npm - dbgate-api-premium - Versions diffs - 6.6.0 → 6.6.2 - Mend

dbgate-api-premium 6.6.0 → 6.6.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (62) hide show

package/package.json +6 -6
package/src/auth/authProvider.js +14 -2
package/src/auth/storageAuthProvider.js +89 -22
package/src/controllers/archive.js +1 -1
package/src/controllers/auth.js +3 -2
package/src/controllers/cloud.js +1 -1
package/src/controllers/config.js +8 -5
package/src/controllers/connections.js +12 -11
package/src/controllers/databaseConnections.js +148 -83
package/src/controllers/files.js +49 -19
package/src/controllers/plugins.js +7 -4
package/src/controllers/runners.js +10 -6
package/src/controllers/scheduler.js +4 -3
package/src/controllers/serverConnections.js +69 -14
package/src/controllers/sessions.js +8 -5
package/src/controllers/storage.js +81 -51
package/src/controllers/storageDb.js +118 -4
package/src/controllers/uploads.js +2 -2
package/src/currentVersion.js +2 -2
package/src/index.js +36 -5
package/src/main.js +59 -20
package/src/proc/databaseConnectionProcess.js +45 -13
package/src/proc/serverConnectionProcess.js +32 -6
package/src/proc/sessionProcess.js +2 -2
package/src/proc/sshForwardProcess.js +1 -1
package/src/shell/archiveWriter.js +1 -1
package/src/shell/copyStream.js +1 -1
package/src/shell/executeQuery.js +3 -3
package/src/shell/importDatabase.js +3 -3
package/src/shell/jsonLinesReader.js +1 -1
package/src/shell/jsonLinesWriter.js +1 -1
package/src/shell/jsonReader.js +1 -1
package/src/shell/jsonWriter.js +1 -1
package/src/shell/loadDatabase.js +2 -2
package/src/shell/modifyJsonLinesReader.js +1 -1
package/src/shell/queryReader.js +1 -1
package/src/shell/requirePlugin.js +6 -1
package/src/shell/runScript.js +1 -1
package/src/shell/sqlDataWriter.js +1 -1
package/src/shell/tableReader.js +3 -3
package/src/shell/tableWriter.js +1 -1
package/src/shell/unzipDirectory.js +4 -4
package/src/shell/zipDirectory.js +3 -3
package/src/shell/zipJsonLinesData.js +3 -3
package/src/storageModel.js +726 -105
package/src/utility/DatastoreProxy.js +3 -3
package/src/utility/JsonLinesDatastore.js +4 -2
package/src/utility/appLogStore.js +119 -0
package/src/utility/auditlog.js +1 -1
package/src/utility/authProxy.js +4 -4
package/src/utility/checkLicense.js +10 -4
package/src/utility/childProcessChecker.js +1 -1
package/src/utility/cloudIntf.js +5 -5
package/src/utility/cloudUpgrade.js +4 -4
package/src/utility/connectUtility.js +1 -1
package/src/utility/directories.js +2 -2
package/src/utility/extractSingleFileFromZip.js +3 -3
package/src/utility/hasPermission.js +286 -71
package/src/utility/loadModelTransform.js +1 -1
package/src/utility/sshTunnel.js +7 -7
package/src/utility/sshTunnelProxy.js +1 -1
package/src/utility/useController.js +3 -3

