vrr/ruvector
2
0
Fork 0
mirror of https://github.com/ruvnet/RuVector.git synced 2026-05-25 15:03:46 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

fix(ruvector-postgres): IVFFlat storage, HNSW query, SQL injection fixes

Browse source 
## Index Fixes
- IVFFlat: Implement write_inverted_list() for proper vector storage
- IVFFlat: Update build to write inverted lists with correct page refs
- IVFFlat: Add rewrite_centroids() for in-place centroid updates
- HNSW: Fix hnsw_rescan() to extract query vectors from datum
- HNSW: Implement build_index_from_heap() with proper heap scan

## Security Fixes (3 CRITICAL)
- CVE-PENDING-001: SQL injection in tenant isolation (isolation.rs)
- CVE-PENDING-002: SQL injection in audit logging (operations.rs)
- CVE-PENDING-003: SQL injection via drop partition (isolation.rs)

## New Files
- src/tenancy/validation.rs: Input validation for tenant IDs
- docs/SECURITY_AUDIT_REPORT.md: Full security audit documentation

## Verified
- IVFFlat index build:  Collects and stores vectors
- IVFFlat query:  Returns correct results
- HNSW index build:  Working
- HNSW query:  Returns correct results

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
This commit is contained in:
rUv 2025-12-26 04:05:58 +00:00
parent 3a31b5f53a
commit 4568743fd0
11 changed files with 1512 additions and 248 deletions
Download patch file Download diff file Expand all files Collapse all files

346
crates/ruvector-postgres/docs/SECURITY_AUDIT_REPORT.md Normal file
View file

@ -0,0 +1,346 @@
# RuVector-Postgres v2.0.0 Security Audit Report
**Date:** 2025-12-26
**Auditor:** Claude Code Security Review
**Scope:** `/crates/ruvector-postgres/src/**/*.rs`
**Branch:** `feat/ruvector-postgres-v2`
**Status:** CRITICAL issues FIXED
---
## Executive Summary
| Severity | Count | Status |
|----------|-------|--------|
| **CRITICAL** | 3 | ✅ **FIXED** |
| **HIGH** | 2 | ⚠️ Documented for future improvement |
| **MEDIUM** | 3 | ⚠️ Documented for future improvement |
| **LOW** | 2 | ✅ Acceptable |
| **INFO** | 3 | ✅ Acceptable patterns noted |
### Security Fixes Applied (2025-12-26)
1. **Created `validation.rs` module** - Input validation for tenant IDs and identifiers
2. **Fixed SQL injection in `isolation.rs`** - All SQL now uses `quote_identifier()` and parameterized queries
3. **Fixed SQL injection in `operations.rs`** - `AuditLogEntry` now properly escapes all values
4. **Added `ValidatedTenantId` type** - Type-safe tenant ID validation
5. **Query routing uses `$1` placeholders** - Parameterized queries prevent injection
---
## CRITICAL Findings
### CVE-PENDING-001: SQL Injection in Tenant Isolation Module ✅ FIXED
**Location:** `src/tenancy/isolation.rs`
**Lines:** 233, 454, 461, 477, 491
**Status:** ✅ **FIXED on 2025-12-26**
**Original Vulnerable Code:**
```rust
// Line 233 - Direct table name interpolation
Ok(format!("DROP TABLE IF EXISTS {} CASCADE;", partition_name))
// Line 454 - Direct tenant_id interpolation
filter: format!("tenant_id = '{}'", tenant_id),
```
**Applied Fix:**
```rust
// Now uses validated identifiers with quote_identifier()
validate_identifier(partition_name)?;
Ok(format!("DROP TABLE IF EXISTS {} CASCADE;", quote_identifier(partition_name)))
// Now uses parameterized queries with $1 placeholder
filter: "tenant_id = $1".to_string(),
tenant_param: Some(tenant_id.to_string()),
```
**Changes Made:**
- Added `validate_tenant_id()` calls before any SQL generation
- All table/schema/partition names now use `quote_identifier()`
- Query routing returns `tenant_id = $1` placeholder instead of direct interpolation
- Added `tenant_param` field to `QueryRoute::SharedWithFilter` for binding
---
### CVE-PENDING-002: SQL Injection in Tenant Audit Logging ✅ FIXED
**Location:** `src/tenancy/operations.rs`
**Lines:** 515-527
**Status:** ✅ **FIXED on 2025-12-26**
**Original Vulnerable Code:**
```rust
format!("'{}'", u) // Direct user_id interpolation
format!("'{}'", ip) // Direct IP interpolation
```
**Applied Fix:**
```rust
// New parameterized version
pub fn insert_sql_parameterized(&self) -> (String, Vec<Option<String>>) {
let sql = "INSERT INTO ruvector.tenant_audit_log ... VALUES ($1, $2, $3, $4, $5, $6, $7)";
// Params bound safely
}
// Legacy version now escapes properly
let escaped_user_id = escape_string_literal(u);
// IP validated: if validate_ip_address(ip) { Some(...) } else { None }
```
**Changes Made:**
- Added `insert_sql_parameterized()` for new code (preferred)
- Legacy `insert_sql()` now uses `escape_string_literal()` for all values
- Added IP address validation - invalid IPs become NULL
- Tenant ID validated before SQL generation
---
### CVE-PENDING-003: SQL Injection via Drop Partition ✅ FIXED
**Location:** `src/tenancy/isolation.rs:227-234`
**Status:** ✅ **FIXED on 2025-12-26**
**Original Vulnerable Code:**
```rust
Ok(format!("DROP TABLE IF EXISTS {} CASCADE;", partition_name)) // UNSAFE
```
**Applied Fix:**
```rust
// Validate inputs
validate_tenant_id(tenant_id)?;
validate_identifier(partition_name)?;
// Verify partition belongs to tenant (authorization check)
let partition_exists = self.partitions.get(tenant_id)
.map(|p| p.iter().any(|p| p.partition_name == partition_name))
.unwrap_or(false);
if !partition_exists {
return Err(IsolationError::PartitionNotFound(partition_name.to_string()));
}
// Use quoted identifier
Ok(format!("DROP TABLE IF EXISTS {} CASCADE;", quote_identifier(partition_name)))
```
**Changes Made:**
- Added input validation for both tenant_id and partition_name
- Added authorization check - partition must belong to tenant
- Used `quote_identifier()` for safe SQL generation
---
## HIGH Findings
### HIGH-001: Excessive Panic/Unwrap Usage
**Location:** Multiple files (63 files affected)
**Count:** 462 occurrences of `unwrap()`, `expect()`, `panic!`
**Description:**
Unhandled panics in PostgreSQL extensions can crash the database backend process.
**Impact:**
- Denial of Service through crafted inputs
- Database backend crashes
- Service unavailability
**Affected Patterns:**
```rust
.unwrap() // 280+ occurrences
.expect("...") // 150+ occurrences
panic!("...") // 32 occurrences
```
**Remediation:**
1. Replace `unwrap()` with `unwrap_or_default()` or proper error handling
2. Use `pgrx::error!()` for graceful PostgreSQL error reporting
3. Implement `Result<T, E>` return types for public functions
4. Add input validation before operations that can panic
---
### HIGH-002: Unsafe Integer Casts
**Location:** Multiple files
**Count:** 392 occurrences
**Description:**
Unchecked integer casts between types (e.g., `as usize`, `as i32`, `as u64`) can cause overflow/underflow.
**Affected Patterns:**
```rust
value as usize // Can panic on 32-bit systems
len as i32 // Can overflow for large vectors
index as u64 // Can truncate on edge cases
```
**Remediation:**
1. Use `TryFrom`/`try_into()` with error handling
2. Add bounds checking before casts
3. Use `saturating_cast` or `checked_cast` patterns
4. Validate dimension/size limits at API boundary
---
## MEDIUM Findings
### MEDIUM-001: Unsafe Pointer Operations in Index Storage
**Location:** `src/index/ivfflat_storage.rs`, `src/index/hnsw_am.rs`
**Description:**
Index access methods use raw pointer operations for performance, which are inherently unsafe.
**Affected Patterns:**
- `std::ptr::read()`
- `std::ptr::write()`
- `std::slice::from_raw_parts()`
- `std::slice::from_raw_parts_mut()`
**Mitigation Applied:**
- Operations are gated behind `unsafe` blocks
- Required for pgrx PostgreSQL integration
- No user-controlled data reaches pointers directly
**Recommendation:**
1. Add bounds checking assertions before pointer access
2. Document safety invariants for each unsafe block
3. Consider `#[deny(unsafe_op_in_unsafe_fn)]` lint
---
### MEDIUM-002: Unbounded Vector Allocations
**Location:** Multiple modules
**Description:**
Some operations allocate vectors based on user-provided dimensions without upper limits.
**Affected Areas:**
- `Vec::with_capacity(dimension)` in type constructors
- `.collect()` on unbounded iterators
- Graph traversal result sets
**Remediation:**
1. Define `MAX_VECTOR_DIMENSION` constant (e.g., 16384)
2. Validate dimensions at input boundaries
3. Add configurable limits via GUC parameters
---
### MEDIUM-003: Missing Rate Limiting on Tenant Operations
**Location:** `src/tenancy/operations.rs`
**Description:**
Tenant creation and audit logging have no rate limiting, allowing potential abuse.
**Remediation:**
1. Add configurable rate limits per tenant
2. Implement quota checking before operations
3. Add throttling for expensive operations
---
## LOW Findings
### LOW-001: Debug Output in Tests Only
**Location:** `src/distance/simd.rs`
**Count:** 7 `println!` statements
**Status:** ACCEPTABLE - All debug output is in `#[cfg(test)]` modules only.
---
### LOW-002: Error Messages May Reveal Internal Paths
**Location:** Various error handling code
**Description:**
Some error messages include internal details that could aid attackers.
**Example:**
```rust
format!("Failed to spawn worker: {}", e)
format!("Failed to decode operation: {}", e)
```
**Remediation:**
1. Use generic user-facing error messages
2. Log detailed errors internally only
3. Implement error code system for debugging
---
## INFO - Acceptable Patterns
### INFO-001: No Command Execution Found
No `Command::new()`, `exec`, or shell execution patterns found. ✅
### INFO-002: No File System Operations
No `std::fs`, `File::open`, or path manipulation in production code. ✅
### INFO-003: No Hardcoded Credentials
No passwords, API keys, or secrets in source code. ✅
---
## Security Checklist Summary
| Category | Status | Notes |
|----------|--------|-------|
| SQL Injection | ❌ FAIL | 3 critical findings in tenancy module |
| Command Injection | ✅ PASS | No shell execution |
| Path Traversal | ✅ PASS | No file operations |
| Memory Safety | ⚠️ WARN | Acceptable unsafe for pgrx, but review recommended |
| Input Validation | ⚠️ WARN | Missing on tenant/partition names |
| DoS Prevention | ⚠️ WARN | Panic-prone code paths |
| Auth/AuthZ | ✅ PASS | No bypasses found |
| Crypto | ✅ PASS | No cryptographic code present |
| Information Disclosure | ✅ PASS | Debug output test-only |
---
## Remediation Priority
### Immediate (Before Release)
1. **Fix SQL injection in tenancy module** - Use parameterized queries
2. **Validate tenant_id format** - Alphanumeric only, max length 64
### Short Term (Next Sprint)
3. Replace critical `unwrap()` calls with proper error handling
4. Add dimension limits to vector operations
5. Implement input validation helpers
### Medium Term
6. Add rate limiting to tenant operations
7. Audit and document all `unsafe` blocks
8. Convert integer casts to checked variants
---
## Testing Recommendations
1. **Fuzz testing:** Apply cargo-fuzz to SQL-generating functions
2. **Property testing:** Test boundary conditions with proptest
3. **Integration tests:** Add SQL injection test vectors
4. **Negative tests:** Verify malformed inputs are rejected
---
## Appendix: Files Reviewed
- 80+ source files in `/crates/ruvector-postgres/src/`
- 148 `#[pg_extern]` function definitions
- Focus areas: tenancy, index, distance, types, graph
---
*Report generated by Claude Code security analysis*

