datasette-apps 0.1a0__py3-none-any.whl

datasette_apps/__init__.py

@@ -0,0 +1,108 @@
+from datasette import hookimpl
+from datasette.jump import JumpSQL
+
+from .permissions import app_permission_sql, register_app_actions
+from .registry import Registry
+from .views import (
+    app_json,
+    app_query,
+    app_revision,
+    apps_index,
+    create_app,
+    delete_app,
+    edit_app,
+    launch_app,
+    pin_app,
+    top_homepage_html,
+    unpin_app,
+    view_app,
+)
+
+__all__ = ["Registry"]
+
+
+@hookimpl
+def register_routes():
+    return [
+        (r"^/-/apps$", apps_index),
+        (r"^/-/apps/create$", create_app),
+        (r"^/-/apps/(?P<id>[^/]+)\.json$", app_json),
+        (r"^/-/apps/(?P<id>[^/]+)/revisions/(?P<version>\d+)$", app_revision),
+        (r"^/-/apps/(?P<id>[^/]+)/edit$", edit_app),
+        (r"^/-/apps/(?P<id>[^/]+)/delete$", delete_app),
+        (r"^/-/apps/(?P<id>[^/]+)/pin$", pin_app),
+        (r"^/-/apps/(?P<id>[^/]+)/unpin$", unpin_app),
+        (r"^/-/apps/(?P<id>[^/]+)/launch$", launch_app),
+        (r"^/-/apps/(?P<id>[^/]+)/query$", app_query),
+        (r"^/-/apps/(?P<id>[^/]+)$", view_app),
+    ]
+
+
+@hookimpl
+def register_actions(datasette):
+    return register_app_actions()
+
+
+@hookimpl
+def permission_resources_sql(datasette, actor, action):
+    return app_permission_sql(actor, action)
+
+
+@hookimpl
+def jump_items_sql(datasette, actor, request):
+    async def inner():
+        app_sql, app_params = await datasette.allowed_resources_sql(
+            action="view-app", actor=actor
+        )
+        return JumpSQL(
+            sql=f"""
+            WITH allowed_apps AS (
+                {app_sql}
+            )
+            SELECT
+                'app' AS type,
+                apps.name AS label,
+                apps.description AS description,
+                json_object(
+                    'method', 'path',
+                    'path', CASE
+                        WHEN apps.external = 1
+                        THEN '/-/apps/' || apps.id || '/launch'
+                        ELSE apps.path
+                    END
+                ) AS url,
+                'app' || apps.name || ' ' || apps.description || ' ' ||
+                    apps.id || ' ' || apps.source AS search_text,
+                NULL AS display_name
+            FROM apps
+            JOIN allowed_apps
+                ON allowed_apps.parent = 'apps'
+               AND allowed_apps.child = apps.id
+            WHERE apps.deleted_at IS NULL
+            """,
+            params=app_params,
+        )
+
+    return inner
+
+
+@hookimpl
+async def startup(datasette):
+    await Registry(datasette).ensure_tables()
+
+
+@hookimpl
+def top_homepage(datasette, request):
+    return top_homepage_html(datasette, request)
+
+
+@hookimpl
+def extra_css_urls():
+    return ["/-/static-plugins/datasette-apps/datasette-apps.css"]
+
+
+@hookimpl
+def menu_links(datasette, actor, request):
+    if not actor:
+        return []
+    return [{"href": datasette.urls.path("/-/apps"), "label": "Apps"}]

datasette_apps/csp.py

@@ -0,0 +1,72 @@
+from __future__ import annotations
+
+import ipaddress
+import os
+from urllib.parse import urlsplit
+
+BASE_DIRECTIVES = [
+    "default-src 'none'",
+    "script-src 'unsafe-inline'",
+    "style-src 'unsafe-inline'",
+]
+
+APP_VIEW_PARENT_CSP = "frame-src 'none';"
+
+
+def _is_localhost(hostname):
+    if not hostname:
+        return False
+    hostname = hostname.lower()
+    if hostname == "localhost" or hostname.endswith(".localhost"):
+        return True
+    try:
+        return ipaddress.ip_address(hostname).is_loopback
+    except ValueError:
+        return False
+
+
+def normalize_connect_origin(origin):
+    parsed = urlsplit((origin or "").strip())
+    allow_insecure_test_origins = os.environ.get(
+        "DATASETTE_APPS_ALLOW_INSECURE_TEST_CSP_ORIGINS"
+    )
+    if parsed.scheme != "https" and not allow_insecure_test_origins:
+        raise ValueError("Only https:// origins are allowed")
+    if parsed.scheme not in {"http", "https"}:
+        raise ValueError("Only http:// and https:// origins are allowed")
+    if not parsed.hostname:
+        raise ValueError("Origin must include a host")
+    if parsed.username or parsed.password:
+        raise ValueError("Origin must not include username or password")
+    if parsed.query or parsed.fragment:
+        raise ValueError("Origin must not include query string or fragment")
+    if parsed.path and parsed.path != "/":
+        raise ValueError("Origin must not include a path")
+    hostname = parsed.hostname.lower()
+    if "*" in hostname:
+        raise ValueError("Wildcard hosts are not allowed")
+    if _is_localhost(hostname) and not allow_insecure_test_origins:
+        raise ValueError("Localhost origins are not allowed")
+
+    # Accessing .port validates the port and raises ValueError if malformed.
+    port = parsed.port
+    if ":" in hostname:
+        netloc = f"[{hostname}]"
+    else:
+        netloc = hostname
+    if port is not None:
+        netloc = f"{netloc}:{port}"
+    return f"{parsed.scheme}://{netloc}"
+
+
+def build_csp(connect_origins):
+    origins = [normalize_connect_origin(origin) for origin in connect_origins]
+    directives = [*BASE_DIRECTIVES]
+    if origins:
+        element_sources = ["'unsafe-inline'", *origins]
+        directives.append(f"script-src-elem {' '.join(element_sources)}")
+        directives.append(f"style-src-elem {' '.join(element_sources)}")
+    directives.append(f"img-src {' '.join(['data:', 'blob:', *origins])}")
+    if origins:
+        directives.append(f"connect-src {' '.join(origins)}")
+    return "; ".join(directives) + ";"

datasette_apps/data_access.py

@@ -0,0 +1,109 @@
+from __future__ import annotations
+
+from urllib.parse import urlencode
+
+from datasette.utils import tilde_encode
+
+from .registry import Registry
+
+
+class AppQueryError(Exception):
+    pass
+
+
+async def run_app_query(datasette, app, actor, database_name, sql, params=None):
+    allowed_databases = await Registry(datasette).get_sql_databases(app["id"])
+    if database_name not in allowed_databases:
+        raise AppQueryError("This app is not allowed to query that database")
+
+    if params is not None and not isinstance(params, dict):
+        raise AppQueryError("Query parameters must be an object of named values")
+
+    query_args = {
+        "sql": sql,
+        "_shape": "objects",
+        "_extra": "columns",
+    }
+    for key, value in (params or {}).items():
+        query_args[key] = "" if value is None else value
+
+    try:
+        database_path = datasette.urls.database(database_name)
+    except KeyError as e:
+        raise AppQueryError("Database not found") from e
+    path = f"{database_path}/-/query.json?" + urlencode(query_args, doseq=True)
+    response = await datasette.client.get(path, actor=actor)
+    try:
+        data = response.json()
+    except ValueError as e:
+        if response.status_code in (401, 403):
+            raise AppQueryError("Permission denied by Datasette") from e
+        raise AppQueryError("Query failed") from e
+    if response.status_code != 200 or not data.get("ok"):
+        raise AppQueryError(data.get("error") or "Query failed")
+    return {
+        "columns": data.get("columns") or [],
+        "rows": data.get("rows") or [],
+    }
+
+
+async def run_app_stored_query(
+    datasette, app, actor, database_name, query_name, params=None
+):
+    allowed_queries = await Registry(datasette).get_stored_queries(app["id"])
+    if f"{database_name}/{query_name}" not in allowed_queries:
+        raise AppQueryError("This app is not allowed to run that stored query")
+
+    if params is not None and not isinstance(params, dict):
+        raise AppQueryError("Query parameters must be an object of named values")
+
+    stored_query = await datasette.get_query(database_name, query_name)
+    if stored_query is None:
+        raise AppQueryError("Stored query not found")
+
+    try:
+        database_path = datasette.urls.database(database_name)
+    except KeyError as e:
