spindb 0.46.5 → 0.47.1

package/dist/engines/cockroachdb/index.js

@@ -10,7 +10,7 @@
  * - Uses PostgreSQL wire protocol for client connections
  * - Single binary: `cockroach` (handles server, sql client, and admin tasks)
  * - Default database: `defaultdb`
- * - Default user: `root` (no password in insecure mode)
+ * - Default local admin user: `root` authenticated via generated client cert
  */
 import { spawn } from 'child_process';
 import { existsSync } from 'fs';
@@ -30,10 +30,80 @@ import { normalizeVersion, SUPPORTED_MAJOR_VERSIONS, COCKROACHDB_VERSION_MAP, }
 import { fetchAvailableVersions as fetchHostdbVersions } from './hostdb-releases.js';
 import { detectBackupFormat as detectBackupFormatImpl, restoreBackup, } from './restore.js';
 import { createBackup } from './backup.js';
-import { validateCockroachIdentifier, escapeCockroachIdentifier, escapeSqlValue, parseCsvLine, parseCsvRecords, isInsecureConnection, } from './cli-utils.js';
+import { validateCockroachIdentifier, escapeCockroachIdentifier, escapeSqlValue, parseCsvLine, parseCsvRecords, isInsecureConnection, buildLocalCockroachSqlArgs, buildSecureCockroachConnectionString, buildInsecureCockroachConnectionString, getCockroachCertsDir, getCockroachCaCertPath, getCockroachCaKeyPath, getCockroachClientCertPath, getCockroachClientKeyPath, } from './cli-utils.js';
 import { parseCSVToQueryResult } from '../../core/query-parser.js';
 const ENGINE = 'cockroachdb';
 const engineDef = getEngineDefaults(ENGINE);
+async function runCockroachCommand(cockroachPath, args, spawnOptions = {}) {
+    return new Promise((resolve, reject) => {
+        const proc = spawn(cockroachPath, args, {
+            stdio: ['ignore', 'pipe', 'pipe'],
+            ...spawnOptions,
+        });
+        let stdout = '';
+        let stderr = '';
+        proc.stdout?.on('data', (data) => {
+            stdout += data.toString();
+        });
+        proc.stderr?.on('data', (data) => {
+            stderr += data.toString();
+        });
+        proc.on('error', reject);
+        proc.on('close', (code) => {
+            if (code === 0) {
+                resolve({ stdout, stderr });
+            }
+            else {
+                reject(new Error(stderr || `cockroach exited with code ${code}`));
+            }
+        });
+    });
+}
+async function ensureSecureLocalAssets(cockroachPath, containerName, bindAddress) {
+    const certsDir = getCockroachCertsDir(containerName);
+    const caKey = getCockroachCaKeyPath(containerName);
+    const nodeCert = join(certsDir, 'node.crt');
+    const nodeKey = join(certsDir, 'node.key');
+    const rootClientCert = getCockroachClientCertPath(containerName, 'root');
+    const rootClientKey = getCockroachClientKeyPath(containerName, 'root');
+    await mkdir(certsDir, { recursive: true });
+    if (!existsSync(join(certsDir, 'ca.crt')) || !existsSync(caKey)) {
+        await runCockroachCommand(cockroachPath, [
+            'cert',
+            'create-ca',
+            '--certs-dir',
+            certsDir,
+            '--ca-key',
+            caKey,
+        ]);
+    }
+    if (!existsSync(nodeCert) || !existsSync(nodeKey)) {
+        const hosts = new Set(['127.0.0.1', 'localhost', '::1']);
+        if (bindAddress && bindAddress !== '0.0.0.0' && bindAddress !== '::') {
+            hosts.add(bindAddress);
+        }
+        await runCockroachCommand(cockroachPath, [
+            'cert',
+            'create-node',
+            ...Array.from(hosts),
+            '--certs-dir',
+            certsDir,
+            '--ca-key',
+            caKey,
+        ]);
+    }
+    if (!existsSync(rootClientCert) || !existsSync(rootClientKey)) {
+        await runCockroachCommand(cockroachPath, [
+            'cert',
+            'create-client',
+            'root',
+            '--certs-dir',
+            certsDir,
+            '--ca-key',
+            caKey,
+        ]);
+    }
+}
 export class CockroachDBEngine extends BaseEngine {
     name = ENGINE;
     displayName = 'CockroachDB';
@@ -168,11 +238,13 @@ export class CockroachDBEngine extends BaseEngine {
         const httpPort = port + 1; // HTTP admin UI port
         onProgress?.({ stage: 'starting', message: 'Starting CockroachDB...' });
         logDebug(`Starting CockroachDB with data dir: ${dataDir}`);
+        await ensureSecureLocalAssets(cockroachBinary, name, container.bindAddress);
         // CockroachDB start command
-        // Using --insecure for local development (no TLS)
+        // Local containers run in secure mode with per-container certs.