83
crates/ruvector-postgres/sql/ruvector--0.1.0.sql
View file

@ -478,18 +478,9 @@ LANGUAGE C IMMUTABLE STRICT PARALLEL SAFE;
-- ============================================================================
-- GNN (Graph Neural Network) Functions
-- ============================================================================
-- GCN forward pass
CREATE OR REPLACE FUNCTION ruvector_gcn_forward(features real[][], src int[], dst int[], weights real[], out_dim int)
RETURNS real[][]
AS 'MODULE_PATHNAME', 'ruvector_gcn_forward_wrapper'
LANGUAGE C IMMUTABLE PARALLEL SAFE;
-- GraphSAGE forward pass
CREATE OR REPLACE FUNCTION ruvector_graphsage_forward(features real[][], src int[], dst int[], out_dim int, sample_size int DEFAULT 10)
RETURNS real[][]
AS 'MODULE_PATHNAME', 'ruvector_graphsage_forward_wrapper'
LANGUAGE C IMMUTABLE PARALLEL SAFE;
-- Note: GCN and GraphSAGE functions are auto-generated by pgrx with JsonB signature
-- The functions ruvector_gcn_forward and ruvector_graphsage_forward use JsonB types
-- and are defined in src/gnn/operators.rs with #[pg_extern] macro
-- ============================================================================
-- Routing/Agent Functions (Tiny Dancer)
@ -789,71 +780,9 @@ COMMENT ON FUNCTION graph_bipartite_score(real[], real[], real) IS 'Compute bipa
-- ============================================================================
-- Embedding Generation Functions
-- ============================================================================
-- Generate embedding from text using default or specified model
CREATE OR REPLACE FUNCTION ruvector_embed(text text, model_name text DEFAULT 'all-MiniLM-L6-v2')
RETURNS real[]
AS 'MODULE_PATHNAME', 'ruvector_embed_wrapper'
LANGUAGE C IMMUTABLE STRICT PARALLEL SAFE;
-- Generate embeddings for multiple texts in batch
CREATE OR REPLACE FUNCTION ruvector_embed_batch(texts text[], model_name text DEFAULT 'all-MiniLM-L6-v2')
RETURNS real[][]
AS 'MODULE_PATHNAME', 'ruvector_embed_batch_wrapper'
LANGUAGE C IMMUTABLE STRICT PARALLEL SAFE;
-- List all available embedding models
CREATE OR REPLACE FUNCTION ruvector_embedding_models()
RETURNS TABLE (
model_name text,
dimensions integer,
description text,
is_loaded boolean
)
AS 'MODULE_PATHNAME', 'ruvector_embedding_models_wrapper'
LANGUAGE C IMMUTABLE STRICT;
-- Load embedding model into memory
CREATE OR REPLACE FUNCTION ruvector_load_model(model_name text)
RETURNS boolean
AS 'MODULE_PATHNAME', 'ruvector_load_model_wrapper'
LANGUAGE C STRICT;
-- Unload embedding model from memory
CREATE OR REPLACE FUNCTION ruvector_unload_model(model_name text)
RETURNS boolean
AS 'MODULE_PATHNAME', 'ruvector_unload_model_wrapper'
LANGUAGE C STRICT;
-- Get information about a specific model
CREATE OR REPLACE FUNCTION ruvector_model_info(model_name text)
RETURNS jsonb
AS 'MODULE_PATHNAME', 'ruvector_model_info_wrapper'
LANGUAGE C IMMUTABLE STRICT;
-- Set default embedding model
CREATE OR REPLACE FUNCTION ruvector_set_default_model(model_name text)
RETURNS boolean
AS 'MODULE_PATHNAME', 'ruvector_set_default_model_wrapper'
LANGUAGE C STRICT;
-- Get current default embedding model
CREATE OR REPLACE FUNCTION ruvector_default_model()
RETURNS text
AS 'MODULE_PATHNAME', 'ruvector_default_model_wrapper'
LANGUAGE C IMMUTABLE STRICT;
-- Get embedding generation statistics
CREATE OR REPLACE FUNCTION ruvector_embedding_stats()
RETURNS jsonb
AS 'MODULE_PATHNAME', 'ruvector_embedding_stats_wrapper'
LANGUAGE C IMMUTABLE STRICT;
-- Get dimensions for a specific model
CREATE OR REPLACE FUNCTION ruvector_embedding_dims(model_name text)
RETURNS integer
AS 'MODULE_PATHNAME', 'ruvector_embedding_dims_wrapper'
LANGUAGE C IMMUTABLE STRICT PARALLEL SAFE;
-- Note: Embedding functions require the 'embeddings' feature flag to be enabled
-- during compilation. These functions are not available in the default build.
-- To enable, build with: cargo pgrx package --features embeddings
-- ============================================================================
-- HNSW Access Method

