@teamkeel/functions-runtime 0.411.0 → 0.412.0-next.2

package/src/permissions.js

@@ -1,77 +0,0 @@
-const { AsyncLocalStorage } = require("async_hooks");
-const { PermissionError } = require("./errors");
-
-const PERMISSION_STATE = {
-  UNKNOWN: "unknown",
-  PERMITTED: "permitted",
-  UNPERMITTED: "unpermitted",
-};
-
-// withPermissions sets the initial permission state from the go runtime in the AsyncLocalStorage so consumers further down the hierarchy can read or mutate the state
-// at will
-const withPermissions = async (initialValue, cb) => {
-  const permissions = new Permissions();
-
-  return await permissionsApiInstance.run({ permitted: initialValue }, () => {
-    return cb({ getPermissionState: permissions.getState });
-  });
-};
-
-const permissionsApiInstance = new AsyncLocalStorage();
-
-class Permissions {
-  // The Go runtime performs role based permission rule checks prior to calling the functions
-  // runtime, so the status could already be granted. If already granted, then we need to inherit that permission state as the state is later used to decide whether to run in process permission checks
-  // TLDR if a role based permission is relevant and it is granted, then it is effectively the same as the end user calling api.permissions.allow() explicitly in terms of behaviour.
-
-  allow() {
-    const store = (permissionsApiInstance.getStore().permitted = true);
-  }
-
-  deny() {
-    // if a user is explicitly calling deny() then we want to throw an error
-    // so that any further execution of the custom function stops abruptly
-    permissionsApiInstance.getStore().permitted = false;
-
-    throw new PermissionError();
-  }
-
-  getState() {
-    const permitted = permissionsApiInstance.getStore().permitted;
-
-    switch (true) {
-      case permitted === false:
-        return PERMISSION_STATE.UNPERMITTED;
-      case permitted === null:
-        return PERMISSION_STATE.UNKNOWN;
-      case permitted === true:
-        return PERMISSION_STATE.PERMITTED;
-    }
-  }
-}
-
-const checkBuiltInPermissions = async ({
-  rows,
-  permissionFns,
-  ctx,
-  db,
-  functionName,
-}) => {
-  for (const permissionFn of permissionFns) {
-    const result = await permissionFn(rows, ctx, db);
-    // if any of the permission functions return true,
-    // then we return early
-    if (result) {
-      return;
-    }
-  }
-
-  throw new PermissionError(`Not permitted to access ${functionName}`);
-};
-
-module.exports.checkBuiltInPermissions = checkBuiltInPermissions;
-module.exports.PermissionError = PermissionError;
-module.exports.PERMISSION_STATE = PERMISSION_STATE;
-module.exports.Permissions = Permissions;
-module.exports.withPermissions = withPermissions;
-module.exports.permissionsApiInstance = permissionsApiInstance;

package/src/permissions.test.js

@@ -1,118 +0,0 @@
-const {
-  permissionsApiInstance,
-  Permissions,
-  PERMISSION_STATE,
-  checkBuiltInPermissions,
-} = require("./permissions");
-import { useDatabase } from "./database";
-import { beforeEach, describe, expect, test } from "vitest";
-const { PermissionError } = require("./errors");
-
-let permissions;
-let ctx = {};
-let db = useDatabase();
-
-describe("explicit", () => {
-  beforeEach(() => {
-    permissions = new Permissions();
-  });
-
-  test("explicitly allowing execution", () => {
-    wrapWithAsyncLocalStorage({ permitted: null }, () => {
-      expect(permissions.getState()).toEqual(PERMISSION_STATE.UNKNOWN);
-
-      permissions.allow();
-
-      expect(permissions.getState()).toEqual(PERMISSION_STATE.PERMITTED);
-    });
-  });
-
-  test("explicitly denying execution", () => {
-    wrapWithAsyncLocalStorage({ permitted: null }, () => {
-      expect(permissions.getState()).toEqual(PERMISSION_STATE.UNKNOWN);
-
-      expect(() => permissions.deny()).toThrowError(PermissionError);
-
-      expect(permissions.getState()).toEqual(PERMISSION_STATE.UNPERMITTED);
-    });
-  });
-});
-
-describe("prior state", () => {
-  test("when the prior state is granted", () => {
-    wrapWithAsyncLocalStorage(
-      {
-        permitted: true,
-      },
-      () => {
-        expect(permissions.getState()).toEqual(PERMISSION_STATE.PERMITTED);
-      }
-    );
-  });
-});
-
-describe("check", () => {
-  const functionName = "createPerson";
-
-  test("check - success", async () => {
-    const permissionRule1 = (records, ctx, db) => {
-      // Only allow names starting with Adam
-      return records.every((r) => r.name.startsWith("Adam"));
-    };
-
-    const rows = [
-      {
-        id: "123",
-        name: "Adam Bull",
-      },
-      {
-        id: "234",
-        name: "Adam Lambert",
-      },
-    ];
-
-    await expect(
-      checkBuiltInPermissions({
-        rows,
-        ctx,
-        db,
-        functionName,
-        permissionFns: [permissionRule1],
-      })
-    ).resolves.ok;
-  });
-
-  test("check - failure", async () => {
-    // only allow Petes
-    const permissionRule1 = (records, ctx, db) => {
-      return records.every((r) => r.name === "Pete");
-    };
-
-    const rows = [
-      {
-        id: "123",
-        name: "Adam", // this one will cause an error to be thrown because Adam is not Pete
-      },
-      {
-        id: "234",
-        name: "Pete",
-      },
-    ];
-
-    await expect(
-      checkBuiltInPermissions({
-        rows,
-        ctx,
-        db,
-        functionName,
-        permissionFns: [permissionRule1],
-      })
-    ).rejects.toThrow();
-  });
-});
-
-function wrapWithAsyncLocalStorage(initialState, testFn) {
-  permissionsApiInstance.run(initialState, () => {
-    testFn();
-  });
-}

