java source code of PostgresDBConnection

Gatekeeper-master
- .circleci
  - push.sh
  - config.yml
- services
  - db
    - src
      - main
        java
        org
        finra
        gatekeeper
        rds
        exception
        GKUnsupportedDBException.java
        model
        RdsCheckUsersTableQuery.java
        RdsGrantAccessQuery.java
        RdsRevokeAccessQuery.java
        RdsQuery.java
        DbUser.java
        RoleType.java
        interfaces
        DBConnection.java
        GKUserCredentialsProvider.java
    - pom.xml
    - .gitignore
  - pom.xml
  - common
    - src
      - main
        java
        org
        finra
        gatekeeper
        common
        services
        user
        search
        GatekeeperLdapLookupService.java
        auth
        GatekeeperAuthorizationService.java
        GatekeeperOpenLDAPAuthorizationService.java
        GatekeeperActiveDirectoryLDAPAuthorizationService.java
        model
        UserSupplier.java
        GatekeeperSearchUserEntry.java
        GatekeeperUserEntry.java
        interfaces
        IGatekeeperUserLookupService.java
        IGatekeeperUserAuthorizationService.java
        properties
        GatekeeperPropertiesService.java
        account
        AccountInformationService.java
        model
        Region.java
        Account.java
        backend2backend
        Backend2BackendService.java
        properties
        GatekeeperAuthProperties.java
        GatekeeperAwsProperties.java
        GatekeeperAccountProperties.java
        GatekeeperSharedProperties.java
        authfilter
        UserHeaderFilter.java
        parser
        SSOParser.java
        IGatekeeperUserProfile.java
        GatekeeperUserProfile.java
        UserParser.java
        CompositeParser.java
        controllers
        LdapLookupController.java
        GatekeeperWebSecurityConfig.java
        GatekeeperCommonConfig.java
      - test
        resources
        application.yml
        java
        org
        finra
        gatekeeper
        common
        services
        ldap
        GatekeeperSearchUserEntryTest.java
        account
        AccountInformationServiceTest.java
        properties
        GatekeeperAccountPropertiesNotProvidedTest.java
        GatekeeperAccountPropertiesTest.java
        TestApplication.java
    - pom.xml
    - .gitignore
  - rds
    - src
      - main
        resources
        application.yml
        logback.xml
        META-INF
        spring.factories
        schema.sql
        processes
        Gatekeeper_access.bpmn20.xml
        emails
        failure.ftl
        accessRequested.ftl
        manualRemoval.ftl
        accessDenied.ftl
        requestCanceled.ftl
        accessGranted.ftl
        accessExpired.ftl
        credentials.ftl
        userGrant.ftl
        attachments
        exception.ftl
        privatekey.ftl
        java
        org
        finra
        gatekeeper
        configuration
        AppConfig.java
        GatekeeperProperties.java
        GatekeeperRdsAuthProperties.java
        GatekeeperApprovalProperties.java
        GatekeeperOverrideProperties.java
        services
        passwords
        PasswordGenerationService.java
        db
        connections
        PostgresDBConnection.java
        MySQLDBConnection.java
        DatabaseConnectionService.java
        EnvVarDBCredentialsService.java
        factory
        DatabaseConnectionFactory.java
        email
        EmailService.java
        wrappers
        EmailServiceWrapper.java
        auth
        GatekeeperRdsRole.java
        model
        AppApprovalThreshold.java
        RoleMembership.java
        GatekeeperRoleService.java
        accessrequest
        listeners
        GatekeeperAccessRequestHandler.java
        AccessRequestService.java
        delegates
        RevokeAccessServiceTask.java
        GrantAccessServiceTask.java
        model
        AWSRdsDatabase.java
        RequestStatus.java
        UserRole.java
        response
        AccessRequestCreationResponse.java
        AccessRequestCreationOutcome.java
        AccessRequestRepository.java
        OverridePolicy.java
        AccessRequest.java
        User.java
        aws
        AwsSessionService.java
        RdsLookupService.java
        SGLookupService.java
        factory
        AwsSessionFactory.java
        model
        AWSEnvironment.java
        GatekeeperRDSInstance.java
        DatabaseType.java
        controllers
        DatabaseController.java
        LookupController.java
        AccessRequestController.java
        wrappers
        RemoveUsersWrapper.java
        AccessRequestWrapper.java
        ActiveAccessRequestWrapper.java
        GetRoleResponseWrapper.java
        CompletedAccessRequestWrapper.java
        AuthController.java
        exception
        GatekeeperException.java
        Application.java
      - test
        java
        org
        finra
        gatekeeper
        configuration
        PropertyConfigOverridePolicyTest.java
        PropertyConfigApprovalThresholdTest.java
        services
        db
