diff --git a/.gitignore b/.gitignore
index 9a7926300..c7465b27d 100644
--- a/.gitignore
+++ b/.gitignore
@@ -10,7 +10,7 @@
 !/Pipfile.lock
 !/pytest.ini
 !/setup.py
-!/sqitch.conf
+!/sqitch.template.conf
 !/wsgi.py
 # and these directories
diff --git a/schema/deploy/roles/reporter/revoke-select-on-receiving-consensus-genome.sql b/schema/deploy/roles/reporter/revoke-select-on-receiving-consensus-genome.sql
new file mode 100644
index 000000000..923464305
--- /dev/null
+++ b/schema/deploy/roles/reporter/revoke-select-on-receiving-consensus-genome.sql
@@ -0,0 +1,7 @@
+-- Deploy seattleflu/schema:roles/reporter/revoke-select-on-receiving-consensus-genome to pg
+
+begin;
+
+revoke select on receiving.consensus_genome from reporter;
+
+commit;
diff --git a/schema/deploy/roles/reporter/revoke-select-on-receiving-sequence-read-set.sql b/schema/deploy/roles/reporter/revoke-select-on-receiving-sequence-read-set.sql
new file mode 100644
index 000000000..2177b3666
--- /dev/null
+++ b/schema/deploy/roles/reporter/revoke-select-on-receiving-sequence-read-set.sql
@@ -0,0 +1,7 @@
+-- Deploy seattleflu/schema:roles/reporter/revoke-select-on-receiving-sequence-read-set to pg
+
+begin;
+
+revoke select on receiving.sequence_read_set from reporter;
+
+commit;
diff --git a/schema/deploy/shipping/views.sql b/schema/deploy/shipping/views.sql
index 68e87c803..d7bbbda75 100644
--- a/schema/deploy/shipping/views.sql
+++ b/schema/deploy/shipping/views.sql
@@ -14,7 +14,7 @@ begin;
 -- there needs to be a lag between view development and consumers being
 -- updated, copy the view definition into v2 and make changes there.
 
-create or replace view shipping.presence_absence_result_v1 as
+create or replace view shipping.presence_absence_result_v1 with (security_invoker = true) as
 
 select sample.identifier as sample,
 target.identifier as target,
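Review bot: Adding `with (security_invoker = true)` to `shipping.presence_absence_result_v1` makes PostgreSQL check each caller's own privileges (and the new RLS policy on `warehouse.sample`) instead of the view owner's, so the `grant select ... to "incidence-modeler"` further down the file (visible in the views@2023-07-27.sql copy) is no longer sufficient by itself: that role also needs select on the underlying warehouse tables, and this diff shows no such grants, though they may already exist. The same applies to the v2 hunk at `@@ -39,7 +39,7 @@`. The option also requires PostgreSQL 15 or later, which nothing in the change records; a comment above the view such as `-- security_invoker (PostgreSQL 15+): runs as the caller so warehouse RLS applies; callers need select on warehouse.sample, presence_absence, target and organism` would capture both constraints. No change to schema/verify/shipping/views.sql appears in this diff, so the verify step still checks only that the views exist and not that the option is set, which `pg_class.reloptions` would allow.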
@@ -39,7 +39,7 @@ grant select
 to "incidence-modeler";
 
 
-create or replace view shipping.presence_absence_result_v2 as
+create or replace view shipping.presence_absence_result_v2 with (security_invoker = true) as
 
 select sample.identifier as sample,
 target.identifier as target,
diff --git a/schema/deploy/shipping/views@2023-07-27.sql b/schema/deploy/shipping/views@2023-07-27.sql
new file mode 100644
index 000000000..68e87c803
--- /dev/null
+++ b/schema/deploy/shipping/views@2023-07-27.sql
@@ -0,0 +1,67 @@
+-- Deploy seattleflu/schema:shipping/views to pg
+-- requires: shipping/schema
+-- requires: functions/array_distinct
+
+-- Hello! All shipping views are defined here. Rework this change with Sqitch
+-- to change a view definition or add new views. This workflow helps keep
+-- inter-view dependencies manageable.
+
+begin;
+
+-- This view is versioned as a hedge against future changes. Changing this
+-- view in place is fine as long as changes are backwards compatible. Think of
+-- the version number as the major part of a semantic versioning scheme. If
+-- there needs to be a lag between view development and consumers being
+-- updated, copy the view definition into v2 and make changes there.
+
+create or replace view shipping.presence_absence_result_v1 as
+
+ select sample.identifier as sample,
+ target.identifier as target,
+ present,
+ organism.lineage as organism
+
+ from warehouse.sample
+ join warehouse.presence_absence using (sample_id)
+ join warehouse.target using (target_id)
+ left join warehouse.organism using (organism_id)
+ where target.control = false;
+
+comment on view shipping.presence_absence_result_v1 is
+ 'View of warehoused presence-absence results for modeling and viz teams';
+
+revoke all
+ on shipping.presence_absence_result_v1
+ from "incidence-modeler";
+
+grant select
+ on shipping.presence_absence_result_v1
+ to "incidence-modeler";
+
+
+create or replace view shipping.presence_absence_result_v2 as
+
+ select sample.identifier as sample,
+ target.identifier as target,
+ present,
+ organism.lineage as organism,
+ presence_absence.details as details
+
+ from warehouse.sample
+ join warehouse.presence_absence using (sample_id)
+ join warehouse.target using (target_id)
+ left join warehouse.organism using (organism_id)
+ where target.control = false;
+
+comment on view shipping.presence_absence_result_v2 is
+ 'View of warehoused presence-absence results for modeling and viz teams';
+
+revoke all
+ on shipping.presence_absence_result_v2
+ from "incidence-modeler";
+
+grant select
+ on shipping.presence_absence_result_v2
+ to "incidence-modeler";
+
+commit;
diff --git a/schema/deploy/warehouse/consensus-genome/access-role-rls.sql b/schema/deploy/warehouse/consensus-genome/access-role-rls.sql
new file mode 100644
index 000000000..fe0cf2f28
--- /dev/null
+++ b/schema/deploy/warehouse/consensus-genome/access-role-rls.sql
@@ -0,0 +1,17 @@
+-- Deploy seattleflu/schema:warehouse/consensus-genome/access-role-rls to pg
+
+begin;
+
+alter table warehouse.consensus_genome
+ add access_role regrole;
+
+create policy consensus_genome_rls
+ on warehouse.consensus_genome
+ for all
+ to public
+ using (access_role is null or pg_has_role(current_user, access_role, 'usage'));
+
+alter table warehouse.consensus_genome
+ enable row level security;
+
+commit;
diff --git a/schema/deploy/warehouse/genomic-sequence/access-role-rls.sql b/schema/deploy/warehouse/genomic-sequence/access-role-rls.sql
new file mode 100644
index 000000000..f6db83c7b
--- /dev/null
+++ b/schema/deploy/warehouse/genomic-sequence/access-role-rls.sql
@@ -0,0 +1,17 @@
+-- Deploy seattleflu/schema:warehouse/genomic-sequence/access-role-rls to pg
+
+begin;
+
+alter table warehouse.genomic_sequence
+ add access_role regrole;
+
+create policy genomic_sequence_rls
+ on warehouse.genomic_sequence
+ for all
+ to public
+ using (access_role is null or pg_has_role(current_user, access_role, 'usage'));
+
+alter table warehouse.genomic_sequence
+ enable row level security;
+
+commit;
diff --git a/schema/deploy/warehouse/sample/access-role-rls.sql b/schema/deploy/warehouse/sample/access-role-rls.sql
new file mode 100644
index 000000000..1a0eea295
--- /dev/null
+++ b/schema/deploy/warehouse/sample/access-role-rls.sql
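Review bot: `create policy consensus_genome_rls` is activated with `enable row level security` but not `force row level security`, so the table owner (and any superuser) bypasses it entirely; if ingest or reporting connections run as the owner, `access_role` has no effect for them, and nothing in the change says which roles are expected to be subject to the policy. Because only `using` is given for a `for all` policy, the same expression also acts as the `with check` on inserts and updates, so a writer can only store `access_role` values it holds itself — presumably intended, but undocumented. `access_role regrole` stores a role OID, so dropping that role later leaves a dangling reference, and in my reading of the OID form `pg_has_role` then returns null rather than false, hiding those rows from every non-bypassing role. The same three points apply to the genomic_sequence, sample and sequence_read_set policies in this diff; a header comment on each such as `-- Rows with access_role set are visible only to holders of that role (pg_has_role ... 'usage'); owner/superuser bypass RLS (no FORCE); dropping the role hides its rows` would record the contract.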
@@ -0,0 +1,17 @@
+-- deploy seattleflu/schema:warehouse/sample/access-role-rls to pg
+
+begin;
+
+alter table warehouse.sample
+ add access_role regrole;
+
+create policy sample_rls
+ on warehouse.sample
+ for all
+ to public
+ using (access_role is null or pg_has_role(current_user, access_role, 'usage'));
+
+alter table warehouse.sample
+ enable row level security;
+
+commit;
diff --git a/schema/deploy/warehouse/sequence-read-set/access-role-rls.sql b/schema/deploy/warehouse/sequence-read-set/access-role-rls.sql
new file mode 100644
index 000000000..c11a52bcc
--- /dev/null
+++ b/schema/deploy/warehouse/sequence-read-set/access-role-rls.sql
@@ -0,0 +1,17 @@
+-- Deploy seattleflu/schema:warehouse/sequence-read-set/access-role-rls to pg
+
+begin;
+
+alter table warehouse.sequence_read_set
+ add access_role regrole;
+
+create policy sequence_read_set_rls
+ on warehouse.sequence_read_set
+ for all
+ to public
+ using (access_role is null or pg_has_role(current_user, access_role, 'usage'));
+
+alter table warehouse.sequence_read_set
+ enable row level security;
+
+commit;
diff --git a/schema/revert/roles/reporter/revoke-select-on-receiving-consensus-genome.sql b/schema/revert/roles/reporter/revoke-select-on-receiving-consensus-genome.sql
new file mode 100644
index 000000000..0d92dabba
--- /dev/null
+++ b/schema/revert/roles/reporter/revoke-select-on-receiving-consensus-genome.sql
@@ -0,0 +1,7 @@
+-- Revert seattleflu/schema:roles/reporter/revoke-select-on-receiving-consensus-genome from pg
+
+begin;
+
+grant select on receiving.consensus_genome to reporter;
+
+commit;
diff --git a/schema/revert/roles/reporter/revoke-select-on-receiving-sequence-read-set.sql b/schema/revert/roles/reporter/revoke-select-on-receiving-sequence-read-set.sql
new file mode 100644
index 000000000..06f6f8160
--- /dev/null
+++ b/schema/revert/roles/reporter/revoke-select-on-receiving-sequence-read-set.sql
@@ -0,0 +1,7 @@
+-- Revert seattleflu/schema:roles/reporter/revoke-select-on-receiving-sequence-read-set from pg
+
+begin;
+
+grant select on receiving.sequence_read_set to reporter;
+
+commit;
diff --git a/schema/revert/shipping/views.sql b/schema/revert/shipping/views.sql
index dc03ad179..68e87c803 100644
--- a/schema/revert/shipping/views.sql
+++ b/schema/revert/shipping/views.sql
@@ -38,10 +38,30 @@ grant select
 on shipping.presence_absence_result_v1
 to "incidence-modeler";
 
+
+create or replace view shipping.presence_absence_result_v2 as
+
+ select sample.identifier as sample,
+ target.identifier as target,
+ present,
+ organism.lineage as organism,
+ presence_absence.details as details
+
+ from warehouse.sample
+ join warehouse.presence_absence using (sample_id)
+ join warehouse.target using (target_id)
+ left join warehouse.organism using (organism_id)
+ where target.control = false;
+
+comment on view shipping.presence_absence_result_v2 is
+ 'View of warehoused presence-absence results for modeling and viz teams';
+
 revoke all
 on shipping.presence_absence_result_v2
 from "incidence-modeler";
 
-drop view shipping.presence_absence_result_v2;
+grant select
+ on shipping.presence_absence_result_v2
+ to "incidence-modeler";
 
 commit;
diff --git a/schema/revert/shipping/views@2023-07-27.sql b/schema/revert/shipping/views@2023-07-27.sql
new file mode 100644
index 000000000..dc03ad179
--- /dev/null
+++ b/schema/revert/shipping/views@2023-07-27.sql
@@ -0,0 +1,47 @@
+-- Deploy seattleflu/schema:shipping/views to pg
+-- requires: shipping/schema
+-- requires: functions/array_distinct
+
+-- Hello! All shipping views are defined here. Rework this change with Sqitch
+-- to change a view definition or add new views. This workflow helps keep
+-- inter-view dependencies manageable.
+
+begin;
+
+-- This view is versioned as a hedge against future changes. Changing this
+-- view in place is fine as long as changes are backwards compatible. Think of
+-- the version number as the major part of a semantic versioning scheme. If
+-- there needs to be a lag between view development and consumers being
+-- updated, copy the view definition into v2 and make changes there.
+
+create or replace view shipping.presence_absence_result_v1 as
+
+ select sample.identifier as sample,
+ target.identifier as target,
+ present,
+ organism.lineage as organism
+
+ from warehouse.sample
+ join warehouse.presence_absence using (sample_id)
+ join warehouse.target using (target_id)
+ left join warehouse.organism using (organism_id)
+ where target.control = false;
+
+comment on view shipping.presence_absence_result_v1 is
+ 'View of warehoused presence-absence results for modeling and viz teams';
+
+revoke all
+ on shipping.presence_absence_result_v1
+ from "incidence-modeler";
+
+grant select
+ on shipping.presence_absence_result_v1
+ to "incidence-modeler";
+
+revoke all
+ on shipping.presence_absence_result_v2
+ from "incidence-modeler";
+
+drop view shipping.presence_absence_result_v2;
+
+commit;
diff --git a/schema/revert/warehouse/consensus-genome/access-role-rls.sql b/schema/revert/warehouse/consensus-genome/access-role-rls.sql
new file mode 100644
index 000000000..23738f4bb
--- /dev/null
+++ b/schema/revert/warehouse/consensus-genome/access-role-rls.sql
@@ -0,0 +1,14 @@
+-- Revert seattleflu/schema:warehouse/consensus-genome/access-role-rls from pg
+
+begin;
+
+alter table warehouse.consensus_genome
+ disable row level security;
+
+drop policy consensus_genome_rls
+ on warehouse.consensus_genome;
+
+alter table warehouse.consensus_genome
+ drop column access_role;
+
+commit;
diff --git a/schema/revert/warehouse/genomic-sequence/access-role-rls.sql b/schema/revert/warehouse/genomic-sequence/access-role-rls.sql
new file mode 100644
index 000000000..6e955efc7
--- /dev/null
+++ b/schema/revert/warehouse/genomic-sequence/access-role-rls.sql
@@ -0,0 +1,14 @@
+-- Revert seattleflu/schema:warehouse/genomic-sequence/access-role-rls from pg
+
+begin;
+
+alter table warehouse.genomic_sequence
+ disable row level security;
+
+drop policy genomic_sequence_rls
+ on warehouse.genomic_sequence;
+
+alter table warehouse.genomic_sequence
+ drop column access_role;
+
+commit;
diff --git a/schema/revert/warehouse/sample/access-role-rls.sql b/schema/revert/warehouse/sample/access-role-rls.sql
new file mode 100644
index 000000000..477c186ce
--- /dev/null
+++ b/schema/revert/warehouse/sample/access-role-rls.sql
@@ -0,0 +1,14 @@
+-- Revert seattleflu/schema:warehouse/sample/access-role-rls from pg
+
+begin;
+
+alter table warehouse.sample
+ disable row level security;
+
+drop policy sample_rls
+ on warehouse.sample;
+
+alter table warehouse.sample
+ drop column access_role;
+
+commit;
diff --git a/schema/revert/warehouse/sequence-read-set/access-role-rls.sql b/schema/revert/warehouse/sequence-read-set/access-role-rls.sql
new file mode 100644
index 000000000..47bdf0d62
--- /dev/null
+++ b/schema/revert/warehouse/sequence-read-set/access-role-rls.sql
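Review bot: `drop column access_role` in this revert discards every per-row role assignment, so reverting and redeploying `warehouse/consensus-genome/access-role-rls` brings the table back with all rows unrestricted (a null `access_role` satisfies the policy), and the script gives no hint that it is lossy. A comment above the final `alter table ... drop column` such as `-- Destroys stored access_role values; a later redeploy will not restore per-row restrictions` would make that explicit, and the same applies to the genomic-sequence, sample and sequence-read-set reverts in this diff. The order used here (disable RLS, drop the policy, then drop the column) is correct since the policy expression references the column.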
@@ -0,0 +1,14 @@
+-- Revert seattleflu/schema:warehouse/sequence-read-set/access-role-rls from pg
+
+begin;
+
+alter table warehouse.sequence_read_set
+ disable row level security;
+
+drop policy sequence_read_set_rls
+ on warehouse.sequence_read_set;
+
+alter table warehouse.sequence_read_set
+ drop column access_role;
+
+commit;
diff --git a/schema/sqitch.plan b/schema/sqitch.plan
index 8a2901c5b..0fe568688 100644
--- a/schema/sqitch.plan
+++ b/schema/sqitch.plan
@@ -243,3 +243,15 @@ functions/mint_identifiers 2022-07-15T22:13:52Z Dave Reinhart #
 roles/identifier-minter/grants [roles/identifier-minter/grants@2022-07-25] 2022-07-28T19:05:20Z Dave Reinhart # Add execute permissions on mint_identifiers function to identiifer-minter
 @2022-07-28 2022-07-28T19:20:25Z Dave Reinhart # Schema as of 28 July 2022
+
+warehouse/sample/access-role-rls 2023-07-27T19:39:54Z Dave Reinhart # Add column to store role name; Implement row-level security on sample table
+warehouse/genomic-sequence/access-role-rls 2023-07-27T21:01:44Z Dave Reinhart # Add column to store role name; Implement row-level security on genomic_sequence table
+warehouse/consensus-genome/access-role-rls 2023-07-27T21:13:41Z Dave Reinhart # Add column to store role name; Implement row-level security on consensus_genome table
+warehouse/sequence-read-set/access-role-rls 2023-07-27T21:32:39Z Dave Reinhart # Add column to store role name; Implement row-level security on sequence_read_set table
+@2023-07-27 2023-07-27T21:44:39Z Dave Reinhart # Schema as of 27 July 2023
+shipping/views [shipping/views@2023-07-27] 2023-07-27T22:31:51Z Dave Reinhart # Add security invoker to shipping views for row-level security
+@2023-07-28 2023-07-27T22:41:52Z Dave Reinhart # Schema as of 28 July 2023
+
+roles/reporter/revoke-select-on-receiving-consensus-genome 2023-08-18T23:41:26Z Dave Reinhart # Revoke select permissions on receiving.consensus_genome from reporter.
+roles/reporter/revoke-select-on-receiving-sequence-read-set 2023-08-21T17:02:31Z Dave Reinhart # Revoke select permissions on receiving.sequence_read_set from reporter.
+@2023-08-21 2023-08-21T17:58:25Z Dave Reinhart # Schema as of 21 August 2023
diff --git a/schema/verify/roles/reporter/revoke-select-on-receiving-consensus-genome.sql b/schema/verify/roles/reporter/revoke-select-on-receiving-consensus-genome.sql
new file mode 100644
index 000000000..6ce6c4221
--- /dev/null
+++ b/schema/verify/roles/reporter/revoke-select-on-receiving-consensus-genome.sql
@@ -0,0 +1,7 @@
+-- Verify seattleflu/schema:roles/reporter/revoke-select-on-receiving-consensus-genome on pg
+
+begin;
+
+select 1/(not pg_catalog.has_table_privilege('reporter', 'receiving.consensus_genome', 'select'))::int;
+
+rollback;
diff --git a/schema/verify/roles/reporter/revoke-select-on-receiving-sequence-read-set.sql b/schema/verify/roles/reporter/revoke-select-on-receiving-sequence-read-set.sql
new file mode 100644
index 000000000..dc69e4004
--- /dev/null
+++ b/schema/verify/roles/reporter/revoke-select-on-receiving-sequence-read-set.sql
@@ -0,0 +1,7 @@
+-- Verify seattleflu/schema:roles/reporter/revoke-select-on-receiving-sequence-read-set on pg
+
+begin;
+
+select 1/(not pg_catalog.has_table_privilege('reporter', 'receiving.sequence_read_set', 'select'))::int;
+
+rollback;
diff --git a/schema/verify/shipping/views@2023-07-27.sql b/schema/verify/shipping/views@2023-07-27.sql
new file mode 100644
index 000000000..136e6fc7e
--- /dev/null
+++ b/schema/verify/shipping/views@2023-07-27.sql
@@ -0,0 +1,15 @@
+-- Verify seattleflu/schema:shipping/views on pg
+
+begin;
+
+select 1/(count(*) = 1)::int
+ from information_schema.views
+ where array[table_schema, table_name]::text[]
+ = pg_catalog.parse_ident('shipping.presence_absence_result_v1');
+
+select 1/(count(*) = 1)::int
+ from information_schema.views
+ where array[table_schema, table_name]::text[]
+ = pg_catalog.parse_ident('shipping.presence_absence_result_v2');
+
+rollback;
diff --git a/schema/verify/warehouse/consensus-genome/access-role-rls.sql b/schema/verify/warehouse/consensus-genome/access-role-rls.sql
new file mode 100644
index 000000000..3f3769eef
--- /dev/null
+++ b/schema/verify/warehouse/consensus-genome/access-role-rls.sql
@@ -0,0 +1,5 @@
+-- Verify seattleflu/schema:warehouse/consensus-genome/access-role-rls on pg
+
+begin;
+
+rollback;
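Review bot: This verify script for `warehouse/consensus-genome/access-role-rls` checks nothing (`begin;` straight to `rollback;`), so a deploy that left RLS disabled or the policy missing would still pass verification; the genomic-sequence and sequence-read-set verify scripts in this diff are empty as well, and the sample one only proves that an insert with `access_role = 'postgres'` succeeds, which asserts neither the RLS flag nor the policy and, unless run as the table owner, depends on the verifying role holding `postgres`. The catalog exposes both facts directly through `pg_class.relrowsecurity` and `pg_policy`, and the division-by-zero idiom the views verify already uses fits them. The other three scripts would substitute their own table and policy names.
```sql
begin;

select 1/(relrowsecurity)::int
  from pg_catalog.pg_class
 where oid = 'warehouse.consensus_genome'::regclass;

select 1/(count(*) = 1)::int
  from pg_catalog.pg_policy
 where polrelid = 'warehouse.consensus_genome'::regclass
   and polname = 'consensus_genome_rls';

rollback;
```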
diff --git a/schema/verify/warehouse/genomic-sequence/access-role-rls.sql b/schema/verify/warehouse/genomic-sequence/access-role-rls.sql
new file mode 100644
index 000000000..812902791
--- /dev/null
+++ b/schema/verify/warehouse/genomic-sequence/access-role-rls.sql
@@ -0,0 +1,5 @@
+-- Verify seattleflu/schema:warehouse/genomic-sequence/access-role-rls on pg
+
+begin;
+
+rollback;
diff --git a/schema/verify/warehouse/sample/access-role-rls.sql b/schema/verify/warehouse/sample/access-role-rls.sql
new file mode 100644
index 000000000..5ae5eaa13
--- /dev/null
+++ b/schema/verify/warehouse/sample/access-role-rls.sql
@@ -0,0 +1,8 @@
+-- Verify seattleflu/schema:warehouse/sample/access-role-rls on pg
+
+begin;
+
+ insert into warehouse.sample (identifier, access_role)
+ values ('__SAMPLE__', 'postgres');
+
+rollback;
diff --git a/schema/verify/warehouse/sequence-read-set/access-role-rls.sql b/schema/verify/warehouse/sequence-read-set/access-role-rls.sql
new file mode 100644
index 000000000..4c8f6b769
--- /dev/null
+++ b/schema/verify/warehouse/sequence-read-set/access-role-rls.sql
@@ -0,0 +1,7 @@
+-- Verify seattleflu/schema:warehouse/sequence-read-set/access-role-rls on pg
+
+begin;
+
+
+
+rollback;
diff --git a/sqitch.conf b/sqitch.template.conf
similarity index 66%
rename from sqitch.conf
rename to sqitch.template.conf
index 7d13770fc..6f7753493 100644
--- a/sqitch.conf
+++ b/sqitch.template.conf
@@ -18,10 +18,10 @@ target = dev
 [target "dev"]
- uri = db:pg:seattleflu
+ uri = db:pg://@:/seattleflu
 [target "testing"]
- uri = db:pg://testing.db.seattleflu.org/testing
+ uri = db:pg://@:/testing
 [target "production"]
- uri = db:pg://production.db.seattleflu.org/production
+ uri = db:pg://@:/production
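Review bot: The new `uri = db:pg://@:/seattleflu` placeholders leave user, host and port empty, but nothing in the file says they are placeholders or how the template is meant to be used; the .gitignore hunk at the top of this diff drops the `!/sqitch.conf` exception in favour of `!/sqitch.template.conf`, so the real `sqitch.conf` is presumably intended to stay untracked, and a reader has to infer that workflow. A leading comment such as `; Copy to sqitch.conf (untracked) and fill in user@host:port for each target; keep passwords out of the URI and use ~/.pgpass or PGPASSWORD instead` would document it and steers credentials away from any file that might later be committed. The same note applies to the `testing` and `production` targets in this hunk.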