postgresai 0.14.0-dev.10 → 0.14.0-dev.12

package/lib/init.ts

@@ -340,6 +340,7 @@ export async function buildInitPlan(params: {
   const qRole = quoteIdent(monitoringUser);
   const qDb = quoteIdent(database);
   const qPw = quoteLiteral(params.monitoringPassword);
+  const qRoleNameLit = quoteLiteral(monitoringUser);
 
   const steps: InitStep[] = [];
 
@@ -348,21 +349,26 @@ export async function buildInitPlan(params: {
     DB_IDENT: qDb,
   };
 
-  // Role creation/update is done in one template file; caller decides statement.
+  // Role creation/update is done in one template file.
+  // If roleExists is unknown, use a single DO block to create-or-alter safely.
+  let roleStmt: string | null = null;
   if (params.roleExists === false) {
-    const roleSql = applyTemplate(loadSqlTemplate("01.role.sql"), {
-      ...vars,
-      ROLE_STMT: `create user ${qRole} with password ${qPw};`,
-    });
-    steps.push({ name: "01.role", sql: roleSql });
+    roleStmt = `create user ${qRole} with password ${qPw};`;
   } else if (params.roleExists === true) {
-    const roleSql = applyTemplate(loadSqlTemplate("01.role.sql"), {
-      ...vars,
-      ROLE_STMT: `alter user ${qRole} with password ${qPw};`,
-    });
-    steps.push({ name: "01.role", sql: roleSql });
+    roleStmt = `alter user ${qRole} with password ${qPw};`;
+  } else {
+    roleStmt = `do $$ begin
+  if not exists (select 1 from pg_catalog.pg_roles where rolname = ${qRoleNameLit}) then
+    create user ${qRole} with password ${qPw};
+  else
+    alter user ${qRole} with password ${qPw};
+  end if;
+end $$;`;
   }
 
+  const roleSql = applyTemplate(loadSqlTemplate("01.role.sql"), { ...vars, ROLE_STMT: roleStmt });
+  steps.push({ name: "01.role", sql: roleSql });
+
   steps.push({
     name: "02.permissions",
     sql: applyTemplate(loadSqlTemplate("02.permissions.sql"), vars),
@@ -414,7 +420,12 @@ export async function applyInitPlan(params: {
     }
     await params.client.query("commit;");
   } catch (e) {
-    await params.client.query("rollback;");
+    // Rollback errors should never mask the original failure.
+    try {
+      await params.client.query("rollback;");
+    } catch {
+      // ignore
+    }
     throw e;
   }
 
@@ -432,4 +443,123 @@ export async function applyInitPlan(params: {
   return { applied, skippedOptional };
 }
 
