@budibase/backend-core 3.2.4 → 3.2.6

package/src/redis/tests/redlockImpl.spec.ts

@@ -1,105 +0,0 @@
-import { LockName, LockType, LockOptions } from "@budibase/types"
-import { AUTO_EXTEND_POLLING_MS, doWithLock } from "../redlockImpl"
-import { DBTestConfiguration, generator } from "../../../tests"
-
-describe("redlockImpl", () => {
-  beforeEach(() => {
-    jest.useFakeTimers()
-  })
-
-  describe("doWithLock", () => {
-    const config = new DBTestConfiguration()
-    const lockTtl = AUTO_EXTEND_POLLING_MS
-
-    function runLockWithExecutionTime({
-      opts,
-      task,
-      executionTimeMs,
-    }: {
-      opts: LockOptions
-      task: () => Promise<string>
-      executionTimeMs: number
-    }) {
-      return config.doInTenant(() =>
-        doWithLock(opts, async () => {
-          // Run in multiple intervals until hitting the expected time
-          const interval = lockTtl / 10
-          for (let i = executionTimeMs; i > 0; i -= interval) {
-            await jest.advanceTimersByTimeAsync(interval)
-          }
-          return task()
-        })
-      )
-    }
-
-    it.each(Object.values(LockType))(
-      "should return the task value and release the lock",
-      async (lockType: LockType) => {
-        const expectedResult = generator.guid()
-        const mockTask = jest.fn().mockResolvedValue(expectedResult)
-
-        const opts: LockOptions = {
-          name: LockName.PERSIST_WRITETHROUGH,
-          type: lockType,
-          ttl: lockTtl,
-        }
-
-        const result = await runLockWithExecutionTime({
-          opts,
-          task: mockTask,
-          executionTimeMs: 0,
-        })
-
-        expect(result.executed).toBe(true)
-        expect(result.executed && result.result).toBe(expectedResult)
-        expect(mockTask).toHaveBeenCalledTimes(1)
-      }
-    )
-
-    it("should extend when type is autoextend", async () => {
-      const expectedResult = generator.guid()
-      const mockTask = jest.fn().mockResolvedValue(expectedResult)
-      const mockOnExtend = jest.fn()
-
-      const opts: LockOptions = {
-        name: LockName.PERSIST_WRITETHROUGH,
-        type: LockType.AUTO_EXTEND,
-        onExtend: mockOnExtend,
-      }
-
-      const result = await runLockWithExecutionTime({
-        opts,
-        task: mockTask,
-        executionTimeMs: lockTtl * 2.5,
-      })
-
-      expect(result.executed).toBe(true)
-      expect(result.executed && result.result).toBe(expectedResult)
-      expect(mockTask).toHaveBeenCalledTimes(1)
-      expect(mockOnExtend).toHaveBeenCalledTimes(5)
-    })
-
-    it.each(Object.values(LockType).filter(t => t !== LockType.AUTO_EXTEND))(
-      "should timeout when type is %s",
-      async (lockType: LockType) => {
-        const mockTask = jest.fn().mockResolvedValue("mockResult")
-
-        const opts: LockOptions = {
-          name: LockName.PERSIST_WRITETHROUGH,
-          type: lockType,
-          ttl: lockTtl,
-        }
-
-        await expect(
-          runLockWithExecutionTime({
-            opts,
-            task: mockTask,
-            executionTimeMs: lockTtl * 2,
-          })
-        ).rejects.toThrow(
-          `Unable to fully release the lock on resource "lock:${config.tenantId}_persist_writethrough".`
-        )
-      }
-    )
-  })
-})