package/src/utility/hasPermission.js CHANGED Viewed

@@ -1,96 +1,303 @@
-const { compilePermissions, testPermission } = require('dbgate-tools');
+const { compilePermissions, testPermission, getPermissionsCacheKey } = require('dbgate-tools');
 const _ = require('lodash');
 const { getAuthProviderFromReq } = require('../auth/authProvider');
 const cachedPermissions = {};
-function hasPermission(tested, req) {
+async function loadPermissionsFromRequest(req) {
+  const authProvider = getAuthProviderFromReq(req);
   if (!req) {
-    // request object not available, allow all
-    return true;
+    return null;
   }
-  const permissions = getAuthProviderFromReq(req).getCurrentPermissions(req);
+  const loadedPermissions = await authProvider.getCurrentPermissions(req);
+  return loadedPermissions;
+}
-  if (!cachedPermissions[permissions]) {
-    cachedPermissions[permissions] = compilePermissions(permissions);
+function hasPermission(tested, loadedPermissions) {
+  if (!loadedPermissions) {
+    // not available, allow all
+    return true;
   }
-  return testPermission(tested, cachedPermissions[permissions]);
-  // const { user } = (req && req.auth) || {};
-  // const { login } = (process.env.OAUTH_PERMISSIONS && req && req.user) || {};
-  // const key = user || login || '';
-  // const logins = getLogins();
+  const permissionsKey = getPermissionsCacheKey(loadedPermissions);
+  if (!cachedPermissions[permissionsKey]) {
+    cachedPermissions[permissionsKey] = compilePermissions(loadedPermissions);
+  }
-  // if (!userPermissions[key]) {
-  //   if (logins) {
-  //     const login = logins.find(x => x.login == user);
-  //     userPermissions[key] = compilePermissions(login ? login.permissions : null);
-  //   } else {
-  //     userPermissions[key] = compilePermissions(process.env.PERMISSIONS);
-  //   }
-  // }
-  // return testPermission(tested, userPermissions[key]);
+  return testPermission(tested, cachedPermissions[permissionsKey]);
 }
-// let loginsCache = null;
-// let loginsLoaded = false;
-// function getLogins() {
-//   if (loginsLoaded) {
-//     return loginsCache;
-//   }
-//   const res = [];
-//   if (process.env.LOGIN && process.env.PASSWORD) {
-//     res.push({
-//       login: process.env.LOGIN,
-//       password: process.env.PASSWORD,
-//       permissions: process.env.PERMISSIONS,
-//     });
-//   }
-//   if (process.env.LOGINS) {
-//     const logins = _.compact(process.env.LOGINS.split(',').map(x => x.trim()));
-//     for (const login of logins) {
-//       const password = process.env[`LOGIN_PASSWORD_${login}`];
-//       const permissions = process.env[`LOGIN_PERMISSIONS_${login}`];
-//       if (password) {
-//         res.push({
-//           login,
-//           password,
-//           permissions,
-//         });
-//       }
-//     }
-//   } else if (process.env.OAUTH_PERMISSIONS) {
-//     const login_permission_keys = Object.keys(process.env).filter(key => _.startsWith(key, 'LOGIN_PERMISSIONS_'));
-//     for (const permissions_key of login_permission_keys) {
-//       const login = permissions_key.replace('LOGIN_PERMISSIONS_', '');
-//       const permissions = process.env[permissions_key];
-//       userPermissions[login] = compilePermissions(permissions);
-//     }
-//   }
-//   loginsCache = res.length > 0 ? res : null;
-//   loginsLoaded = true;
-//   return loginsCache;
-// }
-function connectionHasPermission(connection, req) {
+function connectionHasPermission(connection, loadedPermissions) {
   if (!connection) {
     return true;
   }
   if (_.isString(connection)) {
-    return hasPermission(`connections/${connection}`, req);
+    return hasPermission(`connections/${connection}`, loadedPermissions);
   } else {
-    return hasPermission(`connections/${connection._id}`, req);
+    return hasPermission(`connections/${connection._id}`, loadedPermissions);
+  }
+}
+async function testConnectionPermission(connection, req, loadedPermissions) {
