dbgate-api-premium 5.5.7-alpha.45

package/.env

@@ -0,0 +1,19 @@
+DEVMODE=1
+SHELL_SCRIPTING=1
+
+CLOUD_UPGRADE_FILE=c:\test\upg\upgrade.zip
+
+# PERMISSIONS=~widgets/app,~widgets/plugins
+# DISABLE_SHELL=1
+# HIDE_APP_EDITOR=1
+
+
+# DEVWEB=1
+# LOGINS=admin,test
+
+# LOGIN_PASSWORD_admin=admin
+# LOGIN_PERMISSIONS_admin=*
+
+# LOGIN_PASSWORD_test=test
+# LOGIN_PERMISSIONS_test=~*, widgets/database
+# WORKSPACE_DIR=/home/jena/dbgate-data-2

package/.yarnrc

@@ -0,0 +1,2 @@
+version-tag-prefix packages-api-v
+version-git-message "packages-api v%s"

package/README.md

@@ -0,0 +1 @@
+This package is used internally by DbGate Premium

package/env/dblogin/.env

@@ -0,0 +1,14 @@
+DEVMODE=1
+
+CONNECTIONS=mysql
+SINGLE_CONNECTION=mysql
+# SINGLE_DATABASE=Chinook
+
+LABEL_mysql=MySql localhost
+SERVER_mysql=localhost
+# USER_mysql=root
+PORT_mysql=3306
+# PASSWORD_mysql=Pwd2020Db
+ENGINE_mysql=mysql@dbgate-plugin-mysql
+# PASSWORD_MODE_mysql=askPassword
+PASSWORD_MODE_mysql=askUser

package/env/portal/.env

@@ -0,0 +1,70 @@
+DEVMODE=1
+
+CONNECTIONS=mysql,postgres,postgres1,mongo,mongo2,mysqlssh,sqlite,relational
+
+LABEL_mysql=MySql localhost
+SERVER_mysql=localhost
+USER_mysql=root
+PASSWORD_mysql=test
+PORT_mysql=3307
+ENGINE_mysql=mysql@dbgate-plugin-mysql
+
+LABEL_postgres=Postgres localhost
+SERVER_postgres=localhost
+USER_postgres=postgres
+PASSWORD_postgres=Pwd2020Db
+PORT_postgres=5432
+ENGINE_postgres=postgres@dbgate-plugin-postgres
+
+LABEL_postgres1=Postgres localhost test DB
+SERVER_postgres1=localhost
+USER_postgres1=postgres
+PASSWORD_postgres1=Pwd2020Db
+PORT_postgres1=5432
+ENGINE_postgres1=postgres@dbgate-plugin-postgres
+DATABASE_postgres1=test
+
+LABEL_mongo=Mongo URL
+URL_mongo=mongodb://localhost:27017
+ENGINE_mongo=mongo@dbgate-plugin-mongo
+
+LABEL_mongo2=Mongo Server
+SERVER_mongo2=localhost
+ENGINE_mongo2=mongo@dbgate-plugin-mongo
+
+LABEL_mysqlssh=MySql SSH
+SERVER_mysqlssh=localhost
+USER_mysqlssh=root
+PASSWORD_mysqlssh=xxx
+PORT_mysqlssh=3316
+ENGINE_mysqlssh=mysql@dbgate-plugin-mysql
+USE_SSH_mysqlssh=1
+SSH_HOST_mysqlssh=demo.dbgate.org
+SSH_PORT_mysqlssh=22
+SSH_MODE_mysqlssh=userPassword
+SSH_LOGIN_mysqlssh=root
+SSH_PASSWORD_mysqlssh=xxx
+
+LABEL_sqlite=sqlite
+FILE_sqlite=/home/jena/.dbgate/files/sqlite/feeds.sqlite
+ENGINE_sqlite=sqlite@dbgate-plugin-sqlite
+
+LABEL_relational=Relational dataset repo
+SERVER_relational=relational.fit.cvut.cz
+USER_relational=guest
+PASSWORD_relational=relational
+ENGINE_relational=mariadb@dbgate-plugin-mysql
+READONLY_relational=1
+
+# SETTINGS_dataGrid.showHintColumns=1
+
+# docker run -p 3000:3000 -e CONNECTIONS=mongo -e URL_mongo=mongodb://localhost:27017 -e ENGINE_mongo=mongo@dbgate-plugin-mongo -e LABEL_mongo=mongo dbgate/dbgate:beta
+
+# LOGINS=x,y
+# LOGIN_PASSWORD_x=x
+# LOGIN_PASSWORD_y=LOGIN_PASSWORD_y
+# LOGIN_PERMISSIONS_x=~*
+# LOGIN_PERMISSIONS_y=~*
+
+# PERMISSIONS=~*,connections/relational
+# PERMISSIONS=~*