package/src/redis/utils.ts

@@ -1,128 +0,0 @@
-import env from "../environment"
-import * as Redis from "ioredis"
-
-const SLOT_REFRESH_MS = 2000
-const CONNECT_TIMEOUT_MS = 10000
-export const SEPARATOR = "-"
-
-/**
- * These Redis databases help us to segment up a Redis keyspace by prepending the
- * specified database name onto the cache key. This means that a single real Redis database
- * can be split up a bit; allowing us to use scans on small databases to find some particular
- * keys within.
- * If writing a very large volume of keys is expected (say 10K+) then it is better to keep these out
- * of the default keyspace and use a separate one - the SelectableDatabase can be used for this.
- */
-export enum Databases {
-  PW_RESETS = "pwReset",
-  VERIFICATIONS = "verification",
-  INVITATIONS = "invitation",
-  DEV_LOCKS = "devLocks",
-  DEBOUNCE = "debounce",
-  SESSIONS = "session",
-  USER_CACHE = "users",
-  FLAGS = "flags",
-  APP_METADATA = "appMetadata",
-  QUERY_VARS = "queryVars",
-  LICENSES = "license",
-  GENERIC_CACHE = "data_cache",
-  WRITE_THROUGH = "writeThrough",
-  LOCKS = "locks",
-  SOCKET_IO = "socket_io",
-  BPM_EVENTS = "bpmEvents",
-  DOC_WRITE_THROUGH = "docWriteThrough",
-}
-
-/**
- * These define the numeric Redis databases that can be access with the SELECT command -
- * (https://redis.io/commands/select/). By default a Redis server/cluster will have 16 selectable
- * databases, increasing this count increases the amount of CPU/memory required to run the server.
- * Ideally new Redis keyspaces should be used sparingly, only when absolutely necessary for performance
- * to be maintained. Generally a keyspace can grow to be very large is scans are not needed or desired,
- * but if you need to walk through all values in a database periodically then a separate selectable
- * keyspace should be used.
- */
-export enum SelectableDatabase {
-  DEFAULT = 0,
-  SOCKET_IO = 1,
-  RATE_LIMITING = 2,
-  UNUSED_2 = 3,
-  UNUSED_3 = 4,
-  UNUSED_4 = 5,
-  UNUSED_5 = 6,
-  UNUSED_6 = 7,
-  UNUSED_7 = 8,
-  UNUSED_8 = 9,
-  UNUSED_9 = 10,
-  UNUSED_10 = 11,
-  UNUSED_11 = 12,
-  UNUSED_12 = 13,
-  UNUSED_13 = 14,
-  UNUSED_14 = 15,
-}
-
-export function getRedisConnectionDetails() {
-  let password = env.REDIS_PASSWORD
-  let url: string[] | string = env.REDIS_URL.split("//")
-  // get rid of the protocol
-  url = url.length > 1 ? url[1] : url[0]
-  // check for a password etc
-  url = url.split("@")
-  if (url.length > 1) {
-    // get the password
-    password = url[0].split(":")[1]
-    url = url[1]
-  } else {
-    url = url[0]
-  }
-  const [host, port] = url.split(":")
-
-  const portNumber = parseInt(port)
-  return {
-    host,
-    password,
-    // assume default port for redis if invalid found
-    port: isNaN(portNumber) ? 6379 : portNumber,
-  }
-}
-
-export function getRedisOptions() {
-  const { host, password, port } = getRedisConnectionDetails()
-  let redisOpts: Redis.RedisOptions = {
-    connectTimeout: CONNECT_TIMEOUT_MS,
-    port: port,
-    host,
-    password,
-  }
-  let opts: Redis.ClusterOptions | Redis.RedisOptions = redisOpts
-  if (env.REDIS_CLUSTERED) {
-    opts = {
-      connectTimeout: CONNECT_TIMEOUT_MS,
-      redisOptions: {
-        ...redisOpts,
-        tls: {},
-      },
-      slotsRefreshTimeout: SLOT_REFRESH_MS,
-      dnsLookup: (address: string, callback: any) => callback(null, address),
-    } as Redis.ClusterOptions
-  }
-  return opts
-}
-
-export function addDbPrefix(db: string, key: string) {
-  if (key.includes(db)) {
-    return key
-  }
-  return `${db}${SEPARATOR}${key}`
-}
-
-export function removeDbPrefix(key: string) {
-  let parts = key.split(SEPARATOR)
-  if (parts.length >= 2) {
-    parts.shift()
-    return parts.join(SEPARATOR)
-  } else {
-    // return the only part
-    return parts[0]
-  }
-}