        DatabaseConnectionServiceTest.java
        mockconnection
        MockDBConnection.java
        roles
        GatekeeperRoleServiceTest.java
        accessrequest
        AccessRequestServiceTest.java
        aws
        RdsLookupServiceTest.java
    - pom.xml
    - README.md
    - Dockerfile
    - .gitignore
  - ec2
    - src
      - main
        resources
        application.yml
        logback.xml
        META-INF
        spring.factories
        spring-configuration-metadata.json
        schema.sql
        processes
        Gatekeeper_access.bpmn20.xml
        emails
        failure.ftl
        accessRequested.ftl
        manualRemoval.ftl
        accessDenied.ftl
        username.ftl
        requestCanceled.ftl
        processCancelled.ftl
        accessGranted.ftl
        accessExpired.ftl
        credentials.ftl
        attachments
        exception.ftl
        privatekey.ftl
        java
        org
        finra
        Application.java
        gatekeeper
        configuration
        properties
        GatekeeperSsmProperties.java
        GatekeeperEmailProperties.java
        GatekeeperEC2Properties.java
        GatekeeperProperties.java
        GatekeeperSnsProperties.java
        GatekeeperApprovalProperties.java
        GatekeeperConfig.java
        services
        email
        EmailService.java
        model
        GatekeeperLinuxNotification.java
        GatekeeperWindowsNotification.java
        wrappers
        EmailServiceWrapper.java
        auth
        GatekeeperRole.java
        GatekeeperRoleService.java
        accessrequest
        listeners
        GatekeeperAccessRequestHandler.java
        AccessRequestService.java
        delegates
        RevokeAccessServiceTask.java
        GrantAccessServiceTask.java
        model
        RequestStatus.java
        AccessRequestRepository.java
        AWSInstance.java
        AccessRequest.java
        User.java
        messaging
        dto
        UserInstancesDTO.java
        RequestEventDTO.java
        ActiveAccessRequestDTO.java
        ActiveRequestUserDTO.java
        enums
        EventType.java
        aws
        AwsSessionService.java
        SsmService.java
        factory
        AwsSessionFactory.java
        SnsService.java
        Ec2LookupService.java
        model
        GatekeeperAWSInstance.java
        AWSEnvironment.java
        keypairs
        KeypairService.java
        controllers
        LookupController.java
        AccessRequestController.java
        wrappers
        AccessRequestWrapper.java
        ActiveAccessRequestWrapper.java
        CompletedAccessRequestWrapper.java
        AuthController.java
        exception
        GatekeeperException.java
      - test
        resources
        emails
        test.ftl
        java
        org
        finra
        gatekeeper
        services
        mail
        EmailServiceWrapperTest.java
        accessrequest
        LiveAccessRequestServiceTest.java
        AccessRequestServiceTest.java
        delegates
        RevokeAccessServiceTest.java
        model
        AccessRequestTest.java
        UserTest.java
        RequestStatusTest.java
        AWSInstanceTest.java
        aws
        Ec2LookupServiceTest.java
        AwsSessionServiceTest.java
        SsmServiceTest.java
        model
        GatekeeperAWSInstanceTest.java
        AWSEnvironmentTest.java
        keypairs
        KeypairServiceTest.java
    - pom.xml
    - Dockerfile
    - .gitignore
- img
- containers
  - nginx
    - vhost
      - nginx.conf
    - Dockerfile
    - static
      - index.html
  - base
    - scripts
      - selfsign.sh
    - Dockerfile
  - fake-sso-proxy
    - certs
      - server.key
      - server.crt
    - httpd
      - httpd-vhosts.conf
      - httpd.conf
    - Dockerfile
  - java
    - pem
      - rds-combined-ca-bundle.pem
    - Dockerfile
  - docker-compose.yml
- stop.sh
- ui
  - test
    - e2e
      - e2e.conf.js
    - app.run.mocked.js
    - mocks
      - ad.mocks.js
      - grant.mocks.js
      - env.mocks.js
      - rds.request.mocks.js
      - request.mocks.js
      - role.mocks.js
      - aws.mocks.js
    - unit
      - specs
        gatekeeper.component.spec.js
        selfservice.component.spec.js
        rdsselfservice.component.spec.js
        shared.component.spec.js
        request.component.spec.js
        rdsadmin.component.spec.js
        app.spec.js
        gktable.spec.js
  - .jshintrc
  - spec.js
  - webpack.config.js
  - .babelrc
  - README.md
  - package.json
  - karma.conf.js
  - Dockerfile
  - app
    - app.js
    - common-web
      - utils
        DirectiveUtils.js
        BaseDirective.js
      - banner
        components
        header
        gk-header.js
        gk-header-directive.js
        index.js
        assets
        html
        gk-header.tpl.html
        fonts
        MaterialIcons-Regular.woff
        MaterialIcons-Regular.eot
        MaterialIcons-Regular.ttf
        MaterialIcons-Regular.woff2
        MaterialIcons-Regular.ijmap
        css
        gk-banner.css
        material-icons.css
      - table
