dbgate-api-premium 5.5.7-alpha.45

package/src/auth/storageAuthProvider.js

@@ -0,0 +1,393 @@
+const {
+  sortPermissionsFromTheSameLevel,
+  getPredefinedPermissions,
+  getLogger,
+  getConnectionLabel,
+} = require('dbgate-tools');
+const {
+  storageSelectFmt,
+  storageReadUserRolePermissions,
+  storageReadUserPermissions,
+  storageReadRolePermissions,
+} = require('../controllers/storageDb');
+const { getTokenSecret, getTokenLifetime } = require('./authCommon');
+const { AuthProviderBase } = require('./authProvider');
+const AD = require('activedirectory2').promiseWrapper;
+const jwt = require('jsonwebtoken');
+const logger = getLogger('storageAuthProvider');
+const axios = require('axios');
+const _ = require('lodash');
+const { authProxyGetTokenFromCode, authProxyGetRedirectUrl } = require('../utility/authProxy');
+
+async function loadPermissionsForUserId(userId) {
+  const rolePermissions = sortPermissionsFromTheSameLevel(await storageReadUserRolePermissions(userId));
+  const userPermissions = await storageReadUserPermissions(userId);
+  const loggedUserPermissions = await storageReadRolePermissions(-2);
+  return [...getPredefinedPermissions('logged-user'), ...loggedUserPermissions, ...rolePermissions, ...userPermissions];
+}
+
+class StorageProviderBase extends AuthProviderBase {
+  constructor(config) {
+    super();
+    this.config = config;
+    this.amoid = config.amoid;
+  }
+
+  getCurrentPermissions(req) {
+    return req?.user?.permissions || process.env.PERMISSIONS;
+  }
+
+  toJson() {
+    return {
+      ...super.toJson(),
+      name: this.config.name,
+      type: this.config.type,
+    };
+  }
+}
+
+class AnonymousProvider extends StorageProviderBase {
+  async login(login, password, options = undefined) {
+    const permissions = await [
+      ...getPredefinedPermissions('anonymous-user'),
+      ...(await storageReadRolePermissions(-1)),
+    ];
+
+    return {
+      accessToken: jwt.sign(
+        {
+          amoid: this.amoid,
+          permissions,
+        },
+        getTokenSecret(),
+        { expiresIn: getTokenLifetime() }
+      ),
+    };
+  }
+}
+
+class LocalAuthProvider extends StorageProviderBase {
+  constructor(config) {
+    super(config);
+  }
+  async login(login, password) {
+    const rows = await storageSelectFmt('select * from ~users where login = %v', login);
+    if (rows.length == 0) {
+      return { error: 'Login not allowed' };
+    }
+    const row = rows[0];
+    if (row.password == password) {
+      const userId = row.id;
+      const permissions = await loadPermissionsForUserId(userId);
+
+      return {
+        accessToken: jwt.sign(
+          {
+            amoid: this.amoid,
+            login,
+            permissions,
+            userId,
+          },
+          getTokenSecret(),
+          { expiresIn: getTokenLifetime() }
+        ),
+      };
+    }
+    return { error: 'Invalid credentials' };
+  }
+
+  getCurrentLogin(req) {
+    const login = req?.user?.login ?? req?.auth?.user ?? null;
+    return login;
+  }
+
+  toJson() {
+    return {
+      ...super.toJson(),
+      workflowType: 'credentials',
+    };
+  }
+}
+
+class OauthProvider extends StorageProviderBase {
+  constructor(config) {
+    super(config);
+  }
+
+  async getLogoutUrl() {
+    return this.config.oauthLogout;
+  }
+
+  async oauthToken(params) {
+    const { redirectUri, code } = params;
+
+    const scopeParam = this.config.oauthScope ? `&scope=${this.config.oauthScope}` : '';
+    const resp = await axios.default.post(
+      `${this.config.oauthToken}`,
+      `grant_type=authorization_code&code=${encodeURIComponent(code)}&redirect_uri=${encodeURIComponent(
+        redirectUri
+      )}&client_id=${this.config.oauthClient}&client_secret=${this.config.oauthClientSecret}${scopeParam}`
