From ba7c1588ae4119a885a26412e81ec5b028db9acc Mon Sep 17 00:00:00 2001
From: Abhijeet <41686026+abhvsn@users.noreply.github.com>
Date: Fri, 6 Dec 2024 10:49:27 +0530
Subject: [PATCH] fix: Add password based auth for postgres (#37068)

---
 deploy/docker/fs/opt/appsmith/entrypoint.sh   |  13 +-
 deploy/docker/fs/opt/appsmith/pg-utils.sh     |  52 ++--
 .../opt/appsmith/postgres/appsmith_hba.conf   |  24 ++
 deploy/docker/tests/.gitignore                |   1 +
 deploy/docker/tests/composes.sh               |  81 +++++
 deploy/docker/tests/test-pg-auth.sh           | 279 ++++++++++++++++++
 deploy/docker/tests/test-pg-utils.sh          |  13 +-
 scripts/local_testing.sh                      |  17 +-
 8 files changed, 454 insertions(+), 26 deletions(-)
 create mode 100644 deploy/docker/fs/opt/appsmith/postgres/appsmith_hba.conf
 create mode 100644 deploy/docker/tests/.gitignore
 create mode 100644 deploy/docker/tests/composes.sh
 create mode 100755 deploy/docker/tests/test-pg-auth.sh

diff --git a/deploy/docker/fs/opt/appsmith/entrypoint.sh b/deploy/docker/fs/opt/appsmith/entrypoint.sh
index ce39e43598..77ab4cd5de 100644
--- a/deploy/docker/fs/opt/appsmith/entrypoint.sh
+++ b/deploy/docker/fs/opt/appsmith/entrypoint.sh
@@ -1,5 +1,8 @@
 #!/usr/bin/env bash
 
+# Source the helper script
+source pg-utils.sh
+
 set -e
 
 tlog "Running as: $(id)"
@@ -440,6 +443,12 @@ init_postgres() {
       tlog "Initializing local Postgres data folder"
       su postgres -c "env PATH='$PATH' initdb -D $POSTGRES_DB_PATH"
     fi
+    cp /opt/appsmith/postgres/appsmith_hba.conf "$POSTGRES_DB_PATH/pg_hba.conf"
+    # PostgreSQL requires strict file permissions for the pg_hba.conf file. Add file permission settings after copying the configuration file.
+    # 600 is the recommended permission for pg_hba.conf file for read and write access to the owner only.
+    chown postgres:postgres "$POSTGRES_DB_PATH/pg_hba.conf"
+    chmod 600 "$POSTGRES_DB_PATH/pg_hba.conf"
+
     create_appsmith_pg_db "$POSTGRES_DB_PATH"
   else
     runEmbeddedPostgres=0
@@ -477,7 +486,9 @@ create_appsmith_pg_db() {
   local max_attempts=300
   local attempt=0
 
-  until su postgres -c "env PATH='$PATH' pg_isready -h 127.0.0.1"; do
+  local unix_socket_directory=$(get_unix_socket_directory "$POSTGRES_DB_PATH")
+  echo "Unix socket directory is $unix_socket_directory"
+  until su postgres -c "env PATH='$PATH' pg_isready -h $unix_socket_directory"; do
     if (( attempt >= max_attempts )); then
       echo "Postgres failed to start within 300 seconds."
       return 1
diff --git a/deploy/docker/fs/opt/appsmith/pg-utils.sh b/deploy/docker/fs/opt/appsmith/pg-utils.sh
index 27ad26efdc..4bb5dec16f 100755
--- a/deploy/docker/fs/opt/appsmith/pg-utils.sh
+++ b/deploy/docker/fs/opt/appsmith/pg-utils.sh
@@ -6,7 +6,8 @@ DB_HOST="127.0.0.1"
 DB_PORT="5432"
 DB_SCHEMA="appsmith"
 DB_NAME="appsmith"
-postgres_admin_user="postgres"
+POSTGRES_ADMIN_USER="postgres"
+POSTGRES_DB_PATH="/appsmith-stacks/data/postgres/main"
 
 waitForPostgresAvailability() {
   if [ -z "$PG_DB_HOST" ]; then
@@ -17,8 +18,9 @@ waitForPostgresAvailability() {
     MAX_RETRIES=50
     RETRYSECONDS=10
     retry_count=0
+    local unix_socket_directory=$(get_unix_socket_directory "$POSTGRES_DB_PATH")
     while true; do
-      su postgres -c "pg_isready -h '${PG_DB_HOST}' -p '${PG_DB_PORT}'"
+      su postgres -c "pg_isready -h $unix_socket_directory -p '${PG_DB_PORT}'"
       status=$?
 
