postgres/v2: Matcher implementation

Signed-off-by: Hank Donnay <[email protected]>

Author: hdonnay

datastore/postgres/v2/matcher_v1.go

@@ -1,9 +1,121 @@
 package postgres
 
+import (
+	"context"
+	"fmt"
+	"sync/atomic"
+
+	"github.com/google/uuid"
+	"github.com/jackc/pgx/v5"
+	"github.com/jackc/pgx/v5/pgxpool"
+	"github.com/jackc/pgx/v5/stdlib"
+	"github.com/quay/zlog"
+	"github.com/remind101/migrate"
+	"go.opentelemetry.io/otel/attribute"
+	"go.opentelemetry.io/otel/trace"
+
+	"github.com/quay/claircore/datastore"
+	"github.com/quay/claircore/datastore/postgres/migrations"
+)
+
+func NewMatcher(ctx context.Context, cfg *pgxpool.Config, opt ...MatcherOption) (*MatcherV1, error) {
+	const prefix = `matcher`
+	var mCfg matcherConfig
+	for _, o := range opt {
+		mCfg = o.matcherConfig(mCfg)
+	}
+
+	if mCfg.Migrations {
+		cfg := cfg.ConnConfig.Copy()
+		cfg.DefaultQueryExecMode = pgx.QueryExecModeExec
+		err := func() error {
+			db := stdlib.OpenDB(*cfg)
+			defer db.Close()
+			migrator := migrate.NewPostgresMigrator(db)
+			migrator.Table = migrations.MatcherMigrationTable
+			err := migrator.Exec(migrate.Up, migrations.MatcherMigrations...)
+			if err != nil {
+				return fmt.Errorf("failed to perform migrations: %w", err)
+			}
+			return nil
+		}()
+		if err != nil {
+			return nil, err
+		}
+	}
+	var s MatcherV1
+	if err := s.init(ctx, cfg, prefix); err != nil {
+		return nil, err
+
+	}
+	return &s, nil
+}
+
 type MatcherOption interface {
 	matcherConfig(matcherConfig) matcherConfig
 }
 
 type matcherConfig struct {
 	Migrations bool
 }
+
+// MatcherV1 implements all interfaces in the vulnstore package
+type MatcherV1 struct {
+	storeCommon
+	// Initialized is used as an atomic bool for tracking initialization.
+	initialized uint32
+}
+
+var _ datastore.MatcherV1 = (*MatcherV1)(nil)
+
+// DeleteUpdateOperations implements [datastore.MatcherV1Updater].
+func (s *MatcherV1) DeleteUpdateOperations(ctx context.Context, id ...uuid.UUID) (int64, error) {
+	const query = `DELETE FROM update_operation WHERE ref = ANY($1::uuid[]);`
+	ctx = zlog.ContextWithValues(ctx, "component", "internal/vulnstore/postgres/deleteUpdateOperations")
+	if len(id) == 0 {
+		return 0, nil
+	}
+
+	// Pgx seems unwilling to do the []uuid.UUID → uuid[] conversion, so we're
+	// forced to make some garbage here.
+	refStr := make([]string, len(id))
+	for i := range id {
+		refStr[i] = id[i].String()
+	}
+	tag, err := s.pool.Exec(ctx, query, refStr)
+	if err != nil {
+		return 0, fmt.Errorf("failed to delete: %w", err)
+	}
+	return tag.RowsAffected(), nil
+}
+
+// Initialized implements [datastore.MatcherV1].
+func (s *MatcherV1) Initialized(ctx context.Context) (ok bool, err error) {
+	ctx, done := s.method(ctx, &err)
+	defer done()
+	span := trace.SpanFromContext(ctx)
+	ok = atomic.LoadUint32(&s.initialized) != 0
+	span.AddEvent(`loaded`, trace.WithAttributes(attribute.Bool("value", ok)))
+	if ok {
+		return true, nil
+	}
+
+	err = s.pool.AcquireFunc(ctx, s.acquire(ctx, `initialized`, func(ctx context.Context, c *pgxpool.Conn, query string) error {
+		return c.QueryRow(ctx, query).Scan(&ok)
+	}))
+	if err != nil {
+		return false, err
+	}
+
+	span.AddEvent(`initialized`, trace.WithAttributes(attribute.Bool("value", ok)))
+	// There were no rows when we looked, so report that. Don't update the bool,
+	// because it's in the 'false' state or another goroutine has read from the
+	// database and will want to swap in 'true'.
+	if !ok {
+		return false, nil
+	}
+	// If this fails, it means a concurrent goroutine already swapped. Any
+	// subsequent calls will see the 'true' value.
+	atomic.CompareAndSwapUint32(&s.initialized, 0, 1)
+	return true, nil
+}

