Init

.gitignore

@@ -0,0 +1,50 @@
+# Ignore macOS system files
+.DS_Store
+
+# Ignore Linux system files
+*~
+
+# Ignore Visual Studio Code settings
+.vscode/
+.vscode/*
+
+# Ignore JetBrains IDEs (e.g., IntelliJ, PyCharm, WebStorm, etc.)
+.idea/
+*.iml
+*.iws
+out/
+
+# Ignore common SQL editor/IDE files
+*.sublime-workspace
+*.sublime-project
+
+# Ignore log files
+*.log
+
+# Ignore temporary files created by editors
+*.swp
+*.tmp
+*.bak
+*.old
+*.orig
+
+# Ignore backups
+*.sql.bak
+
+# Ignore compiled binary files
+*.out
+*.o
+*.a
+*.so
+
+# Ignore Thumbs.db (Windows-specific, but in case someone uses Windows)
+Thumbs.db
+
+# Ignore SQL dump files
+*.sql.dump
+
+# Ignore any environment variable files
+.env
+
+# Ignore any other system-specific hidden files
+._*

Baseline/auth/V2__CONFIGURE_PIC_SURE_APPLICATION.sql

@@ -0,0 +1,17 @@
+use auth;
+INSERT INTO application VALUES (0x__APPLICATION_UUID__,'PIC-SURE multiple data access API',0x01,'PICSURE','','/picsureui');
+INSERT INTO `privilege` VALUES 
+(0x7044061AF65B425F86CE73A1BF7F4402,'PIC-SURE Auth super admin for managing roles/privileges/application/connections','SUPER_ADMIN',NULL,'[]',NULL),
+(0xAD08212E096F414CBA8D1BAE09415DAB,'PIC-SURE Auth admin for managing users.','ADMIN',NULL,'[]',NULL);
+INSERT INTO `privilege` VALUES (0xF65B425F867044061ACE73A1BF7F4402,'User who cann run any PIC-SURE Query','PIC_SURE_ANY_QUERY',0x__APPLICATION_UUID__,'[]',NULL);
+INSERT INTO `role` VALUES (0x002DC366B0D8420F998F885D0ED797FD,'PIC-SURE Top Admin','PIC-SURE Auth Micro App Top admin including Admin and super Admin, can manage roles and privileges directly');
+INSERT INTO `role` VALUES (0x8F885D0ED797FD002DC366B0D8420F99,'Admin','Normal admin users, can manage other users including assignment of roles and privileges');
+INSERT INTO `role` VALUES (0x797FD002DC366B0D8420F998F885D0ED,'PIC-SURE User','Normal user, can run any query including data export.');
+INSERT INTO `connection` VALUES (0x97FD002DC366B0D8420F998F885D0ED7, 'Google', 'google-oauth2','google-oauth2|','[{"label":"Email", "id":"email"}]');
+INSERT INTO `role_privilege` VALUES 
+(0x002DC366B0D8420F998F885D0ED797FD,0x7044061AF65B425F86CE73A1BF7F4402),
+(0x002DC366B0D8420F998F885D0ED797FD,0xAD08212E096F414CBA8D1BAE09415DAB),
+(0x8F885D0ED797FD002DC366B0D8420F99,0xAD08212E096F414CBA8D1BAE09415DAB),
+(0x797FD002DC366B0D8420F998F885D0ED,0xF65B425F867044061ACE73A1BF7F4402);
+INSERT INTO `userMetadataMapping` VALUES 
+(unhex('17FD002DC366B0D8420F998F885D0ED7'), '$.email', unhex('97FD002DC366B0D8420F998F885D0ED7'), '$.email');

Baseline/auth/V3__CONFIGURE_JUPYTERHUB_APPLICATION.sql

@@ -0,0 +1,5 @@
+use auth;
+INSERT INTO application VALUES (0xDEADBEEFE9B1458594536ED31D456752,'JupyterHub authentication via PSAMA',0x01,'JupyterHub','','/jupyterhub');
+INSERT INTO `privilege` VALUES (0x530AF81BE8F744AB85E8222D0C743410,'JupyterHub user for accessing notebooks','JUPYTER_USER',0xDEADBEEFE9B1458594536ED31D456752,'[]',NULL);
+INSERT INTO `role` VALUES (0x7EF44B39239318D5B4C2D467580CE4E8,'JupyterHub User','The user is able to access JupyterHub as a normal user');
+INSERT INTO `role_privilege` VALUES (0x7EF44B39239318D5B4C2D467580CE4E8, 0x530AF81BE8F744AB85E8222D0C743410);

