@sysnee/pgs 0.1.7-rc.1 → 0.1.7-rc.3

package/haproxy-lua/pg-route.lua

@@ -1,11 +1,9 @@
--- PostgreSQL Protocol Parser for HAProxy
--- Routes connections based on username extracted from startup packet
--- Checks tenant-access.json for access control
+-- PostgreSQL Protocol Router for HAProxy
+-- Routes connections based on SNI hostname
+-- Format: tenant_id.pgs.cloud.sysnee.com
 
--- Simple JSON parser for our limited use case (flat object with string keys and boolean values)
 local function parse_json(str)
     local result = {}
-    -- Match patterns like "key": true or "key": false
     for key, value in string.gmatch(str, '"([^"]+)":%s*(%w+)') do
         if value == "true" then
             result[key] = true
@@ -16,12 +14,10 @@ local function parse_json(str)
     return result
 end
 
--- Cache for tenant access configuration
 local tenant_access_cache = {}
 local cache_timestamp = 0
-local CACHE_TTL = 5 -- seconds
+local CACHE_TTL = 5
 
--- Load tenant access configuration
 local function load_tenant_access()
     local now = core.now().sec
     if now - cache_timestamp < CACHE_TTL then
@@ -39,139 +35,47 @@ local function load_tenant_access()
     local content = file:read("*all")
     file:close()
     
-    local data = parse_json(content)
-    tenant_access_cache = data or {}
+    tenant_access_cache = parse_json(content) or {}
     cache_timestamp = now
-    
     return tenant_access_cache
 end
 
--- Parse PostgreSQL startup packet to extract username
--- PostgreSQL startup packet format:
--- [4 bytes: length] [4 bytes: protocol version] [key=value pairs\0]
-local function parse_startup_packet(data)
-    if #data < 8 then
-        return nil
-    end
-    
-    -- Read packet length (big-endian)
-    local len = (string.byte(data, 1) * 16777216) +
-                (string.byte(data, 2) * 65536) +
-                (string.byte(data, 3) * 256) +
-                string.byte(data, 4)
-    
-    if #data < len then
-        return nil
-    end
-    
-    -- Read protocol version
-    local major = (string.byte(data, 5) * 256) + string.byte(data, 6)
-    local minor = (string.byte(data, 7) * 256) + string.byte(data, 8)
-    
-    -- Check for SSL request (protocol 1234.5679)
-    if major == 1234 and minor == 5679 then
-        return { ssl_request = true }
-    end
-    
-    -- Check for cancel request (protocol 1234.5678)
-    if major == 1234 and minor == 5678 then
-        return { cancel_request = true }
-    end
-    
-    -- Normal startup message (protocol 3.0)
-    if major ~= 3 then
-        return nil
-    end
-    
-    -- Parse key-value pairs starting at byte 9
-    local params = {}
-    local pos = 9
-    
-    while pos < len do
-        -- Read key
-        local key_start = pos
-        while pos <= len and string.byte(data, pos) ~= 0 do
-            pos = pos + 1
-        end
-        
-        if pos > len then break end
-        
-        local key = string.sub(data, key_start, pos - 1)
-        pos = pos + 1 -- skip null
-        
-        if key == "" then break end -- end of parameters
-        
-        -- Read value
-        local val_start = pos
-        while pos <= len and string.byte(data, pos) ~= 0 do
-            pos = pos + 1
-        end
-        
-        local value = string.sub(data, val_start, pos - 1)
-        pos = pos + 1 -- skip null
-        
-        params[key] = value
-    end
-    
-    return params
+-- Extract tenant_id from hostname
+-- Supports: tenant_id.pgs.cloud.sysnee.com or tenant_id.any.domain.com
+local function extract_tenant_from_sni(hostname)
+    if not hostname then return nil end
+    local tenant = string.match(hostname, "^([^.]+)%.")
+    return tenant
 end
 
--- Main routing function called by HAProxy
-function pg_route(txn)
-    -- Get data from the request buffer
-    local data = txn.req:data(0)
-    
-    if not data or #data == 0 then
-        -- No data yet, need to wait
-        return
-    end
+function pg_route_by_sni(txn)
+    local sni = txn.f:ssl_fc_sni()
     