package/src/security/auth.ts

@@ -1,24 +0,0 @@
-import env from "../environment"
-
-export const PASSWORD_MIN_LENGTH = +(env.PASSWORD_MIN_LENGTH || 12)
-export const PASSWORD_MAX_LENGTH = +(env.PASSWORD_MAX_LENGTH || 512)
-
-export function validatePassword(
-  password: string
-): { valid: true } | { valid: false; error: string } {
-  if (!password || password.length < PASSWORD_MIN_LENGTH) {
-    return {
-      valid: false,
-      error: `Password invalid. Minimum ${PASSWORD_MIN_LENGTH} characters.`,
-    }
-  }
-
-  if (password.length > PASSWORD_MAX_LENGTH) {
-    return {
-      valid: false,
-      error: `Password invalid. Maximum ${PASSWORD_MAX_LENGTH} characters.`,
-    }
-  }
-
-  return { valid: true }
-}

package/src/security/encryption.ts

@@ -1,185 +0,0 @@
-import crypto from "crypto"
-import fs from "fs"
-import zlib from "zlib"
-import env from "../environment"
-import { join } from "path"
-
-const ALGO = "aes-256-ctr"
-const SEPARATOR = "-"
-const ITERATIONS = 10000
-const STRETCH_LENGTH = 32
-
-const SALT_LENGTH = 16
-const IV_LENGTH = 16
-
-export enum SecretOption {
-  API = "api",
-  ENCRYPTION = "encryption",
-}
-
-export function getSecret(secretOption: SecretOption): string {
-  let secret, secretName
-  switch (secretOption) {
-    case SecretOption.ENCRYPTION:
-      secret = env.ENCRYPTION_KEY
-      secretName = "ENCRYPTION_KEY"
-      break
-    case SecretOption.API:
-    default:
-      secret = env.API_ENCRYPTION_KEY
-      secretName = "API_ENCRYPTION_KEY"
-      break
-  }
-  if (!secret) {
-    throw new Error(`Secret "${secretName}" has not been set in environment.`)
-  }
-  return secret
-}
-
-function stretchString(secret: string, salt: Buffer) {
-  return crypto.pbkdf2Sync(secret, salt, ITERATIONS, STRETCH_LENGTH, "sha512")
-}
-
-export function encrypt(
-  input: string,
-  secretOption: SecretOption = SecretOption.API
-) {
-  const salt = crypto.randomBytes(SALT_LENGTH)
-  const stretched = stretchString(getSecret(secretOption), salt)
-  const cipher = crypto.createCipheriv(ALGO, stretched, salt)
-  const base = cipher.update(input)
-  const final = cipher.final()
-  const encrypted = Buffer.concat([base, final]).toString("hex")
-  return `${salt.toString("hex")}${SEPARATOR}${encrypted}`
-}
-
-export function decrypt(
-  input: string,
-  secretOption: SecretOption = SecretOption.API
-) {
-  const [salt, encrypted] = input.split(SEPARATOR)
-  const saltBuffer = Buffer.from(salt, "hex")
-  const stretched = stretchString(getSecret(secretOption), saltBuffer)
-  const decipher = crypto.createDecipheriv(ALGO, stretched, saltBuffer)
-  const base = decipher.update(Buffer.from(encrypted, "hex"))
-  const final = decipher.final()
-  return Buffer.concat([base, final]).toString()
-}
-
-export async function encryptFile(