       case $status in
@@ -106,31 +108,34 @@ init_pg_db() {
     # Check if the DB_HOST is local (localhost or 127.0.0.1)
     if [[ "$PG_DB_HOST" == "localhost" || "$PG_DB_HOST" == "127.0.0.1" ]]; then
 
+      local unix_socket_directory=$(get_unix_socket_directory "$POSTGRES_DB_PATH")
       # Check if the database exists
-      DB_CHECK=$(psql -h "$PG_DB_HOST" -p "$PG_DB_PORT" -U postgres -d "postgres" -tAc "SELECT 1 FROM pg_database WHERE datname='$PG_DB_NAME'")
+      DB_CHECK=$(psql -h "$unix_socket_directory" -p "$PG_DB_PORT" -U "$POSTGRES_ADMIN_USER" -tAc "SELECT 1 FROM pg_database WHERE datname='$PG_DB_NAME'")
 
       if [ "$DB_CHECK" != "1" ]; then
         echo "Database $PG_DB_NAME does not exist. Creating database..."
-        psql -h "$PG_DB_HOST" -p "$PG_DB_PORT" -U postgres -d "postgres" -c "CREATE DATABASE $PG_DB_NAME;"
+        psql -h "$unix_socket_directory" -p "$PG_DB_PORT" -U "$POSTGRES_ADMIN_USER" -c "CREATE DATABASE $PG_DB_NAME;"
       else
         echo "Database $PG_DB_NAME already exists."
       fi
 
       # Check if the schema exists
-      SCHEMA_CHECK=$(psql -h "$PG_DB_HOST" -p "$PG_DB_PORT" -U postgres -d "$PG_DB_NAME" -tAc "SELECT 1 FROM information_schema.schemata WHERE schema_name='appsmith'")
+      SCHEMA_CHECK=$(psql -h "$unix_socket_directory" -p "$PG_DB_PORT" -U "$POSTGRES_ADMIN_USER" -d "$PG_DB_NAME" -tAc "SELECT 1 FROM information_schema.schemata WHERE schema_name='appsmith'")
 
       # Create schema and user if not exists
       if [ "$SCHEMA_CHECK" != "1" ]; then
         echo "Creating user '$PG_DB_USER' with password "
-        psql -h "$PG_DB_HOST" -p "$PG_DB_PORT" -U postgres -d "$PG_DB_NAME" -c "CREATE USER \"$PG_DB_USER\" WITH PASSWORD '$PG_DB_PASSWORD';"
+        psql -h "$unix_socket_directory" -p "$PG_DB_PORT" -U "$POSTGRES_ADMIN_USER" -d "$PG_DB_NAME" -c "CREATE USER \"$PG_DB_USER\" WITH PASSWORD '$PG_DB_PASSWORD';"
 
