dbgate-api-premium 6.6.0 → 6.6.2

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "dbgate-api-premium",
   "main": "src/index.js",
-  "version": "6.6.0",
+  "version": "6.6.2",
   "homepage": "https://dbgate.org/",
   "repository": {
     "type": "git",
@@ -30,10 +30,10 @@
     "compare-versions": "^3.6.0",
     "cors": "^2.8.5",
     "cross-env": "^6.0.3",
-    "dbgate-datalib": "^6.6.0",
+    "dbgate-datalib": "^6.6.2",
     "dbgate-query-splitter": "^4.11.5",
-    "dbgate-sqltree": "^6.6.0",
-    "dbgate-tools": "^6.6.0",
+    "dbgate-sqltree": "^6.6.2",
+    "dbgate-tools": "^6.6.2",
     "debug": "^4.3.4",
     "diff": "^5.0.0",
     "diff2html": "^3.4.13",
@@ -56,7 +56,7 @@
     "ncp": "^2.0.0",
     "node-cron": "^2.0.3",
     "on-finished": "^2.4.1",
-    "pinomin": "^1.0.4",
+    "pinomin": "^1.0.5",
     "portfinder": "^1.0.28",
     "rimraf": "^3.0.0",
     "semver": "^7.6.3",
@@ -86,7 +86,7 @@
   "devDependencies": {
     "@types/fs-extra": "^9.0.11",
     "@types/lodash": "^4.14.149",
-    "dbgate-types": "^6.6.0",
+    "dbgate-types": "^6.6.2",
     "env-cmd": "^10.1.0",
     "jsdoc-to-markdown": "^9.0.5",
     "node-loader": "^1.0.2",

package/src/auth/authProvider.js

@@ -36,12 +36,24 @@ class AuthProviderBase {
     return !!req?.user || !!req?.auth;
   }
 
-  getCurrentPermissions(req) {
+  async getCurrentPermissions(req) {
     const login = this.getCurrentLogin(req);
     const permissions = process.env[`LOGIN_PERMISSIONS_${login}`];
     return permissions || process.env.PERMISSIONS;
   }
 
+  async checkCurrentConnectionPermission(req, conid) {
+    return true;
+  }
+
+  async getCurrentDatabasePermissions(req) {
+    return [];
+  }
+
+  async getCurrentTablePermissions(req) {
+    return [];
+  }
+  
   getLoginPageConnections() {
     return null;
   }
@@ -94,7 +106,7 @@ class OAuthProvider extends AuthProviderBase {
       payload = jwt.decode(id_token);
     }
 
-    logger.info({ payload }, 'User payload returned from OAUTH');
+    logger.info({ payload }, 'DBGM-00002 User payload returned from OAUTH');
 
     const login =
       process.env.OAUTH_LOGIN_FIELD && payload && payload[process.env.OAUTH_LOGIN_FIELD]

package/src/auth/storageAuthProvider.js

@@ -11,6 +11,11 @@ const {
   storageReadUserPermissions,
   storageReadRolePermissions,
   storageSqlCommandFmt,
+  loadSuperadminPermissions,
+  readComplexUserRolePermissions,
+  readComplexRolePermissions,
+  storageCheckRoleConnectionAccess,
+  storageCheckUserRoleConnectionAccess,
 } = require('../controllers/storageDb');
 const { getTokenSecret, getTokenLifetime } = require('./authCommon');
 const { AuthProviderBase } = require('./authProvider');
@@ -31,6 +36,34 @@ async function loadPermissionsForUserId(userId) {
   return [...getPredefinedPermissions('logged-user'), ...loggedUserPermissions, ...rolePermissions, ...userPermissions];
 }
 