-  { dir, filename }: { dir: string; filename: string },
-  secret: string
-) {
-  const outputFileName = `${filename}.enc`
-
-  const filePath = join(dir, filename)
-  if (fs.lstatSync(filePath).isDirectory()) {
-    throw new Error("Unable to encrypt directory")
-  }
-  const inputFile = fs.createReadStream(filePath)
-  const outputFile = fs.createWriteStream(join(dir, outputFileName))
-
-  const salt = crypto.randomBytes(SALT_LENGTH)
-  const iv = crypto.randomBytes(IV_LENGTH)
-  const stretched = stretchString(secret, salt)
-  const cipher = crypto.createCipheriv(ALGO, stretched, iv)
-
-  outputFile.write(salt)
-  outputFile.write(iv)
-
-  inputFile.pipe(zlib.createGzip()).pipe(cipher).pipe(outputFile)
-
-  return new Promise<{ filename: string; dir: string }>(r => {
-    outputFile.on("finish", () => {
-      r({
-        filename: outputFileName,
-        dir,
-      })
-    })
-  })
-}
-
-async function getSaltAndIV(path: string) {
-  const fileStream = fs.createReadStream(path)
-
-  const salt = await readBytes(fileStream, SALT_LENGTH)
-  const iv = await readBytes(fileStream, IV_LENGTH)
-  fileStream.close()
-  return { salt, iv }
-}
-
-export async function decryptFile(
-  inputPath: string,
-  outputPath: string,
-  secret: string
-) {
-  if (fs.lstatSync(inputPath).isDirectory()) {
-    throw new Error("Unable to encrypt directory")
-  }
-  const { salt, iv } = await getSaltAndIV(inputPath)
-  const inputFile = fs.createReadStream(inputPath, {
-    start: SALT_LENGTH + IV_LENGTH,
-  })
-
-  const outputFile = fs.createWriteStream(outputPath)
-
-  const stretched = stretchString(secret, salt)
-  const decipher = crypto.createDecipheriv(ALGO, stretched, iv)
-
-  const unzip = zlib.createGunzip()
-
-  inputFile.pipe(decipher).pipe(unzip).pipe(outputFile)
-
-  return new Promise<void>((res, rej) => {
-    outputFile.on("finish", () => {
-      outputFile.close()
-      res()
-    })
-
-    inputFile.on("error", e => {
-      outputFile.close()
-      rej(e)
-    })
-
-    decipher.on("error", e => {
-      outputFile.close()
-      rej(e)
-    })
-
-    unzip.on("error", e => {
-      outputFile.close()
-      rej(e)
-    })
-
-    outputFile.on("error", e => {
-      outputFile.close()
-      rej(e)
-    })
-  })
-}
-
-function readBytes(stream: fs.ReadStream, length: number) {
-  return new Promise<Buffer>((resolve, reject) => {
-    let bytesRead = 0
-    const data: Buffer[] = []
-
-    stream.on("readable", () => {
-      let chunk
-
-      while ((chunk = stream.read(length - bytesRead)) !== null) {
-        data.push(chunk)
-        bytesRead += chunk.length
-      }
-
-      resolve(Buffer.concat(data))
-    })
-
-    stream.on("end", () => {
-      reject(new Error("Insufficient data in the stream."))
-    })
-
-    stream.on("error", error => {
-      reject(error)
-    })
-  })
-}

