blazer 2.5.0 → 2.6.4

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: fad6bd2d76ea45a8ec72956177648848a6dede796354a01f27359b4cb7cfeedb
-  data.tar.gz: a8f81985d77b110c850d421ac86376bbf71cf5f2b318cfea496e8cedb1f1a108
+  metadata.gz: b32d2190afc8df872db60250651c97eae9d202d0b23042a4b853169edbc2d458
+  data.tar.gz: 64cb17476627ce2108e2aaf9619648e4a743774983c29bcb7478a3b4500f4617
 SHA512:
-  metadata.gz: 6fd612ec162dc5b6a23ef1f6b3580da0de7f1cec8788520557e8a25ef0bdf4337df775b0cacb4e292003e1a4565460c411a67951a5ea27048a994fb1178463d7
-  data.tar.gz: 4a5e760ca38fb96fa54df64469f3fd3223d6b23698da0491c43dc8bc3ef92f7f83b14bea028821ba5708adf209bc147975edaf6d4dc76ecb5916d51905e7f2f0
+  metadata.gz: d6eb64793a84ba433e6a68caaa5419dbcbb3f80ae842854b486f552459e77b434bc7d43bacf1d97175fea1857c74e66b440f7de55cc1e591133740f47ea84f18
+  data.tar.gz: 0723a52bb56f41d3526d66799f19a6fa82b91cd51aa3a35b5bede9523012bc0cee291db1f6e71eb74657c8e595ac0dc1b3f20febb1687121c35830456b924c2a

data/CHANGELOG.md

@@ -1,3 +1,28 @@
+## 2.6.4 (2022-05-24)
+
+- Fixed error with caching
+
+## 2.6.3 (2022-05-11)
+
+- Fixed error with canceling queries
+
+## 2.6.2 (2022-05-06)
+
+- Fixed error with Postgres when prepared statements are disabled with Rails < 6.1
+
+## 2.6.1 (2022-04-21)
+
+- Added `region` setting to Amazon Athena
+- Fixed error with MySQL for Rails < 7
+- Fixed error with binary data
+
+## 2.6.0 (2022-04-20)
+
+- Fixed quoting issue with variables
+- Custom adapters now need to specify how to quote variables in queries
+- Added experimental support for Propshaft
+- Fixed error with empty results with InfluxDB
+
 ## 2.5.0 (2022-01-04)
 
 - Added support for Slack OAuth tokens

data/README.md

@@ -61,7 +61,7 @@ For production, specify your database:
 ENV["BLAZER_DATABASE_URL"] = "postgres://user:password@hostname:5432/database"
 ```
 
-Blazer tries to protect against queries which modify data (by running each query in a transaction and rolling it back), but a safer approach is to use a read-only user. [See how to create one](#permissions).
+When possible, Blazer tries to protect against queries which modify data by running each query in a transaction and rolling it back, but a safer approach is to use a read-only user. [See how to create one](#permissions).
 
 #### Checks (optional)
 
@@ -144,16 +144,14 @@ Be sure to render or redirect for unauthorized users.
 
 ## Permissions
 
-Blazer runs each query in a transaction and rolls it back to prevent queries from modifying data. As an additional line of defense, we recommend using a read only user.
-
 ### PostgreSQL
 
-Create a user with read only permissions:
+Create a user with read-only permissions:
 
 ```sql
 BEGIN;
-CREATE ROLE blazer LOGIN PASSWORD 'secret123';
-GRANT CONNECT ON DATABASE database_name TO blazer;
+CREATE ROLE blazer LOGIN PASSWORD 'secret';
+GRANT CONNECT ON DATABASE dbname TO blazer;
 GRANT USAGE ON SCHEMA public TO blazer;
 GRANT SELECT ON ALL TABLES IN SCHEMA public TO blazer;
 ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT ON TABLES TO blazer;
@@ -162,19 +160,20 @@ COMMIT;
 
