neonctl 2.22.0 → 2.23.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (116) hide show
  1. package/README.md +242 -16
  2. package/analytics.js +5 -2
  3. package/commands/branches.js +9 -1
  4. package/commands/checkout.js +249 -0
  5. package/commands/connection_string.js +15 -2
  6. package/commands/data_api.js +286 -0
  7. package/commands/functions.js +277 -0
  8. package/commands/index.js +12 -0
  9. package/commands/link.js +667 -0
  10. package/commands/neon_auth.js +1013 -0
  11. package/commands/projects.js +9 -1
  12. package/commands/psql.js +62 -0
  13. package/commands/set_context.js +7 -2
  14. package/context.js +86 -14
  15. package/functions_api.js +44 -0
  16. package/index.js +3 -0
  17. package/package.json +60 -51
  18. package/psql/cli.js +51 -0
  19. package/psql/command/cmd_cond.js +437 -0
  20. package/psql/command/cmd_connect.js +815 -0
  21. package/psql/command/cmd_copy.js +1025 -0
  22. package/psql/command/cmd_describe.js +1810 -0
  23. package/psql/command/cmd_format.js +909 -0
  24. package/psql/command/cmd_io.js +2187 -0
  25. package/psql/command/cmd_lo.js +385 -0
  26. package/psql/command/cmd_meta.js +970 -0
  27. package/psql/command/cmd_misc.js +187 -0
  28. package/psql/command/cmd_pipeline.js +1141 -0
  29. package/psql/command/cmd_restrict.js +171 -0
  30. package/psql/command/cmd_show.js +751 -0
  31. package/psql/command/dispatch.js +343 -0
  32. package/psql/command/inputQueue.js +42 -0
  33. package/psql/command/shared.js +71 -0
  34. package/psql/complete/filenames.js +139 -0
  35. package/psql/complete/index.js +104 -0
  36. package/psql/complete/matcher.js +314 -0
  37. package/psql/complete/psqlVars.js +247 -0
  38. package/psql/complete/queries.js +491 -0
  39. package/psql/complete/rules.js +2387 -0
  40. package/psql/core/common.js +1250 -0
  41. package/psql/core/help.js +576 -0
  42. package/psql/core/mainloop.js +1353 -0
  43. package/psql/core/prompt.js +437 -0
  44. package/psql/core/settings.js +684 -0
  45. package/psql/core/sqlHelp.js +1066 -0
  46. package/psql/core/startup.js +840 -0
  47. package/psql/core/syncVars.js +116 -0
  48. package/psql/core/variables.js +287 -0
  49. package/psql/describe/formatters.js +1277 -0
  50. package/psql/describe/processNamePattern.js +270 -0
  51. package/psql/describe/queries.js +2373 -0
  52. package/psql/describe/versionGate.js +43 -0
  53. package/psql/index.js +2005 -0
  54. package/psql/io/history.js +299 -0
  55. package/psql/io/input.js +120 -0
  56. package/psql/io/lineEditor/buffer.js +323 -0
  57. package/psql/io/lineEditor/complete.js +227 -0
  58. package/psql/io/lineEditor/filename.js +159 -0
  59. package/psql/io/lineEditor/index.js +891 -0
  60. package/psql/io/lineEditor/keymap.js +738 -0
  61. package/psql/io/lineEditor/vt100.js +363 -0
  62. package/psql/io/pgpass.js +202 -0
  63. package/psql/io/pgservice.js +194 -0
  64. package/psql/io/psqlrc.js +422 -0
  65. package/psql/print/aligned.js +1756 -0
  66. package/psql/print/asciidoc.js +248 -0
  67. package/psql/print/crosstab.js +460 -0
  68. package/psql/print/csv.js +92 -0
  69. package/psql/print/html.js +258 -0
  70. package/psql/print/json.js +96 -0
  71. package/psql/print/latex.js +396 -0
  72. package/psql/print/pager.js +265 -0
  73. package/psql/print/troff.js +258 -0
  74. package/psql/print/unaligned.js +118 -0
  75. package/psql/print/units.js +135 -0
  76. package/psql/scanner/slash.js +513 -0
  77. package/psql/scanner/sql.js +910 -0
  78. package/psql/scanner/stringutils.js +390 -0
  79. package/psql/types/backslash.js +1 -0
  80. package/psql/types/connection.js +1 -0
  81. package/psql/types/index.js +7 -0
  82. package/psql/types/printer.js +1 -0
  83. package/psql/types/repl.js +1 -0
  84. package/psql/types/scanner.js +24 -0
