Automatic generation of PostgREST configuration

.gitignore

@@ -3,3 +3,4 @@ __pycache__
 /static
 .env
 gargantext.ini
+postgrest.conf

tools/postgrest.conf → tools/conf/postgrest.template.conf

-db-uri = "postgres://authenticator:CHANGEME@127.0.0.1:5432/gargandb"
+db-uri = "{DB_URI}"
 db-schema = "api"
 db-anon-role = "anon"
 db-pool = 10
@@ -11,7 +11,7 @@ server-port = 3000
 
 ## choose a secret to enable JWT auth
 ## (use "@filename" to load from separate file)
-jwt-secret = "Mw/q=efK3ai7}?}?!D68}a2.j}G5;1]ceI;OV1l=N^(-mH+%l="
+jwt-secret = "{SECRET_KEY}"
 # secret-is-base64 = false
 
 ## limit rows in response

tools/mkconf.sh

 #!/usr/bin/env bash
 
+query () {
+    PGPASSWORD="$2" psql -w -d "$DB_NAME" -U "$1" -h "$DB_HOST" -p "$DB_PORT" \
+                         -c "$3" 1>/dev/null 2>&1
+}
+
+escape_ini () {
+    echo -n "$1" | sed -e 's/[/&\]/\\&/g'
+}
+
+# Adapted from https://gist.github.com/cdown/1163649
+escape_url () {
+    local _LC_COLLATE=$LC_COLLATE
+    LC_COLLATE=C
+
+    local length="${#1}"
+    for (( i = 0; i < length; i++ )); do
+        local c="${1:i:1}"
+        case $c in
+            [a-zA-Z0-9.~_-]) printf "$c" ;;
+            *) printf '%%%02X' "'$c" ;;
+        esac
+    done
+
+    LC_COLLATE=$_LC_COLLATE
+}
+
 USAGE="Usage: $0 [-h|--help] [-f|--force] [dev|prod]"
 while :; do
     case $1 in
@@ -17,8 +43,12 @@ TARGET="${1:-dev}"
 # Gargantext configuration file path
 [ -z "$GARGANTEXT_CONF" ] && GARGANTEXT_CONF=gargantext.ini
 
-# Configuration template path
-TEMPLATE=tools/conf/gargantext.template.ini
+# PostgREST configuration file path
+[ -z "$POSTGREST_CONF" ] && POSTGREST_CONF=postgrest.conf
+
+# Configuration template paths
+GARGANTEXT_TEMPLATE=tools/conf/gargantext.template.ini
+POSTGREST_TEMPLATE=tools/conf/postgrest.template.conf
 
 # Check for configuration file existence
 if [ -f "$GARGANTEXT_CONF" -a -z "$FORCE" ]; then
@@ -38,10 +68,10 @@ fi
 # Setup DEBUG mode for dev target
 [ "$TARGET" = "prod" ] && DEBUG=False || DEBUG=True
 
-echo "Generate secret key for Django..."
-SECRET_KEY=$(python ./tools/gensecret.py)
+echo "▸ Generate secret key for Django..."
+SECRET_KEY=$(pipenv run python ./tools/gensecret.py 2>/dev/null)
 
-echo "PostgreSQL configuration..."
+echo "▸ PostgreSQL configuration..."
 
 DB_NAME_DEFAULT=gargandb
 DB_USER_DEFAULT=gargantua
@@ -58,27 +88,43 @@ while :; do
     read -s -p "Please provide the password for $DB_USER: " DB_PASS && echo
 
     echo "Check database access..."
-    if ! sudo -u postgres PGPASSWORD="$DB_PASS" psql -wq -d "$DB_NAME" \
-                    -U "$DB_USER" -h 127.0.0.1 -c "" 1>/dev/null 2>&1; then
-        read -p "Can't connect to database, give up? (Y/n) " GIVE_UP
-        [ -z "$GIVE_UP" -o "${GIVE_UP,,}" = "y" ] && break
-    else
+    if query "$DB_USER" "$DB_PASS" ""; then
+        DB_ACCESS=true
         echo "Access granted!"
         break
+    else
+        DB_ACCESS=false
+        read -p "Can't connect to database, give up? (Y/n) " GIVE_UP
+        [ -z "$GIVE_UP" -o "${GIVE_UP,,}" = "y" ] && break
     fi
 done
 
