wip

Author: dominic-r

authentik/lib/default.yml

@@ -21,6 +21,7 @@ postgresql:
   user: authentik
   port: 5432
   password: "env://POSTGRES_PASSWORD"
+  sslmode: disable
   use_pool: False
   test:
     name: test_authentik

internal/config/config.go

@@ -169,8 +169,17 @@ func (c *Config) parseScheme(rawVal string) string {
 	case "env":
 		e, ok := os.LookupEnv(u.Host)
 		if ok {
+			log.WithFields(log.Fields{
+				"env_var": u.Host,
+				"found":   true,
+			}).Trace("Resolved environment variable")
 			return e
 		}
+		log.WithFields(log.Fields{
+			"env_var":  u.Host,
+			"found":    false,
+			"fallback": u.RawQuery,
+		}).Warn("Environment variable not found, using fallback")
 		return u.RawQuery
 	case "file":
 		d, err := os.ReadFile(u.Path)

internal/outpost/proxyv2/application/session_postgres_test.go

@@ -9,7 +9,6 @@ import (
 	"github.com/google/uuid"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
-	"gorm.io/driver/postgres"
 	"gorm.io/gorm"
 	"gorm.io/gorm/logger"
 
@@ -19,9 +18,8 @@ import (
 	"goauthentik.io/internal/outpost/proxyv2/types"
 )
 
-func SetupTestDB(t *testing.T) *gorm.DB {
+func SetupTestDB(t *testing.T) (*gorm.DB, *postgresstore.RefreshableConnPool) {
 	cfg := config.Get().PostgreSQL
-	dsn := buildDSN(cfg)
 
 	gormConfig := &gorm.Config{
 		Logger: logger.Default.LogMode(logger.Silent),
@@ -30,34 +28,25 @@ func SetupTestDB(t *testing.T) *gorm.DB {
 		},
 	}
 
-	db, err := gorm.Open(postgres.Open(dsn), gormConfig)
+	// Use standardized setup
+	db, pool, err := postgresstore.SetupGORMWithRefreshablePool(cfg, gormConfig, 10, 100, time.Hour)
 	require.NoError(t, err)
 
-	return db
+	return db, pool
 }
 
-func CleanupTestDB(t *testing.T, db *gorm.DB) {
+func CleanupTestDB(t *testing.T, db *gorm.DB, pool *postgresstore.RefreshableConnPool) {
 	assert.NoError(t, db.Exec("DELETE FROM authentik_providers_proxy_proxysession").Error)
-	sdb, err := db.DB()
-	assert.NoError(t, err)
-	assert.NoError(t, sdb.Close())
+	assert.NoError(t, pool.Close())
 }
 
-func buildDSN(cfg config.PostgreSQLConfig) string {
-	dsn, err := postgresstore.BuildDSN(cfg)
-	if err != nil {
-		panic(err)
-	}
-	return dsn
-}
-
-func NewTestStore(db *gorm.DB) *postgresstore.PostgresStore {
-	return postgresstore.NewTestStore(db)
+func NewTestStore(db *gorm.DB, pool *postgresstore.RefreshableConnPool) *postgresstore.PostgresStore {
+	return postgresstore.NewTestStore(db, pool)
 }
 
 func TestPostgresStore_SessionLifecycle(t *testing.T) {
-	db := SetupTestDB(t)
-	defer CleanupTestDB(t, db)
+	db, pool := SetupTestDB(t)
+	defer CleanupTestDB(t, db, pool)
 
 	// Create sessions directly in the database for testing
 	userID := uuid.New()
@@ -111,8 +100,8 @@ func TestPostgresStore_SessionLifecycle(t *testing.T) {
 }
 
 func TestPostgresStore_LogoutSessions(t *testing.T) {
-	db := SetupTestDB(t)
-	defer CleanupTestDB(t, db)
+	db, pool := SetupTestDB(t)
+	defer CleanupTestDB(t, db, pool)
 
 	// Create multiple sessions for different users
 	user1 := uuid.New()
@@ -164,7 +153,7 @@ func TestPostgresStore_LogoutSessions(t *testing.T) {
 	assert.Equal(t, int64(3), totalCount)
 
 	// Logout user1 sessions using LogoutSessions method
-	store := NewTestStore(db)
+	store := NewTestStore(db, pool)
 	err := store.LogoutSessions(context.Background(), func(c types.Claims) bool {
 		return c.Sub == user1.String()
 	})
@@ -182,8 +171,8 @@ func TestPostgresStore_LogoutSessions(t *testing.T) {
 }
 
 func TestPostgresStore_SessionExpiration(t *testing.T) {
-	db := SetupTestDB(t)
-	defer CleanupTestDB(t, db)
+	db, pool := SetupTestDB(t)
+	defer CleanupTestDB(t, db, pool)
 
 	// Create expired and valid sessions
 	expiredSession := postgresstore.ProxySession{
@@ -234,8 +223,8 @@ func TestPostgresStore_SessionExpiration(t *testing.T) {
 }
 
 func TestPostgresStore_SessionClaims(t *testing.T) {
-	db := SetupTestDB(t)
-	defer CleanupTestDB(t, db)
+	db, pool := SetupTestDB(t)
+	defer CleanupTestDB(t, db, pool)
 