package/src/security/index.ts

@@ -1 +0,0 @@
-export * from "./auth"

package/src/security/permissions.ts

@@ -1,166 +0,0 @@
-import {
-  PermissionLevel,
-  PermissionType,
-  BuiltinPermissionID,
-} from "@budibase/types"
-import flatten from "lodash/flatten"
-import cloneDeep from "lodash/fp/cloneDeep"
-
-export { PermissionType, PermissionLevel } from "@budibase/types"
-
-export type RoleHierarchy = {
-  permissionId: string
-}[]
-
-export class Permission {
-  type: PermissionType
-  level: PermissionLevel
-
-  constructor(type: PermissionType, level: PermissionLevel) {
-    this.type = type
-    this.level = level
-  }
-}
-
-export function levelToNumber(perm: PermissionLevel) {
-  switch (perm) {
-    // not everything has execute privileges
-    case PermissionLevel.EXECUTE:
-      return 0
-    case PermissionLevel.READ:
-      return 1
-    case PermissionLevel.WRITE:
-      return 2
-    case PermissionLevel.ADMIN:
-      return 3
-    default:
-      return -1
-  }
-}
-
-/**
- * Given the specified permission level for the user return the levels they are allowed to carry out.
- * @param userPermLevel The permission level of the user.
- * @return All the permission levels this user is allowed to carry out.
- */
-export function getAllowedLevels(userPermLevel: PermissionLevel): string[] {
-  switch (userPermLevel) {
-    case PermissionLevel.EXECUTE:
-      return [PermissionLevel.EXECUTE]
-    case PermissionLevel.READ:
-      return [PermissionLevel.EXECUTE, PermissionLevel.READ]
-    case PermissionLevel.WRITE:
-    case PermissionLevel.ADMIN:
-      return [
-        PermissionLevel.EXECUTE,
-        PermissionLevel.READ,
-        PermissionLevel.WRITE,
-      ]
-    default:
-      return []
-  }
-}
-
-export const BUILTIN_PERMISSIONS: {
-  [key in keyof typeof BuiltinPermissionID]: {
-    _id: (typeof BuiltinPermissionID)[key]
-    name: string
-    permissions: Permission[]
-  }
-} = {
-  PUBLIC: {
-    _id: BuiltinPermissionID.PUBLIC,
-    name: "Public",
-    permissions: [
-      new Permission(PermissionType.WEBHOOK, PermissionLevel.EXECUTE),
-    ],
-  },
-  READ_ONLY: {
-    _id: BuiltinPermissionID.READ_ONLY,
-    name: "Read only",
-    permissions: [
-      new Permission(PermissionType.QUERY, PermissionLevel.READ),
-      new Permission(PermissionType.TABLE, PermissionLevel.READ),
-      new Permission(PermissionType.APP, PermissionLevel.READ),
-    ],
-  },
-  WRITE: {
-    _id: BuiltinPermissionID.WRITE,
-    name: "Read/Write",
-    permissions: [
-      new Permission(PermissionType.QUERY, PermissionLevel.WRITE),
-      new Permission(PermissionType.TABLE, PermissionLevel.WRITE),
-      new Permission(PermissionType.AUTOMATION, PermissionLevel.EXECUTE),
-      new Permission(PermissionType.LEGACY_VIEW, PermissionLevel.READ),
-      new Permission(PermissionType.APP, PermissionLevel.READ),
-    ],
-  },
-  POWER: {
-    _id: BuiltinPermissionID.POWER,
-    name: "Power",
-    permissions: [
-      new Permission(PermissionType.TABLE, PermissionLevel.WRITE),
-      new Permission(PermissionType.USER, PermissionLevel.READ),
-      new Permission(PermissionType.AUTOMATION, PermissionLevel.EXECUTE),
-      new Permission(PermissionType.WEBHOOK, PermissionLevel.READ),
-      new Permission(PermissionType.LEGACY_VIEW, PermissionLevel.READ),
-      new Permission(PermissionType.APP, PermissionLevel.READ),
-    ],
-  },
-  ADMIN: {
-    _id: BuiltinPermissionID.ADMIN,
-    name: "Admin",
-    permissions: [
-      new Permission(PermissionType.TABLE, PermissionLevel.ADMIN),
-      new Permission(PermissionType.USER, PermissionLevel.ADMIN),
-      new Permission(PermissionType.AUTOMATION, PermissionLevel.ADMIN),
-      new Permission(PermissionType.WEBHOOK, PermissionLevel.READ),
-      new Permission(PermissionType.QUERY, PermissionLevel.ADMIN),
-      new Permission(PermissionType.LEGACY_VIEW, PermissionLevel.READ),
-      new Permission(PermissionType.APP, PermissionLevel.READ),
-    ],
-  },
-}
-
-export function getBuiltinPermissions() {
-  return cloneDeep(BUILTIN_PERMISSIONS)
-}
-
-export function getBuiltinPermissionByID(id: string) {
-  const perms = Object.values(BUILTIN_PERMISSIONS)
-  return perms.find(perm => perm._id === id)
-}
-
-export function doesHaveBasePermission(
-  permType: PermissionType,
-  permLevel: PermissionLevel,
-  rolesHierarchy: RoleHierarchy
-) {
-  const basePermissions = [
-    ...new Set(rolesHierarchy.map(role => role.permissionId)),
-  ]
-  const builtins = Object.values(BUILTIN_PERMISSIONS)
-  let permissions = flatten(
-    builtins
-      .filter(builtin => basePermissions.indexOf(builtin._id) !== -1)
-      .map(builtin => builtin.permissions)
-  )
-  for (let permission of permissions) {
-    if (
-      permission.type === permType &&
-      getAllowedLevels(permission.level).indexOf(permLevel) !== -1
-    ) {
-      return true
-    }
-  }
-  return false
-}
-
-export function isPermissionLevelHigherThanRead(level: PermissionLevel) {
-  return levelToNumber(level) > 1
-}
-
-// utility as a lot of things need simply the builder permission
-export const BUILDER = PermissionType.BUILDER
-export const CREATOR = PermissionType.CREATOR
-export const GLOBAL_BUILDER = PermissionType.GLOBAL_BUILDER