  85. package/psql/types/settings.js +1 -0
  86. package/psql/types/variables.js +1 -0
  87. package/psql/wire/connection.js +2844 -0
  88. package/psql/wire/copy.js +108 -0
  89. package/psql/wire/notify.js +59 -0
  90. package/psql/wire/pipeline.js +519 -0
  91. package/psql/wire/protocol.js +466 -0
  92. package/psql/wire/sasl.js +296 -0
  93. package/psql/wire/tls.js +596 -0
  94. package/test_utils/fixtures.js +1 -0
  95. package/utils/enrichers.js +18 -1
  96. package/utils/esbuild.js +147 -0
  97. package/utils/middlewares.js +1 -1
  98. package/utils/psql.js +107 -11
  99. package/utils/zip.js +4 -0
  100. package/writer.js +1 -1
  101. package/commands/auth.test.js +0 -211
  102. package/commands/branches.test.js +0 -460
  103. package/commands/connection_string.test.js +0 -196
  104. package/commands/databases.test.js +0 -39
  105. package/commands/help.test.js +0 -9
  106. package/commands/init.test.js +0 -56
  107. package/commands/ip_allow.test.js +0 -59
  108. package/commands/operations.test.js +0 -7
  109. package/commands/orgs.test.js +0 -7
  110. package/commands/projects.test.js +0 -144
  111. package/commands/roles.test.js +0 -37
  112. package/commands/set_context.test.js +0 -159
  113. package/commands/vpc_endpoints.test.js +0 -69
  114. package/env.test.js +0 -55
  115. package/utils/formats.test.js +0 -32
  116. package/writer.test.js +0 -104
@@ -0,0 +1,296 @@
1
+ /**
2
+ * SASL / SCRAM-SHA-256[-PLUS] client for the psql wire layer (WP-03).
3
+ *
4
+ * Ported from node-postgres' `packages/pg/lib/crypto/sasl.js` (MIT,
5
+ * Copyright (c) 2010-2020 Brian Carlson). Adaptations from upstream:
6
+ *
7
+ * - Pure Node `node:crypto` (sync PBKDF2 / HMAC) instead of SubtleCrypto;
8
+ * this module is sync because the wire layer drives it from a state
9
+ * machine that already buffers bytes.
10
+ * - The `pg` `Connection` / `Stream` plumbing is removed. Channel binding
11
+ * data (the certificate hash) is passed in as `Buffer` by the caller,
12
+ * not derived from a TLS socket. The caller (WP-02) is responsible for
13
+ * extracting `tls-server-end-point` per RFC 5929 (i.e. SHA-256 over
14
+ * the cert's `tbsCertificate`, or the cert's own signature hash when
15
+ * strong enough — that policy lives upstream of this module).
16
+ * - Returns Buffer-typed messages because the wire framer consumes
17
+ * Buffers; upstream pg works in strings because its message reader
18
+ * does the same.
19
+ * - SASLprep: ported upstream's permissive minimal SASLprep (the three
20
+ * transformations that actually change byte content). The full RFC
21
+ * 4013 prohibition + bidi tables are *not* implemented — matches
22
+ * libpq's and pg's behaviour, see comment on `saslprep` below.
23
+ *
24
+ * Server signature verification uses `crypto.timingSafeEqual` to avoid
25
+ * leaking timing information about the comparison result.
26
+ */
27
+ import { createHash, createHmac, pbkdf2Sync, randomBytes as nodeRandomBytes, timingSafeEqual, } from 'node:crypto';
28
+ export class SaslMechanismError extends Error {
29
+ constructor(message) {
30
+ super(message);
31
+ this.name = 'SaslMechanismError';
32
+ }
33
+ }
34
+ export class SaslVerificationError extends Error {
35
+ constructor(message) {
36
+ super(message);
37
+ this.name = 'SaslVerificationError';
38
+ }
39
+ }
40
+ export class SaslProtocolError extends Error {
41
+ constructor(message) {
42
+ super(message);
43
+ this.name = 'SaslProtocolError';
44
+ }
45
+ }
46
+ export function createScramClient(opts) {
47
+ const { mechanism, gs2Header, cbindInput } = chooseMechanism(opts.mechanisms, opts.channelBinding);
48
+ const rng = opts.randomBytes ?? nodeRandomBytes;
49
+ // 18 raw bytes => 24 base64 chars; same width as upstream pg.