         const args = [
             'start-single-node',
-            '--insecure',
+            '--certs-dir',
+            getCockroachCertsDir(name),
             '--store',
             dataDir,
             '--listen-addr',
@@ -262,7 +334,7 @@ export class CockroachDBEngine extends BaseEngine {
         // Windows needs a longer timeout since CockroachDB initialization takes more time
         const timeout = isWindows ? 120000 : 60000;
         logDebug(`Waiting for CockroachDB server to be ready on port ${port}... (timeout: ${timeout}ms)`);
-        const ready = await this.waitForReady(port, version, timeout);
+        const ready = await this.waitForReady(name, port, version, timeout);
         logDebug(`waitForReady returned: ${ready}`);
         if (!ready) {
             // Clean up the spawned process and PID file before throwing
@@ -288,7 +360,7 @@ export class CockroachDBEngine extends BaseEngine {
         };
     }
     // Wait for CockroachDB to be ready
-    async waitForReady(port, version, timeoutMs = 60000) {
+    async waitForReady(containerName, port, version, timeoutMs = 60000) {
         logDebug(`waitForReady called for port ${port}, version ${version}`);
         const startTime = Date.now();
         const checkInterval = 500;
@@ -310,14 +382,11 @@ export class CockroachDBEngine extends BaseEngine {
             attempt++;
             logDebug(`Connection attempt ${attempt}...`);
             try {
-                const args = [
-                    'sql',
-                    '--insecure',
-                    '--host',
-                    `127.0.0.1:${port}`,
-                    '--execute',
-                    'SELECT 1',
-                ];
+                const args = buildLocalCockroachSqlArgs({
+                    containerName,
+                    port,
+                });
+                args.push('--execute', 'SELECT 1');
                 await new Promise((resolve, reject) => {
                     const proc = spawn(cockroach, args, {
                         stdio: ['ignore', 'pipe', 'pipe'],
@@ -403,18 +472,15 @@ export class CockroachDBEngine extends BaseEngine {
     }
     // Get CockroachDB server status
     async status(container) {
-        const { port, version } = container;
+        const { name, port, version } = container;
         // Try to connect
         try {
             const cockroach = await this.getCockroachPath(version);
-            const args = [
-                'sql',
-                '--insecure',
-                '--host',
-                `127.0.0.1:${port}`,
-                '--execute',
-                'SELECT 1',
-            ];
+            const args = buildLocalCockroachSqlArgs({
+                containerName: name,
+                port,
+            });
+            args.push('--execute', 'SELECT 1');
             await new Promise((resolve, reject) => {
                 const proc = spawn(cockroach, args, {
                     stdio: ['ignore', 'pipe', 'pipe'],
@@ -452,23 +518,40 @@ export class CockroachDBEngine extends BaseEngine {
     }
     /**
      * Get connection string
-     * Format: postgresql://root@127.0.0.1:PORT/DATABASE?sslmode=disable
+     * Format: postgresql://root@127.0.0.1:PORT/DATABASE?sslmode=verify-full...
