pg_reports 0.5.1 → 0.5.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 05027e6e3278a707d98301a3d4a44dbce9930d26e963359d1afb01b57626df0c
-  data.tar.gz: 0c03b76ef459a04fa4ea732e062fd73020d814c5f11bcc6e3f0a771d17e66976
+  metadata.gz: 0e9a2129fba68b259fc72598215a7cc02ff8785c93a786603505d9b9987d5df1
+  data.tar.gz: 7910113c5cc18115f59463067ab201f1942ec8b968570557af8aefda645098c7
 SHA512:
-  metadata.gz: a5e8a8eae451b10265dcbd3a9839f21d7c647d0876e7a41b7ac8e2a2219b87bbfbd45ec621f6ac552aba1c1cb8284005a114ca8758c3bd61e9cf3440ca6838d6
-  data.tar.gz: cf37e2c3458b8f24ca6bc548f7d58dea29af6547c14bf1c6db1468962fa1ec6e2095a9df8923045e5b8e86c6cf8c00e054e90e21cd803c7137d10db96e3f12de
+  metadata.gz: 7e5573dd2cca17cc74cdfe104e6eb09249069d59d50b033effd15e9c46bcb63040da50d998d91c8a2c7e31b8dc4fd3f86c2692f5b60d83050db766942d9a5d46
+  data.tar.gz: 025a5a37c86817e22265aff1227e332a1f5dd09cf0954a48321fe1ca5dc8c8f402cd13671c4b7b4c1b69e7ec739ef7f8ca47280b11894718d1bcaa946d7983b7

data/CHANGELOG.md

@@ -7,6 +7,34 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [0.5.3] - 2026-02-11
+
+### Fixed
+
+- **Live Query Monitor** - fixed filtering that was too aggressive:
+  - Removed `dashboard_controller.rb` from query filtering to allow monitoring user application queries
+  - Now correctly shows queries from user's application even when dashboard page is active
+  - Only internal pg_reports module queries are filtered (as intended)
+
+### Added
+
+- **IDE Integration for Live Query Monitor**:
+  - Clickable source file links in query monitor now open files in IDE
+  - Support for multiple IDEs: VS Code, RubyMine, IntelliJ IDEA, Cursor (with WSL variants)
+  - Smart IDE selection: shows menu or opens directly if favorite IDE is set
+  - IDE settings button (⚙️) in dashboard header for choosing default IDE
+  - Settings persist in localStorage across all dashboard pages
+
+## [0.5.2] - 2026-02-09
+
+### Fixed
+
+- **pg_stat_statements detection no longer requires `pg_read_all_settings` role**:
+  - Changed `pg_stat_statements_preloaded?` to query pg_stat_statements directly instead of checking `shared_preload_libraries`
+  - Fixes permission denied errors in environments like CloudnativePG where regular users lack access to `shared_preload_libraries` setting
+  - Works seamlessly with Kubernetes PostgreSQL operators and managed databases with restricted permissions
+  - Improved error messages in `enable_pg_stat_statements!` method
+
 ## [0.5.1] - 2026-02-09
 
 ### Added
@@ -15,23 +43,46 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
   - New config option `allow_raw_query_execution` (default: `false`)
   - Environment variable support: `PG_REPORTS_ALLOW_RAW_QUERY_EXECUTION`
   - Security documentation in README with examples and best practices
-  - Frontend UI: disabled buttons with tooltips when feature is off
-  - JavaScript validation in `executeQuery()` and `executeExplainAnalyze()` functions
   - Configuration tests for new security setting
+- **Hash-based Query Execution System** - prevents SQL injection and query tampering:
+  - Backend generates SHA256 hash for each query and stores in Rails.cache (1-hour TTL)
+  - Frontend sends only hash (not query text) to execution endpoints
+  - Backend retrieves and validates original query by hash
+  - Strict validation: only SELECT queries, no dangerous keywords, no multiple statements
+  - Cache failure handling with clear error messages
+  - Protection against nested SQL injection attempts
+- **Enhanced Error Handling** - improved user feedback:
+  - Active warning messages instead of disabled buttons when feature is off
+  - Toast notifications with configuration instructions
+  - Detailed error messages in modal with code examples
+  - Clear messaging when Redis/cache backend is unavailable
 
