UNPKG

pg-create-db

Version:

Database creation tool for PostgreSQL database server

github.com/EndyKaufman/pg-tools

EndyKaufman/pg-tools

353 lines (352 loc) 16.8 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
"use strict"; Object.defineProperty(exports, "__esModule", { value: true }); exports.CreateDatabaseService = void 0; const connection_string_1 = require("connection-string"); const log4js_1 = require("log4js"); const get_log_level_1 = require("../utils/get-log-level"); const replace_env_1 = require("../utils/replace-env"); class CreateDatabaseService { constructor(dryRun) { this.dryRun = dryRun; this.logger = (0, log4js_1.getLogger)('create-database'); this.logger.level = (0, get_log_level_1.getLogLevel)(); this.logger.info(`dryRun: ${dryRun}`); } loadPackages() { if (!this.Client) { // eslint-disable-next-line @typescript-eslint/no-var-requires this.Client = require('pg').Client; } if (!this.pgp) { // eslint-disable-next-line @typescript-eslint/no-var-requires this.pgp = require('pg-promise'); } } async createDatabase({ rootDatabaseUrl, appDatabaseUrl, forceChangeUsername, forceChangePassword, dropAppDatabase, extensions, }) { rootDatabaseUrl = (0, replace_env_1.replaceEnv)(rootDatabaseUrl); appDatabaseUrl = (0, replace_env_1.replaceEnv)(appDatabaseUrl); this.loadPackages(); await this.checkSuperuserName(rootDatabaseUrl); if (dropAppDatabase) { await this.dropAppDatabaseHandler(rootDatabaseUrl, appDatabaseUrl); } if (forceChangeUsername) { await this.forceChangeUsername(rootDatabaseUrl, appDatabaseUrl); } await this.createAppDatabaseHandler(rootDatabaseUrl, appDatabaseUrl, extensions, forceChangePassword); await this.closeRootDbConnection(); } async dropAppDatabaseHandler(rootDatabaseUrl, appDatabaseUrl) { this.logger.info('Start drop database...'); const rootDatabase = this.parseDatabaseUrl(rootDatabaseUrl); const appDatabase = this.parseDatabaseUrl(appDatabaseUrl); this.logger.debug('Root database:', rootDatabase.DATABASE); this.logger.debug('App database:', appDatabase.DATABASE); const db = this.getRootDbConnection({ username: rootDatabase.USERNAME, password: rootDatabase.PASSWORD, port: rootDatabase.PORT, host: (rootDatabase.HOST || '').split(':')[0], database: rootDatabase.DATABASE, }); if (appDatabase.USERNAME !== rootDatabase.USERNAME) { try { if (this.dryRun) { this.logger.info(`DROP DATABASE "${appDatabase.DATABASE}"`); } else { this.logger.debug(`DROP DATABASE "${appDatabase.DATABASE}"`); await db.none(`DROP DATABASE "${appDatabase.DATABASE}"`, []); } // eslint-disable-next-line @typescript-eslint/no-explicit-any } catch (err) { if (!String(err).includes('already exists')) { this.logger.error(err, err.stack); throw err; } } } else { this.logger.error(`Application database user and root database user must be different`); } this.logger.info('End of drop database...'); } async createAppDatabaseHandler(rootDatabaseUrl, appDatabaseUrl, extensions, forceChangePassword) { this.logger.info('Start create database...'); const rootDatabase = this.parseDatabaseUrl(rootDatabaseUrl); const appDatabase = this.parseDatabaseUrl(appDatabaseUrl); this.logger.debug('Root database:', rootDatabase.DATABASE); this.logger.debug('App database:', appDatabase.DATABASE); const db = this.getRootDbConnection({ username: rootDatabase.USERNAME, password: rootDatabase.PASSWORD, port: rootDatabase.PORT, host: (rootDatabase.HOST || '').split(':')[0], database: rootDatabase.DATABASE, }); try { if (appDatabase.USERNAME !== rootDatabase.USERNAME) { try { if (this.dryRun) { this.logger.info(`CREATE DATABASE ${appDatabase.DATABASE}`); } else { this.logger.debug(`CREATE DATABASE ${appDatabase.DATABASE}`); await db.none('CREATE DATABASE $1:name', [appDatabase.DATABASE]); } // eslint-disable-next-line @typescript-eslint/no-explicit-any } catch (err) { if (!String(err).includes('already exists')) { this.logger.error(err, err.stack); throw err; } else { if (forceChangePassword) { await this.forceChangePassword(rootDatabaseUrl, appDatabaseUrl); } } } await this.applyPermissionsHandler(rootDatabaseUrl, appDatabaseUrl); const updateDatabaseQuery = extensions .map((extension) => `CREATE EXTENSION IF NOT EXISTS "${extension}"`) .filter(Boolean) .map((sql) => `${sql};` || `DO $$ BEGIN ${sql}; EXCEPTION WHEN others THEN null; END $$;`); const pgAppConfig = { user: appDatabase.USERNAME, host: (rootDatabase.HOST || '').split(':')[0], password: appDatabase.PASSWORD, port: rootDatabase.PORT, database: appDatabase.DATABASE, idleTimeoutMillis: 30000, }; const appClient = new this.Client(pgAppConfig); await appClient.connect(); for (const query of updateDatabaseQuery) { try { if (this.dryRun) { this.logger.info(query); } else { this.logger.debug(query); await appClient.query(query); } // eslint-disable-next-line @typescript-eslint/no-explicit-any } catch (err) { if (!String(err).includes('already exists')) { this.logger.debug(query); this.logger.error(err, err.stack); throw err; } } } await appClient.end(); } else { this.logger.error(`Application database user and root database user must be different`); } // eslint-disable-next-line @typescript-eslint/no-explicit-any } catch (err) { if (!String(err).includes('already exists')) { this.logger.error(err, err.stack); throw err; } } this.logger.info('End of create database...'); } async forceChangePassword(rootDatabaseUrl, appDatabaseUrl) { const rootDatabase = this.parseDatabaseUrl(rootDatabaseUrl); const appDatabase = this.parseDatabaseUrl(appDatabaseUrl); const db = this.getRootDbConnection({ username: rootDatabase.USERNAME, password: rootDatabase.PASSWORD, port: rootDatabase.PORT, host: (rootDatabase.HOST || '').split(':')[0], database: rootDatabase.DATABASE, }); this.logger.debug(`ALTERING PASSWORD OF ${appDatabase.USERNAME} to '********'`); await db.none(`ALTER USER $1:name WITH PASSWORD '${appDatabase.PASSWORD}'`, [appDatabase.USERNAME]); } async checkSuperuserName(rootDatabaseUrl) { const rootDatabase = this.parseDatabaseUrl(rootDatabaseUrl); if (rootDatabase.USERNAME !== 'postgres') { throw Error(`The username for the root database must always be "postgres", otherwise the user will not receive "super" rights, current username "${rootDatabase.USERNAME}"`); } } async forceChangeUsername(rootDatabaseUrl, appDatabaseUrl) { const rootDatabase = this.parseDatabaseUrl(rootDatabaseUrl); const appDatabase = this.parseDatabaseUrl(appDatabaseUrl); this.logger.info('Start updating username...'); const db = this.getRootDbConnection({ username: rootDatabase.USERNAME, password: rootDatabase.PASSWORD, port: rootDatabase.PORT, host: (rootDatabase.HOST || '').split(':')[0], database: rootDatabase.DATABASE, }); try { // Get a list of users const users = await db.any(` select d.datname, (select string_agg(u.usename, ',' order by u.usename) from pg_user u where has_database_privilege(u.usename, d.datname, 'CREATE')) as allowed_users from pg_database d order by d.datname`); const curDb = users.find(({ datname }) => datname === appDatabase.DATABASE); if (!curDb) { throw new Error(`"${appDatabase.DATABASE}" does not exist! force change username was not applied`); } const nonRootUsers = curDb.allowed_users.split(',').filter((user) => user !== rootDatabase.USERNAME); // Verify that there is only one non-root user if (nonRootUsers.length === 1) { if (nonRootUsers[0] === appDatabase.USERNAME) { return; } if (this.dryRun) { this.logger.info(`ALTER USER '${nonRootUsers[0]}':name RENAME TO '${appDatabase.USERNAME}':name`); this.logger.info(`ALTER USER '${appDatabase.USERNAME}':name WITH PASSWORD '********'`); } else { await db.none(`ALTER USER $1:name RENAME TO $2:name`, [nonRootUsers[0], appDatabase.USERNAME]); await db.none(`ALTER USER $1:name WITH PASSWORD '${appDatabase.PASSWORD}'`, [appDatabase.USERNAME]); this.logger.info('Username have been updated...'); } } else { this.logger.error('There are multiple non-root users in the database: ', nonRootUsers); throw new Error('Cannot update credentials: multiple non-root users exist'); } } catch (error) { if (!String(error).includes('does not exist')) { throw error; } } } getRootDbConnection(rootDatabase) { if (!this.rootDatabaseConnection) { this.rootDatabaseConnection = this.pgp({})({ user: rootDatabase.username, password: rootDatabase.password, port: rootDatabase.port, host: (rootDatabase.host || '').split(':')[0], database: rootDatabase.database, }); } return this.rootDatabaseConnection; } async closeRootDbConnection() { await this.rootDatabaseConnection.