+  if (!loadedPermissions) {
+    loadedPermissions = await loadPermissionsFromRequest(req);
+  }
+  if (process.env.STORAGE_DATABASE) {
+    if (hasPermission(`all-connections`, loadedPermissions)) {
+      return;
+    }
+    const conid = _.isString(connection) ? connection : connection?._id;
+    if (hasPermission('internal-storage', loadedPermissions) && conid == '__storage') {
+      return;
+    }
+    const authProvider = getAuthProviderFromReq(req);
+    if (!req) {
+      return;
+    }
+    if (!(await authProvider.checkCurrentConnectionPermission(req, conid))) {
+      throw new Error('DBGM-00263 Connection permission not granted');
+    }
+  } else {
+    if (!connectionHasPermission(connection, loadedPermissions)) {
+      throw new Error('DBGM-00264 Connection permission not granted');
+    }
+  }
+}
+async function loadDatabasePermissionsFromRequest(req) {
+  const authProvider = getAuthProviderFromReq(req);
+  if (!req) {
+    return null;
+  }
+  const databasePermissions = await authProvider.getCurrentDatabasePermissions(req);
+  return databasePermissions;
+}
+async function loadTablePermissionsFromRequest(req) {
+  const authProvider = getAuthProviderFromReq(req);
+  if (!req) {
+    return null;
+  }
+  const tablePermissions = await authProvider.getCurrentTablePermissions(req);
+  return tablePermissions;
+}
+function matchDatabasePermissionRow(conid, database, permissionRow) {
+  if (permissionRow.connection_id) {
+    if (conid != permissionRow.connection_id) {
+      return false;
+    }
+  }
+  if (permissionRow.database_names_list) {
+    const items = permissionRow.database_names_list.split('\n');
+    if (!items.find(item => item.trim()?.toLowerCase() === database?.toLowerCase())) {
+      return false;
+    }
+  }
+  if (permissionRow.database_names_regex) {
+    const regex = new RegExp(permissionRow.database_names_regex, 'i');
+    if (!regex.test(database)) {
+      return false;
+    }
+  }
+  return true;
+}
+function matchTablePermissionRow(objectTypeField, schemaName, pureName, permissionRow) {
+  if (permissionRow.table_names_list) {
+    const items = permissionRow.table_names_list.split('\n');
+    if (!items.find(item => item.trim()?.toLowerCase() === pureName?.toLowerCase())) {
+      return false;
+    }
+  }
+  if (permissionRow.table_names_regex) {
+    const regex = new RegExp(permissionRow.table_names_regex, 'i');
+    if (!regex.test(pureName)) {
+      return false;
+    }
+  }
+  if (permissionRow.schema_names_list) {
+    const items = permissionRow.schema_names_list.split('\n');
+    if (!items.find(item => item.trim()?.toLowerCase() === schemaName?.toLowerCase())) {
+      return false;
+    }
+  }
+  if (permissionRow.schema_names_regex) {
+    const regex = new RegExp(permissionRow.schema_names_regex, 'i');
+    if (!regex.test(schemaName)) {
+      return false;
+    }
+  }
+  return true;
+}
+const DATABASE_ROLE_ID_NAMES = {
+  '-1': 'view',
+  '-2': 'read_content',
+  '-3': 'write_data',
+  '-4': 'run_script',
+  '-5': 'deny',
+};
+function getDatabaseRoleLevelIndex(roleName) {
+  if (!roleName) {
+    return 6;
+  }
+  if (roleName == 'run_script') {
+    return 5;
+  }
+  if (roleName == 'write_data') {
+    return 4;
+  }
+  if (roleName == 'read_content') {
+    return 3;
+  }
+  if (roleName == 'view') {
+    return 2;
+  }
+  if (roleName == 'deny') {
+    return 1;
+  }
+  return 6;
+}
+function getTablePermissionRoleLevelIndex(roleName) {
+  if (!roleName) {
+    return 6;
+  }
+  if (roleName == 'run_script') {
+    return 5;
+  }
+  if (roleName == 'create_update_delete') {
+    return 4;
+  }
+  if (roleName == 'update_only') {
+    return 3;
+  }
+  if (roleName == 'read') {
+    return 2;
+  }
+  if (roleName == 'deny') {
+    return 1;
   }
+  return 6;
 }
-function testConnectionPermission(connection, req) {
-  if (!connectionHasPermission(connection, req)) {
