pg_reports 0.4.0 → 0.5.1

data/app/controllers/pg_reports/dashboard_controller.rb

@@ -9,6 +9,7 @@ module PgReports
 
     def index
       @pg_stat_status = PgReports.pg_stat_statements_status
+      @current_database = PgReports.system.current_database
     end
 
     def enable_pg_stat_statements
@@ -25,15 +26,40 @@ module PgReports
 
     def live_metrics
       threshold = params[:long_query_threshold]&.to_i || 60
-      data = Modules::System.live_metrics(long_query_threshold: threshold)
 
-      render json: {
-        success: true,
-        metrics: data,
-        timestamp: Time.current.to_i
-      }
-    rescue => e
-      render json: {success: false, error: e.message}, status: :unprocessable_entity
+      # Check if we have access to required statistics
+      begin
+        data = Modules::System.live_metrics(long_query_threshold: threshold)
+
+        # Validate that we got actual data
+        if data[:connections][:total].nil? && data[:transactions][:total].nil?
+          render json: {
+            success: false,
+            error: "Unable to fetch database statistics. Check database permissions.",
+            available: false
+          }, status: :service_unavailable
+          return
+        end
+
+        render json: {
+          success: true,
+          metrics: data,
+          timestamp: Time.current.to_i,
+          available: true
+        }
+      rescue PG::InsufficientPrivilege => e
+        render json: {
+          success: false,
+          error: "Insufficient database permissions to access statistics views",
+          available: false
+        }, status: :forbidden
+      rescue => e
+        render json: {
+          success: false,
+          error: e.message,
+          available: false
+        }, status: :unprocessable_entity
+      end
     end
 
     def show
@@ -72,11 +98,24 @@ module PgReports
       problem_fields = Dashboard::ReportsRegistry.problem_fields(report_key)
       problem_explanations = load_problem_explanations(category, report_key)
 
+      # Add query hashes for security
+      data_with_hashes = report.data.first(100).map do |row|
+        row_hash = row.dup
+
+        # If this row contains a query column, store it with a hash
+        if row_hash.key?("query") && row_hash["query"].present?
+          query_hash = store_query_with_hash(row_hash["query"])
+          row_hash["query_hash"] = query_hash
+        end
+
+        row_hash
+      end
+
       render json: {
         success: true,
         title: report.title,
         columns: report.columns,
-        data: report.data.first(100),
+        data: data_with_hashes,
         total: report.size,
         generated_at: report.generated_at.strftime("%Y-%m-%d %H:%M:%S"),
         thresholds: thresholds,
@@ -134,18 +173,42 @@ module PgReports
     end
 
     def explain_analyze
-      query = params[:query]
+      query_hash = params[:query_hash]
       query_params = params[:params] || {}
 
-      if query.blank?
-        render json: {success: false, error: "Query is required"}, status: :unprocessable_entity
+      if query_hash.blank?
+        render json: {success: false, error: "Query hash is required"}, status: :unprocessable_entity
         return
       end
 
-      # Security: Only allow SELECT queries for EXPLAIN ANALYZE (SHOW not supported by EXPLAIN)
-      normalized = query.strip.gsub(/\s+/, " ").downcase
-      unless normalized.start_with?("select")
-        render json: {success: false, error: "Only SELECT queries are allowed for EXPLAIN ANALYZE"}, status: :unprocessable_entity
+      # Security: Check if raw query execution is allowed
+      unless PgReports.config.allow_raw_query_execution
+        render json: {
+          success: false,
+          error: "Query execution from dashboard is disabled. Enable it in configuration with 'config.allow_raw_query_execution = true'"
+        }, status: :forbidden
+        return
+      end
+
+      # Security: Retrieve and validate query by hash
+      begin
+        query = retrieve_query_by_hash(query_hash)
+
+        if query.nil?
+          render json: {success: false, error: "Query not found or expired. Please refresh the page."}, status: :not_found
+          return
+        end
+      rescue SecurityError => e
+        render json: {success: false, error: "Security violation: #{e.message}"}, status: :forbidden
+        return
+      end
+
+      # Check for trigger variables (NEW, OLD) which are only available in trigger context
+      if query.match?(/\b(NEW|OLD)\./i)
+        render json: {
+          success: false,
+          error: "Cannot EXPLAIN ANALYZE queries with trigger variables (NEW, OLD). These are only available within trigger functions."
+        }, status: :unprocessable_entity
         return
       end
 