+class SuperadminAuthProvider extends AuthProviderBase {
+  constructor() {
+    super();
+    this.amoid = 'superadmin';
+  }
+
+  // @ts-ignore
+  async getCurrentPermissions(req) {
+    const permissions = await loadSuperadminPermissions();
+    return permissions;
+  }
+
+  async getCurrentDatabasePermissions(req) {
+    const databasePermissions = await readComplexRolePermissions(-3, 'role_databases');
+    return databasePermissions;
+  }
+
+  async getCurrentTablePermissions(req) {
+    const tablePermissions = await readComplexRolePermissions(-3, 'role_tables');
+    return tablePermissions;
+  }
+
+  async checkCurrentConnectionPermission(req, conid) {
+    const res = await storageCheckRoleConnectionAccess(-3, conid);
+    return res;
+  }
+}
+
 class StorageProviderBase extends AuthProviderBase {
   constructor(config) {
     super();
@@ -38,10 +71,6 @@ class StorageProviderBase extends AuthProviderBase {
     this.amoid = config.amoid;
   }
 
-  getCurrentPermissions(req) {
-    return req?.user?.permissions || process.env.PERMISSIONS;
-  }
-
   toJson() {
     return {
       ...super.toJson(),
@@ -49,15 +78,38 @@ class StorageProviderBase extends AuthProviderBase {
       type: this.config.type,
     };
   }
+
+  async getCurrentPermissions(req) {
+    const userId = this.getUserIdFromRequest(req);
+    const permissions = await loadPermissionsForUserId(userId);
+    return permissions;
+  }
+
+  async getCurrentDatabasePermissions(req) {
+    const userId = this.getUserIdFromRequest(req);
+    const databasePermissions = await readComplexUserRolePermissions(userId, 'user_databases', 'role_databases');
+    return databasePermissions;
+  }
+
+  async getCurrentTablePermissions(req) {
+    const userId = this.getUserIdFromRequest(req);
+    const tablePermissions = await readComplexUserRolePermissions(userId, 'user_tables', 'role_tables');
+    return tablePermissions;
+  }
+
+  async checkCurrentConnectionPermission(req, conid) {
+    const userId = this.getUserIdFromRequest(req);
+    const res = await storageCheckUserRoleConnectionAccess(userId, conid);
+    return res;
+  }
+
+  getUserIdFromRequest(req) {
+    return req?.user?.userId ?? -1;
+  }
 }
 
 class AnonymousProvider extends StorageProviderBase {
   async login(login, password, options = undefined, req = undefined) {
-    const permissions = await [
-      ...getPredefinedPermissions('anonymous-user'),
-      ...(await storageReadRolePermissions(-1)),
-    ];
-
     if (!(await isLoginLicensed(req, `anonymous`))) {
       return { error: LOGIN_LIMIT_ERROR };
     }
@@ -75,7 +127,6 @@ class AnonymousProvider extends StorageProviderBase {
     const accessToken = jwt.sign(
       {
         amoid: this.amoid,
-        permissions,
         licenseUid,
       },
       getTokenSecret(),
@@ -87,6 +138,30 @@ class AnonymousProvider extends StorageProviderBase {
       accessToken,
     };
   }
+
+  // @ts-ignore
+  async getCurrentPermissions(req) {
+    const permissions = await [
+      ...getPredefinedPermissions('anonymous-user'),
+      ...(await storageReadRolePermissions(-1)),
+    ];
+    return permissions;
+  }
+
+  async getCurrentDatabasePermissions(req) {
+    const databasePermissions = await readComplexRolePermissions(-1, 'role_databases');
+    return databasePermissions;
+  }
+
+  async getCurrentTablePermissions(req) {
+    const tablePermissions = await readComplexRolePermissions(-1, 'role_tables');
+    return tablePermissions;
+  }
+
+  async checkCurrentConnectionPermission(req, conid) {
+    const res = await storageCheckRoleConnectionAccess(-1, conid);
+    return res;
+  }
 }
 
 class LocalAuthProvider extends StorageProviderBase {
@@ -101,7 +176,6 @@ class LocalAuthProvider extends StorageProviderBase {
     const row = decryptUser(rows[0]);
     if (row.password == password) {
       const userId = row.id;
-      const permissions = await loadPermissionsForUserId(userId);
 
       if (!(await isLoginLicensed(req, `local:${login}`))) {
         return { error: LOGIN_LIMIT_ERROR };
@@ -122,7 +196,6 @@ class LocalAuthProvider extends StorageProviderBase {
         {
           amoid: this.amoid,
           login,
-          permissions,
           userId,
           licenseUid,
         },
@@ -190,7 +263,7 @@ class OauthProvider extends StorageProviderBase {
 
     const payload = jwt.decode(id_token ?? access_token);
 
