release: 2023-06-01 (#407)

Author: vdelacruzb

CHANGELOG.md

@@ -4,6 +4,10 @@ CARTO Analytics Toolbox Core.
 
 All notable commits to this project will be documented in this file.
 
+## 2023-06-01 
+
+- fix(tools|installer): verify lds config when using cat-installer (#406)
+
 ## 2023-05-05
 
 - feat(sf|h3): add H3_CENTER function (#395)

clouds/postgres/common/list_libraries.js

@@ -23,7 +23,8 @@ if (diff.length) {
         /\.github\/workflows\/postgres\.yml/,
         /clouds\/postgres\/common\/.+/,
         /clouds\/postgres\/libraries\/.+/,
-        /clouds\/postgres\/.*Makefile/
+        /clouds\/postgres\/.*Makefile/,
+        /clouds\/postgres\/version/
     ];
     const patternModulesSql = /clouds\/postgres\/modules\/sql\/([^\s]*?)\//g;
     const patternModulesTest = /clouds\/postgres\/modules\/test\/([^\s]*?)\//g;

clouds/snowflake/common/test-utils.js

@@ -71,10 +71,21 @@ function sortByKeyAndRound (list, orderKey, roundedKeys, precision=10) {
     return list;
 }
 
+async function existsTable (table) {
+    try {
+        const query = `SELECT * FROM ${table} LIMIT 0`;
+        await runQuery(query);
+        return true;
+    } catch {
+        return false;
+    }
+}
+
 module.exports = {
     runQuery,
     createTable,
     deleteTable,
     sortByKey,
-    sortByKeyAndRound
+    sortByKeyAndRound,
+    existsTable
 }

clouds/snowflake/modules/sql/h3/H3_RESOLUTION.sql

@@ -2,7 +2,7 @@
 -- Copyright (C) 2023 CARTO
 ----------------------------
 
-CREATE OR REPLACE FUNCTION @@SF_SCHEMA@@.H3_RESOLUTION
+CREATE OR REPLACE SECURE FUNCTION @@SF_SCHEMA@@.H3_RESOLUTION
 (
     h3 STRING
 )

tools/installer/setup.cfg

@@ -1,6 +1,6 @@
 [metadata]
 name = cat-installer
-version = 0.2.0
+version = 0.2.1
 description = Python script to install the CARTO Analytics Toolbox in Redshift and Postgres
 long_description = file: README.md
 long_description_content_type = text/markdown
@@ -33,6 +33,8 @@ install_requires =
     sqlparse>0.4
     redshift-connector>2.0
     psycopg2-binary>=2.9.1
+    pyjwt==2.7.0
+    validator-collection==1.5.0
 zip_safe = False
 [options.entry_points]
 console_scripts =

tools/installer/src/__init__.py

@@ -5,6 +5,8 @@
 import click
 import zipfile
 import redshift_connector
+import jwt
+from validator_collection import checkers
 
 from tqdm import trange
 from sqlparse import split
@@ -77,6 +79,34 @@ def run_sql(sql, config):
                 print(notice.strip())
 
 
+def validate_lds_config(lds_config):
+    pattern = r'^(lds-function-asia-northeast1|lds-function-australia-southeast1|lds-function-europe-west1|lds-function-us-east1)$'  # noqa: E501
+    if not validate_str(lds_config.get('lambda'), pattern):
+        exit('incorrect configuration: missing or invalid lds.lambda')
+
+    pattern = r'^arn:aws:iam::[0-9]+:role/CartoFunctionsRedshiftRole,arn:aws:iam::000955892807:role/CartoFunctionsRole$'  # noqa: E501
+    if not validate_str(lds_config.get('roles'), pattern):
+        exit('incorrect configuration: missing or invalid lds.roles')
+
+    if not validate_str(lds_config.get('api_base_url')):
+        exit('incorrect configuration: missing lds.api_base_url')
+
+    if not checkers.is_url(lds_config.get('api_base_url')):
+        exit('incorrect configuration: invalid lds.api_base_url')
+
+    token = lds_config.get('token')
+    if not validate_str(token):
+        exit('incorrect configuration: missing lds.token')
+    algorithm = jwt.get_unverified_header(token).get('alg')
+    if not algorithm:
+        exit('incorrect configuration: invalid lds.token')
+    jwt_payload = jwt.decode(
+        token, algorithms=[algorithm], options={'verify_signature': False}
+    )
+    if not jwt_payload.get('a') or not jwt_payload.get('jti'):
+        exit('incorrect configuration: invalid lds.token')
+
+
 def validate_config(config):
     connection = config.get('connection')
 
@@ -107,21 +137,9 @@ def validate_config(config):
     if not validate_str(connection.get('password')):
         exit('incorrect configuration: missing connection.password')
 
-    lds = config.get('lds')
-    if cloud == 'redshift' and lds is not None:
-        pattern = r'^(lds-function-asia-northeast1|lds-function-australia-southeast1|lds-function-europe-west1|lds-function-us-east1)$'  # noqa: E501
-        if not validate_str(lds.get('lambda'), pattern):
-            exit('incorrect configuration: missing or invalid lds.lambda')
-
-        pattern = r'^arn:aws:iam::[0-9]+:role/CartoFunctionsRedshiftRole,arn:aws:iam::000955892807:role/CartoFunctionsRole$'  # noqa: E501
-        if not validate_str(lds.get('roles'), pattern):
-            exit('incorrect configuration: missing or invalid lds.roles')
-
-        if not validate_str(lds.get('api_base_url')):
-            exit('incorrect configuration: missing lds.api_base_url')
-
-        if not validate_str(lds.get('token')):
-            exit('incorrect configuration: missing lds.token')
+    lds_config = config.get('lds')
+    if cloud == 'redshift' and lds_config is not None:
+        validate_lds_config(lds_config)
 
 
 def validate_str(string, pattern=None):