@@ -164,39 +227,50 @@ module PgReports
       result = ActiveRecord::Base.connection.execute("EXPLAIN (ANALYZE, BUFFERS, FORMAT TEXT) #{final_query}")
       explain_output = result.map { |r| r["QUERY PLAN"] }.join("\n")
 
-      # Extract stats from the output
-      stats = {}
-      if (match = explain_output.match(/Planning Time: ([\d.]+) ms/))
-        stats[:planning_time] = match[1].to_f
-      end
-      if (match = explain_output.match(/Execution Time: ([\d.]+) ms/))
-        stats[:execution_time] = match[1].to_f
-      end
-      if (match = explain_output.match(/cost=[\d.]+\.\.([\d.]+)/))
-        stats[:total_cost] = match[1].to_f
-      end
-      if (match = explain_output.match(/rows=(\d+)/))
-        stats[:rows] = match[1].to_i
-      end
+      # Analyze the EXPLAIN output
+      analyzer = ExplainAnalyzer.new(explain_output)
+      analysis = analyzer.to_h
 
-      render json: {success: true, explain: explain_output, stats: stats}
+      render json: {
+        success: true,
+        explain: explain_output,
+        stats: analysis[:stats],
+        annotated_lines: analysis[:annotated_lines],
+        problems: analysis[:problems],
+        summary: analysis[:summary]
+      }
     rescue => e
       render json: {success: false, error: e.message}, status: :unprocessable_entity
     end
 
     def execute_query
-      query = params[:query]
+      query_hash = params[:query_hash]
       query_params = params[:params] || {}
 
-      if query.blank?
-        render json: {success: false, error: "Query is required"}, status: :unprocessable_entity
+      if query_hash.blank?
+        render json: {success: false, error: "Query hash is required"}, status: :unprocessable_entity
         return
       end
 
-      # Security: Only allow SELECT and SHOW queries
-      normalized = query.strip.gsub(/\s+/, " ").downcase
-      unless normalized.start_with?("select") || normalized.start_with?("show")
-        render json: {success: false, error: "Only SELECT and SHOW queries are allowed"}, status: :unprocessable_entity
+      # Security: Check if raw query execution is allowed
+      unless PgReports.config.allow_raw_query_execution
+        render json: {
+          success: false,
+          error: "Query execution from dashboard is disabled. Enable it in configuration with 'config.allow_raw_query_execution = true'"
+        }, status: :forbidden
+        return
+      end
+
+      # Security: Retrieve and validate query by hash
+      begin
+        query = retrieve_query_by_hash(query_hash)
+
+        if query.nil?
+          render json: {success: false, error: "Query not found or expired. Please refresh the page."}, status: :not_found
+          return
+        end
+      rescue SecurityError => e
+        render json: {success: false, error: "Security violation: #{e.message}"}, status: :forbidden
         return
       end
 
@@ -287,6 +361,123 @@ module PgReports
       render json: {success: false, error: e.message}, status: :unprocessable_entity
     end
 