$pool.end(); this.rootDatabaseConnection = null; } async applyPermissionsHandler(rootDatabaseUrl, appDatabaseUrl) { this.logger.info('Start apply permissions...'); this.logger.debug('Root database url:', rootDatabaseUrl); this.logger.debug('App database url:', appDatabaseUrl); const rootDatabase = this.parseDatabaseUrl(rootDatabaseUrl); const appDatabase = this.parseDatabaseUrl(appDatabaseUrl); const createDatabaseQuery = [ appDatabase.USERNAME !== rootDatabase.USERNAME && `CREATE USER "${appDatabase.USERNAME}" WITH PASSWORD '${appDatabase.PASSWORD}'`, appDatabase.USERNAME !== rootDatabase.USERNAME && `grant connect on database "${appDatabase.DATABASE}" to "${appDatabase.USERNAME}"`, appDatabase.USERNAME !== rootDatabase.USERNAME && `grant all on schema public to "${appDatabase.USERNAME}"`, appDatabase.USERNAME !== rootDatabase.USERNAME && `GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA public TO "${appDatabase.USERNAME}"`, `GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO "${appDatabase.USERNAME}"`, `GRANT ALL PRIVILEGES ON ALL SEQUENCES IN SCHEMA public TO "${appDatabase.USERNAME}"`, `GRANT ALL PRIVILEGES ON ALL FUNCTIONS IN SCHEMA public TO "${appDatabase.USERNAME}"`, `GRANT delete, insert, references, select, trigger, truncate, update ON ALL TABLES IN SCHEMA public TO "${appDatabase.USERNAME}"`, `GRANT select, update, usage ON ALL SEQUENCES IN SCHEMA public TO "${appDatabase.USERNAME}"`, `GRANT EXECUTE ON ALL FUNCTIONS IN SCHEMA public TO "${appDatabase.USERNAME}"`, `ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT ALL ON TABLES TO "${appDatabase.USERNAME}"`, `ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT ALL ON SEQUENCES TO "${appDatabase.USERNAME}"`, `ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT ALL ON FUNCTIONS TO "${appDatabase.USERNAME}"`, `ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT delete, insert, references, select, trigger, truncate, update ON TABLES TO "${appDatabase.USERNAME}"`, `ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT select, update, usage ON SEQUENCES TO "${appDatabase.USERNAME}"`, `ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT EXECUTE ON FUNCTIONS TO "${appDatabase.USERNAME}"`, `GRANT ALL PRIVILEGES ON DATABASE "${appDatabase.DATABASE}" TO "${appDatabase.USERNAME}"`, appDatabase.USERNAME !== rootDatabase.USERNAME && `GRANT ALL PRIVILEGES ON DATABASE "${appDatabase.DATABASE}" TO ${rootDatabase.USERNAME}`, appDatabase.USERNAME !== rootDatabase.USERNAME && `ALTER USER "${appDatabase.USERNAME}" WITH LOGIN CREATEROLE NOCREATEDB NOSUPERUSER INHERIT`, appDatabase.USERNAME !== rootDatabase.USERNAME && `DO $$ BEGIN DECLARE t record; BEGIN FOR t IN (select 'GRANT ALL ON TABLE ' || schemaname || '."' || tablename || '" to "${appDatabase.USERNAME}"' query from pg_tables where schemaname in ('public') order by schemaname, tablename) LOOP EXECUTE format('%s', t.query); END LOOP; END; END $$`, ] .filter(Boolean) .map((sql) => `${sql};` /* || `DO $$ BEGIN ${sql}; EXCEPTION WHEN others THEN null; END $$;`*/); const pgConfig = { user: rootDatabase.USERNAME, host: (rootDatabase.HOST || '').split(':')[0], password: rootDatabase.PASSWORD, port: rootDatabase.PORT, database: appDatabase.DATABASE, idleTimeoutMillis: 30000, }; const client = new this.Client(pgConfig); await client.connect(); for (const query of createDatabaseQuery) { try { if (this.dryRun) { this.logger.info(query.replace(appDatabase.PASSWORD || '', '********')); } else { this.logger.debug(query.replace(appDatabase.PASSWORD || '', '********')); await client.query(query); } // eslint-disable-next-line @typescript-eslint/no-explicit-any } catch (err) { if (!String(err).includes('already exists')) { this.logger.debug(query); this.logger.error(err, err.stack); throw err; } } } await client.end(); this.logger.info('End of apply permissions...'); } parseDatabaseUrl(databaseUrl) { try { const cs = new connection_string_1.ConnectionString(databaseUrl); const USERNAME = cs.user; const PASSWORD = cs.password; const PORT = cs.port; const HOST = cs.hosts && cs.hosts[0].toString(); const DATABASE = cs.path && cs.path[0]; const SCHEMA = cs.params && cs.params['schema']; const SCHEMAS = cs.params && cs.params['schemas']; return { USERNAME, PASSWORD, HOST, DATABASE, SCHEMA, SCHEMAS, PORT }; } catch (err) { this.logger.debug({ databaseUrl }); throw err; } } } exports.CreateDatabaseService = CreateDatabaseService;