-    logger.info({ payload }, 'User payload returned from OAUTH');
+    logger.info({ payload }, 'DBGM-00003 User payload returned from OAUTH');
 
     const login =
       this.config.oauthLoginField && payload && payload[this.config.oauthLoginField]
@@ -198,7 +271,6 @@ class OauthProvider extends StorageProviderBase {
         : 'oauth';
 
     const loginRows = await storageSelectFmt('select * from ~users where ~login = %v', login);
-    const permissions = await loadPermissionsForUserId(loginRows[0]?.id ?? -1);
 
     if (this.config.oauthOnlyDefinedLogins == 1 && loginRows.length == 0) {
       sendToAuditLog(req, {
@@ -264,7 +336,6 @@ class OauthProvider extends StorageProviderBase {
       {
         amoid: this.amoid,
         login,
-        permissions,
         userId: loginRows[0]?.id,
         licenseUid,
       },
@@ -328,7 +399,6 @@ class ADProvider extends StorageProviderBase {
       }
 
       const loginRows = await storageSelectFmt('select * from ~users where ~login = %v', login);
-      const permissions = await loadPermissionsForUserId(loginRows[0]?.id ?? -1);
 
       if (this.config.adOnlyDefinedLogins == 1) {
         if (loginRows.length == 0) {
@@ -355,8 +425,8 @@ class ADProvider extends StorageProviderBase {
         {
           amoid: this.amoid,
           login,
-          permissions,
           licenseUid,
+          userId: loginRows[0]?.id ?? -1,
         },
         getTokenSecret(),
         { expiresIn: getTokenLifetime() }
@@ -421,7 +491,6 @@ class DatabaseProvider extends StorageProviderBase {
       return { error: 'Login not allowed', login };
     }
     const userId = rows[0]?.id;
-    const permissions = await loadPermissionsForUserId(userId ?? -1);
 
     if (!(await isLoginLicensed(req, `db:${login}`))) {
       return { error: LOGIN_LIMIT_ERROR };
@@ -442,7 +511,6 @@ class DatabaseProvider extends StorageProviderBase {
       {
         amoid: this.amoid,
         login,
-        permissions,
         userId,
         conid,
         licenseUid,
@@ -485,12 +553,11 @@ class MsEntraProvider extends StorageProviderBase {
 
     const payload = jwt.decode(token);
 
-    logger.info({ payload }, 'User payload returned from MS Entra');
+    logger.info({ payload }, 'DBGM-00004 User payload returned from MS Entra');
 
     const { email } = payload;
 
     const loginRows = await storageSelectFmt('select * from ~users where ~email = %v', email);
-    const permissions = await loadPermissionsForUserId(loginRows[0]?.id ?? -1);
 
     if (this.config.msentraOnlyDefinedLogins == 1) {
       if (loginRows.length == 0) {
@@ -527,7 +594,6 @@ class MsEntraProvider extends StorageProviderBase {
       const accessToken = jwt.sign(
         {
           amoid: this.amoid,
-          permissions,
           msentraToken: token,
           userId: loginRows[0]?.id,
           login: payload.unique_name,
@@ -593,4 +659,5 @@ function createStorageAuthProvider(config) {
 
 module.exports = {
   createStorageAuthProvider,
+  SuperadminAuthProvider,
 };

package/src/controllers/archive.js

@@ -102,7 +102,7 @@ module.exports = {
         ...fileType('.matview.sql', 'matview.sql'),
       ];
     } catch (err) {
-      logger.error(extractErrorLogData(err), 'Error reading archive files');
+      logger.error(extractErrorLogData(err), 'DBGM-00001 Error reading archive files');
       return [];
     }
   },

package/src/controllers/auth.js

@@ -51,6 +51,7 @@ function authMiddleware(req, res, next) {
     '/auth/oauth-token',
     '/auth/login',
     '/auth/redirect',
+    '/redirect',
     '/stream',
     '/storage/get-connections-for-login-page',
     '/storage/set-admin-password',
@@ -99,7 +100,7 @@ function authMiddleware(req, res, next) {
       return next();
     }
 