Baseline/picsure/V2__CREATE_HPDS_RESOURCE.sql

@@ -0,0 +1,5 @@
+use picsure;
+INSERT INTO `resource`
+    (uuid, targetURL, resourceRSPath, description, name, token, hidden, metadata)
+    VALUES
+    (0x__RESOURCE_UUID__, NULL, 'http://hpds:8080/PIC-SURE/', 'Basic HPDS resource', 'hpds', NULL, FALSE, NULL);

GIC-Common-Area/auth/V10.1__UPDATE_UTHSC_USER_METADATA_MAPPING.sql

@@ -0,0 +1,4 @@
+INSERT INTO `userMetadataMapping` VALUES 
+(unhex('B6BD9D7F9E3311ECA5F4126ACB86EEFB'), '$.email', unhex('97FD002DC366B0D8420F998F885D0ED7'), '$.email');
+
+update connection set id = 'UTHSC' where id = 'uthsc';

GIC-Common-Area/auth/V10__ADD_UTHSC_CONNECTION.sql

@@ -0,0 +1 @@
+INSERT INTO `connection` VALUES (0xB6BD9D7F9E3311ECA5F4126ACB86EEFB, 'UTHSC', 'uthsc','samlp|UTHSC|','[{"label":"The University of Tennessee Health Science Center Email", "id":"email"}]');

GIC-Common-Area/auth/V11__UPDATE_BCH_CONNECTOR_ADFS.sql

@@ -0,0 +1,24 @@
+
+SET @uuidADFSConn = UNHEX(REPLACE(UUID(),'-',''));
+SET @uuidLDAPConn = (select uuid from connection where id='ldap-connector');
+
+-- Create the connection entity for BCH-ADFS
+INSERT INTO `connection` VALUES (@uuidADFSConn, 'BCH-ADFS', 'BCH-ADFS','adfs|BCH-ADFS|','[{"label":"BCH Email", "id":"email"}]');
+
+-- Create the userMetadataMapping for BCH-ADFS
+INSERT INTO `userMetadataMapping` VALUES 
+(UNHEX(REPLACE(uuid(), '-', '')), '$.email', @uuidADFSConn, '$.email');
+
+-- Create an ADFS user for each of the ldap-connector users. 
+-- We preserve the ability to roll back to the ldap-connector if necessary and also preserve the UUIDs for audit purposes
+ insert into user 
+   (select UNHEX(REPLACE(uuid(), '-', '')), NULL, general_metadata, acceptedTOS, @uuidADFSConn, email,0x00,NULL, is_active, NULL
+    from user where connectionId=@uuidLDAPConn);
+
+-- Assign the same roles to the ADFS users that are assigned to the LDAP users
+
+insert into user_role (select b.uuid new_uuid, role_id from 
+	(select * from user_role left join user on user_id=uuid where connectionId=@uuidLDAPConn)  a
+	left join 
+	(select * from user where connectionId=@uuidADFSConn) b on a.email = b.email );
+