+export type VerifyInitResult = {
+  ok: boolean;
+  missingRequired: string[];
+  missingOptional: string[];
+};
+
+export async function verifyInitSetup(params: {
+  client: PgClient;
+  database: string;
+  monitoringUser: string;
+  includeOptionalPermissions: boolean;
+}): Promise<VerifyInitResult> {
+  const missingRequired: string[] = [];
+  const missingOptional: string[] = [];
+
+  const role = params.monitoringUser;
+  const db = params.database;
+
+  const roleRes = await params.client.query("select 1 from pg_catalog.pg_roles where rolname = $1", [role]);
+  const roleExists = (roleRes.rowCount ?? 0) > 0;
+  if (!roleExists) {
+    missingRequired.push(`role "${role}" does not exist`);
+    // If role is missing, other checks will error or be meaningless.
+    return { ok: false, missingRequired, missingOptional };
+  }
+
+  const connectRes = await params.client.query(
+    "select has_database_privilege($1, $2, 'CONNECT') as ok",
+    [role, db]
+  );
+  if (!connectRes.rows?.[0]?.ok) {
+    missingRequired.push(`CONNECT on database "${db}"`);
+  }
+
+  const pgMonitorRes = await params.client.query(
+    "select pg_has_role($1, 'pg_monitor', 'member') as ok",
+    [role]
+  );
+  if (!pgMonitorRes.rows?.[0]?.ok) {
+    missingRequired.push("membership in role pg_monitor");
+  }
+
+  const pgIndexRes = await params.client.query(
+    "select has_table_privilege($1, 'pg_catalog.pg_index', 'SELECT') as ok",
+    [role]
+  );
+  if (!pgIndexRes.rows?.[0]?.ok) {
+    missingRequired.push("SELECT on pg_catalog.pg_index");
+  }
+
+  const viewExistsRes = await params.client.query("select to_regclass('public.pg_statistic') is not null as ok");
+  if (!viewExistsRes.rows?.[0]?.ok) {
+    missingRequired.push("view public.pg_statistic exists");
+  } else {
+    const viewPrivRes = await params.client.query(
+      "select has_table_privilege($1, 'public.pg_statistic', 'SELECT') as ok",
+      [role]
+    );
+    if (!viewPrivRes.rows?.[0]?.ok) {
+      missingRequired.push("SELECT on view public.pg_statistic");
+    }
+  }
+
+  const schemaUsageRes = await params.client.query(
+    "select has_schema_privilege($1, 'public', 'USAGE') as ok",
+    [role]
+  );
+  if (!schemaUsageRes.rows?.[0]?.ok) {
+    missingRequired.push("USAGE on schema public");
+  }
+
+  const rolcfgRes = await params.client.query("select rolconfig from pg_catalog.pg_roles where rolname = $1", [role]);
+  const rolconfig = rolcfgRes.rows?.[0]?.rolconfig;
+  const spLine = Array.isArray(rolconfig) ? rolconfig.find((v: any) => String(v).startsWith("search_path=")) : undefined;
+  if (typeof spLine !== "string" || !spLine) {
+    missingRequired.push("role search_path is set");
+  } else {
+    // We accept any ordering as long as public and pg_catalog are included.
+    const sp = spLine.toLowerCase();
+    if (!sp.includes("public") || !sp.includes("pg_catalog")) {
+      missingRequired.push("role search_path includes public and pg_catalog");
+    }
+  }
+
+  if (params.includeOptionalPermissions) {
+    // Optional RDS/Aurora extras
+    {
+      const extRes = await params.client.query("select 1 from pg_extension where extname = 'rds_tools'");
+      if ((extRes.rowCount ?? 0) === 0) {
+        missingOptional.push("extension rds_tools");
+      } else {
+        const fnRes = await params.client.query(
+          "select has_function_privilege($1, 'rds_tools.pg_ls_multixactdir()', 'EXECUTE') as ok",
+          [role]
+        );
+        if (!fnRes.rows?.[0]?.ok) {
+          missingOptional.push("EXECUTE on rds_tools.pg_ls_multixactdir()");
+        }
+      }
+    }
+
+    // Optional self-managed extras
+    const optionalFns = [
+      "pg_catalog.pg_stat_file(text)",
+      "pg_catalog.pg_stat_file(text, boolean)",
+      "pg_catalog.pg_ls_dir(text)",
+      "pg_catalog.pg_ls_dir(text, boolean, boolean)",
+    ];
+    for (const fn of optionalFns) {
+      const fnRes = await params.client.query("select has_function_privilege($1, $2, 'EXECUTE') as ok", [role, fn]);
+      if (!fnRes.rows?.[0]?.ok) {
+        missingOptional.push(`EXECUTE on ${fn}`);
+      }
+    }
+  }
+
+  return { ok: missingRequired.length === 0, missingRequired, missingOptional };
+}
+
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "postgresai",
-  "version": "0.14.0-dev.10",
+  "version": "0.14.0-dev.12",
   "description": "postgres_ai CLI (Node.js)",
   "license": "Apache-2.0",
   "private": false,

package/sql/01.role.sql

@@ -1,4 +1,15 @@
 -- Role creation / password update (template-filled by cli/lib/init.ts)
+--
+-- Example expansions (for readability/review):
+--   create user "postgres_ai_mon" with password '...';
+--   alter user "postgres_ai_mon" with password '...';
+--   do $$ begin
+--     if not exists (select 1 from pg_catalog.pg_roles where rolname = 'postgres_ai_mon') then
+--       create user "postgres_ai_mon" with password '...';
+--     else
+--       alter user "postgres_ai_mon" with password '...';
+--     end if;
+--   end $$;
 {{ROLE_STMT}}
 
 

package/test/init.integration.test.cjs

@@ -190,6 +190,29 @@ test(
   }
 );
 
+test(
+  "integration: init requires explicit monitoring password in non-interactive mode (unless --print-password)",
+  { skip: !havePostgresBinaries() },
+  async (t) => {
+    const pg = await withTempPostgres(t);
+
+    // spawnSync captures stdout/stderr (non-TTY). We should not print a generated password unless explicitly requested.
+    {
+      const r = await runCliInit([pg.adminUri, "--skip-optional-permissions"]);
+      assert.notEqual(r.status, 0);
+      assert.match(r.stderr, /not printed in non-interactive mode/i);
+      assert.match(r.stderr, /--print-password/);
+    }
+
+    // With explicit opt-in, it should succeed (and will print the generated password).
+    {
+      const r = await runCliInit([pg.adminUri, "--print-password", "--skip-optional-permissions"]);
+      assert.equal(r.status, 0, r.stderr || r.stdout);
+      assert.match(r.stdout, /Generated password for monitoring user/i);
+    }
+  }
+);
+
 test(
   "integration: init fixes slightly-off permissions idempotently",
   { skip: !havePostgresBinaries() },
@@ -276,4 +299,67 @@ test("integration: init reports nicely when lacking permissions", { skip: !haveP
   assert.match(r.stderr, /Hint: connect as a superuser/i);
 });
 