package/src/tracing.js

@@ -1,184 +0,0 @@
-const opentelemetry = require("@opentelemetry/api");
-const { BatchSpanProcessor } = require("@opentelemetry/sdk-trace-base");
-const {
-  OTLPTraceExporter,
-} = require("@opentelemetry/exporter-trace-otlp-proto");
-const { NodeTracerProvider } = require("@opentelemetry/sdk-trace-node");
-const { envDetectorSync } = require("@opentelemetry/resources");
-
-async function withSpan(name, fn) {
-  return getTracer().startActiveSpan(name, async (span) => {
-    try {
-      // await the thing (this means we can use try/catch)
-      return await fn(span);
-    } catch (err) {
-      // record any errors
-      span.recordException(err);
-      span.setStatus({
-        code: opentelemetry.SpanStatusCode.ERROR,
-        message: err.message,
-      });
-      // re-throw the error
-      throw err;
-    } finally {
-      // make sure the span is ended
-      span.end();
-    }
-  });
-}
-
-function patchFetch() {
-  if (!globalThis.fetch.patched) {
-    const originalFetch = globalThis.fetch;
-
-    globalThis.fetch = async (...args) => {
-      return withSpan("fetch", async (span) => {
-        const url = new URL(
-          args[0] instanceof Request ? args[0].url : String(args[0])
-        );
-        span.setAttribute("http.url", url.toString());
-        const scheme = url.protocol.replace(":", "");
-        span.setAttribute("http.scheme", scheme);
-
-        const options = args[0] instanceof Request ? args[0] : args[1] || {};
-        const method = (options.method || "GET").toUpperCase();
-        span.setAttribute("http.method", method);
-
-        const res = await originalFetch(...args);
-        span.setAttribute("http.status", res.status);
-        span.setAttribute("http.status_text", res.statusText);
-        return res;
-      });
-    };
-    globalThis.fetch.patched = true;
-  }
-}
-
-function patchConsoleLog() {
-  if (!console.log.patched) {
-    const originalConsoleLog = console.log;
-
-    console.log = (...args) => {
-      const span = opentelemetry.trace.getActiveSpan();
-      if (span) {
-        const output = args
-          .map((arg) => {
-            if (arg instanceof Error) {
-              return arg.stack;
-            }
-            if (typeof arg === "object") {
-              try {
-                return JSON.stringify(arg, getCircularReplacer());
-              } catch (error) {
-                return "[Object with circular references]";
-              }
-            }
-            if (typeof arg === "function") {
-              return arg() || arg.name || arg.toString();
-            }
-            return String(arg);
-          })
-          .join(" ");
-
-        span.addEvent(output);
-      }
-      originalConsoleLog(...args);
-    };
-
-    console.log.patched = true;
-  }
-}
-
-function patchConsoleError() {
-  if (!console.error.patched) {
-    const originalConsoleError = console.error;
-
-    console.error = (...args) => {
-      const span = opentelemetry.trace.getActiveSpan();
-      if (span) {
-        const output = args
-          .map((arg) => {
-            if (arg instanceof Error) {
-              return arg.stack;
-            }
-            if (typeof arg === "object") {
-              try {
-                return JSON.stringify(arg, getCircularReplacer());
-              } catch (error) {
-                return "[Object with circular references]";
-              }
-            }
-            if (typeof arg === "function") {
-              return arg() || arg.name || arg.toString();
-            }
-            return String(arg);
-          })
-          .join(" ");
-
-        span.setStatus({
-          code: opentelemetry.SpanStatusCode.ERROR,
-          message: output,
-        });
-      }
-      originalConsoleError(...args);
-    };
-
-    console.error.patched = true;
-  }
-}
-
-// Utility to handle circular references in objects
-function getCircularReplacer() {
-  const seen = new WeakSet();
-  return (key, value) => {
-    if (typeof value === "object" && value !== null) {
-      if (seen.has(value)) {
-        return "[Circular]";
-      }
-      seen.add(value);
-    }
-    return value;
-  };
-}
-
-function init() {
-  if (process.env.KEEL_TRACING_ENABLED == "true") {
-    const exporter = new OTLPTraceExporter();
-    const processor = new BatchSpanProcessor(exporter);
-
-    const provider = new NodeTracerProvider({
-      resource: envDetectorSync.detect(),
-      spanProcessors: [processor],
-    });
-
-    provider.register();
-  }
-
-  patchFetch();
-  patchConsoleLog();
-  patchConsoleError();
-}
-
-async function forceFlush() {
-  // The "delegate" is the actual provider set by the functions-runtime package
-  const provider = opentelemetry.trace.getTracerProvider().getDelegate();
-  if (provider && provider.forceFlush) {
-    await provider.forceFlush();
-  }
-}
-
-function getTracer() {
-  return opentelemetry.trace.getTracer("functions");
-}
-
-function spanNameForModelAPI(modelName, action) {
-  return `Database ${modelName}.${action}`;
-}
-
-module.exports = {
-  getTracer,
-  withSpan,
-  init,
-  forceFlush,
-  spanNameForModelAPI,
-};