-    logger.error(extractErrorLogData(err), 'Sending invalid token error');
+    logger.error(extractErrorLogData(err), 'DBGM-00098 Sending invalid token error');
 
     return unauthorizedResponse(req, res, 'invalid token');
   }
@@ -139,9 +140,9 @@ module.exports = {
         const accessToken = jwt.sign(
           {
             login: 'superadmin',
-            permissions: await storage.loadSuperadminPermissions(),
             roleId: -3,
             licenseUid,
+            amoid: 'superadmin',
           },
           getTokenSecret(),
           {

package/src/controllers/cloud.js

@@ -45,7 +45,7 @@ module.exports = {
       const resp = await callCloudApiGet('content-list');
       return resp;
     } catch (err) {
-      logger.error(extractErrorLogData(err), 'Error getting cloud content list');
+      logger.error(extractErrorLogData(err), 'DBGM-00099 Error getting cloud content list');
 
       return [];
     }

package/src/controllers/config.js

@@ -3,7 +3,7 @@ const os = require('os');
 const path = require('path');
 const axios = require('axios');
 const { datadir, getLogsFilePath } = require('../utility/directories');
-const { hasPermission } = require('../utility/hasPermission');
+const { hasPermission, loadPermissionsFromRequest } = require('../utility/hasPermission');
 const socket = require('../utility/socket');
 const _ = require('lodash');
 const AsyncLock = require('async-lock');
@@ -46,7 +46,7 @@ module.exports = {
   async get(_params, req) {
     const authProvider = getAuthProviderFromReq(req);
     const login = authProvider.getCurrentLogin(req);
-    const permissions = authProvider.getCurrentPermissions(req);
+    const permissions = await authProvider.getCurrentPermissions(req);
     const isUserLoggedIn = authProvider.isUserLoggedIn(req);
 
     const singleConid = authProvider.getSingleConnectionId(req);
@@ -280,7 +280,8 @@ module.exports = {
 
   updateSettings_meta: true,
   async updateSettings(values, req) {
-    if (!hasPermission(`settings/change`, req)) return false;
+    const loadedPermissions = await loadPermissionsFromRequest(req);
+    if (!hasPermission(`settings/change`, loadedPermissions)) return false;
     cachedSettingsValue = null;
 
     const res = await lock.acquire('settings', async () => {
@@ -392,7 +393,8 @@ module.exports = {
 
   exportConnectionsAndSettings_meta: true,
   async exportConnectionsAndSettings(_params, req) {
-    if (!hasPermission(`admin/config`, req)) {
+    const loadedPermissions = await loadPermissionsFromRequest(req);
+    if (!hasPermission(`admin/config`, loadedPermissions)) {
       throw new Error('Permission denied: admin/config');
     }
 
@@ -416,7 +418,8 @@ module.exports = {
 
   importConnectionsAndSettings_meta: true,
   async importConnectionsAndSettings({ db }, req) {
-    if (!hasPermission(`admin/config`, req)) {
+    const loadedPermissions = await loadPermissionsFromRequest(req);
+    if (!hasPermission(`admin/config`, loadedPermissions)) {
       throw new Error('Permission denied: admin/config');
     }
 

package/src/controllers/connections.js

@@ -14,7 +14,7 @@ const JsonLinesDatabase = require('../utility/JsonLinesDatabase');
 const processArgs = require('../utility/processArgs');
 const { safeJsonParse, getLogger, extractErrorLogData } = require('dbgate-tools');
 const platformInfo = require('../utility/platformInfo');
-const { connectionHasPermission, testConnectionPermission } = require('../utility/hasPermission');
+const { connectionHasPermission, testConnectionPermission, loadPermissionsFromRequest } = require('../utility/hasPermission');
 const pipeForkLogs = require('../utility/pipeForkLogs');
 const requireEngineDriver = require('../utility/requireEngineDriver');
 const { getAuthProviderById } = require('../auth/authProvider');
@@ -116,12 +116,12 @@ function getPortalCollections() {
       }
     }
 
