dbgate-api-premium 5.5.7-alpha.45

package/src/utility/SSHConnection.js

@@ -0,0 +1,251 @@
+/*
+ * Copyright 2018 Stocard GmbH.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+const { Client } = require('ssh2');
+const net = require('net');
+const fs = require('fs');
+const os = require('os');
+const path = require('path');
+const debug = require('debug');
+
+// interface Options {
+//   username?: string;
+//   password?: string;
+//   privateKey?: string | Buffer;
+//   agentForward?: boolean;
+//   bastionHost?: string;
+//   passphrase?: string;
+//   endPort?: number;
+//   endHost: string;
+//   agentSocket?: string;
+//   skipAutoPrivateKey?: boolean;
+//   noReadline?: boolean;
+// }
+
+// interface ForwardingOptions {
+//   fromPort: number;
+//   toPort: number;
+//   toHost?: string;
+// }
+
+class SSHConnection {
+  constructor(options) {
+    this.options = options;
+    this.debug = debug('ssh');
+    this.connections = [];
+    this.isWindows = process.platform === 'win32';
+    if (!options.username) {
+      this.options.username = process.env['SSH_USERNAME'] || process.env['USER'];
+    }
+    if (!options.endPort) {
+      this.options.endPort = 22;
+    }
+    if (!options.privateKey && !options.agentForward && !options.skipAutoPrivateKey) {
+      const defaultFilePath = path.join(os.homedir(), '.ssh', 'id_rsa');
+      if (fs.existsSync(defaultFilePath)) {
+        this.options.privateKey = fs.readFileSync(defaultFilePath);
+      }
+    }
+  }
+
+  async shutdown() {
+    this.debug('Shutdown connections');
+    for (const connection of this.connections) {
+      connection.removeAllListeners();
+      connection.end();
+    }
+    return new Promise(resolve => {
+      if (this.server) {
+        this.server.close(resolve);
+      }
+      return resolve();
+    });
+  }
+
+  async tty() {
+    const connection = await this.establish();
+    this.debug('Opening tty');
+    await this.shell(connection);
+  }
+
+  async executeCommand(command) {
+    const connection = await this.establish();
+    this.debug('Executing command "%s"', command);
+    await this.shell(connection, command);
+  }
+
+  async shell(connection, command) {
+    return new Promise((resolve, reject) => {
+      connection.shell((err, stream) => {
+        if (err) {
+          return reject(err);
+        }
+        stream
+          .on('close', async () => {
+            stream.end();
+            process.stdin.unpipe(stream);
+            process.stdin.destroy();
+            connection.end();
+            await this.shutdown();
+            return resolve();
+          })
+          .stderr.on('data', data => {
+            return reject(data);
+          });
+        stream.pipe(process.stdout);
+
+        if (command) {
+          stream.end(`${command}\nexit\n`);
+        } else {
+          process.stdin.pipe(stream);
+        }
+      });
+    });
+  }
+
+  async establish() {
+    let connection;
+    if (this.options.bastionHost) {
+      connection = await this.connectViaBastion(this.options.bastionHost);
+    } else {
+      connection = await this.connect(this.options.endHost);
+    }
+    return connection;
+  }
+
+  async connectViaBastion(bastionHost) {
+    this.debug('Connecting to bastion host "%s"', bastionHost);
+    const connectionToBastion = await this.connect(bastionHost);
+    return new Promise((resolve, reject) => {
+      connectionToBastion.forwardOut(
+        '127.0.0.1',
+        22,
+        this.options.endHost,
+        this.options.endPort || 22,
+        async (err, stream) => {
+          if (err) {