package/env/singledb/.env

@@ -0,0 +1,17 @@
+DEVMODE=1
+
+CONNECTIONS=mysql
+
+LABEL_mysql=MySql localhost
+SERVER_mysql=localhost
+USER_mysql=root
+PASSWORD_mysql=Pwd2020Db
+PORT_mysql=3306
+ENGINE_mysql=mysql@dbgate-plugin-mysql
+DBCONFIG_mysql=[{"name":"Chinook","connectionColor":"cyan"}]
+
+
+SINGLE_CONNECTION=mysql
+SINGLE_DATABASE=Chinook
+
+PERMISSIONS=files/charts/read

package/env/storage/.env

@@ -0,0 +1,43 @@
+DEVMODE=1
+DEVWEB=1 
+
+# STORAGE_SERVER=sql2022stage.sprinx.cz
+# STORAGE_USER=dbgate-admin
+# STORAGE_PASSWORD=UvT>2rnxJ_O=
+# STORAGE_DATABASE=dbgate-premium
+# STORAGE_ENGINE=mssql@dbgate-plugin-mssql
+
+STORAGE_SERVER=localhost
+STORAGE_USER=root
+STORAGE_PASSWORD=Pwd2020Db
+STORAGE_PORT=3306
+STORAGE_DATABASE=dbgate
+STORAGE_ENGINE=mysql@dbgate-plugin-mysql
+
+# STORAGE_SERVER=localhost
+# STORAGE_USER=postgres
+# STORAGE_PASSWORD=Pwd2020Db
+# STORAGE_PORT=5432
+# STORAGE_DATABASE=dbgate
+# STORAGE_ENGINE=postgres@dbgate-plugin-postgres
+
+# STORAGE_SERVER=172.20.0.146
+# STORAGE_USER=Metrostav
+# STORAGE_PASSWORD=MtsEvr_2018
+# STORAGE_PORT=1433
+# STORAGE_DATABASE=DbGateConfig
+# STORAGE_ENGINE=mssql@dbgate-plugin-mssql
+
+# STORAGE_SERVER=localhost
+# STORAGE_USER=system
+# STORAGE_SERVICE_NAME=xe
+# STORAGE_PASSWORD=Pwd2020Db
+# STORAGE_PORT=1521
+# STORAGE_DATABASE="C##DBGATE"
+# STORAGE_ENGINE=oracle@dbgate-plugin-oracle
+
+
+# ADMIN_PASSWORD=test
+# DBGATE_LICENSE=eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYW1lIjoiSmFuIFByb2NoYXprYSIsImxpY2Vuc2VUeXBlIjoicHJlbWl1bSIsInZhbGlkVG8iOiIyMDI0LTA5LTMwIiwiaWF0IjoxNzIyNDM0NTUyLCJleHAiOjE3MzAyMTA1NTJ9.gqyK5DdKMYfrN1uPlD3wZA8P-4CUGiT_zkTdezE2ln6IPGVrHfapG7pZgPFMWYM-Nsj9_Q525tJvgazs4a3KcPoXdt_EtA78Kse5ILkkysFVwczvK4qYhymJdCo3_C7si3Pgc3bqXj2GSekIIJLaZ06lfZW9Wt6BTh8q-5SCuQu6_0FItikG1McszmwlgEanJctFp0PvnkSNRblbAFXrGUoWXMXAplthyD2ZGblqEbZBfvZYjSloZpC2KAN9wUib3wNvaKmMANIXLMQpBDh0plzbLyqsRGU-6pyZLxOI5AJ8nZtxJccLn1qUJ0fE_KDF3RjIxLZtj8ybeC8Rf3hQ0g
+
+# BASIC_AUTH=true

