data layer
This commit is contained in:
98
data-layer/api/internal/service/sql_service.go
Normal file
98
data-layer/api/internal/service/sql_service.go
Normal file
@@ -0,0 +1,98 @@
|
||||
package service
|
||||
|
||||
import (
|
||||
"context"
|
||||
"strings"
|
||||
"time"
|
||||
|
||||
"github.com/ClickHouse/clickhouse-go/v2/lib/driver"
|
||||
"go.uber.org/zap"
|
||||
|
||||
"github.com/dbiz/cdp/data-layer/api/internal/apperr"
|
||||
"github.com/dbiz/cdp/data-layer/api/internal/model"
|
||||
"github.com/dbiz/cdp/data-layer/api/internal/repo"
|
||||
)
|
||||
|
||||
// SQLService backs the Custom SQL sandbox. It applies two layers of guard:
|
||||
// 1. App-level: parse the statement, reject anything that is not a single
|
||||
// SELECT and anything containing DDL/DML keywords.
|
||||
// 2. DB-level: queries run against a SELECT-only ClickHouse account so the
|
||||
// server rejects writes even if app-level checks are bypassed.
|
||||
type SQLService struct {
|
||||
ch driver.Conn // read-only conn
|
||||
log *zap.Logger
|
||||
}
|
||||
|
||||
func NewSQLService(roConn driver.Conn, log *zap.Logger) *SQLService {
|
||||
return &SQLService{ch: roConn, log: log}
|
||||
}
|
||||
|
||||
var forbiddenKeywords = []string{
|
||||
"INSERT", "UPDATE", "DELETE", "DROP", "CREATE", "ALTER", "TRUNCATE",
|
||||
"GRANT", "REVOKE", "ATTACH", "DETACH", "OPTIMIZE", "RENAME", "EXCHANGE",
|
||||
}
|
||||
|
||||
// validateReadOnly rejects multi-statement input and obvious DDL/DML.
|
||||
func validateReadOnly(sql string) error {
|
||||
trimmed := strings.TrimSpace(sql)
|
||||
if trimmed == "" {
|
||||
return apperr.BadRequest("sql is empty", "sql", nil)
|
||||
}
|
||||
// Reject multiple statements -- the ClickHouse driver also rejects this,
|
||||
// but we want a friendly error before hitting the wire.
|
||||
if strings.Contains(strings.TrimRight(trimmed, ";"), ";") {
|
||||
return apperr.BadRequest("only a single statement is allowed", "sql", nil)
|
||||
}
|
||||
upper := strings.ToUpper(trimmed)
|
||||
if !strings.HasPrefix(upper, "SELECT") && !strings.HasPrefix(upper, "WITH") {
|
||||
return apperr.BadRequest("only SELECT statements are allowed", "sql", nil)
|
||||
}
|
||||
// Token-level keyword scan: \bKW\b to avoid false positives like "created_at".
|
||||
for _, kw := range forbiddenKeywords {
|
||||
if hasWord(upper, kw) {
|
||||
return apperr.BadRequest("statement contains forbidden keyword: "+kw, "sql", nil)
|
||||
}
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
func hasWord(s, word string) bool {
|
||||
for {
|
||||
idx := strings.Index(s, word)
|
||||
if idx < 0 {
|
||||
return false
|
||||
}
|
||||
left := idx == 0 || !isIdent(s[idx-1])
|
||||
right := idx+len(word) == len(s) || !isIdent(s[idx+len(word)])
|
||||
if left && right {
|
||||
return true
|
||||
}
|
||||
s = s[idx+len(word):]
|
||||
}
|
||||
}
|
||||
|
||||
func isIdent(c byte) bool {
|
||||
return c == '_' || (c >= '0' && c <= '9') || (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z')
|
||||
}
|
||||
|
||||
// Run executes the (validated) SQL against the read-only ClickHouse user.
|
||||
// Results are never cached -- queries are arbitrary.
|
||||
func (s *SQLService) Run(ctx context.Context, sql string) (*model.QueryResult, error) {
|
||||
if err := validateReadOnly(sql); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
start := time.Now()
|
||||
rows, err := s.ch.Query(ctx, sql)
|
||||
if err != nil {
|
||||
// ClickHouse syntax / permission errors are user-visible, not 500.
|
||||
return nil, apperr.BadRequest("clickhouse rejected query: "+err.Error(), "sql", err)
|
||||
}
|
||||
defer rows.Close()
|
||||
|
||||
res, err := repo.ScanRows(rows)
|
||||
if err != nil {
|
||||
return nil, apperr.Internal(err)
|
||||
}
|
||||
res.DurationMS = time.Since(start).Milliseconds()
|
||||
return res, nil
|
||||
}
|
||||
Reference in New Issue
Block a user