+            return reject(err);
+          }
+          const connection = await this.connect(this.options.endHost, stream);
+          return resolve(connection);
+        }
+      );
+    });
+  }
+
+  async connect(host, stream) {
+    this.debug('Connecting to "%s"', host);
+    const connection = new Client();
+    return new Promise(async (resolve, reject) => {
+      const options = {
+        host,
+        port: this.options.endPort,
+        username: this.options.username,
+        password: this.options.password,
+        privateKey: this.options.privateKey,
+      };
+      if (this.options.agentForward) {
+        options['agentForward'] = true;
+
+        // see https://github.com/mscdex/ssh2#client for agents on Windows
+        // guaranteed to give the ssh agent sock if the agent is running (posix)
+        let agentDefault = process.env['SSH_AUTH_SOCK'];
+        if (this.isWindows) {
+          // null or undefined
+          if (agentDefault == null) {
+            agentDefault = 'pageant';
+          }
+        }
+
+        const agentSock = this.options.agentSocket ? this.options.agentSocket : agentDefault;
+        if (agentSock == null) {
+          throw new Error('SSH Agent Socket is not provided, or is not set in the SSH_AUTH_SOCK env variable');
+        }
+        options['agent'] = agentSock;
+      }
+      if (stream) {
+        options['sock'] = stream;
+      }
+      // PPK private keys can be encrypted, but won't contain the word 'encrypted'
+      // in fact they always contain a `encryption` header, so we can't do a simple check
+      options['passphrase'] = this.options.passphrase;
+      const looksEncrypted = this.options.privateKey
+        ? this.options.privateKey.toString().toLowerCase().includes('encrypted')
+        : false;
+      if (looksEncrypted && !options['passphrase'] && !this.options.noReadline) {
+        // options['passphrase'] = await this.getPassphrase();
+      }
+      connection.on('ready', () => {
+        this.connections.push(connection);
+        return resolve(connection);
+      });
+
+      connection.on('error', error => {
+        reject(error);
+      });
+      try {
+        connection.connect(options);
+      } catch (error) {
+        reject(error);
+      }
+    });
+  }
+
+  //   private async getPassphrase() {
+  //     return new Promise(resolve => {
+  //       const rl = readline.createInterface({
+  //         input: process.stdin,
+  //         output: process.stdout,
+  //       });
+  //       rl.question('Please type in the passphrase for your private key: ', answer => {
+  //         return resolve(answer);
+  //       });
+  //     });
+  //   }
+
+  async forward(options) {
+    const connection = await this.establish();
+    return new Promise((resolve, reject) => {
+      this.server = net
+        .createServer(socket => {
+          this.debug(
+            'Forwarding connection from "localhost:%d" to "%s:%d"',
+            options.fromPort,
+            options.toHost,
+            options.toPort
+          );
+          connection.forwardOut(
+            'localhost',
+            options.fromPort,
+            options.toHost || 'localhost',
+            options.toPort,
+            (error, stream) => {
+              if (error) {
+                return reject(error);
+              }
+              socket.pipe(stream);
+              stream.pipe(socket);
+            }
+          );
+        })
+        .listen(options.fromPort, 'localhost', () => {
+          return resolve();
+        });
+    });
+  }
+}
+
+module.exports = { SSHConnection };