datastore/postgres/v2/matcher_v1_enrichment.go

@@ -0,0 +1,152 @@
+package postgres
+
+import (
+	"context"
+	"crypto/md5"
+	"errors"
+	"fmt"
+	"io"
+	"sort"
+
+	"github.com/google/uuid"
+	"github.com/jackc/pgx/v5"
+	"github.com/jackc/pgx/v5/pgxpool"
+	"github.com/quay/zlog"
+
+	"github.com/quay/claircore/libvuln/driver"
+)
+
+// UpdateEnrichments creates a new UpdateOperation, inserts the provided
+// EnrichmentRecord(s), and ensures enrichments from previous updates are not
+// queried by clients.
+func (s *MatcherV1) UpdateEnrichments(ctx context.Context, name string, fp driver.Fingerprint, es []driver.EnrichmentRecord) (_ uuid.UUID, err error) {
+	ctx, done := s.method(ctx, &err)
+	defer done()
+
+	type digestPair struct {
+		Kind   string
+		Digest []byte
+	}
+	hashes := make([]digestPair, len(es))
+	func() {
+		_, span := tracer.Start(ctx, `doHashes`)
+		defer span.End()
+		for i := range es {
+			hashes[i].Kind, hashes[i].Digest = hashEnrichment(&es[i])
+		}
+	}()
+
+	var ref uuid.UUID
+	err = pgx.BeginTxFunc(ctx, s.pool, txRW, s.tx(ctx, `UpdateEnrichments`, func(ctx context.Context, tx pgx.Tx) (err error) {
+		var id uint64
+		err = pgx.BeginFunc(ctx, tx, s.call(ctx, `create`, func(ctx context.Context, tx pgx.Tx, query string) error {
+			if err := tx.QueryRow(ctx, query, name, string(fp)).Scan(&id, &ref); err != nil {
+				return err
+			}
+			return nil
+		}))
+		if err != nil {
+			return fmt.Errorf("unable to create enrichment update operation: %w", err)
+		}
+		zlog.Debug(ctx).
+			Str("ref", ref.String()).
+			Msg("update_operation created")
+
+		err = pgx.BeginFunc(ctx, tx, s.call(ctx, `insert`, func(ctx context.Context, tx pgx.Tx, query string) error {
+			var batch pgx.Batch
+			for i := range es {
+				batch.Queue(query, hashes[i].Kind, hashes[i].Digest, name, es[i].Tags, es[i].Enrichment)
+			}
+			res := tx.SendBatch(ctx, &batch)
+			defer res.Close()
+			for range es {
+				if _, err := res.Exec(); err != nil {
+					return err
+				}
+			}
+			return nil
+		}))
+		if err != nil {
+			return fmt.Errorf("unable to insert enrichments: %w", err)
+		}
+
+		err = pgx.BeginFunc(ctx, tx, s.call(ctx, `associate`, func(ctx context.Context, tx pgx.Tx, query string) error {
+			var batch pgx.Batch
+			for i := range es {
+				batch.Queue(query, hashes[i].Kind, hashes[i].Digest, name, id)
+			}
+			res := tx.SendBatch(ctx, &batch)
+			defer res.Close()
+			for range es {
+				if _, err := res.Exec(); err != nil {
+					return err
+				}
+			}
+			return nil
+		}))
+		if err != nil {
+			return fmt.Errorf("unable to associate enrichments: %w", err)
+		}
+
+		return nil
+	}))
+	if err != nil {
+		return uuid.Nil, err
+	}
+
+	zlog.Debug(ctx).
+		Stringer("ref", ref).
+		Int("inserted", len(es)).
+		Msg("update_operation committed")
+
+	_ = s.pool.AcquireFunc(ctx, s.acquire(ctx, `refresh`, func(ctx context.Context, c *pgxpool.Conn, query string) error {
+		if _, err := c.Exec(ctx, query); err != nil {
+			// TODO(hank) Log?
+			return fmt.Errorf("unable to refresh update operations view: %w", err)
+		}
+		return nil
+	}))
+
+	return ref, nil
+}
+
+func hashEnrichment(r *driver.EnrichmentRecord) (k string, d []byte) {
+	h := md5.New()
+	sort.Strings(r.Tags)
+	for _, t := range r.Tags {
+		io.WriteString(h, t)
+		h.Write([]byte("\x00"))
+	}
+	h.Write(r.Enrichment)
+	return "md5", h.Sum(nil)
+}
+
+func (s *MatcherV1) GetEnrichment(ctx context.Context, name string, tags []string) (res []driver.EnrichmentRecord, err error) {
+	ctx, done := s.method(ctx, &err)
+	defer done()
+
+	res = make([]driver.EnrichmentRecord, 0, 8) // Guess at capacity.
+	err = pgx.BeginTxFunc(ctx, s.pool, txRO, s.call(ctx, `get`, func(ctx context.Context, tx pgx.Tx, query string) (err error) {
+		rows, err := tx.Query(ctx, query, name, tags)
+		if err != nil {
+			return err
+		}
+		for rows.Next() {
+			i := len(res)
+			res = append(res, driver.EnrichmentRecord{})
+			r := &res[i]
+			if err := rows.Scan(&r.Tags, &r.Enrichment); err != nil {
+				return err
+			}
+		}
+		return rows.Err()
+	}))
+	switch {
+	case errors.Is(err, nil):
+	case errors.Is(err, pgx.ErrNoRows):
+		return nil, nil
+	default:
+		return nil, err
+	}
+	return res, nil
+}

