
feat: enforce strong DB password values

Merged Artyom Kartasov requested to merge 530-validate-passwords into master

Description

Enforce strong DB password values during clone creation.

The password must have sufficient (60 bits) entropy (raw cryptographic strength of the password). A password with 60 bits of entropy has 2^60 (or about 1.15 quintillion) possible combinations.

This MR doesn't load large datasets, and doesn't contact external services. So, keep in mind that the rules don't protect against common passwords or PWNed passwords.

Related issue

Examples

Weak password

$ dblab clone create --username john --password 123
2023/08/21 06:26:52 failed to get response: password validation: insecure password, try including more special characters, using lowercase letters, using uppercase letters or using a longer password

Strong password

$ dblab clone create --username john --password Ae6ua1ahoog7Aisi
{
    "id": "cjhhjj0n9i6s738qaoe0",
    "protected": false,
    "deleteAt": null,
    "createdAt": "2023-08-21T08:01:16Z",
    "status": {
        "code": "OK",
        "message": "Clone is ready to accept Postgres connections."
    },
    "db": {
        "connStr": "host=localhost port=6001 user=john dbname=postgres",
        "host": "localhost",
        "port": "6001",
        "username": "john",
        "password": "",
        "dbName": ""
    },
    "snapshot": {
        "id": "oldest5@snapshot_20230821075549",
        "createdAt": "2023-08-21T07:57:15Z",
        "dataStateAt": "2023-08-21T07:55:49Z",
        "pool": "oldest5",
        "numClones": 1,
        "physicalSize": "0 B",
        "logicalSize": "71 MiB"
    },
    "metadata": {
        "cloningTime": 0.668200092,
        "maxIdleMinutes": 30,
        "cloneDiffSize": "186 KiB",
        "logicalSize": "71 MiB"
    }
}

Checklist

  • MR description has been reviewed
  • MR changes are functionally tested
  • MR does NOT have API/CLI changes OR there are API/CLI changes and they have been reviewed & DOCS ARE ADJUSTED (reference doc, etc)
  • MR does NOT have UI changes OR there are UI changes and they have been reviewed & UX IS REVIEWED

Closes #530

Edited by Artyom Kartasov
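The 60-bit threshold check described above, as an added Go example that is not code from this merge request or the DBLab project. It assumes entropy is estimated as length × log2(character-pool size) with the pool sizes given in the comments; `EntropyBits`, `ValidatePassword` and the sample `Password1234` are hypothetical names and constructed input.

```go
package main

import (
	"fmt"
	"math"
)

// MinEntropyBits is the 60-bit threshold stated in the MR description.
const MinEntropyBits = 60.0

// EntropyBits estimates strength as length * log2(pool size). Pool sizes are
// this example's assumption: 26 lower, 26 upper, 10 digits, 32 for anything else.
func EntropyBits(password string) float64 {
	var lower, upper, digit, other int
	for _, r := range password {
		switch {
		case r >= 'a' && r <= 'z':
			lower = 26
		case r >= 'A' && r <= 'Z':
			upper = 26
		case r >= '0' && r <= '9':
			digit = 10
		default:
			other = 32
		}
	}
	pool := lower + upper + digit + other
	if pool == 0 {
		return 0 // empty password: avoid 0 * log2(0) = NaN
	}
	return float64(len([]rune(password))) * math.Log2(float64(pool))
}

// ValidatePassword returns an error when the estimate is below MinEntropyBits.
func ValidatePassword(password string) error {
	if bits := EntropyBits(password); bits < MinEntropyBits {
		return fmt.Errorf("insecure password: %.1f of %.0f bits", bits, MinEntropyBits)
	}
	return nil
}

func main() {
	// Passwords quoted on this page, plus "Password1234" (constructed sample).
	samples := []string{"123", "test", "test123", "Ae6ua1ahoog7Aisi", "SecretPa$$w0rd!", "Password1234"}
	for _, p := range samples {
		fmt.Printf("%-18q %5.1f bits accepted=%v\n", p, EntropyBits(p), ValidatePassword(p) == nil)
	}
}
```

Under this model `Password1234` scores about 71 bits and is accepted, which is the gap the description notes: an entropy rule alone does not catch common or breached passwords.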


Activity

  • requested review from @fomin.list, @NikolayS, and @vitabaks

  • Artyom Kartasov changed the description


    • Resolved by Vitaliy Kukharik

      Test

      • DBLab image: registry.gitlab.com/postgres-ai/database-lab/dblab-server:530-validate-passwords
      • UI image: registry.gitlab.com/postgres-ai/database-lab/ce-ui:530-validate-passwords
      
      docker run --rm -it --env HCLOUD_API_TOKEN=${HCLOUD_API_TOKEN} \
        postgresai/dle-se-ansible:v1.0-rc.8 \
          ansible-playbook deploy_dle.yml --extra-vars \
          "provision='hetzner' \
          server_name='vitaliy-dle-test-hetzner' \
          server_type='CCX23' \
          server_image='ubuntu-22.04' \
          server_location='ash' \
          volume_size='60' \
          dle_verification_token='nzgLkg88BCkpCDW0DXSwWWoXuOfSshfe' \
          dle_version='3.4.0' \
          zpool_datasets_number='3' \
          dle_platform_org_key='******' \
          dle_platform_url='https://v2.postgres.ai/api/general' \
          dle_platform_project_name='vitaliy-dle-test-hetzner' \
          dle_image='registry.gitlab.com/postgres-ai/database-lab/dblab-server:530-validate-passwords'  \
          dle_ui_image='registry.gitlab.com/postgres-ai/database-lab/ce-ui:530-validate-passwords'"
      

      Result

      error pulling image configuration: download failed after attempts=1: error parsing HTTP 403 response body: invalid character '<' looking for beginning of value: "<?xml version='1.0' encoding='UTF-8'?><Error><Code>AccessDenied</Code><Message>Access denied.</Message></Error>"
      • Access denied
      • the problem with the registry, not related to this MR

      I have re-deployed the dblab server in another region (hil) and there is access to the image here.

      root@vitaliy-dle-test-hetzner:~# docker ps
      CONTAINER ID   IMAGE                                                                              COMMAND                  CREATED          STATUS          PORTS                              NAMES
      e7c4a280a9fe   registry.gitlab.com/postgres-ai/database-lab/ce-ui:530-validate-passwords          "/docker-entrypoint.…"   19 seconds ago   Up 18 seconds   2346/tcp, 127.0.0.1:2346->80/tcp   dblab_embedded_ui_cjr1qtnjja9c73crplhg
      e8828434bb1b   registry.gitlab.com/postgres-ai/database-lab/dblab-server:530-validate-passwords   "docker-entrypoint.s…"   36 seconds ago   Up 35 seconds   127.0.0.1:2345->2345/tcp           dblab_server
      root@vitaliy-dle-test-hetzner:~# 

      Result:

      Retrieval Status - Finished, but I don't see the snapshot in the UI


      2023/09/04 18:15:11 restore.go:304: [INFO] Restoring job has been finished
      2023/09/04 18:15:11 tools.go:455: [INFO] Removing container ID: c6aae563476acde5dd480edf3a112655fbd874a3d4ba9b4f5b524bd2907389e9
      2023/09/04 18:15:42 tools.go:461: [INFO] Container "c6aae563476acde5dd480edf3a112655fbd874a3d4ba9b4f5b524bd2907389e9" has been stopped
      2023/09/04 18:15:42 tools.go:472: [INFO] Container "c6aae563476acde5dd480edf3a112655fbd874a3d4ba9b4f5b524bd2907389e9" has been removed
      2023/09/04 18:15:42 retrieval.go:501: [DEBUG] Skip the logicalDump job because it does not belong to the snapshot group
      2023/09/04 18:15:42 retrieval.go:501: [DEBUG] Skip the logicalRestore job because it does not belong to the snapshot group
      2023/09/04 18:15:42 retrieval.go:453: [DEBUG] Taking a snapshot on the pool: &{dblab_pool/dataset_3 zfs 2023-09-04 18:13:56 +0000 UTC dataset_3 /var/lib/dblab/dblab_pool clones data sockets observer {{0 0} 0 0 0 0} refreshing}
      2023/09/04 18:15:42 configuration.go:204: [DEBUG] Configuring pg_hba.conf...
      2023/09/04 18:15:42 configuration.go:228: [DEBUG] Configuring Postgres...
      2023/09/04 18:15:42 configuration.go:439: [DEBUG] Applying configuration: /var/lib/dblab/dblab_pool/dataset_3/data/postgresql.dblab.snapshot.conf
      2023/09/04 18:15:42 runners.go:155: [DEBUG] Run(Local): stderr no datasets available
      2023/09/04 18:15:42 runners.go:106: [DEBUG] Run(Local): "zfs snapshot -r dblab_pool/dataset_3@snapshot_20230904181356"
      2023/09/04 18:15:42 runners.go:151: [DEBUG] Run(Local): output ""
      2023/09/04 18:15:42 runners.go:106: [DEBUG] Run(Local): "zfs set dblab:datastateat="20230904181356" dblab_pool/dataset_3@snapshot_20230904181356"
      2023/09/04 18:15:42 runners.go:151: [DEBUG] Run(Local): output ""
      root@vitaliy-dle-test-hetzner:~# zfs list -t all
      NAME                                           USED  AVAIL     REFER  MOUNTPOINT
      dblab_pool                                    70.9M  57.6G       26K  /var/lib/dblab/dblab_pool
      dblab_pool/dataset_1                           180K  57.6G      180K  /var/lib/dblab/dblab_pool/dataset_1
      dblab_pool/dataset_2                            24K  57.6G       24K  /var/lib/dblab/dblab_pool/dataset_2
      dblab_pool/dataset_3                          70.5M  57.6G     70.5M  /var/lib/dblab/dblab_pool/dataset_3
      dblab_pool/dataset_3@snapshot_20230904181356     0B      -     70.5M  -
      root@vitaliy-dle-test-hetzner:~# 
      root@vitaliy-dle-test-hetzner:~# dblab snapshot list
      [
          {
              "id": "dblab_pool/dataset_3@snapshot_20230904181356",
              "createdAt": "2023-09-04T18:15:42Z",
              "dataStateAt": "2023-09-04T18:13:56Z",
              "pool": "dblab_pool/dataset_3",
              "numClones": 0,
              "physicalSize": "0 B",
              "logicalSize": "587 MiB"
          }
      ]
      • Safari and Chrome have the same problem.
      • restarting the dblab_server container didn't help
      • restarting the dblab_embedded_ui container didn't help
      Edited by Vitaliy Kukharik
  • Lasha Kakabadze mentioned in merge request !819 (merged)


    • Resolved by Artyom Kartasov

      Test 2

      • DBLab image: registry.gitlab.com/postgres-ai/database-lab/dblab-server:530-validate-passwords
      • UI image: registry.gitlab.com/postgres-ai/database-lab/ce-ui:conditional-snapshot-request
      
      docker run --rm -it --env HCLOUD_API_TOKEN=${HCLOUD_API_TOKEN} \
        postgresai/dle-se-ansible:v1.0-rc.8 \
          ansible-playbook deploy_dle.yml --extra-vars \
          "provision='hetzner' \
          server_name='vitaliy-dle-test-hetzner' \
          server_type='CCX23' \
          server_image='ubuntu-22.04' \
          server_location='ash' \
          volume_size='60' \
          dle_verification_token='nzgLkg88BCkpCDW0DXSwWWoXuOfSshfe' \
          dle_version='3.4.0' \
          zpool_datasets_number='3' \
          dle_platform_org_key='******' \
          dle_platform_url='https://v2.postgres.ai/api/general' \
          dle_platform_project_name='vitaliy-dle-test-hetzner' \
          dle_image='registry.gitlab.com/postgres-ai/database-lab/dblab-server:530-validate-passwords'  \
          dle_ui_image='registry.gitlab.com/postgres-ai/database-lab/ce-ui:conditional-snapshot-request'"
      

      Result

      root@vitaliy-dle-test-hetzner:~# docker ps
      CONTAINER ID   IMAGE                                                                              COMMAND                  CREATED          STATUS                   PORTS                              NAMES
      0eeafac6a753   registry.gitlab.com/postgres-ai/database-lab/ce-ui:conditional-snapshot-request    "/docker-entrypoint.…"   6 minutes ago    Up 6 minutes             2346/tcp, 127.0.0.1:2346->80/tcp   dblab_embedded_ui_cjrknelg16oc73dimrr0
      54aeedad03ed   postgresai/netdata-for-dle:v1.40.1                                                 "/usr/sbin/run.sh"       7 minutes ago    Up 7 minutes (healthy)                                      netdata
      49b1a7f423a9   registry.gitlab.com/postgres-ai/database-lab/dblab-server:530-validate-passwords   "docker-entrypoint.s…"   10 minutes ago   Up 6 minutes             127.0.0.1:2345->2345/tcp           dblab_server

      test with dockerImage: "postgresai/extended-postgres:15-0.4.0"


      Snapshots are available in the UI - OK


      Try to create a clone with a simple password - "test"


      • OK

      Try to create a clone with a non-secure password - "test123"


      • OK

      Try to create a clone with a more secure password - "SecretPa$$w0rd!"


      • OK

      Try to connect to the clone

      root@vitaliy-dle-test-hetzner:~# PGPASSWORD='SecretPa$$w0rd!' psql "host=localhost port=6000 user=test dbname=test"
      psql (15.4 (Ubuntu 15.4-1.pgdg22.04+1))
      Type "help" for help.
      
      test=# select version();
                                                                 version                                                           
      -----------------------------------------------------------------------------------------------------------------------------
       PostgreSQL 15.4 (Debian 15.4-1.pgdg110+1) on x86_64-pc-linux-gnu, compiled by gcc (Debian 10.2.1-6) 10.2.1 20210110, 64-bit
      (1 row)
      
      test=# \q

      passed

      Edited by Vitaliy Kukharik
  • Vitaliy Kukharik resolved all threads

  • Vitaliy Kukharik approved this merge request

  • Artyom Kartasov resolved all threads

  • Artyom Kartasov changed the description

  • Nikolay Samokhvalov approved this merge request

  • Artyom Kartasov resolved all threads

  • Artyom Kartasov mentioned in commit 51fa47d0

  • Lasha Kakabadze mentioned in commit 39f51d27

  • Vitaliy Kukharik mentioned in commit 4097da36

  • mentioned in issue #550 (closed)