package/src/tracing.test.js

@@ -1,147 +0,0 @@
-import { expect, test, beforeEach } from "vitest";
-import tracing from "./tracing";
-import { NodeTracerProvider, Span } from "@opentelemetry/sdk-trace-node";
-const opentelemetry = require("@opentelemetry/api");
-
-let spanEvents = [];
-const provider = new NodeTracerProvider({
-  spanProcessors: [
-    {
-      forceFlush() {
-        return Promise.resolve();
-      },
-      onStart(span, parentContext) {
-        spanEvents.push({ event: "onStart", span, parentContext });
-      },
-      onEnd(span) {
-        spanEvents.push({ event: "onEnd", span });
-      },
-      shutdown() {
-        return Promise.resolve();
-      },
-    },
-  ],
-});
-provider.register();
-
-beforeEach(() => {
-  tracing.init();
-  spanEvents = [];
-});
-
-test("withSpan span time", async () => {
-  const waitTimeMillis = 100;
-  await tracing.withSpan("name", async () => {
-    await new Promise((resolve) => setTimeout(resolve, waitTimeMillis));
-  });
-
-  expect(spanEvents.map((e) => e.event)).toEqual(["onStart", "onEnd"]);
-  const spanDuration = spanEvents.pop().span._duration.pop();
-
-  // The '- 1' here is because sometimes the test fails due to the span duration
-  // being something like 99.87ms. As long as it's at least 99ms we're happy
-  const waitTimeNanos = (waitTimeMillis - 1) * 1000 * 1000;
-  expect(spanDuration).toBeGreaterThan(waitTimeNanos);
-});
-
-test("withSpan on error", async () => {
-  try {
-    await tracing.withSpan("name", async () => {
-      throw "err";
-    });
-    // previous line should have an error thrown
-    expect(true).toEqual(false);
-  } catch (e) {
-    expect(e).toEqual("err");
-    expect(spanEvents.map((e) => e.event)).toEqual(["onStart", "onEnd"]);
-    const lastSpanEvents = spanEvents.pop().span.events;
-    expect(lastSpanEvents).length(1);
-    expect(lastSpanEvents[0].name).toEqual("exception");
-    expect(lastSpanEvents[0].attributes).toEqual({
-      "exception.message": "err",
-    });
-  }
-});
-
-test("withSpan console.log", async () => {
-  await tracing.withSpan("name", async () => {
-    console.log("test log");
-  });
-
-  const span = spanEvents.pop().span;
-  expect(span.events).toHaveLength(1);
-  expect(span.events[0].name).toEqual("test log");
-});
-
-test("withSpan console.error", async () => {
-  await tracing.withSpan("name", async () => {
-    console.error("test error");
-  });
-
-  const span = spanEvents.pop().span;
-  expect(span.events).toHaveLength(0);
-  expect(span.status.code).toEqual(opentelemetry.SpanStatusCode.ERROR);
-  expect(span.status.message).toEqual("test error");
-});
-
-test("fetch - 200", async () => {
-  const res = await fetch("http://example.com");
-  expect(res.status).toEqual(200);
-
-  expect(spanEvents.map((e) => e.event)).toEqual(["onStart", "onEnd"]);
-  expect(spanEvents.pop().span.attributes).toEqual({
-    "http.url": "http://example.com/",
-    "http.scheme": "http",
-    "http.method": "GET",
-    "http.status": 200,
-    "http.status_text": "OK",
-  });
-});
-
-test("fetch - 404", async () => {
-  await fetch("https://keel.so/not-found");
-
-  expect(spanEvents.map((e) => e.event)).toEqual(["onStart", "onEnd"]);
-  expect(spanEvents.pop().span.attributes).toEqual({
-    "http.url": "https://keel.so/not-found",
-    "http.scheme": "https",
-    "http.method": "GET",
-    "http.status": 404,
-    "http.status_text": "Not Found",
-  });
-});
-
-test("fetch - invalid URL", async () => {
-  try {
-    await fetch({});
-  } catch (err) {
-    expect(err.message).toEqual("Invalid URL");
-  }
-
-  expect(spanEvents.map((e) => e.event)).toEqual(["onStart", "onEnd"]);
-
-  const span = spanEvents.pop().span;
-  expect(spanEvents.pop().span.attributes).toEqual({});
-  expect(span.events[0].name).toEqual("exception");
-  expect.assertions(4);
-});
-
-test("fetch - ENOTFOUND", async () => {
-  try {
-    await fetch("http://qpwoeuthnvksnvnsanrurvnc.com");
-  } catch (err) {
-    expect(err.message).toEqual("fetch failed");
-    expect(err.cause.code).toEqual("ENOTFOUND");
-  }
-
-  expect(spanEvents.map((e) => e.event)).toEqual(["onStart", "onEnd"]);
-
-  const span = spanEvents.pop().span;
-  expect(span.attributes).toEqual({
-    "http.method": "GET",
-    "http.scheme": "http",
-    "http.url": "http://qpwoeuthnvksnvnsanrurvnc.com/",
-  });
-  expect(span.events[0].name).toEqual("exception");
-  expect.assertions(5);
-});