         echo "Schema 'appsmith' does not exist. Creating schema..."
-        psql -h "$PG_DB_HOST" -p "$PG_DB_PORT" -U postgres -d "$PG_DB_NAME" -c "CREATE SCHEMA appsmith;"
+        psql -h "$unix_socket_directory" -p "$PG_DB_PORT" -U "$POSTGRES_ADMIN_USER" -d "$PG_DB_NAME" -c "CREATE SCHEMA appsmith;"
       fi
-      USER=$PG_DB_USER SCHEMA="appsmith" DB=$PG_DB_NAME HOST=$PG_DB_HOST PORT=$PG_DB_PORT grant_permissions_for_schema
-
       echo "Creating pg_trgm extension..."
-      psql -h "$PG_DB_HOST" -p "$PG_DB_PORT" -U postgres -d "$PG_DB_NAME" -c "CREATE EXTENSION IF NOT EXISTS pg_trgm;"
+      psql -h "$unix_socket_directory" -p "$PG_DB_PORT" -U "$POSTGRES_ADMIN_USER" -d "$PG_DB_NAME" -c "CREATE EXTENSION IF NOT EXISTS pg_trgm;"
+
+      # Grant permissions to the user on the schema
+      USER=$PG_DB_USER SCHEMA="appsmith" DB=$PG_DB_NAME HOST=$PG_DB_HOST PORT=$PG_DB_PORT grant_permissions_for_local_db_schema
+    
     else
       echo "Remote PostgreSQL detected, running as current user."
       PGPASSWORD=$PG_DB_PASSWORD psql -h "$PG_DB_HOST" -p "$PG_DB_PORT" -U "$PG_DB_USER" -d "$PG_DB_NAME" -c "CREATE SCHEMA IF NOT EXISTS appsmith;"
@@ -160,18 +165,31 @@ init_pg_db() {
 # Returns:
 #     None
 # Example:
-#     USER="user" SCHEMA="schema" DB="db" HOST="host" PORT="port" grant_permissions_for_schema
-grant_permissions_for_schema() {
+#     USER="user" SCHEMA="schema" DB="db" HOST="host" PORT="port" grant_permissions_for_local_db_schema
+grant_permissions_for_local_db_schema() {
   local user=${USER-$DB_USER} schema=${SCHEMA-$DB_SCHEMA} db=${DB-$DB_NAME} host=${HOST-$DB_HOST} port=${PORT-$DB_PORT}
+  local unix_socket_directory=$(get_unix_socket_directory "$POSTGRES_DB_PATH")
   tlog "Granting permissions to user '${user}' on schema '$schema' in database '$db' on host '$host' and port '$port'..."
-  psql -h ${host} -p ${port} -U ${postgres_admin_user} -d ${db} -c "GRANT ALL PRIVILEGES ON SCHEMA ${schema} TO ${user};"
-  psql -h ${host} -p ${port} -U ${postgres_admin_user} -d ${db} -c "GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA ${schema} TO ${user};"
-  psql -h ${host} -p ${port} -U ${postgres_admin_user} -d ${db} -c "ALTER DEFAULT PRIVILEGES IN SCHEMA ${schema} GRANT ALL PRIVILEGES ON TABLES TO ${user};"
-  psql -h ${host} -p ${port} -U ${postgres_admin_user} -d ${db} -c "GRANT CONNECT ON DATABASE ${db} TO ${user};"
+  psql -h "$unix_socket_directory" -p "$port" -U "$POSTGRES_ADMIN_USER" -d "$db" -c "GRANT ALL PRIVILEGES ON SCHEMA ${schema} TO ${user};"
+  psql -h "$unix_socket_directory" -p "$port" -U "$POSTGRES_ADMIN_USER" -d "$db" -c "GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA ${schema} TO ${user};"
+  psql -h "$unix_socket_directory" -p "$port" -U "$POSTGRES_ADMIN_USER" -d "$db" -c "ALTER DEFAULT PRIVILEGES IN SCHEMA ${schema} GRANT ALL PRIVILEGES ON TABLES TO ${user};"
+  psql -h "$unix_socket_directory" -p "$port" -U "$POSTGRES_ADMIN_USER" -d "$db" -c "GRANT CONNECT ON DATABASE ${db} TO ${user};"
+}
+
+get_unix_socket_directory() {
+  local postgres_db_path=${1:-"$POSTGRES_DB_PATH"}
+  local unix_socket_directory
+  unix_socket_directory=$(grep -E "^unix_socket_directories" "$postgres_db_path/postgresql.conf" | sed -E "s/.*= (.*).*/\1/" | cut -d',' -f1)
+  # If unix_socket_directory is empty, default to /var/run/postgresql
+  if [ -z "$unix_socket_directory" ]; then
+    unix_socket_directory="/var/run/postgresql"
+  fi
+  echo "$unix_socket_directory"
 }
 