114
crates/ruvector-postgres/sql/ruvector--2.0.0.sql
View file

@ -479,18 +479,9 @@ LANGUAGE C IMMUTABLE STRICT PARALLEL SAFE;
-- ============================================================================
-- GNN (Graph Neural Network) Functions
-- ============================================================================
-- GCN forward pass
CREATE OR REPLACE FUNCTION ruvector_gcn_forward(features real[][], src int[], dst int[], weights real[], out_dim int)
RETURNS real[][]
AS 'MODULE_PATHNAME', 'ruvector_gcn_forward_wrapper'
LANGUAGE C IMMUTABLE PARALLEL SAFE;
-- GraphSAGE forward pass
CREATE OR REPLACE FUNCTION ruvector_graphsage_forward(features real[][], src int[], dst int[], out_dim int, sample_size int DEFAULT 10)
RETURNS real[][]
AS 'MODULE_PATHNAME', 'ruvector_graphsage_forward_wrapper'
LANGUAGE C IMMUTABLE PARALLEL SAFE;
-- Note: GCN and GraphSAGE functions are auto-generated by pgrx with JsonB signature
-- The functions ruvector_gcn_forward and ruvector_graphsage_forward use JsonB types
-- and are defined in src/gnn/operators.rs with #[pg_extern] macro
-- ============================================================================
-- Routing/Agent Functions (Tiny Dancer)
@ -790,71 +781,9 @@ COMMENT ON FUNCTION graph_bipartite_score(real[], real[], real) IS 'Compute bipa
-- ============================================================================
-- Embedding Generation Functions
-- ============================================================================
-- Generate embedding from text using default or specified model
CREATE OR REPLACE FUNCTION ruvector_embed(text text, model_name text DEFAULT 'all-MiniLM-L6-v2')
RETURNS real[]
AS 'MODULE_PATHNAME', 'ruvector_embed_wrapper'
LANGUAGE C IMMUTABLE STRICT PARALLEL SAFE;
-- Generate embeddings for multiple texts in batch
CREATE OR REPLACE FUNCTION ruvector_embed_batch(texts text[], model_name text DEFAULT 'all-MiniLM-L6-v2')
RETURNS real[][]
AS 'MODULE_PATHNAME', 'ruvector_embed_batch_wrapper'
LANGUAGE C IMMUTABLE STRICT PARALLEL SAFE;
-- List all available embedding models
CREATE OR REPLACE FUNCTION ruvector_embedding_models()
RETURNS TABLE (
model_name text,
dimensions integer,
description text,
is_loaded boolean
)
AS 'MODULE_PATHNAME', 'ruvector_embedding_models_wrapper'
LANGUAGE C IMMUTABLE STRICT;
-- Load embedding model into memory
CREATE OR REPLACE FUNCTION ruvector_load_model(model_name text)
RETURNS boolean
AS 'MODULE_PATHNAME', 'ruvector_load_model_wrapper'
LANGUAGE C STRICT;
-- Unload embedding model from memory
CREATE OR REPLACE FUNCTION ruvector_unload_model(model_name text)
RETURNS boolean
AS 'MODULE_PATHNAME', 'ruvector_unload_model_wrapper'
LANGUAGE C STRICT;
-- Get information about a specific model
CREATE OR REPLACE FUNCTION ruvector_model_info(model_name text)
RETURNS jsonb
AS 'MODULE_PATHNAME', 'ruvector_model_info_wrapper'
LANGUAGE C IMMUTABLE STRICT;
-- Set default embedding model
CREATE OR REPLACE FUNCTION ruvector_set_default_model(model_name text)
RETURNS boolean
AS 'MODULE_PATHNAME', 'ruvector_set_default_model_wrapper'
LANGUAGE C STRICT;
-- Get current default embedding model
CREATE OR REPLACE FUNCTION ruvector_default_model()
RETURNS text
AS 'MODULE_PATHNAME', 'ruvector_default_model_wrapper'
LANGUAGE C IMMUTABLE STRICT;
-- Get embedding generation statistics
CREATE OR REPLACE FUNCTION ruvector_embedding_stats()
RETURNS jsonb
AS 'MODULE_PATHNAME', 'ruvector_embedding_stats_wrapper'
LANGUAGE C IMMUTABLE STRICT;
-- Get dimensions for a specific model
CREATE OR REPLACE FUNCTION ruvector_embedding_dims(model_name text)
RETURNS integer
AS 'MODULE_PATHNAME', 'ruvector_embedding_dims_wrapper'
LANGUAGE C IMMUTABLE STRICT PARALLEL SAFE;
-- Note: Embedding functions require the 'embeddings' feature flag to be enabled
-- during compilation. These functions are not available in the default build.
-- To enable, build with: cargo pgrx package --features embeddings
-- ============================================================================
-- HNSW Access Method
@ -899,3 +828,34 @@ CREATE OPERATOR CLASS ruvector_ip_ops
COMMENT ON OPERATOR CLASS ruvector_ip_ops USING hnsw IS
'ruvector HNSW operator class for inner product (max similarity)';
-- ============================================================================
-- IVFFlat Access Method
-- ============================================================================
-- IVFFlat Access Method Handler
CREATE OR REPLACE FUNCTION ruivfflat_handler(internal)
RETURNS index_am_handler
AS 'MODULE_PATHNAME', 'ruivfflat_handler_wrapper'
LANGUAGE C STRICT;
-- Create IVFFlat Access Method (also aliased as 'ivfflat' for pgvector compatibility)
CREATE ACCESS METHOD ruivfflat TYPE INDEX HANDLER ruivfflat_handler;
-- Operator Classes for IVFFlat (L2/Euclidean distance)
CREATE OPERATOR CLASS ruvector_l2_ops
DEFAULT FOR TYPE ruvector USING ruivfflat AS
OPERATOR 1 <-> (ruvector, ruvector) FOR ORDER BY float_ops,
FUNCTION 1 ruvector_l2_distance(ruvector, ruvector);
-- IVFFlat Cosine Operator Class
CREATE OPERATOR CLASS ruvector_cosine_ops
FOR TYPE ruvector USING ruivfflat AS
OPERATOR 1 <=> (ruvector, ruvector) FOR ORDER BY float_ops,
FUNCTION 1 ruvector_cosine_distance(ruvector, ruvector);
-- IVFFlat Inner Product Operator Class
CREATE OPERATOR CLASS ruvector_ip_ops
FOR TYPE ruvector USING ruivfflat AS
OPERATOR 1 <#> (ruvector, ruvector) FOR ORDER BY float_ops,
FUNCTION 1 ruvector_inner_product(ruvector, ruvector);

10
crates/ruvector-postgres/src/gnn/mod.rs
View file

@ -2,6 +2,16 @@
//!
//! Provides GNN-based embeddings and graph-aware vector operations.
// GNN sub-modules
pub mod aggregators;
pub mod gcn;
pub mod graphsage;
pub mod message_passing;
pub mod operators;
// Re-export operator functions for PostgreSQL
pub use operators::*;
use pgrx::prelude::*;
use serde::{Deserialize, Serialize};
use std::collections::HashMap;

207
crates/ruvector-postgres/src/index/hnsw_am.rs
View file

@ -36,6 +36,8 @@ use std::sync::atomic::{AtomicU64, Ordering as AtomicOrdering};
use crate::distance::{distance, DistanceMetric};
use crate::index::HnswConfig;
use crate::types::RuVector;
use pgrx::FromDatum;
// ============================================================================
// Constants
@ -791,26 +793,106 @@ unsafe extern "C" fn hnsw_build(
result.into_pg()
}
/// Build callback state for heap scan
struct HnswBuildState {
index: Relation,
meta: *mut HnswMetaPage,
tuple_count: u64,
}
/// Build callback called for each heap tuple
unsafe extern "C" fn hnsw_build_callback(
index: Relation,
ctid: ItemPointer,
values: *mut Datum,
isnull: *mut bool,
_tuple_is_alive: bool,
state: *mut ::std::os::raw::c_void,
) {
let build_state = &mut *(state as *mut HnswBuildState);