        BaseTable.js
        templates
        gkTableDataString.tpl.html
        gkTableSingleSelect.tpl.html
        gkTableReadOnly.tpl.html
        gkTable.tpl.html
        gkTableMultiSelect.tpl.html
        gkTableDataNumber.tpl.html
        gkTableData.tpl.html
        gkTableSingleSelectDialog.tpl.html
        gkTableDataDate.tpl.html
        GkTableConfig.js
        GkTableCheckboxFilter.js
        GkDialogTableConfig.js
        GkTableDataConfig.js
        index.js
        assets
        gk-table.css
      - list
        HorizontalListDirective.js
        templates
        horizontalList.tpl.html
        index.js
      - index.js
      - assets
        hardware-icons.svg
        places-icons.svg
        editor-icons.svg
        image-icons.svg
        communication-icons.svg
        navigation-icons.svg
        action-icons.svg
        file-icons.svg
        av-icons.svg
        maps-icons.svg
        device-icons.svg
        content-icons.svg
        alert-icons.svg
        toggle-icons.svg
        social-icons.svg
        notification-icons.svg
    - component
      - error
        error.tpl.html
        denied.tpl.html
      - gatekeeper.js
      - select
        GatekeeperSelectButton.js
        template
        selectbutton.tpl.html
        select.tpl.html
        GatekeeperSelectController.js
        index.js
      - GatekeeperController.js
      - rds
        selfservice
        RdsSchemaDialogController.js
        GkRdsCheckbox.js
        RdsSelfServiceController.js
        GkRdsSearch.js
        template
        gatekeeperRoleCheckbox.tpl.html
        gatekeeperRdsGrantComponent.tpl.html
        gatekeeperAWSRdsComponent.tpl.html
        schemas.tpl.html
        rdsSelfService.tpl.html
        admin
        template
        rdsAdmin.tpl.html
        RdsAdminController.js
        request
        RdsRequestDialogAdminController.js
        RdsRequestController.js
        template
        request.tpl.html
        RdsRequestHistoryController.js
        template
        rds.tpl.html
        GatekeeperRdsController.js
        index.js
      - shared
        selfservice
        GatekeeperSelfServiceController.js
        template
        gatekeeperSubmissionDialog.tpl.html
        gatekeeperADComponent.tpl.html
        model
        GatekeeperSubmissionDialogJustification.js
        GatekeeperJustificationConfig.js
        GatekeeperSubmissionDialogController.js
        ADDataService.js
        admin
        GatekeeperAdminController.js
        RdsUsersDataService.js
        RoleDataService.js
        SchemaDataService.js
        Ec2ConfigService.js
        RdsRevokeUsersDataService.js
        RdsConfigService.js
        request
        GatekeeperRequestHistoryController.js
        GatekeeperRequestDialogController.js
        template
        gatekeeperRequest.tpl.html
        GatekeeperRequestDialogAdminController.js
        GatekeeperRequestDialogRequestorController.js
        GatekeeperRequestController.js
        generic
        DirectiveUtils.js
        DataService.js
        SearchableDataService.js
        BaseDirective.js
        GkNavBar.js
        DisallowSpaces.js
        template
        horizontalList.tpl.html
        gkNavBar.tpl.html
        RequestDataService.js
        AccountDataService.js
        AWSDataService.js
        RDSDataService.js
        RdsGrantDataService.js
        GrantDataService.js
        index.js
      - ec2
        selfservice
        template
        ec2SelfService.tpl.html
        gatekeeperAWSEc2Component.tpl.html
        gatekeeperEc2GrantComponent.tpl.html
        Ec2SelfServiceController.js
        request
        Ec2RequestDialogAdminController.js
        Ec2RequestController.js
        template
        request.tpl.html
        Ec2RequestHistoryController.js
        template
        ec2.tpl.html
        GatekeeperEc2Controller.js
        index.js
      - gatekeeper.tpl.html
    - index.html
    - app.run.js
    - app.config.js
    - css
      - main.css
    - assets
      - Compute_AmazonEC2.svg
      - Database_AmazonRDS.svg
      - favicon.ico
      - gatekeeper.svg
  - .gitignore
- services_only.yml
- LICENSE
- local-docker-compose.yml
- config
  - ldap
    - gatekeeper_local.ldif
  - gatekeeper_config.env
  - ec2_service_config.env
  - rds_service_config.env
  - accounts-service
    - application.yml
- demo-services
  - fake-account-service
    - src
      - main
        java
        org
        finra
        fakeaccountservice
        AccountConfiguration.java
        FakeAccountServiceApplication.java
      - test
        java
        org
        finra
        fakeaccountservice
        FakeAccountServiceApplicationTests.java
    - pom.xml
    - config
      - application.yml
    - Dockerfile
    - .gitignore
- README.md
- start.sh
- .gitignore
- aws
  - rds
    - mysql_setup.sql
    - postgres_setup.sql
  - ssm
    - GK-WN-Delete.json
    - empty
      - GK-WN-Delete.json
      - GK-Create.json
      - GK-Delete.json
      - GK-WN-Create.json
    - GK-Create.json
    - GK-Delete.json
    - GK-WN-Create.json
- DCO