+    );
+
+    const { access_token, refresh_token } = resp.data;
+
+    const payload = jwt.decode(access_token);
+
+    logger.info({ payload }, 'User payload returned from OAUTH');
+
+    const login =
+      this.config.oauthLoginField && payload && payload[this.config.oauthLoginField]
+        ? payload[this.config.oauthLoginField]
+        : 'oauth';
+
+    const loginRows = await storageSelectFmt('select * from ~users where ~login = %v', login);
+    const permissions = await loadPermissionsForUserId(loginRows[0]?.id ?? -1);
+
+    if (this.config.oauthOnlyDefinedLogins == 1) {
+      if (loginRows.length == 0) {
+        return { error: `Username ${login} not allowed to log in` };
+      }
+    }
+
+    let groups =
+      this.config.oauthGroupField && payload && _.get(payload, this.config.oauthGroupField)
+        ? _.get(payload, this.config.oauthGroupField)
+        : [];
+
+    if (_.isString(groups)) {
+      groups = groups.split(',');
+    }
+
+    if (this.config.oauthOnlyDefinedGroups == 1) {
+      const roleRows = await storageSelectFmt('select * from ~roles where ~name in (%,v)', groups);
+      if (roleRows.length == 0) {
+        return { error: `Groups ${groups.join(', ')} not allowed to log in` };
+      }
+    }
+
+    if (access_token) {
+      return {
+        accessToken: jwt.sign(
+          {
+            amoid: this.amoid,
+            login,
+            permissions,
+            userId: loginRows[0]?.id,
+          },
+          getTokenSecret(),
+          { expiresIn: getTokenLifetime() }
+        ),
+      };
+    }
+
+    return { error: 'Token not found' };
+  }
+
+  redirect({ state, redirectUri }) {
+    const scopeParam = this.config.oauthScope ? `&scope=${this.config.oauthScope}` : '';
+    return {
+      status: 'ok',
+      uri: `${this.config.oauthAuth}?client_id=${
+        this.config.oauthClient
+      }&response_type=code&redirect_uri=${encodeURIComponent(redirectUri)}&state=${encodeURIComponent(
+        state
+      )}${scopeParam}`,
+    };
+  }
+
+  toJson() {
+    return {
+      ...super.toJson(),
+      workflowType: 'redirect',
+    };
+  }
+}
+
+class ADProvider extends StorageProviderBase {
+  constructor(config) {
+    super(config);
+  }
+
+  async login(login, password) {
+    const adConfig = {
+      url: this.config.adUrl,
+      baseDN: this.config.adBaseDN,
+      username: this.config.adLogin,
+      password: this.config.adPassword,
+    };
+    const ad = new AD(adConfig);
+    try {
+      const res = await ad.authenticate(login, password);
+      if (!res) {
+        return { error: `Login failed, AD rejected login ${login}` };
+      }
+
+      const loginRows = await storageSelectFmt('select * from ~users where ~login = %v', login);
+      const permissions = await loadPermissionsForUserId(loginRows[0]?.id ?? -1);
+
+      if (this.config.adOnlyDefinedLogins == 1) {
+        if (loginRows.length == 0) {
+          return { error: `Username ${login} not allowed to log in` };
+        }
+      }
+
+      return {
+        accessToken: jwt.sign(
+          {
+            amoid: this.amoid,
+            login,
+            permissions,
+          },
+          getTokenSecret(),
+          { expiresIn: getTokenLifetime() }
+        ),
+      };
+    } catch (e) {
+      return { error: `Login failed: ${e.message}` };
+    }
+  }
+
+  toJson() {
+    return {
+      ...super.toJson(),
+      workflowType: 'credentials',
+    };
+  }
+}
+
+class DatabaseProvider extends StorageProviderBase {
+  constructor(config) {
+    super(config);
+  }
+
+  async getLoginPageConnections() {
+    const resp = await storageSelectFmt('select * from ~connections');
+    return resp.map(x => ({