-    local params = parse_startup_packet(data)
-    
-    if not params then
-        core.Warning("Failed to parse PostgreSQL startup packet")
+    if not sni or sni == "" then
+        core.Warning("No SNI hostname provided")
         txn:set_var("txn.pg_blocked", true)
         return
     end
     
-    -- Handle SSL request - route to default pool for SSL negotiation
-    -- PostgreSQL will respond 'N' (no SSL), then client retries without SSL
-    if params.ssl_request then
-        core.Info("SSL request received, routing to SSL negotiation pool")
-        -- Route to SSL pool backend which forwards to any available PostgreSQL
-        -- This allows SSL negotiation to complete
-        txn:set_var("txn.pg_backend", "pg_ssl_pool")
-        return
-    end
-    
-    -- Handle cancel request
-    if params.cancel_request then
-        txn:set_var("txn.pg_blocked", true)
-        return
-    end
+    local tenant_id = extract_tenant_from_sni(sni)
     
-    local username = params["user"]
-    if not username then
-        core.Warning("No username in PostgreSQL startup packet")
+    if not tenant_id then
+        core.Warning("Invalid hostname format: " .. sni)
         txn:set_var("txn.pg_blocked", true)
         return
     end
     
-    -- Load tenant access configuration
     local access = load_tenant_access()
     
-    -- Check if tenant has external access enabled
-    if not access[username] then
-        core.Warning("Access denied: " .. username)
+    if not access[tenant_id] then
+        core.Warning("Access denied for tenant: " .. tenant_id)
         txn:set_var("txn.pg_blocked", true)
         return
     end
     
-    -- Route to tenant's backend
-    local backend = "pgs_" .. username
-    core.Info("Routing user " .. username .. " to backend " .. backend)
+    local backend = "pgs_" .. tenant_id
+    core.Info("Routing SNI " .. sni .. " to backend " .. backend)
     txn:set_var("txn.pg_backend", backend)
 end
 
--- Register the action with HAProxy
-core.register_action("pg_route", { "tcp-req" }, pg_route, 0)
+core.register_action("pg_route_by_sni", { "tcp-req" }, pg_route_by_sni, 0)

package/haproxy.cfg

@@ -13,23 +13,18 @@ defaults
     retries 3
 
 frontend postgres_frontend
-    bind *:5432
+    bind *:5432 ssl crt /etc/haproxy/certs/wildcard.pem
     mode tcp
     
-    # Use Lua script to parse PostgreSQL startup packet and route by username
+    # Extract tenant from SNI hostname
     tcp-request inspect-delay 5s
-    tcp-request content lua.pg_route
+    tcp-request content lua.pg_route_by_sni
     tcp-request content reject if { var(txn.pg_blocked) -m bool }
     
-    # Route to backend based on username extracted by Lua
     use_backend %[var(txn.pg_backend)] if { var(txn.pg_backend) -m found }
-    
-    # Default backend for unknown connections
     default_backend pg_reject
 
 backend pg_reject
     mode tcp
     timeout server 1s
 
-backend pg_ssl_pool
-    mode tcp

package/manager.js

@@ -19,6 +19,8 @@ const CONFIG_DIR = path.join(os.homedir(), '.sysnee-config');
 
 const COMPOSE_FILE_PATH = path.join(CONFIG_DIR, 'docker-compose.yml');
 const INIT_DIR_PATH = path.join(CONFIG_DIR, 'init');
+const LUA_DIR_PATH = path.join(CONFIG_DIR, 'haproxy-lua');
+const CERTS_DIR_PATH = path.join(CONFIG_DIR, 'certs');
 const HAPROXY_CFG_PATH = path.join(CONFIG_DIR, 'haproxy.cfg');
 const TENANT_ACCESS_FILE_PATH = path.join(CONFIG_DIR, 'tenant-access.json');
 const SETUP_STATUS_PATH = path.join(CONFIG_DIR, 'status.txt');
@@ -64,33 +66,17 @@ function generateHAProxyConfig() {
     console.debug('In generateHAProxy function')
     const doc = loadCompose();
 
-    // Get all tenant services
     const tenants = Object.keys(doc.services || {})
         .filter(name => name.startsWith('pgs_') && name !== 'haproxy');
 
