@blamejs/core 0.14.26 → 0.15.0

package/lib/audit-tools.js

@@ -63,9 +63,11 @@ var canonicalJson = require("./canonical-json");
 var auditSign = require("./audit-sign");
 var backupCrypto = require("./backup/crypto");
 var clusterStorage = require("./cluster-storage");
+var frameworkFiles = require("./framework-files");
 var lazyRequire = require("./lazy-require");
 var validateOpts = require("./validate-opts");
 var safeJson = require("./safe-json");
+var sql = require("./sql");
 var { defineClass } = require("./framework-error");
 
 var FRAMEWORK_VERSION = (pkg && pkg.version) || "unknown";
@@ -79,6 +81,17 @@ var audit = lazyRequire(function () { return require("./audit"); });
 
 var AuditToolsError = defineClass("AuditToolsError", { alwaysPermanent: true });
 
+// b.sql opts for every framework-table statement: thread the ACTIVE backend
+// dialect (clusterStorage.dialect() — "sqlite" single-node, "postgres" |
+// "mysql" in cluster mode) so the emitted identifier quoting + dialect
+// idioms (ON CONFLICT vs ON DUPLICATE KEY) match the backend the SQL
+// dispatches to. Defaulting to "sqlite" works on Postgres only by accident
+// (both double-quote identifiers) and emits the wrong quoting on MySQL.
+// clusterStorage.execute still rewrites table names + translates `?`
+// placeholders at dispatch; this controls only the builder-side quoting +
+// idiom selection.
+function _sqlOpts() { return { dialect: clusterStorage.dialect() }; }
+
 // Dual-control gate constants for the audit_log physical purge. The
 // purge erases signed audit history, so when an operator has declared
 // audit_log under b.db.declareRequireDualControl the deletion requires
@@ -274,42 +287,48 @@ function _verifyChainSlice(rows, startPrevHash) {
 // cluster-storage reader so the tooling works in both single-node and
 // cluster deployments without the caller knowing which mode is active.
 async function _defaultReadRows(criteria) {
-  var sql = 'SELECT * FROM "audit_log"';
-  var conds = [];
-  var params = [];
-  if (criteria.fromMs != null)        { conds.push("recordedAt >= ?"); params.push(criteria.fromMs); }
-  if (criteria.toMs != null)          { conds.push("recordedAt <= ?"); params.push(criteria.toMs); }
-  if (criteria.beforeMs != null)      { conds.push("recordedAt < ?");  params.push(criteria.beforeMs); }
-  if (criteria.action)                { conds.push("action = ?");      params.push(criteria.action); }
-  if (criteria.firstCounter != null)  { conds.push("monotonicCounter >= ?"); params.push(criteria.firstCounter); }
-  if (criteria.lastCounter != null)   { conds.push("monotonicCounter <= ?"); params.push(criteria.lastCounter); }
-  if (conds.length > 0) sql += " WHERE " + conds.join(" AND ");
-  sql += " ORDER BY monotonicCounter ASC";
-  return clusterStorage.executeAll(sql, params);
+  // Compose the criteria onto a b.sql SELECT with a BARE logical table name
+  // (clusterStorage rewrites the framework name + placeholderizes); b.sql
+  // quotes the camelCase columns + binds every value.
+  var qb = sql.select("audit_log", _sqlOpts());
+  if (criteria.fromMs != null)       qb.whereOp("recordedAt", ">=", criteria.fromMs);
+  if (criteria.toMs != null)         qb.whereOp("recordedAt", "<=", criteria.toMs);
+  if (criteria.beforeMs != null)     qb.whereOp("recordedAt", "<", criteria.beforeMs);
+  if (criteria.action)               qb.where("action", criteria.action);
+  if (criteria.firstCounter != null) qb.whereOp("monotonicCounter", ">=", criteria.firstCounter);
+  if (criteria.lastCounter != null)  qb.whereOp("monotonicCounter", "<=", criteria.lastCounter);
+  qb.orderBy("monotonicCounter", "asc");
+  var built = qb.toSql();
+  return clusterStorage.executeAll(built.sql, built.params);
 }
 
 async function _defaultReadCoveringCheckpoint(lastCounter) {
-  return clusterStorage.executeOne(
-    "SELECT * FROM audit_checkpoints " +
-    "WHERE atMonotonicCounter >= ? " +
-    "ORDER BY atMonotonicCounter ASC LIMIT 1",
-    [lastCounter]
-  );
+  var built = sql.select("audit_checkpoints", _sqlOpts())
+    .whereOp("atMonotonicCounter", ">=", lastCounter)
+    .orderBy("atMonotonicCounter", "asc")
+    .limit(1)
+    .toSql();
+  return clusterStorage.executeOne(built.sql, built.params);
 }
 