 ### Changed
 
 - **BREAKING CHANGE**: `execute_query` and `explain_analyze` endpoints now require explicit opt-in
   - Both endpoints return 403 Forbidden when `allow_raw_query_execution` is `false` (default)
-  - Dashboard "Execute Query" and "EXPLAIN ANALYZE" buttons disabled by default
   - To restore previous behavior, add to initializer: `config.allow_raw_query_execution = true`
   - **Migration path**: Users must explicitly enable this feature if they were using Query Analyzer
+- **UI/UX Improvements**:
+  - Query Analyzer modal size increased: width 600px→900px, height 80vh→90vh for better query visibility
+  - "EXPLAIN ANALYZE", "Execute Query", and "Create Migration" buttons now show active warnings when clicked (instead of being disabled)
+  - Warning messages include configuration instructions with code examples
+  - Better visual feedback for disabled features
+- **Query Execution Flow**:
+  - `execute_query` and `explain_analyze` endpoints now accept `query_hash` parameter (instead of `query`)
+  - New helper methods: `store_query_with_hash()` and `retrieve_query_by_hash()`
+  - Frontend stores `data-query-hash` attribute on EXPLAIN ANALYZE buttons
+  - JavaScript validation happens client-side before API calls
 
 ### Security
 
-- Raw SQL execution from dashboard is now **disabled by default** to prevent unauthorized data access
+- **Critical Security Enhancement**: Raw SQL execution from dashboard is now **disabled by default** to prevent unauthorized data access
+- **Query Tampering Prevention**: Frontend cannot modify queries - hash-based verification ensures query integrity
+- **SQL Injection Protection**: Strict validation on backend prevents any non-SELECT queries or dangerous keywords
+- **Multiple Statement Prevention**: Semicolon detection blocks SQL injection attempts with multiple statements
+- **Cache Dependency**: Query execution temporarily disabled if Redis/cache backend is unavailable (fail-secure)
 - Recommended setup: only enable in development/staging environments
-- Existing safety measures (SELECT/SHOW only, automatic LIMIT) still apply when enabled
+- Existing safety measures (automatic LIMIT) still apply when enabled
 
 ## [0.5.0] - 2026-02-07
 

data/README.md

@@ -1,6 +1,6 @@
 # PgReports
 
-[![Gem Version](https://badge.fury.io/rb/pg_reports.svg)](https://badge.fury.io/rb/pg_reports)
+[![Gem Version](https://img.shields.io/gem/v/pg_reports.svg)](https://rubygems.org/gems/pg_reports)
 [![Ruby](https://img.shields.io/badge/Ruby-2.7%2B-red.svg)](https://www.ruby-lang.org/)
 [![Rails](https://img.shields.io/badge/Rails-5.0%2B-red.svg)](https://rubyonrails.org/)
 [![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)
@@ -277,6 +277,8 @@ For query analysis, you need to enable `pg_stat_statements`:
    PgReports.enable_pg_stat_statements!
    ```
 
+> **Note**: PgReports does **not** require the `pg_read_all_settings` role. It detects `pg_stat_statements` availability by directly querying the extension, making it compatible with CloudnativePG, managed databases, and other environments with restricted permissions.
+
 ## Report Object
 
 Every method returns a `PgReports::Report` object:

data/app/views/layouts/pg_reports/application.html.erb

@@ -776,6 +776,53 @@
       text-decoration: underline;
     }
 
+    /* IDE Dropdown for query source links */
+    .ide-dropdown-overlay {
+      position: fixed;
+      inset: 0;
+      z-index: 999;
+      display: none;
+    }
+
+    .ide-dropdown-overlay.show {
+      display: block;
+    }
+
+    .ide-menu {
+      position: fixed;
+      background: var(--bg-card);
+      border: 1px solid var(--border-color);
+      border-radius: 6px;
+      box-shadow: 0 8px 32px rgba(0, 0, 0, 0.3);
+      z-index: 1000;
+      min-width: 160px;
+      overflow: hidden;
+      display: none;
+    }
+
+    .ide-menu.show {
+      display: block;
+    }
+
+    .ide-menu a {
+      display: block;
+      padding: 0.6rem 0.875rem;
+      color: var(--text-secondary);
+      text-decoration: none;
+      font-size: 0.75rem;
+      transition: all 0.15s ease;
+      border-bottom: 1px solid var(--border-color);
+    }
+
+    .ide-menu a:last-child {
+      border-bottom: none;
+    }
+
+    .ide-menu a:hover {
+      background: var(--bg-tertiary);
+      color: var(--text-primary);
+    }
+
     /* Download Dropdown */
     .download-dropdown {
       position: relative;
@@ -831,6 +878,58 @@
       opacity: 0.9;
       transform: translateY(-1px);
     }
+
+    /* IDE Settings Modal */
+    .settings-label {
+      color: var(--text-secondary);
+      margin-bottom: 1rem;
+      font-size: 0.9rem;
+    }
+
+    .ide-options {
+      display: flex;
+      flex-direction: column;
+      gap: 0.5rem;
+    }
+
+    .ide-option {
+      display: flex;
+      align-items: center;
+      gap: 0.75rem;
+      padding: 0.75rem 1rem;
+      background: var(--bg-tertiary);
+      border: 1px solid var(--border-color);
+      border-radius: 8px;
+      cursor: pointer;
+      transition: all 0.15s;
+    }
+
+    .ide-option:hover {
+      background: var(--bg-secondary);
+      border-color: var(--accent-purple);
+    }
+
+    .ide-option:has(input:checked) {
+      background: rgba(157, 140, 214, 0.15);
+      border-color: var(--accent-purple);
+    }
+
+    .ide-option input[type="radio"] {
+      accent-color: var(--accent-purple);
+    }
+
+    .ide-option span {
+      color: var(--text-secondary);
+      font-size: 0.875rem;
+    }
+
+    .ide-option:has(input:checked) span {
+      color: var(--text-primary);
+    }
+
+    .modal-small {
+      max-width: 360px;
+    }
   </style>
 </head>
 <body>
@@ -840,6 +939,10 @@
 
   <div id="toast" class="toast"></div>
 
+  <!-- IDE Dropdown overlay and menu -->
+  <div id="ide-dropdown-overlay" class="ide-dropdown-overlay" onclick="closeIdeMenu()"></div>
+  <div id="ide-menu" class="ide-menu"></div>
+
   <script>
     const pgReportsRoot = document.querySelector('meta[name="pg-reports-root"]')?.content || '/pg_reports';
 

data/app/views/pg_reports/dashboard/index.html.erb

@@ -20,6 +20,7 @@
       </button>
       <button class="btn-info" onclick="showPgStatInfo()">?</button>
     <% end %>
+    <button class="btn-info" onclick="showIdeSettingsModal()" title="IDE Settings">⚙️</button>
     <div class="header-badge" id="pg-stat-badge">
       <% if @pg_stat_status[:ready] %>
         <span class="badge-dot"></span>
@@ -85,6 +86,49 @@ pg_stat_statements.track = all</pre>
   </div>
 </div>
 
+<!-- IDE Settings Modal -->
+<div id="ide-settings-modal" class="modal" style="display: none;">
+  <div class="modal-content modal-small">
+    <div class="modal-header">
+      <h3>⚙️ IDE Settings</h3>
+      <button class="modal-close" onclick="closeIdeSettingsModal()">&times;</button>
+    </div>
+    <div class="modal-body">
+      <p class="settings-label">Default IDE for source links:</p>
+      <div class="ide-options">
+        <label class="ide-option">
+          <input type="radio" name="default-ide" value="" onchange="setDefaultIde('')">
+          <span>Show menu (default)</span>
+        </label>
+        <label class="ide-option">
+          <input type="radio" name="default-ide" value="vscode-wsl" onchange="setDefaultIde('vscode-wsl')">
+          <span>VS Code (WSL)</span>
+        </label>
+        <label class="ide-option">
+          <input type="radio" name="default-ide" value="vscode" onchange="setDefaultIde('vscode')">
+          <span>VS Code</span>
+        </label>
+        <label class="ide-option">
+          <input type="radio" name="default-ide" value="rubymine" onchange="setDefaultIde('rubymine')">
+          <span>RubyMine</span>
+        </label>
+        <label class="ide-option">
+          <input type="radio" name="default-ide" value="intellij" onchange="setDefaultIde('intellij')">
+          <span>IntelliJ IDEA</span>
+        </label>
+        <label class="ide-option">
+          <input type="radio" name="default-ide" value="cursor-wsl" onchange="setDefaultIde('cursor-wsl')">
+          <span>Cursor (WSL)</span>
+        </label>
+        <label class="ide-option">
+          <input type="radio" name="default-ide" value="cursor" onchange="setDefaultIde('cursor')">
+          <span>Cursor</span>
+        </label>
+      </div>
+    </div>
+  </div>
+</div>
+
 <!-- Live Monitoring Panel -->
 <div id="live-monitoring" class="live-monitoring-panel" style="display: none;">
   <div class="live-monitoring-header">
@@ -1131,6 +1175,159 @@ pg_stat_statements.track = all</pre>
   document.addEventListener('DOMContentLoaded', initLiveMonitoring);
   window.addEventListener('beforeunload', stopPolling);
 