 # Example usage of the functions
 # waitForPostgresAvailability
 # extract_postgres_db_params "postgresql://user:password@localhost:5432/dbname"
 # init_pg_db
-# USER="user" SCHEMA="schema" DB="db" HOST="host" PORT="port" grant_permissions_for_schema
+# USER="user" SCHEMA="schema" DB="db" HOST="host" PORT="port" grant_permissions_for_local_db_schema
+# get_unix_socket_directory "/var/lib/postgresql/12/main"
\ No newline at end of file
diff --git a/deploy/docker/fs/opt/appsmith/postgres/appsmith_hba.conf b/deploy/docker/fs/opt/appsmith/postgres/appsmith_hba.conf
new file mode 100644
index 0000000000..6112c796d0
--- /dev/null
+++ b/deploy/docker/fs/opt/appsmith/postgres/appsmith_hba.conf
@@ -0,0 +1,24 @@
+# This is a custom configuration for Embedded PostgreSQL for Appsmith.
+# This file will be used to override the default pg_hba.conf file on restart.
+
+# What is the meaning of this configuration?
+# This configuration changes how PostgreSQL authenticates users 
+# connecting to the database. For user "postgres", we are allowing 
+# all connections from all addresses without any password on the unix 
+# socket. For all other users, we are allowing connections from IPv4 
+# and IPv6 with a password.
+
+# TYPE  DATABASE        USER            ADDRESS                 METHOD
+# "local" is for Unix domain socket connections only
+local   all             postgres                                trust
+# IPv4 local connections:
+host    appsmith        appsmith        127.0.0.1/32            scram-sha-256
+host    postgres        appsmith        127.0.0.1/32            scram-sha-256
+# IPv6 local connections:
+host    appsmith        appsmith        ::1/128                 scram-sha-256
+host    postgres        appsmith        ::1/128                 scram-sha-256
+# Allow replication connections from localhost, by a user with the
+# replication privilege.
+local   replication     all                                     scram-sha-256
+host    replication     all             127.0.0.1/32            scram-sha-256
+host    replication     all             ::1/128                 scram-sha-256
\ No newline at end of file
diff --git a/deploy/docker/tests/.gitignore b/deploy/docker/tests/.gitignore
new file mode 100644
index 0000000000..412c257475
--- /dev/null
+++ b/deploy/docker/tests/.gitignore
@@ -0,0 +1 @@
+docker-compose.yml
\ No newline at end of file
diff --git a/deploy/docker/tests/composes.sh b/deploy/docker/tests/composes.sh
new file mode 100644
index 0000000000..c1d1b19077
--- /dev/null
+++ b/deploy/docker/tests/composes.sh
@@ -0,0 +1,81 @@
+#!/bin/bash
+# set -o errexit
+# set -x
+
+generate_compose_file() {
+    local version=$1
+    check_appsmith_edition
+    cat <<EOF >${docker_compose_path}
+services:
+    appsmith:
+        image: index.docker.io/appsmith/appsmith-$edition:$version
+        container_name: $container_name
+        ports:
+            - "80:80"
+            - "443:443"
+        volumes:
+            - ${stacks_path}:/appsmith-stacks
+        environment:
+            - APPSMITH_CLOUD_SERVICES_BASE_URL=https://release-cs.appsmith.com
+        restart: unless-stopped
+EOF
+}
+
+compose_appsmith_version() {
+    local version=$1
+    generate_compose_file $version
+    docker compose up -d
+}
+
+compose_appsmith_latest() {
+    local version=latest
+    check_appsmith_edition
+
+    generate_compose_file $version
+    docker compose pull &&
+        docker compose up -d
+}
+
+compose_appsmith_local() {
+    local version=latest
+    check_appsmith_edition
+
+    cat <<EOF >${docker_compose_path}
+services:
+    appsmith:
+        image: appsmith/appsmith-local-$edition:$version
+        container_name: $container_name
+        ports:
+            - "80:80"
+            - "443:443"
+        volumes:
+            - ${stacks_path}:/appsmith-stacks
+        environment:
+            - APPSMITH_CLOUD_SERVICES_BASE_URL=https://release-cs.appsmith.com
+        restart: unless-stopped
+EOF
+
+    docker compose up -d
+
+    # return container name
+    echo "$container_name"
+}
+
+cleanup() {
+    echo "Starting fresh. Cleaning up the environment."
+    docker rm -f $container_name || true
+    sudo rm -rf ${stacks_path} || true
