nodedb 0.0.0-beta.1

Local-first, real-time, edge-to-cloud hybrid database for multi-modal workloads
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145

//! Emergency & incident response DDL commands.
//!
//! ```sql
//! EMERGENCY LOCKDOWN REASON 'security incident'
//! EMERGENCY UNLOCK
//! BLACKLIST AUTH USERS WHERE email LIKE '%@compromised.com' WITH KILL SESSIONS
//! ```

use pgwire::api::results::{Response, Tag};
use pgwire::error::PgWireResult;

use crate::control::security::identity::AuthenticatedIdentity;
use crate::control::state::SharedState;

use super::super::types::sqlstate_error;

/// EMERGENCY LOCKDOWN REASON '...'
pub fn emergency_lockdown(
    state: &SharedState,
    identity: &AuthenticatedIdentity,
    parts: &[&str],
) -> PgWireResult<Vec<Response>> {
    if !identity.is_superuser {
        return Err(sqlstate_error(
            "42501",
            "permission denied: requires superuser",
        ));
    }

    // Check two-party authorization if configured.
    if state.emergency.requires_two_party("EMERGENCY LOCKDOWN")
        && state
            .emergency
            .submit_two_party_approval("EMERGENCY LOCKDOWN", &identity.username)
    {
        return Err(sqlstate_error(
            "42000",
            "two-party authorization required: waiting for second admin approval",
        ));
    }

    let reason = parts
        .iter()
        .position(|p| p.to_uppercase() == "REASON")
        .map(|i| parts[i + 1..].join(" ").trim_matches('\'').to_string())
        .unwrap_or_else(|| "no reason provided".into());

    state.emergency.lockdown(&reason);

    state.audit_record(
        crate::control::security::audit::AuditEvent::AdminAction,
        Some(identity.tenant_id),
        &identity.username,
        &format!("EMERGENCY LOCKDOWN: {reason}"),
    );

    Ok(vec![Response::Execution(Tag::new("EMERGENCY LOCKDOWN"))])
}

/// EMERGENCY UNLOCK
pub fn emergency_unlock(
    state: &SharedState,
    identity: &AuthenticatedIdentity,
    _parts: &[&str],
) -> PgWireResult<Vec<Response>> {
    if !identity.is_superuser {
        return Err(sqlstate_error(
            "42501",
            "permission denied: requires superuser",
        ));
    }

    state.emergency.unlock();

    state.audit_record(
        crate::control::security::audit::AuditEvent::AdminAction,
        Some(identity.tenant_id),
        &identity.username,
        "EMERGENCY UNLOCK",
    );

    Ok(vec![Response::Execution(Tag::new("EMERGENCY UNLOCK"))])
}

/// BLACKLIST AUTH USERS WHERE email LIKE '%@compromised.com' [WITH KILL SESSIONS]
pub fn bulk_blacklist(
    state: &SharedState,
    identity: &AuthenticatedIdentity,
    parts: &[&str],
) -> PgWireResult<Vec<Response>> {
    if !identity.is_superuser {
        return Err(sqlstate_error(
            "42501",
            "permission denied: requires superuser",
        ));
    }

    // Parse: BLACKLIST AUTH USERS WHERE email LIKE '<pattern>' [WITH KILL SESSIONS]
    let like_idx = parts
        .iter()
        .position(|p| p.to_uppercase() == "LIKE")
        .ok_or_else(|| sqlstate_error("42601", "missing LIKE clause"))?;
    let pattern = parts
        .get(like_idx + 1)
        .map(|s| s.trim_matches('\''))
        .unwrap_or("");

    let kill_sessions = parts.iter().any(|p| p.to_uppercase() == "KILL");

    // Find matching auth users.
    let all_users = state.auth_users.list(false);
    let mut blacklisted_count = 0u32;
    let mut killed_count = 0usize;

    for user in &all_users {
        let matches = crate::bridge::scan_filter::sql_like_match(&user.email, pattern, false)
            || crate::bridge::scan_filter::sql_like_match(&user.username, pattern, false);
        if matches {
            let _ = state.blacklist.blacklist_user(
                &user.id,
                &format!("bulk blacklist: pattern '{pattern}'"),
                &identity.username,
                0, // Permanent.
            );
            blacklisted_count += 1;

            if kill_sessions {
                killed_count += state.session_registry.kill_sessions_for_user(&user.id);
            }
        }
    }

    state.audit_record(
        crate::control::security::audit::AuditEvent::AdminAction,
        Some(identity.tenant_id),
        &identity.username,
        &format!(
            "bulk blacklist: pattern '{pattern}', {blacklisted_count} users, {killed_count} sessions killed"
        ),
    );

    Ok(vec![Response::Execution(Tag::new(&format!(
        "BLACKLIST {blacklisted_count}"
    )))])
}