-
Notifications
You must be signed in to change notification settings - Fork 1.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add endpoint to create postgres credentials #5767
Changes from all commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,21 @@ | ||
import { MigrationInterface, QueryRunner } from 'typeorm'; | ||
|
||
export class AddPostgresCredentials1717751631669 implements MigrationInterface { | ||
name = 'AddPostgresCredentials1717751631669'; | ||
|
||
public async up(queryRunner: QueryRunner): Promise<void> { | ||
await queryRunner.query( | ||
`CREATE TABLE "core"."postgresCredentials" ("id" uuid NOT NULL DEFAULT uuid_generate_v4(), "user" character varying NOT NULL, "passwordHash" character varying NOT NULL, "createdAt" TIMESTAMP WITH TIME ZONE NOT NULL DEFAULT now(), "updatedAt" TIMESTAMP WITH TIME ZONE NOT NULL DEFAULT now(), "deletedAt" TIMESTAMP WITH TIME ZONE, "workspaceId" uuid NOT NULL, CONSTRAINT "PK_3f9c4cdf895bfea0a6ea15bdd81" PRIMARY KEY ("id"))`, | ||
); | ||
await queryRunner.query( | ||
`ALTER TABLE "core"."postgresCredentials" ADD CONSTRAINT "FK_9494639abc06f9c8c3691bf5d22" FOREIGN KEY ("workspaceId") REFERENCES "core"."workspace"("id") ON DELETE CASCADE ON UPDATE NO ACTION`, | ||
); | ||
} | ||
|
||
public async down(queryRunner: QueryRunner): Promise<void> { | ||
await queryRunner.query( | ||
`ALTER TABLE "core"."postgresCredentials" DROP CONSTRAINT "FK_9494639abc06f9c8c3691bf5d22"`, | ||
); | ||
await queryRunner.query(`DROP TABLE "core"."postgresCredentials"`); | ||
} | ||
} |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,20 @@ | ||
import { ObjectType, Field } from '@nestjs/graphql'; | ||
|
||
import { IDField } from '@ptc-org/nestjs-query-graphql'; | ||
|
||
import { UUIDScalarType } from 'src/engine/api/graphql/workspace-schema-builder/graphql-types/scalars'; | ||
|
||
@ObjectType('PostgresCredentials') | ||
export class PostgresCredentialsDTO { | ||
@IDField(() => UUIDScalarType) | ||
id: string; | ||
|
||
@Field() | ||
user: string; | ||
|
||
@Field() | ||
password: string; | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Consider encrypting the password field to enhance security. |
||
|
||
@Field() | ||
workspaceId: string; | ||
FelixMalfait marked this conversation as resolved.
Show resolved
Hide resolved
|
||
} |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,40 @@ | ||
import { | ||
Entity, | ||
Column, | ||
PrimaryGeneratedColumn, | ||
CreateDateColumn, | ||
UpdateDateColumn, | ||
ManyToOne, | ||
Relation, | ||
} from 'typeorm'; | ||
|
||
import { Workspace } from 'src/engine/core-modules/workspace/workspace.entity'; | ||
|
||
@Entity({ name: 'postgresCredentials', schema: 'core' }) | ||
export class PostgresCredentials { | ||
@PrimaryGeneratedColumn('uuid') | ||
id: string; | ||
|
||
@Column({ nullable: false }) | ||
user: string; | ||
|
||
@Column({ nullable: false }) | ||
passwordHash: string; | ||
|
||
@CreateDateColumn({ type: 'timestamptz' }) | ||
createdAt: Date; | ||
|
||
@UpdateDateColumn({ type: 'timestamptz' }) | ||
updatedAt: Date; | ||
|
||
@Column({ nullable: true, type: 'timestamptz' }) | ||
deletedAt: Date; | ||
|
||
@ManyToOne(() => Workspace, (workspace) => workspace.allPostgresCredentials, { | ||
onDelete: 'CASCADE', | ||
}) | ||
workspace: Relation<Workspace>; | ||
Comment on lines
+33
to
+36
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Verify that cascading delete on workspace is intended and won't lead to unintended data loss. |
||
|
||
@Column({ nullable: false, type: 'uuid' }) | ||
workspaceId: string; | ||
Comment on lines
+38
to
+39
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Consider removing workspaceId if it's redundant due to the ManyToOne relation. |