-    console.debug(`tenants.lenght: ${tenants.length}`)
+    console.debug(`tenants.length: ${tenants.length}`)
 
-    // Get initial HAProxy config
     const templateFilePath = path.join(__dirname, 'haproxy.cfg')
     console.debug(`haproxy template file path: ${templateFilePath}`)
     let config = readFileSync(templateFilePath, 'utf8');
     console.debug(`haproxy template file loaded`)
 
-    // Add all tenant backends to SSL pool for SSL negotiation
-    // PostgreSQL will respond 'N' (no SSL) during negotiation, then client retries without SSL
-    if (tenants.length > 0) {
-        for (const serviceName of tenants) {
-            config += `    server ${serviceName}_ssl ${serviceName}:5432 check
-`;
-        }
-        config += `
-`;
-    } else {
-        config += `    # No tenants configured yet
-`;
-    }
-
-    // Generate backend for each tenant
+    // Generate backend for each tenant (routing by SNI hostname)
     for (const serviceName of tenants) {
         config += `backend ${serviceName}
     mode tcp
@@ -107,25 +93,23 @@ function generateHAProxyConfig() {
 function updateHAProxyDependsOn() {
     const doc = loadCompose();
 
-    // Get all tenant services
     const tenants = Object.keys(doc.services || {})
         .filter(name => name.startsWith('pgs_') && name !== 'haproxy');
 
-    // Ensure HAProxy service exists
-    if (!doc.services.haproxy) {
-        doc.services.haproxy = {
-            image: 'haproxy:latest',
-            container_name: 'postgres_proxy',
-            ports: ['5432:5432'],
-            volumes: [
-                `${HAPROXY_CFG_PATH}:/usr/local/etc/haproxy/haproxy.cfg:ro`,
-                './haproxy-lua:/etc/haproxy/lua:ro',
-                `${TENANT_ACCESS_FILE_PATH}:/etc/haproxy/tenant-access.json:ro`
-            ],
-            networks: ['postgres_network'],
-            restart: 'unless-stopped'
-        };
-    }
+    // Always set HAProxy service with current config
+    doc.services.haproxy = {
+        image: 'haproxy:latest',
+        container_name: 'postgres_proxy',
+        ports: ['5432:5432'],
+        volumes: [
+            `${HAPROXY_CFG_PATH}:/usr/local/etc/haproxy/haproxy.cfg:ro`,
+            `${LUA_DIR_PATH}:/etc/haproxy/lua:ro`,
+            `${TENANT_ACCESS_FILE_PATH}:/etc/haproxy/tenant-access.json:ro`,
+            `${CERTS_DIR_PATH}:/etc/haproxy/certs:ro`
+        ],
+        networks: ['postgres_network'],
+        restart: 'unless-stopped'
+    };
 
     // Update depends_on
     if (tenants.length > 0) {
@@ -232,6 +216,24 @@ function createInitialFiles() {
         const haproxyTemplate = readFileSync(path.join(__dirname, 'haproxy.cfg'), 'utf8');
         writeFileSync(HAPROXY_CFG_PATH, haproxyTemplate);
     }
+
+    // Lua
+    if (!existsSync(LUA_DIR_PATH)) {
+        mkdirSync(LUA_DIR_PATH, { recursive: true });
+    }
+    const luaSourceFile = path.join(__dirname, 'haproxy-lua', 'pg-route.lua');
+    const luaDestFile = path.join(LUA_DIR_PATH, 'pg-route.lua');
+    if (!existsSync(luaDestFile)) {
+        const luaContent = readFileSync(luaSourceFile, 'utf8');
+        writeFileSync(luaDestFile, luaContent);
+    }
+
+    // Certs directory
+    if (!existsSync(CERTS_DIR_PATH)) {
+        mkdirSync(CERTS_DIR_PATH, { recursive: true });
+        console.log(`Created certs directory at ${CERTS_DIR_PATH}`);
+        console.log('Place your wildcard.pem certificate file there (combined cert + key)');
+    }
 }
 
 function checkSetupStatus() {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@sysnee/pgs",
-  "version": "0.1.7-rc.1",
+  "version": "0.1.7-rc.3",
   "description": "Dynamic PostgreSQL service instance manager",
   "type": "module",
   "bin": {