package/package.json

@@ -0,0 +1,89 @@
+{
+  "name": "dbgate-api-premium",
+  "main": "src/index.js",
+  "version": "5.5.7-alpha.45",
+  "homepage": "https://dbgate.org/",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/dbgate/dbgate.git"
+  },
+  "author": "Jan Prochazka",
+  "license": "Commercial",
+  "keywords": [
+    "sql",
+    "json",
+    "import",
+    "export",
+    "dbgate"
+  ],
+  "dependencies": {
+    "@aws-sdk/rds-signer": "^3.665.0",
+    "activedirectory2": "^2.1.0",
+    "async-lock": "^1.2.6",
+    "axios": "^0.21.1",
+    "body-parser": "^1.19.0",
+    "bufferutil": "^4.0.1",
+    "byline": "^5.0.0",
+    "compare-versions": "^3.6.0",
+    "cors": "^2.8.5",
+    "cross-env": "^6.0.3",
+    "dbgate-datalib": "^5.5.7-alpha.45",
+    "dbgate-query-splitter": "^4.11.2",
+    "dbgate-sqltree": "^5.5.7-alpha.45",
+    "dbgate-tools": "^5.5.7-alpha.45",
+    "debug": "^4.3.4",
+    "diff": "^5.0.0",
+    "diff2html": "^3.4.13",
+    "eslint": "^6.8.0",
+    "express": "^4.17.1",
+    "express-basic-auth": "^1.2.0",
+    "express-fileupload": "^1.2.0",
+    "external-sorting": "^1.3.1",
+    "fs-extra": "^9.1.0",
+    "fs-reverse": "^0.0.3",
+    "get-port": "^5.1.1",
+    "http": "^0.0.0",
+    "is-electron": "^2.2.1",
+    "js-yaml": "^4.1.0",
+    "json-stable-stringify": "^1.0.1",
+    "jsonwebtoken": "^8.5.1",
+    "line-reader": "^0.4.0",
+    "lodash": "^4.17.21",
+    "moment": "^2.24.0",
+    "ncp": "^2.0.0",
+    "node-cron": "^2.0.3",
+    "on-finished": "^2.4.1",
+    "pinomin": "^1.0.4",
+    "portfinder": "^1.0.28",
+    "rimraf": "^3.0.0",
+    "semver": "^7.6.3",
+    "simple-encryptor": "^4.0.0",
+    "ssh2": "^1.11.0",
+    "stream-json": "^1.8.0",
+    "tar": "^6.0.5"
+  },
+  "scripts": {
+    "start": "env-cmd -f .env node src/index.js --listen-api",
+    "start:portal": "env-cmd -f env/portal/.env node src/index.js --listen-api",
+    "start:singledb": "env-cmd -f env/singledb/.env node src/index.js --listen-api",
+    "start:auth": "env-cmd -f env/auth/.env node src/index.js --listen-api",
+    "start:dblogin": "env-cmd -f env/dblogin/.env node src/index.js --listen-api",
+    "start:filedb": "env-cmd node src/index.js /home/jena/test/chinook/Chinook.db --listen-api",
+    "start:storage": "env-cmd -f env/storage/.env node src/index.js --listen-api",
+    "start:storage:built": "env-cmd -f env/storage/.env cross-env DEVMODE= BUILTWEBMODE=1 node dist/bundle.js --listen-api",
+    "start:singleconn": "env-cmd node src/index.js --server localhost --user root --port 3307 --engine mysql@dbgate-plugin-mysql --password test --listen-api",
+    "ts": "tsc",
+    "build": "webpack"
+  },
+  "devDependencies": {
+    "@types/fs-extra": "^9.0.11",
+    "@types/lodash": "^4.14.149",
+    "dbgate-types": "^5.5.7-alpha.45",
+    "env-cmd": "^10.1.0",
+    "node-loader": "^1.0.2",
+    "nodemon": "^2.0.2",
+    "typescript": "^4.4.3",
+    "webpack": "^5.91.0",
+    "webpack-cli": "^5.1.4"
+  }
+}

package/src/auth/authCommon.js

@@ -0,0 +1,16 @@
+const crypto = require('crypto');
+
+const tokenSecret = crypto.randomUUID();
+
+function getTokenLifetime() {
+  return process.env.TOKEN_LIFETIME || '1d';
+}
+
+function getTokenSecret() {
+  return tokenSecret;
+}
+
+module.exports = {
+  getTokenLifetime,
+  getTokenSecret,
+};