+        raise AppQueryError("Database not found") from e
+
+    query_path = f"{database_path}/{tilde_encode(query_name)}"
+    if stored_query.is_write:
+        response = await datasette.client.post(
+            query_path + "?_json=1",
+            actor=actor,
+            json={
+                key: "" if value is None else value
+                for key, value in (params or {}).items()
+            },
+        )
+        return _json_response_or_error(response)
+
+    query_args = {
+        "_shape": "objects",
+        "_extra": "columns",
+    }
+    for key, value in (params or {}).items():
+        query_args[key] = "" if value is None else value
+    response = await datasette.client.get(
+        f"{query_path}.json?" + urlencode(query_args, doseq=True),
+        actor=actor,
+    )
+    data = _json_response_or_error(response)
+    return {
+        "columns": data.get("columns") or [],
+        "rows": data.get("rows") or [],
+    }
+
+
+def _json_response_or_error(response):
+    try:
+        data = response.json()
+    except ValueError as e:
+        if response.status_code in (401, 403):
+            raise AppQueryError("Permission denied by Datasette") from e
+        raise AppQueryError("Stored query failed") from e
+    if response.status_code != 200 or data.get("ok") is False:
+        raise AppQueryError(
+            data.get("error") or data.get("message") or "Stored query failed"
+        )
+    return data

datasette_apps/db.py

@@ -0,0 +1,357 @@
+from __future__ import annotations
+
+SCHEMA = """
+CREATE TABLE IF NOT EXISTS apps (
+    id TEXT PRIMARY KEY,
+    external INTEGER NOT NULL DEFAULT 0,
+    name TEXT NOT NULL,
+    description TEXT NOT NULL DEFAULT '',
+    path TEXT NOT NULL,
+    source TEXT NOT NULL DEFAULT '',
+    metadata TEXT NOT NULL DEFAULT '{}',
+    actor_id TEXT,
+    is_private INTEGER NOT NULL DEFAULT 1,
+    stored_queries TEXT NOT NULL DEFAULT '[]',
+    current_version INTEGER,
+    deleted_at TEXT,
+    deleted_actor_id TEXT,
+    created_at TEXT NOT NULL,
+    updated_at TEXT NOT NULL,
+    CHECK (external IN (0, 1)),
+    CHECK (is_private IN (0, 1))
+);
+
+CREATE TABLE IF NOT EXISTS app_revisions (
+    app_id TEXT NOT NULL REFERENCES apps(id),
+    version INTEGER NOT NULL,
+    actor_id TEXT,
+    name TEXT,
+    description TEXT,
+    html TEXT,
+    is_private INTEGER,
+    sql_databases TEXT,
+    stored_queries TEXT,
+    csp_origins TEXT,
+    changed_fields TEXT NOT NULL DEFAULT '[]',
+    created_at TEXT NOT NULL,
+    PRIMARY KEY (app_id, version),
+    CHECK (is_private IN (0, 1) OR is_private IS NULL)
+);
+
+CREATE INDEX IF NOT EXISTS idx_apps_updated ON apps(updated_at DESC, id);
+CREATE INDEX IF NOT EXISTS idx_apps_external_updated ON apps(external, updated_at DESC, id);
+CREATE INDEX IF NOT EXISTS idx_apps_source ON apps(source);
+
+CREATE VIRTUAL TABLE IF NOT EXISTS apps_fts
+USING fts5(name, description, source, content='apps', content_rowid='rowid');
+
+CREATE TRIGGER IF NOT EXISTS apps_ai AFTER INSERT ON apps BEGIN
+    INSERT INTO apps_fts(rowid, name, description, source)
+    VALUES (new.rowid, new.name, new.description, new.source);
+END;
+
+CREATE TRIGGER IF NOT EXISTS apps_ad AFTER DELETE ON apps BEGIN
+    INSERT INTO apps_fts(apps_fts, rowid, name, description, source)
+    VALUES ('delete', old.rowid, old.name, old.description, old.source);
+END;
+
+CREATE TRIGGER IF NOT EXISTS apps_au AFTER UPDATE ON apps BEGIN
+    INSERT INTO apps_fts(apps_fts, rowid, name, description, source)
+    VALUES ('delete', old.rowid, old.name, old.description, old.source);
+    INSERT INTO apps_fts(rowid, name, description, source)
+    VALUES (new.rowid, new.name, new.description, new.source);
+END;
+
+CREATE TABLE IF NOT EXISTS app_access (
+    id INTEGER PRIMARY KEY,
+    app_id TEXT REFERENCES apps(id),
+    action TEXT NOT NULL,
+    subject_type TEXT NOT NULL,
+    subject_id TEXT,
+    allow INTEGER NOT NULL DEFAULT 1,
+    created_at TEXT NOT NULL,
+    updated_at TEXT NOT NULL,
+    CHECK (subject_type IN ('authenticated')),
+    CHECK (allow IN (0, 1))