 async function _defaultReadPredecessorRowHash(firstCounter) {
   if (firstCounter <= 1) return auditChain.ZERO_HASH;
-  var row = await clusterStorage.executeOne(
-    "SELECT rowHash FROM audit_log WHERE monotonicCounter = ?",
-    [firstCounter - 1]
-  );
+  var rowBuilt = sql.select("audit_log", _sqlOpts())
+    .columns(["rowHash"])
+    .where("monotonicCounter", firstCounter - 1)
+    .toSql();
+  var row = await clusterStorage.executeOne(rowBuilt.sql, rowBuilt.params);
   if (!row) {
     // First row of the slice is right after a purged range. Read the
-    // purge anchor's lastRowHash instead.
-    var anchor = await clusterStorage.executeOne(
-      "SELECT lastPurgedRowHash, lastPurgedCounter FROM _blamejs_audit_purge_anchor " +
-      "WHERE scope = 'audit'"
-    );
+    // purge anchor's lastRowHash instead. The anchor is an external-only
+    // table whose LOGICAL name IS the `_blamejs_`-prefixed name (it maps
+    // to itself in LOCAL_TO_EXTERNAL); b.sql must receive it bare so
+    // clusterStorage rewrites it. allow:hand-rolled-sql — bare logical key.
+    var anchorBuilt = sql.select("_blamejs_audit_purge_anchor", _sqlOpts())   // allow:hand-rolled-sql
+      .columns(["lastPurgedRowHash", "lastPurgedCounter"])
+      .where("scope", "audit")
+      .toSql();
+    var anchor = await clusterStorage.executeOne(anchorBuilt.sql, anchorBuilt.params);
     if (anchor && Number(anchor.lastPurgedCounter) === firstCounter - 1) {
       return anchor.lastPurgedRowHash;
     }
@@ -343,7 +362,7 @@ async function _buildBundle(args) {
     return JSON.stringify(_rowToWireForm(r));
   }).join("\n") + "\n";
   var rowsEnc = await backupCrypto.encryptWithFreshSalt(jsonl, passphrase);
-  files["rows.enc"] = rowsEnc.encrypted;
+  files[frameworkFiles.fileName("rowsEnc")] = rowsEnc.encrypted;
 
   // 2. (archive) Encrypt the checkpoint JSON
   var checkpointSalt = null;
@@ -351,7 +370,7 @@ async function _buildBundle(args) {
   if (checkpoint) {
     var ckptJson = _canonicalize(_rowToWireForm(checkpoint));
     var ckptEnc = await backupCrypto.encryptWithFreshSalt(ckptJson, passphrase);
-    files["checkpoint.enc"] = ckptEnc.encrypted;
+    files[frameworkFiles.fileName("checkpointEnc")] = ckptEnc.encrypted;
     checkpointSalt = ckptEnc.salt;
     checkpointEncrypted = ckptEnc.encrypted;
   }
@@ -401,9 +420,9 @@ async function _writeBundle(args) {
   var built  = await _buildBundle(args);
 
   atomicFile.ensureDir(outDir);
-  atomicFile.writeSync(nodePath.join(outDir, "rows.enc"), built.files["rows.enc"], { fileMode: 0o600 });
-  if (built.files["checkpoint.enc"]) {
-    atomicFile.writeSync(nodePath.join(outDir, "checkpoint.enc"), built.files["checkpoint.enc"], { fileMode: 0o600 });
+  atomicFile.writeSync(nodePath.join(outDir, frameworkFiles.fileName("rowsEnc")), built.files[frameworkFiles.fileName("rowsEnc")], { fileMode: 0o600 });
+  if (built.files[frameworkFiles.fileName("checkpointEnc")]) {
+    atomicFile.writeSync(nodePath.join(outDir, frameworkFiles.fileName("checkpointEnc")), built.files[frameworkFiles.fileName("checkpointEnc")], { fileMode: 0o600 });
   }
   var manifestPath = nodePath.join(outDir, "manifest.json");
   atomicFile.writeSync(manifestPath, built.files["manifest.json"], { fileMode: 0o600 });
@@ -432,7 +451,7 @@ async function _readBundle(inDir, passphrase) {
       "manifest.kind must be one of " + Object.keys(VALID_KINDS).join(", "));
   }
 
