cybertec-postgresql · pashagolub · Aug 8, 2023 · Jun 22, 2023 · Jun 22, 2023 · Jun 22, 2023
diff --git a/build-docker-demo.sh b/build-docker-demo.sh
diff --git a/docker/bootstrap/1_create_role_db.sql b/docker/bootstrap/1_create_role_db.sql
@@ -0,0 +1,9 @@
+CREATE ROLE pgwatch3 WITH 
+    IN ROLE pg_monitor
+    LOGIN PASSWORD 'pgwatch3admin';  -- change the pw for production
+
+CREATE DATABASE pgwatch3 OWNER pgwatch3;
+
+CREATE DATABASE pgwatch3_grafana OWNER pgwatch3;
+
+CREATE DATABASE pgwatch3_metrics OWNER pgwatch3;
diff --git a/docker/bootstrap/2_init_pgwatch_db.sh b/docker/bootstrap/2_init_pgwatch_db.sh
@@ -0,0 +1,26 @@
+#!/bin/bash
+
+psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --dbname "pgwatch3" <<-EOSQL
+    CREATE EXTENSION pg_qualstats;
+    CREATE EXTENSION plpython3u;
+EOSQL
+
+psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --dbname "pgwatch3" \
+    -f /pgwatch3/metrics/00_helpers/get_load_average/9.1/metric.sql \
+    -f /pgwatch3/metrics/00_helpers/get_stat_statements/9.4/metric.sql \
+    -f /pgwatch3/metrics/00_helpers/get_stat_activity/9.2/metric.sql \
+    -f /pgwatch3/metrics/00_helpers/get_stat_replication/9.2/metric.sql \
+    -f /pgwatch3/metrics/00_helpers/get_table_bloat_approx/9.5/metric.sql \
+    -f /pgwatch3/metrics/00_helpers/get_table_bloat_approx_sql/12/metric.sql \
+    -f /pgwatch3/metrics/00_helpers/get_wal_size/10/metric.sql \
+    -f /pgwatch3/metrics/00_helpers/get_psutil_cpu/9.1/metric.sql \
+    -f /pgwatch3/metrics/00_helpers/get_psutil_mem/9.1/metric.sql \
+    -f /pgwatch3/metrics/00_helpers/get_psutil_disk/9.1/metric.sql \
+    -f /pgwatch3/metrics/00_helpers/get_psutil_disk_io_total/9.1/metric.sql
+
+
+if [ "$PW3_PG_SCHEMA_TYPE" == "timescale" ] ; then
+    psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --dbname "pgwatch3_metrics" <<-EOSQL
+        CREATE EXTENSION timescaledb;
+EOSQL
+fi
diff --git a/docker/daemon/Dockerfile b/docker/daemon/Dockerfile
@@ -0,0 +1,38 @@
+# ----------------------------------------------------------------
+# 1. Build Web UI
+# ----------------------------------------------------------------
+FROM node:19 AS uibuilder
+ADD src/webui /webui
+RUN cd webui && yarn install --network-timeout 100000 && yarn build
+
+# ----------------------------------------------------------------
+# 2. Build gatherer
+# ----------------------------------------------------------------
+FROM golang:1.20 as builder
+ARG GIT_HASH
+ARG GIT_TIME
+ENV GIT_HASH=${GIT_HASH}
+ENV GIT_TIME=${GIT_TIME}
+
+ADD src /pgwatch3
+COPY --from=uibuilder /webui/build /pgwatch3/webui/build
+RUN cd /pgwatch3 && bash build_gatherer.sh
+
+# ----------------------------------------------------------------
+# 3. Build the final image
+# ----------------------------------------------------------------
+FROM alpine
+
+# Copy over the compiled gatherer
+COPY --from=builder /pgwatch3/pgwatch3 /pgwatch3/
+COPY src/metrics /pgwatch3/metrics
+
+# Admin UI for configuring servers to be monitored
+EXPOSE 8080
+# Gatherer healthcheck port / metric statistics (JSON)
+EXPOSE 8081
+# Prometheus metrics scraping port
+EXPOSE 9187
+
+# Command to run the executable
+ENTRYPOINT ["/pgwatch3/pgwatch3"]
diff --git a/docker/demo/grafana.ini b/docker/demo/grafana.ini
@@ -21,8 +21,11 @@ org_name = Main Org.
 # Role for unauthenticated users, other valid values are `Editor` and `Admin`
 org_role = Editor
 