      */
     getConnectionString(container, database) {
-        const { port } = container;
+        const { name, port } = container;
         const db = database || container.database || 'defaultdb';
-        return `postgresql://root@127.0.0.1:${port}/${db}?sslmode=disable`;
+        const legacyInsecureRunning = container.status === 'running' &&
+            !existsSync(getCockroachCaCertPath(name));
+        if (legacyInsecureRunning) {
+            return buildInsecureCockroachConnectionString({
+                port,
+                database: db,
+            });
+        }
+        return buildSecureCockroachConnectionString({
+            containerName: name,
+            port,
+            database: db,
+        });
     }
     // Open cockroach sql interactive shell
     async connect(container, database) {
-        const { port, version } = container;
+        const { name, port, version } = container;
         const db = database || container.database || 'defaultdb';
         const cockroach = await this.getCockroachPath(version);
+        const args = buildLocalCockroachSqlArgs({
+            containerName: name,
+            port,
+            database: db,
+        });
         const spawnOptions = {
             stdio: 'inherit',
         };
         return new Promise((resolve, reject) => {
-            const proc = spawn(cockroach, ['sql', '--insecure', '--host', `127.0.0.1:${port}`, '--database', db], spawnOptions);
+            const proc = spawn(cockroach, args, spawnOptions);
             proc.on('error', reject);
             proc.on('close', () => resolve());
         });
@@ -477,19 +560,16 @@ export class CockroachDBEngine extends BaseEngine {
      * Create a new database
      */
     async createDatabase(container, database) {
-        const { port, version } = container;
+        const { name, port, version } = container;
         // Validate database identifier to prevent SQL injection
         validateCockroachIdentifier(database, 'database');
         const escapedDb = escapeCockroachIdentifier(database);
         const cockroach = await this.getCockroachPath(version);
-        const args = [
-            'sql',
-            '--insecure',
-            '--host',
-            `127.0.0.1:${port}`,
-            '--execute',
-            `CREATE DATABASE IF NOT EXISTS ${escapedDb}`,
-        ];
+        const args = buildLocalCockroachSqlArgs({
+            containerName: name,
+            port,
+        });
+        args.push('--execute', `CREATE DATABASE IF NOT EXISTS ${escapedDb}`);
         await new Promise((resolve, reject) => {
             const proc = spawn(cockroach, args, {
                 stdio: ['ignore', 'pipe', 'pipe'],
@@ -514,7 +594,7 @@ export class CockroachDBEngine extends BaseEngine {
      * Drop a database
      */
     async dropDatabase(container, database) {
-        const { port, version } = container;
+        const { name, port, version } = container;
         // Don't allow dropping system databases
         const systemDatabases = ['defaultdb', 'postgres', 'system'];
         if (systemDatabases.includes(database.toLowerCase())) {
@@ -524,14 +604,11 @@ export class CockroachDBEngine extends BaseEngine {
         validateCockroachIdentifier(database, 'database');
         const escapedDb = escapeCockroachIdentifier(database);
         const cockroach = await this.getCockroachPath(version);
-        const args = [
-            'sql',
-            '--insecure',
-            '--host',
-            `127.0.0.1:${port}`,
-            '--execute',
-            `DROP DATABASE IF EXISTS ${escapedDb}`,
-        ];
+        const args = buildLocalCockroachSqlArgs({
+            containerName: name,
+            port,
+        });
+        args.push('--execute', `DROP DATABASE IF EXISTS ${escapedDb}`);
         await new Promise((resolve, reject) => {
             const proc = spawn(cockroach, args, {
                 stdio: ['ignore', 'pipe', 'pipe'],
@@ -556,7 +633,7 @@ export class CockroachDBEngine extends BaseEngine {
      * Rename a database using CockroachDB's native ALTER DATABASE RENAME
      */
     async renameDatabase(container, oldName, newName) {
-        const { port, version } = container;
+        const { name, port, version } = container;
         const systemDatabases = ['defaultdb', 'postgres', 'system'];
         if (systemDatabases.includes(oldName.toLowerCase())) {
             throw new Error(`Cannot rename system database: ${oldName}`);
@@ -569,14 +646,11 @@ export class CockroachDBEngine extends BaseEngine {
         const escapedOld = escapeCockroachIdentifier(oldName);
         const escapedNew = escapeCockroachIdentifier(newName);
         const cockroach = await this.getCockroachPath(version);
-        const args = [
-            'sql',
-            '--insecure',
-            '--host',
-            `127.0.0.1:${port}`,
-            '--execute',
-            `ALTER DATABASE ${escapedOld} RENAME TO ${escapedNew}`,
-        ];
+        const args = buildLocalCockroachSqlArgs({
+            containerName: name,
+            port,
+        });
+        args.push('--execute', `ALTER DATABASE ${escapedOld} RENAME TO ${escapedNew}`);
         await new Promise((resolve, reject) => {
             const proc = spawn(cockroach, args, {
                 stdio: ['ignore', 'pipe', 'pipe'],