-  var rowsEncPath = nodePath.join(inDir, "rows.enc");
+  var rowsEncPath = nodePath.join(inDir, frameworkFiles.fileName("rowsEnc"));
   if (!nodeFs.existsSync(rowsEncPath)) {
     throw new AuditToolsError("audit-tools/no-rows-blob",
       "rows.enc missing in " + inDir);
@@ -450,7 +469,7 @@ async function _readBundle(inDir, passphrase) {
 
   var checkpoint = null;
   if (manifest.kind === KIND_ARCHIVE) {
-    var ckptPath = nodePath.join(inDir, "checkpoint.enc");
+    var ckptPath = nodePath.join(inDir, frameworkFiles.fileName("checkpointEnc"));
     if (!nodeFs.existsSync(ckptPath)) {
       throw new AuditToolsError("audit-tools/no-checkpoint-blob",
         "checkpoint.enc missing in " + inDir + " (archive bundles must include the covering checkpoint)");
@@ -945,26 +964,35 @@ async function purge(opts) {
 }
 
 async function _defaultReadPurgeAnchor() {
-  return clusterStorage.executeOne(
-    "SELECT * FROM _blamejs_audit_purge_anchor WHERE scope = 'audit'"
-  );
+  // External-only table — its logical name IS the `_blamejs_`-prefixed name
+  // (self-mapped in LOCAL_TO_EXTERNAL); b.sql receives it bare so
+  // clusterStorage rewrites it. allow:hand-rolled-sql — bare logical key.
+  var built = sql.select("_blamejs_audit_purge_anchor", _sqlOpts())   // allow:hand-rolled-sql
+    .where("scope", "audit")
+    .toSql();
+  return clusterStorage.executeOne(built.sql, built.params);
 }
 
 async function _defaultApplyPurge(args) {
   var del = await db().purgeAuditChain({ lastPurgedCounter: args.lastPurgedCounter });
-  // UPSERT the single-row anchor. SQLite + Postgres both support
-  // INSERT ... ON CONFLICT(scope) DO UPDATE.
-  await clusterStorage.execute(
-    "INSERT INTO _blamejs_audit_purge_anchor " +
-    "(scope, lastPurgedCounter, lastPurgedRowHash, archiveBundleId, purgedAt) " +
-    "VALUES ('audit', ?, ?, ?, ?) " +
-    "ON CONFLICT(scope) DO UPDATE SET " +
-    "lastPurgedCounter = excluded.lastPurgedCounter, " +
-    "lastPurgedRowHash = excluded.lastPurgedRowHash, " +
-    "archiveBundleId   = excluded.archiveBundleId, " +
-    "purgedAt          = excluded.purgedAt",
-    [args.lastPurgedCounter, args.lastPurgedRowHash, args.archiveBundleId, args.purgedAt]
-  );
+  // UPSERT the single-row anchor via b.sql ON CONFLICT(scope) DO UPDATE
+  // (SQLite + Postgres). The anchor is external-only; its logical name IS
+  // the `_blamejs_`-prefixed name (self-mapped), passed bare so
+  // clusterStorage rewrites + placeholderizes. b.sql quotes the camelCase
+  // columns + binds 'audit'. allow:hand-rolled-sql — bare logical key.
+  var built = sql.upsert("_blamejs_audit_purge_anchor", _sqlOpts())   // allow:hand-rolled-sql
+    .columns(["scope", "lastPurgedCounter", "lastPurgedRowHash", "archiveBundleId", "purgedAt"])
+    .values({
+      scope:             "audit",
+      lastPurgedCounter: args.lastPurgedCounter,
+      lastPurgedRowHash: args.lastPurgedRowHash,
+      archiveBundleId:   args.archiveBundleId,
+      purgedAt:          args.purgedAt,
+    })
+    .onConflict(["scope"])
+    .doUpdateFromExcluded(["lastPurgedCounter", "lastPurgedRowHash", "archiveBundleId", "purgedAt"])
+    .toSql();
+  await clusterStorage.execute(built.sql, built.params);
   return {
     rowsDeleted:        del.rowsDeleted,
     checkpointsDeleted: del.checkpointsDeleted,
@@ -1047,7 +1075,7 @@ async function forensicSnapshot(opts) {
     reason:            opts.reason,
     actor:             opts.actor || null,
     composedAt:        new Date().toISOString(),
-    auditSliceFile:    returnBytes ? "rows.enc" : (sliceResult && sliceResult.manifestPath),
+    auditSliceFile:    returnBytes ? frameworkFiles.fileName("rowsEnc") : (sliceResult && sliceResult.manifestPath),
     auditSliceCount:   sliceResult && sliceResult.rowCount,
     runtime: {
       nodeVersion: process.version,