+<<<<<<<< HEAD:grafana/grafana_custom_config.ini
+========
 [dashboards]
 default_home_dashboard_path = /var/lib/grafana/dashboards/1-global-db-overview.json
+>>>>>>>> master:docker/demo/grafana.ini
 
 [metrics]
 enabled = false
diff --git a/docker/demo/supervisord.conf b/docker/demo/supervisord.conf
@@ -25,7 +25,11 @@ stdout_logfile_maxbytes=0
 
 [program:postgres]
 command=/usr/local/bin/docker-entrypoint.sh postgres -c config_file=/etc/postgresql/postgresql.conf
+<<<<<<<< HEAD:docker/supervisord.conf
+startsecs=0
+========
 startsecs=5
+>>>>>>>> master:docker/demo/supervisord.conf
 priority=100
 stopsignal=INT
 autostart=false
@@ -48,5 +52,20 @@ user=grafana
 startsecs=5
 priority=500
 autostart=false
+<<<<<<<< HEAD:docker/supervisord.conf
+autorestart=false
+redirect_stderr=true
+
+[program:grafana_dashboard_setup]
+command=/pgwatch3/bootstrap/set_up_grafana_dashboards.sh
+priority=600
+autorestart=false
+startsecs=0
+autostart=false
+redirect_stderr=true
+stdout_logfile=/dev/fd/1
+stdout_logfile_maxbytes=0
+========
 autorestart=true
-redirect_stderr=true
+redirect_stderr=true
+>>>>>>>> master:docker/demo/supervisord.conf
diff --git a/src/config/cmdparser.go b/src/config/cmdparser.go
@@ -58,8 +58,8 @@ type StartOpts struct {
 // WebUIOpts specifies the internal web UI server options
 type WebUIOpts struct {
 	WebAddr     string `long:"web-addr" mapstructure:"web-addr" description:"TCP address in the form 'host:port' to listen on" default:":8080" env:"PW3_WEBADDR"`
-	WebUser     string `long:"web-user" mapstructure:"web-user" description:"Admin login" env:"PW3_WEBUSER"`
-	WebPassword string `long:"web-password" mapstructure:"web-password" description:"Admin password" env:"PW3_WEBPASSWORD"`
+	WebUser     string `long:"web-user" mapstructure:"web-user" description:"Admin login" env:"PW3_WEBUSER" default:"pgwatch3"`
+	WebPassword string `long:"web-password" mapstructure:"web-password" description:"Admin password" env:"PW3_WEBPASSWORD" default:"pgwatch3admin"`
 }
 
 type CmdOptions struct {

diff --git a/src/go.mod b/src/go.mod
@@ -4,6 +4,7 @@ go 1.20
 
 require (
 	github.com/coreos/go-systemd v0.0.0-20191104093116-d3cd4ed1dbcf
+	github.com/golang-jwt/jwt v3.2.2+incompatible
 	github.com/gorilla/websocket v1.5.0
 	github.com/hashicorp/consul/api v1.24.0
 	github.com/jackc/pgx/v5 v5.4.3

diff --git a/src/go.sum b/src/go.sum
@@ -106,6 +106,8 @@ github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5x
 github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=
 github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
 github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
+github.com/golang-jwt/jwt v3.2.2+incompatible h1:IfV12K8xAKAnZqdXVzCZ+TOjboZ2keLg81eXfW3O+oY=
+github.com/golang-jwt/jwt v3.2.2+incompatible/go.mod h1:8pz2t5EyA70fFQQSrl6XZXzqecmYZeUEB8OUGHkxJ+I=
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
 github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
 github.com/golang/groupcache v0.0.0-20191227052852-215e87163ea7/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=