package/src/utility/authProxy.js

@@ -0,0 +1,133 @@
+const axios = require('axios');
+const { Signer } = require('@aws-sdk/rds-signer');
+
+const AUTH_PROXY_URL = process.env.DEVWEB ? 'https://dbgate-auth-proxy.stages.udolni.net' : 'https://auth.dbgate.eu';
+// const AUTH_PROXY_URL = 'https://dbgate-auth-proxy.stages.udolni.net';
+
+let licenseKey = null;
+
+function setAuthProxyLicense(value) {
+  licenseKey = value;
+}
+
+function isAuthProxySupported() {
+  return true;
+}
+
+async function authProxyGetRedirectUrl({ client, type, state, redirectUri }) {
+  const respSession = await axios.default.post(
+    `${AUTH_PROXY_URL}/create-session`,
+    {
+      client,
+      type,
+    },
+    {
+      headers: {
+        'Content-Type': 'application/json',
+        Authorization: `Bearer ${licenseKey ?? process.env.DBGATE_LICENSE}`,
+      },
+    }
+  );
+
+  const { sid } = respSession.data;
+
+  const url = redirectUri
+    ? `${AUTH_PROXY_URL}/login?sid=${sid}&redirectUri=${encodeURIComponent(redirectUri)}&state=${encodeURIComponent(
+        state
+      )}`
+    : `${AUTH_PROXY_URL}/login?sid=${sid}&state=${encodeURIComponent(state)}`;
+
+  return {
+    url,
+    sid,
+  };
+}
+
+async function authProxyGetTokenFromCode({ sid, code }) {
+  try {
+    const respToken = await axios.default.post(
+      `${AUTH_PROXY_URL}/acquire-token`,
+      {
+        sid,
+        code,
+      },
+      {
+        headers: {
+          'Content-Type': 'application/json',
+          Authorization: `Bearer ${licenseKey ?? process.env.DBGATE_LICENSE}`,
+        },
+      }
+    );
+    return respToken.data.token;
+  } catch (err) {
+    return null;
+  }
+}
+
+function startTokenChecking(sid, callback) {
+  const started = Date.now();
+  const interval = setInterval(async () => {
+    if (Date.now() - started > 60 * 1000) {
+      clearInterval(interval);
+      return;
+    }
+
+    try {
+      const resp = await axios.default.post(
+        `${AUTH_PROXY_URL}/get-token`,
+        {
+          sid,
+        },
+        {
+          headers: {
+            'Content-Type': 'application/json',
+            Authorization: `Bearer ${licenseKey ?? process.env.DBGATE_LICENSE}`,
+          },
+        }
+      );
+
+      if (resp.data.status == 'ok') {
+        clearInterval(interval);
+        callback(resp.data.token);
+      }
+    } catch (err) {
+      console.error('Error checking token', err);
+    }
+  }, 500);
+}
+
+function getAuthProxyUrl() {
+  return AUTH_PROXY_URL;
+}
+
+function supportsAwsIam() {
+  return true;
+}
+
+async function getAwsIamToken(props) {
+  const { accessKeyId, secretAccessKey, awsRegion, port, user, server } = props;
+  const signer = new Signer({
+    credentials: {
+      accessKeyId,
+      secretAccessKey,
+    },
+    region: awsRegion,
+    port,
+    username: user,
+    hostname: server,
+  });
+
+  const token = await signer.getAuthToken();
+  return token;
+}
+
+module.exports = {
+  isAuthProxySupported,
+  authProxyGetRedirectUrl,
+  authProxyGetTokenFromCode,
+  setAuthProxyLicense,
+  startTokenChecking,
+  getAuthProxyUrl,
+  supportsAwsIam,
+  getAwsIamToken,
+};