+}
+
+check_appsmith_edition() {
+    export edition=ce
+    if [[ "$(git remote get-url origin)" == *appsmithorg/appsmith-ee* ]]; then
+        export edition=ee
+    fi
+    echo "Edition: $edition"
+}
+
+container_name="appsmith-docker-test"
+# mkdir -p /tmp/$container_name
+stacks_path="/tmp/$container_name-stacks"
+docker_compose_path="docker-compose.yml"
\ No newline at end of file
diff --git a/deploy/docker/tests/test-pg-auth.sh b/deploy/docker/tests/test-pg-auth.sh
new file mode 100755
index 0000000000..854de8a962
--- /dev/null
+++ b/deploy/docker/tests/test-pg-auth.sh
@@ -0,0 +1,279 @@
+#!/bin/bash
+set -o errexit
+# set -x
+
+source ./composes.sh
+
+
+# Function to update the APPSMITH_DB_URL in docker.env
+# Once postgres is the default db, the APPSMITH_POSTGRES_DB_URL will be removed and this step won't be required anymore
+# Check run-java.sh for more details why we need to update the APPSMITH_DB_URL to point to postgres
+update_db_url() {
+  docker exec "${container_name}" bash -c "sed -i 's|^APPSMITH_DB_URL=mongodb|# &|' /appsmith-stacks/configuration/docker.env"
+  docker exec "${container_name}" bash -c "sed -i 's|^APPSMITH_POSTGRES_DB_URL=|APPSMITH_DB_URL=|' /appsmith-stacks/configuration/docker.env"
+}
+
+# Function to check if the Appsmith instance is up
+is_appsmith_instance_ready() {
+  local max_retries=200
+  local retry_count=0
+  local response_code
+
+  while [ $retry_count -lt $max_retries ]; do
+    response_code=$(curl -s -o /dev/null -w "%{http_code}" http://localhost/health)
+    if [[ $response_code -eq 200 ]]; then
+      echo "Appsmith instance is ready."
+      return 0
+    fi
+    echo "Waiting for Appsmith instance to be ready... (Attempt: $((retry_count + 1)))"
+    retry_count=$((retry_count + 1))
+    sleep 2
+  done
+  return 1
+}
+
+# Function to wait until the postgres is ready
+wait_for_postgres() {
+  local max_retries=200
+  local retry_count=0
+
+  while [ $retry_count -lt $max_retries ]; do
+    if docker exec "${container_name}" pg_isready; then
+      echo "Postgres is ready."
+      return 0
+    fi
+    echo "Waiting for Postgres to be ready... (Attempt: $((retry_count + 1)))"
+    retry_count=$((retry_count + 1))
+    sleep 2
+  done
+}
+
+# Function to read the password from the PostgreSQL URL in docker.env.sh
+get_appsmith_password() {
+  local password
+  password=$(docker exec "${container_name}" bash -c "grep -i 'APPSMITH_DB_URL' /appsmith-stacks/configuration/docker.env | sed -n 's/^.*\/\/appsmith:\([^@]*\)@.*$/\1/p'")
+  printf "%s" "$password"
+}
+
+# Function to check the read access to databases
+check_user_datasource_access_with_auth() {
+  local password
+  local appsmith_user_local_access
+  local appsmith_user_remote_access
+  password=$(get_appsmith_password)
+  docker exec -i "${container_name}" bash -c "psql -h 127.0.0.1 -p 5432 -U appsmith -c '\l'" <<EOF
+$password
+EOF
+  appsmith_user_remote_access=$?
+  docker exec -i "${container_name}" bash -c "psql -p 5432 -U appsmith -c '\l'"
+  appsmith_user_local_access=$?
+  # Check if the Appsmith user does not have read access with local unix socket but has read access with local tcp socket
+  if [[ $appsmith_user_local_access -ne 0 && $appsmith_user_remote_access -eq 0 ]]; then
+    echo "appsmith user does not have read access to databases with local unix socket: ✅"
+    echo "appsmith user has read access to databases with local tcp socket: ✅"
+    local pg_user_local_access
+    local pg_user_remote_access
+    # Check if the postgres user has read access to databases with local unix socket
+    docker exec -i "${container_name}" bash -c "psql -p 5432 -U postgres -d appsmith -c '\l'"
+    pg_user_local_access=$?
+    # Check if the postgres user does not have read access to databases with local tcp socket
+    docker exec -i "${container_name}" bash -c "psql -h 127.0.0.1 -p 5432 -U postgres -d appsmith -c '\l'"
+    pg_user_remote_access=$?
+    if [[ $pg_user_local_access -eq 0 && $pg_user_remote_access -ne 0 ]]; then
+        echo "postgres user has read access to databases with local unix socket: ✅"
+        echo "postgres user does not have read access to databases with local tcp socket: ✅"
+        return 0