 ### MySQL
 
-Create a user with read only permissions:
+Create a user with read-only permissions:
 
 ```sql
-GRANT SELECT, SHOW VIEW ON database_name.* TO blazer@’127.0.0.1′ IDENTIFIED BY ‘secret123‘;
+CREATE USER 'blazer'@'127.0.0.1' IDENTIFIED BY 'secret';
+GRANT SELECT, SHOW VIEW ON dbname.* TO 'blazer'@'127.0.0.1';
 FLUSH PRIVILEGES;
 ```
 
 ### MongoDB
 
-Create a user with read only permissions:
+Create a user with read-only permissions:
 
-```
-db.createUser({user: "blazer", pwd: "password", roles: ["read"]})
+```javascript
+db.createUser({user: "blazer", pwd: "secret", roles: ["read"]})
 ```
 
 Also, make sure authorization is enabled when you start the server.
@@ -609,6 +608,7 @@ data_sources:
     workgroup: primary
     access_key_id: ...
     secret_access_key: ...
+    region: ...
 ```
 
 Here’s an example IAM policy:
@@ -656,6 +656,8 @@ data_sources:
     url: redshift://user:password@hostname:5439/database
 ```
 
+Use a [read-only user](https://docs.aws.amazon.com/redshift/latest/dg/r_GRANT.html).
+
 ### Apache Drill
 
 Add [drill-sergeant](https://github.com/ankane/drill-sergeant) to your Gemfile and set:
@@ -667,6 +669,8 @@ data_sources:
     url: http://hostname:8047
 ```
 
+Use a [read-only user](https://drill.apache.org/docs/roles-and-privileges/).
+
 ### Apache Hive
 
 Add [hexspace](https://github.com/ankane/hexspace) to your Gemfile and set:
@@ -690,6 +694,8 @@ data_sources:
     url: ignite://user:password@hostname:10800
 ```
 
+Use a [read-only user](https://www.gridgain.com/docs/latest/administrators-guide/security/authorization-permissions) (requires a third-party plugin).
+
 ### Apache Spark
 
 Add [hexspace](https://github.com/ankane/hexspace) to your Gemfile and set:
@@ -705,7 +711,7 @@ Use a read-only user. Requires the [Thrift server](https://spark.apache.org/docs
 
 ### Cassandra
 
-Add [cassandra-driver](https://github.com/datastax/ruby-driver) to your Gemfile and set:
+Add [cassandra-driver](https://github.com/datastax/ruby-driver) (and [sorted_set](https://github.com/knu/sorted_set) for Ruby 3+) to your Gemfile and set:
 
 ```yml
 data_sources:
@@ -713,6 +719,8 @@ data_sources:
     url: cassandra://user:password@hostname:9042/keyspace
 ```
 
+Use a [read-only role](https://docs.datastax.com/en/cql-oss/3.3/cql/cql_using/useSecurePermission.html).
+
 ### Druid
 
 Enable [SQL support](http://druid.io/docs/latest/querying/sql.html#configuration) on the broker and set:
@@ -724,6 +732,8 @@ data_sources:
     url: http://hostname:8082
 ```
 
+Use a [read-only role](https://druid.apache.org/docs/latest/development/extensions-core/druid-basic-security.html).
+
 ### Elasticsearch
 
 Add [elasticsearch](https://github.com/elastic/elasticsearch-ruby) to your Gemfile and set:
@@ -735,6 +745,8 @@ data_sources:
     url: http://user:password@hostname:9200
 ```
 
+Use a [read-only role](https://www.elastic.co/guide/en/elasticsearch/reference/current/security-privileges.html).
+
 ### Google BigQuery
 
 Add [google-cloud-bigquery](https://github.com/GoogleCloudPlatform/google-cloud-ruby/tree/master/google-cloud-bigquery) to your Gemfile and set:
@@ -757,6 +769,8 @@ data_sources:
     url: ibm-db://user:password@hostname:50000/database
 ```
 
+Use a [read-only user](https://www.ibm.com/support/pages/creating-read-only-database-permissions-user).
+
 ### InfluxDB
 