50
+ // Commas are not part of the base64 alphabet, so the nonce is automatically
51
+ // SCRAM-safe (RFC 5802 §5.1 forbids `,` in `r=`).
52
+ const clientNonce = rng(18).toString('base64');
53
+ const internal = {
54
+ state: 'init',
55
+ mechanism,
56
+ clientNonce,
57
+ gs2Header,
58
+ cbindInput,
59
+ password: opts.password,
60
+ serverSignature: null,
61
+ };
62
+ return {
63
+ mechanism,
64
+ start: () => start(internal),
65
+ continue: (serverFirst) => continueSession(internal, serverFirst),
66
+ finish: (serverFinal) => {
67
+ finishSession(internal, serverFinal);
68
+ },
69
+ };
70
+ }
71
+ function chooseMechanism(advertised, channelBinding) {
72
+ const hasPlus = advertised.includes('SCRAM-SHA-256-PLUS');
73
+ const hasPlain = advertised.includes('SCRAM-SHA-256');
74
+ if (channelBinding && hasPlus) {
75
+ const gs2 = 'p=tls-server-end-point,,';
76
+ return {
77
+ mechanism: 'SCRAM-SHA-256-PLUS',
78
+ gs2Header: gs2,
79
+ cbindInput: Buffer.concat([
80
+ Buffer.from(gs2, 'utf8'),
81
+ channelBinding.data,
82
+ ]),
83
+ };
84
+ }
85
+ if (hasPlain) {
86
+ // Client has channel-binding data but server doesn't advertise PLUS: per
87
+ // RFC 5802 §6 the client must signal this with `y` so a downgrade attack
88
+ // is detected (the server, if PLUS-capable, would have advertised it).
89
+ const gs2 = channelBinding ? 'y,,' : 'n,,';
90
+ return {
91
+ mechanism: 'SCRAM-SHA-256',
92
+ gs2Header: gs2,
93
+ cbindInput: Buffer.from(gs2, 'utf8'),
94
+ };
95
+ }
96
+ throw new SaslMechanismError(`SASL: server offered [${advertised.join(', ')}] but only SCRAM-SHA-256 and SCRAM-SHA-256-PLUS are supported`);
97
+ }
98
+ function start(s) {
99
+ if (s.state !== 'init') {
100
+ throw new SaslProtocolError(`SASL: start() called in state ${s.state}`);
101
+ }
102
+ // n=,r=<nonce> — the username field is empty because PostgreSQL ignores it
103
+ // (the actual user was sent in StartupMessage) and an empty `n=` matches
104
+ // libpq's wire output. Note pg sends `n=*` instead; both interoperate.
105
+ const clientFirstBare = `n=,r=${s.clientNonce}`;
106
+ const clientFirstMessage = Buffer.from(s.gs2Header + clientFirstBare, 'utf8');
107
+ s.state = 'sent-first';
108
+ return { mechanism: s.mechanism, clientFirstMessage };
109
+ }
110
+ function continueSession(s, serverFirst) {
111
+ if (s.state !== 'sent-first') {
112
+ throw new SaslProtocolError(`SASL: continue() called in state ${s.state}`);
113
+ }
114
+ const serverFirstStr = serverFirst.toString('utf8');
115
+ const parsed = parseServerFirst(serverFirstStr);
116
+ if (!parsed.nonce.startsWith(s.clientNonce)) {
117
+ throw new SaslProtocolError('SASL: server nonce does not start with client nonce');
118
+ }
119
+ if (parsed.nonce.length === s.clientNonce.length) {
120
+ throw new SaslProtocolError('SASL: server nonce is too short');
121
+ }
122
+ const clientFirstBare = `n=,r=${s.clientNonce}`;
123
+ const serverFirstString = `r=${parsed.nonce},s=${parsed.salt},i=${String(parsed.iteration)}`;
124
+ // c=<base64 of GS2 header || optional CB data>
125
+ const channelBindingB64 = s.cbindInput.toString('base64');
126
+ const clientFinalWithoutProof = `c=${channelBindingB64},r=${parsed.nonce}`;
127
+ const authMessage = `${clientFirstBare},${serverFirstString},${clientFinalWithoutProof}`;
128
+ const saltBytes = Buffer.from(parsed.salt, 'base64');
129
+ // SASLprep the password before PBKDF2 (RFC 5802 §2.2). Our impl is minimal;
130
+ // see saslprep() comment for the deviation from full RFC 4013.