+    elif [[ $pg_user_local_access -ne 0 ]]; then
+        echo "postgres user does not have read access to databases with local unix socket: ❌"
+    elif [[ $pg_user_remote_access -eq 0 ]]; then
+        echo "postgres user has read access to databases with local tcp socket: ❌"
+    fi
+  elif [[ $appsmith_user_local_access -eq 0 ]]; then
+    echo "appsmith user has read access to databases with local unix socket: ❌"
+  elif [[ $appsmith_user_remote_access -ne 0 ]]; then
+    echo "appsmith user does not have read access to databases with local tcp socket: ❌"
+  fi
+  return 1
+}
+
+# Function to check if the Appsmith user has read access to databases
+check_user_datasource_access_with_host_port_wo_auth() {
+  docker exec "${container_name}" bash -c "psql -h 127.0.0.1 -p 5432 -U postgres -c '\l'"
+  return $?
+}
+
+# Function to check if the Appsmith user has read access to databases
+check_user_datasource_access_with_local_port_wo_auth() {
+  docker exec "${container_name}" bash -c "psql -p 5432 -U postgres -c '\l'"
+  return $?
+}
+
+# Test to check if the postgres auth is enabled after upgrading from 1.50 to local image
+# Expectation:
+# 1. Appsmith instance should be able to upgrade from v1.50 to local image
+# 2. Postgres user should have read access to databases with local unix socket
+# 3. Postgres user should not have read access to databases with tcp socket
+# 4. Appsmith user should not have read access to databases with local unix socket
+# 5. Appsmith user should have read access to databases with tcp socket
+test_postgres_auth_enabled_upgrade_from_150tolocal() {
+    # Steps:
+    # 1. Start the Appsmith 1.50 instance
+    # 2. Check if the Appsmith instance is up
+    # 3. Check if the postgres user has read access to databases
+    # 4. Update the APPSMITH_DB_URL in docker.env to point to postgres
+    # 5. Start the Appsmith local image
+    # 6. Check if the Appsmith instance is up
+    # 7. Check if the Appsmith user has read access to databases
+    # 8. Check if the postgres user has read access to databases
+    echo "############################################################"
+    echo "Starting ${FUNCNAME[0]}"
+
+    cleanup
+    # appsmith v1.50 does not have postgres auth enabled
+    echo "Starting Appsmith 150"
+    compose_appsmith_version v1.50
+    # Wait until postgres to come up
+    wait_for_postgres
+
+    # Check if the Appsmith instance is up
+    if is_appsmith_instance_ready; then
+
+        # Check if the postgres user has read access to databases
+        if check_user_datasource_access_with_host_port_wo_auth; then
+            echo "postgres user has read access to databases: ✅"
+        else
+            # We don't expect the postgres user to not have read access as the auth level is set to trust hence failing the test after this step immediately
+            echo "postgres user does not have read access to databases: ❌"
+            exit 1
+        fi
+    else
+        echo "Appsmith instance failed to start."
+        exit 1
+    fi
+
+    # Update the APPSMITH_DB_URL in docker.env to point to postgres to initialise appsmith user and schema when the container with local image is started
+    update_db_url
+    echo "Remove container to reuse the same volume for local image"
+    docker compose down --timeout 30 # wait upto timeout for graceful shutdown.
+    # ensure the container exists before trying to remove it
+    docker compose ps -q "${container_name}" && \
+        docker compose rm -fsv "${container_name}" || \
+        echo "Container "${container_name}" does not exist."
+
+    echo "Starting Appsmith local to check the auth"
+    compose_appsmith_local
+    
+    MAX_RETRIES=10
+    RETRYSECONDS=5
+    retry_count=0
+
+    while true; do
+        retry_count=$((retry_count + 1))
+        if docker exec "${container_name}" pg_isready &&
+          [ "$(docker exec "${container_name}" bash -c 'cat /appsmith-stacks/data/postgres/main/PG_VERSION')" = "14" ]; then
+            break
+        fi
+        if [ $retry_count -le $MAX_RETRIES ]; then
+            echo "Waiting for postgres to be up..."
+            sleep $RETRYSECONDS
+        else
+            echo "Test ${FUNCNAME[0]} Failed"