 Add [influxdb](https://github.com/influxdata/influxdb-ruby) to your Gemfile and set:
@@ -768,7 +782,7 @@ data_sources:
     url: http://user:password@hostname:8086/database
 ```
 
-Supports [InfluxQL](https://docs.influxdata.com/influxdb/v1.8/query_language/explore-data/)
+Use a [read-only user](https://docs.influxdata.com/influxdb/v1.8/administration/authentication_and_authorization/). Supports [InfluxQL](https://docs.influxdata.com/influxdb/v1.8/query_language/explore-data/).
 
 ### MongoDB
 
@@ -782,6 +796,8 @@ data_sources:
     url: mongodb://user:password@hostname:27017/database
 ```
 
+Use a [read-only user](#mongodb).
+
 ### MySQL
 
 Add [mysql2](https://github.com/brianmario/mysql2) to your Gemfile (if it’s not there) and set:
@@ -792,6 +808,8 @@ data_sources:
     url: mysql2://user:password@hostname:3306/database
 ```
 
+Use a [read-only user](#mysql).
+
 ### Neo4j
 
 Add [neo4j-core](https://github.com/neo4jrb/neo4j-core) to your Gemfile and set:
@@ -803,6 +821,8 @@ data_sources:
     url: http://user:password@hostname:7474
 ```
 
+Use a [read-only user](https://neo4j.com/docs/cypher-manual/current/access-control/manage-privileges/).
+
 ### OpenSearch
 
 Add [opensearch-ruby](https://github.com/opensearch-project/opensearch-ruby) to your Gemfile and set:
@@ -814,6 +834,8 @@ data_sources:
     url: http://user:password@hostname:9200
 ```
 
+Use a [read-only user](https://opensearch.org/docs/latest/security-plugin/access-control/permissions/).
+
 ### Oracle
 
 Add [activerecord-oracle_enhanced-adapter](https://github.com/rsim/oracle-enhanced) and [ruby-oci8](https://github.com/kubo/ruby-oci8) to your Gemfile and set:
@@ -824,6 +846,8 @@ data_sources:
     url: oracle-enhanced://user:password@hostname:1521/database
 ```
 
+Use a [read-only user](https://docs.oracle.com/cd/B19306_01/network.102/b14266/authoriz.htm).
+
 ### PostgreSQL
 
 Add [pg](https://github.com/ged/ruby-pg) to your Gemfile (if it’s not there) and set:
@@ -834,6 +858,8 @@ data_sources:
     url: postgres://user:password@hostname:5432/database
 ```
 
+Use a [read-only user](#postgresql).
+
 ### Presto
 
 Add [presto-client](https://github.com/treasure-data/presto-client-ruby) to your Gemfile and set:
@@ -844,6 +870,8 @@ data_sources:
     url: presto://user@hostname:8080/catalog
 ```
 
+Use a [read-only user](https://prestodb.io/docs/current/security/built-in-system-access-control.html).
+
 ### Salesforce
 
 Add [restforce](https://github.com/restforce/restforce) to your Gemfile and set:
@@ -865,7 +893,7 @@ SALESFORCE_CLIENT_SECRET="client secret"
 SALESFORCE_API_VERSION="41.0"
 ```
 
-Supports [SOQL](https://developer.salesforce.com/docs/atlas.en-us.soql_sosl.meta/soql_sosl/sforce_api_calls_soql.htm)
+Use a read-only user. Supports [SOQL](https://developer.salesforce.com/docs/atlas.en-us.soql_sosl.meta/soql_sosl/sforce_api_calls_soql.htm).
 
 ### Socrata Open Data API (SODA)
 
@@ -879,7 +907,7 @@ data_sources:
     app_token: ...
 ```
 
-Supports [SoQL](https://dev.socrata.com/docs/functions/)
+Supports [SoQL](https://dev.socrata.com/docs/functions/).
 