GIC-Common-Area/auth/V12__UPDATE_TERMS_OF_SERVICE.sql

@@ -0,0 +1,29 @@
+use auth;
+
+INSERT INTO termsOfService (uuid, dateUpdated, content)
+	VALUES (UNHEX(REPLACE(uuid(),'-','')), CURRENT_TIMESTAMP(),
+    '<div id="main-content" class="container">
+   <div>
+      <div id="tos">
+         <div class="header-tool">Terms and Conditions of Use of the Genomic Information Commons (GIC) Portal</div>
+         <br />
+         <div class="tos-content">
+            <div>User must select the terms and click “accept” to certify that User agrees to the Terms and Conditions of Use of the GIC Portal:</div>
+            <div class="checkbox"><label><input type="checkbox" class="tosCheckbox" value="">i. User is a paid employee of a GIC member site.</label></div>
+            <div class="checkbox"><label><input type="checkbox" class="tosCheckbox" value="">ii. If User’s employment statuses change, User will notify User’s institutional biobank staff immediately.</label></div>
+            <div class="checkbox"><label><input type="checkbox" class="tosCheckbox" value="">iii. User has completed all applicable required institutional certification training course(s), for example CITI training and such training is up to date.</label></div>
+            <div class="checkbox"><label><input type="checkbox" class="tosCheckbox" value="">iv. User will not attempt to identify, or re-identify any patients contained in the aggregate data.</label></div>
+            <div class="checkbox"><label><input type="checkbox" class="tosCheckbox" value="">v. User agrees to use the data and samples for research purposes only.</label></div>
+            <div class="checkbox"><label><input type="checkbox" class="tosCheckbox" value="">vi. User agrees to follow all applicable terms and conditions including those applicable in the GIC Manual of Operating Procedures. User may be asked to agree to additional terms and conditions including but not limited to the GIC Publications Policy.</label></div>
+            <div class="checkbox"><label><input type="checkbox" class="tosCheckbox" value="">vii. User agrees to having User’s activities monitored, stored, and used for security and for insight into how the research community uses the GIC. Activities include, but are not limited to, user logins, queries, user location, language, demographics, and device.</label></div>
+            <div class="checkbox"><label><input type="checkbox" class="tosCheckbox" value="">viii. User understands that any violation of these Terms and Conditions of Use may subject User to disciplinary action by User’s institution.</label></div>
+            <div class="checkbox"><label><input type="checkbox" class="tosCheckbox" value="">ix. User understands that any violation of these Terms and Conditions of Use may result in a probationary or permanent ban of access to the GIC.</label></div>
+            <div class="checkbox"><label><input type="checkbox" class="tosCheckbox" value="">x. User acknowledges and agrees that access to the GIC portal may be revoked at any time, for any reason, with or without prior notice.</label></div>
+            <div class="checkbox"><label><input type="checkbox" class="tosCheckbox" value="">xi. The Terms and Conditions may be modified from time to time and continued use of the GIC is deemed acceptance by the User of such Terms and Conditions and modifications thereof.</label></div>
+			<div class="checkbox"><label><input type="checkbox" class="tosCheckbox" value="">xii. User understands that this portal enables feasibility studies in preparation for research. Research projects require active participation from local investigators and approval from a GIC Data and Sample Access Committee.</label></div>
+            <button type="button" id="acceptBtn" class="btn btn-info accept-tos-button" disabled="">  <span>Accept</span> </button>
+            <script>$(".tosCheckbox").on("change", function(){if ($(".tosCheckbox:checked").length == $(".tosCheckbox").length){$("#acceptBtn").prop("disabled",false);}else{$("#acceptBtn").prop("disabled", true);}});</script>
+         </div>
+      </div>
+   </div>
+</div>');