/*
 * Copyright 2018. Gatekeeper Contributors
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 *
 */

package org.finra.gatekeeper.services.db.connections;

import org.finra.gatekeeper.configuration.GatekeeperProperties;
import org.finra.gatekeeper.rds.exception.GKUnsupportedDBException;
import org.finra.gatekeeper.rds.interfaces.DBConnection;
import org.finra.gatekeeper.rds.interfaces.GKUserCredentialsProvider;
import org.finra.gatekeeper.rds.model.*;
import org.postgresql.ds.PGPoolingDataSource;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.dao.DataAccessException;
import org.springframework.jdbc.CannotGetJdbcConnectionException;
import org.springframework.jdbc.core.*;
import org.springframework.stereotype.Component;

import java.sql.*;
import java.time.LocalDateTime;
import java.time.format.DateTimeFormatter;
import java.util.*;

/**
 * Interface for dealing with Postgres RDS Connections
 */
@Component
public class PostgresDBConnection implements DBConnection {

    private final Logger logger = LoggerFactory.getLogger(PostgresDBConnection.class);
    private final GKUserCredentialsProvider gkUserCredentialsProvider;
    private final String EXPIRATION_TIMESTAMP = "yyyy-MM-dd HH:mm:ss";
    private final String getSchemas = "SELECT distinct table_schema||'.'||table_name FROM information_schema.role_table_grants "
    + "where grantee = ? order by table_schema||'.'||table_name";
    private final String getUsers = "select rolname from pg_roles where rolcanlogin = true";

    private final String gkUserName;
    private final Boolean ssl;
    private final String sslMode;
    private final String sslCert;
    private final Integer connectTimeout;

    @Autowired
    public PostgresDBConnection(GatekeeperProperties gatekeeperProperties,
                                @Qualifier("credentialsProvider") GKUserCredentialsProvider gkUserCredentialsProvider){
        this.gkUserCredentialsProvider = gkUserCredentialsProvider;
        GatekeeperProperties.GatekeeperDbProperties db = gatekeeperProperties.getDb();
        GatekeeperProperties.GatekeeperDbProperties.PostgresDbProperties postgres = db.getPostgres();
        this.gkUserName = db.getGkUser();
        this.ssl = postgres.getSsl();
        this.sslMode = postgres.getSslMode();
        this.sslCert = postgres.getSslCert();
        this.connectTimeout = postgres.getConnectTimeout();
    }

    public boolean grantAccess(RdsGrantAccessQuery rdsGrantAccessQuery) throws SQLException {
        String address = rdsGrantAccessQuery.getAddress();
        String user = rdsGrantAccessQuery.getUser();
        RoleType role = rdsGrantAccessQuery.getRole();
        String password = rdsGrantAccessQuery.getPassword();
        int length = rdsGrantAccessQuery.getTime();