+            exit 1
+        fi
+    done
+    
+    # Check if the Appsmith instance is up
+    if is_appsmith_instance_ready; then
+
+        # Check if the Appsmith user has read access to databases
+        if check_user_datasource_access_with_auth; then
+            echo "Test ${FUNCNAME[0]} Passed ✅"
+        else 
+            echo "Test ${FUNCNAME[0]} Failed ❌"
+            exit 1
+        fi
+    else
+        echo "Appsmith instance failed to start."
+        echo "Test ${FUNCNAME[0]} Failed ❌"
+        exit 1
+    fi
+}
+
+# Test to check if the postgres auth is enabled after restarting local image
+# Expectation:
+# 1. Appsmith instance should be able to start to local image with mongodb default uri
+# 2. Appsmith instance should be able to restart to local image with postgres uri
+# 3. Postgres user should have read access to databases with local unix socket
+# 4. Postgres user should not have read access to databases with tcp socket
+# 5. Appsmith user should not have read access to databases with local unix socket
+# 6. Appsmith user should have read access to databases with tcp socket
+test_postgres_auth_enabled_restart_localtolocal() {
+    # Steps:
+    # 1. Start the Appsmith local instance with mongodb default uri
+    # 2. Check if the Appsmith instance is up
+    # 3. Check if the postgres user has read access to databases
+    # 4. Update the APPSMITH_DB_URL in docker.env to point to postgres
+    # 5. Start the Appsmith local image
+    # 6. Check if the Appsmith instance is up
+    # 7. Check if the Appsmith user has read access to databases
+    # 8. Check if the postgres user has read access to databases
+    echo "############################################################"
+    echo "Starting ${FUNCNAME[0]}"
+
+    cleanup
+    echo "Starting Appsmith local with mongodb default uri"
+    compose_appsmith_local
+    # Wait until postgres to come up
+    wait_for_postgres
+
+    # Check if the Appsmith instance is up
+    if is_appsmith_instance_ready; then
+
+        # Check if the postgres user has read access to databases
+        if check_user_datasource_access_with_local_port_wo_auth; then
+            echo "postgres user has read access to databases: ✅"
+        else
+            # We don't expect the postgres user to not have read access as the auth level is set to trust hence failing the test after this step immediately
+            echo "postgres user does not have read access to databases: ❌"
+            exit 1
+        fi
+    else
+        echo "Appsmith instance failed to start."
+        exit 1
+    fi
+
+    # Update the APPSMITH_DB_URL in docker.env to point to postgres to initialise appsmith user and schema when the container with local image is started
+    update_db_url
+    echo "Remove container to reuse the same volume for local image"
+    docker compose down --timeout 30 # wait upto timeout for graceful shutdown.
+    # ensure the container exists before trying to remove it
+    docker compose ps -q "${container_name}" && \
+        docker compose rm -fsv "${container_name}" || \
+        echo "Container "${container_name}" does not exist."
+
+    echo "Starting Appsmith local to check the auth"
+    compose_appsmith_local
+
+    wait_for_postgres
+
+    # Check if the Appsmith instance is up
+    if is_appsmith_instance_ready; then
+
+        # Check if the Appsmith user has read access to databases
+        if check_user_datasource_access_with_auth; then
+            echo "Test ${FUNCNAME[0]} Passed ✅"
+        else 
+            echo "Test ${FUNCNAME[0]} Failed ❌"
+            exit 1
+        fi
+    else
+        echo "Appsmith instance failed to start."
+        echo "Test ${FUNCNAME[0]} Failed ❌"
+        exit 1
+    fi
+}
+
+container_name="appsmith-docker-test"
+
+test_postgres_auth_enabled_upgrade_from_150tolocal
+test_postgres_auth_enabled_restart_localtolocal
\ No newline at end of file
diff --git a/deploy/docker/tests/test-pg-utils.sh b/deploy/docker/tests/test-pg-utils.sh
index 56bec14456..3ab87727de 100755
--- a/deploy/docker/tests/test-pg-utils.sh
+++ b/deploy/docker/tests/test-pg-utils.sh
@@ -23,7 +23,7 @@ test_extract_postgres_db_params_valid_db_string() {
     exit 1
   fi
 