package/src/auth/authProvider.js

@@ -0,0 +1,343 @@
+const { getTokenSecret, getTokenLifetime } = require('./authCommon');
+const _ = require('lodash');
+const axios = require('axios');
+const { getLogger, getPredefinedPermissions } = require('dbgate-tools');
+
+const AD = require('activedirectory2').promiseWrapper;
+const jwt = require('jsonwebtoken');
+
+const logger = getLogger('authProvider');
+
+class AuthProviderBase {
+  amoid = 'none';
+
+  async login(login, password, options = undefined) {
+    return {
+      accessToken: jwt.sign(
+        {
+          amoid: this.amoid,
+        },
+        getTokenSecret(),
+        { expiresIn: getTokenLifetime() }
+      ),
+    };
+  }
+
+  oauthToken(params) {
+    return {};
+  }
+
+  getCurrentLogin(req) {
+    const login = req?.user?.login ?? req?.auth?.user ?? null;
+    return login;
+  }
+
+  isUserLoggedIn(req) {
+    return !!req?.user || !!req?.auth;
+  }
+
+  getCurrentPermissions(req) {
+    const login = this.getCurrentLogin(req);
+    const permissions = process.env[`LOGIN_PERMISSIONS_${login}`];
+    return permissions || process.env.PERMISSIONS;
+  }
+
+  getLoginPageConnections() {
+    return null;
+  }
+
+  getSingleConnectionId(req) {
+    return null;
+  }
+
+  toJson() {
+    return {
+      amoid: this.amoid,
+      workflowType: 'anonymous',
+      name: 'Anonymous',
+    };
+  }
+
+  async redirect({ state }) {
+    return {
+      status: 'error',
+    };
+  }
+
+  async getLogoutUrl() {
+    return null;
+  }
+}
+
+class OAuthProvider extends AuthProviderBase {
+  amoid = 'oauth';
+
+  async oauthToken(params) {
+    const { redirectUri, code } = params;
+
+    const scopeParam = process.env.OAUTH_SCOPE ? `&scope=${process.env.OAUTH_SCOPE}` : '';
+    const resp = await axios.default.post(
+      `${process.env.OAUTH_TOKEN}`,
+      `grant_type=authorization_code&code=${encodeURIComponent(code)}&redirect_uri=${encodeURIComponent(
+        redirectUri
+      )}&client_id=${process.env.OAUTH_CLIENT_ID}&client_secret=${process.env.OAUTH_CLIENT_SECRET}${scopeParam}`
+    );
+
+    const { access_token, refresh_token, id_token } = resp.data;
+
+    let payload = jwt.decode(access_token);
+
+    // Fallback to id_token in case the access_token is not a JWT
+    // https://www.oauth.com/oauth2-servers/access-tokens/
+    // https://github.com/dbgate/dbgate/issues/727
+    if (!payload && id_token) {
+      payload = jwt.decode(id_token);
+    }
+
+    logger.info({ payload }, 'User payload returned from OAUTH');
+
+    const login =
+      process.env.OAUTH_LOGIN_FIELD && payload && payload[process.env.OAUTH_LOGIN_FIELD]
+        ? payload[process.env.OAUTH_LOGIN_FIELD]
+        : 'oauth';
+
+    if (
+      process.env.OAUTH_ALLOWED_LOGINS &&
+      !process.env.OAUTH_ALLOWED_LOGINS.split(',').find(x => x.toLowerCase().trim() == login.toLowerCase().trim())
+    ) {
+      return { error: `Username ${login} not allowed to log in` };
+    }
+
+    const groups =
+      process.env.OAUTH_GROUP_FIELD && payload && payload[process.env.OAUTH_GROUP_FIELD]
+        ? payload[process.env.OAUTH_GROUP_FIELD]
+        : [];
+
+    const allowedGroups = process.env.OAUTH_ALLOWED_GROUPS
+      ? process.env.OAUTH_ALLOWED_GROUPS.split(',').map(group => group.toLowerCase().trim())
+      : [];
+
+    if (process.env.OAUTH_ALLOWED_GROUPS && !groups.some(group => allowedGroups.includes(group.toLowerCase().trim()))) {
+      return { error: `Username ${login} does not belong to an allowed group` };
+    }
+
+    if (access_token) {
+      return {
+        accessToken: jwt.sign({ login }, getTokenSecret(), { expiresIn: getTokenLifetime() }),
+      };
+    }
+
+    return { error: 'Token not found' };
+  }
+
+  async getLogoutUrl() {
+    return process.env.OAUTH_LOGOUT;
+  }
+
+  toJson() {
+    return {
+      ...super.toJson(),
+      workflowType: 'redirect',
+      name: 'OAuth 2.0',
+    };
+  }
+
+  redirect({ state, redirectUri }) {
+    const scopeParam = process.env.OAUTH_SCOPE ? `&scope=${process.env.OAUTH_SCOPE}` : '';
+    return {
+      status: 'ok',
+      uri: `${process.env.OAUTH_AUTH}?client_id=${
+        process.env.OAUTH_CLIENT_ID
+      }&response_type=code&redirect_uri=${encodeURIComponent(redirectUri)}&state=${encodeURIComponent(
+        state
+      )}${scopeParam}`,