+    def start_query_monitoring
+      monitor = PgReports::QueryMonitor.instance
+
+      result = monitor.start
+
+      if result[:success]
+        render json: result
+      else
+        render json: result, status: :unprocessable_entity
+      end
+    rescue => e
+      render json: {success: false, error: e.message}, status: :unprocessable_entity
+    end
+
+    def stop_query_monitoring
+      monitor = PgReports::QueryMonitor.instance
+
+      result = monitor.stop
+
+      if result[:success]
+        render json: result
+      else
+        render json: result, status: :unprocessable_entity
+      end
+    rescue => e
+      render json: {success: false, error: e.message}, status: :unprocessable_entity
+    end
+
+    def query_monitor_status
+      monitor = PgReports::QueryMonitor.instance
+      status = monitor.status
+
+      render json: {
+        success: true,
+        enabled: status[:enabled],
+        session_id: status[:session_id],
+        query_count: status[:query_count]
+      }
+    rescue => e
+      render json: {success: false, error: e.message}, status: :unprocessable_entity
+    end
+
+    def query_monitor_feed
+      monitor = PgReports::QueryMonitor.instance
+
+      unless monitor.enabled
+        render json: {success: false, message: "Monitoring not active"}
+        return
+      end
+
+      limit = params[:limit]&.to_i || 50
+      session_id = params[:session_id]
+
+      queries = monitor.queries(limit: limit, session_id: session_id)
+
+      render json: {
+        success: true,
+        queries: queries,
+        timestamp: Time.current.to_i
+      }
+    rescue => e
+      render json: {success: false, error: e.message}, status: :unprocessable_entity
+    end
+
+    def load_query_history
+      monitor = PgReports::QueryMonitor.instance
+
+      limit = params[:limit]&.to_i || 50
+      session_id = params[:session_id]
+
+      queries = monitor.load_from_log(limit: limit, session_id: session_id)
+
+      render json: {
+        success: true,
+        queries: queries,
+        timestamp: Time.current.to_i
+      }
+    rescue => e
+      render json: {success: false, error: e.message}, status: :unprocessable_entity
+    end
+
+    def download_query_monitor
+      monitor = PgReports::QueryMonitor.instance
+
+      # Allow download even when monitoring is stopped, as long as there are queries
+      queries = monitor.queries
+      if queries.empty?
+        render json: {success: false, error: "No queries to download"}, status: :unprocessable_entity
+        return
+      end
+
+      format_type = params[:format] || "txt"
+      filename = "query-monitor-#{Time.current.strftime("%Y%m%d-%H%M%S")}"
+
+      case format_type
+      when "csv"
+        csv_data = generate_query_monitor_csv(queries)
+        send_data csv_data,
+          filename: "#{filename}.csv",
+          type: "text/csv; charset=utf-8",
+          disposition: "attachment"
+      when "json"
+        send_data queries.to_json,
+          filename: "#{filename}.json",
+          type: "application/json; charset=utf-8",
+          disposition: "attachment"
+      else
+        text_data = generate_query_monitor_text(queries)
+        send_data text_data,
+          filename: "#{filename}.txt",
+          type: "text/plain; charset=utf-8",
+          disposition: "attachment"
+      end
+    rescue => e
+      render json: {success: false, error: e.message}, status: :unprocessable_entity
+    end
+
     private
 
     def authenticate_dashboard!
@@ -326,7 +517,7 @@ module PgReports
 
       # Also allow threshold overrides (calls_threshold, etc.)
       params.each do |key, value|
-        if key.to_s.end_with?('_threshold') && value.present?
+        if key.to_s.end_with?("_threshold") && value.present?
           result[key.to_sym] = value.to_i
         end
       end
@@ -356,7 +547,7 @@ module PgReports
       result = query.dup
 
       # Sort by param number descending to replace $10 before $1
-      params_hash.keys.map(&:to_i).sort.reverse.each do |num|
+      params_hash.keys.map(&:to_i).sort.reverse_each do |num|
         value = params_hash[num.to_s] || params_hash[num]
         next if value.nil? || value.to_s.empty?
 