-    throw new Error('Connection permission not granted');
+function getDatabasePermissionRole(conid, database, loadedDatabasePermissions) {
+  let res = 'deny';
+  for (const permissionRow of loadedDatabasePermissions) {
+    if (!matchDatabasePermissionRow(conid, database, permissionRow)) {
+      continue;
+    }
+    res = DATABASE_ROLE_ID_NAMES[permissionRow.database_permission_role_id];
+  }
+  return res;
+}
+const TABLE_ROLE_ID_NAMES = {
+  '-1': 'read',
+  '-2': 'update_only',
+  '-3': 'create_update_delete',
+  '-4': 'run_script',
+  '-5': 'deny',
+};
+const TABLE_SCOPE_ID_NAMES = {
+  '-1': 'all_objects',
+  '-2': 'tables',
+  '-3': 'views',
+  '-4': 'tables_views_collections',
+  '-5': 'procedures',
+  '-6': 'functions',
+  '-7': 'triggers',
+  '-8': 'sql_objects',
+  '-9': 'collections',
+};
+function getTablePermissionRole(
+  conid,
+  database,
+  objectTypeField,
+  schemaName,
+  pureName,
+  loadedTablePermissions,
+  databasePermissionRole
+) {
+  let res =
+    databasePermissionRole == 'read_content'
+      ? 'read'
+      : databasePermissionRole == 'write_data'
+      ? 'create_update_delete'
+      : databasePermissionRole == 'run_script'
+      ? 'run_script'
+      : 'deny';
+  for (const permissionRow of loadedTablePermissions) {
+    if (!matchDatabasePermissionRow(conid, database, permissionRow)) {
+      continue;
+    }
+    if (!matchTablePermissionRow(objectTypeField, schemaName, pureName, permissionRow)) {
+      continue;
+    }
+    const scope = TABLE_SCOPE_ID_NAMES[permissionRow.table_permission_scope_id];
+    switch (scope) {
+      case 'tables':
+        if (objectTypeField != 'tables') continue;
+        break;
+      case 'views':
+        if (objectTypeField != 'views') continue;
+        break;
+      case 'tables_views_collections':
+        if (objectTypeField != 'tables' && objectTypeField != 'views' && objectTypeField != 'collections') continue;
+        break;
+      case 'procedures':
+        if (objectTypeField != 'procedures') continue;
+        break;
+      case 'functions':
+        if (objectTypeField != 'functions') continue;
+        break;
+      case 'triggers':
+        if (objectTypeField != 'triggers') continue;
+        break;
+      case 'sql_objects':
+        if (objectTypeField != 'procedures' && objectTypeField != 'functions' && objectTypeField != 'triggers')
+          continue;
+        break;
+      case 'collections':
+        if (objectTypeField != 'collections') continue;
+        break;
+    }
+    res = TABLE_ROLE_ID_NAMES[permissionRow.table_permission_role_id];
+  }
+  return res;
+}
+async function testStandardPermission(permission, req, loadedPermissions) {
+  if (!loadedPermissions) {
+    loadedPermissions = await loadPermissionsFromRequest(req);
+  }
+  if (!hasPermission(permission, loadedPermissions)) {
+    throw new Error('DBGM-00265 Permission not granted');
+  }
+}
+async function testDatabaseRolePermission(conid, database, requiredRole, req) {
+  if (!process.env.STORAGE_DATABASE) {
+    return;
+  }
+  const loadedPermissions = await loadPermissionsFromRequest(req);
+  if (hasPermission(`all-databases`, loadedPermissions)) {
+    return;
+  }
+  const databasePermissions = await loadDatabasePermissionsFromRequest(req);
+  const role = getDatabasePermissionRole(conid, database, databasePermissions);
+  const requiredIndex = getDatabaseRoleLevelIndex(requiredRole);
+  const roleIndex = getDatabaseRoleLevelIndex(role);
+  if (roleIndex < requiredIndex) {
+    throw new Error('DBGM-00266 Permission not granted');
   }
 }
@@ -98,4 +305,12 @@ module.exports = {
   hasPermission,
   connectionHasPermission,
   testConnectionPermission,
+  loadPermissionsFromRequest,
+  loadDatabasePermissionsFromRequest,
+  loadTablePermissionsFromRequest,
+  getDatabasePermissionRole,
+  getTablePermissionRole,
+  testStandardPermission,
+  testDatabaseRolePermission,
+  getTablePermissionRoleLevelIndex,
 };