+);
+
+CREATE INDEX IF NOT EXISTS idx_app_access_lookup
+    ON app_access(action, app_id, subject_type, subject_id);
+
+CREATE TABLE IF NOT EXISTS app_sql_databases (
+    app_id TEXT NOT NULL REFERENCES apps(id),
+    database_name TEXT NOT NULL,
+    created_at TEXT NOT NULL,
+    updated_at TEXT NOT NULL,
+    PRIMARY KEY (app_id, database_name)
+);
+
+CREATE INDEX IF NOT EXISTS idx_app_sql_databases_app
+    ON app_sql_databases(app_id, database_name);
+
+CREATE TABLE IF NOT EXISTS app_csp_origins (
+    id INTEGER PRIMARY KEY,
+    app_id TEXT NOT NULL REFERENCES apps(id),
+    directive TEXT NOT NULL DEFAULT 'connect-src',
+    origin TEXT NOT NULL,
+    created_at TEXT NOT NULL,
+    updated_at TEXT NOT NULL,
+    CHECK (directive IN ('connect-src')),
+    UNIQUE (app_id, directive, origin)
+);
+
+CREATE INDEX IF NOT EXISTS idx_app_csp_origins_app
+    ON app_csp_origins(app_id, directive);
+
+CREATE TABLE IF NOT EXISTS app_user_state (
+    actor_id TEXT NOT NULL,
+    app_id TEXT NOT NULL REFERENCES apps(id),
+    last_accessed_at TEXT,
+    pinned_at TEXT,
+    access_count INTEGER NOT NULL DEFAULT 0,
+    PRIMARY KEY (actor_id, app_id)
+);
+
+CREATE INDEX IF NOT EXISTS idx_app_user_state_actor_pinned
+    ON app_user_state(actor_id, pinned_at DESC, last_accessed_at DESC, app_id);
+
+CREATE INDEX IF NOT EXISTS idx_app_user_state_actor_recent
+    ON app_user_state(actor_id, last_accessed_at DESC, app_id);
+"""
+
+
+async def ensure_tables(datasette):
+    internal_db = datasette.get_internal_database()
+
+    def create_schema(conn):
+        existing_tables = {
+            row[0]
+            for row in conn.execute(
+                "SELECT name FROM sqlite_master WHERE type = 'table'"
+            )
+        }
+        if "apps" in existing_tables:
+            app_columns = {row[1] for row in conn.execute("PRAGMA table_info(apps)")}
+            if "is_private" not in app_columns:
+                conn.execute(
+                    "ALTER TABLE apps ADD COLUMN is_private INTEGER NOT NULL DEFAULT 1"
+                )
+                conn.execute("UPDATE apps SET is_private = 0 WHERE external = 1")
+                if "app_access" in existing_tables:
+                    conn.execute("""
+                        UPDATE apps
+                        SET is_private = 0
+                        WHERE id IN (
+                            SELECT app_id
+                            FROM app_access
+                            WHERE action = 'view-app'
+                              AND subject_type = 'authenticated'
+                              AND allow = 1
+                        )
+                        """)
+            if "stored_queries" not in app_columns:
+                conn.execute(
+                    "ALTER TABLE apps ADD COLUMN stored_queries TEXT NOT NULL DEFAULT '[]'"
+                )
+            if "deleted_at" not in app_columns:
+                conn.execute("ALTER TABLE apps ADD COLUMN deleted_at TEXT")
+            if "deleted_actor_id" not in app_columns:
+                conn.execute("ALTER TABLE apps ADD COLUMN deleted_actor_id TEXT")
+        if "apps" in existing_tables:
+            conn.execute("""
+                CREATE TABLE IF NOT EXISTS app_sql_databases (
+                    app_id TEXT NOT NULL REFERENCES apps(id),
+                    database_name TEXT NOT NULL,
+                    created_at TEXT NOT NULL,
+                    updated_at TEXT NOT NULL,
+                    PRIMARY KEY (app_id, database_name)
+                )
+                """)
+            conn.execute("""
+                CREATE TABLE IF NOT EXISTS app_csp_origins (
+                    id INTEGER PRIMARY KEY,
+                    app_id TEXT NOT NULL REFERENCES apps(id),
+                    directive TEXT NOT NULL DEFAULT 'connect-src',
+                    origin TEXT NOT NULL,
+                    created_at TEXT NOT NULL,
+                    updated_at TEXT NOT NULL,
+                    CHECK (directive IN ('connect-src')),
+                    UNIQUE (app_id, directive, origin)