-  echo "Test passed: test_extract_postgres_db_params_valid_db_string"
+  echo "Test passed: ${FUNCNAME[0]}"
 }
 
 test_extract_postgres_db_params_empty_dbname() {
@@ -36,7 +36,7 @@ test_extract_postgres_db_params_empty_dbname() {
     exit 1
   fi
 
-  echo "Test passed: test_extract_postgres_db_params_empty_dbname"
+  echo "Test passed: ${FUNCNAME[0]}"
 }
 
 test_extract_postgres_db_params_with_spaces() {
@@ -49,7 +49,13 @@ test_extract_postgres_db_params_with_spaces() {
     exit 1
   fi
 
-  echo "Test passed: test_extract_postgres_db_params_with_spaces"
+  echo "Test passed: ${FUNCNAME[0]}"
+}
+
+test_get_unix_socket_directory() {
+  local unix_socket_directory=$(get_unix_socket_directory)
+  assert_equals $unix_socket_directory "/var/run/postgresql"
+  echo "Test passed: ${FUNCNAME[0]}"
 }
 
 echo_params() {
@@ -64,5 +70,6 @@ echo_params() {
 test_extract_postgres_db_params_valid_db_string
 test_extract_postgres_db_params_empty_dbname
 test_extract_postgres_db_params_with_spaces
+test_get_unix_socket_directory
 
 echo "All Tests Pass!"
\ No newline at end of file
diff --git a/scripts/local_testing.sh b/scripts/local_testing.sh
index 199d38560f..b8fd6295ca 100755
--- a/scripts/local_testing.sh
+++ b/scripts/local_testing.sh
@@ -10,7 +10,7 @@ display_help()
   echo "If --local or -l is passed, it will build with local changes"
   echo "---------------------------------------------------------------------------------------"
   echo
-  echo "Syntax: $0 [-h] [-l] [-r [remote_url]] [branch_name] [cs_url]"
+  echo "Syntax: $0 [-h] [-l] [-r [remote_url]] [branch_name] [tag] [cs_url]"
   echo "options:"
   echo "-h     			Print this help"
   echo "-l or --local    	Use the local codebase and not git"
@@ -50,12 +50,14 @@ if [[ ($LOCAL == true) ]]
 then
   pretty_print "Setting up instance with local changes"
   BRANCH=release
-  cs_url=$2
+  tag=$2
+  cs_url=$3
 elif [[ ($REMOTE == true) ]]
 then
   pretty_print "Setting up instance with remote repository branch ..."
   REMOTE_REPOSITORY_URL=$2
   REMOTE_BRANCH=$3
+  tag=$4
   pretty_print "Please ignore if the following error occurs: remote remote_origin_for_local_test already exists."
   git remote add remote_origin_for_local_test $REMOTE_REPOSITORY_URL || git remote set-url remote_origin_for_local_test $REMOTE_REPOSITORY_URL
   git fetch remote_origin_for_local_test
@@ -63,7 +65,8 @@ then
   git pull remote_origin_for_local_test $REMOTE_BRANCH
 else
   BRANCH=$1
-  cs_url=$2
+  tag=$2
+  cs_url=$3
   pretty_print "Setting up instance to run on branch: $BRANCH"
   cd "$(dirname "$0")"/..
   git fetch origin $BRANCH
@@ -72,6 +75,10 @@ else
   pretty_print "Local branch is now up to date. Starting server build ..."
 fi
 
+if [[ -z "$tag" ]]; then
+  tag=latest
+fi
+pretty_print "Building Appsmith with tag: $tag"
 edition=ce
 if [[ "$(git remote get-url origin)" == *"/appsmith-ee"* ]]; then
   edition=ee
@@ -106,7 +113,7 @@ pretty_print "RTS build successful. Starting Docker build ..."
 
 popd
 bash "$(dirname "$0")/generate_info_json.sh"
-docker build -t appsmith/appsmith-ce:local-testing \
+docker build -t appsmith/appsmith-local-$edition:$tag \
   --build-arg BASE="appsmith/base-$edition:release" \
   --build-arg APPSMITH_CLOUD_SERVICES_BASE_URL="${cs_url:-https://release-cs.appsmith.com}" \
   . \
@@ -114,4 +121,4 @@ docker build -t appsmith/appsmith-ce:local-testing \
 pretty_print "Docker image build successful. Triggering run now ..."
 
 (docker stop appsmith || true) && (docker rm appsmith || true)
-docker run -d --name appsmith -p 80:80 -v "$PWD/stacks:/appsmith-stacks" appsmith/appsmith-ce:local-testing && sleep 15 && pretty_print "Local instance is up! Open Appsmith at http://localhost! "
+docker run -d --name appsmith -p 80:80 -v "$PWD/stacks:/appsmith-stacks" appsmith/appsmith-local-$edition:$tag && sleep 15 && pretty_print "Local instance is up! Open Appsmith at http://localhost! "