131
+ const normalizedPassword = saslprep(s.password);
132
+ const saltedPassword = pbkdf2Sync(Buffer.from(normalizedPassword, 'utf8'), saltBytes, parsed.iteration, 32, 'sha256');
133
+ const clientKey = hmac(saltedPassword, 'Client Key');
134
+ const storedKey = sha256(clientKey);
135
+ const clientSignature = hmac(storedKey, authMessage);
136
+ const clientProof = xor(clientKey, clientSignature);
137
+ const serverKey = hmac(saltedPassword, 'Server Key');
138
+ s.serverSignature = hmac(serverKey, authMessage);
139
+ s.state = 'sent-final';
140
+ return Buffer.from(`${clientFinalWithoutProof},p=${clientProof.toString('base64')}`, 'utf8');
141
+ }
142
+ function finishSession(s, serverFinal) {
143
+ if (s.state !== 'sent-final') {
144
+ throw new SaslProtocolError(`SASL: finish() called in state ${s.state}`);
145
+ }
146
+ if (s.serverSignature === null) {
147
+ // Defensive: should be impossible because state machine guards it.
148
+ throw new SaslProtocolError('SASL: no server signature recorded');
149
+ }
150
+ const parsed = parseServerFinal(serverFinal.toString('utf8'));
151
+ const received = Buffer.from(parsed.serverSignature, 'base64');
152
+ // Constant-time comparison: defeats timing side channels that could let an
153
+ // attacker (with control over `v=`) learn the prefix of our derived signature.
154
+ if (received.length !== s.serverSignature.length ||
155
+ !timingSafeEqual(received, s.serverSignature)) {
156
+ throw new SaslVerificationError('SASL: server signature does not match — possible MITM or wrong password');
157
+ }
158
+ s.state = 'done';
159
+ }
160
+ function parseServerFirst(text) {
161
+ const attrs = parseAttributePairs(text);
162
+ const nonce = attrs.get('r');
163
+ if (!nonce) {
164
+ throw new SaslProtocolError('SASL: server-first missing `r=` (nonce)');
165
+ }
166
+ if (!isPrintableChars(nonce)) {
167
+ throw new SaslProtocolError('SASL: server-first nonce contains non-printable characters');
168
+ }
169
+ const salt = attrs.get('s');
170
+ if (!salt) {
171
+ throw new SaslProtocolError('SASL: server-first missing `s=` (salt)');
172
+ }
173
+ if (!isBase64(salt)) {
174
+ throw new SaslProtocolError('SASL: server-first salt is not base64');
175
+ }
176
+ const iterStr = attrs.get('i');
177
+ if (!iterStr) {
178
+ throw new SaslProtocolError('SASL: server-first missing `i=` (iterations)');
179
+ }
180
+ if (!/^[1-9][0-9]*$/.test(iterStr)) {
181
+ throw new SaslProtocolError(`SASL: server-first iteration count is not a positive integer: ${iterStr}`);
182
+ }
183
+ return { nonce, salt, iteration: parseInt(iterStr, 10) };
184
+ }
185
+ function parseServerFinal(text) {
186
+ const attrs = parseAttributePairs(text);
187
+ const errorAttr = attrs.get('e');
188
+ if (errorAttr) {
189
+ throw new SaslVerificationError(`SASL: server-final returned error: ${errorAttr}`);
190
+ }
191
+ const v = attrs.get('v');
192
+ if (!v) {
193
+ throw new SaslProtocolError('SASL: server-final missing `v=` (server signature)');
194
+ }
195
+ if (!isBase64(v)) {
196
+ throw new SaslProtocolError('SASL: server-final `v=` is not base64');
197
+ }
198
+ return { serverSignature: v };
199
+ }
200
+ function parseAttributePairs(text) {
201
+ const out = new Map();
202
+ for (const pair of text.split(',')) {
203
+ if (pair.length < 2 || pair[1] !== '=') {
204
+ throw new SaslProtocolError(`SASL: malformed attribute pair: ${JSON.stringify(pair)}`);
205
+ }
206
+ const key = pair[0];
207
+ // RFC 5802 attribute lists never repeat an attribute; a duplicate is
208
+ // malformed server input. Reject it rather than silently last-wins,
209
+ // so a non-conformant/hostile server can't smuggle a shadow value
210
+ // (e.g. `v=<good>,v=<evil>`) past the parse.