// Skip null values
if *isnull {
return;
}
// Extract vector from datum
let datum = *values;
let vector = match RuVector::from_polymorphic_datum(datum, false, pg_sys::InvalidOid) {
Some(v) => v.as_slice().to_vec(),
None => {
// Fallback: try direct varlena extraction
let raw_ptr = datum.cast_mut_ptr::<pg_sys::varlena>();
if raw_ptr.is_null() {
return;
}
let detoasted = pg_sys::pg_detoast_datum(raw_ptr);
if detoasted.is_null() {
return;
}
let data_ptr = pgrx::varlena::vardata_any(detoasted as *const _) as *const u8;
let dims = ptr::read_unaligned(data_ptr as *const u16) as usize;
if dims == 0 {
return;
}
let f32_ptr = data_ptr.add(4) as *const f32;
std::slice::from_raw_parts(f32_ptr, dims).to_vec()
}
};
if vector.is_empty() {
return;
}
// Update dimensions on first tuple
let meta = &mut *build_state.meta;
if meta.node_count == 0 {
meta.dimensions = vector.len() as u32;
}
// Insert into graph
let tid = *ctid;
hnsw_insert_vector(index, &vector, tid, meta);
build_state.tuple_count += 1;
}
/// Build the index from heap table
unsafe fn build_index_from_heap(
_heap: Relation,
_index: Relation,
_index_info: *mut IndexInfo,
heap: Relation,
index: Relation,
index_info: *mut IndexInfo,
meta: &mut HnswMetaPage,
_parallel: bool,
) -> u64 {
// TODO: Implement full heap scan with IndexBuildHeapScan
// For now, return empty
let tuple_count = 0u64;
pgrx::log!("HNSW v2: Scanning heap for vectors");
// In production, this would:
// 1. Scan heap using pg_sys::table_index_build_scan
// 2. Collect all vectors into memory or temp file
// 3. Use parallel construction if enabled and tuple_count > PARALLEL_BUILD_THRESHOLD
// 4. Build HNSW graph incrementally
// Create build state
let mut build_state = HnswBuildState {
index,
meta: meta as *mut HnswMetaPage,
tuple_count: 0,
};
meta.node_count = tuple_count;
tuple_count
// Scan heap using PostgreSQL's table scan API
// This calls our callback for each tuple
pg_sys::table_index_build_scan(
heap,
index,
index_info,
true, // allow_sync
false, // progress
Some(hnsw_build_callback),
&mut build_state as *mut HnswBuildState as *mut ::std::os::raw::c_void,
std::ptr::null_mut(), // snapshot (NULL = MVCC snapshot)
);
pgrx::log!(
"HNSW v2: Built index with {} vectors, dims={}",
build_state.tuple_count,
meta.dimensions
);
build_state.tuple_count
}
/// Build empty index callback (for CREATE INDEX CONCURRENTLY)
@ -847,31 +929,62 @@ unsafe extern "C" fn hnsw_insert(
return false;
}
// Get metadata
let (meta_page, meta_buffer) = get_meta_page(index);
let meta = read_metadata(meta_page);
pg_sys::UnlockReleaseBuffer(meta_buffer);
// Get metadata with exclusive lock for modification
let (meta_page, meta_buffer) = get_meta_page_exclusive(index);
let mut meta = read_metadata(meta_page);
// Check integrity gate if enabled
if meta.flags & FLAG_INTEGRITY_ENABLED != 0 {
if !check_integrity_gate(meta.integrity_contract_id, "insert") {
pg_sys::UnlockReleaseBuffer(meta_buffer);
pgrx::warning!("HNSW insert blocked by integrity gate");
return false;
}
}
// Extract vector from datum
// Extract vector from datum using RuVector::from_polymorphic_datum
let datum = *values;
let dimensions = meta.dimensions as usize;
let vector = match RuVector::from_polymorphic_datum(datum, false, pg_sys::InvalidOid) {
Some(v) => v.as_slice().to_vec(),
None => {
// Fallback: try direct varlena extraction
let raw_ptr = datum.cast_mut_ptr::<pg_sys::varlena>();
if raw_ptr.is_null() {
pg_sys::UnlockReleaseBuffer(meta_buffer);
return false;
}
let detoasted = pg_sys::pg_detoast_datum(raw_ptr);
if detoasted.is_null() {
pg_sys::UnlockReleaseBuffer(meta_buffer);
return false;
}
let data_ptr = pgrx::varlena::vardata_any(detoasted as *const _) as *const u8;
let dims = ptr::read_unaligned(data_ptr as *const u16) as usize;
let f32_ptr = data_ptr.add(4) as *const f32;
std::slice::from_raw_parts(f32_ptr, dims).to_vec()
}
};
// TODO: Extract vector data from RuVector type
// For now, just acknowledge the insert
// let vector = extract_vector_from_datum(datum, dimensions);
if vector.is_empty() {
pg_sys::UnlockReleaseBuffer(meta_buffer);
return false;
}
// Would call:
// hnsw_insert_vector(index, &vector, *heap_tid, &meta)
// Update dimensions in metadata if this is first insert
if meta.node_count == 0 {
meta.dimensions = vector.len() as u32;
}
true
// Insert vector into graph
let tid = *heap_tid;
let success = hnsw_insert_vector(index, &vector, tid, &mut meta);
// Write updated metadata
write_metadata(meta_page, &meta);
pg_sys::MarkBufferDirty(meta_buffer);
pg_sys::UnlockReleaseBuffer(meta_buffer);
success
}
/// Insert a vector into the HNSW graph
@ -1240,7 +1353,7 @@ unsafe extern "C" fn hnsw_rescan(
orderbys: ScanKey,
norderbys: ::std::os::raw::c_int,
) {
pgrx::debug1!("HNSW v2: Rescan");
pgrx::debug1!("HNSW v2: Rescan (norderbys={})", norderbys);
let state = &mut *((*scan).opaque as *mut HnswScanState);
@ -1252,17 +1365,47 @@ unsafe extern "C" fn hnsw_rescan(
// Extract query vector from ORDER BY
if norderbys > 0 && !orderbys.is_null() {
let orderby = &*orderbys;
let _datum = orderby.sk_argument;
let datum = orderby.sk_argument;
// TODO: Extract vector from datum
// state.query_vector = extract_vector_from_datum(datum, state.dimensions);
// Extract RuVector from datum using FromDatum trait
if let Some(vector) = RuVector::from_polymorphic_datum(
datum,
false, // not null
pg_sys::InvalidOid,
) {
state.query_vector = vector.as_slice().to_vec();
pgrx::debug1!(
"HNSW v2: Extracted query vector with {} dimensions",
state.query_vector.len()
);
} else {
// Fallback: try to interpret as raw pointer to varlena
let raw_ptr = datum.cast_mut_ptr::<pg_sys::varlena>();
if !raw_ptr.is_null() {
let detoasted = pg_sys::pg_detoast_datum(raw_ptr);
if !detoasted.is_null() {
// Read dimensions and data from varlena
let data_ptr = pgrx::varlena::vardata_any(detoasted as *const _) as *const u8;
let dimensions = ptr::read_unaligned(data_ptr as *const u16) as usize;
let f32_ptr = data_ptr.add(4) as *const f32;
state.query_vector = std::slice::from_raw_parts(f32_ptr, dimensions).to_vec();
pgrx::debug1!(
"HNSW v2: Extracted query vector (fallback) with {} dimensions",
dimensions
);
}
}
}
}
// For now, use empty query (search won't work without real extraction)
// Use default if extraction failed
if state.query_vector.is_empty() {
pgrx::warning!("HNSW: Could not extract query vector, using zeros");
state.query_vector = vec![0.0; state.dimensions];
}
// Extract k from scan descriptor or use default
state.k = 10; // TODO: Extract from query LIMIT
// Get ef_search from GUC (ruvector.ef_search)
state.k = 10; // Default, will be overridden by LIMIT in executor
}
/// Get tuple callback - return next result