@@ -601,7 +675,7 @@ export class CockroachDBEngine extends BaseEngine {
      * Get the database size in bytes
      */
     async getDatabaseSize(container) {
-        const { port, version, database } = container;
+        const { name, port, version, database } = container;
         const db = database || 'defaultdb';
         try {
             const cockroach = await this.getCockroachPath(version);
@@ -609,17 +683,12 @@ export class CockroachDBEngine extends BaseEngine {
             // CockroachDB query to get database size
             const query = `SELECT sum(range_size_mb) * 1024 * 1024 as size_bytes FROM [SHOW RANGES FROM DATABASE ${escapeCockroachIdentifier(db)}]`;
             const result = await new Promise((resolve, reject) => {
-                const args = [
-                    'sql',
-                    '--insecure',
-                    '--host',
-                    `127.0.0.1:${port}`,
-                    '--database',
-                    db,
-                    '--execute',
-                    query,
-                    '--format=csv',
-                ];
+                const args = buildLocalCockroachSqlArgs({
+                    containerName: name,
+                    port,
+                    database: db,
+                });
+                args.push('--execute', query, '--format=csv');
                 const proc = spawn(cockroach, args, {
                     stdio: ['ignore', 'pipe', 'pipe'],
                 });
@@ -852,21 +921,17 @@ export class CockroachDBEngine extends BaseEngine {
     }
     // Run a SQL file or inline SQL statement
     async runScript(container, options) {
-        const { port, version } = container;
+        const { name, port, version } = container;
         const db = options.database || container.database || 'defaultdb';
         const cockroach = await this.getCockroachPath(version);
         if (options.file) {
             // Run SQL file
-            const args = [
-                'sql',
-                '--insecure',
-                '--host',
-                `127.0.0.1:${port}`,
-                '--database',
-                db,
-                '--file',
-                options.file,
-            ];
+            const args = buildLocalCockroachSqlArgs({
+                containerName: name,
+                port,
+                database: db,
+            });
+            args.push('--file', options.file);
             await new Promise((resolve, reject) => {
                 const proc = spawn(cockroach, args, {
                     stdio: 'inherit',
@@ -887,14 +952,11 @@ export class CockroachDBEngine extends BaseEngine {
         }
         else if (options.sql) {
             // Run inline SQL via stdin
-            const args = [
-                'sql',
-                '--insecure',
-                '--host',
-                `127.0.0.1:${port}`,
-                '--database',
-                db,
-            ];
+            const args = buildLocalCockroachSqlArgs({
+                containerName: name,
+                port,
+                database: db,
+            });
             await new Promise((resolve, reject) => {
                 const proc = spawn(cockroach, args, {
                     stdio: ['pipe', 'inherit', 'inherit'],
@@ -923,19 +985,27 @@ export class CockroachDBEngine extends BaseEngine {
      * Execute a SQL query and return structured results
      */
     async executeQuery(container, query, options) {
-        const { port, version } = container;
+        const { name, port, version } = container;
         const db = options?.database || container.database || 'defaultdb';
         const cockroach = await this.getCockroachPath(version);
         return new Promise((resolve, reject) => {
-            const args = ['sql'];
-            if (options?.password) {
-                const user = options.username || 'root';
-                const encodedPass = encodeURIComponent(options.password);
-                args.push('--url', `postgresql://${user}:${encodedPass}@127.0.0.1:${port}/${db}?sslmode=disable`);
-            }
-            else {
-                args.push('--insecure', '--host', `127.0.0.1:${port}`, '--database', db);
-            }
+            const args = options?.host
+                ? (() => {
+                    const username = options.username || 'root';
+                    const remoteUrl = new URL(`postgresql://${encodeURIComponent(username)}@${options.host}:${port}/${db}`);
+                    if (options.password) {
+                        remoteUrl.password = options.password;
+                    }
+                    remoteUrl.searchParams.set('sslmode', options.ssl === false ? 'disable' : 'require');
+                    return ['sql', '--url', remoteUrl.toString()];
+                })()
+                : buildLocalCockroachSqlArgs({
+                    containerName: name,
+                    port,
+                    database: db,
+                    username: options?.username,
+                    password: options?.password,
+                });
             args.push('--execute', query, '--format=csv');
             const proc = spawn(cockroach, args, {
                 stdio: ['ignore', 'pipe', 'pipe'],
@@ -967,18 +1037,14 @@ export class CockroachDBEngine extends BaseEngine {
      * List all user databases, excluding system databases (defaultdb, postgres, system).
