Check if PAM config file exists - result = run_ssh_command(host['ssh'], "ls -la /etc/pam.d/postgresql") - if result['succeeded']: + result = run_ssh_command(host["ssh"], "ls -la /etc/pam.d/postgresql") + if result["succeeded"]: print(f"\nPAM config file found:\n{result['stdout']}") - + # Check file permissions - result = run_ssh_command(host['ssh'], "stat -c '%a %U %G' /etc/pam.d/postgresql") - if result['succeeded']: - perms = result['stdout'].strip() + result = run_ssh_command( + host["ssh"], "stat -c '%a %U %G' /etc/pam.d/postgresql" + ) + if result["succeeded"]: + perms = result["stdout"].strip() print(f"PAM config permissions: {perms}") # Should be owned by postgres:postgres with 664 permissions - assert "postgres postgres" in perms, "PAM config not owned by postgres:postgres" + assert ( + "postgres postgres" in perms + ), "PAM config not owned by postgres:postgres" else: print("\nPAM config file not found") assert False, "PAM configuration file /etc/pam.d/postgresql not found" else: print("\nSkipping PAM config check for PostgreSQL 15") # For 
PostgreSQL 15, the PAM config should NOT exist - result = run_ssh_command(host['ssh'], "test -f /etc/pam.d/postgresql") - if result['succeeded']: + result = run_ssh_command(host["ssh"], "test -f /etc/pam.d/postgresql") + if result["succeeded"]: print("\nWARNING: PAM config exists for PostgreSQL 15 (not expected)") - + print("✓ PAM configuration is properly set up") def test_jit_pam_gatekeeper_profile(host): """Test that the gatekeeper package is properly installed in the postgres user's Nix profile.""" # Check if gatekeeper is in the postgres user's Nix profile - result = run_ssh_command(host['ssh'], "sudo -u postgres nix profile list 2>/dev/null | grep -i gatekeeper") - if result['succeeded'] and result['stdout'].strip(): + result = run_ssh_command( + host["ssh"], + "sudo -u postgres nix profile list 2>/dev/null | grep -i gatekeeper", + ) + if result["succeeded"] and result["stdout"].strip(): print(f"\nGatekeeper found in Nix profile:\n{result['stdout']}") else: # Try alternative check - result = run_ssh_command(host['ssh'], "sudo -u postgres ls -la /var/lib/postgresql/.nix-profile/ | grep -i gate") - if result['succeeded'] and result['stdout'].strip(): + result = run_ssh_command( + host["ssh"], + "sudo -u postgres ls -la /var/lib/postgresql/.nix-profile/ | grep -i gate", + ) + if result["succeeded"] and result["stdout"].strip(): print(f"\nGatekeeper-related files in profile:\n{result['stdout']}") else: print("\nGatekeeper not found in postgres user's Nix profile") # This might be expected if it's installed system-wide instead - + # Check if we can find the gatekeeper derivation - result = run_ssh_command(host['ssh'], "find /nix/store -maxdepth 1 -type d -name '*gatekeeper*' 2>/dev/null | head -5") - if result['succeeded'] and result['stdout'].strip(): + result = run_ssh_command( + host["ssh"], + "find /nix/store -maxdepth 1 -type d -name '*gatekeeper*' 2>/dev/null | head -5", + ) + if result["succeeded"] and result["stdout"].strip(): print(f"\nGatekeeper 
derivations found:\n{result['stdout']}") else: print("\nNo gatekeeper derivations found in /nix/store") - + print("✓ Gatekeeper package installation check completed") def test_jit_pam_module_dependencies(host): """Test that the JIT PAM module has all required dependencies.""" # Check dependencies of the PAM module - result = run_ssh_command(host['ssh'], "ldd /var/lib/postgresql/.nix-profile/lib/security/pam_jit_pg.so 2>/dev/null") - if result['succeeded']: + result = run_ssh_command( + host["ssh"], + "ldd /var/lib/postgresql/.nix-profile/lib/security/pam_jit_pg.so 2>/dev/null", + ) + if result["succeeded"]: print(f"\nJIT PAM module dependencies:\n{result['stdout']}") - + # Check for required libraries required_libs = ["libpam", "libc"] for lib in required_libs: - if lib not in result['stdout'].lower(): + if lib not in result["stdout"].lower(): print(f"WARNING: Required library {lib} not found in dependencies") - + # Check for any missing dependencies - if "not found" in result['stdout'].lower(): + if "not found" in result["stdout"].lower(): assert False, "JIT PAM module has missing dependencies" else: print("\nCould not check JIT PAM module dependencies") - + print("✓ JIT PAM module dependencies are satisfied") def test_jit_pam_postgresql_integration(host): """Test that PostgreSQL can be configured to use PAM authentication.""" # Check if PAM is available as an authentication method in PostgreSQL - result = run_ssh_command(host['ssh'], "sudo -u postgres psql -c \"SELECT name, setting FROM pg_settings WHERE name LIKE '%pam%';\" 2>/dev/null") - if result['succeeded']: + result = run_ssh_command( + host["ssh"], + "sudo -u postgres psql -c \"SELECT name, setting FROM pg_settings WHERE name LIKE '%pam%';\" 2>/dev/null", + ) + if result["succeeded"]: print(f"\nPostgreSQL PAM-related settings:\n{result['stdout']}") - + # Check pg_hba.conf for potential PAM entries (even if not currently active) - result = run_ssh_command(host['ssh'], "grep -i pam 
/etc/postgresql/pg_hba.conf 2>/dev/null || echo 'No PAM entries in pg_hba.conf'") - if result['succeeded']: + result = run_ssh_command( + host["ssh"], + "grep -i pam /etc/postgresql/pg_hba.conf 2>/dev/null || echo 'No PAM entries in pg_hba.conf'", + ) + if result["succeeded"]: print(f"\nPAM entries in pg_hba.conf:\n{result['stdout']}") - + # Verify PostgreSQL was compiled with PAM support - result = run_ssh_command(host['ssh'], "sudo -u postgres pg_config --configure 2>/dev/null | grep -i pam || echo 'PAM compile flag not found'") - if result['succeeded']: + result = run_ssh_command( + host["ssh"], + "sudo -u postgres pg_config --configure 2>/dev/null | grep -i pam || echo 'PAM compile flag not found'", + ) + if result["succeeded"]: print(f"\nPostgreSQL PAM compile flags:\n{result['stdout']}") - + print("✓ PostgreSQL PAM integration check completed") From 5e8ca733a221a99625080d77a67115b382b5763a Mon Sep 17 00:00:00 2001 From: Sam Rose Date: Fri, 12 Sep 2025 15:57:01 -0400 Subject: [PATCH 21/23] test: more fixes to test` --- testinfra/test_ami_nix.py | 50 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 50 insertions(+) diff --git a/testinfra/test_ami_nix.py b/testinfra/test_ami_nix.py index 4776d9ad2..2a28175b3 100644 --- a/testinfra/test_ami_nix.py +++ b/testinfra/test_ami_nix.py 
@@ -625,6 +625,22 @@ def test_libpq5_version(host): def test_jit_pam_module_installed(host): """Test that the JIT PAM module (pam_jit_pg.so) is properly installed.""" + # Check PostgreSQL version first + result = run_ssh_command( + host["ssh"], "sudo -u postgres psql --version | grep -oE '[0-9]+' | head -1" + ) + pg_major_version = 15 # Default + if result["succeeded"] and result["stdout"].strip(): + try: + pg_major_version = int(result["stdout"].strip()) + except ValueError: + pass + + # Skip test for PostgreSQL 15 as gatekeeper is not installed for PG15 + if pg_major_version == 15: + print("\nSkipping JIT PAM module test for PostgreSQL 15 (not installed)") + return + # Check if gatekeeper is installed via Nix result = run_ssh_command( host["ssh"], @@ -708,6 +724,22 @@ def test_pam_postgresql_config(host): def test_jit_pam_gatekeeper_profile(host): """Test that the gatekeeper package is properly installed in the postgres user's Nix profile.""" + # Check PostgreSQL version first + result = run_ssh_command( + host["ssh"], "sudo -u postgres psql --version | grep -oE '[0-9]+' | head -1" + ) + pg_major_version = 15 # Default + if result["succeeded"] and result["stdout"].strip(): + try: + pg_major_version = int(result["stdout"].strip()) + except ValueError: + pass + + # Skip test for PostgreSQL 15 as gatekeeper is not installed for PG15 + if pg_major_version == 15: + print("\nSkipping gatekeeper profile test for PostgreSQL 15 (not installed)") + return + # Check if gatekeeper is in the postgres user's Nix profile result = run_ssh_command( host["ssh"], 
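Review bot: The version probe and the "skip for PostgreSQL 15" early return added at the top of `test_jit_pam_module_installed` and `test_jit_pam_gatekeeper_profile` here (and a third time in `test_jit_pam_module_dependencies` in the next hunk) are copy-pasted, and each copy defaults to 15 when `psql --version` cannot be read or parsed — which is exactly the branch that makes the test return early and pass, so on an image where psql is missing or broken every gatekeeper check is silently skipped. Extract one helper that fails loudly on a probe error and have the three tests call it; the `print(...); return` can stay, or become `pytest.skip(...)` if pytest is the runner here, so the skip shows up in the report rather than as a pass. The sketch below shows the helper and the first call site; the other two tests change the same way.
```python
def _pg_major_version(host) -> int:
    """Return the major version reported by `psql --version`; fail the test if it cannot be read."""
    result = run_ssh_command(
        host["ssh"], "sudo -u postgres psql --version | grep -oE '[0-9]+' | head -1"
    )
    assert result["succeeded"] and result["stdout"].strip(), "could not read psql --version"
    return int(result["stdout"].strip())


def test_jit_pam_module_installed(host):
    """Test that the JIT PAM module (pam_jit_pg.so) is properly installed."""
    # Skip test for PostgreSQL 15 as gatekeeper is not installed for PG15
    if _pg_major_version(host) == 15:
        print("\nSkipping JIT PAM module test for PostgreSQL 15 (not installed)")
        return
    # … unchanged: Nix profile, /nix/store and `file` checks …
```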
@@ -742,6 +774,24 @@ def test_jit_pam_gatekeeper_profile(host): def test_jit_pam_module_dependencies(host): """Test that the JIT PAM module has all required dependencies.""" + # Check PostgreSQL version first + result = run_ssh_command( + host["ssh"], "sudo -u postgres psql --version | grep -oE '[0-9]+' | head -1" + ) + pg_major_version = 15 # Default + if result["succeeded"] and result["stdout"].strip(): + try: + pg_major_version = int(result["stdout"].strip()) + except ValueError: + pass + + # Skip test for PostgreSQL 15 as gatekeeper is not installed for PG15 + if pg_major_version == 15: + print( + "\nSkipping JIT PAM module dependencies test for PostgreSQL 15 (not installed)" + ) + return + # Check dependencies of the PAM module result = run_ssh_command( host["ssh"], From 18c157017fd03ddb929edf635978757a6e06eaa6 Mon Sep 17 00:00:00 2001 From: Etienne Stalmans Date: Fri, 10 Oct 2025 12:51:17 +0200 Subject: [PATCH 22/23] chore: rebase and small changes from review --- .github/workflows/nix-build.yml | 10 ++------- nix/packages/gatekeeper.nix | 2 +- testinfra/test_ami_nix.py | 36 +++++++++++++++++---------------- 3 files changed, 22 insertions(+), 26 deletions(-) diff --git a/.github/workflows/nix-build.yml b/.github/workflows/nix-build.yml index 69ef85ba4..1e796456d 100644 --- a/.github/workflows/nix-build.yml +++ b/.github/workflows/nix-build.yml @@ -24,7 +24,7 @@ jobs: fail-fast: false matrix: include: - - runner: blacksmith-32vcpu-ubuntu-2404 + - runner: blacksmith-32vcpu-ubuntu-2404 arch: amd64 - runner: blacksmith-32vcpu-ubuntu-2404-arm arch: arm64 
@@ -56,12 +56,6 @@ jobs: sudo -E python -c "import os; file = open('/etc/nix/nix-secret-key', 'w'); file.write(os.environ['NIX_SIGN_SECRET_KEY']); file.close()" env: NIX_SIGN_SECRET_KEY: ${{ secrets.NIX_SIGN_SECRET_KEY }} - - name: Setup SSH for deploy key - run: | - mkdir -p ~/.ssh - echo "${{ secrets.GK_DEPLOY_KEY }}" > ~/.ssh/id_ed25519 - chmod 600 ~/.ssh/id_ed25519 - ssh-keyscan github.com >> ~/.ssh/known_hosts - name: Setup cache script if: ${{ github.secret_source == 'Actions' }} run: | @@ -116,7 +110,7 @@ jobs: df -h - name: Build psql bundle run: > - nix run "github:Mic92/nix-fast-build?rev=b1dae483ab7d4139a6297e02b6de9e5d30e43d48" + nix run "github:Mic92/nix-fast-build?rev=b1dae483ab7d4139a6297e02b6de9e5d30e43d48" -- --skip-cached --no-nom ${{ matrix.runner == 'macos-latest-xlarge' && '--max-jobs 1' || '' }} --flake ".#checks.$(nix eval --raw --impure --expr 'builtins.currentSystem')" env: diff --git a/nix/packages/gatekeeper.nix b/nix/packages/gatekeeper.nix index 5f0fcbc68..7cba56bbd 100644 --- a/nix/packages/gatekeeper.nix +++ b/nix/packages/gatekeeper.nix @@ -18,7 +18,7 @@ buildGoModule { src = pkgs.fetchFromGitHub { owner = "supabase"; repo = "jit-db-gatekeeper"; - rev = "refs/heads/main"; + rev = "v1.0.0"; hash = "sha256-hrYh1dBxk+aN3b/J9mZqk/ZXHmWA/MIqZLVgICT7e90="; }; diff --git a/testinfra/test_ami_nix.py b/testinfra/test_ami_nix.py index 2a28175b3..ae4b07b1a 100644 --- a/testinfra/test_ami_nix.py +++ b/testinfra/test_ami_nix.py @@ -403,9 +403,9 @@ def is_healthy(ssh) -> bool: def test_postgrest_is_running(host): """Check if postgrest service is running using our SSH connection.""" result = run_ssh_command(host["ssh"], "systemctl is-active postgrest") - assert ( - result["succeeded"] and result["stdout"].strip() == "active" - ), "PostgREST service is not running" + assert result["succeeded"] and result["stdout"].strip() == "active", ( + "PostgREST service is not running" + ) def test_postgrest_responds_to_requests(host): 
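Review bot: In the `nix/packages/gatekeeper.nix` hunk, `rev = "v1.0.0"` keeps the `hash` that was computed for `refs/heads/main`; that is only correct if the tag's tree is byte-identical to what main was when the hash was taken, and because fixed-output derivations are looked up by their output hash, a builder or binary cache that already holds the main-derived output will serve it without ever fetching the tag, so a mismatch would surface only on a cold build. Recompute the hash against the tag as part of this change (set it to `lib.fakeHash` and take the value from the mismatch error, or use `nix-prefetch-github`). Tags are also movable; pinning `rev` to the commit SHA that `v1.0.0` resolves to, with the tag named in a comment beside it, gives this supply-chain pin the immutability the `hash` is meant to guarantee.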
@@ -547,9 +547,9 @@ def test_postgresql_version(host): if version_match: major_version = int(version_match.group(1)) print(f"PostgreSQL major version: {major_version}") - assert ( - major_version >= 14 - ), f"PostgreSQL version {major_version} is less than 14" + assert major_version >= 14, ( + f"PostgreSQL version {major_version} is less than 14" + ) else: assert False, "Could not parse PostgreSQL version number" else: @@ -579,9 +579,9 @@ def test_libpq5_version(host): if version_match: major_version = int(version_match.group(1)) print(f"libpq5 major version: {major_version}") - assert ( - major_version >= 14 - ), f"libpq5 version {major_version} is less than 14" + assert major_version >= 14, ( + f"libpq5 version {major_version} is less than 14" + ) else: print("Could not parse libpq5 version from dpkg output") else: @@ -614,9 +614,9 @@ def test_libpq5_version(host): if version_match: major_version = int(version_match.group(1)) print(f"psql/libpq major version: {major_version}") - assert ( - major_version >= 14 - ), f"psql/libpq version {major_version} is less than 14" + assert major_version >= 14, ( + f"psql/libpq version {major_version} is less than 14" + ) else: print("Could not parse psql version") @@ -706,9 +706,9 @@ def test_pam_postgresql_config(host): perms = result["stdout"].strip() print(f"PAM config permissions: {perms}") # Should be owned by postgres:postgres with 664 permissions - assert ( - "postgres postgres" in perms - ), "PAM config not owned by postgres:postgres" + assert "postgres postgres" in perms, ( + "PAM config not owned by postgres:postgres" + ) else: print("\nPAM config file not found") assert False, "PAM configuration file /etc/pam.d/postgresql not found" 
@@ -743,7 +743,7 @@ def test_jit_pam_gatekeeper_profile(host):
 # Check if gatekeeper is in the postgres user's Nix profile
 result = run_ssh_command(
 host["ssh"],
- "sudo -u postgres nix profile list 2>/dev/null | grep -i gatekeeper",
+ "sudo -u postgres nix profile list --json | jq -r '.elements.gatekeeper.storePaths[0]'",
 )
 if result["succeeded"] and result["stdout"].strip():
 print(f"\nGatekeeper found in Nix profile:\n{result['stdout']}")
@@ -998,7 +998,9 @@ def test_postgrest_read_only_session_attrs(host):
 print(
 f"\nFound 'session is not read-only' errors in PostgREST logs:\n{result['stdout']}"
 )
- assert False, "PostgREST logs contain 'session is not read-only' errors even though PostgreSQL is configured for read-only mode"
+ assert False, (
+ "PostgREST logs contain 'session is not read-only' errors even though PostgreSQL is configured for read-only mode"
+ )
 else:
 print("\nNo 'session is not read-only' errors found in PostgREST logs")
 

From 60bc843a13d1a0a4795c12de55cc389f6f58e9d9 Mon Sep 17 00:00:00 2001
From: Etienne Stalmans
Date: Fri, 10 Oct 2025 14:41:02 +0200
Subject: [PATCH 23/23] chore: ruff

---
 testinfra/test_ami_nix.py | 34 ++++++++++++++++------------------
 1 file changed, 16 insertions(+), 18 deletions(-)

diff --git a/testinfra/test_ami_nix.py b/testinfra/test_ami_nix.py
index ae4b07b1a..fc069e529 100644
--- a/testinfra/test_ami_nix.py
+++ b/testinfra/test_ami_nix.py
@@ -403,9 +403,9 @@ def is_healthy(ssh) -> bool:
 def test_postgrest_is_running(host):
 """Check if postgrest service is running using our SSH connection."""
 result = run_ssh_command(host["ssh"], "systemctl is-active postgrest")
- assert result["succeeded"] and result["stdout"].strip() == "active", (
- "PostgREST service is not running"
- )
+ assert (
+ result["succeeded"] and result["stdout"].strip() == "active"
+ ), "PostgREST service is not running"
 
 
 def test_postgrest_responds_to_requests(host):
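Review bot: With `jq -r`, a profile that has no `gatekeeper` element prints the literal string `null` on stdout and exits 0, so the `if result["succeeded"] and result["stdout"].strip():` check two lines below would treat an absent package as found, whereas the replaced `grep` pipeline failed closed because grep exits non-zero on no match. Adding `-e` makes jq exit 1 when its last output is null or false: `"sudo -u postgres nix profile list --json | jq -re '.elements.gatekeeper.storePaths[0]'"`. This assumes `run_ssh_command` derives `succeeded` from the remote exit status, which is not visible in the hunk. The `.elements.gatekeeper` lookup also assumes a Nix version whose `profile list --json` keys `elements` by name; as far as I recall older releases emitted an array, in which case jq errors out and the test reports "not found" rather than a version mismatch. The rest of `test_jit_pam_gatekeeper_profile` lies outside the hunk.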
@@ -547,9 +547,9 @@ def test_postgresql_version(host):
 if version_match:
 major_version = int(version_match.group(1))
 print(f"PostgreSQL major version: {major_version}")
- assert major_version >= 14, (
- f"PostgreSQL version {major_version} is less than 14"
- )
+ assert (
+ major_version >= 14
+ ), f"PostgreSQL version {major_version} is less than 14"
 else:
 assert False, "Could not parse PostgreSQL version number"
 else:
@@ -579,9 +579,9 @@ def test_libpq5_version(host):
 if version_match:
 major_version = int(version_match.group(1))
 print(f"libpq5 major version: {major_version}")
- assert major_version >= 14, (
- f"libpq5 version {major_version} is less than 14"
- )
+ assert (
+ major_version >= 14
+ ), f"libpq5 version {major_version} is less than 14"
 else:
 print("Could not parse libpq5 version from dpkg output")
 else:
@@ -614,9 +614,9 @@ def test_libpq5_version(host):
 if version_match:
 major_version = int(version_match.group(1))
 print(f"psql/libpq major version: {major_version}")
- assert major_version >= 14, (
- f"psql/libpq version {major_version} is less than 14"
- )
+ assert (
+ major_version >= 14
+ ), f"psql/libpq version {major_version} is less than 14"
 else:
 print("Could not parse psql version")
 
@@ -706,9 +706,9 @@ def test_pam_postgresql_config(host):
 perms = result["stdout"].strip()
 print(f"PAM config permissions: {perms}")
 # Should be owned by postgres:postgres with 664 permissions
- assert "postgres postgres" in perms, (
- "PAM config not owned by postgres:postgres"
- )
+ assert (
+ "postgres postgres" in perms
+ ), "PAM config not owned by postgres:postgres"
 else:
 print("\nPAM config file not found")
 assert False, "PAM configuration file /etc/pam.d/postgresql not found"
@@ -998,9 +998,7 @@ def test_postgrest_read_only_session_attrs(host):
 print(
 f"\nFound 'session is not read-only' errors in PostgREST logs:\n{result['stdout']}"
 )
- assert False, (
- "PostgREST logs contain 'session is not read-only' errors even though PostgreSQL is configured for read-only mode"
- )
+ assert False, "PostgREST logs contain 'session is not read-only' errors even though PostgreSQL is configured for read-only mode"
 else:
 print("\nNo 'session is not read-only' errors found in PostgREST logs")
 