npm - @sysnee/pgs - Versions diffs - 0.1.7-rc.2 → 0.1.7-rc.3 - Mend

@sysnee/pgs 0.1.7-rc.2 → 0.1.7-rc.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/haproxy-lua/pg-route.lua +23 -119
package/haproxy.cfg +3 -8
package/manager.js +25 -35
package/package.json +1 -1

package/haproxy-lua/pg-route.lua CHANGED Viewed

@@ -1,11 +1,9 @@
--- PostgreSQL Protocol Parser for HAProxy
--- Routes connections based on username extracted from startup packet
--- Checks tenant-access.json for access control
+-- PostgreSQL Protocol Router for HAProxy
+-- Routes connections based on SNI hostname
+-- Format: tenant_id.pgs.cloud.sysnee.com
--- Simple JSON parser for our limited use case (flat object with string keys and boolean values)
 local function parse_json(str)
     local result = {}
-    -- Match patterns like "key": true or "key": false
     for key, value in string.gmatch(str, '"([^"]+)":%s*(%w+)') do
         if value == "true" then
             result[key] = true
@@ -16,12 +14,10 @@ local function parse_json(str)
     return result
 end
--- Cache for tenant access configuration
 local tenant_access_cache = {}
 local cache_timestamp = 0
-local CACHE_TTL = 5 -- seconds
+local CACHE_TTL = 5
--- Load tenant access configuration
 local function load_tenant_access()
     local now = core.now().sec
     if now - cache_timestamp < CACHE_TTL then
@@ -39,139 +35,47 @@ local function load_tenant_access()
     local content = file:read("*all")
     file:close()
-    local data = parse_json(content)
-    tenant_access_cache = data or {}
+    tenant_access_cache = parse_json(content) or {}
     cache_timestamp = now
     return tenant_access_cache
 end
--- Parse PostgreSQL startup packet to extract username
--- PostgreSQL startup packet format:
--- [4 bytes: length] [4 bytes: protocol version] [key=value pairs\0]
-local function parse_startup_packet(data)
-    if #data < 8 then
-        return nil
-    end
-    -- Read packet length (big-endian)
-    local len = (string.byte(data, 1) * 16777216) +
-                (string.byte(data, 2) * 65536) +
-                (string.byte(data, 3) * 256) +
-                string.byte(data, 4)
-    if #data < len then
-        return nil
-    end
-    -- Read protocol version
-    local major = (string.byte(data, 5) * 256) + string.byte(data, 6)
-    local minor = (string.byte(data, 7) * 256) + string.byte(data, 8)
-    -- Check for SSL request (protocol 1234.5679)
-    if major == 1234 and minor == 5679 then
-        return { ssl_request = true }
-    end
-    -- Check for cancel request (protocol 1234.5678)
-    if major == 1234 and minor == 5678 then
-        return { cancel_request = true }
-    end
-    -- Normal startup message (protocol 3.0)
-    if major ~= 3 then
-        return nil
-    end
-    -- Parse key-value pairs starting at byte 9
-    local params = {}
-    local pos = 9
-    while pos < len do
-        -- Read key
-        local key_start = pos
-        while pos <= len and string.byte(data, pos) ~= 0 do
-            pos = pos + 1
-        end
-        if pos > len then break end
-        local key = string.sub(data, key_start, pos - 1)