      */
     async listDatabases(container) {
-        const { port, version } = container;
+        const { name, port, version } = container;
         const cockroach = await this.getCockroachPath(version);
         return new Promise((resolve, reject) => {
-            const args = [
-                'sql',
-                '--insecure',
-                '--host',
-                `127.0.0.1:${port}`,
-                '--execute',
-                `SHOW DATABASES`,
-                '--format=csv',
-            ];
+            const args = buildLocalCockroachSqlArgs({
+                containerName: name,
+                port,
+            });
+            args.push('--execute', `SHOW DATABASES`, '--format=csv');
             const proc = spawn(cockroach, args, {
                 stdio: ['ignore', 'pipe', 'pipe'],
             });
@@ -1010,18 +1076,32 @@ export class CockroachDBEngine extends BaseEngine {
     async createUser(container, options) {
         const { username, password, database } = options;
         assertValidUsername(username);
-        const { port, version } = container;
+        const { name, port, version } = container;
         const db = database || container.database || 'defaultdb';
         validateCockroachIdentifier(username, 'user');
         validateCockroachIdentifier(db, 'database');
         const escapedUser = escapeCockroachIdentifier(username);
         const escapedDb = escapeCockroachIdentifier(db);
         const cockroach = await this.getCockroachPath(version);
-        // CockroachDB in insecure mode doesn't support passwords.
-        // Create user without password and grant privileges.
-        // SQL is sent via stdin to avoid shell escaping issues with --execute.
-        const sql = `CREATE USER IF NOT EXISTS ${escapedUser}; GRANT ALL ON DATABASE ${escapedDb} TO ${escapedUser};`;
-        const args = ['sql', '--insecure', '--host', `127.0.0.1:${port}`];
+        // Local CockroachDB containers run with TLS enabled. Bootstrap admin commands
+        // authenticate as root via the generated client certificate, while end users
+        // connect with password-based auth over TLS.
+        const escapedPassword = password.replace(/'/g, "''");
+        const sql = [
+            `CREATE USER IF NOT EXISTS ${escapedUser}`,
+            `ALTER USER ${escapedUser} WITH PASSWORD '${escapedPassword}'`,
+            `GRANT ALL ON DATABASE ${escapedDb} TO ${escapedUser}`,
+            `GRANT ALL ON SCHEMA public TO ${escapedUser}`,
+            `GRANT ALL ON ALL TABLES IN SCHEMA public TO ${escapedUser}`,
+            `GRANT ALL ON ALL SEQUENCES IN SCHEMA public TO ${escapedUser}`,
+            `ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT ALL ON TABLES TO ${escapedUser}`,
+            `ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT ALL ON SEQUENCES TO ${escapedUser}`,
+        ].join('; ') + ';';
+        const args = buildLocalCockroachSqlArgs({
+            containerName: name,
+            port,
+            database: db,
+        });
         await new Promise((resolve, reject) => {
             const proc = spawn(cockroach, args, {
                 stdio: ['pipe', 'pipe', 'pipe'],
@@ -1042,12 +1122,15 @@ export class CockroachDBEngine extends BaseEngine {
             proc.stdin?.write(sql);
             proc.stdin?.end();
         });
-        // In insecure mode, connections don't use passwords
-        const connectionString = `postgresql://${encodeURIComponent(username)}@127.0.0.1:${port}/${db}?sslmode=disable`;
+        const connectionString = buildSecureCockroachConnectionString({
+            containerName: name,
+            port,
+            database: db,
+            username,
+            password,
+        });
         return {
             username,
-            // CockroachDB insecure mode does not enforce password authentication,
-            // but we return the caller-provided password for credential file consistency.
             password,
             connectionString,
             engine: container.engine,