GIC-Common-Area/auth/V13__UPDATE_TERMS_OF_SERVICE_AGAIN.sql

@@ -0,0 +1,30 @@
+use auth;
+
+INSERT INTO termsOfService (uuid, dateUpdated, content)
+	VALUES (UNHEX(REPLACE(uuid(),'-','')), CURRENT_TIMESTAMP(),
+    '<div id="main-content" class="container">
+   <div>
+      <div id="tos">
+         <div class="header-tool">Terms and Conditions of Use of the Genomic Information Commons (GIC) Portal</div>
+         <br />
+         <div class="tos-content">
+            <div>User must select the terms and click “accept” to certify that User agrees to the Terms and Conditions of Use of the GIC Portal:</div>
+            <div class="checkbox"><label><input type="checkbox" class="tosCheckbox" value="">i.User is a paid employee of a GIC member site, or, User has been granted a temporary exemption by GIC Project Director or the GIC Governance Committee.</label></div>
+            <div class="checkbox"><label><input type="checkbox" class="tosCheckbox" value="">ii.User has completed all applicable required institutional certification training course(s), for example CITI training and such training is up to date or, User has been granted a temporary exemption by GIC Project Director or the GIC Governance Committee.</label></div>
+            <div class="checkbox"><label><input type="checkbox" class="tosCheckbox" value="">iii. If User’s employment statuses change, User will notify User’s institutional biobank staff immediately.</label></div>
+            <div class="checkbox"><label><input type="checkbox" class="tosCheckbox" value="">iv. User will not attempt to identify, or re-identify any patients contained in the aggregate data.</label></div>
+            <div class="checkbox"><label><input type="checkbox" class="tosCheckbox" value="">v. User agrees to use the data and samples for research purposes only.</label></div>
+            <div class="checkbox"><label><input type="checkbox" class="tosCheckbox" value="">vi. User agrees to follow all applicable terms and conditions including those applicable in the GIC Manual of Operating Procedures. User may be asked to agree to additional terms and conditions including but not limited to the GIC Publications Policy.</label></div>
+            <div class="checkbox"><label><input type="checkbox" class="tosCheckbox" value="">vii. User agrees to having User’s activities monitored, stored, and used for security and for insight into how the research community uses the GIC. Activities include, but are not limited to, user logins, queries, user location, language, demographics, and device.</label></div>
+            <div class="checkbox"><label><input type="checkbox" class="tosCheckbox" value="">viii. User agrees to User’s email address being added to the GIC mailing list for future communications. User can opt out at any time by emailing [email protected].</label></div>
+            <div class="checkbox"><label><input type="checkbox" class="tosCheckbox" value="">ix. User understands that any violation of these Terms and Conditions of Use may subject User to disciplinary action by User’s institution.</label></div>
+            <div class="checkbox"><label><input type="checkbox" class="tosCheckbox" value="">x. User understands that any violation of these Terms and Conditions of Use may result in a probationary or permanent ban of access to the GIC.</label></div>
+            <div class="checkbox"><label><input type="checkbox" class="tosCheckbox" value="">xi. User acknowledges and agrees that access to the GIC portal may be revoked at any time, for any reason, with or without prior notice.</label></div>
+            <div class="checkbox"><label><input type="checkbox" class="tosCheckbox" value="">xii. The Terms and Conditions may be modified from time to time and continued use of the GIC is deemed acceptance by the User of such Terms and Conditions and modifications thereof.</label></div>
+			<div class="checkbox"><label><input type="checkbox" class="tosCheckbox" value="">xiii. User understands that this portal enables feasibility studies in preparation for research. Research projects require active participation from local investigators and approval from a GIC Data and Sample Access Committee.</label></div>
+            <button type="button" id="acceptBtn" class="btn btn-info accept-tos-button" disabled="">  <span>Accept</span> </button>
+            <script>$(".tosCheckbox").on("change", function(){if ($(".tosCheckbox:checked").length == $(".tosCheckbox").length){$("#acceptBtn").prop("disabled",false);}else{$("#acceptBtn").prop("disabled", true);}});</script>
+         </div>
+      </div>
+   </div>
+</div>');

GIC-Common-Area/auth/V14__REPAIR_UTHSC_USER_METADATA_MAPPING.sql

@@ -0,0 +1,9 @@
+use auth;
+
+DELETE
+    FROM `userMetadataMapping`
+    WHERE uuid = unhex('B6BD9D7F9E3311ECA5F4126ACB86EEFB');
+
+INSERT
+    INTO `userMetadataMapping` (uuid, auth0MetadataJsonPath, connectionId, generalMetadataJsonPath)
+    VALUES (unhex('2B464334D120880E2250A7626FC2ED8D'), '$.email', unhex('B6BD9D7F9E3311ECA5F4126ACB86EEFB'), '$.email');

GIC-Common-Area/auth/V15__FIX_WUSTL_CASING.sql

@@ -0,0 +1,6 @@
+use auth;
+
+-- Casing issue: id was lower case. Stuff wasn't matching.
+UPDATE `connection`
+    SET id = 'WUSTL'
+    WHERE label = 'WUSTL';

