Getting the signed in user in .Net from a Postgresql database - postgresql

I'm developing a system using NHibernate and PostgreSQL, with Npgsql data provider.
I need to get the logged in user in my system in a trigger in order to run an audit function.
Is there any way to set the user in the NHibernate session or to get it directly from the database?
Please help!

Here's a detailed explanation of how to get application-level user identity into triggers that I wrote a while ago. Essentially you can use a temporary table to store the user login or a custom GUC. Either way, your application must explicitly set that up when it creates a session so that it can be accessed later.
Personally I think you should usually be using PostgreSQL users and SET ROLE as explained here, but I realise that's not always an option.

Related

PostgresSQL|Scala: Any efficient way to interact using different Users for different queries with heavy ACL use

My whole interest in PostgreSQL is driven by its ACL system which is really powerful.
To access the data in a Scala application I have two options in mind EBeans/JDBC or Slick FRM.
Our application is an enterprise one and has more than 1000 users, who will be accessing it simultaneously, having different roles and access permissions. The current connectors, I am aware of, ask for database username/password at the time of connection building, and I haven't found these providing any facility to change the username/password on the fly as we will be getting the user reference from session object of the user accessing our server.
I am not sure how much the title of the question makes sense, but I don't see recreating(or separately creating) a database connection for every user as an efficient solution. What I am looking for is a library or toolkit which lets us supply the interacting sub-user/ROLE in options parameter using which PostgreSQL can do its ACL enforcing/check on data/manipulation requested.
You can "impersonate" a user in Postgres during a transaction and reset just before the transaction is done using the SET ROLE or SET SESSION AUTHORIZATION commands issued after establishing a database connection.

EF Core with SQL Server persistence requires VIEW SERVER STATE permissions?

If I use EF Core against SQL Server, and the user account on the connection does not have permissions for VIEW SERVER STATE on object 'server', database 'master', the operation will fail with a DBUpdateException stating that this permission is missing.
What is EF Core trying to do that requires this permission? Is there any way for me to disable whatever it is doing that requires it? or do I have to add this permission?
Check if there is any access to the tables like sys.dm_tran_active_transactions, sys.dm_tran_current_transaction when you do the save changes in EF. Maybe it could be through a table trigger. I faced a similar issue due to a trigger trying to access those sys tables.

Staging environment for Azure Mobile Services using Code First Migrations

I seem to have trouble understanding a concept with Azure Mobile Services that are using .NET backend with Code First and migrations enabled.
Currently I have deployed a "productive" instance of AMS, let's say it's called "AMD". It is running at amd.azure-mobile.net. Database structure has been created using Enable-Migrations and Add-Migration. This is all fine now for this productive instance, it is running and is fully functional.
Now I want to create an INT instance to have a separate environment for tests etc. I want to name it differently, say "AMDINT". It should run at amdint.azure-mobile.net and should also have a separate database, to make it impossible to break stuff in production.
Originally I thought I could pull it off like this:
1) Create the new instance under amdint.azure-mobile.net with a new database to go with it
2) Create a web.config transform for a newly created configuration called "INT" (primarily to change the MS_MobileServiceName value to the new name)
3) Download the publishing profile of the new instance, import it, make it use the "INT" configuration and deploy it
The new bits apparently get deployed, but whenever I hit an endpoint that requires DB access, an error will be generated in the logs and it says
Database initialization failed. Could not initialize one or more objects in schema 'amdint'. Please ensure that the database connection string is correct. For more details on the error, please see the inner exception. ---> System.InvalidOperationException: Database initialization failed. Could not initialize one or more objects in schema 'amdint'. Please ensure that the database connection string is correct. For more details on the error, please see the inner exception. ---> System.Data.SqlClient.SqlException: User does not have permission to perform this action.
So I used Azure User Management Console (AUMC) to see if permissions were missing for the user that is being specified in the connection string in the configuration tab of the new service, but the user was present for that database. I also edited the user's permissions to include every possible right, but this did not change anything.
Then I noticed that the migrations files specify a database schema for the Up() and Down() methods. For a test, I changed these strings from "amd.tablename" to "amdint.tablename" and was pretty confident I had nailed it.
However, this still brought the same error. So I used the database user's credentials from the connection string and opened database editor from the management console in the browser, and saw that with all the added rights it can edit the database schema just fine (created and deleted a table for testing purposes). However, no single table has been created by the Initializer; the database was blank.
But since I was able to edit, I somehow believe that either the error message about insufficient permissions is misleading or that I am looking at the wrong place.
Does anyone know of a way to accomplish what I am trying to do? I don't want to have separate Visual Studio projects for production and INT, obviously.
I think what you're running into is the issue that Mobile Services creates a special schema user that has rights to only tables in that schema. This schema has the same name as your mobile service. So, even if the two databases are on the same DB server, the connection string for a DEV mobile service wouldn't work for PROD, and vice versa.
Here are some suggestions to make your setup easier:
In the Azure Portal, Mobile Services doesn't allow modifying the connection string that it creates for you, which is called MS_TableConnectionString. I recommend that in your case, you create a new connection string with a different key and use that for each of your services, e.g., AMD_TableConnectionString. Make sure that for each service, the database user has access to each schema (more on that in a minute).
To use the new connection string, change your super constructor call in your DbContext class, e.g., base("name=AMD_TableConnectionString").
Use the application setting MS_MobileServiceName in your web.config and/or the Azure Portal to set the schema for your service. This is use by the Mobile Service Entity Framework initializer.
NOTE: If you're already using separate databases for DEV and PROD, you have the option of using the same schema name for both your DEV and PROD instances, which might make testing and setup easier.
Either way, the database user in the connection string must have full permissions to whatever schema name you specify in MS_MobileServiceName.
(You probably have this part working.) Make sure that the Mobile Services SQL Generator is run. It will automatically run if you set an Entity Framework database initializer, but some folks like to have all database changes done through DB migrations. In that case, follow this tutorial here: https://azure.microsoft.com/en-us/documentation/articles/mobile-services-dotnet-backend-how-to-use-code-first-migrations/#using-code-first-migrations-without-an-initializer

