botserver/src/basic/keywords/find.rs

use super::table_access::{check_table_access, filter_fields_by_role, AccessType, UserRoles};
use crate::security::sql_guard::sanitize_identifier;
use crate::shared::models::UserSession;
use crate::shared::state::AppState;
use crate::shared::utils;
use crate::shared::utils::to_array;
use diesel::pg::PgConnection;
use diesel::prelude::*;
use diesel::sql_types::Text;
use log::{error, trace, warn};
use rhai::Dynamic;
use rhai::Engine;
use serde_json::{json, Value};

#[derive(QueryableByName)]
struct JsonRow {
    #[diesel(sql_type = Text)]
    row_data: String,
}

pub fn find_keyword(state: &AppState, user: UserSession, engine: &mut Engine) {
    let connection = state.conn.clone();
    let user_roles = UserRoles::from_user_session(&user);

    engine
        .register_custom_syntax(["FIND", "$expr$", ",", "$expr$"], false, {
            move |context, inputs| {
                let table_name = context.eval_expression_tree(&inputs[0])?;
                let filter = context.eval_expression_tree(&inputs[1])?;
                let mut binding = connection.get().map_err(|e| format!("DB error: {e}"))?;
                let binding2 = table_name.to_string();
                let binding3 = filter.to_string();

                let access_info = match check_table_access(
                    &mut binding,
                    &binding2,
                    &user_roles,
                    AccessType::Read,
                ) {
                    Ok(info) => info,
                    Err(e) => {
                        warn!("FIND access denied: {e}");
                        return Err(e.into());
                    }
                };

                let result = tokio::task::block_in_place(|| {
                    tokio::runtime::Handle::current()
                        .block_on(async { execute_find(&mut binding, &binding2, &binding3) })
                })
                .map_err(|e| format!("DB error: {e}"))?;

                if let Some(results) = result.get("results") {
                    let filtered =
                        filter_fields_by_role(results.clone(), &user_roles, &access_info);
                    let array = to_array(utils::json_value_to_dynamic(&filtered));
                    Ok(Dynamic::from(array))
                } else {
                    Err("No results".into())
                }
            }
        })
        .expect("valid syntax registration");
}

pub fn execute_find(
    conn: &mut PgConnection,
    table_str: &str,
    filter_str: &str,
) -> Result<Value, String> {
    trace!(
        "Starting execute_find with table: {table_str}, filter: {filter_str}"
    );

    let safe_table = sanitize_identifier(table_str);

    let (where_clause, params) = utils::parse_filter(filter_str).map_err(|e| e.to_string())?;

    let query = format!(
        "SELECT row_to_json(t)::text as row_data FROM (SELECT * FROM {safe_table} WHERE {where_clause} LIMIT 10) t"
    );

    let raw_results: Vec<JsonRow> = if params.is_empty() {
        diesel::sql_query(&query)
            .load(conn)
            .map_err(|e| {
                error!("SQL execution error: {e}");
                e.to_string()
            })?
    } else {
        diesel::sql_query(&query)
            .bind::<Text, _>(&params[0])
            .load(conn)
            .map_err(|e| {
                error!("SQL execution error: {e}");
                e.to_string()
            })?
    };

    let results: Vec<Value> = raw_results
        .into_iter()
        .filter_map(|row| serde_json::from_str(&row.row_data).ok())
        .collect();