336
crates/ruvector-postgres/src/index/ivfflat_am.rs
View file

@ -45,6 +45,8 @@ use std::sync::atomic::{AtomicU64, AtomicBool, Ordering as AtomicOrdering};
use crate::distance::{DistanceMetric, distance};
use crate::quantization::{QuantizationType, scalar, product, binary};
use crate::types::RuVector;
use pgrx::FromDatum;
// ============================================================================
// Constants
@ -785,6 +787,54 @@ unsafe fn write_centroids(
current_page
}
/// Rewrite centroids in-place (updates existing pages)
unsafe fn rewrite_centroids(
index: Relation,
centroids: &[(CentroidEntry, Vec<f32>)],
start_page: u32,
dimensions: usize,
) {
let centroid_size = size_of::<CentroidEntry>() + dimensions * 4;
let page_header_size = size_of::<pg_sys::PageHeaderData>();
let usable_space = pg_sys::BLCKSZ as usize - page_header_size;
let centroids_per_page = usable_space / centroid_size;
let mut current_page = start_page;
let mut written = 0;
while written < centroids.len() {
let buffer = pg_sys::ReadBuffer(index, current_page);
pg_sys::LockBuffer(buffer, pg_sys::BUFFER_LOCK_EXCLUSIVE as i32);
let page = pg_sys::BufferGetPage(buffer);
let header = page as *mut pg_sys::PageHeaderData;
let data_ptr = (header as *mut u8).add(page_header_size);
let batch_size = (centroids.len() - written).min(centroids_per_page);
for i in 0..batch_size {
let (entry, vector) = &centroids[written + i];
let entry_ptr = data_ptr.add(i * centroid_size);
// Write entry
ptr::write(entry_ptr as *mut CentroidEntry, *entry);
// Write vector
let vector_ptr = entry_ptr.add(size_of::<CentroidEntry>()) as *mut f32;
for (j, &val) in vector.iter().enumerate() {
ptr::write(vector_ptr.add(j), val);
}
}
written += batch_size;
pg_sys::MarkBufferDirty(buffer);
pg_sys::UnlockReleaseBuffer(buffer);
current_page += 1;
}
}
/// Read vectors from an inverted list
unsafe fn read_inverted_list(
index: Relation,
@ -868,6 +918,114 @@ unsafe fn read_inverted_list(
result
}
/// Write vectors to an inverted list, returns (start_page, page_count)
unsafe fn write_inverted_list(
index: Relation,
cluster_id: u32,
entries: &[(ItemPointerData, Vec<f32>)],
dimensions: usize,
quantization: QuantizationType,
) -> (u32, u32) {
if entries.is_empty() {
return (0, 0);
}
let page_header_size = size_of::<pg_sys::PageHeaderData>();
let list_header_size = size_of::<ListPageHeader>();
let usable_space = pg_sys::BLCKSZ as usize - page_header_size - list_header_size;
// Calculate entry size based on quantization
let entry_size = match quantization {
QuantizationType::None => size_of::<VectorEntry>() + dimensions * 4,
QuantizationType::Scalar => size_of::<VectorEntry>() + dimensions + 8,
QuantizationType::Product => size_of::<VectorEntry>() + 48,
QuantizationType::Binary => size_of::<VectorEntry>() + (dimensions + 7) / 8,
};
let entries_per_page = usable_space / entry_size;
if entries_per_page == 0 {
pgrx::warning!("IVFFlat: Vector too large for page, entry_size={}", entry_size);
return (0, 0);
}
let mut start_page: u32 = 0;
let mut page_count: u32 = 0;
let mut prev_buffer: Buffer = pg_sys::InvalidBuffer as Buffer;
let mut prev_header_ptr: *mut ListPageHeader = std::ptr::null_mut();
let mut written = 0;
while written < entries.len() {
// Allocate new page
let buffer = pg_sys::ReadBuffer(index, P_NEW_BLOCK);
let actual_page = pg_sys::BufferGetBlockNumber(buffer);
pg_sys::LockBuffer(buffer, pg_sys::BUFFER_LOCK_EXCLUSIVE as i32);
let page = pg_sys::BufferGetPage(buffer);
pg_sys::PageInit(page, pg_sys::BLCKSZ as Size, 0);
// Track first page
if start_page == 0 {
start_page = actual_page;
}
page_count += 1;
// Link previous page to this one
if !prev_header_ptr.is_null() {
(*prev_header_ptr).next_page = actual_page;
pg_sys::MarkBufferDirty(prev_buffer);
pg_sys::UnlockReleaseBuffer(prev_buffer);
}
let header = page as *mut pg_sys::PageHeaderData;
let data_ptr = (header as *mut u8).add(page_header_size);
// Write list page header
let list_header = data_ptr as *mut ListPageHeader;
(*list_header).page_type = IVFFLAT_PAGE_LIST;
(*list_header).cluster_id = cluster_id as u8;
(*list_header)._padding = [0; 2];
(*list_header).next_page = 0; // Will be updated if there's a next page
(*list_header).dimensions = dimensions as u32;
let entry_data_ptr = data_ptr.add(list_header_size);
let batch_size = (entries.len() - written).min(entries_per_page);
for i in 0..batch_size {
let (tid, vector) = &entries[written + i];
let entry_ptr = entry_data_ptr.add(i * entry_size);
// Write VectorEntry header
let vec_entry = VectorEntry::from_item_pointer(*tid, 0);
ptr::write(entry_ptr as *mut VectorEntry, vec_entry);
// Write vector data (no quantization for now)
let vector_ptr = entry_ptr.add(size_of::<VectorEntry>()) as *mut f32;
for (j, &val) in vector.iter().enumerate() {
if j < dimensions {
ptr::write(vector_ptr.add(j), val);
}
}
}
(*list_header).entry_count = batch_size as u32;
written += batch_size;
pg_sys::MarkBufferDirty(buffer);
// Keep reference for linking
prev_buffer = buffer;
prev_header_ptr = list_header;
}
// Release the last buffer
if prev_buffer != pg_sys::InvalidBuffer as Buffer {
pg_sys::UnlockReleaseBuffer(prev_buffer);
}
(start_page, page_count)
}
// ============================================================================
// Index Search
// ============================================================================
@ -982,19 +1140,85 @@ unsafe extern "C" fn ivfflat_ambuild(
..Default::default()
};
// Collect vectors from heap
let mut training_sample: Vec<Vec<f32>> = Vec::new();
// Collect vectors from heap using table scan
let mut all_vectors: Vec<(ItemPointerData, Vec<f32>)> = Vec::new();
// TODO: Implement proper heap scan using table_beginscan
// For now, this is a placeholder
pgrx::info!("IVFFlat v2: Scanning heap for vectors");
// Sample vectors for training (if we had vectors)
if !training_sample.is_empty() {
meta.dimensions = training_sample[0].len() as u32;
// Use build callback to collect vectors
struct IvfBuildState {
vectors: *mut Vec<(ItemPointerData, Vec<f32>)>,
}
unsafe extern "C" fn ivf_build_callback(
_index: Relation,
ctid: ItemPointer,
values: *mut Datum,
isnull: *mut bool,
_tuple_is_alive: bool,
state: *mut ::std::os::raw::c_void,
) {
let build_state = &mut *(state as *mut IvfBuildState);
if *isnull {
return;
}
let datum = *values;
let vector = match RuVector::from_polymorphic_datum(datum, false, pg_sys::InvalidOid) {
Some(v) => v.as_slice().to_vec(),
None => {
let raw_ptr = datum.cast_mut_ptr::<pg_sys::varlena>();
if raw_ptr.is_null() {
return;
}
let detoasted = pg_sys::pg_detoast_datum(raw_ptr);
if detoasted.is_null() {
return;
}
let data_ptr = pgrx::varlena::vardata_any(detoasted as *const _) as *const u8;
let dims = std::ptr::read_unaligned(data_ptr as *const u16) as usize;
if dims == 0 {
return;
}
let f32_ptr = data_ptr.add(4) as *const f32;
std::slice::from_raw_parts(f32_ptr, dims).to_vec()
}
};
if !vector.is_empty() {
(*build_state.vectors).push((*ctid, vector));
}
}
let mut build_state = IvfBuildState {
vectors: &mut all_vectors as *mut Vec<(ItemPointerData, Vec<f32>)>,
};
pg_sys::table_index_build_scan(
heap,
index,
index_info,
true,
false,
Some(ivf_build_callback),
&mut build_state as *mut IvfBuildState as *mut ::std::os::raw::c_void,
std::ptr::null_mut(),
);
pgrx::info!("IVFFlat v2: Collected {} vectors from heap", all_vectors.len());
// Set dimensions from first vector
if !all_vectors.is_empty() {
meta.dimensions = all_vectors[0].1.len() as u32;
}
// Sample vectors for training
let training_sample: Vec<Vec<f32>> = all_vectors.iter()
.take(10000.min(all_vectors.len()))
.map(|(_, v)| v.clone())
.collect();
pgrx::info!("IVFFlat v2: Training with {} samples, {} lists",
training_sample.len(), lists);
@ -1020,17 +1244,17 @@ unsafe extern "C" fn ivfflat_ambuild(
meta.min_list_size = *list_sizes.iter().filter(|&&s| s > 0).min().unwrap_or(&0) as u32;
meta.health_score = (meta.calculate_health() * 1000.0) as u32;
// Write metadata page
// Write initial metadata page
write_meta_page(index, &meta);
// Write centroids
let centroid_entries: Vec<(CentroidEntry, Vec<f32>)> = centroids
// Write centroids first (to reserve pages)
let centroid_entries_temp: Vec<(CentroidEntry, Vec<f32>)> = centroids
.iter()
.enumerate()
.map(|(i, c)| {
(CentroidEntry {
cluster_id: i as u32,
list_start_page: 0, // Will be filled later
list_start_page: 0, // Will be updated after writing lists
list_page_count: 0,
vector_count: cluster_lists.get(i).map(|l| l.len()).unwrap_or(0) as u32,
distance_sum: 0.0,
@ -1039,15 +1263,59 @@ unsafe extern "C" fn ivfflat_ambuild(
})
.collect();
let lists_start = write_centroids(
let lists_start_page = write_centroids(
index,
&centroid_entries,
&centroid_entries_temp,
meta.centroid_start_page,
meta.dimensions as usize,
);
// Update metadata with lists start page
meta.lists_start_page = lists_start;
// Write inverted lists for each cluster
pgrx::info!("IVFFlat v2: Writing inverted lists for {} clusters", n_clusters);
let mut list_info: Vec<(u32, u32)> = Vec::with_capacity(n_clusters);
let mut total_vectors_written = 0u64;
for (cluster_id, entries) in cluster_lists.iter().enumerate() {
let (start_page, page_count) = write_inverted_list(
index,
cluster_id as u32,
entries,
meta.dimensions as usize,
quantization,
);
list_info.push((start_page, page_count));
total_vectors_written += entries.len() as u64;
}
pgrx::info!("IVFFlat v2: Written {} vectors to inverted lists", total_vectors_written);
// Re-write centroids with correct list_start_page values
let centroid_entries_final: Vec<(CentroidEntry, Vec<f32>)> = centroids
.iter()
.enumerate()
.map(|(i, c)| {
let (start_page, page_count) = list_info.get(i).copied().unwrap_or((0, 0));
(CentroidEntry {
cluster_id: i as u32,
list_start_page: start_page,
list_page_count: page_count,
vector_count: cluster_lists.get(i).map(|l| l.len()).unwrap_or(0) as u32,
distance_sum: 0.0,
reserved: 0,
}, c.clone())
})
.collect();
// Overwrite centroids with updated list_start_page values
rewrite_centroids(
index,
&centroid_entries_final,
meta.centroid_start_page,
meta.dimensions as usize,
);
// Update metadata
meta.lists_start_page = lists_start_page;
meta.trained = 1;
meta.vector_count = all_vectors.len() as u64;
write_meta_page(index, &meta);
@ -1241,7 +1509,7 @@ unsafe extern "C" fn ivfflat_amrescan(
orderbys: ScanKey,
norderbys: ::std::os::raw::c_int,
) {
pgrx::debug1!("IVFFlat v2: Rescan");
pgrx::debug1!("IVFFlat v2: Rescan (norderbys={})", norderbys);
let state = (*scan).opaque as *mut IvfFlatScanState;
if state.is_null() {
@ -1255,10 +1523,40 @@ unsafe extern "C" fn ivfflat_amrescan(
// Extract query vector from ORDER BY
if norderbys > 0 && !orderbys.is_null() {
// TODO: Extract query vector from scan key
// The ORDER BY operator's argument contains the query vector
let orderby = &*orderbys;
let datum = orderby.sk_argument;
// Calculate adaptive probes if enabled
// Extract RuVector from datum using FromDatum trait
if let Some(vector) = RuVector::from_polymorphic_datum(
datum,
false, // not null
pg_sys::InvalidOid,
) {
(*state).query = vector.as_slice().to_vec();
pgrx::debug1!(
"IVFFlat v2: Extracted query vector with {} dimensions",
(*state).query.len()
);
} else {
// Fallback: try to interpret as raw pointer to varlena
let raw_ptr = datum.cast_mut_ptr::<pg_sys::varlena>();
if !raw_ptr.is_null() {
let detoasted = pg_sys::pg_detoast_datum(raw_ptr);
if !detoasted.is_null() {
// Read dimensions and data from varlena
let data_ptr = pgrx::varlena::vardata_any(detoasted as *const _) as *const u8;
let dimensions = std::ptr::read_unaligned(data_ptr as *const u16) as usize;
let f32_ptr = data_ptr.add(4) as *const f32;
(*state).query = std::slice::from_raw_parts(f32_ptr, dimensions).to_vec();
pgrx::debug1!(
"IVFFlat v2: Extracted query vector (fallback) with {} dimensions",
dimensions
);
}
}
}
// Calculate adaptive probes if query was extracted
if !(*state).query.is_empty() {
let query_norm = vector_norm(&(*state).query);
(*state).probes = compute_adaptive_probes(