+      conid: x.conid,
+      label: getConnectionLabel(x),
+      passwordMode: x.passwordMode,
+      useRedirectDbLogin: x.useRedirectDbLogin,
+    }));
+  }
+
+  async login(login, password, options) {
+    const { conid } = options;
+    const rows = login ? await storageSelectFmt('select * from ~users where ~login = %v', login) : [];
+    if (this.config.dbloginOnlyDefinedLogins == 1 && rows.length == 0) {
+      return { error: 'Login not allowed' };
+    }
+    const userId = rows[0]?.id;
+    const permissions = await loadPermissionsForUserId(userId ?? -1);
+    return {
+      accessToken: jwt.sign(
+        {
+          amoid: this.amoid,
+          login,
+          permissions,
+          userId,
+          conid,
+        },
+        getTokenSecret(),
+        { expiresIn: getTokenLifetime() }
+      ),
+    };
+  }
+
+  getSingleConnectionId(req) {
+    return req?.user?.conid;
+  }
+
+  toJson() {
+    return {
+      ...super.toJson(),
+      workflowType: 'database',
+    };
+  }
+}
+
+class MsEntraProvider extends StorageProviderBase {
+  constructor(config) {
+    super(config);
+  }
+
+  async getLogoutUrl() {
+    return null;
+  }
+
+  async oauthToken(params) {
+    const { sid, code } = params;
+
+    const token = await authProxyGetTokenFromCode({ sid, code });
+
+    const payload = jwt.decode(token);
+
+    logger.info({ payload }, 'User payload returned from MS Entra');
+
+    const { email } = payload;
+
+    const loginRows = await storageSelectFmt('select * from ~users where ~email = %v', email);
+    const permissions = await loadPermissionsForUserId(loginRows[0]?.id ?? -1);
+
+    if (this.config.msentraOnlyDefinedLogins == 1) {
+      if (loginRows.length == 0) {
+        return { error: `Email ${email} not allowed to log in` };
+      }
+    }
+
+    if (token) {
+      return {
+        accessToken: jwt.sign(
+          {
+            amoid: this.amoid,
+            permissions,
+            msentraToken: token,
+            userId: loginRows[0]?.id,
+            login: payload.unique_name,
+          },
+          getTokenSecret(),
+          { expiresIn: getTokenLifetime() }
+        ),
+      };
+    }
+
+    return { error: 'Token not found' };
+  }
+
+  async redirect({ state, redirectUri }) {
+    const authUrl = await authProxyGetRedirectUrl({ type: 'msentra', client: 'web', redirectUri, state });
+    return {
+      status: 'ok',
+      uri: authUrl.url,
+    };
+  }
+
+  toJson() {
+    return {
+      ...super.toJson(),
+      workflowType: 'redirect',
+    };
+  }
+}
+
+function createStorageAuthProvider(config) {
+  switch (config.type) {
+    case 'local':
+      return new LocalAuthProvider(config);
+    case 'oauth':
+      return new OauthProvider(config);
+    case 'ad':
+      return new ADProvider(config);
+    case 'database':
+      return new DatabaseProvider(config);
+    case 'msentra':
+      return new MsEntraProvider(config);
+    case 'none':
+      return new AnonymousProvider(config);
+    default:
+      return new StorageProviderBase(config);
+  }
+}
+
+module.exports = {
+  createStorageAuthProvider,
+};

package/src/controllers/apps.js

@@ -0,0 +1,280 @@
+const fs = require('fs-extra');
+const _ = require('lodash');
+const path = require('path');
+const { appdir } = require('../utility/directories');
+const socket = require('../utility/socket');
+const connections = require('./connections');
+
+module.exports = {
+  folders_meta: true,
+  async folders() {
+    const folders = await fs.readdir(appdir());
+    return [
+      ...folders.map(name => ({
+        name,
+      })),
+    ];
+  },
+
+  createFolder_meta: true,
+  async createFolder({ folder }) {
+    const name = await this.getNewAppFolder({ name: folder });