 ### Snowflake
 
@@ -913,6 +941,8 @@ data_sources:
     conn_str: Driver=/path/to/libSnowflake.so;uid=user;pwd=password;server=host.snowflakecomputing.com
 ```
 
+Use a [read-only role](https://docs.snowflake.com/en/user-guide/security-access-control-configure.html).
+
 ### SQLite
 
 Add [sqlite3](https://github.com/sparklemotion/sqlite3-ruby) to your Gemfile and set:
@@ -933,6 +963,8 @@ data_sources:
     url: sqlserver://user:password@hostname:1433/database
 ```
 
+Use a [read-only user](https://docs.microsoft.com/en-us/sql/relational-databases/security/authentication-access/getting-started-with-database-engine-permissions?view=sql-server-ver15).
+
 ## Creating an Adapter
 
 Create an adapter for any data store with:
@@ -1009,6 +1041,22 @@ override_csp: true
 
 ## Upgrading
 
+### 2.6
+
+Custom adapters now need to specify how to quote variables in queries (there is no longer a default)
+
+```ruby
+class FooAdapter < Blazer::Adapters::BaseAdapter
+  def quoting
+    :backslash_escape # single quote strings and convert ' to \' and \ to \\
+    # or
+    :single_quote_escape # single quote strings and convert ' to ''
+    # or
+    ->(value) { ... } # custom method
+  end
+end
+```
+
 ### 2.3
 
 To archive queries, create a migration

data/app/assets/javascripts/blazer/queries.js

@@ -3,6 +3,9 @@ var runningQueries = []
 var maxQueries = 3
 
 function runQuery(data, success, error) {
+  if (!data.data_source) {
+    throw new Error("Data source is required to cancel queries")
+  }
   data.run_id = uuid()
   var query = {
     data: data,
@@ -50,7 +53,11 @@ function runQueryHelper(query) {
       queryComplete(query)
     }
   }).fail( function(jqXHR, textStatus, errorThrown) {
-    if (!query.canceled) {
+    // check jqXHR.status instead of query.canceled
+    // so it works for page navigation with Firefox and Safari
+    if (jqXHR.status === 0) {
+      cancelServerQuery(query)
+    } else {
       var message = (typeof errorThrown === "string") ? errorThrown : errorThrown.message
       if (!message) {
         message = "An error occurred"
@@ -83,6 +90,8 @@ function cancelAllQueries() {
   }
 }
 
+// needed for Chrome
+// queries are canceled before unload with Firefox and Safari
 $(window).on("unload", cancelAllQueries)
 
 function cancelQuery(query) {
@@ -90,7 +99,9 @@ function cancelQuery(query) {
   if (query.xhr) {
     query.xhr.abort()
   }
+}
 
+function cancelServerQuery(query) {
   // tell server
   var path = Routes.cancel_queries_path()
   var data = {run_id: query.run_id, data_source: query.data_source}

data/app/assets/stylesheets/blazer/application.css

@@ -1,4 +1,5 @@
 /*
+ *= require ./bootstrap-sprockets
  *= require ./bootstrap
  *= require ./selectize
  *= require ./github

data/app/assets/stylesheets/blazer/bootstrap-propshaft.css

@@ -0,0 +1,10 @@
+/*!
+ * Bootstrap v3.4.1 (https://getbootstrap.com/)
+ * Copyright 2011-2019 Twitter, Inc.
+ * Licensed under MIT (https://github.com/twbs/bootstrap/blob/master/LICENSE)
+ */
+@font-face {
+  font-family: "Glyphicons Halflings";
+  src: url('/blazer/glyphicons-halflings-regular.eot');
+  src: url('/blazer/glyphicons-halflings-regular.eot?#iefix') format('embedded-opentype'), url('/blazer/glyphicons-halflings-regular.woff2') format('woff2'), url('/blazer/glyphicons-halflings-regular.woff') format('woff'), url('/blazer/glyphicons-halflings-regular.ttf') format('truetype'), url('/blazer/glyphicons-halflings-regular.svg#glyphicons_halflingsregular') format('svg');
+}