193
crates/ruvector-postgres/src/tenancy/isolation.rs
View file

@ -14,6 +14,10 @@ use pgrx::prelude::*;
use serde::{Deserialize, Serialize};
use super::registry::{IsolationLevel, TenantConfig, TenantError, get_registry};
use super::validation::{
validate_tenant_id, validate_identifier, quote_identifier,
escape_string_literal, safe_partition_name, safe_schema_name, ValidationError
};
/// Partition configuration for tenant
#[derive(Debug, Clone, Serialize, Deserialize)]
@ -118,7 +122,17 @@ impl IsolationManager {
table_name: &str,
tenant_column: &str,
) -> Result<String, IsolationError> {
// Generate SQL for RLS setup
// Validate identifiers to prevent SQL injection
validate_identifier(table_name)
.map_err(|e| IsolationError::SqlError(format!("Invalid table name: {}", e)))?;
validate_identifier(tenant_column)
.map_err(|e| IsolationError::SqlError(format!("Invalid column name: {}", e)))?;
// Use quoted identifiers for safety
let quoted_table = quote_identifier(table_name);
let quoted_column = quote_identifier(tenant_column);
// Generate SQL for RLS setup with quoted identifiers
let sql = format!(
r#"
-- Enable RLS on the table
@ -145,8 +159,8 @@ CREATE POLICY ruvector_admin_wildcard ON {table}
FOR SELECT
USING (current_setting('ruvector.tenant_id', true) = '*');
"#,
table = table_name,
column = tenant_column
table = quoted_table,
column = quoted_column
);
self.rls_tables.insert(table_name.to_string(), tenant_column.to_string());
@ -174,15 +188,19 @@ CREATE POLICY ruvector_admin_wildcard ON {table}
tenant_id: &str,
parent_table: &str,
) -> Result<PartitionConfig, IsolationError> {
let partition_name = format!(
"{}_{}",
parent_table,
tenant_id.replace('-', "_").replace('.', "_")
);
// Validate inputs to prevent SQL injection
validate_tenant_id(tenant_id)
.map_err(|e| IsolationError::SqlError(format!("Invalid tenant ID: {}", e)))?;
validate_identifier(parent_table)
.map_err(|e| IsolationError::SqlError(format!("Invalid table name: {}", e)))?;
// Generate safe partition name
let partition_name = safe_partition_name(tenant_id, parent_table)
.map_err(|e| IsolationError::SqlError(format!("Invalid partition name: {}", e)))?;
let config = PartitionConfig {
tenant_id: tenant_id.to_string(),
partition_name: partition_name.clone(),
partition_name,
parent_table: parent_table.to_string(),
partition_key: tenant_id.to_string(),
created_at: chrono_now_millis(),
@ -199,6 +217,12 @@ CREATE POLICY ruvector_admin_wildcard ON {table}
/// Generate SQL for creating a partition
pub fn generate_partition_sql(&self, config: &PartitionConfig) -> String {
// Use quoted identifiers for safety
let quoted_partition = quote_identifier(&config.partition_name);
let quoted_parent = quote_identifier(&config.parent_table);
let escaped_tenant_id = escape_string_literal(&config.partition_key);
let safe_index_name = format!("idx_{}_vec", config.partition_name);
format!(
r#"
-- Create partition for tenant
@ -206,12 +230,13 @@ CREATE TABLE IF NOT EXISTS {partition} PARTITION OF {parent}
FOR VALUES IN ('{tenant_id}');
-- Create indexes on partition
CREATE INDEX IF NOT EXISTS idx_{partition}_vec
CREATE INDEX IF NOT EXISTS {index_name}
ON {partition} USING ruhnsw (vec vector_cosine_ops);
"#,
partition = config.partition_name,
parent = config.parent_table,
tenant_id = config.partition_key
partition = quoted_partition,
parent = quoted_parent,
tenant_id = escaped_tenant_id,
index_name = quote_identifier(&safe_index_name)
)
}
@ -225,12 +250,29 @@ CREATE INDEX IF NOT EXISTS idx_{partition}_vec
/// Drop partition for a tenant
pub fn drop_partition(&self, tenant_id: &str, partition_name: &str) -> Result<String, IsolationError> {
// Validate inputs to prevent SQL injection
validate_tenant_id(tenant_id)
.map_err(|e| IsolationError::SqlError(format!("Invalid tenant ID: {}", e)))?;
validate_identifier(partition_name)
.map_err(|e| IsolationError::SqlError(format!("Invalid partition name: {}", e)))?;
// Verify partition belongs to this tenant (security check)
let partition_exists = self.partitions
.get(tenant_id)
.map(|partitions| partitions.iter().any(|p| p.partition_name == partition_name))
.unwrap_or(false);
if !partition_exists {
return Err(IsolationError::PartitionNotFound(partition_name.to_string()));
}
// Remove from tracking
if let Some(mut partitions) = self.partitions.get_mut(tenant_id) {
partitions.retain(|p| p.partition_name != partition_name);
}
Ok(format!("DROP TABLE IF EXISTS {} CASCADE;", partition_name))
// Use quoted identifier for safety
Ok(format!("DROP TABLE IF EXISTS {} CASCADE;", quote_identifier(partition_name)))
}
// =========================================================================
@ -242,14 +284,17 @@ CREATE INDEX IF NOT EXISTS idx_{partition}_vec
&self,
tenant_id: &str,
) -> Result<DedicatedSchemaConfig, IsolationError> {
let schema_name = format!(
"tenant_{}",
tenant_id.replace('-', "_").replace('.', "_")
);
// Validate tenant ID to prevent SQL injection
validate_tenant_id(tenant_id)
.map_err(|e| IsolationError::SqlError(format!("Invalid tenant ID: {}", e)))?;
// Generate safe schema name
let schema_name = safe_schema_name(tenant_id)
.map_err(|e| IsolationError::SqlError(format!("Invalid schema name: {}", e)))?;
let config = DedicatedSchemaConfig {
tenant_id: tenant_id.to_string(),
schema_name: schema_name.clone(),
schema_name,
tables: Vec::new(),
indexes: Vec::new(),
created_at: chrono_now_millis(),
@ -262,6 +307,11 @@ CREATE INDEX IF NOT EXISTS idx_{partition}_vec
/// Generate SQL for creating dedicated schema
pub fn generate_schema_sql(&self, config: &DedicatedSchemaConfig) -> String {
// Use quoted identifiers for safety
let quoted_schema = quote_identifier(&config.schema_name);
let index_name = format!("idx_{}_embeddings_vec", config.schema_name);
let quoted_index = quote_identifier(&index_name);
format!(
r#"
-- Create dedicated schema for tenant
@ -271,7 +321,7 @@ CREATE SCHEMA IF NOT EXISTS {schema};
-- (Application should SET search_path = {schema}, public;)
-- Create embeddings table in tenant schema
CREATE TABLE IF NOT EXISTS {schema}.embeddings (
CREATE TABLE IF NOT EXISTS {schema}."embeddings" (
id BIGSERIAL PRIMARY KEY,
content TEXT,
vec vector(1536),
@ -280,15 +330,16 @@ CREATE TABLE IF NOT EXISTS {schema}.embeddings (
);
-- Create HNSW index
CREATE INDEX IF NOT EXISTS idx_{schema}_embeddings_vec
ON {schema}.embeddings USING ruhnsw (vec vector_cosine_ops);
CREATE INDEX IF NOT EXISTS {index_name}
ON {schema}."embeddings" USING ruhnsw (vec vector_cosine_ops);
-- Grant usage to tenant role
GRANT USAGE ON SCHEMA {schema} TO ruvector_users;
GRANT ALL ON ALL TABLES IN SCHEMA {schema} TO ruvector_users;
GRANT ALL ON ALL SEQUENCES IN SCHEMA {schema} TO ruvector_users;
"#,
schema = config.schema_name
schema = quoted_schema,
index_name = quoted_index
)
}
@ -319,6 +370,10 @@ GRANT ALL ON ALL SEQUENCES IN SCHEMA {schema} TO ruvector_users;
/// Drop dedicated schema
pub fn drop_dedicated_schema(&self, tenant_id: &str, cascade: bool) -> Result<String, IsolationError> {
// Validate tenant ID
validate_tenant_id(tenant_id)
.map_err(|e| IsolationError::SqlError(format!("Invalid tenant ID: {}", e)))?;
let config = self.dedicated_schemas
.remove(tenant_id)
.map(|(_, v)| v)
@ -326,9 +381,10 @@ GRANT ALL ON ALL SEQUENCES IN SCHEMA {schema} TO ruvector_users;
let cascade_clause = if cascade { "CASCADE" } else { "RESTRICT" };
// Use quoted identifier for safety
Ok(format!(
"DROP SCHEMA IF EXISTS {} {};",
config.schema_name, cascade_clause
quote_identifier(&config.schema_name), cascade_clause
))
}
@ -446,19 +502,37 @@ GRANT ALL ON ALL SEQUENCES IN SCHEMA {schema} TO ruvector_users;
// =========================================================================
/// Get the appropriate table/schema for a tenant's query
///
/// Returns a QueryRoute that uses parameterized placeholders ($1) instead of
/// directly interpolating tenant_id values to prevent SQL injection.
pub fn route_query(&self, tenant_id: &str, base_table: &str) -> QueryRoute {
// Validate tenant_id to prevent SQL injection even when using parameterized queries
// This provides defense-in-depth
if validate_tenant_id(tenant_id).is_err() {
// Invalid tenant_id - return a safe filter that will match nothing
return QueryRoute::SharedWithFilter {
table: base_table.to_string(),
filter: "false".to_string(), // Safe - matches nothing
tenant_param: None,
};
}
let config = match get_registry().get(tenant_id) {
Some(c) => c,
None => return QueryRoute::SharedWithFilter {
table: base_table.to_string(),
filter: format!("tenant_id = '{}'", tenant_id),
// Use parameterized query placeholder - caller must bind tenant_id
filter: "tenant_id = $1".to_string(),
tenant_param: Some(tenant_id.to_string()),
},
};
match config.isolation_level {
IsolationLevel::Shared => QueryRoute::SharedWithFilter {
table: base_table.to_string(),
filter: format!("tenant_id = '{}'", tenant_id),
// Use parameterized query placeholder
filter: "tenant_id = $1".to_string(),
tenant_param: Some(tenant_id.to_string()),
},
IsolationLevel::Partition => {
// Check if partition exists
@ -471,10 +545,11 @@ GRANT ALL ON ALL SEQUENCES IN SCHEMA {schema} TO ruvector_users;
};
}
}
// Fall back to shared with filter
// Fall back to shared with filter (parameterized)
QueryRoute::SharedWithFilter {
table: base_table.to_string(),
filter: format!("tenant_id = '{}'", tenant_id),
filter: "tenant_id = $1".to_string(),
tenant_param: Some(tenant_id.to_string()),
}
}
IsolationLevel::Dedicated => {
@ -485,10 +560,11 @@ GRANT ALL ON ALL SEQUENCES IN SCHEMA {schema} TO ruvector_users;
table: base_table.to_string(),
};
}
// Fall back to shared with filter
// Fall back to shared with filter (parameterized)
QueryRoute::SharedWithFilter {
table: base_table.to_string(),
filter: format!("tenant_id = '{}'", tenant_id),
filter: "tenant_id = $1".to_string(),
tenant_param: Some(tenant_id.to_string()),
}
}
}
@ -505,9 +581,15 @@ impl Default for IsolationManager {
#[derive(Debug, Clone)]
pub enum QueryRoute {
/// Use shared table with tenant filter (RLS handles this automatically)
///
/// The filter uses parameterized query placeholders ($1) for safety.
/// The tenant_param contains the actual value to bind.
SharedWithFilter {
table: String,
/// SQL filter clause using $1 placeholder for tenant_id
filter: String,
/// The tenant_id value to bind to $1 (None if filter is static like "false")
tenant_param: Option<String>,
},
/// Use dedicated partition table
Partition {
@ -526,17 +608,40 @@ impl QueryRoute {
match self {
Self::SharedWithFilter { table, .. } => table.clone(),
Self::Partition { partition_table } => partition_table.clone(),
Self::DedicatedSchema { schema, table } => format!("{}.{}", schema, table),
Self::DedicatedSchema { schema, table } => {
format!("{}.{}", quote_identifier(schema), quote_identifier(table))
}
}
}
/// Get additional WHERE clause if needed
/// Get additional WHERE clause if needed (parameterized)
///
/// Returns the filter clause and the parameter value to bind.
/// The filter uses $1 placeholder for the tenant_id.
pub fn where_clause(&self) -> Option<String> {
match self {
Self::SharedWithFilter { filter, .. } => Some(filter.clone()),
_ => None,
}
}
/// Get the tenant parameter value to bind to $1
pub fn tenant_param(&self) -> Option<String> {
match self {
Self::SharedWithFilter { tenant_param, .. } => tenant_param.clone(),
_ => None,
}
}
/// Get WHERE clause and parameter together for convenience
pub fn where_clause_with_param(&self) -> Option<(String, Option<String>)> {
match self {
Self::SharedWithFilter { filter, tenant_param, .. } => {
Some((filter.clone(), tenant_param.clone()))
}
_ => None,
}
}
}
/// Isolation operation errors
@ -621,16 +726,34 @@ mod tests {
let manager = IsolationManager::new();
// Default routing (no config) should use shared with filter
let route = manager.route_query("unknown-tenant", "embeddings");
let route = manager.route_query("unknown_tenant", "embeddings");
match route {
QueryRoute::SharedWithFilter { table, filter } => {
QueryRoute::SharedWithFilter { table, filter, tenant_param } => {
assert_eq!(table, "embeddings");
assert!(filter.contains("unknown-tenant"));
// Filter should use parameterized placeholder
assert_eq!(filter, "tenant_id = $1");
// Tenant param should contain the tenant_id
assert_eq!(tenant_param, Some("unknown_tenant".to_string()));
}
_ => panic!("Expected SharedWithFilter"),
}
}
#[test]
fn test_query_routing_invalid_tenant() {
let manager = IsolationManager::new();
// Invalid tenant_id should return safe "false" filter
let route = manager.route_query("'; DROP TABLE users;--", "embeddings");
match route {
QueryRoute::SharedWithFilter { filter, tenant_param, .. } => {
assert_eq!(filter, "false");
assert!(tenant_param.is_none());
}
_ => panic!("Expected SharedWithFilter with false filter"),
}
}
#[test]
fn test_rls_tracking() {
let manager = IsolationManager::new();