        PGPoolingDataSource dataSource = null;

        try {
            dataSource = connect(address, gkUserCredentialsProvider.getGatekeeperSecret(rdsGrantAccessQuery));
            JdbcTemplate conn = new JdbcTemplate(dataSource);

            String expirationTime = LocalDateTime.now().plusDays(length).format(DateTimeFormatter.ofPattern(EXPIRATION_TIMESTAMP));
            String userWithSuffix = user + "_" + role.getShortSuffix();
            //Try to revoke the user
            boolean revoked = true;

            // If the user already exists then we'll need to try to remove it, if they don't we'll just create the user.
            if(userExists(conn, userWithSuffix)) {
                logger.info("User " + userWithSuffix + " already exists, try to remove the user.");
                try {
                    // try to delete the user if they already are present
                    revoked = revokeUser(conn, userWithSuffix);
                } catch (Exception ex) {
                    logger.error("Could not remove the existing user from the database. Falling back by trying to rotate the existing user's password", ex);
                    revoked = false;
                }
            }
            if(revoked) {
                // Update the gk roles on the DB
                createUser(conn, address, userWithSuffix, password, role, expirationTime);
            }else{
                // Rotate the password and expiration time for te existing user.
                updateUser(conn, address, userWithSuffix, password, role, expirationTime);
            }
            return true;
        }catch(Exception ex){
            logger.error("An exception was thrown while trying to grant access to user " + user + "_" + role.getShortSuffix() + " on address " + address , ex);
            return false;
        }finally{
            if(dataSource != null) {
                dataSource.close();
            }
        }
    }

    public boolean revokeAccess(RdsRevokeAccessQuery rdsRevokeAccessQuery) throws SQLException{
        String address = rdsRevokeAccessQuery.getAddress();
        String user = rdsRevokeAccessQuery.getUser();
        RoleType role = rdsRevokeAccessQuery.getRole();

        PGPoolingDataSource dataSource = null;
        try {
            dataSource = connect(address, gkUserCredentialsProvider.getGatekeeperSecret(rdsRevokeAccessQuery));
            JdbcTemplate conn = new JdbcTemplate(dataSource);
            logger.info("Removing " + user + " from " + address + " if they exist.");
            if(role != null) {
                //if roles is provided revoke the user with the suffix (from activiti)
                revokeUser(conn, user + "_" + role.getShortSuffix());
            }else{
                //if roles is not provided just revoke the user (forced removal)
                revokeUser(conn, user);
            }
            return true;

        }catch(Exception ex){
            String username = role == null ? user : user + "_" + role.getShortSuffix();
            logger.error("An exception was thrown while trying to revoke user " + username + " from address " + address, ex);
            return false;
        } finally {
            if(dataSource != null) {
                dataSource.close();
            }
        }
    }

    public Map<RoleType, List<String>> getAvailableTables(RdsQuery rdsQuery) throws SQLException{
        String address = rdsQuery.getAddress();
        Map<RoleType, List<String>> results = new HashMap<>();
        PGPoolingDataSource dataSource = connect(address, gkUserCredentialsProvider.getGatekeeperSecret(rdsQuery));
        JdbcTemplate conn = new JdbcTemplate(dataSource);

        logger.info("Getting available schema information for " + address);
        for(RoleType roleType : RoleType.values()) {
            try {
                List<String> schemas = conn.queryForList(getSchemas, new Object[]{roleType.getDbRole()}, String.class);
                results.put(roleType, !schemas.isEmpty() ? schemas : Collections.singletonList("No Schemas are available for role " + roleType.getDbRole() + " at this time."));
                logger.info("Retrieved available schema information for database " + address + " for role " + roleType.getDbRole());
            } catch (Exception ex) {
                logger.error("Could not retrieve available role information for database " + address + " for role " +  roleType.getDbRole(), ex);
                results.put(roleType, Collections.singletonList("Unable to get available schemas for role " + roleType.getDbRole()));
            }
        }
        dataSource.close();
        return results;
    }

    public List<String> checkDb(RdsQuery rdsQuery) throws GKUnsupportedDBException {
        String address = rdsQuery.getAddress();