+  // ============================================
+  // IDE Integration
+  // ============================================
+
+  const railsRootPath = '<%= Rails.root.to_s %>';
+  const wslDistro = 'Ubuntu';
+
+  const ideKeyMap = {
+    'vscode-wsl': 0,
+    'vscode': 1,
+    'rubymine': 2,
+    'intellij': 3,
+    'cursor-wsl': 4,
+    'cursor': 5
+  };
+
+  function getDefaultIde() {
+    return localStorage.getItem('pgReportsDefaultIde') || '';
+  }
+
+  function generateIdeUrls(filePath, lineNumber) {
+    if (!filePath) return [];
+
+    // Convert relative paths to absolute paths using Rails.root
+    let absolutePath = filePath;
+    if (!filePath.startsWith('/')) {
+      absolutePath = `${railsRootPath}/${filePath}`;
+    }
+
+    const line = lineNumber || 1;
+    const urls = [];
+
+    // VSCode (WSL Remote format)
+    urls.push({
+      name: 'VS Code (WSL)',
+      url: `vscode://vscode-remote/wsl+${wslDistro}${absolutePath}:${line}`
+    });
+
+    // VSCode (direct path)
+    urls.push({
+      name: 'VS Code',
+      url: `vscode://file${absolutePath}:${line}`
+    });
+
+    // RubyMine
+    urls.push({
+      name: 'RubyMine',
+      url: `rubymine://open?file=${absolutePath}&line=${line}`
+    });
+
+    // IntelliJ
+    urls.push({
+      name: 'IntelliJ',
+      url: `idea://open?file=${absolutePath}&line=${line}`
+    });
+
+    // Cursor (WSL Remote format)
+    urls.push({
+      name: 'Cursor (WSL)',
+      url: `cursor://vscode-remote/wsl+${wslDistro}${absolutePath}:${line}`
+    });
+
+    // Cursor (direct path)
+    urls.push({
+      name: 'Cursor',
+      url: `cursor://file${absolutePath}:${line}`
+    });
+
+    return urls;
+  }
+
+  function openInIDE(filePath, lineNumber, event) {
+    if (event) {
+      event.preventDefault();
+      event.stopPropagation();
+    }
+
+    const ideUrls = generateIdeUrls(filePath, lineNumber);
+    if (ideUrls.length === 0) return;
+
+    const defaultIde = getDefaultIde();
+
+    // If default IDE is set, open directly
+    if (defaultIde && ideKeyMap[defaultIde] !== undefined) {
+      const ideUrl = ideUrls[ideKeyMap[defaultIde]];
+      if (ideUrl) {
+        window.location.href = ideUrl.url;
+        return;
+      }
+    }
+
+    // No default IDE - show dropdown menu
+    const menu = document.getElementById('ide-menu');
+    const overlay = document.getElementById('ide-dropdown-overlay');
+
+    let menuHtml = '';
+    ideUrls.forEach(ide => {
+      menuHtml += `<a href="${ide.url}" onclick="closeIdeMenu()">${ide.name}</a>`;
+    });
+    menu.innerHTML = menuHtml;
+
+    // Position menu near the clicked element
+    if (event && event.target) {
+      const rect = event.target.getBoundingClientRect();
+      menu.style.top = (rect.bottom + 4) + 'px';
+      menu.style.left = rect.left + 'px';
+    }
+
+    // Show menu and overlay
+    menu.classList.add('show');
+    overlay.classList.add('show');
+  }
+
+  function closeIdeMenu() {
+    document.getElementById('ide-menu')?.classList.remove('show');
+    document.getElementById('ide-dropdown-overlay')?.classList.remove('show');
+  }
+
+  function showIdeSettingsModal() {
+    const modal = document.getElementById('ide-settings-modal');
+    modal.style.display = 'flex';
+    loadIdeSettingsState();
+  }
+
+  function closeIdeSettingsModal() {
+    document.getElementById('ide-settings-modal').style.display = 'none';
+  }
+
+  function setDefaultIde(ideKey) {
+    if (ideKey) {
+      localStorage.setItem('pgReportsDefaultIde', ideKey);
+    } else {
+      localStorage.removeItem('pgReportsDefaultIde');
+    }
+  }
+
+  function loadIdeSettingsState() {
+    const currentIde = getDefaultIde();
+    const radios = document.querySelectorAll('input[name="default-ide"]');
+    radios.forEach(radio => {
+      radio.checked = (radio.value === currentIde);
+    });
+  }
+
+  // Close IDE settings modal on backdrop click
+  document.addEventListener('DOMContentLoaded', function() {
+    document.getElementById('ide-settings-modal')?.addEventListener('click', function(e) {
+      if (e.target === this) {
+        closeIdeSettingsModal();
+      }
+    });
+  });
+
   // ============================================
   // Query Monitoring
   // ============================================
@@ -1405,7 +1602,7 @@ pg_stat_statements.track = all</pre>
     if (query.source_location && query.source_location.file) {
       const file = query.source_location.file;
       const line = query.source_location.line;
-      sourceInfo = `<a href="#" onclick="openInIDE('${escapeHtml(file)}', ${line}); return false;">
+      sourceInfo = `<a href="#" onclick="openInIDE('${escapeHtml(file)}', ${line}, event); return false;">
          ${escapeHtml(file)}:${line}
        </a>`;
     }