211
+ if (out.has(key)) {
212
+ throw new SaslProtocolError(`SASL: duplicate attribute ${JSON.stringify(key)} in message`);
213
+ }
214
+ out.set(key, pair.substring(2));
215
+ }
216
+ return out;
217
+ }
218
+ // printable = %x21-2B / %x2D-7E ;; printable ASCII except ","
219
+ function isPrintableChars(text) {
220
+ for (let i = 0; i < text.length; i++) {
221
+ const c = text.charCodeAt(i);
222
+ if (!((c >= 0x21 && c <= 0x2b) || (c >= 0x2d && c <= 0x7e))) {
223
+ return false;
224
+ }
225
+ }
226
+ return true;
227
+ }
228
+ function isBase64(text) {
229
+ return /^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$/.test(text);
230
+ }
231
+ // ---------------------------------------------------------------------------
232
+ // Crypto helpers
233
+ // ---------------------------------------------------------------------------
234
+ function hmac(key, msg) {
235
+ const h = createHmac('sha256', key);
236
+ h.update(msg);
237
+ return h.digest();
238
+ }
239
+ function sha256(data) {
240
+ return createHash('sha256').update(data).digest();
241
+ }
242
+ function xor(a, b) {
243
+ if (a.length !== b.length) {
244
+ throw new SaslProtocolError(`SASL: XOR length mismatch (${String(a.length)} vs ${String(b.length)})`);
245
+ }
246
+ const out = Buffer.alloc(a.length);
247
+ for (let i = 0; i < a.length; i++) {
248
+ out[i] = a[i] ^ b[i];
249
+ }
250
+ return out;
251
+ }
252
+ // ---------------------------------------------------------------------------
253
+ // SASLprep
254
+ // ---------------------------------------------------------------------------
255
+ /**
256
+ * Minimal SASLprep (RFC 4013) — exactly the three transformations that
257
+ * change byte content, ported from node-postgres' implementation:
258
+ *
259
+ * 1. RFC 3454 Table C.1.2 (non-ASCII space) -> U+0020 SPACE.
260
+ * 2. RFC 3454 Table B.1 (commonly mapped to nothing) -> empty.
261
+ * 3. NFKC normalization.
262
+ *
263
+ * We deliberately *skip* the RFC 4013 §2.3 prohibition table and the §6
264
+ * bidi checks. libpq is forgiving on those paths and PostgreSQL's own
265
+ * SASLprep matches that leniency for legacy roles — implementing strict
266
+ * RFC 4013 here would lock out passwords that already auth against the
267
+ * server. This deviation matches upstream pg.
268
+ *
269
+ * The character classes below intentionally contain combining marks and
270
+ * zero-width joiners (RFC 3454 Table B.1) and named spaces (Table C.1.2);
271
+ * they are spelled with `\u` escapes so the source is portable across
272
+ * encodings.
273
+ */
274
+ // Built once at module load: regex character classes for the two SASLprep
275
+ // transformations. They are constructed from \uXXXX escape sequences in a
276
+ // string so the source file stays ASCII-only and so we sidestep ESLint's
277
+ // `no-irregular-whitespace` and `no-misleading-character-class` rules —
278
+ // those only inspect raw regex literals, not dynamically-built patterns.
279
+ const NON_ASCII_SPACE_RE = new RegExp('[' + '\u00A0\u1680' + '\u2000-\u200B' + '\u202F\u205F\u3000' + ']', 'g');
280
+ // Combining marks and ZWJ are intentionally in this class; RFC 3454 Table B.1
281
+ // strips them precisely because they combine with neighbouring code points.
282
+ /* eslint-disable no-misleading-character-class */
283
+ const MAPPED_TO_NOTHING_RE = new RegExp('[' +
284
+ '\u00AD\u034F\u1806' +
285
+ '\u180B-\u180D' +
286
+ '\u200C\u200D\u2060' +
287
+ '\uFE00-\uFE0F' +
288
+ '\uFEFF' +
289
+ ']', 'g');
290
+ /* eslint-enable no-misleading-character-class */
291
+ function saslprep(password) {
292
+ return password
293
+ .replace(NON_ASCII_SPACE_RE, ' ')
294
+ .replace(MAPPED_TO_NOTHING_RE, '')
295
+ .normalize('NFKC');
296
+ }