+    await fs.mkdir(path.join(appdir(), name));
+    socket.emitChanged('app-folders-changed');
+    this.emitChangedDbApp(folder);
+    return name;
+  },
+
+  files_meta: true,
+  async files({ folder }) {
+    if (!folder) return [];
+    const dir = path.join(appdir(), folder);
+    if (!(await fs.exists(dir))) return [];
+    const files = await fs.readdir(dir);
+
+    function fileType(ext, type) {
+      return files
+        .filter(name => name.endsWith(ext))
+        .map(name => ({
+          name: name.slice(0, -ext.length),
+          label: path.parse(name.slice(0, -ext.length)).base,
+          type,
+        }));
+    }
+
+    return [
+      ...fileType('.command.sql', 'command.sql'),
+      ...fileType('.query.sql', 'query.sql'),
+      ...fileType('.config.json', 'config.json'),
+    ];
+  },
+
+  async emitChangedDbApp(folder) {
+    const used = await this.getUsedAppFolders();
+    if (used.includes(folder)) {
+      socket.emitChanged('used-apps-changed');
+    }
+  },
+
+  refreshFiles_meta: true,
+  async refreshFiles({ folder }) {
+    socket.emitChanged('app-files-changed', { app: folder });
+  },
+
+  refreshFolders_meta: true,
+  async refreshFolders() {
+    socket.emitChanged(`app-folders-changed`);
+  },
+
+  deleteFile_meta: true,
+  async deleteFile({ folder, file, fileType }) {
+    await fs.unlink(path.join(appdir(), folder, `${file}.${fileType}`));
+    socket.emitChanged('app-files-changed', { app: folder });
+    this.emitChangedDbApp(folder);
+  },
+
+  renameFile_meta: true,
+  async renameFile({ folder, file, newFile, fileType }) {
+    await fs.rename(
+      path.join(path.join(appdir(), folder), `${file}.${fileType}`),
+      path.join(path.join(appdir(), folder), `${newFile}.${fileType}`)
+    );
+    socket.emitChanged('app-files-changed', { app: folder });
+    this.emitChangedDbApp(folder);
+  },
+
+  renameFolder_meta: true,
+  async renameFolder({ folder, newFolder }) {
+    const uniqueName = await this.getNewAppFolder({ name: newFolder });
+    await fs.rename(path.join(appdir(), folder), path.join(appdir(), uniqueName));
+    socket.emitChanged(`app-folders-changed`);
+  },
+
+  deleteFolder_meta: true,
+  async deleteFolder({ folder }) {
+    if (!folder) throw new Error('Missing folder parameter');
+    await fs.rmdir(path.join(appdir(), folder), { recursive: true });
+    socket.emitChanged(`app-folders-changed`);
+    socket.emitChanged('app-files-changed', { app: folder });
+    socket.emitChanged('used-apps-changed');
+  },
+
+  async getNewAppFolder({ name }) {
+    if (!(await fs.exists(path.join(appdir(), name)))) return name;
+    let index = 2;
+    while (await fs.exists(path.join(appdir(), `${name}${index}`))) {
+      index += 1;
+    }
+    return `${name}${index}`;
+  },
+
+  getUsedAppFolders_meta: true,
+  async getUsedAppFolders() {
+    const list = await connections.list();
+    const apps = [];
+
+    for (const connection of list) {
+      for (const db of connection.databases || []) {
+        for (const key of _.keys(db || {})) {
+          if (key.startsWith('useApp:') && db[key]) {
+            apps.push(key.substring('useApp:'.length));
+          }
+        }
+      }
+    }
+
+    return _.intersection(_.uniq(apps), await fs.readdir(appdir()));
+  },
+
+  getUsedApps_meta: true,
+  async getUsedApps() {
+    const apps = await this.getUsedAppFolders();
+    const res = [];
+
+    for (const folder of apps) {
+      res.push(await this.loadApp({ folder }));
+    }
+    return res;
+  },
+
+  // getAppsForDb_meta: true,
+  // async getAppsForDb({ conid, database }) {
+  //   const connection = await connections.get({ conid });
+  //   if (!connection) return [];
+  //   const db = (connection.databases || []).find(x => x.name == database);
