Improve teh securty of teh DB

2025-10-19 19:22:37 +02:00
parent 62971c07d7
commit 05da20357d
87 changed files with 7998 additions and 932 deletions
--- a/shared/database/base.py
+++ b/shared/database/base.py
@@ -32,8 +32,8 @@ class DatabaseManager:
    """
    
    def __init__(
-        self, 
-        database_url: str, 
+        self,
+        database_url: str,
        service_name: str = "unknown",
        pool_size: int = 20,
        max_overflow: int = 30,
@@ -43,11 +43,18 @@ class DatabaseManager:
        connect_timeout: int = 30,
        **engine_kwargs
    ):
+        # Add SSL parameters to database URL if PostgreSQL
+        if "postgresql" in database_url.lower() and "ssl" not in database_url.lower():
+            separator = "&" if "?" in database_url else "?"
+            # asyncpg uses 'ssl=require' or 'ssl=verify-full', not 'sslmode'
+            database_url = f"{database_url}{separator}ssl=require"
+            logger.info(f"SSL enforcement added to database URL for {service_name}")
+
        self.database_url = database_url
        self.service_name = service_name
        self.pool_size = pool_size
        self.max_overflow = max_overflow
-        
+
        # Configure pool for async engines
        # Note: SQLAlchemy 2.0 async engines automatically use AsyncAdaptedQueuePool
        # We should NOT specify poolclass for async engines unless using StaticPool for SQLite
@@ -66,7 +73,7 @@ class DatabaseManager:
            engine_config["poolclass"] = StaticPool
            engine_config["pool_size"] = 1
            engine_config["max_overflow"] = 0
-        
+
        self.async_engine = create_async_engine(database_url, **engine_config)
        
        # Create session factory
@@ -325,7 +332,14 @@ AsyncSessionLocal = None
 def init_legacy_compatibility(database_url: str):
    """Initialize legacy global variables for backward compatibility"""
    global engine, AsyncSessionLocal
-    
+
+    # Add SSL parameters to database URL if PostgreSQL
+    if "postgresql" in database_url.lower() and "ssl" not in database_url.lower():
+        separator = "&" if "?" in database_url else "?"
+        # asyncpg uses 'ssl=require' or 'ssl=verify-full', not 'sslmode'
+        database_url = f"{database_url}{separator}ssl=require"
+        logger.info("SSL enforcement added to legacy database URL")
+
    engine = create_async_engine(
        database_url,
        echo=False,