+                )
+                """)
+            conn.execute("""
+                CREATE TABLE IF NOT EXISTS app_revisions (
+                    app_id TEXT NOT NULL REFERENCES apps(id),
+                    version INTEGER NOT NULL,
+                    actor_id TEXT,
+                    name TEXT,
+                    description TEXT,
+                    html TEXT,
+                    is_private INTEGER,
+                    sql_databases TEXT,
+                    stored_queries TEXT,
+                    csp_origins TEXT,
+                    changed_fields TEXT NOT NULL DEFAULT '[]',
+                    created_at TEXT NOT NULL,
+                    PRIMARY KEY (app_id, version),
+                    CHECK (is_private IN (0, 1) OR is_private IS NULL)
+                )
+                """)
+            revision_columns = {
+                row[1] for row in conn.execute("PRAGMA table_info(app_revisions)")
+            }
+            if "stored_queries" not in revision_columns:
+                conn.execute("ALTER TABLE app_revisions ADD COLUMN stored_queries TEXT")
+        if "apps" in existing_tables and "app_versions" in existing_tables:
+            conn.execute("""
+                INSERT INTO app_revisions (
+                    app_id, version, actor_id, name, description, html,
+                    is_private, sql_databases, stored_queries, csp_origins,
+                    changed_fields, created_at
+                )
+                SELECT
+                    apps.id,
+                    1,
+                    apps.actor_id,
+                    apps.name,
+                    apps.description,
+                    COALESCE(
+                        (
+                            SELECT app_versions.html
+                            FROM app_versions
+                            WHERE app_versions.app_id = apps.id
+                              AND app_versions.version = apps.current_version
+                            LIMIT 1
+                        ),
+                        (
+                            SELECT app_versions.html
+                            FROM app_versions
+                            WHERE app_versions.app_id = apps.id
+                            ORDER BY app_versions.version DESC
+                            LIMIT 1
+                        ),
+                        ''
+                    ),
+                    apps.is_private,
+                    COALESCE(
+                        (
+                            SELECT json_group_array(database_name)
+                            FROM (
+                                SELECT database_name
+                                FROM app_sql_databases
+                                WHERE app_sql_databases.app_id = apps.id
+                                ORDER BY database_name
+                            )
+                        ),
+                        '[]'
+                    ),
+                    apps.stored_queries,
+                    COALESCE(
+                        (
+                            SELECT json_group_array(origin)
+                            FROM (
+                                SELECT origin
+                                FROM app_csp_origins
+                                WHERE app_csp_origins.app_id = apps.id
+                                  AND directive = 'connect-src'
+                                ORDER BY origin
+                            )
+                        ),
+                        '[]'
+                    ),
+                    '["name", "description", "html", "is_private", "sql_databases", "stored_queries", "csp_origins"]',
+                    apps.updated_at
+                FROM apps
+                WHERE apps.external = 0
+                  AND NOT EXISTS (
+                      SELECT 1
+                      FROM app_revisions
+                      WHERE app_revisions.app_id = apps.id
+                  )
+                """)
+            conn.execute("""
+                UPDATE app_revisions
+                SET html = (