||
} |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,20 @@ | ||
import { Module } from '@nestjs/common'; | ||
import { TypeOrmModule } from '@nestjs/typeorm'; | ||
|
||
import { PostgresCredentials } from 'src/engine/core-modules/postgres-credentials/postgres-credentials.entity'; | ||
import { PostgresCredentialsResolver } from 'src/engine/core-modules/postgres-credentials/postgres-credentials.resolver'; | ||
import { PostgresCredentialsService } from 'src/engine/core-modules/postgres-credentials/postgres-credentials.service'; | ||
import { EnvironmentModule } from 'src/engine/integrations/environment/environment.module'; | ||
|
||
@Module({ | ||
imports: [ | ||
TypeOrmModule.forFeature([PostgresCredentials], 'core'), | ||
EnvironmentModule, | ||
], | ||
providers: [ | ||
PostgresCredentialsResolver, | ||
PostgresCredentialsService, | ||
PostgresCredentials, | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Providing the entity class here is unnecessary. Only resolvers and services should be in the providers array. |
||
], | ||
}) | ||
export class PostgresCredentialsModule {} |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,35 @@ | ||
import { UseGuards } from '@nestjs/common'; | ||
import { Resolver, Mutation, Query } from '@nestjs/graphql'; | ||
|
||
import { PostgresCredentialsDTO } from 'src/engine/core-modules/postgres-credentials/dtos/postgres-credentials.dto'; | ||
import { PostgresCredentialsService } from 'src/engine/core-modules/postgres-credentials/postgres-credentials.service'; | ||
import { Workspace } from 'src/engine/core-modules/workspace/workspace.entity'; | ||
import { AuthWorkspace } from 'src/engine/decorators/auth/auth-workspace.decorator'; | ||
import { JwtAuthGuard } from 'src/engine/guards/jwt.auth.guard'; | ||
|
||
@Resolver(() => PostgresCredentialsDTO) | ||
export class PostgresCredentialsResolver { | ||
constructor( | ||
private readonly postgresCredentialsService: PostgresCredentialsService, | ||
) {} | ||
|
||
@UseGuards(JwtAuthGuard) | ||
@Mutation(() => PostgresCredentialsDTO) | ||
async enablePostgresProxy(@AuthWorkspace() { id: workspaceId }: Workspace) { | ||
return this.postgresCredentialsService.enablePostgresProxy(workspaceId); | ||
Comment on lines
+18
to
+19
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Ensure |
||
} | ||
|
||
@UseGuards(JwtAuthGuard) | ||
@Mutation(() => PostgresCredentialsDTO) | ||
async disablePostgresProxy(@AuthWorkspace() { id: workspaceId }: Workspace) { | ||
return this.postgresCredentialsService.disablePostgresProxy(workspaceId); | ||
Comment on lines
+24
to
+25
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Ensure |
||
} | ||
|
||
@UseGuards(JwtAuthGuard) | ||
@Query(() => PostgresCredentialsDTO, { nullable: true }) | ||
async getPostgresCredentials( | ||
@AuthWorkspace() { id: workspaceId }: Workspace, | ||
) { | ||
return this.postgresCredentialsService.getPostgresCredentials(workspaceId); | ||
Comment on lines
+30
to
+33
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Consider adding error handling for |
||
} | ||
} |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,117 @@ | ||
import { InjectRepository } from '@nestjs/typeorm'; | ||
import { BadRequestException } from '@nestjs/common'; | ||
|
||
import { randomBytes } from 'crypto'; | ||
|
||
import { Repository } from 'typeorm'; | ||
|
||
import { | ||
decryptText, | ||
encryptText, | ||
} from 'src/engine/core-modules/auth/auth.util'; | ||
import { EnvironmentService } from 'src/engine/integrations/environment/environment.service'; | ||
import { PostgresCredentials } from 'src/engine/core-modules/postgres-credentials/postgres-credentials.entity'; | ||