datastore/postgres/v2/matcher_v1_gc.go

@@ -0,0 +1,111 @@
+package postgres
+
+import (
+	"context"
+
+	"github.com/google/uuid"
+	"github.com/jackc/pgx/v5"
+	"github.com/quay/zlog"
+	"go.opentelemetry.io/otel/attribute"
+	"go.opentelemetry.io/otel/trace"
+)
+
+// GCThrottle sets a limit for the number of deleted update operations (and
+// subsequent cascade deletes in the uo_vuln table) that can occur in a GC run.
+const GCThrottle = 50
+
+// GC performs garbage collection on tables in the Matcher store.
+//
+// GC is split into two phases, first it will identify any update operations
+// which are older then the provided keep value and delete these.
+//
+// Next it will perform updater-based deletions of any vulnerabilities from the
+// vuln table which are not longer referenced by update operations.
+//
+// The GC is throttled to not overload the database with CASCADE deletes. If a
+// full GC is required, run this method until the returned value is 0.
+func (s *MatcherV1) GC(ctx context.Context, keep int) (_ int64, err error) {
+	ctx, done := s.method(ctx, &err)
+	defer done()
+	var (
+		total   int64
+		deleted int64
+	)
+
+	err = pgx.BeginTxFunc(ctx, s.pool, txRW, s.tx(ctx, `GC`, func(ctx context.Context, tx pgx.Tx) error {
+		var ops []uuid.UUID
+		span := trace.SpanFromContext(ctx)
+
+		err = pgx.BeginFunc(ctx, tx, s.call(ctx, `eligible`, func(ctx context.Context, tx pgx.Tx, query string) (err error) {
+			rows, err := tx.Query(ctx, query, keep+1, keep)
+			if err != nil {
+				return err
+			}
+			tmp, err := pgx.CollectRows(rows, pgx.RowTo[[]uuid.UUID])
+			if err != nil {
+				return err
+			}
+			for _, t := range tmp {
+				ops = append(ops, t...)
+			}
+			return nil
+		}))
+		if err != nil {
+			return err
+		}
+
+		total = int64(len(ops))
+		switch {
+		case len(ops) > GCThrottle:
+			ops = ops[:GCThrottle]
+		case len(ops) == 0:
+			return nil
+		}
+		span.SetAttributes(attribute.Int64("total", total), attribute.Int("ops", len(ops)))
+
+		err = pgx.BeginFunc(ctx, tx, s.call(ctx, `delete_ops`, func(ctx context.Context, tx pgx.Tx, query string) error {
+			tag, err := s.pool.Exec(ctx, query, ops)
+			deleted = tag.RowsAffected()
+			return err
+		}))
+		if err != nil {
+			return err
+		}
+
+		var updaters []string
+		err = pgx.BeginFunc(ctx, tx, s.call(ctx, `distinct`, func(ctx context.Context, tx pgx.Tx, query string) (err error) {
+			rows, err := tx.Query(ctx, query)
+			if err != nil {
+				return err
+			}
+			updaters, err = pgx.CollectRows(rows, pgx.RowTo[string])
+			return err
+		}))
+		if err != nil {
+			return err
+		}
+
+		for _, u := range updaters {
+			err = pgx.BeginFunc(ctx, tx, s.call(ctx, `orphaned`, func(ctx context.Context, tx pgx.Tx, query string) (err error) {
+				ctx = zlog.ContextWithValues(ctx, "updater", u)
+				trace.SpanFromContext(ctx).SetAttributes(attribute.String("updater", u))
+				zlog.Debug(ctx).
+					Msg("clean up start")
+				zlog.Debug(ctx).Msg("clean up done")
+
+				_, err = tx.Exec(ctx, query, u)
+				return err
+			}))
+			if err != nil {
+				return err
+			}
+		}
+
+		return nil
+	}))
+	if err != nil {
+		return 0, err
+	}
+
+	return total - deleted, nil
+}