+  //   const apps = [];
+  //   const res = [];
+  //   if (db) {
+  //     for (const key of _.keys(db || {})) {
+  //       if (key.startsWith('useApp:') && db[key]) {
+  //         apps.push(key.substring('useApp:'.length));
+  //       }
+  //     }
+  //   }
+  //   for (const folder of apps) {
+  //     res.push(await this.loadApp({ folder }));
+  //   }
+  //   return res;
+  // },
+
+  loadApp_meta: true,
+  async loadApp({ folder }) {
+    const res = {
+      queries: [],
+      commands: [],
+      name: folder,
+    };
+    const dir = path.join(appdir(), folder);
+    if (await fs.exists(dir)) {
+      const files = await fs.readdir(dir);
+
+      async function processType(ext, field) {
+        for (const file of files) {
+          if (file.endsWith(ext)) {
+            res[field].push({
+              name: file.slice(0, -ext.length),
+              sql: await fs.readFile(path.join(dir, file), { encoding: 'utf-8' }),
+            });
+          }
+        }
+      }
+
+      await processType('.command.sql', 'commands');
+      await processType('.query.sql', 'queries');
+    }
+
+    try {
+      res.virtualReferences = JSON.parse(
+        await fs.readFile(path.join(dir, 'virtual-references.config.json'), { encoding: 'utf-8' })
+      );
+    } catch (err) {
+      res.virtualReferences = [];
+    }
+    try {
+      res.dictionaryDescriptions = JSON.parse(
+        await fs.readFile(path.join(dir, 'dictionary-descriptions.config.json'), { encoding: 'utf-8' })
+      );
+    } catch (err) {
+      res.dictionaryDescriptions = [];
+    }
+
+    return res;
+  },
+
+  async saveConfigFile(appFolder, filename, filterFunc, newItem) {
+    const file = path.join(appdir(), appFolder, filename);
+
+    let json;
+    try {
+      json = JSON.parse(await fs.readFile(file, { encoding: 'utf-8' }));
+    } catch (err) {
+      json = [];
+    }
+
+    if (filterFunc) {
+      json = json.filter(filterFunc);
+    }
+
+    json = [...json, newItem];
+
+    await fs.writeFile(file, JSON.stringify(json, undefined, 2));
+
+    socket.emitChanged('app-files-changed', { app: appFolder });
+    socket.emitChanged('used-apps-changed');
+  },
+
+  saveVirtualReference_meta: true,
+  async saveVirtualReference({ appFolder, schemaName, pureName, refSchemaName, refTableName, columns }) {
+    await this.saveConfigFile(
+      appFolder,
+      'virtual-references.config.json',
+      columns.length == 1
+        ? x =>
+            !(
+              x.schemaName == schemaName &&
+              x.pureName == pureName &&
+              x.columns.length == 1 &&
+              x.columns[0].columnName == columns[0].columnName
+            )
+        : null,
+      {
+        schemaName,
+        pureName,
+        refSchemaName,
+        refTableName,
+        columns,
+      }
+    );
+    return true;
+  },
+
+  saveDictionaryDescription_meta: true,
+  async saveDictionaryDescription({ appFolder, pureName, schemaName, expression, columns, delimiter }) {
+    await this.saveConfigFile(
+      appFolder,
+      'dictionary-descriptions.config.json',
+      x => !(x.schemaName == schemaName && x.pureName == pureName),
+      {
+        schemaName,
+        pureName,
+        expression,
+        columns,
+        delimiter,
+      }
+    );
+
+    return true;
+  },
+
+  createConfigFile_meta: true,
+  async createConfigFile({ appFolder, fileName, content }) {
+    const file = path.join(appdir(), appFolder, fileName);
+    if (!(await fs.exists(file))) {
+      await fs.writeFile(file, JSON.stringify(content, undefined, 2));
+      socket.emitChanged('app-files-changed', { app: appFolder });
+      socket.emitChanged('used-apps-changed');
+      return true;
+    }
+    return false;
+  },
+};