        String gkUserCreateRoleCheck = "select rolcreaterole from pg_roles where rolname = 'gatekeeper'";
        String gkRoleCheck = "select rolname from pg_roles where rolname in ('gk_datafix','gk_dba','gk_readonly')";

        List<String> issues = new ArrayList<>();
        List<String> gkRoles = new ArrayList<>();
        gkRoles.addAll(Arrays.asList("gk_datafix", "gk_readonly", "gk_dba"));
        PGPoolingDataSource dataSource = null;

        try{
            logger.info("Checking the gatekeeper setup for " + address);
            dataSource = connect(address, gkUserCredentialsProvider.getGatekeeperSecret(rdsQuery));
            JdbcTemplate conn = new JdbcTemplate(dataSource);
            Boolean createRolePermCheckResult = conn.queryForObject(gkUserCreateRoleCheck, Boolean.class);
            List<String> roleCheckResult = conn.queryForList(gkRoleCheck, String.class);

            if(!createRolePermCheckResult){
                issues.add("gatekeeper user missing createrole");
            }
            gkRoles.removeAll(roleCheckResult);
            if(!gkRoles.isEmpty()) {
                issues.add("missing the following roles: " + gkRoles);
            }
        }catch(SQLException e){
            logger.error("Error running check query", e);
        } catch(CannotGetJdbcConnectionException ex){
            logger.error("Failed to connect to DB", ex);
            if(ex.getMessage().contains("password")) {
                issues.add("Password authentication failed for gatekeeper user");
            }else{
                issues.add("Unable to connect to DB (" + ex.getCause().getMessage() + ")");
            }
        }finally{
            if(dataSource != null) {
                dataSource.close();
            }
        }

        return issues;

    }

    /**
     * Check to see if this user is the owner of any tables on the DB
     *
     * @param rdsCheckUsersTableQuery - the query details for the db
     * @return List of String - List of users that still own tables
     *
     * @throws SQLException - if there's an issue executing the query on the database
     */
    public List<String> checkIfUsersHasTables(RdsCheckUsersTableQuery rdsCheckUsersTableQuery) throws SQLException{
        String address = rdsCheckUsersTableQuery.getAddress();
        List<String> users = rdsCheckUsersTableQuery.getUsers();
        PGPoolingDataSource dataSource = null;
        try {
            dataSource = connect(address, gkUserCredentialsProvider.getGatekeeperSecret(rdsCheckUsersTableQuery));
            JdbcTemplate conn = new JdbcTemplate(dataSource);
            StringBuilder sb = new StringBuilder();
            users.forEach(user -> {
                sb.append("?,");
            });

            String query = "SELECT distinct tableowner FROM pg_tables t where t.tableowner in ("+ sb.deleteCharAt(sb.length() - 1).toString() + ")";

            List<String> outcome = conn.queryForList(query, users.toArray(), String.class);

            return outcome;

        }catch(SQLException ex){
            logger.error("An Error occured while checking to see if the user owns any tables on the database", ex);
            return users;
        }finally {
            if(dataSource != null) {
                dataSource.close();
            }
        }
    }

    public List<DbUser> getUsers(RdsQuery rdsQuery) throws SQLException{
        String address = rdsQuery.getAddress();
        PGPoolingDataSource dataSource = connect(address, gkUserCredentialsProvider.getGatekeeperSecret(rdsQuery));
        JdbcTemplate conn = new JdbcTemplate(dataSource);
        List<DbUser> results;
        logger.info("Getting available schema information for " + address);
        try {
            results = conn.query(getUsers, new PostgresDbUserMapper());
            logger.info("Retrieved users for database " + address);
        } catch (Exception ex) {
            logger.error("Could not retrieve list of users for database " + address, ex);
            results = Collections.emptyList();
        }
        dataSource.close();
        return results;
    }

    public List<String> getAvailableRoles(RdsQuery rdsQuery) throws SQLException{
        String address = rdsQuery.getAddress();