Encrypt PostgreSQL database and obtain key from web application user

I would like to create a web application using PostgreSQL as a database. I want to have the database encrypted, so that even an attacker that has root access to the database server can't decrypt the data (or at least he would have to mess around with temporary in-memory data which is hard). I don't care about the schema, only about the content of the tables.
I also don't want to store the decryption key somewhere on the application server (neither in a config file, nor hardcoded).
Instead, my idea was to encrypt the whole database (or just tables and rows?) using a key that is provided by the user over the web application and that decrypts at runtime.
Is this scenario possible with PostgreSQL and which options do I have implement this?
Side note: It's a .NET based application (ASP.NET MVC3) and I'm using the Npsql driver.
Use pgcrypto for encryption. But, a superuser can control the log files and tell the database to log everything, every query. And that will include the queries including your passwords.
You might want to use SELinux and SEPostgreSQL.

Finding a legacy firebird/Interbase database password

I have a customer that has an old non-existant application; he had a problem with the company that made the application and they won't disclose his database password. He realized that he signed a contract (back then) where it said that he was sort of "renting" the application and they had no right to disclose anything. This customer found out that he's not the only one with the same problem with that company. He's a Dentist and other dentists with the same old application experienced the same problems when trying to buy a new software and attempted to migrate their patients to the new system.
In either case, he wants to open his little firebird database, so we can at least extract some data to our SQL Servers. I have tried with the default 'masterkey' (which is, in fact, 'masterke' due to the 8 char limit) to no avail.
Now I know he could go legal and try to force the company to release his information, but I want to do it the short way. Does anybody know an app that can brute force/crack a legacy Firebird password?
Thanks.
EDIT: The legacy software is "STOMA-W", I cannot even find it on Internet. They are located in Asturias, Spain.
Firebird does not (yet) store passwords inside the database file.
With this in mind, move the database file to another server where the sysdba password is known.
Old Interbase and Firebird had hardcoded backdoor password you might want to try:
user: politically pass: correct
http://www.theregister.co.uk/2001/01/12/borland_interbase_backdoor_exposed
Provided not for the SYSDBA account, you may reset forgotten passwords for users with FlameRobin. After registering the database server on your localhost, use the Manage users... function in the context menu:
Here you get a list of users with options to delete or view/modify properties. If you click on the properties icon, you enter this dialogue where you simply enter the new password twice:
There is also IBConsole which comes packaged with the InterBase/Firebird SDK. It has similar functions.