+    };
+  }
+}
+
+class ADProvider extends AuthProviderBase {
+  amoid = 'ad';
+
+  async login(login, password, options = undefined) {
+    const adConfig = {
+      url: process.env.AD_URL,
+      baseDN: process.env.AD_BASEDN,
+      username: process.env.AD_USERNAME,
+      password: process.env.AD_PASSWORD,
+    };
+    const ad = new AD(adConfig);
+    try {
+      const res = await ad.authenticate(login, password);
+      if (!res) {
+        return { error: 'Login failed' };
+      }
+      if (
+        process.env.AD_ALLOWED_LOGINS &&
+        !process.env.AD_ALLOWED_LOGINS.split(',').find(x => x.toLowerCase().trim() == login.toLowerCase().trim())
+      ) {
+        return { error: `Username ${login} not allowed to log in` };
+      }
+      return {
+        accessToken: jwt.sign(
+          {
+            amoid: this.amoid,
+            login,
+          },
+          getTokenSecret(),
+          { expiresIn: getTokenLifetime() }
+        ),
+      };
+    } catch (e) {
+      return { error: 'Login failed' };
+    }
+  }
+
+  toJson() {
+    return {
+      ...super.toJson(),
+      workflowType: 'credentials',
+      name: 'Active Directory',
+    };
+  }
+}
+
+class LoginsProvider extends AuthProviderBase {
+  amoid = 'logins';
+
+  async login(login, password, options = undefined) {
+    if (login && password && process.env['LOGIN'] == login && process.env['PASSWORD'] == password) {
+      return {
+        accessToken: jwt.sign(
+          {
+            amoid: this.amoid,
+            login,
+          },
+          getTokenSecret(),
+          { expiresIn: getTokenLifetime() }
+        ),
+      };
+    }
+
+    if (password == process.env[`LOGIN_PASSWORD_${login}`]) {
+      return {
+        accessToken: jwt.sign(
+          {
+            amoid: this.amoid,
+            login,
+          },
+          getTokenSecret(),
+          { expiresIn: getTokenLifetime() }
+        ),
+      };
+    }
+    
+    return { error: 'Invalid credentials' };
+  }
+
+  toJson() {
+    return {
+      ...super.toJson(),
+      workflowType: 'credentials',
+      name: 'Login & Password',
+    };
+  }
+}
+
+class DenyAllProvider extends AuthProviderBase {
+  amoid = 'deny';
+
+  async login(login, password, options = undefined) {
+    return { error: 'Login not allowed' };
+  }
+
+  toJson() {
+    return {
+      ...super.toJson(),
+      workflowType: 'credentials',
+      name: 'Deny all',
+    };
+  }
+}
+
+function hasEnvLogins() {
+  if (process.env.LOGIN && process.env.PASSWORD) {
+    return true;
+  }
+  for (const key in process.env) {
+    if (key.startsWith('LOGIN_PASSWORD_')) {
+      return true;
+    }
+  }
+  return false;
+}
+
+function detectEnvAuthProvider() {
+  if (process.env.AUTH_PROVIDER) {
+    return process.env.AUTH_PROVIDER;
+  }
+
+  if (process.env.STORAGE_DATABASE) {
+    return 'denyall';
+  }
+  if (process.env.OAUTH_AUTH) {
+    return 'oauth';
+  }
+  if (process.env.AD_URL) {
+    return 'ad';
+  }
+  if (hasEnvLogins()) {
+    return 'logins';
+  }
+  return 'none';
+}
+
+function createEnvAuthProvider() {
+  const authProvider = detectEnvAuthProvider();
+  switch (authProvider) {
+    case 'oauth':
+      return new OAuthProvider();
+    case 'ad':
+      return new ADProvider();
+    case 'logins':
+      return new LoginsProvider();
+    case 'denyall':
+      return new DenyAllProvider();
+    default:
+      return new AuthProviderBase();
+  }
+}
+
+let defaultAuthProvider = createEnvAuthProvider();
+let authProviders = [defaultAuthProvider];
+
+function getAuthProviders() {
+  return authProviders;
+}
+
+function getAuthProviderById(amoid) {
+  return authProviders.find(x => x.amoid == amoid);
+}
+
+function getDefaultAuthProvider() {
+  return defaultAuthProvider;
+}
+
+function getAuthProviderFromReq(req) {
+  const authProviderId = req?.auth?.amoid || req?.user?.amoid;
+  return getAuthProviderById(authProviderId) ?? getDefaultAuthProvider();
+}
+
+function setAuthProviders(value, defaultProvider = null) {
+  authProviders = value;
+  defaultAuthProvider = defaultProvider || value[0];
+}
+
+module.exports = {
+  AuthProviderBase,
+  detectEnvAuthProvider,
+  getAuthProviders,
+  getDefaultAuthProvider,
+  setAuthProviders,
+  getAuthProviderById,
+  getAuthProviderFromReq,
+};