-        pos = pos + 1 -- skip null
-        if key == "" then break end -- end of parameters
-        -- Read value
-        local val_start = pos
-        while pos <= len and string.byte(data, pos) ~= 0 do
-            pos = pos + 1
-        end
-        local value = string.sub(data, val_start, pos - 1)
-        pos = pos + 1 -- skip null
-        params[key] = value
-    end
-    return params
+-- Extract tenant_id from hostname
+-- Supports: tenant_id.pgs.cloud.sysnee.com or tenant_id.any.domain.com
+local function extract_tenant_from_sni(hostname)
+    if not hostname then return nil end
+    local tenant = string.match(hostname, "^([^.]+)%.")
+    return tenant
 end
--- Main routing function called by HAProxy
-function pg_route(txn)
-    -- Get data from the request buffer
-    local data = txn.req:data(0)
-    if not data or #data == 0 then
-        -- No data yet, need to wait
-        return
-    end
+function pg_route_by_sni(txn)
+    local sni = txn.f:ssl_fc_sni()
-    local params = parse_startup_packet(data)
-    if not params then
-        core.Warning("Failed to parse PostgreSQL startup packet")
+    if not sni or sni == "" then
+        core.Warning("No SNI hostname provided")
         txn:set_var("txn.pg_blocked", true)
         return
     end
-    -- Handle SSL request - route to default pool for SSL negotiation
-    -- PostgreSQL will respond 'N' (no SSL), then client retries without SSL
-    if params.ssl_request then
-        core.Info("SSL request received, routing to SSL negotiation pool")
-        -- Route to SSL pool backend which forwards to any available PostgreSQL
-        -- This allows SSL negotiation to complete
-        txn:set_var("txn.pg_backend", "pg_ssl_pool")
-        return
-    end
-    -- Handle cancel request
-    if params.cancel_request then
-        txn:set_var("txn.pg_blocked", true)
-        return
-    end
+    local tenant_id = extract_tenant_from_sni(sni)
-    local username = params["user"]
-    if not username then
-        core.Warning("No username in PostgreSQL startup packet")
+    if not tenant_id then
+        core.Warning("Invalid hostname format: " .. sni)
         txn:set_var("txn.pg_blocked", true)
         return
     end
-    -- Load tenant access configuration
     local access = load_tenant_access()
-    -- Check if tenant has external access enabled
-    if not access[username] then
-        core.Warning("Access denied: " .. username)
+    if not access[tenant_id] then
+        core.Warning("Access denied for tenant: " .. tenant_id)
         txn:set_var("txn.pg_blocked", true)
         return
     end
-    -- Route to tenant's backend
-    local backend = "pgs_" .. username
-    core.Info("Routing user " .. username .. " to backend " .. backend)
+    local backend = "pgs_" .. tenant_id
+    core.Info("Routing SNI " .. sni .. " to backend " .. backend)
     txn:set_var("txn.pg_backend", backend)
 end
--- Register the action with HAProxy
-core.register_action("pg_route", { "tcp-req" }, pg_route, 0)
+core.register_action("pg_route_by_sni", { "tcp-req" }, pg_route_by_sni, 0)