package/src/tryExecuteFunction.js

@@ -1,91 +0,0 @@
-const { withDatabase } = require("./database");
-const { withAuditContext } = require("./auditing");
-const {
-  withPermissions,
-  PERMISSION_STATE,
-  checkBuiltInPermissions,
-} = require("./permissions");
-const { PermissionError } = require("./errors");
-const { PROTO_ACTION_TYPES } = require("./consts");
-
-// tryExecuteFunction will create a new database transaction around a function call
-// and handle any permissions checks. If a permission check fails, then an Error will be thrown and the catch block will be hit.
-function tryExecuteFunction(
-  { request, db, permitted, permissionFns, actionType, ctx, functionConfig },
-  cb
-) {
-  return withPermissions(permitted, async ({ getPermissionState }) => {
-    let requiresTransaction = true;
-    switch (actionType) {
-      case PROTO_ACTION_TYPES.GET:
-      case PROTO_ACTION_TYPES.LIST:
-      case PROTO_ACTION_TYPES.READ:
-        requiresTransaction = false;
-        break;
-    }
-
-    if (functionConfig?.dbTransaction !== undefined) {
-      requiresTransaction = functionConfig.dbTransaction;
-    }
-
-    return withDatabase(db, requiresTransaction, async ({ transaction }) => {
-      const fnResult = await withAuditContext(request, async () => {
-        return cb();
-      });
-
-      // api.permissions maintains an internal state of whether the current function has been *explicitly* permitted/denied by the user in the course of their custom function, or if execution has already been permitted by a role based permission (evaluated in the main runtime).
-      // we need to check that the final state is permitted or unpermitted. if it's not, then it means that the user has taken no explicit action to permit/deny
-      // and therefore we default to checking the permissions defined in the schema automatically.
-      switch (getPermissionState()) {
-        case PERMISSION_STATE.PERMITTED:
-          return fnResult;
-        case PERMISSION_STATE.UNPERMITTED:
-          throw new PermissionError(
-            `Not permitted to access ${request.method}`
-          );
-        default:
-          // unknown state, proceed with checking against the built in permissions in the schema
-          const relevantPermissions = permissionFns[request.method];
-
-          const peakInsideTransaction =
-            actionType === PROTO_ACTION_TYPES.CREATE;
-
-          let rowsForPermissions = [];
-          if (fnResult != null) {
-            switch (actionType) {
-              case PROTO_ACTION_TYPES.LIST:
-                rowsForPermissions = fnResult;
-                break;
-              case PROTO_ACTION_TYPES.DELETE:
-                rowsForPermissions = [{ id: fnResult }];
-                break;
-              case (PROTO_ACTION_TYPES.GET, PROTO_ACTION_TYPES.CREATE):
-                rowsForPermissions = [fnResult];
-                break;
-              default:
-                rowsForPermissions = [fnResult];
-                break;
-            }
-          }
-
-          // check will throw a PermissionError if a permission rule is invalid
-          await checkBuiltInPermissions({
-            rows: rowsForPermissions,
-            permissionFns: relevantPermissions,
-            // it is important that we pass db here as db represents the connection to the database
-            // *outside* of the current transaction. Given that any changes inside of a transaction
-            // are opaque to the outside, we can utilize this when running permission rules and then deciding to
-            // rollback any changes if they do not pass. However, for creates we need to be able to 'peak' inside the transaction to read the created record, as this won't exist outside of the transaction.
-            db: peakInsideTransaction ? transaction : db,
-            ctx,
-            functionName: request.method,
-          });
-
-          // If the built in permission check above doesn't throw, then it means that the request is permitted and we can continue returning the return value from the custom function out of the transaction
-          return fnResult;
-      }
-    });
-  });
-}
-
-module.exports.tryExecuteFunction = tryExecuteFunction;