-escape_ini () {
-    echo -n "$1" | sed -e 's/[/&\]/\\&/g'
-}
+echo "▸ PostgresREST configuration..."
+
+PGREST_USER=authenticator
+PGREST_PASS=CHANGEME
+
+if $DB_ACCESS && query "$PGREST_USER" "$PGREST_PASS" ""; then
+    read -p "You should change password for database user $PGREST_USER, auto-generate a new one? (Y/n) " PGREST_CHANGE
+    # Generate a password with letters and digits between 12 and 20 chars
+    PGREST_PASS=$(pipenv run python ./tools/gensecret.py LD 12 20 2>/dev/null)
+    if [ "${PGREST_CHANGE,,}" = "y" ]; then
+        query "$DB_USER" "$DB_PASS" "ALTER ROLE $PGREST_USER PASSWORD '$PGREST_PASS'"
+    fi
+fi
+
+PGREST_DB_URI="postgres://"$(escape_url "$PGREST_USER")":"$(escape_url "$PGREST_PASS")"@"$(escape_url "$DB_HOST")":"$(escape_url "$DB_PORT")"/"$(escape_url "$DB_NAME")
 
 # Escape variables
 SECRET_KEY=$(escape_ini "$SECRET_KEY")
+DB_HOST=$(escape_ini "${DB_HOST:-127.0.0.1}")
+DB_PORT=$(escape_ini "${DB_PORT:-5432}")
 DB_NAME=$(escape_ini "$DB_NAME")
 DB_USER=$(escape_ini "$DB_USER")
 DB_PASS=$(escape_ini "$DB_PASS")
+PGREST_DB_URI=$(escape_ini "$PGREST_DB_URI")
 
-echo "Generate configuration file from $TEMPLATE..."
+echo "▸ Generate configuration file from $GARGANTEXT_TEMPLATE..."
 sed -E -e "s/[{]DEBUG[}]/$DEBUG/g" \
        -e "s/[{]SECRET_KEY[}]/$SECRET_KEY/g" \
        -e "s/[{]DB_HOST[}]/$DB_HOST/g" \
@@ -86,11 +132,22 @@ sed -E -e "s/[{]DEBUG[}]/$DEBUG/g" \
        -e "s/[{]DB_NAME[}]/$DB_NAME/g" \
        -e "s/[{]DB_USER[}]/$DB_USER/g" \
        -e "s/[{]DB_PASS[}]/$DB_PASS/g" \
-       "$TEMPLATE" > "$GARGANTEXT_CONF" \
+       "$GARGANTEXT_TEMPLATE" > "$GARGANTEXT_CONF" \
     && echo "Configuration for $TARGET environment written successfully in" \
             "$GARGANTEXT_CONF."
 
+echo "▸ Generate configuration file for PostgREST from $POSTGREST_TEMPLATE..."
+sed -E -e "s/[{]DB_URI[}]/$PGREST_DB_URI/g" \
+       -e "s/[{]SECRET_KEY[}]/$SECRET_KEY/g" \
+       "$POSTGREST_TEMPLATE" > "$POSTGREST_CONF" \
+    && echo "PostgREST configuration written successfully in $POSTGREST_CONF."
+
 if [ -z "$DB_PASS" ]; then
-    echo "You didn't provide any database password, please" \
+    echo "WARNING: You didn't provide any database password, please" \
          "edit $GARGANTEXT_CONF before running Gargantext."
 fi
+
+if ! $DB_ACCESS; then
+    echo "WARNING: Couldn't configure PostgREST user $PGREST_USER correctly," \
+         "you may need to edit $POSTGREST_CONF manually."
+fi

tools/mkenvs.sh

@@ -10,9 +10,10 @@ EOF
 build_env () {
     cat << EOF > $ENV_FILE
 $DJANGO_VAR
-# Path to gargantext configuration file, you're welcome to change that; when
-# a simple filename is given, it'll be searched in current directory
+# Paths of configuration files, you're welcome to change that; when a simple
+# filename is given, it'll be searched in current directory.
 GARGANTEXT_CONF=gargantext.ini
+POSTGREST_CONF=postgrest.conf
 EOF
 }