package/haproxy.cfg CHANGED Viewed

@@ -13,23 +13,18 @@ defaults
     retries 3
 frontend postgres_frontend
-    bind *:5432
+    bind *:5432 ssl crt /etc/haproxy/certs/wildcard.pem
     mode tcp
-    # Use Lua script to parse PostgreSQL startup packet and route by username
+    # Extract tenant from SNI hostname
     tcp-request inspect-delay 5s
-    tcp-request content lua.pg_route
+    tcp-request content lua.pg_route_by_sni
     tcp-request content reject if { var(txn.pg_blocked) -m bool }
-    # Route to backend based on username extracted by Lua
     use_backend %[var(txn.pg_backend)] if { var(txn.pg_backend) -m found }
-    # Default backend for unknown connections
     default_backend pg_reject
 backend pg_reject
     mode tcp
     timeout server 1s
-backend pg_ssl_pool
-    mode tcp

package/manager.js CHANGED Viewed

@@ -20,6 +20,7 @@ const CONFIG_DIR = path.join(os.homedir(), '.sysnee-config');
 const COMPOSE_FILE_PATH = path.join(CONFIG_DIR, 'docker-compose.yml');
 const INIT_DIR_PATH = path.join(CONFIG_DIR, 'init');
 const LUA_DIR_PATH = path.join(CONFIG_DIR, 'haproxy-lua');
+const CERTS_DIR_PATH = path.join(CONFIG_DIR, 'certs');
 const HAPROXY_CFG_PATH = path.join(CONFIG_DIR, 'haproxy.cfg');
 const TENANT_ACCESS_FILE_PATH = path.join(CONFIG_DIR, 'tenant-access.json');
 const SETUP_STATUS_PATH = path.join(CONFIG_DIR, 'status.txt');
@@ -65,33 +66,17 @@ function generateHAProxyConfig() {
     console.debug('In generateHAProxy function')
     const doc = loadCompose();
-    // Get all tenant services
     const tenants = Object.keys(doc.services || {})
         .filter(name => name.startsWith('pgs_') && name !== 'haproxy');
-    console.debug(`tenants.lenght: ${tenants.length}`)
+    console.debug(`tenants.length: ${tenants.length}`)
-    // Get initial HAProxy config
     const templateFilePath = path.join(__dirname, 'haproxy.cfg')
     console.debug(`haproxy template file path: ${templateFilePath}`)
     let config = readFileSync(templateFilePath, 'utf8');
     console.debug(`haproxy template file loaded`)
-    // Add all tenant backends to SSL pool for SSL negotiation
-    // PostgreSQL will respond 'N' (no SSL) during negotiation, then client retries without SSL
-    if (tenants.length > 0) {
-        for (const serviceName of tenants) {
-            config += `    server ${serviceName}_ssl ${serviceName}:5432 check
-`;
-        }
-        config += `
-`;
-    } else {
-        config += `    # No tenants configured yet
-`;
-    }
-    // Generate backend for each tenant
+    // Generate backend for each tenant (routing by SNI hostname)
     for (const serviceName of tenants) {
         config += `backend ${serviceName}
     mode tcp
@@ -108,25 +93,23 @@ function generateHAProxyConfig() {
 function updateHAProxyDependsOn() {
     const doc = loadCompose();
-    // Get all tenant services
     const tenants = Object.keys(doc.services || {})
         .filter(name => name.startsWith('pgs_') && name !== 'haproxy');
-    // Ensure HAProxy service exists
-    if (!doc.services.haproxy) {
-        doc.services.haproxy = {
-            image: 'haproxy:latest',
-            container_name: 'postgres_proxy',
-            ports: ['5432:5432'],
-            volumes: [
-                `${HAPROXY_CFG_PATH}:/usr/local/etc/haproxy/haproxy.cfg:ro`,
-                `${LUA_DIR_PATH}:/etc/haproxy/lua:ro`,
-                `${TENANT_ACCESS_FILE_PATH}:/etc/haproxy/tenant-access.json:ro`
-            ],
-            networks: ['postgres_network'],
-            restart: 'unless-stopped'
-        };
-    }
+    // Always set HAProxy service with current config
+    doc.services.haproxy = {
+        image: 'haproxy:latest',
+        container_name: 'postgres_proxy',
+        ports: ['5432:5432'],
+        volumes: [
+            `${HAPROXY_CFG_PATH}:/usr/local/etc/haproxy/haproxy.cfg:ro`,
+            `${LUA_DIR_PATH}:/etc/haproxy/lua:ro`,
+            `${TENANT_ACCESS_FILE_PATH}:/etc/haproxy/tenant-access.json:ro`,
+            `${CERTS_DIR_PATH}:/etc/haproxy/certs:ro`
+        ],
+        networks: ['postgres_network'],
+        restart: 'unless-stopped'
+    };
     // Update depends_on
     if (tenants.length > 0) {
@@ -138,7 +121,7 @@ function updateHAProxyDependsOn() {
     saveCompose(doc);
     // Restart HAProxy
-    executeCommand('docker compose up -d haproxy');
+    executeCommand('docker restart postgres_proxy');
 }
 function createInitScript({ tenantId, password, databaseName }) {
@@ -244,6 +227,13 @@ function createInitialFiles() {
         const luaContent = readFileSync(luaSourceFile, 'utf8');
         writeFileSync(luaDestFile, luaContent);
     }
+    // Certs directory
+    if (!existsSync(CERTS_DIR_PATH)) {
+        mkdirSync(CERTS_DIR_PATH, { recursive: true });
+        console.log(`Created certs directory at ${CERTS_DIR_PATH}`);
+        console.log('Place your wildcard.pem certificate file there (combined cert + key)');
+    }
 }
 function checkSetupStatus() {

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@sysnee/pgs",
-  "version": "0.1.7-rc.2",
+  "version": "0.1.7-rc.3",
   "description": "Dynamic PostgreSQL service instance manager",
   "type": "module",
   "bin": {