forge-sql-orm 2.1.23 → 2.1.24

package/src/core/Rovo.ts

@@ -1,3 +1,4 @@
+// qlty-ignore: +qlty:file-complexity
 import {
   ForgeSqlOperation,
   ForgeSqlOrmOptions,
@@ -11,6 +12,18 @@ import { Parser, Select } from "node-sql-parser";
 import { AnyMySqlTable, MySqlColumn } from "drizzle-orm/mysql-core";
 import { getTableName } from "drizzle-orm/table";
 
+/**
+ * Configuration for RovoIntegrationSettingImpl.
+ */
+interface RovoIntegrationSettingConfig {
+  accountId: string;
+  tableName: string;
+  contextParam: Record<string, string>;
+  rls: boolean;
+  rlsFields: string[];
+  rlsWherePart: (alias: string) => string;
+}
+
 /**
  * Implementation of RovoIntegrationSetting interface.
  * Stores configuration for Rovo query execution including user context, table name, and RLS settings.
@@ -29,27 +42,15 @@ class RovoIntegrationSettingImpl implements RovoIntegrationSetting {
   /**
    * Creates a new RovoIntegrationSettingImpl instance.
    *
-   * @param {string} accountId - The account ID of the active user
-   * @param {string} tableName - The name of the table to query
-   * @param {Record<string, string>} contextParam - Context parameters for query substitution (parameter name -> value mapping)
-   * @param {boolean} rls - Whether Row-Level Security is enabled
-   * @param {string[]} rlsFields - Array of field names required for RLS validation
-   * @param {(alias: string) => string} rlsWherePart - Function that generates WHERE clause for RLS filtering
-   */
-  constructor(
-    accountId: string,
-    tableName: string,
-    contextParam: Record<string, string>,
-    rls: boolean,
-    rlsFields: string[],
-    rlsWherePart: (alias: string) => string,
-  ) {
-    this.accountId = accountId;
-    this.tableName = tableName;
-    this.contextParam = contextParam;
-    this.rls = rls;
-    this.rlsFields = rlsFields;
-    this.rlsWherePart = rlsWherePart;
+   * @param config - Configuration object for the setting
+   */
+  constructor(config: RovoIntegrationSettingConfig) {
+    this.accountId = config.accountId;
+    this.tableName = config.tableName;
+    this.contextParam = config.contextParam;
+    this.rls = config.rls;
+    this.rlsFields = config.rlsFields;
+    this.rlsWherePart = config.rlsWherePart;
   }
 
   /**
@@ -350,14 +351,14 @@ class RovoIntegrationSettingCreatorImpl implements RovoIntegrationSettingCreator
    */
   async build(): Promise<RovoIntegrationSetting> {
     const useRls = this.isUseRls ? await this.isUseRlsConditional() : false;
-    return new RovoIntegrationSettingImpl(
-      this.accountId,
-      this.tableName,
-      this.contextParam,
-      useRls,
-      this.rlsFields,
-      this.wherePart,
-    );
+    return new RovoIntegrationSettingImpl({
+      accountId: this.accountId,
+      tableName: this.tableName,
+      contextParam: this.contextParam,
+      rls: useRls,
+      rlsFields: this.rlsFields,
+      rlsWherePart: this.wherePart,
+    });
   }
 }
 
@@ -593,6 +594,21 @@ export class Rovo implements RovoIntegration {
     return trimmedQuery;
   }
 
+  /**
+   * Validates that AST represents a single SELECT statement.
+   */
+  private validateSelectAst(ast: any): void {
+    if (Array.isArray(ast)) {
+      if (ast.length !== 1 || ast[0].type !== "select") {
+        throw new Error(
+          "Only a single SELECT query is allowed. Multiple statements or non-SELECT statements are not permitted.",
+        );
+      }
+    } else if (ast && ast.type !== "select") {
+      throw new Error("Only SELECT queries are allowed.");
+    }
+  }
+
   /**
    * Normalizes SQL query using AST parsing and stringification.
    * This ensures consistent formatting and validates the query structure.
@@ -606,15 +622,7 @@ export class Rovo implements RovoIntegration {
       const parser = new Parser();
       const ast = parser.astify(sql.trim());
 