data/app/assets/stylesheets/blazer/bootstrap-sprockets.css.erb

@@ -0,0 +1,10 @@
+/*!
+ * Bootstrap v3.4.1 (https://getbootstrap.com/)
+ * Copyright 2011-2019 Twitter, Inc.
+ * Licensed under MIT (https://github.com/twbs/bootstrap/blob/master/LICENSE)
+ */
+@font-face {
+  font-family: "Glyphicons Halflings";
+  src: url('<%= font_path("blazer/glyphicons-halflings-regular.eot") %>');
+  src: url('<%= font_path("blazer/glyphicons-halflings-regular.eot?#iefix") %>') format('embedded-opentype'), url('<%= font_path("blazer/glyphicons-halflings-regular.woff2") %>') format('woff2'), url('<%= font_path("blazer/glyphicons-halflings-regular.woff") %>') format('woff'), url('<%= font_path("blazer/glyphicons-halflings-regular.ttf") %>') format('truetype'), url('<%= font_path("blazer/glyphicons-halflings-regular.svg#glyphicons_halflingsregular") %>') format('svg');
+}

data/app/assets/stylesheets/blazer/{bootstrap.css.erb → bootstrap.css}

@@ -263,11 +263,6 @@ th {
     border: 1px solid #ddd !important;
   }
 }
-@font-face {
-  font-family: "Glyphicons Halflings";
-  src: url('<%= font_path("blazer/glyphicons-halflings-regular.eot") %>');
-  src: url('<%= font_path("blazer/glyphicons-halflings-regular.eot?#iefix") %>') format('embedded-opentype'), url('<%= font_path("blazer/glyphicons-halflings-regular.woff2") %>') format('woff2'), url('<%= font_path("blazer/glyphicons-halflings-regular.woff") %>') format('woff'), url('<%= font_path("blazer/glyphicons-halflings-regular.ttf") %>') format('truetype'), url('<%= font_path("blazer/glyphicons-halflings-regular.svg#glyphicons_halflingsregular") %>') format('svg');
-}
 .glyphicon {
   position: relative;
   top: 1px;
@@ -6831,4 +6826,3 @@ button.close {
     display: none !important;
   }
 }
-/*# sourceMappingURL=bootstrap.css.map */

data/app/controllers/blazer/base_controller.rb

@@ -32,45 +32,34 @@ module Blazer
 
     private
 
-      def process_vars(statement, data_source)
-        (@bind_vars ||= []).concat(Blazer.extract_vars(statement)).uniq!
+      def process_vars(statement, var_params = nil)
+        var_params ||= request.query_parameters
+        (@bind_vars ||= []).concat(statement.variables).uniq!
+        # update in-place so populated in view and consistent across queries on dashboard
         @bind_vars.each do |var|
-          params[var] ||= Blazer.data_sources[data_source].variable_defaults[var]
-        end
-        @success = @bind_vars.all? { |v| params[v] }
-
-        if @success
-          @bind_vars.each do |var|
-            value = params[var].presence
-            if value
-              if ["start_time", "end_time"].include?(var)
-                value = value.to_s.gsub(" ", "+") # fix for Quip bug
-              end
-
-              if var.end_with?("_at")
-                begin
-                  value = Blazer.time_zone.parse(value)
-                rescue
-                  # do nothing
-                end
-              end
-
-              if value =~ /\A\d+\z/
-                value = value.to_i
-              elsif value =~ /\A\d+\.\d+\z/
-                value = value.to_f
-              end
-            end
-            value = Blazer.transform_variable.call(var, value) if Blazer.transform_variable
-            statement.gsub!("{#{var}}", ActiveRecord::Base.connection.quote(value))
+          if !var_params[var]
+            default = statement.data_source.variable_defaults[var]
+            # only add if default exists
+            var_params[var] = default if default
           end
         end
+        runnable = @bind_vars.all? { |v| var_params[v] }
+        statement.add_values(var_params) if runnable
+        runnable
+      end
+
+      def refresh_query(query)
+        statement = query.statement_object
+        runnable = process_vars(statement)
+        cohort_analysis_statement(statement) if statement.cohort_analysis?
+        statement.clear_cache if runnable
       end
 