11
crates/ruvector-postgres/src/tenancy/mod.rs
View file

@ -30,6 +30,7 @@ pub mod isolation;
pub mod quotas;
pub mod rls;
pub mod operations;
pub mod validation;
// Re-export main types
pub use registry::{
@ -70,6 +71,16 @@ pub use operations::{
TenantStats,
get_tenant_stats,
};
pub use validation::{
validate_tenant_id,
validate_identifier,
sanitize_for_identifier,
quote_identifier,
escape_string_literal,
safe_partition_name,
safe_schema_name,
ValidationError,
};
use pgrx::prelude::*;
use pgrx::JsonB;

94
crates/ruvector-postgres/src/tenancy/operations.rs
View file

@ -12,6 +12,7 @@ use super::isolation::{QueryRoute, get_isolation_manager};
use super::quotas::{QuotaResult, get_quota_manager};
use super::registry::{TenantConfig, TenantError, get_registry};
use super::rls::RlsManager;
use super::validation::{escape_string_literal, validate_tenant_id, validate_ip_address};
/// Result of a tenant-aware operation
#[derive(Debug, Clone)]
@ -56,7 +57,7 @@ impl<T> OperationResult<T> {
/// Tenant context for operations
#[derive(Debug, Clone)]
pub struct TenantContext {
/// Tenant ID
/// Tenant ID (validated)
pub tenant_id: String,
/// Tenant configuration
pub config: TenantConfig,
@ -66,6 +67,24 @@ pub struct TenantContext {
pub is_admin: bool,
}
/// Represents a validated tenant ID
#[derive(Debug, Clone)]
pub struct ValidatedTenantId(String);
impl ValidatedTenantId {
/// Create a new validated tenant ID
pub fn new(tenant_id: &str) -> Result<Self, TenantError> {
validate_tenant_id(tenant_id)
.map_err(|e| TenantError::InvalidId(format!("{}", e)))?;
Ok(Self(tenant_id.to_string()))
}
/// Get the tenant ID as a string
pub fn as_str(&self) -> &str {
&self.0
}
}
impl TenantContext {
/// Get current tenant context from GUC
pub fn current() -> Result<Self, TenantError> {
@ -80,6 +99,7 @@ impl TenantContext {
route: QueryRoute::SharedWithFilter {
table: "".to_string(),
filter: "true".to_string(), // No filter for admin
tenant_param: None, // Admin doesn't need tenant param
},
is_admin: true,
});
@ -509,20 +529,78 @@ impl AuditLogEntry {
self
}
/// Generate SQL to insert this audit entry
/// Generate SQL to insert this audit entry (parameterized version)
///
/// Returns the SQL with $1-$7 placeholders and the parameter values to bind.
/// This prevents SQL injection by using parameterized queries.
pub fn insert_sql_parameterized(&self) -> (String, Vec<Option<String>>) {
let sql = r#"
INSERT INTO ruvector.tenant_audit_log (tenant_id, operation, user_id, details, ip_address, success, error)
VALUES ($1, $2, $3, $4, $5, $6, $7)
"#.to_string();
let params = vec![
Some(self.tenant_id.clone()),
Some(self.operation.clone()),
self.user_id.clone(),
Some(serde_json::to_string(&self.details).unwrap_or_else(|_| "{}".to_string())),
// Only include IP if it's a valid IP address (defense in depth)
self.ip_address.as_ref().and_then(|ip| {
if validate_ip_address(ip) { Some(ip.clone()) } else { None }
}),
Some(self.success.to_string()),
self.error.clone(),
];
(sql, params)
}
/// Generate SQL to insert this audit entry (legacy - properly escaped)
///
/// Note: Prefer `insert_sql_parameterized()` for new code.
/// This method properly escapes all values but parameterized queries are safer.
pub fn insert_sql(&self) -> String {
// Validate tenant_id format
if validate_tenant_id(&self.tenant_id).is_err() {
// Log the attempt but don't execute with invalid tenant_id
return "SELECT 1 WHERE false".to_string(); // No-op query
}
// Escape all string values
let escaped_tenant_id = escape_string_literal(&self.tenant_id);
let escaped_operation = escape_string_literal(&self.operation);
let escaped_user_id = self.user_id.as_ref()
.map(|u| format!("'{}'", escape_string_literal(u)))
.unwrap_or_else(|| "NULL".to_string());
let escaped_details = escape_string_literal(
&serde_json::to_string(&self.details).unwrap_or_else(|_| "{}".to_string())
);
let escaped_ip = self.ip_address.as_ref()
.and_then(|ip| {
// Only include if valid IP format
if validate_ip_address(ip) {
Some(format!("'{}'", escape_string_literal(ip)))
} else {
None
}
})
.unwrap_or_else(|| "NULL".to_string());
let escaped_error = self.error.as_ref()
.map(|e| format!("'{}'", escape_string_literal(e)))
.unwrap_or_else(|| "NULL".to_string());
format!(
r#"
INSERT INTO ruvector.tenant_audit_log (tenant_id, operation, user_id, details, ip_address, success, error)
VALUES ('{}', '{}', {}, '{}', {}, {}, {})
"#,
self.tenant_id,
self.operation,
self.user_id.as_ref().map(|u| format!("'{}'", u)).unwrap_or("NULL".to_string()),
serde_json::to_string(&self.details).unwrap_or("{}".to_string()),
self.ip_address.as_ref().map(|ip| format!("'{}'", ip)).unwrap_or("NULL".to_string()),
escaped_tenant_id,
escaped_operation,
escaped_user_id,
escaped_details,
escaped_ip,
self.success,
self.error.as_ref().map(|e| format!("'{}'", e)).unwrap_or("NULL".to_string())
escaped_error
)
}
}

3
crates/ruvector-postgres/src/tenancy/registry.rs
View file

@ -541,6 +541,8 @@ pub enum TenantError {
QuotaExceeded(String, String),
/// Tenant mismatch (security violation)
TenantMismatch { context: String, request: String },
/// Invalid tenant ID format (validation error)
InvalidId(String),
}
impl std::fmt::Display for TenantError {
@ -559,6 +561,7 @@ impl std::fmt::Display for TenantError {
Self::TenantMismatch { context, request } => {
write!(f, "Tenant mismatch: context='{}', request='{}'", context, request)
}
Self::InvalidId(msg) => write!(f, "Invalid tenant ID: {}", msg),
}
}
}