    Ok(json!({
        "command": "find",
        "table": table_str,
        "filter": filter_str,
        "results": results,
        "count": results.len()
    }))
}
App generator LLM-only, app logs, knowledge base, web search, designer magic 2025-12-28 11:50:50 -03:00			`use super::table_access::{check_table_access, filter_fields_by_role, AccessType, UserRoles};`
Fix 5 errors and 32 warnings: calendar, compliance, billing_alert_broadcast, unused vars 2026-01-13 22:21:25 -03:00			`use crate::security::sql_guard::sanitize_identifier;`
refactor: simplify UI panels, use pooled DB, add --noui flag - Removed unused `id` and `app_state` fields from `ChatPanel`; updated constructor to accept but ignore the state, reducing memory footprint. - Switched database access in `ChatPanel` from a raw `Mutex` lock to a connection pool (`app_state.conn.get()`), improving concurrency and error handling. - Reordered and cleaned up imports in `status_panel.rs` and formatted struct fields for readability. - Updated VS Code launch configuration to pass `--noui` argument, enabling headless mode for debugging. - Bumped several crate versions in `Cargo.lock` (e.g., `bitflags` to 2.10.0, `syn` to 2.0.108, `cookie` to 0.16.2) and added the new `ashpd` dependency, aligning the project with latest library releases. 2025-11-11 09:42:52 -03:00			`use crate::shared::models::UserSession;`
			`use crate::shared::state::AppState;`
			`use crate::shared::utils;`
			`use crate::shared::utils::to_array;`
- main.rs is compiling again. 2025-10-11 20:02:14 -03:00			`use diesel::pg::PgConnection;`
- Remove all compilation errors. 2025-10-11 12:29:03 -03:00			`use diesel::prelude::*;`
Fix 5 errors and 32 warnings: calendar, compliance, billing_alert_broadcast, unused vars 2026-01-13 22:21:25 -03:00			`use diesel::sql_types::Text;`
App generator LLM-only, app logs, knowledge base, web search, designer magic 2025-12-28 11:50:50 -03:00			`use log::{error, trace, warn};`
Migration to Rust and free from Azure. 2025-10-06 10:30:17 -03:00			`use rhai::Dynamic;`
			`use rhai::Engine;`
			`use serde_json::{json, Value};`
Fix 5 errors and 32 warnings: calendar, compliance, billing_alert_broadcast, unused vars 2026-01-13 22:21:25 -03:00
			`#[derive(QueryableByName)]`
			`struct JsonRow {`
			`#[diesel(sql_type = Text)]`
			`row_data: String,`
			`}`

App generator LLM-only, app logs, knowledge base, web search, designer magic 2025-12-28 11:50:50 -03:00			`pub fn find_keyword(state: &AppState, user: UserSession, engine: &mut Engine) {`
refactor(state): rename resource clients and improve keyword syntax Updated references from `redis_client`, `s3_client`, and `custom_conn` to unified names `cache`, `drive`, and `conn` for consistency across modules. Adjusted `add_suggestion_keyword` to use clearer parameter naming and enhanced custom syntax registration for better readability and maintainability. 2025-11-01 20:53:45 -03:00			`let connection = state.conn.clone();`
App generator LLM-only, app logs, knowledge base, web search, designer magic 2025-12-28 11:50:50 -03:00			`let user_roles = UserRoles::from_user_session(&user);`

- main.rs is compiling again. 2025-10-11 20:02:14 -03:00			`engine`
Fix clippy warnings: match arms, async/await, Debug impls, formatting - Fix match arms with identical bodies by consolidating patterns - Fix case-insensitive file extension comparisons using eq_ignore_ascii_case - Fix unnecessary Debug formatting in log/format macros - Fix clone_from usage instead of clone assignment - Fix let...else patterns where appropriate - Fix format! append to String using write! macro - Fix unwrap_or with function calls to use unwrap_or_else - Add missing fields to manual Debug implementations - Fix duplicate code in if blocks - Add type aliases for complex types - Rename struct fields to avoid common prefixes - Various other clippy warning fixes Note: Some 'unused async' warnings remain for functions that are called with .await but don't contain await internally - these are kept async for API compatibility. 2025-12-26 08:59:25 -03:00			`.register_custom_syntax(["FIND", "$expr$", ",", "$expr$"], false, {`
- main.rs is compiling again. 2025-10-11 20:02:14 -03:00			`move \|context, inputs\| {`
			`let table_name = context.eval_expression_tree(&inputs[0])?;`
			`let filter = context.eval_expression_tree(&inputs[1])?;`
Fix 5 errors and 32 warnings: calendar, compliance, billing_alert_broadcast, unused vars 2026-01-13 22:21:25 -03:00			`let mut binding = connection.get().map_err(\|e\| format!("DB error: {e}"))?;`
- main.rs is compiling again. 2025-10-11 20:02:14 -03:00			`let binding2 = table_name.to_string();`
			`let binding3 = filter.to_string();`
App generator LLM-only, app logs, knowledge base, web search, designer magic 2025-12-28 11:50:50 -03:00
			`let access_info = match check_table_access(`
			`&mut binding,`
			`&binding2,`
			`&user_roles,`
			`AccessType::Read,`
			`) {`
			`Ok(info) => info,`
			`Err(e) => {`
Fix 5 errors and 32 warnings: calendar, compliance, billing_alert_broadcast, unused vars 2026-01-13 22:21:25 -03:00			`warn!("FIND access denied: {e}");`
App generator LLM-only, app logs, knowledge base, web search, designer magic 2025-12-28 11:50:50 -03:00			`return Err(e.into());`
			`}`
			`};`