GIC-Common-Area/auth/V16__CREATE_SECRET_DATAFRAME_RULE.sql

@@ -0,0 +1,56 @@
+use auth;
+
+INSERT
+    INTO access_rule (
+        uuid, name, description, rule, type, value, checkMapKeyOnly, checkMapNode,
+        subAccessRuleParent_uuid, isGateAnyRelation, isEvaluateOnlyByGates
+    )    VALUES (
+        unhex(REPLACE(uuid(),'-','')), 'Secret Dataframe', 'Dataframes that cannot be accessed',
+        '$..expectedResultType', 4, 'SECRET_ADMIN_DATAFRAME', 0x00, 0x00, NULL, 0x00, 0x00
+    );
+
+-- We alias the access rule table as 'ar' in the insert query because MYSQL doesn't let you reference the table you are
+-- inserting into directly.
+-- This regex is essentially matching to three cases:
+--  /query
+--  /query/<uuid>/sync
+--  /query/<uuid>/status
+INSERT
+    INTO access_rule (
+        uuid, name, description, rule, type, value, checkMapKeyOnly, checkMapNode,
+        subAccessRuleParent_uuid, isGateAnyRelation, isEvaluateOnlyByGates
+    )
+    VALUES (
+        unhex(REPLACE(uuid(),'-','')), 'Secret Dataframe Query Route Regex', 'Dataframes that cannot be accessed',
+        '$.[\'Target Service\']', 11, '((/query.*/(sync|status))|(/query))$', 0x00, 0x00,
+        (SELECT ar.uuid FROM access_rule as ar WHERE ar.name = 'Secret Dataframe'), 0x00, 0x00
+    );
+
+
+INSERT
+    INTO privilege (uuid, name, description, application_id)
+    VALUES (
+        unhex(REPLACE(uuid(),'-','')), 'SECRET_ADMIN_DATAFRAME', 'Un-viewable dataframe privilege for PICSURE application',
+        (SELECT uuid FROM application WHERE name = 'PICSURE')
+    );
+
+INSERT
+    INTO accessRule_privilege (privilege_id, accessRule_id)
+	VALUES (
+		(SELECT uuid FROM privilege WHERE name = 'SECRET_ADMIN_DATAFRAME'),
+		(SELECT uuid FROM access_rule WHERE name = 'Secret Dataframe')
+	);
+
+INSERT
+    INTO role (uuid, name, description)
+	VALUES (unhex(REPLACE(uuid(),'-','')),
+		'PIC-SURE Secret Dataframe Requester',
+		'PIC-SURE Secret Dataframe Requester.  Can create dataframes, but cannot view them.'
+	);
+
+INSERT
+    INTO role_privilege (role_id, privilege_id)
+    VALUES (
+        (SELECT uuid FROM role WHERE name = 'PIC-SURE Secret Dataframe Requester'),
+        (SELECT uuid FROM privilege WHERE name = 'SECRET_ADMIN_DATAFRAME')
+    );

GIC-Common-Area/auth/V17__CREATE_UUID_GEN_RULE.sql

@@ -0,0 +1,38 @@
+use auth;
+
+set @resourceUUID = (SELECT
+  LOWER(CONCAT(
+    SUBSTR(HEX(uuid), 1, 8), '-',
+    SUBSTR(HEX(uuid), 9, 4), '-',
+    SUBSTR(HEX(uuid), 13, 4), '-',
+    SUBSTR(HEX(uuid), 17, 4), '-',
+    SUBSTR(HEX(uuid), 21)
+  )) from picsure.resource where name = "Query-ID-Gen");
+
+SET @uuidRule = REPLACE(UUID(),'-','');
+INSERT
+    INTO access_rule (
+        uuid, name, description, rule, type, value, checkMapKeyOnly, checkMapNode,
+        subAccessRuleParent_uuid, isGateAnyRelation, isEvaluateOnlyByGates
+    )    VALUES (
+        unhex(@uuidRule), 'CREATE_UUID', 'Create common area UUID', '$query.resourceUUID', 4,
+        @resourceUUID, 0x00, 0x00, NULL, 0x00, 0x00
+    );
+
+SET @uuidPriv = REPLACE(UUID(),'-','');
+INSERT
+    INTO privilege (uuid, name, description, application_id)
+    VALUES (
+        unhex(@uuidPriv), 'CREATE_UUID', 'Create common area UUID',
+        (SELECT uuid FROM application WHERE name = 'PICSURE')
+    );
+
+INSERT INTO accessRule_privilege (privilege_id, accessRule_id)
+     VALUES (
+          unhex(@uuidPriv),
+          unhex(@uuidRule)
+     );
+
+SET @uuidRole = (SELECT uuid FROM role WHERE name = 'PIC-SURE User');
+INSERT INTO role_privilege (role_id, privilege_id) VALUES (@uuidRole, unhex(@uuidPriv));
+