363
crates/ruvector-postgres/src/tenancy/validation.rs Normal file
View file

@ -0,0 +1,363 @@
//! Input Validation for Multi-Tenancy Security
//!
//! Provides strict validation for tenant IDs, table names, and other identifiers
//! to prevent SQL injection attacks.
use std::fmt;
/// Maximum length for tenant IDs
pub const MAX_TENANT_ID_LENGTH: usize = 64;
/// Maximum length for identifiers (tables, schemas, partitions)
pub const MAX_IDENTIFIER_LENGTH: usize = 63; // PostgreSQL limit
/// Validation error types
#[derive(Debug, Clone, PartialEq, Eq)]
pub enum ValidationError {
/// Identifier is empty
Empty,
/// Identifier is too long
TooLong { max: usize, actual: usize },
/// Identifier contains invalid characters
InvalidCharacters { position: usize, char: char },
/// Identifier doesn't start with a valid character
InvalidStart { char: char },
/// Identifier is a reserved word
ReservedWord(String),
}
impl fmt::Display for ValidationError {
fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
match self {
Self::Empty => write!(f, "Identifier cannot be empty"),
Self::TooLong { max, actual } => {
write!(f, "Identifier too long: {} chars (max {})", actual, max)
}
Self::InvalidCharacters { position, char } => {
write!(f, "Invalid character '{}' at position {}", char, position)
}
Self::InvalidStart { char } => {
write!(f, "Identifier cannot start with '{}'", char)
}
Self::ReservedWord(word) => {
write!(f, "Cannot use reserved word: {}", word)
}
}
}
}
impl std::error::Error for ValidationError {}
/// Reserved PostgreSQL words that cannot be used as identifiers
const RESERVED_WORDS: &[&str] = &[
"select", "insert", "update", "delete", "drop", "create", "alter", "grant",
"revoke", "table", "schema", "index", "cascade", "restrict", "null", "true",
"false", "and", "or", "not", "in", "exists", "between", "like", "is", "as",
"from", "where", "order", "by", "group", "having", "limit", "offset", "join",
"inner", "outer", "left", "right", "cross", "on", "using", "union", "except",
"intersect", "all", "distinct", "case", "when", "then", "else", "end", "cast",
"coalesce", "nullif", "primary", "key", "foreign", "references", "unique",
"check", "default", "constraint", "trigger", "function", "procedure", "view",
"sequence", "type", "domain", "role", "user", "database", "tablespace",
"extension", "operator", "policy", "rule", "security", "definer", "invoker",
];
/// Validate a tenant ID
///
/// Tenant IDs must:
/// - Be 1-64 characters long
/// - Start with a letter or underscore
/// - Contain only letters, numbers, underscores, and hyphens
/// - Not be a reserved SQL keyword
///
/// # Examples
///
/// ```
/// use ruvector_postgres::tenancy::validation::validate_tenant_id;
///
/// assert!(validate_tenant_id("acme-corp").is_ok());
/// assert!(validate_tenant_id("tenant_123").is_ok());
/// assert!(validate_tenant_id("DROP TABLE users;--").is_err());
/// ```
pub fn validate_tenant_id(tenant_id: &str) -> Result<(), ValidationError> {
// Check empty
if tenant_id.is_empty() {
return Err(ValidationError::Empty);
}
// Check length
if tenant_id.len() > MAX_TENANT_ID_LENGTH {
return Err(ValidationError::TooLong {
max: MAX_TENANT_ID_LENGTH,
actual: tenant_id.len(),
});
}
// Check first character (must be letter or underscore)
let first_char = tenant_id.chars().next().unwrap();
if !first_char.is_ascii_alphabetic() && first_char != '_' {
return Err(ValidationError::InvalidStart { char: first_char });
}
// Check all characters
for (i, c) in tenant_id.chars().enumerate() {
if !is_valid_identifier_char(c) && c != '-' {
return Err(ValidationError::InvalidCharacters { position: i, char: c });
}
}
// Check reserved words (lowercase comparison)
let lower = tenant_id.to_lowercase();
if RESERVED_WORDS.contains(&lower.as_str()) {
return Err(ValidationError::ReservedWord(tenant_id.to_string()));
}
Ok(())
}
/// Validate a SQL identifier (table name, schema name, column name)
///
/// Identifiers must:
/// - Be 1-63 characters long (PostgreSQL limit)
/// - Start with a letter or underscore
/// - Contain only letters, numbers, and underscores
/// - Not be a reserved SQL keyword
pub fn validate_identifier(identifier: &str) -> Result<(), ValidationError> {
// Check empty
if identifier.is_empty() {
return Err(ValidationError::Empty);
}
// Check length
if identifier.len() > MAX_IDENTIFIER_LENGTH {
return Err(ValidationError::TooLong {
max: MAX_IDENTIFIER_LENGTH,
actual: identifier.len(),
});
}
// Check first character (must be letter or underscore)
let first_char = identifier.chars().next().unwrap();
if !first_char.is_ascii_alphabetic() && first_char != '_' {
return Err(ValidationError::InvalidStart { char: first_char });
}
// Check all characters (stricter than tenant_id - no hyphens)
for (i, c) in identifier.chars().enumerate() {
if !is_valid_identifier_char(c) {
return Err(ValidationError::InvalidCharacters { position: i, char: c });
}
}
// Check reserved words (lowercase comparison)
let lower = identifier.to_lowercase();
if RESERVED_WORDS.contains(&lower.as_str()) {
return Err(ValidationError::ReservedWord(identifier.to_string()));
}
Ok(())
}
/// Check if a character is valid for SQL identifiers
#[inline]
fn is_valid_identifier_char(c: char) -> bool {
c.is_ascii_alphanumeric() || c == '_'
}
/// Sanitize a tenant ID for use in partition/schema names
///
/// Converts hyphens and dots to underscores, validates the result.
pub fn sanitize_for_identifier(input: &str) -> Result<String, ValidationError> {
// First validate the input as a tenant ID
validate_tenant_id(input)?;
// Convert to valid identifier format
let sanitized = input
.replace('-', "_")
.replace('.', "_");
// Validate the result as an identifier
validate_identifier(&sanitized)?;
Ok(sanitized)
}
/// Escape a string for use in SQL string literals
///
/// This function properly escapes single quotes by doubling them.
/// Use this only for string values, NOT for identifiers!
pub fn escape_string_literal(input: &str) -> String {
input.replace('\'', "''")
}
/// Quote an identifier for safe use in SQL
///
/// This function wraps the identifier in double quotes and escapes
/// any double quotes within it. This is the PostgreSQL-safe way to
/// use dynamic identifiers.
///
/// # Examples
///
/// ```
/// use ruvector_postgres::tenancy::validation::quote_identifier;
///
/// assert_eq!(quote_identifier("my_table"), "\"my_table\"");
/// assert_eq!(quote_identifier("weird\"name"), "\"weird\"\"name\"");
/// ```
pub fn quote_identifier(identifier: &str) -> String {
format!("\"{}\"", identifier.replace('"', "\"\""))
}
/// Validate and quote a partition name
///
/// Returns a safely quoted partition name or an error.
pub fn safe_partition_name(tenant_id: &str, parent_table: &str) -> Result<String, ValidationError> {
// Validate both inputs
validate_tenant_id(tenant_id)?;
validate_identifier(parent_table)?;
// Create sanitized partition name
let sanitized_tenant = sanitize_for_identifier(tenant_id)?;
let partition_name = format!("{}_{}", parent_table, sanitized_tenant);
// Validate the combined name
validate_identifier(&partition_name)?;
Ok(partition_name)
}
/// Validate and quote a schema name
pub fn safe_schema_name(tenant_id: &str) -> Result<String, ValidationError> {
validate_tenant_id(tenant_id)?;
let sanitized = sanitize_for_identifier(tenant_id)?;
let schema_name = format!("tenant_{}", sanitized);
validate_identifier(&schema_name)?;
Ok(schema_name)
}
/// Validate an IP address format (basic check)
pub fn validate_ip_address(ip: &str) -> bool {
// Allow IPv4 and IPv6
ip.parse::<std::net::IpAddr>().is_ok()
}
/// Sanitize an IP address or return None if invalid
pub fn sanitize_ip_address(ip: Option<&str>) -> Option<String> {
ip.and_then(|i| {
if validate_ip_address(i) {
Some(i.to_string())
} else {
None
}
})
}
#[cfg(test)]
mod tests {
use super::*;
#[test]
fn test_valid_tenant_ids() {
assert!(validate_tenant_id("acme-corp").is_ok());
assert!(validate_tenant_id("tenant_123").is_ok());
assert!(validate_tenant_id("my-tenant-id").is_ok());
assert!(validate_tenant_id("_private").is_ok());
assert!(validate_tenant_id("a").is_ok());
}
#[test]
fn test_invalid_tenant_ids() {
// Empty
assert!(matches!(validate_tenant_id(""), Err(ValidationError::Empty)));
// Too long
let long = "a".repeat(100);
assert!(matches!(validate_tenant_id(&long), Err(ValidationError::TooLong { .. })));
// Invalid start
assert!(matches!(validate_tenant_id("123tenant"), Err(ValidationError::InvalidStart { .. })));
assert!(matches!(validate_tenant_id("-tenant"), Err(ValidationError::InvalidStart { .. })));
// Invalid characters
assert!(matches!(validate_tenant_id("tenant'id"), Err(ValidationError::InvalidCharacters { .. })));
assert!(matches!(validate_tenant_id("tenant;drop"), Err(ValidationError::InvalidCharacters { .. })));
assert!(matches!(validate_tenant_id("tenant id"), Err(ValidationError::InvalidCharacters { .. })));
// Reserved words
assert!(matches!(validate_tenant_id("select"), Err(ValidationError::ReservedWord(_))));
assert!(matches!(validate_tenant_id("DROP"), Err(ValidationError::ReservedWord(_))));
}
#[test]
fn test_sql_injection_attempts() {
// Common SQL injection patterns
assert!(validate_tenant_id("'; DROP TABLE users;--").is_err());
assert!(validate_tenant_id("tenant' OR '1'='1").is_err());
assert!(validate_tenant_id("tenant\"; DELETE FROM").is_err());
assert!(validate_tenant_id("tenant$(whoami)").is_err());
assert!(validate_tenant_id("tenant`id`").is_err());
}
#[test]
fn test_valid_identifiers() {
assert!(validate_identifier("my_table").is_ok());
assert!(validate_identifier("embeddings").is_ok());
assert!(validate_identifier("_private_table").is_ok());
assert!(validate_identifier("table123").is_ok());
}
#[test]
fn test_invalid_identifiers() {
// Hyphens not allowed in identifiers
assert!(validate_identifier("my-table").is_err());
// Special characters
assert!(validate_identifier("my.table").is_err());
assert!(validate_identifier("my table").is_err());
}
#[test]
fn test_sanitize_for_identifier() {
assert_eq!(sanitize_for_identifier("acme-corp").unwrap(), "acme_corp");
assert_eq!(sanitize_for_identifier("my.tenant.id").unwrap(), "my_tenant_id");
assert_eq!(sanitize_for_identifier("simple").unwrap(), "simple");
}
#[test]
fn test_quote_identifier() {
assert_eq!(quote_identifier("my_table"), "\"my_table\"");
assert_eq!(quote_identifier("weird\"name"), "\"weird\"\"name\"");
assert_eq!(quote_identifier("UPPERCASE"), "\"UPPERCASE\"");
}
#[test]
fn test_escape_string_literal() {
assert_eq!(escape_string_literal("hello"), "hello");
assert_eq!(escape_string_literal("it's"), "it''s");
assert_eq!(escape_string_literal("O'Brien's"), "O''Brien''s");
}
#[test]
fn test_safe_partition_name() {
assert_eq!(safe_partition_name("acme-corp", "embeddings").unwrap(), "embeddings_acme_corp");
assert!(safe_partition_name("'; DROP TABLE", "embeddings").is_err());
}
#[test]
fn test_safe_schema_name() {
assert_eq!(safe_schema_name("acme-corp").unwrap(), "tenant_acme_corp");
assert!(safe_schema_name("'; DROP SCHEMA").is_err());
}
#[test]
fn test_validate_ip_address() {
assert!(validate_ip_address("192.168.1.1"));
assert!(validate_ip_address("10.0.0.1"));
assert!(validate_ip_address("::1"));
assert!(validate_ip_address("2001:db8::1"));
assert!(!validate_ip_address("not-an-ip"));
assert!(!validate_ip_address("192.168.1.256"));
assert!(!validate_ip_address("'; DROP TABLE"));
}
}