diff --git a/src/webserver/jwt.go b/src/webserver/jwt.go
@@ -0,0 +1,108 @@
+package webserver
+
+import (
+	"encoding/json"
+	"errors"
+	"fmt"
+	"net/http"
+	"time"
+
+	"github.com/golang-jwt/jwt"
+)
+
+type loginReq struct {
+	Username string `json:"user"`
+	Password string `json:"password"`
+}
+
+func (Server *WebUIServer) IsCorrectPassword(lr loginReq) bool {
+	return Server.WebUser == lr.Username && Server.WebPassword == lr.Password
+}
+
+func (Server *WebUIServer) handleLogin(w http.ResponseWriter, r *http.Request) {
+	var (
+		err   error
+		lr     loginReq
+		token string
+	)
+
+	defer func() {
+		if err != nil {
+			http.Error(w, err.Error(), http.StatusInternalServerError)
+		}
+	}()
+
+	switch r.Method {
+	case "POST":
+		if err = json.NewDecoder(r.Body).Decode(&lr); err != nil {
+			return
+		}
+		if !Server.IsCorrectPassword(lr) {
+			http.Error(w, "can not authenticate this user", http.StatusUnauthorized)
+			return
+		}
+		if token, err = generateJWT(lr.Username); err != nil {
+			return
+		}
+		_, err = w.Write([]byte(token))
+
+	case "GET":
+		fmt.Fprintf(w, "only POST methods is allowed.")
+		return
+	}
+}
+
+type EnsureAuth struct {
+	handler http.HandlerFunc
+}
+
+func (ea *EnsureAuth) ServeHTTP(w http.ResponseWriter, r *http.Request) {
+	if err := validateToken(r); err != nil {
+		http.Error(w, err.Error(), http.StatusUnauthorized)
+		return
+	}
+	ea.handler(w, r)
+}
+
+func NewEnsureAuth(handlerToWrap http.HandlerFunc) *EnsureAuth {
+	return &EnsureAuth{handlerToWrap}
+}
+
+var sampleSecretKey = []byte("5m3R7K4754p4m")
+
+func generateJWT(username string) (string, error) {
+	token := jwt.New(jwt.SigningMethodHS256)
+	claims := token.Claims.(jwt.MapClaims)
+
+	claims["authorized"] = true
+	claims["username"] = username
+	claims["exp"] = time.Now().Add(time.Hour * 8).Unix()
+
+	return token.SignedString(sampleSecretKey)
+}
+
+func validateToken(r *http.Request) (err error) {
+	if r.Header["Token"] == nil {
+		return errors.New("can not find token in header")
+	}
+	token, err := jwt.Parse(r.Header["Token"][0], func(token *jwt.Token) (interface{}, error) {
+		if _, ok := token.Method.(*jwt.SigningMethodHMAC); !ok {
+			return nil, errors.New("there was an error in parsing")
+		}
+		return sampleSecretKey, nil
+	})
+	if err != nil {
+		return err
+	}
+	if token == nil {
+		return errors.New("invalid token")
+	}
+	claims, ok := token.Claims.(jwt.MapClaims)
+	if !ok {
+		return errors.New("cannot parse token claims")
+	}
+	if !claims.VerifyExpiresAt(time.Now().Local().Unix(), true) {
+		return errors.New("token expired")
+	}
+	return nil
+}
diff --git a/src/webserver/server.go b/src/webserver/server.go
@@ -39,11 +39,12 @@ func Init(opts config.WebUIOpts, webuifs fs.FS, api apiHandler, logger log.Logge
 		api,
 	}
 