package/src/tryExecuteJob.js

@@ -1,29 +0,0 @@
-const { withDatabase } = require("./database");
-const { withAuditContext } = require("./auditing");
-const { withPermissions, PERMISSION_STATE } = require("./permissions");
-const { PermissionError } = require("./errors");
-
-// tryExecuteJob will create a new database transaction around a function call
-// and handle any permissions checks. If a permission check fails, then an Error will be thrown and the catch block will be hit.
-function tryExecuteJob({ db, permitted, request, functionConfig }, cb) {
-  return withPermissions(permitted, async ({ getPermissionState }) => {
-    let requiresTransaction = false;
-    if (functionConfig?.dbTransaction !== undefined) {
-      requiresTransaction = functionConfig.dbTransaction;
-    }
-    return withDatabase(db, requiresTransaction, async () => {
-      await withAuditContext(request, async () => {
-        return cb();
-      });
-
-      // api.permissions maintains an internal state of whether the current operation has been *explicitly* permitted/denied by the user in the course of their custom function, or if execution has already been permitted by a role based permission (evaluated in the main runtime).
-      // we need to check that the final state is permitted or unpermitted. if it's not, then it means that the user has taken no explicit action to permit/deny
-      // and therefore we default to checking the permissions defined in the schema automatically.
-      if (getPermissionState() === PERMISSION_STATE.UNPERMITTED) {
-        throw new PermissionError(`Not permitted to access ${request.method}`);
-      }
-    });
-  });
-}
-
-module.exports.tryExecuteJob = tryExecuteJob;

package/src/tryExecuteSubscriber.js

@@ -1,17 +0,0 @@
-const { withDatabase } = require("./database");
-const { withAuditContext } = require("./auditing");
-
-// tryExecuteSubscriber will create a new database connection and execute the function call.
-function tryExecuteSubscriber({ request, db, functionConfig }, cb) {
-  let requiresTransaction = false;
-  if (functionConfig?.dbTransaction !== undefined) {
-    requiresTransaction = functionConfig.dbTransaction;
-  }
-  return withDatabase(db, requiresTransaction, async () => {
-    await withAuditContext(request, async () => {
-      return cb();
-    });
-  });
-}
-
-module.exports.tryExecuteSubscriber = tryExecuteSubscriber;

package/src/type-utils.js

@@ -1,18 +0,0 @@
-const { Duration } = require("./Duration");
-
-function isPlainObject(obj) {
-  return Object.prototype.toString.call(obj) === "[object Object]";
-}
-
-function isRichType(obj) {
-  if (!isPlainObject(obj)) {
-    return false;
-  }
-
-  return obj instanceof Duration;
-}
-
-module.exports = {
-  isPlainObject,
-  isRichType,
-};

package/vite.config.js

@@ -1,7 +0,0 @@
-import { defineConfig, loadEnv } from "vite";
-
-export default ({ mode }) => {
-  process.env = { ...process.env, ...loadEnv(mode, process.cwd(), "") };
-
-  return defineConfig({});
-};