 	// Create session with complex claims
 	userID := uuid.New()

internal/outpost/proxyv2/filesystemstore/filesystemstore.go

@@ -77,8 +77,8 @@ func NewStore(storePath string, keyPairs ...[]byte) (*Store, error) {
 }
 
 // CleanupExpired implements the CleanupStore interface for use with CleanupManager
-func (s *Store) CleanupExpired() error {
-	return s.SessionCleanup(context.Background())
+func (s *Store) CleanupExpired(ctx context.Context) error {
+	return s.SessionCleanup(ctx)
 }
 
 // SessionCleanup acquires a file lock to ensure only one instance runs at a time,

internal/outpost/proxyv2/postgresstore/connpool.go

@@ -37,7 +37,7 @@ type RefreshableConnPool struct {
 
 // NewRefreshableConnPool creates a new connection pool that refreshes credentials from config
 func NewRefreshableConnPool(initialDSN string, gormConfig *gorm.Config, maxIdleConns, maxOpenConns int, connMaxLifetime time.Duration) (*RefreshableConnPool, error) {
-	db, err := sql.Open("postgres", initialDSN)
+	db, err := sql.Open("pgx", initialDSN)
 	if err != nil {
 		return nil, err
 	}
@@ -112,7 +112,7 @@ func (p *RefreshableConnPool) refreshCredentials(ctx context.Context) error {
 	p.log.Info("PostgreSQL credentials changed, reconnecting...")
 
 	// Open new connection with fresh credentials
-	newDB, err := sql.Open("postgres", newDSN)
+	newDB, err := sql.Open("pgx", newDSN)
 	if err != nil {
 		p.log.WithError(err).Error("Failed to open new database connection with refreshed credentials")
 		return err

internal/outpost/proxyv2/postgresstore/connpool_test.go

@@ -4,6 +4,7 @@ import (
 	"context"
 	"os"
 	"path/filepath"
+	"sync"
 	"testing"
 	"time"
 
@@ -17,20 +18,19 @@ import (
 )
 
 func TestRefreshableConnPool_CredentialRefresh(t *testing.T) {
-	// Skip if no PostgreSQL available
-	if os.Getenv("AUTHENTIK_POSTGRESQL__HOST") == "" {
-		t.Skip("Skipping test: no PostgreSQL configured")
-	}
-
 	// Create a temporary file for password rotation
 	tmpDir := t.TempDir()
 	passwordFile := filepath.Join(tmpDir, "db_password")
 
-	// Write initial password
-	initialPassword := os.Getenv("AUTHENTIK_POSTGRESQL__PASSWORD")
+	cfg := config.Get()
+	initialConfig := cfg.RefreshPostgreSQLConfig()
+
+	// Determine the current database password as the baseline for the rotation test.
+	initialPassword := initialConfig.Password
 	if initialPassword == "" {
 		initialPassword = "postgres"
 	}
+
 	err := os.WriteFile(passwordFile, []byte(initialPassword), 0600)
 	require.NoError(t, err)
 
@@ -46,11 +46,10 @@ func TestRefreshableConnPool_CredentialRefresh(t *testing.T) {
 	}()
 
 	// Reload config
-	cfg := &config.Config{}
-	cfg.Setup()
+	refreshedConfig := cfg.RefreshPostgreSQLConfig()
 
 	// Build initial DSN
-	dsn, err := BuildDSN(cfg.PostgreSQL)
+	dsn, err := BuildDSN(refreshedConfig)
 	require.NoError(t, err)
 
 	gormConfig := &gorm.Config{
@@ -105,11 +104,6 @@ func TestRefreshableConnPool_Interfaces(t *testing.T) {
 }
 
 func TestRefreshableConnPool_ConcurrentAccess(t *testing.T) {
-	// Skip if no PostgreSQL available
-	if os.Getenv("AUTHENTIK_POSTGRESQL__HOST") == "" {
-		t.Skip("Skipping test: no PostgreSQL configured")
-	}
-
 	cfg := config.Get()
 	dsn, err := BuildDSN(cfg.PostgreSQL)
 	require.NoError(t, err)
@@ -125,27 +119,35 @@ func TestRefreshableConnPool_ConcurrentAccess(t *testing.T) {
 	db, err := pool.NewGORMDB()
 	require.NoError(t, err)
 
-	// Test concurrent queries
+	// Test that the connection is working
 	ctx := context.Background()
+	var result int
+	err = db.WithContext(ctx).Raw("SELECT 1").Scan(&result).Error
+	require.NoError(t, err, "Initial connection test should succeed")
+
+	// Test concurrent queries
 	numGoroutines := 10
 	numQueries := 5
 
+	var wg sync.WaitGroup
 	errChan := make(chan error, numGoroutines*numQueries)
 
 	for i := 0; i < numGoroutines; i++ {
+		wg.Add(1)
 		go func(goroutineID int) {
+			defer wg.Done()
 			for j := 0; j < numQueries; j++ {
 				var result int
-				err := db.WithContext(ctx).Raw("SELECT ?", goroutineID*numQueries+j).Scan(&result).Error
+				err := db.WithContext(ctx).Raw("SELECT 1").Scan(&result).Error
 				if err != nil {
 					errChan <- err
 				}
 			}
 		}(i)
 	}
 
-	// Wait a bit for goroutines to complete
-	time.Sleep(2 * time.Second)
+	// Wait for all goroutines to complete, then close the channel
+	wg.Wait()
 	close(errChan)
 
 	// Check for any errors