package/src/utility/loadModelTransform.js CHANGED Viewed

@@ -28,7 +28,7 @@ async function loadModelTransform(file) {
     }
     return null;
   } catch (err) {
-    logger.error(extractErrorLogData(err), `Error loading model transform ${file}`);
+    logger.error(extractErrorLogData(err), `DBGM-00173 Error loading model transform ${file}`);
     return null;
   }
 }

package/src/utility/sshTunnel.js CHANGED Viewed

@@ -40,7 +40,7 @@ function callForwardProcess(connection, tunnelConfig, tunnelCacheKey) {
       tunnelConfig,
     });
   } catch (err) {
-    logger.error(extractErrorLogData(err), 'Error connecting SSH');
+    logger.error(extractErrorLogData(err), 'DBGM-00174 Error connecting SSH');
   }
   return new Promise((resolve, reject) => {
     let promiseHandled = false;
@@ -57,18 +57,18 @@ function callForwardProcess(connection, tunnelConfig, tunnelCacheKey) {
       }
     });
     subprocess.on('exit', code => {
-      logger.info(`SSH forward process exited with code ${code}`);
+      logger.info(`DBGM-00090 SSH forward process exited with code ${code}`);
       delete sshTunnelCache[tunnelCacheKey];
       if (!promiseHandled) {
         reject(
           new Error(
-            'SSH forward process exited, try to change "Local host address for SSH connections" in Settings/Connections'
+            'DBGM-00091 SSH forward process exited, try to change "Local host address for SSH connections" in Settings/Connections'
           )
         );
       }
     });
     subprocess.on('error', error => {
-      logger.error(extractErrorLogData(error), 'SSH forward process error');
+      logger.error(extractErrorLogData(error), 'DBGM-00092 SSH forward process error');
       delete sshTunnelCache[tunnelCacheKey];
       if (!promiseHandled) {
         reject(error);
@@ -97,13 +97,13 @@ async function getSshTunnel(connection) {
     };
     try {
       logger.info(
-        `Creating SSH tunnel to ${connection.sshHost}-${connection.server}:${connection.port}, using local port ${localPort}`
+        `DBGM-00093 Creating SSH tunnel to ${connection.sshHost}-${connection.server}:${connection.port}, using local port ${localPort}`
       );
       const subprocess = await callForwardProcess(connection, tunnelConfig, tunnelCacheKey);
       logger.info(
-        `Created SSH tunnel to ${connection.sshHost}-${connection.server}:${connection.port}, using local port ${localPort}`
+        `DBGM-00094 Created SSH tunnel to ${connection.sshHost}-${connection.server}:${connection.port}, using local port ${localPort}`
       );
       sshTunnelCache[tunnelCacheKey] = {
@@ -114,7 +114,7 @@ async function getSshTunnel(connection) {
       };
       return sshTunnelCache[tunnelCacheKey];
     } catch (err) {
-      logger.error(extractErrorLogData(err), 'Error creating SSH tunnel:');
+      logger.error(extractErrorLogData(err), 'DBGM-00095 Error creating SSH tunnel:');
       // error is not cached
       return {
         state: 'error',

package/src/utility/sshTunnelProxy.js CHANGED Viewed

@@ -10,7 +10,7 @@ async function handleGetSshTunnelRequest({ msgid, connection }, subprocess) {
   try {
     subprocess.send({ msgtype: 'getsshtunnel-response', msgid, response });
   } catch (err) {
-    logger.error(extractErrorLogData(err), 'Error sending to SSH tunnel');
+    logger.error(extractErrorLogData(err), 'DBGM-00175 Error sending to SSH tunnel');
   }
 }

package/src/utility/useController.js CHANGED Viewed

@@ -12,11 +12,11 @@ module.exports = function useController(app, electron, route, controller) {
   const router = express.Router();
   if (controller._init) {
-    logger.info(`Calling init controller for controller ${route}`);
+    logger.info(`DBGM-00096 Calling init controller for controller ${route}`);
     try {
       controller._init();
     } catch (err) {
-      logger.error(extractErrorLogData(err), `Error initializing controller, exiting application`);
+      logger.error(extractErrorLogData(err), `DBGM-00097 Error initializing controller, exiting application`);
       process.exit(1);
     }
   }
@@ -78,7 +78,7 @@ module.exports = function useController(app, electron, route, controller) {
           const data = await controller[key]({ ...req.body, ...req.query }, req);
           res.json(data);
         } catch (err) {
-          logger.error(extractErrorLogData(err), `Error when processing route ${route}/${key}`);
+          logger.error(extractErrorLogData(err), `DBGM-00176 Error when processing route ${route}/${key}`);
           if (err instanceof MissingCredentialsError) {
             res.json({
               missingCredentials: true,