package/src/utility/checkLicense.js

@@ -0,0 +1,186 @@
+const { getLogger, extractErrorLogData } = require('dbgate-tools');
+const jwt = require('jsonwebtoken');
+const isElectron = require('is-electron');
+const { storageReadConfig } = require('../controllers/storageDb');
+const path = require('path');
+const os = require('os');
+const fs = require('fs');
+const { setAuthProxyLicense } = require('./authProxy');
+const axios = require('axios');
+const crypto = require('crypto');
+const platformInfo = require('./platformInfo');
+
+const logger = getLogger('checkLicense');
+
+const publicKey = `-----BEGIN PUBLIC KEY-----
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnkFvSGF5FuAJQEZWYTZw
+ILZD0nxnc1oOm71m0tzC+VGNm7wmSmP2Rt+kwsrqp/TrbIjH62B4FPumbFPVOsCj
+WQ0s2QnV3uclvC4ZeIhCtqSrxnFYfLLr1rA8Zg6WYutUK+I4djMHzqkcMfzKJTup
+J28ZL1Tn0W3ZnJ2GW5cSmmuHxOu+7PXFx0UjyaYMWGUvaXo6A5wLFR5BynCJMeOX
+HSYeVUN88w4uOzQUA+agUVitXMHtKs0LckadGptxJ31Ll1M2TCWggajuaqW8tHCg
+OaqL08uYAfHQAWER0F9wumsvD/zVWnc/Wi1fH7wt19XoBEt1TWpu+VcgPIDb3naQ
+mQIDAQAB
+-----END PUBLIC KEY-----
+`;
+
+let awsMetadataLoaded = false;
+let awsMetadata = null;
+async function getAwsMetadata() {
+  if (awsMetadataLoaded) {
+    return awsMetadata;
+  }
+  try {
+    const tokenResponse = await axios.default.put('http://169.254.169.254/latest/api/token', null, {
+      headers: {
+        'X-aws-ec2-metadata-token-ttl-seconds': '21600',
+      },
+      timeout: 1000,
+    });
+    const token = tokenResponse.data;
+
+    const amiIdResponse = await axios.default.get('http://169.254.169.254/latest/meta-data/ami-id', {
+      headers: {
+        'X-aws-ec2-metadata-token': token,
+      },
+      timeout: 1000,
+    });
+    const amiId = amiIdResponse.data;
+
+    const regionResponse = await axios.default.get('http://169.254.169.254/latest/meta-data/placement/region', {
+      headers: {
+        'X-aws-ec2-metadata-token': token,
+      },
+      timeout: 1000,
+    });
+    const region = regionResponse.data;
+
+    awsMetadata = { amiId, region };
+    awsMetadataLoaded = true;
+
+    logger.info(`Loaded AWS metadata, AMIID=${amiId}, region=${region}`);
+    return { amiId, region };
+  } catch (error) {
+    logger.error(extractErrorLogData(error), 'Error getting AWS metadata');
+    awsMetadataLoaded = true;
+    return null;
+  }
+}
+
+function checkLicenseKey(licenseKey) {
+  try {
+    const decoded = jwt.verify(licenseKey, publicKey, {
+      algorithms: ['RS256'],
+    });
+    if (decoded.licenseType != 'premium') {
+      logger.error(`Incorrect license type, expected premium, found ${decoded.licenseType}`);
+      return {
+        status: 'error',
+        error: `Incorrect license type, expected premium, found ${decoded.licenseType}`,
+      };
+    }
+    return {
+      status: 'ok',
+      type: 'premium',
+      validTo: decoded.validTo,
+      expiration: new Date(decoded.exp * 1000).toISOString(),
+      daysLeft: Math.round((decoded.exp * 1000 - Date.now()) / (24 * 60 * 60 * 1000)),
+      isGeneratedTrial: decoded.isGeneratedTrial,
+    };
+  } catch (err) {
+    try {
+      // detect expired license
+      const decoded = jwt.decode(licenseKey);
+      if (decoded) {
+        const { exp } = decoded;
+        if (exp * 1000 < Date.now()) {
+          return {
+            status: 'error',
+            isExpired: true,
+            errorMessage: 'License key is expired',
+          };
+        }
+      }
+    } catch (err) {}
+
+    logger.error(extractErrorLogData(err), 'License token is invalid');
+    return {
+      status: 'error',
+      error: err.message ?? 'License token is invalid',
+    };
+  }
+}
+
+let awsTokenLoaded = false;
+let awsTokenHash = null;
+function getAwsToken() {
+  if (awsTokenLoaded) {
+    return awsTokenHash;
+  }
+  try {
+    const token = fs
+      .readFileSync('/etc/drunid', {
+        encoding: 'utf-8',
+      })
+      .trim();
+    awsTokenHash = crypto.createHash('md5').update(token).digest('hex');
+  } catch (err) {}
+  awsTokenLoaded = true;
+  return awsTokenHash;
+}
+
+async function checkLicense() {
+  if (process.env.DBGATE_LICENSE) {
+    return checkLicenseKey(process.env.DBGATE_LICENSE);
+  }
+
+  if (platformInfo.isAwsUbuntuLayout && getAwsToken() == 'b93c7491890460063003a02de06ec84a') {
+    const metadata = await getAwsMetadata();
+    if (metadata?.amiId) {
+      return {
+        status: 'ok',
+        type: 'premium',
+      };
+    }
+  }
+
+  if (process.env.STORAGE_DATABASE) {
+    const licenseConfig = await storageReadConfig('license');
+    const key = licenseConfig?.licenseKey;
+    if (key) {
+      setAuthProxyLicense(key);
+      return checkLicenseKey(key);
+    }
+  }
+
+  const datadir = path.join(os.homedir(), '.dbgate');
+  if (isElectron()) {
+    try {
+      const licenseKey = fs.readFileSync(path.join(datadir, 'license.key'), {
+        encoding: 'utf-8',
+      });
+      setAuthProxyLicense(licenseKey);
+      if (licenseKey) {
+        return checkLicenseKey(licenseKey);
+      }
+    } catch (err) {
+      logger.warn(extractErrorLogData(err), 'Error loading license key');
+    }
+  }
+
+  if (isElectron()) {
+    return {
+      status: 'error',
+      error: 'License key not set',
+    };
+  } else {
+    return {
+      status: 'error',
+      error: 'Variable DBGATE_LICENSE is not set',
+    };
+  }
+}
+
+module.exports = {
+  checkLicense,
+  checkLicenseKey,
+};