-      if (Array.isArray(ast)) {
-        if (ast.length !== 1 || ast[0].type !== "select") {
-          throw new Error(
-            "Only a single SELECT query is allowed. Multiple statements or non-SELECT statements are not permitted.",
-          );
-        }
-      } else if (ast && ast.type !== "select") {
-        throw new Error("Only SELECT queries are allowed.");
-      }
+      this.validateSelectAst(ast);
 
       const normalized = parser.sqlify(Array.isArray(ast) ? ast[0] : ast);
       return normalized.trim();
@@ -655,14 +663,9 @@ export class Rovo implements RovoIntegration {
   }
 
   /**
-   * Validates query structure for security compliance.
-   * Checks that only the specified table is referenced and no scalar subqueries are present.
-   *
-   * @param {Select} selectAst - The parsed SELECT AST node
-   * @param {string} tableName - The expected table name
-   * @throws {Error} If query references other tables or contains scalar subqueries
+   * Validates that query only references the expected table.
    */
-  private validateQueryStructure(selectAst: Select, tableName: string): void {
+  private validateTableReferences(selectAst: Select, tableName: string): void {
     const upperTableName = tableName.toUpperCase();
     const tablesInQuery = this.extractTables(selectAst);
     const uniqueTables = [...new Set(tablesInQuery)];
@@ -675,7 +678,12 @@ export class Rovo implements RovoIntegration {
           "JOINs, subqueries, or references to other tables are not permitted for security reasons.",
       );
     }
+  }
 
+  /**
+   * Validates that SELECT columns don't contain scalar subqueries.
+   */
+  private validateNoSubqueriesInColumns(selectAst: Select): void {
     if (selectAst.columns && Array.isArray(selectAst.columns)) {
       const hasSubqueryInColumns = selectAst.columns.some((col: any) => {
         if (col.expr) {
@@ -694,6 +702,19 @@ export class Rovo implements RovoIntegration {
     }
   }
 
+  /**
+   * Validates query structure for security compliance.
+   * Checks that only the specified table is referenced and no scalar subqueries are present.
+   *
+   * @param {Select} selectAst - The parsed SELECT AST node
+   * @param {string} tableName - The expected table name
+   * @throws {Error} If query references other tables or contains scalar subqueries
+   */
+  private validateQueryStructure(selectAst: Select, tableName: string): void {
+    this.validateTableReferences(selectAst, tableName);
+    this.validateNoSubqueriesInColumns(selectAst);
+  }
+
   /**
    * Validates query execution plan for security violations.
    * Uses EXPLAIN to detect JOINs, window functions, and references to other tables.
@@ -774,31 +795,14 @@ export class Rovo implements RovoIntegration {
   }
 
   /**
-   * Validates query results for RLS compliance.
-   * Ensures that required RLS fields are present and all fields originate from the correct table.
-   *
-   * @param {Result<unknown>} result - The query execution result
-   * @param {RovoIntegrationSetting} settings - Rovo settings containing RLS field requirements
-   * @param {string} upperTableName - The expected table name in uppercase
-   * @throws {Error} If required RLS fields are missing or fields originate from other tables
+   * Validates that required RLS fields are present and from correct table.
    */
-  private validateQueryResults(
-    result: Result<unknown>,
-    settings: RovoIntegrationSetting,
+  private validateRlsFields(
+    fields: Array<{ name: string; orgTable?: string }>,
+    rlsFields: string[],
     upperTableName: string,
   ): void {
-    if (!result?.metadata?.fields) {
-      return;
-    }
-
-    const fields = result.metadata.fields as Array<{
-      name: string;
-      schema?: string;
-      table?: string;
-      orgTable?: string;
-    }>;
-
-    settings.userScopeFields().forEach((field) => {
+    rlsFields.forEach((field) => {
       const actualFields = fields.filter((f) => f.name.toLowerCase() === field?.toLowerCase());
       if (actualFields.length === 0) {
         throw new Error(
@@ -814,7 +818,15 @@ export class Rovo implements RovoIntegration {
         );
       }
     });
+  }
 
+  /**
+   * Validates that all fields come from the expected table.
+   */
+  private validateAllFieldsFromTable(
+    fields: Array<{ orgTable?: string }>,
+    upperTableName: string,
+  ): void {
     const fieldsFromOtherTables = fields.filter(
       (f) => f.orgTable && f.orgTable.toUpperCase() !== upperTableName,
     );
@@ -827,6 +839,77 @@ export class Rovo implements RovoIntegration {
     }
   }
 