-    logger.info({ connections: connections.map(pickSafeConnectionInfo) }, 'Using connections from ENV variables');
+    logger.info({ connections: connections.map(pickSafeConnectionInfo) }, 'DBGM-00005 Using connections from ENV variables');
     const noengine = connections.filter(x => !x.engine);
     if (noengine.length > 0) {
       logger.warn(
         { connections: noengine.map(x => x._id) },
-        'Invalid CONNECTIONS configuration, missing ENGINE for connection ID'
+        'DBGM-00006 Invalid CONNECTIONS configuration, missing ENGINE for connection ID'
       );
     }
     return connections;
@@ -227,6 +227,7 @@ module.exports = {
   list_meta: true,
   async list(_params, req) {
     const storage = require('./storage');
+    const loadedPermissions = await loadPermissionsFromRequest(req);
 
     const storageConnections = await storage.connections(req);
     if (storageConnections) {
@@ -234,9 +235,9 @@ module.exports = {
     }
     if (portalConnections) {
       if (platformInfo.allowShellConnection) return portalConnections;
-      return portalConnections.map(maskConnection).filter(x => connectionHasPermission(x, req));
+      return portalConnections.map(maskConnection).filter(x => connectionHasPermission(x, loadedPermissions));
     }
-    return (await this.datastore.find()).filter(x => connectionHasPermission(x, req));
+    return (await this.datastore.find()).filter(x => connectionHasPermission(x, loadedPermissions));
   },
 
   async getUsedEngines() {
@@ -375,7 +376,7 @@ module.exports = {
   update_meta: true,
   async update({ _id, values }, req) {
     if (portalConnections) return;
-    testConnectionPermission(_id, req);
+    await testConnectionPermission(_id, req);
     const res = await this.datastore.patch(_id, values);
     socket.emitChanged('connection-list-changed');
     return res;
@@ -392,7 +393,7 @@ module.exports = {
   updateDatabase_meta: true,
   async updateDatabase({ conid, database, values }, req) {
     if (portalConnections) return;
-    testConnectionPermission(conid, req);
+    await testConnectionPermission(conid, req);
     const conn = await this.datastore.get(conid);
     let databases = (conn && conn.databases) || [];
     if (databases.find(x => x.name == database)) {
@@ -410,7 +411,7 @@ module.exports = {
   delete_meta: true,
   async delete(connection, req) {
     if (portalConnections) return;
-    testConnectionPermission(connection, req);
+    await testConnectionPermission(connection, req);
     const res = await this.datastore.remove(connection._id);
     socket.emitChanged('connection-list-changed');
     return res;
@@ -452,7 +453,7 @@ module.exports = {
         _id: '__model',
       };
     }
-    testConnectionPermission(conid, req);
+    await testConnectionPermission(conid, req);
     return this.getCore({ conid, mask: true });
   },
 
@@ -530,7 +531,7 @@ module.exports = {
       socket.emit('got-volatile-token', { strmid, savedConId: conid, volatileConId: volatile._id });
       return { success: true };
     } catch (err) {
-      logger.error(extractErrorLogData(err), 'Error getting DB token');
+      logger.error(extractErrorLogData(err), 'DBGM-00100 Error getting DB token');
       return { error: err.message };
     }
   },
@@ -546,7 +547,7 @@ module.exports = {
       const resp = await authProvider.login(null, null, { conid: volatile._id }, req);
       return resp;
     } catch (err) {
-      logger.error(extractErrorLogData(err), 'Error getting DB token');
+      logger.error(extractErrorLogData(err), 'DBGM-00101 Error getting DB token');
       return { error: err.message };
     }
   },