-	mux.HandleFunc("/db", s.handleDBs)
-	mux.HandleFunc("/metric", s.handleMetrics)
-	mux.HandleFunc("/preset", s.handlePresets)
-	mux.HandleFunc("/stats", s.handleStats)
-	mux.HandleFunc("/log", s.serveWsLog)
+	mux.Handle("/db", NewEnsureAuth(s.handleDBs))
+	mux.Handle("/metric", NewEnsureAuth(s.handleMetrics))
+	mux.Handle("/preset", NewEnsureAuth(s.handlePresets))
+	mux.Handle("/stats", NewEnsureAuth(s.handleStats))
+	mux.Handle("/log", NewEnsureAuth(s.serveWsLog))
+	mux.HandleFunc("/login", s.handleLogin)
 	mux.HandleFunc("/", s.handleStatic)
 
 	go func() { panic(s.ListenAndServe()) }()

diff --git a/src/webui/src/App.tsx b/src/webui/src/App.tsx
@@ -4,27 +4,37 @@ import { Box, Toolbar } from "@mui/material";
 import CssBaseline from "@mui/material/CssBaseline";
 import { ThemeProvider, createTheme } from "@mui/material/styles";
 
-import { QueryClientProvider } from "@tanstack/react-query";
-import { queryClient } from "queryClient";
+import { QueryClientProvider } from "QueryClient";
 
 import { Route, Routes } from "react-router-dom";
+import { PrivateRoute } from "layout/PrivateRoute";
+import { privateRoutes, publicRoutes } from "layout/Routes";
 
+import { AlertComponent } from "layout/common/AlertComponent";
 import { AppBar } from "./layout/AppBar";
-import { routes } from "./layout/Routes";
 
 const mdTheme = createTheme();
 
 export default function App() {
-  const routesItems = useMemo(
+
+  const publicRoutesItems = useMemo(
+    () =>
+      publicRoutes.map((route) => (
+        <Route key={route.link} path={route.link} element={<route.element />} />
+      )),
+    []
+  );
+
+  const privateRoutesItems = useMemo(
     () =>
-      routes.map((route) => (
-        <Route key={route.link} path={route.link} element={route.element()} />
+      privateRoutes.map((route) => (
+        <Route key={route.link} path={route.link} element={<PrivateRoute><route.element /></PrivateRoute>} />
       )),
     []
   );
 
   return (
-    <QueryClientProvider client={queryClient}>
+    <QueryClientProvider>
       <ThemeProvider theme={mdTheme}>
         <Box sx={{ display: "flex" }}>
           <CssBaseline />
@@ -41,7 +51,11 @@ export default function App() {
             }}
           >
             <Toolbar />
-            <Routes>{routesItems}</Routes>
+            <Routes>
+              {publicRoutesItems}
+              {privateRoutesItems}
+            </Routes>
+            <AlertComponent />
           </Box>
         </Box>
       </ThemeProvider>

diff --git a/src/webui/src/QueryClient.tsx b/src/webui/src/QueryClient.tsx
@@ -0,0 +1,50 @@
+import { QueryClientProvider as ClientProvider, MutationCache, QueryCache, QueryClient } from "@tanstack/react-query";
+import axios from "axios";
+import { isUnauthorized } from "axiosInstance";
+import { useNavigate } from "react-router-dom";
+import { logout } from "queries/Auth";
+import { useAlert } from "utils/AlertContext";
+
+type Props = {
+  children: JSX.Element
+};
+
+export const QueryClientProvider = ({ children }: Props) => {
+  const { callAlert } = useAlert();
+  const navigate = useNavigate();
+
+  const queryClient = new QueryClient({
+    queryCache: new QueryCache({
+      onError: (error) => {
+        if (axios.isAxiosError(error)) {
+          if (isUnauthorized(error)) {
+            callAlert("error", `${error.response?.data}`);
+            logout(navigate);
+          }
+        }
+      }
+    }),
+    mutationCache: new MutationCache({
+      onSuccess: (_data, _variables, _context, mutation) => {
+        callAlert("success", "Success");
+        if (mutation.options.mutationKey) {
+          queryClient.invalidateQueries(mutation.options.mutationKey);
+        }
+      },
+      onError: (error) => {
+        if (axios.isAxiosError(error)) {
+          callAlert("error", `${error.response?.data}`);
+          if (isUnauthorized(error)) {
+            logout(navigate);
+          }
+        }
+      }
+    })
+  });
+
+  return (
+    <ClientProvider client={queryClient} contextSharing={true}>
+      {children}
+    </ClientProvider>
+  );
+};