- main.rs is compiling again. 2025-10-11 20:02:14 -03:00			`let result = tokio::task::block_in_place(\|\| {`
			`tokio::runtime::Handle::current()`
Fix clippy warnings: match arms, async/await, Debug impls, formatting - Fix match arms with identical bodies by consolidating patterns - Fix case-insensitive file extension comparisons using eq_ignore_ascii_case - Fix unnecessary Debug formatting in log/format macros - Fix clone_from usage instead of clone assignment - Fix let...else patterns where appropriate - Fix format! append to String using write! macro - Fix unwrap_or with function calls to use unwrap_or_else - Add missing fields to manual Debug implementations - Fix duplicate code in if blocks - Add type aliases for complex types - Rename struct fields to avoid common prefixes - Various other clippy warning fixes Note: Some 'unused async' warnings remain for functions that are called with .await but don't contain await internally - these are kept async for API compatibility. 2025-12-26 08:59:25 -03:00			`.block_on(async { execute_find(&mut binding, &binding2, &binding3) })`
- main.rs is compiling again. 2025-10-11 20:02:14 -03:00			`})`
Fix 5 errors and 32 warnings: calendar, compliance, billing_alert_broadcast, unused vars 2026-01-13 22:21:25 -03:00			`.map_err(\|e\| format!("DB error: {e}"))?;`
App generator LLM-only, app logs, knowledge base, web search, designer magic 2025-12-28 11:50:50 -03:00
- main.rs is compiling again. 2025-10-11 20:02:14 -03:00			`if let Some(results) = result.get("results") {`
App generator LLM-only, app logs, knowledge base, web search, designer magic 2025-12-28 11:50:50 -03:00			`let filtered =`
			`filter_fields_by_role(results.clone(), &user_roles, &access_info);`
			`let array = to_array(utils::json_value_to_dynamic(&filtered));`
- main.rs is compiling again. 2025-10-11 20:02:14 -03:00			`Ok(Dynamic::from(array))`
			`} else {`
			`Err("No results".into())`
			`}`
Migration to Rust and free from Azure. 2025-10-06 10:30:17 -03:00			`}`
- main.rs is compiling again. 2025-10-11 20:02:14 -03:00			`})`
feat(security): Complete security infrastructure implementation SECURITY MODULES ADDED: - security/auth.rs: Full RBAC with roles (Anonymous, User, Moderator, Admin, SuperAdmin, Service, Bot, BotOwner, BotOperator, BotViewer) and permissions - security/cors.rs: Hardened CORS (no wildcard in production, env-based config) - security/panic_handler.rs: Panic catching middleware with safe 500 responses - security/path_guard.rs: Path traversal protection, null byte prevention - security/request_id.rs: UUID request tracking with correlation IDs - security/error_sanitizer.rs: Sensitive data redaction from responses - security/zitadel_auth.rs: Zitadel token introspection and role mapping - security/sql_guard.rs: SQL injection prevention with table whitelist - security/command_guard.rs: Command injection prevention - security/secrets.rs: Zeroizing secret management - security/validation.rs: Input validation utilities - security/rate_limiter.rs: Rate limiting with governor crate - security/headers.rs: Security headers (CSP, HSTS, X-Frame-Options) MAIN.RS UPDATES: - Replaced tower_http::cors::Any with hardened create_cors_layer() - Added panic handler middleware - Added request ID tracking middleware - Set global panic hook SECURITY STATUS: - 0 unwrap() in production code - 0 panic! in production code - 0 unsafe blocks - cargo audit: PASS (no vulnerabilities) - Estimated completion: ~98% Remaining: Wire auth middleware to handlers, audit logs for sensitive data 2025-12-28 19:29:18 -03:00			`.expect("valid syntax registration");`
Migration to Rust and free from Azure. 2025-10-06 10:30:17 -03:00			`}`
Fix 5 errors and 32 warnings: calendar, compliance, billing_alert_broadcast, unused vars 2026-01-13 22:21:25 -03:00
Fix clippy warnings: match arms, async/await, Debug impls, formatting - Fix match arms with identical bodies by consolidating patterns - Fix case-insensitive file extension comparisons using eq_ignore_ascii_case - Fix unnecessary Debug formatting in log/format macros - Fix clone_from usage instead of clone assignment - Fix let...else patterns where appropriate - Fix format! append to String using write! macro - Fix unwrap_or with function calls to use unwrap_or_else - Add missing fields to manual Debug implementations - Fix duplicate code in if blocks - Add type aliases for complex types - Rename struct fields to avoid common prefixes - Various other clippy warning fixes Note: Some 'unused async' warnings remain for functions that are called with .await but don't contain await internally - these are kept async for API compatibility. 2025-12-26 08:59:25 -03:00			`pub fn execute_find(`
- main.rs is compiling again. 2025-10-11 20:02:14 -03:00			`conn: &mut PgConnection,`
Migration to Rust and free from Azure. 2025-10-06 10:30:17 -03:00			`table_str: &str,`
			`filter_str: &str,`
			`) -> Result<Value, String> {`
refactor: simplify UI panels, use pooled DB, add --noui flag - Removed unused `id` and `app_state` fields from `ChatPanel`; updated constructor to accept but ignore the state, reducing memory footprint. - Switched database access in `ChatPanel` from a raw `Mutex` lock to a connection pool (`app_state.conn.get()`), improving concurrency and error handling. - Reordered and cleaned up imports in `status_panel.rs` and formatted struct fields for readability. - Updated VS Code launch configuration to pass `--noui` argument, enabling headless mode for debugging. - Bumped several crate versions in `Cargo.lock` (e.g., `bitflags` to 2.10.0, `syn` to 2.0.108, `cookie` to 0.16.2) and added the new `ashpd` dependency, aligning the project with latest library releases. 2025-11-11 09:42:52 -03:00			`trace!(`
Fix 5 errors and 32 warnings: calendar, compliance, billing_alert_broadcast, unused vars 2026-01-13 22:21:25 -03:00			`"Starting execute_find with table: {table_str}, filter: {filter_str}"`
Migration to Rust and free from Azure. 2025-10-06 10:30:17 -03:00			`);`
Fix 5 errors and 32 warnings: calendar, compliance, billing_alert_broadcast, unused vars 2026-01-13 22:21:25 -03:00
			`let safe_table = sanitize_identifier(table_str);`