@@ -371,17 +562,15 @@ module PgReports
     def quote_param_value(value)
       str = value.to_s
 
-      # Check if it looks like a number
-      if str.match?(/\A-?\d+(\.\d+)?\z/)
-        str
+      # Check if it looks like NULL
+      if str.downcase == "null"
+        "NULL"
       # Check if it looks like a boolean
       elsif str.downcase.in?(["true", "false"])
         str.downcase
-      # Check if it looks like NULL
-      elsif str.downcase == "null"
-        "NULL"
       else
-        # Quote as string, escape single quotes
+        # Quote as string by default - PostgreSQL will handle type casting
+        # This ensures compatibility with both text and numeric columns
         "'#{str.gsub("'", "''")}'"
       end
     end
@@ -397,5 +586,117 @@ module PgReports
         "#{query} LIMIT #{limit}"
       end
     end
+
+    # Generate a secure hash for a query and store it in cache
+    def store_query_with_hash(query)
+      require "digest"
+
+      # Generate SHA256 hash of the query
+      query_hash = Digest::SHA256.hexdigest(query)
+
+      # Store in Rails cache with 1 hour expiration
+      begin
+        Rails.cache.write("pg_reports:query:#{query_hash}", query, expires_in: 1.hour)
+      rescue => e
+        # Log cache error but don't fail - we'll catch it on retrieval
+        Rails.logger.warn("PgReports: Failed to store query hash in cache: #{e.message}") if defined?(Rails.logger)
+      end
+
+      query_hash
+    end
+
+    # Retrieve and validate a query by its hash
+    def retrieve_query_by_hash(query_hash)
+      return nil if query_hash.blank?
+
+      # Retrieve from cache with error handling
+      query = nil
+      begin
+        query = Rails.cache.read("pg_reports:query:#{query_hash}")
+      rescue => e
+        # Cache backend is unavailable
+        Rails.logger.error("PgReports: Failed to read from cache: #{e.message}") if defined?(Rails.logger)
+        raise SecurityError, "Cache system unavailable. Query execution temporarily disabled for security. Please ensure Redis/cache backend is running."
+      end
+
+      if query.blank?
+        # Query not found - either expired or was never stored
+        return nil
+      end
+
+      # Strict validation: must be a SELECT query only
+      normalized = query.strip.gsub(/\s+/, " ").downcase
+
+      # Check for semicolons (prevents multiple statements)
+      if query.include?(";")
+        raise SecurityError, "Multiple statements are not allowed (semicolons detected)"
+      end
+
+      # Must start with SELECT (case insensitive)
+      unless normalized.start_with?("select")
+        raise SecurityError, "Only SELECT queries are allowed. Found: #{normalized.split.first&.upcase || 'unknown'}"
+      end
+
+      # Check for dangerous keywords that might be in subqueries or CTEs
+      dangerous_keywords = %w[insert update delete drop alter create truncate grant revoke]
+      dangerous_keywords.each do |keyword|
+        if normalized.match?(/\b#{keyword}\b/)
+          raise SecurityError, "Dangerous keyword detected: #{keyword.upcase}"
+        end
+      end
+
+      query
+    end
+
+    def generate_query_monitor_csv(queries)
+      require "csv"
+
+      CSV.generate do |csv|
+        # Header
+        csv << ["Timestamp", "Duration (ms)", "Query Name", "SQL", "Source File", "Source Line"]
+
+        # Data rows
+        queries.each do |query|
+          csv << [
+            query[:timestamp],
+            query[:duration_ms],
+            query[:name],
+            query[:sql],
+            query.dig(:source_location, :file),
+            query.dig(:source_location, :line)
+          ]
+        end
+      end
+    end
+
+    def generate_query_monitor_text(queries)
+      output = []
+      output << "=" * 80
+      output << "Query Monitor Export"
+      output << "Generated: #{Time.current.strftime("%Y-%m-%d %H:%M:%S")}"
+      output << "Total Queries: #{queries.size}"
+      output << "=" * 80
+      output << ""
+
+      queries.each_with_index do |query, index|
+        output << "Query ##{index + 1}"
+        output << "-" * 80
+        output << "Timestamp:  #{query[:timestamp]}"
+        output << "Duration:   #{query[:duration_ms]}ms"
+        output << "Name:       #{query[:name]}"
+
+        if query[:source_location]
+          output << "Source:     #{query[:source_location][:file]}:#{query[:source_location][:line]}"
+        end
+
+        output << ""
+        output << "SQL:"
+        output << query[:sql]
+        output << ""
+        output << ""
+      end
+
+      output.join("\n")
+    end
   end
 end