       def add_cohort_analysis_vars
         @bind_vars << "cohort_period" unless @bind_vars.include?("cohort_period")
-        @smart_vars["cohort_period"] = ["day", "week", "month"]
-        params[:cohort_period] ||= "week"
+        @smart_vars["cohort_period"] = ["day", "week", "month"] if @smart_vars
+        # TODO create var_params method
+        request.query_parameters["cohort_period"] ||= "week"
       end
 
       def parse_smart_variables(var, data_source)
@@ -94,22 +83,33 @@ module Blazer
         [smart_var, error]
       end
 
-      # don't pass to url helpers
-      #
-      # some are dangerous when passed as symbols
-      # root_url({host: "evilsite.com"})
-      #
-      # certain ones (like host) only affect *_url and not *_path
-      #
-      # when permitted parameters are passed in Rails 6,
-      # they appear to be added as GET parameters
-      # root_url(params.permit(:host))
+      def cohort_analysis_statement(statement)
+        @cohort_period = params["cohort_period"] || "week"
+        @cohort_period = "week" unless ["day", "week", "month"].include?(@cohort_period)
+
+        # for now
+        @conversion_period = @cohort_period
+        @cohort_days =
+          case @cohort_period
+          when "day"
+            1
+          when "week"
+            7
+          when "month"
+            30
+          end
+
+        statement.apply_cohort_analysis(period: @cohort_period, days: @cohort_days)
+      end
+
+      # TODO allow all keys
+      # or show error message for disallowed keys
       UNPERMITTED_KEYS = [:controller, :action, :id, :host, :query, :dashboard, :query_id, :query_ids, :table_names, :authenticity_token, :utf8, :_method, :commit, :statement, :data_source, :name, :fork_query_id, :blazer, :run_id, :script_name, :original_script_name]
 
-      # remove unpermitted keys from both params and permitted keys for better sleep
-      def variable_params(resource)
+      def variable_params(resource, var_params = nil)
         permitted_keys = resource.variables - UNPERMITTED_KEYS.map(&:to_s)
-        params.except(*UNPERMITTED_KEYS).slice(*permitted_keys).permit!
+        var_params ||= request.query_parameters
+        var_params.slice(*permitted_keys)
       end
       helper_method :variable_params
 

data/app/controllers/blazer/dashboards_controller.rb

@@ -21,11 +21,8 @@ module Blazer
 
     def show
       @queries = @dashboard.dashboard_queries.order(:position).preload(:query).map(&:query)
-      @statements = []
       @queries.each do |query|
-        statement = query.statement.dup
-        process_vars(statement, query.data_source)
-        @statements << statement
+        @success = process_vars(query.statement_object)
       end
       @bind_vars ||= []
 
@@ -48,7 +45,7 @@ module Blazer
 
     def update
       if update_dashboard(@dashboard)
-        redirect_to dashboard_path(@dashboard, variable_params(@dashboard))
+        redirect_to dashboard_path(@dashboard, params: variable_params(@dashboard))
       else
         render_errors @dashboard
       end
@@ -61,13 +58,9 @@ module Blazer
 
     def refresh
       @dashboard.queries.each do |query|
-        data_source = Blazer.data_sources[query.data_source]
-        statement = query.statement.dup
-        process_vars(statement, query.data_source)
-        Blazer.transform_statement.call(data_source, statement) if Blazer.transform_statement
-        data_source.clear_cache(statement)
+        refresh_query(query)
       end
-      redirect_to dashboard_path(@dashboard, variable_params(@dashboard))
+      redirect_to dashboard_path(@dashboard, params: variable_params(@dashboard))
     end
 
     private