+                    SELECT app_versions.html
+                    FROM app_versions
+                    WHERE app_versions.app_id = app_revisions.app_id
+                    ORDER BY app_versions.version DESC
+                    LIMIT 1
+                )
+                WHERE version = 1
+                  AND (html IS NULL OR html = '')
+                  AND EXISTS (
+                      SELECT 1
+                      FROM app_versions
+                      WHERE app_versions.app_id = app_revisions.app_id
+                        AND app_versions.html != ''
+                  )
+                """)
+            conn.execute("UPDATE apps SET current_version = 1 WHERE external = 0")
+        if "apps" in existing_tables:
+            conn.execute("""
+            INSERT INTO app_revisions (
+                app_id, version, actor_id, name, description, html,
+                is_private, sql_databases, stored_queries, csp_origins,
+                changed_fields, created_at
+            )
+            SELECT
+                apps.id,
+                1,
+                apps.actor_id,
+                apps.name,
+                apps.description,
+                '',
+                apps.is_private,
+                COALESCE(
+                    (
+                        SELECT json_group_array(database_name)
+                        FROM (
+                            SELECT database_name
+                            FROM app_sql_databases
+                            WHERE app_sql_databases.app_id = apps.id
+                            ORDER BY database_name
+                        )
+                    ),
+                    '[]'
+                ),
+                apps.stored_queries,
+                COALESCE(
+                    (
+                        SELECT json_group_array(origin)
+                        FROM (
+                            SELECT origin
+                            FROM app_csp_origins
+                            WHERE app_csp_origins.app_id = apps.id
+                              AND directive = 'connect-src'
+                            ORDER BY origin
+                        )
+                    ),
+                    '[]'
+                ),
+                '["name", "description", "html", "is_private", "sql_databases", "stored_queries", "csp_origins"]',
+                apps.updated_at
+            FROM apps
+            WHERE apps.external = 0
+              AND NOT EXISTS (
+                  SELECT 1
+                  FROM app_revisions
+                  WHERE app_revisions.app_id = apps.id
+              )
+            """)
+            conn.execute("""
+            UPDATE apps
+            SET current_version = 1
+            WHERE external = 0
+              AND current_version IS NOT NULL
+              AND NOT EXISTS (
+                  SELECT 1
+                  FROM app_revisions
+                  WHERE app_revisions.app_id = apps.id
+                    AND app_revisions.version = apps.current_version
+              )
+            """)
+        conn.execute("DROP TABLE IF EXISTS app_versions")
+        conn.executescript(SCHEMA)
+
+    await internal_db.execute_write_fn(create_schema)

datasette_apps/ids.py

@@ -0,0 +1,33 @@
+from __future__ import annotations
+
+import secrets
+import threading
+import time
+
+_ENCODING = "0123456789abcdefghjkmnpqrstvwxyz"
+_LOCK = threading.Lock()
+_LAST_MS = -1
+_LAST_RANDOM = 0
+
+
+def _encode(value, length):
+    chars = []
+    for _ in range(length):
+        chars.append(_ENCODING[value & 31])
+        value >>= 5
+    return "".join(reversed(chars))
+
+
+def monotonic_ulid():
+    global _LAST_MS, _LAST_RANDOM
+
+    now_ms = time.time_ns() // 1_000_000
+    with _LOCK:
+        if now_ms == _LAST_MS:
+            _LAST_RANDOM += 1
+            if _LAST_RANDOM >= (1 << 80):
+                raise OverflowError("ULID randomness overflow")
+        else:
+            _LAST_MS = now_ms
+            _LAST_RANDOM = secrets.randbits(80)
+        return _encode(now_ms, 10) + _encode(_LAST_RANDOM, 16)