+  /**
+   * Validates query results for RLS compliance.
+   * Ensures that required RLS fields are present and all fields originate from the correct table.
+   *
+   * @param {Result<unknown>} result - The query execution result
+   * @param {RovoIntegrationSetting} settings - Rovo settings containing RLS field requirements
+   * @param {string} upperTableName - The expected table name in uppercase
+   * @throws {Error} If required RLS fields are missing or fields originate from other tables
+   */
+  private validateQueryResults(
+    result: Result<unknown>,
+    settings: RovoIntegrationSetting,
+    upperTableName: string,
+  ): void {
+    if (!result?.metadata?.fields) {
+      return;
+    }
+
+    const fields = result.metadata.fields as Array<{
+      name: string;
+      schema?: string;
+      table?: string;
+      orgTable?: string;
+    }>;
+
+    this.validateRlsFields(fields, settings.userScopeFields(), upperTableName);
+    this.validateAllFieldsFromTable(fields, upperTableName);
+  }
+
+  /**
+   * Normalizes SQL query with error handling.
+   */
+  private normalizeQueryWithErrorHandling(query: string): string {
+    try {
+      return this.normalizeSqlString(query);
+    } catch (error: any) {
+      if (
+        error.message &&
+        (error.message.includes("Only") || error.message.includes("single SELECT"))
+      ) {
+        throw error;
+      }
+      if (error.message?.includes("SQL parsing error")) {
+        throw error;
+      }
+      throw new Error(
+        `SQL parsing error: ${error.message || "Invalid SQL syntax"}. Please check your query syntax.`,
+      );
+    }
+  }
+
+  /**
+   * Replaces context parameters in the query string.
+   */
+  private replaceQueryParameters(normalized: string, parameters: Record<string, string>): string {
+    let result = normalized.replaceAll("ari:cloud:identity::user/", "");
+    Object.entries(parameters).forEach(([key, value]) => {
+      result = result.replaceAll(key, value);
+    });
+    return result;
+  }
+
+  /**
+   * Performs all security validations on the query.
+   */
+  private async performSecurityValidations(normalized: string, tableName: string): Promise<void> {
+    const selectAst = this.parseSqlQuery(normalized);
+    this.validateQueryStructure(selectAst, tableName);
+    await this.validateExecutionPlan(normalized, tableName);
+  }
+
   /**
    * Executes a dynamic SQL query with comprehensive security validations.
    *
@@ -865,23 +948,7 @@ export class Rovo implements RovoIntegration {
     const trimmedQuery = this.validateInputs(dynamicSql, tableName);
 
     // Normalize SQL
-    let normalized: string;
-    try {
-      normalized = this.normalizeSqlString(trimmedQuery);
-    } catch (error: any) {
-      if (
-        error.message &&
-        (error.message.includes("Only") || error.message.includes("single SELECT"))
-      ) {
-        throw error;
-      }
-      if (error.message?.includes("SQL parsing error")) {
-        throw error;
-      }
-      throw new Error(
-        `SQL parsing error: ${error.message || "Invalid SQL syntax"}. Please check your query syntax.`,
-      );
-    }
+    let normalized = this.normalizeQueryWithErrorHandling(trimmedQuery);
 
     // Validate table name and account
     this.validateTableName(normalized, tableName);
@@ -892,25 +959,18 @@ export class Rovo implements RovoIntegration {
       );
     }
 
-    // Replace parameters in query
-    normalized = normalized.replaceAll("ari:cloud:identity::user/", "");
-    Object.entries(parameters).forEach(([key, value]) => {
-      normalized = normalized.replaceAll(key, value);
-    });
-
-    // Validate query structure
-    const selectAst = this.parseSqlQuery(normalized);
-    this.validateQueryStructure(selectAst, tableName);
-
-    // Validate execution plan
-    await this.validateExecutionPlan(normalized, tableName);
-
+    // Perform security validations
     // Apply RLS filtering if needed
     const isUseRLSFiltering = settings.isUseRLS();
     if (isUseRLSFiltering) {
-      normalized = this.applyRLSFiltering(normalized, settings);
+      normalized = this.applyRLSFiltering(normalized, settings) ?? normalized;
     }
 
+    // Replace parameters in query
+    normalized = this.replaceQueryParameters(normalized, parameters);
+
+    await this.performSecurityValidations(normalized, tableName);
+
     if (this.options.logRawSqlQuery) {
       // eslint-disable-next-line no-console
       console.debug("Rovo query: " + normalized);