import { NotFoundError } from 'src/engine/utils/graphql-errors.util'; | ||
import { PostgresCredentialsDTO } from 'src/engine/core-modules/postgres-credentials/dtos/postgres-credentials.dto'; | ||
|
||
export class PostgresCredentialsService { | ||
constructor( | ||
@InjectRepository(PostgresCredentials, 'core') | ||
private readonly postgresCredentialsRepository: Repository<PostgresCredentials>, | ||
private readonly environmentService: EnvironmentService, | ||
) {} | ||
|
||
async enablePostgresProxy( | ||
workspaceId: string, | ||
): Promise<PostgresCredentialsDTO> { | ||
const user = `user_${randomBytes(4).toString('hex')}`; | ||
const password = randomBytes(16).toString('hex'); | ||
|
||
const key = this.environmentService.get('LOGIN_TOKEN_SECRET'); | ||
const passwordHash = encryptText(password, key); | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Handle the case where 'LOGIN_TOKEN_SECRET' is not set or is invalid to avoid potential runtime errors. |
||
|
||
const existingCredentials = | ||
await this.postgresCredentialsRepository.findOne({ | ||
where: { | ||
workspaceId, | ||
}, | ||
}); | ||
|
||
if (existingCredentials) { | ||
throw new BadRequestException( | ||
'Postgres credentials already exist for this workspace', | ||
); | ||
} | ||
|
||
const postgresCredentials = await this.postgresCredentialsRepository.create( | ||
{ | ||
user, | ||
passwordHash, | ||
workspaceId, | ||
}, | ||
); | ||
|
||
await this.postgresCredentialsRepository.save(postgresCredentials); | ||
|
||
return { | ||
id: postgresCredentials.id, | ||
user, | ||
password, | ||
workspaceId, | ||
}; | ||
} | ||
|
||
async disablePostgresProxy( | ||
workspaceId: string, | ||
): Promise<PostgresCredentialsDTO> { | ||
const postgresCredentials = | ||
await this.postgresCredentialsRepository.findOne({ | ||
where: { | ||
workspaceId, | ||
}, | ||
}); | ||
|
||
if (!postgresCredentials?.id) { | ||
throw new NotFoundError( | ||
'No valid Postgres credentials not found for this workspace', | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Typo in error message: 'No valid Postgres credentials not found' should be 'No valid Postgres credentials found'. |
||
); | ||
} | ||
|
||
await this.postgresCredentialsRepository.delete({ | ||
id: postgresCredentials.id, | ||
}); | ||
|
||
const key = this.environmentService.get('LOGIN_TOKEN_SECRET'); | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Handle the case where 'LOGIN_TOKEN_SECRET' is not set or is invalid to avoid potential runtime errors. |
||
|
||
return { | ||
id: postgresCredentials.id, | ||
user: postgresCredentials.user, | ||
password: decryptText(postgresCredentials.passwordHash, key), | ||
workspaceId: postgresCredentials.workspaceId, | ||
}; | ||
} | ||
|
||
async getPostgresCredentials( | ||
workspaceId: string, | ||
): Promise<PostgresCredentialsDTO | null> { | ||
const postgresCredentials = | ||
await this.postgresCredentialsRepository.findOne({ | ||
where: { | ||
workspaceId, | ||
}, | ||
}); | ||
|
||
if (!postgresCredentials) { | ||
return null; | ||
} | ||
|
||
const key = this.environmentService.get('LOGIN_TOKEN_SECRET'); | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Handle the case where 'LOGIN_TOKEN_SECRET' is not set or is invalid to avoid potential runtime errors. |
||
|
||
return { | ||
id: postgresCredentials.id, | ||
user: postgresCredentials.user, | ||
password: decryptText(postgresCredentials.passwordHash, key), | ||
workspaceId: postgresCredentials.workspaceId, | ||
}; | ||
} | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Consider encrypting the 'passwordHash' column to enhance security.