- main.rs is compiling again. 2025-10-11 20:02:14 -03:00			`let (where_clause, params) = utils::parse_filter(filter_str).map_err(\|e\| e.to_string())?;`
Fix 5 errors and 32 warnings: calendar, compliance, billing_alert_broadcast, unused vars 2026-01-13 22:21:25 -03:00
Migration to Rust and free from Azure. 2025-10-06 10:30:17 -03:00			`let query = format!(`
Fix 5 errors and 32 warnings: calendar, compliance, billing_alert_broadcast, unused vars 2026-01-13 22:21:25 -03:00			`"SELECT row_to_json(t)::text as row_data FROM (SELECT * FROM {safe_table} WHERE {where_clause} LIMIT 10) t"`
Migration to Rust and free from Azure. 2025-10-06 10:30:17 -03:00			`);`
Fix 5 errors and 32 warnings: calendar, compliance, billing_alert_broadcast, unused vars 2026-01-13 22:21:25 -03:00
			`let raw_results: Vec<JsonRow> = if params.is_empty() {`
			`diesel::sql_query(&query)`
			`.load(conn)`
			`.map_err(\|e\| {`
			`error!("SQL execution error: {e}");`
			`e.to_string()`
			`})?`
			`} else {`
			`diesel::sql_query(&query)`
			`.bind::<Text, _>(&params[0])`
			`.load(conn)`
			`.map_err(\|e\| {`
			`error!("SQL execution error: {e}");`
			`e.to_string()`
			`})?`
			`};`

			`let results: Vec<Value> = raw_results`
			`.into_iter()`
			`.filter_map(\|row\| serde_json::from_str(&row.row_data).ok())`
			`.collect();`

Migration to Rust and free from Azure. 2025-10-06 10:30:17 -03:00			`Ok(json!({`
Fix 5 errors and 32 warnings: calendar, compliance, billing_alert_broadcast, unused vars 2026-01-13 22:21:25 -03:00			`"command": "find",`
			`"table": table_str,`
			`"filter": filter_str,`
			`"results": results,`
			`"count": results.len()`
Migration to Rust and free from Azure. 2025-10-06 10:30:17 -03:00			`}))`
			`}`