        PGPoolingDataSource dataSource = connect(address, gkUserCredentialsProvider.getGatekeeperSecret(rdsQuery));
        JdbcTemplate conn = new JdbcTemplate(dataSource);
        List<String> results;
        logger.info("Getting available roles for " + address);
        try {
            results = conn.queryForList("select rolname from pg_catalog.pg_roles where rolname like 'gk_%' and rolcanlogin = false", String.class);
        } catch (Exception ex) {
            logger.error("Could not retrieve list of roles for database " + address, ex);
            throw ex;
        }finally {
            dataSource.close();
        }
        return results;
    }

    private PGPoolingDataSource connect(String url, String gkUserPassword) throws SQLException {
        String dbUrl = url.split("/")[0];
        logger.info("Getting connection for " + dbUrl);
        logger.info("Creating Datasource connection for " + dbUrl);
        String pgUrl = dbUrl + "/postgres"; // url with postgres instead of whatever was on the AWS console
        try {
            return connectHelper(pgUrl, gkUserPassword); // Try postgres first since it is a default db.
        } catch (Exception e){
            logger.info("postgres database not present for " + dbUrl.split("/")[0] + " Attempting connection to " + url + " as fallback.");
            return connectHelper(url, gkUserPassword); // Fall-back if postgres isn't there
        }
    }

    private PGPoolingDataSource connectHelper(String address, String gkUserPassword) {
        PGPoolingDataSource dataSource = new PGPoolingDataSource();
        String dbUrl = "jdbc:postgresql://" + address;

        dataSource.setDataSourceName(address);
        dataSource.setUrl(dbUrl);
        dataSource.setUser(gkUserName);
        dataSource.setPassword(gkUserPassword);
        dataSource.setConnectTimeout(connectTimeout);
        dataSource.setSsl(ssl);
        dataSource.setSslMode(sslMode);
        dataSource.setSslRootCert(sslCert);
        //Do not want to keep the connection after execution

        try {
            new JdbcTemplate(dataSource).queryForList("select 1"); // Tests the connection
        } catch (Exception e) {
            logger.error("Failed to connect to " + address);
            dataSource.close(); // close the datasource
            throw e;
        }
        logger.info("Using the following properties with the connection: " + ssl);
        return dataSource;

    }

    private void updateUser(JdbcTemplate conn, String address, String user, String password, RoleType role, String expirationTime ) throws SQLException{
        logger.info("Rotating the password for " + user + " on " + address + " with role " + role.getDbRole());
        conn.execute("ALTER USER " + user + " PASSWORD '" + password + "' VALID UNTIL " + " '" + expirationTime + "'", new PostgresCallableStatementExecutor());
        logger.info("Done Updating user " + user + " on " + address + " with role " + role.getDbRole());
    }

    private void createUser(JdbcTemplate conn, String address, String user, String password, RoleType role, String expirationTime ) throws SQLException{
        logger.info("Creating user " + user + " on " + address + " with role " + role.getDbRole());
        conn.execute("CREATE USER " + user, new PostgresCallableStatementExecutor());
        conn.execute("SET log_statement='none'", new PostgresCallableStatementExecutor());
        conn.execute("ALTER USER " + user + " PASSWORD '" + password + "' VALID UNTIL " + " '" + expirationTime + "'", new PostgresCallableStatementExecutor());
        conn.execute("SET log_statement='ddl'", new PostgresCallableStatementExecutor());
        conn.execute("GRANT " + role.getDbRole() + " TO " + user, new PostgresCallableStatementExecutor());
        logger.info("Done Creating user " + user + " on " + address + " with role " + role.getDbRole());
    }

    private boolean userExists(JdbcTemplate conn, String user){
        logger.info("Checking to see if user " + user + " exists");
        return conn.queryForList("SELECT 1 FROM pg_roles WHERE rolname='" + user+"'").size() > 0;
    }
    private boolean revokeUser(JdbcTemplate conn, String user){
        conn.execute("DROP USER IF EXISTS " + user, new PostgresCallableStatementExecutor());
        return !userExists(conn, user);
    }

    private class PostgresCallableStatementExecutor implements CallableStatementCallback<Boolean> {
        public Boolean doInCallableStatement(CallableStatement callableStatement) throws SQLException, DataAccessException {
            return callableStatement.execute();
        }
    }

    private class PostgresDbUserMapper implements  RowMapper<DbUser> {
        public DbUser mapRow(ResultSet rs, int rowNum) throws SQLException{
            return new DbUser()
                    .setUsername(rs.getString(1));
        }
    }
}