+test("integration: init --verify returns 0 when ok and non-zero when missing", { skip: !havePostgresBinaries() }, async (t) => {
+  const pg = await withTempPostgres(t);
+  const { Client } = require("pg");
+
+  // Prepare: run init
+  {
+    const r = await runCliInit([pg.adminUri, "--password", "monpw", "--skip-optional-permissions"]);
+    assert.equal(r.status, 0, r.stderr || r.stdout);
+  }
+
+  // Verify should pass
+  {
+    const r = await runCliInit([pg.adminUri, "--verify", "--skip-optional-permissions"]);
+    assert.equal(r.status, 0, r.stderr || r.stdout);
+    assert.match(r.stdout, /init verify: OK/i);
+  }
+
+  // Break a required privilege and ensure verify fails
+  {
+    const c = new Client({ connectionString: pg.adminUri });
+    await c.connect();
+    // pg_catalog tables are often readable via PUBLIC by default; revoke from PUBLIC too so the failure is deterministic.
+    await c.query("revoke select on pg_catalog.pg_index from public");
+    await c.query("revoke select on pg_catalog.pg_index from postgres_ai_mon");
+    await c.end();
+  }
+  {
+    const r = await runCliInit([pg.adminUri, "--verify", "--skip-optional-permissions"]);
+    assert.notEqual(r.status, 0);
+    assert.match(r.stderr, /init verify failed/i);
+    assert.match(r.stderr, /pg_catalog\.pg_index/i);
+  }
+});
+
+test("integration: init --reset-password updates the monitoring role login password", { skip: !havePostgresBinaries() }, async (t) => {
+  const pg = await withTempPostgres(t);
+  const { Client } = require("pg");
+
+  // Initial setup with password pw1
+  {
+    const r = await runCliInit([pg.adminUri, "--password", "pw1", "--skip-optional-permissions"]);
+    assert.equal(r.status, 0, r.stderr || r.stdout);
+  }
+
+  // Reset to pw2
+  {
+    const r = await runCliInit([pg.adminUri, "--reset-password", "--password", "pw2", "--skip-optional-permissions"]);
+    assert.equal(r.status, 0, r.stderr || r.stdout);
+    assert.match(r.stdout, /password reset/i);
+  }
+
+  // Connect as monitoring user with new password should work
+  {
+    const c = new Client({
+      connectionString: `postgresql://postgres_ai_mon:pw2@127.0.0.1:${pg.port}/testdb`,
+    });
+    await c.connect();
+    const ok = await c.query("select 1 as ok");
+    assert.equal(ok.rows[0].ok, 1);
+    await c.end();
+  }
+});
+
 

package/test/init.test.cjs

@@ -5,6 +5,17 @@ const assert = require("node:assert/strict");
 // Run via: npm --prefix cli test
 const init = require("../dist/lib/init.js");
 
+function runCli(args, env = {}) {
+  const { spawnSync } = require("node:child_process");
+  const path = require("node:path");
+  const node = process.execPath;
+  const cliPath = path.resolve(__dirname, "..", "dist", "bin", "postgres-ai.js");
+  return spawnSync(node, [cliPath, ...args], {
+    encoding: "utf8",
+    env: { ...process.env, ...env },
+  });
+}
+
 test("maskConnectionString hides password when present", () => {
   const masked = init.maskConnectionString("postgresql://user:secret@localhost:5432/mydb");
   assert.match(masked, /postgresql:\/\/user:\*{5}@localhost:5432\/mydb/);
@@ -42,6 +53,18 @@ test("buildInitPlan includes create user when role does not exist", async () =>
   assert.ok(!plan.steps.some((s) => s.optional));
 });
 
+test("buildInitPlan includes role step when roleExists is omitted", async () => {
+  const plan = await init.buildInitPlan({
+    database: "mydb",
+    monitoringUser: "postgres_ai_mon",
+    monitoringPassword: "pw",
+    includeOptionalPermissions: false,
+  });
+  const roleStep = plan.steps.find((s) => s.name === "01.role");
+  assert.ok(roleStep);
+  assert.match(roleStep.sql, /do\s+\$\$/i);
+});
+
 test("buildInitPlan inlines password safely for CREATE/ALTER ROLE grammar", async () => {
   const plan = await init.buildInitPlan({
     database: "mydb",
@@ -113,4 +136,11 @@ test("print-sql redaction regex matches password literal with embedded quotes",
   assert.match(redacted, /password '<redacted>'/i);
 });
 
+test("cli: init --print-sql works without connection (offline mode)", () => {
+  const r = runCli(["init", "--print-sql", "-d", "mydb", "--password", "monpw"]);
+  assert.equal(r.status, 0, r.stderr || r.stdout);
+  assert.match(r.stdout, /SQL plan \(offline; not connected\)/);
+  assert.match(r.stdout, /grant connect on database "mydb" to "postgres_ai_mon"/i);
+});
+