package/src/utility/childProcessChecker.js

@@ -0,0 +1,21 @@
+const { getLogger, extractErrorLogData } = require('dbgate-tools');
+
+const logger = getLogger('childProcessChecked');
+
+let counter = 0;
+
+function childProcessChecker() {
+  setInterval(() => {
+    try {
+      process.send({ msgtype: 'ping', counter: counter++ });
+    } catch (err) {
+      // This will come once parent dies.
+      // One way can be to check for error code ERR_IPC_CHANNEL_CLOSED
+      //     and call process.exit()
+      logger.error(extractErrorLogData(err), 'parent died');
+      process.exit(1);
+    }
+  }, 1000);
+}
+
+module.exports = childProcessChecker;

package/src/utility/cleanDirectory.js

@@ -0,0 +1,24 @@
+const fs = require('fs-extra');
+const path = require('path');
+const ageSeconds = 3600;
+
+async function cleanDirectory(directory, age = undefined) {
+  const files = await fs.readdir(directory);
+  const now = new Date().getTime();
+
+  for (const file of files) {
+    const full = path.join(directory, file);
+    const stat = await fs.stat(full);
+    const mtime = stat.mtime.getTime();
+    const expirationTime = mtime + (age || ageSeconds) * 1000;
+    if (now > expirationTime) {
+      if (stat.isDirectory()) {
+        await fs.rmdir(full, { recursive: true });
+      } else {
+        await fs.unlink(full);
+      }
+    }
+  }
+}
+
+module.exports = cleanDirectory;

package/src/utility/cloudUpgrade.js

@@ -0,0 +1,61 @@
+const axios = require('axios');
+const fs = require('fs');
+const fsp = require('fs/promises');
+const semver = require('semver');
+const currentVersion = require('../currentVersion');
+const { getLogger, extractErrorLogData } = require('dbgate-tools');
+
+const logger = getLogger('cloudUpgrade');
+
+async function checkCloudUpgrade() {
+  try {
+    const resp = await axios.default.get('https://api.github.com/repos/dbgate/dbgate/releases/latest');
+    const json = resp.data;
+    const version = json.name.substring(1);
+    let cloudDownloadedVersion = null;
+    try {
+      cloudDownloadedVersion = await fsp.readFile(process.env.CLOUD_UPGRADE_FILE + '.version', 'utf-8');
+    } catch (err) {
+      cloudDownloadedVersion = null;
+    }
+    if (
+      semver.gt(version, currentVersion.version) &&
+      (!cloudDownloadedVersion || semver.gt(version, cloudDownloadedVersion))
+    ) {
+      logger.info(`New version available: ${version}`);
+      const zipUrl = json.assets.find(x => x.name == 'cloud-build.zip').browser_download_url;
+
+      const writer = fs.createWriteStream(process.env.CLOUD_UPGRADE_FILE);
+
+      const response = await axios.default({
+        url: zipUrl,
+        method: 'GET',
+        responseType: 'stream',
+      });
+
+      response.data.pipe(writer);
+
+      await new Promise((resolve, reject) => {
+        writer.on('finish', resolve);
+        writer.on('error', reject);
+      });
+      await fsp.writeFile(process.env.CLOUD_UPGRADE_FILE + '.version', version);
+
+      logger.info(`Downloaded new version from ${zipUrl}`);
+    } else {
+      logger.info(`Checked version ${version} is not newer than ${cloudDownloadedVersion ?? currentVersion.version}, upgrade skippped`);
+    }
+  } catch (err) {
+    logger.error(extractErrorLogData(err), 'Error checking cloud upgrade');
+  }
+}
+
+function startCloudUpgradeTimer() {
+  // at first in 5 seconds
+  setTimeout(checkCloudUpgrade, 5000);
+
+  // hourly
+  setInterval(checkCloudUpgrade, 60 * 60 * 1000);
+}
+
+module.exports = startCloudUpgradeTimer;