data/lib/pg_reports/modules/system.rb

@@ -25,14 +25,19 @@ module PgReports
         result.first&.fetch("available", false) || false
       end
 
-      # Check if pg_stat_statements is in shared_preload_libraries
+      # Check if pg_stat_statements is preloaded and functional
       # @return [Boolean] Whether pg_stat_statements is preloaded
+      # @note This method tries to query pg_stat_statements directly instead of
+      #       checking shared_preload_libraries, which requires pg_read_all_settings role
       def pg_stat_statements_preloaded?
-        result = executor.execute(<<~SQL)
-          SELECT setting FROM pg_settings WHERE name = 'shared_preload_libraries'
-        SQL
-        setting = result.first&.fetch("setting", "") || ""
-        setting.include?("pg_stat_statements")
+        # If extension is not installed, it can't be preloaded
+        return false unless pg_stat_statements_available?
+
+        # Try to query pg_stat_statements - if it works, it's properly preloaded
+        executor.execute("SELECT 1 FROM pg_stat_statements LIMIT 1")
+        true
+      rescue
+        false
       end
 
       # Get pg_stat_statements status details
@@ -94,14 +99,20 @@ module PgReports
           executor.execute("CREATE EXTENSION IF NOT EXISTS pg_stat_statements")
 
           # Verify it worked
-          if pg_stat_statements_available?
+          if pg_stat_statements_available? && pg_stat_statements_preloaded?
             {success: true, message: "pg_stat_statements extension created successfully"}
-          else
+          elsif pg_stat_statements_available?
             {
               success: false,
-              message: "Extension created but not working. Check shared_preload_libraries in postgresql.conf",
+              message: "Extension created but not preloaded. Add 'pg_stat_statements' to shared_preload_libraries in postgresql.conf and restart PostgreSQL.",
               requires_restart: true
             }
+          else
+            {
+              success: false,
+              message: "Failed to create extension. Check database permissions.",
+              requires_restart: false
+            }
           end
         rescue => e
           error_message = e.message

data/lib/pg_reports/query_monitor.rb

@@ -200,10 +200,10 @@ module PgReports
         # Filter queries from pg_reports internal modules only:
         # - Installed gem: /gems/pg_reports-X.Y.Z/lib/
         # - Local gem: /pg_reports/lib/pg_reports/modules/
-        # - Dashboard controller: /pg_reports/app/controllers/pg_reports/
+        # Note: We intentionally DO NOT filter dashboard_controller.rb
+        # to allow monitoring of user application queries made during dashboard page loads
         path.match?(%r{/gems/pg_reports[-\d.]+/lib/}) ||
-          path.match?(%r{/pg_reports/lib/pg_reports/modules/}) ||
-          path.match?(%r{/pg_reports/app/controllers/pg_reports/dashboard_controller\.rb})
+          path.match?(%r{/pg_reports/lib/pg_reports/modules/})
       end
     end
 

data/lib/pg_reports/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module PgReports
-  VERSION = "0.5.1"
+  VERSION = "0.5.3"
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: pg_reports
 version: !ruby/object:Gem::Version
-  version: 0.5.1
+  version: 0.5.3
 platform: ruby
 authors:
 - Eldar Avatov