From 02eb5f01b0f8c3810a1a83ae6ce80ecd9818e568 Mon Sep 17 00:00:00 2001 
From: James Date: Fri, 2 Aug 2024 09:19:12 -0400 Subject: [PATCH] Init --- .gitignore | 50 +++ .../V2__CONFIGURE_PIC_SURE_APPLICATION.sql | 17 + .../V3__CONFIGURE_JUPYTERHUB_APPLICATION.sql | 5 + Baseline/picsure/V2__CREATE_HPDS_RESOURCE.sql | 5 + ....1__UPDATE_UTHSC_USER_METADATA_MAPPING.sql | 4 + .../auth/V10__ADD_UTHSC_CONNECTION.sql | 1 + .../auth/V11__UPDATE_BCH_CONNECTOR_ADFS.sql | 24 ++ .../auth/V12__UPDATE_TERMS_OF_SERVICE.sql | 29 ++ .../V13__UPDATE_TERMS_OF_SERVICE_AGAIN.sql | 30 ++ ...14__REPAIR_UTHSC_USER_METADATA_MAPPING.sql | 9 + .../auth/V15__FIX_WUSTL_CASING.sql | 6 + .../V16__CREATE_SECRET_DATAFRAME_RULE.sql | 56 ++++ .../auth/V17__CREATE_UUID_GEN_RULE.sql | 38 +++ .../V18__UPDATE_TERMS_OF_SERVICE_2023.sql | 32 ++ .../auth/V19__VARIANT_EXPLORER.sql | 49 +++ .../auth/V20__ADD_SAVE_DATASET_ROLE.sql | 33 ++ .../auth/V21__UPDATE_CREATE_UUID_GEN_RULE.sql | 3 + .../auth/V22__FIX_LEADING_SPACES.sql | 9 + .../V2__CONFIGURE_PIC_SURE_APPLICATION.sql | 27 ++ .../V3__CONFIGURE_JUPYTERHUB_APPLICATION.sql | 5 + ...V4__UPDATE_CCHMC_USER_METADATA_MAPPING.sql | 1 + .../auth/V5__CREATE_AGGREGATE_ACCESSRULE.sql | 49 +++ .../auth/V6__ADD_DEFAULT_ROLES.sql | 158 ++++++++++ .../auth/V7__ADD_TERMS_OF_SERVICE.sql | 28 ++ .../auth/V8__UPDATE_TERMS_OF_SERVICE.sql | 29 ++ .../auth/V9__ADD_DATA_MANAGER_ROLES.sql | 295 ++++++++++++++++++ .../picsure/V2__CREATE_HPDS_RESOURCE.sql | 2 + GIC-Institution/auth/V10__ADD_SAD_ROLE.sql | 72 +++++ .../auth/V11__VARIANT_EXPLORER.sql | 49 +++ GIC-Institution/auth/V12__ADD_RULES.sql | 57 ++++ .../auth/V13__FIX_LEADING_SPACES.sql | 5 + .../V2__CONFIGURE_PIC_SURE_APPLICATION.sql | 17 + .../V3__CONFIGURE_JUPYTERHUB_APPLICATION.sql | 5 + .../V4__CREATE_AGGREGATE_RULES_AND_USER.sql | 105 +++++++ .../auth/V5__ADD_CROSS_COUNT_RULES.sql | 52 +++ ...V6__FIX_CONNECTION_CONFIGURATION_ERROR.sql | 3 + ...__FIX_CONNECTION_CONFIGURATION_FORREAL.sql | 4 + GIC-Institution/auth/V8__SITE_ADMIN.sql | 22 ++ .../auth/V9__ADD_SAD_ROLE_TO_INST_USER.sql | 12 + 
.../picsure/V3.1__CREATE_HPDS_RESOURCE.sql | 6 + README.md | 12 +- 41 files changed, 1414 insertions(+), 1 deletion(-) create mode 100644 .gitignore create mode 100644 Baseline/auth/V2__CONFIGURE_PIC_SURE_APPLICATION.sql create mode 100644 Baseline/auth/V3__CONFIGURE_JUPYTERHUB_APPLICATION.sql create mode 100644 Baseline/picsure/V2__CREATE_HPDS_RESOURCE.sql create mode 100644 GIC-Common-Area/auth/V10.1__UPDATE_UTHSC_USER_METADATA_MAPPING.sql create mode 100644 GIC-Common-Area/auth/V10__ADD_UTHSC_CONNECTION.sql create mode 100644 GIC-Common-Area/auth/V11__UPDATE_BCH_CONNECTOR_ADFS.sql create mode 100644 GIC-Common-Area/auth/V12__UPDATE_TERMS_OF_SERVICE.sql create mode 100644 GIC-Common-Area/auth/V13__UPDATE_TERMS_OF_SERVICE_AGAIN.sql create mode 100644 GIC-Common-Area/auth/V14__REPAIR_UTHSC_USER_METADATA_MAPPING.sql create mode 100644 GIC-Common-Area/auth/V15__FIX_WUSTL_CASING.sql create mode 100644 GIC-Common-Area/auth/V16__CREATE_SECRET_DATAFRAME_RULE.sql create mode 100644 GIC-Common-Area/auth/V17__CREATE_UUID_GEN_RULE.sql create mode 100644 GIC-Common-Area/auth/V18__UPDATE_TERMS_OF_SERVICE_2023.sql create mode 100644 GIC-Common-Area/auth/V19__VARIANT_EXPLORER.sql create mode 100644 GIC-Common-Area/auth/V20__ADD_SAVE_DATASET_ROLE.sql create mode 100644 GIC-Common-Area/auth/V21__UPDATE_CREATE_UUID_GEN_RULE.sql create mode 100644 GIC-Common-Area/auth/V22__FIX_LEADING_SPACES.sql create mode 100644 GIC-Common-Area/auth/V2__CONFIGURE_PIC_SURE_APPLICATION.sql create mode 100644 GIC-Common-Area/auth/V3__CONFIGURE_JUPYTERHUB_APPLICATION.sql create mode 100644 GIC-Common-Area/auth/V4__UPDATE_CCHMC_USER_METADATA_MAPPING.sql create mode 100644 GIC-Common-Area/auth/V5__CREATE_AGGREGATE_ACCESSRULE.sql create mode 100644 GIC-Common-Area/auth/V6__ADD_DEFAULT_ROLES.sql create mode 100644 GIC-Common-Area/auth/V7__ADD_TERMS_OF_SERVICE.sql create mode 100644 GIC-Common-Area/auth/V8__UPDATE_TERMS_OF_SERVICE.sql create mode 100644 GIC-Common-Area/auth/V9__ADD_DATA_MANAGER_ROLES.sql 
create mode 100644 GIC-Common-Area/picsure/V2__CREATE_HPDS_RESOURCE.sql
create mode 100644 GIC-Institution/auth/V10__ADD_SAD_ROLE.sql
create mode 100644 GIC-Institution/auth/V11__VARIANT_EXPLORER.sql
create mode 100644 GIC-Institution/auth/V12__ADD_RULES.sql
create mode 100644 GIC-Institution/auth/V13__FIX_LEADING_SPACES.sql
create mode 100644 GIC-Institution/auth/V2__CONFIGURE_PIC_SURE_APPLICATION.sql
create mode 100644 GIC-Institution/auth/V3__CONFIGURE_JUPYTERHUB_APPLICATION.sql
create mode 100644 GIC-Institution/auth/V4__CREATE_AGGREGATE_RULES_AND_USER.sql
create mode 100644 GIC-Institution/auth/V5__ADD_CROSS_COUNT_RULES.sql
create mode 100644 GIC-Institution/auth/V6__FIX_CONNECTION_CONFIGURATION_ERROR.sql
create mode 100644 GIC-Institution/auth/V7__FIX_CONNECTION_CONFIGURATION_FORREAL.sql
create mode 100644 GIC-Institution/auth/V8__SITE_ADMIN.sql
create mode 100644 GIC-Institution/auth/V9__ADD_SAD_ROLE_TO_INST_USER.sql
create mode 100644 GIC-Institution/picsure/V3.1__CREATE_HPDS_RESOURCE.sql
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..447483b
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,50 @@
+# Ignore macOS system files
+.DS_Store
+
+# Ignore Linux system files
+*~
+
+# Ignore Visual Studio Code settings
+.vscode/
+.vscode/*
+
+# Ignore JetBrains IDEs (e.g., IntelliJ, PyCharm, WebStorm, etc.)
+.idea/
+*.iml
+*.iws
+out/
+
+# Ignore common SQL editor/IDE files
+*.sublime-workspace
+*.sublime-project
+
+# Ignore log files
+*.log
+
+# Ignore temporary files created by editors
+*.swp
+*.tmp
+*.bak
+*.old
+*.orig
+
+# Ignore backups
+*.sql.bak
+
+# Ignore compiled binary files
+*.out
+*.o
+*.a
+*.so
+
+# Ignore Thumbs.db (Windows-specific, but in case someone uses Windows)
+Thumbs.db
+
+# Ignore SQL dump files
+*.sql.dump
+
+# Ignore any environment variable files
+.env
+
+# Ignore any other system-specific hidden files
+._*
diff --git a/Baseline/auth/V2__CONFIGURE_PIC_SURE_APPLICATION.sql b/Baseline/auth/V2__CONFIGURE_PIC_SURE_APPLICATION.sql
new file mode 100644
index 0000000..fd0a9a9
--- /dev/null
+++ b/Baseline/auth/V2__CONFIGURE_PIC_SURE_APPLICATION.sql
@@ -0,0 +1,17 @@
+use auth;
+INSERT INTO application VALUES (0x__APPLICATION_UUID__,'PIC-SURE multiple data access API',0x01,'PICSURE','','/picsureui');
+INSERT INTO `privilege` VALUES
+(0x7044061AF65B425F86CE73A1BF7F4402,'PIC-SURE Auth super admin for managing roles/privileges/application/connections','SUPER_ADMIN',NULL,'[]',NULL),
+(0xAD08212E096F414CBA8D1BAE09415DAB,'PIC-SURE Auth admin for managing users.','ADMIN',NULL,'[]',NULL);
+INSERT INTO `privilege` VALUES (0xF65B425F867044061ACE73A1BF7F4402,'User who cann run any PIC-SURE Query','PIC_SURE_ANY_QUERY',0x__APPLICATION_UUID__,'[]',NULL);
+INSERT INTO `role` VALUES (0x002DC366B0D8420F998F885D0ED797FD,'PIC-SURE Top Admin','PIC-SURE Auth Micro App Top admin including Admin and super Admin, can manage roles and privileges directly');
+INSERT INTO `role` VALUES (0x8F885D0ED797FD002DC366B0D8420F99,'Admin','Normal admin users, can manage other users including assignment of roles and privileges');
+INSERT INTO `role` VALUES (0x797FD002DC366B0D8420F998F885D0ED,'PIC-SURE User','Normal user, can run any query including data export.');
+INSERT INTO `connection` VALUES (0x97FD002DC366B0D8420F998F885D0ED7, 'Google', 'google-oauth2','google-oauth2|','[{"label":"Email", "id":"email"}]');
+INSERT INTO `role_privilege` VALUES
+(0x002DC366B0D8420F998F885D0ED797FD,0x7044061AF65B425F86CE73A1BF7F4402),
+(0x002DC366B0D8420F998F885D0ED797FD,0xAD08212E096F414CBA8D1BAE09415DAB),
+(0x8F885D0ED797FD002DC366B0D8420F99,0xAD08212E096F414CBA8D1BAE09415DAB),
+(0x797FD002DC366B0D8420F998F885D0ED,0xF65B425F867044061ACE73A1BF7F4402);
+INSERT INTO `userMetadataMapping` VALUES
+(unhex('17FD002DC366B0D8420F998F885D0ED7'), '$.email', unhex('97FD002DC366B0D8420F998F885D0ED7'), '$.email');
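Review bot: The `0x__APPLICATION_UUID__` literal in the `application` and `privilege` inserts is a substitution token that nothing in the file documents; applied unsubstituted, MySQL would presumably lex it as an identifier rather than a hex literal and the migration would fail with an unknown-column error. Add a header comment such as `-- __APPLICATION_UUID__ is replaced by the deployment tooling before this migration runs (32 hex chars, no dashes)`, and the same for `__RESOURCE_UUID__` in Baseline/picsure/V2. Every row in this file is also a positional `INSERT ... VALUES` with no column list, so a column added to `application`, `privilege`, `role`, `connection` or `role_privilege` silently shifts values; Baseline V3, GIC-Common-Area V2/V3 and V6 repeat the pattern, whereas V5, V16 and V17 in this same commit spell the columns out. The description `'User who cann run any PIC-SURE Query'` has a typo (`can`), here and in GIC-Common-Area V2.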
diff --git a/Baseline/auth/V3__CONFIGURE_JUPYTERHUB_APPLICATION.sql b/Baseline/auth/V3__CONFIGURE_JUPYTERHUB_APPLICATION.sql
new file mode 100644
index 0000000..6c62d96
--- /dev/null
+++ b/Baseline/auth/V3__CONFIGURE_JUPYTERHUB_APPLICATION.sql
@@ -0,0 +1,5 @@
+use auth;
+INSERT INTO application VALUES (0xDEADBEEFE9B1458594536ED31D456752,'JupyterHub authentication via PSAMA',0x01,'JupyterHub','','/jupyterhub');
+INSERT INTO `privilege` VALUES (0x530AF81BE8F744AB85E8222D0C743410,'JupyterHub user for accessing notebooks','JUPYTER_USER',0xDEADBEEFE9B1458594536ED31D456752,'[]',NULL);
+INSERT INTO `role` VALUES (0x7EF44B39239318D5B4C2D467580CE4E8,'JupyterHub User','The user is able to access JupyterHub as a normal user');
+INSERT INTO `role_privilege` VALUES (0x7EF44B39239318D5B4C2D467580CE4E8, 0x530AF81BE8F744AB85E8222D0C743410);
diff --git a/Baseline/picsure/V2__CREATE_HPDS_RESOURCE.sql b/Baseline/picsure/V2__CREATE_HPDS_RESOURCE.sql
new file mode 100644
index 0000000..e6fcb47
--- /dev/null
+++ b/Baseline/picsure/V2__CREATE_HPDS_RESOURCE.sql
@@ -0,0 +1,5 @@
+use picsure;
+INSERT INTO `resource`
+ (uuid, targetURL, resourceRSPath, description, name, token, hidden, metadata)
+ VALUES
+ (0x__RESOURCE_UUID__, NULL, 'http://hpds:8080/PIC-SURE/', 'Basic HPDS resource', 'hpds', NULL, FALSE, NULL);
\ No newline at end of file
diff --git a/GIC-Common-Area/auth/V10.1__UPDATE_UTHSC_USER_METADATA_MAPPING.sql b/GIC-Common-Area/auth/V10.1__UPDATE_UTHSC_USER_METADATA_MAPPING.sql
new file mode 100644
index 0000000..be40244
--- /dev/null
+++ b/GIC-Common-Area/auth/V10.1__UPDATE_UTHSC_USER_METADATA_MAPPING.sql
@@ -0,0 +1,4 @@
+INSERT INTO `userMetadataMapping` VALUES
+(unhex('B6BD9D7F9E3311ECA5F4126ACB86EEFB'), '$.email', unhex('97FD002DC366B0D8420F998F885D0ED7'), '$.email');
+
+update connection set id = 'UTHSC' where id = 'uthsc';
\ No newline at end of file
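Review bot: V10.1 has no `use auth;` statement, so its `userMetadataMapping` insert and the `update connection` run against whatever default schema the migration runner was started with, while the other auth migrations in this commit begin with `use auth;`; V10 and V4 omit it as well. Either add `use auth;` as the first line of those three files or remove it from all of the auth migrations and rely on the runner's configured schema, but not a mix, since a mixed set behaves differently depending on how the runner is invoked.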
diff --git a/GIC-Common-Area/auth/V10__ADD_UTHSC_CONNECTION.sql b/GIC-Common-Area/auth/V10__ADD_UTHSC_CONNECTION.sql
new file mode 100644
index 0000000..6ddd6f4
--- /dev/null
+++ b/GIC-Common-Area/auth/V10__ADD_UTHSC_CONNECTION.sql
@@ -0,0 +1 @@
+INSERT INTO `connection` VALUES (0xB6BD9D7F9E3311ECA5F4126ACB86EEFB, 'UTHSC', 'uthsc','samlp|UTHSC|','[{"label":"The University of Tennessee Health Science Center Email", "id":"email"}]');
diff --git a/GIC-Common-Area/auth/V11__UPDATE_BCH_CONNECTOR_ADFS.sql b/GIC-Common-Area/auth/V11__UPDATE_BCH_CONNECTOR_ADFS.sql
new file mode 100644
index 0000000..276884e
--- /dev/null
+++ b/GIC-Common-Area/auth/V11__UPDATE_BCH_CONNECTOR_ADFS.sql
@@ -0,0 +1,24 @@
+
+SET @uuidADFSConn = UNHEX(REPLACE(UUID(),'-',''));
+SET @uuidLDAPConn = (select uuid from connection where id='ldap-connector');
+
+-- Create the connection entity for BCH-ADFS
+INSERT INTO `connection` VALUES (@uuidADFSConn, 'BCH-ADFS', 'BCH-ADFS','adfs|BCH-ADFS|','[{"label":"BCH Email", "id":"email"}]');
+
+-- Create the userMetadataMapping for BCH-ADFS
+INSERT INTO `userMetadataMapping` VALUES
+(UNHEX(REPLACE(uuid(), '-', '')), '$.email', @uuidADFSConn, '$.email');
+
+-- Create an ADFS user for each of the ldap-connector users.
+-- We preserve the ability to roll back to the ldap-connector if necessary and also preserve the UUIDs for audit purposes
+ insert into user
+ (select UNHEX(REPLACE(uuid(), '-', '')), NULL, general_metadata, acceptedTOS, @uuidADFSConn, email,0x00,NULL, is_active, NULL
+ from user where connectionId=@uuidLDAPConn);
+
+-- Assign the same roles to the ADFS users that are assigned to the LDAP users
+
+insert into user_role (select b.uuid new_uuid, role_id from
+ (select * from user_role left join user on user_id=uuid where connectionId=@uuidLDAPConn) a
+ left join
+ (select * from user where connectionId=@uuidADFSConn) b on a.email = b.email );
+
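Review bot: The role copy at the end of the hunk joins the LDAP-side rows `a` to the ADFS clones `b` with `left join`, so an LDAP user whose `email` is NULL (NULL never equals NULL) gets `b.uuid` = NULL and the insert attempts a `user_role` row with a NULL `user_id`; `inner join (select * from user where connectionId=@uuidADFSConn) b on a.email = b.email` drops such rows instead of writing them. Duplicate emails among the LDAP users fan the join out and give each clone the union of both users' roles, which is a privilege change rather than a copy; a pre-check such as `select email, count(*) from user where connectionId=@uuidLDAPConn group by email having count(*) > 1` or a comment stating that emails are unique per connection would cover it. `@uuidLDAPConn` is NULL when no `ldap-connector` row exists, in which case both `connectionId=@uuidLDAPConn` filters match nothing and the migration reports success while creating no users; a comment at the top of the file stating that prerequisite is the minimum. The positional `insert into user (select ...)` with ten columns and an unlabelled `0x00` has the same column-order fragility as the other positional inserts in this commit and would benefit from an explicit column list.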
diff --git a/GIC-Common-Area/auth/V12__UPDATE_TERMS_OF_SERVICE.sql b/GIC-Common-Area/auth/V12__UPDATE_TERMS_OF_SERVICE.sql new file mode 100644 index 0000000..311aafb --- /dev/null +++ b/GIC-Common-Area/auth/V12__UPDATE_TERMS_OF_SERVICE.sql @@ -0,0 +1,29 @@ +use auth; + +INSERT INTO termsOfService (uuid, dateUpdated, content) + VALUES (UNHEX(REPLACE(uuid(),'-','')), CURRENT_TIMESTAMP(), + '
+
+
+
Terms and Conditions of Use of the Genomic Information Commons (GIC) Portal
+
+
+
User must select the terms and click “accept” to certify that User agrees to the Terms and Conditions of Use of the GIC Portal:
+
+
+
+
+
+
+
+
+
+
+
+
+ + +
+
+
+
'); diff --git a/GIC-Common-Area/auth/V13__UPDATE_TERMS_OF_SERVICE_AGAIN.sql b/GIC-Common-Area/auth/V13__UPDATE_TERMS_OF_SERVICE_AGAIN.sql new file mode 100644 index 0000000..af9579e --- /dev/null +++ b/GIC-Common-Area/auth/V13__UPDATE_TERMS_OF_SERVICE_AGAIN.sql @@ -0,0 +1,30 @@ +use auth; + +INSERT INTO termsOfService (uuid, dateUpdated, content) + VALUES (UNHEX(REPLACE(uuid(),'-','')), CURRENT_TIMESTAMP(), + '
+
+
+
Terms and Conditions of Use of the Genomic Information Commons (GIC) Portal
+
+
+
User must select the terms and click “accept” to certify that User agrees to the Terms and Conditions of Use of the GIC Portal:
+
+
+
+
+
+
+
+
+
+
+
+
+
+ + +
+
+
+
'); diff --git a/GIC-Common-Area/auth/V14__REPAIR_UTHSC_USER_METADATA_MAPPING.sql b/GIC-Common-Area/auth/V14__REPAIR_UTHSC_USER_METADATA_MAPPING.sql new file mode 100644 index 0000000..f18f240 --- /dev/null +++ b/GIC-Common-Area/auth/V14__REPAIR_UTHSC_USER_METADATA_MAPPING.sql @@ -0,0 +1,9 @@ +use auth; + +DELETE + FROM `userMetadataMapping` + WHERE uuid = unhex('B6BD9D7F9E3311ECA5F4126ACB86EEFB'); + +INSERT + INTO `userMetadataMapping` (uuid, auth0MetadataJsonPath, connectionId, generalMetadataJsonPath) + VALUES (unhex('2B464334D120880E2250A7626FC2ED8D'), '$.email', unhex('B6BD9D7F9E3311ECA5F4126ACB86EEFB'), '$.email'); diff --git a/GIC-Common-Area/auth/V15__FIX_WUSTL_CASING.sql b/GIC-Common-Area/auth/V15__FIX_WUSTL_CASING.sql new file mode 100644 index 0000000..7f92000 --- /dev/null +++ b/GIC-Common-Area/auth/V15__FIX_WUSTL_CASING.sql @@ -0,0 +1,6 @@ +use auth; + +-- Casing issue: id was lower case. Stuff wasn't matching. +UPDATE `connection` + SET id = 'WUSTL' + WHERE label = 'WUSTL'; diff --git a/GIC-Common-Area/auth/V16__CREATE_SECRET_DATAFRAME_RULE.sql b/GIC-Common-Area/auth/V16__CREATE_SECRET_DATAFRAME_RULE.sql new file mode 100644 index 0000000..0628e0f --- /dev/null +++ b/GIC-Common-Area/auth/V16__CREATE_SECRET_DATAFRAME_RULE.sql 
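Review bot: V13 inserts a second `termsOfService` row whose body, as rendered on this page, reads the same as V12's apart from one extra line, and nothing in the file says what changed or why V12 needed a redo. Add a header comment, e.g. `-- Supersedes the V12 text: <what changed and why>`, so the next maintainer does not have to diff two near-identical blobs; V18 would benefit from the same, since its visible difference is the added NIH funding paragraph.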
@@ -0,0 +1,56 @@
+use auth;
+
+INSERT
+ INTO access_rule (
+ uuid, name, description, rule, type, value, checkMapKeyOnly, checkMapNode,
+ subAccessRuleParent_uuid, isGateAnyRelation, isEvaluateOnlyByGates
+ ) VALUES (
+ unhex(REPLACE(uuid(),'-','')), 'Secret Dataframe', 'Dataframes that cannot be accessed',
+ '$..expectedResultType', 4, 'SECRET_ADMIN_DATAFRAME', 0x00, 0x00, NULL, 0x00, 0x00
+ );
+
+-- We alias the access rule table as 'ar' in the insert query because MYSQL doesn't let you reference the table you are
+-- inserting into directly.
+-- This regex is essentially matching to three cases:
+-- /query
+-- /query//sync
+-- /query//status
+INSERT
+ INTO access_rule (
+ uuid, name, description, rule, type, value, checkMapKeyOnly, checkMapNode,
+ subAccessRuleParent_uuid, isGateAnyRelation, isEvaluateOnlyByGates
+ )
+ VALUES (
+ unhex(REPLACE(uuid(),'-','')), 'Secret Dataframe Query Route Regex', 'Dataframes that cannot be accessed',
+ '$.[\'Target Service\']', 11, '((/query.*/(sync|status))|(/query))$', 0x00, 0x00,
+ (SELECT ar.uuid FROM access_rule as ar WHERE ar.name = 'Secret Dataframe'), 0x00, 0x00
+ );
+
+
+INSERT
+ INTO privilege (uuid, name, description, application_id)
+ VALUES (
+ unhex(REPLACE(uuid(),'-','')), 'SECRET_ADMIN_DATAFRAME', 'Un-viewable dataframe privilege for PICSURE application',
+ (SELECT uuid FROM application WHERE name = 'PICSURE')
+ );
+
+INSERT
+ INTO accessRule_privilege (privilege_id, accessRule_id)
+ VALUES (
+ (SELECT uuid FROM privilege WHERE name = 'SECRET_ADMIN_DATAFRAME'),
+ (SELECT uuid FROM access_rule WHERE name = 'Secret Dataframe')
+ );
+
+INSERT
+ INTO role (uuid, name, description)
+ VALUES (unhex(REPLACE(uuid(),'-','')),
+ 'PIC-SURE Secret Dataframe Requester',
+ 'PIC-SURE Secret Dataframe Requester. Can create dataframes, but cannot view them.'
+ );
+
+INSERT
+ INTO role_privilege (role_id, privilege_id)
+ VALUES (
+ (SELECT uuid FROM role WHERE name = 'PIC-SURE Secret Dataframe Requester'),
+ (SELECT uuid FROM privilege WHERE name = 'SECRET_ADMIN_DATAFRAME')
+ );
\ No newline at end of file
diff --git a/GIC-Common-Area/auth/V17__CREATE_UUID_GEN_RULE.sql b/GIC-Common-Area/auth/V17__CREATE_UUID_GEN_RULE.sql
new file mode 100644
index 0000000..95bb427
--- /dev/null
+++ b/GIC-Common-Area/auth/V17__CREATE_UUID_GEN_RULE.sql
@@ -0,0 +1,38 @@
+use auth;
+
+set @resourceUUID = (SELECT
+ LOWER(CONCAT(
+ SUBSTR(HEX(uuid), 1, 8), '-',
+ SUBSTR(HEX(uuid), 9, 4), '-',
+ SUBSTR(HEX(uuid), 13, 4), '-',
+ SUBSTR(HEX(uuid), 17, 4), '-',
+ SUBSTR(HEX(uuid), 21)
+ )) from picsure.resource where name = "Query-ID-Gen");
+
+SET @uuidRule = REPLACE(UUID(),'-','');
+INSERT
+ INTO access_rule (
+ uuid, name, description, rule, type, value, checkMapKeyOnly, checkMapNode,
+ subAccessRuleParent_uuid, isGateAnyRelation, isEvaluateOnlyByGates
+ ) VALUES (
+ unhex(@uuidRule), 'CREATE_UUID', 'Create common area UUID', '$query.resourceUUID', 4,
+ @resourceUUID, 0x00, 0x00, NULL, 0x00, 0x00
+ );
+
+SET @uuidPriv = REPLACE(UUID(),'-','');
+INSERT
+ INTO privilege (uuid, name, description, application_id)
+ VALUES (
+ unhex(@uuidPriv), 'CREATE_UUID', 'Create common area UUID',
+ (SELECT uuid FROM application WHERE name = 'PICSURE')
+ );
+
+INSERT INTO accessRule_privilege (privilege_id, accessRule_id)
+ VALUES (
+ unhex(@uuidPriv),
+ unhex(@uuidRule)
+ );
+
+SET @uuidRole = (SELECT uuid FROM role WHERE name = 'PIC-SURE User');
+INSERT INTO role_privilege (role_id, privilege_id) VALUES (@uuidRole, unhex(@uuidPriv));
+
diff --git a/GIC-Common-Area/auth/V18__UPDATE_TERMS_OF_SERVICE_2023.sql b/GIC-Common-Area/auth/V18__UPDATE_TERMS_OF_SERVICE_2023.sql
new file mode 100644
index 0000000..ca45cbc
--- /dev/null
+++ b/GIC-Common-Area/auth/V18__UPDATE_TERMS_OF_SERVICE_2023.sql
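Review bot: The `Secret Dataframe Query Route Regex` value `((/query.*/(sync|status))|(/query))$` is anchored at the end but not the start, and `.*` accepts anything between `/query` and the trailing `/sync` or `/status`, so it matches more than the three routes the comment above it lists: any `Target Service` value that merely ends in `/query`, or that has `/query` anywhere before a trailing `/sync`|`/status`, satisfies it. If the intent is exactly `/query`, `/query/<id>/sync` and `/query/<id>/status`, `^/query(/[^/]+/(sync|status))?$` states that; either way the comment should say which, since the rendered `-- /query//sync` lines read as though an id placeholder dropped out. The `(SELECT uuid FROM ... WHERE name = ...)` lookups assume `name` is unique in `access_rule`, `privilege` and `role`; no unique constraint is visible on this page, so a same-named row left by an earlier run turns the subquery into a more-than-one-row error at insert time.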
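Review bot: `@resourceUUID` is read from `picsure.resource` by name, and when no `Query-ID-Gen` row exists the SET yields NULL and the `CREATE_UUID` access rule is inserted with `value` = NULL, so the migration succeeds but leaves a rule that can never match; V19 does the same with `Common-Search`. State the prerequisite at the top of the file, e.g. `-- Requires the picsure.resource row named 'Query-ID-Gen' (created by the picsure migrations); the rule value is derived from its uuid`, and consider checking for the NULL rather than inserting a dead rule. `"Query-ID-Gen"` here, and `"Common-Search"`, `"query.resourceUUID"` and `"CREATE_UUID"` in V19 and V21, are double-quoted string literals, which MySQL treats as identifiers when `ANSI_QUOTES` is enabled; the single quotes used everywhere else in these files avoid the SQL-mode dependence.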
@@ -0,0 +1,32 @@ +use auth; + +INSERT INTO termsOfService (uuid, dateUpdated, content) + VALUES (UNHEX(REPLACE(uuid(),'-','')), CURRENT_TIMESTAMP(), + '
+
+
+
Terms and Conditions of Use of the Genomic Information Commons (GIC) Portal
+
+
+
User must select the terms and click “accept” to certify that User agrees to the Terms and Conditions of Use of the GIC Portal:
+
+
+
+
+
+
+
+
Research reported in this manuscript was supported by the member institutions of the Genomic Information Commons (GIC) and the National Center for Advancing Translational Sciences of the National Institutes of Health under Award Number(s) U01TR002623. The content is solely the responsibility of the authors and does not necessarily represent the official views of the National Institutes of Health or the GIC.
+
+
+
+
+
+
+
+ + +
+
+
+
'); diff --git a/GIC-Common-Area/auth/V19__VARIANT_EXPLORER.sql b/GIC-Common-Area/auth/V19__VARIANT_EXPLORER.sql new file mode 100644 index 0000000..6c0c71c --- /dev/null +++ b/GIC-Common-Area/auth/V19__VARIANT_EXPLORER.sql @@ -0,0 +1,49 @@ +use auth; + +SET @resourceUUID = (SELECT + LOWER(CONCAT( + SUBSTR(HEX(uuid), 1, 8), '-', + SUBSTR(HEX(uuid), 9, 4), '-', + SUBSTR(HEX(uuid), 13, 4), '-', + SUBSTR(HEX(uuid), 17, 4), '-', + SUBSTR(HEX(uuid), 21) + )) from picsure.resource where name = "Common-Search"); + +SET @uuidParentRule = REPLACE(UUID(),'-',''); +SET @uuidChildRule = REPLACE(UUID(),'-',''); + +INSERT + INTO access_rule ( + uuid, name, description, rule, type, value, checkMapKeyOnly, checkMapNode, + subAccessRuleParent_uuid, isGateAnyRelation, isEvaluateOnlyByGates + ) VALUES ( + unhex(@uuidParentRule), 'EXPLORE_VARIANT', 'Sync query for variant explorer', '$..expectedResultType', 11, + '(VARIANT_COUNT_FOR_QUERY|VCF_EXCERPT|AGGREGATE_VCF_EXCERPT)', 0x00, 0x00, NULL, 0x00, 0x00 + ); + +INSERT + INTO access_rule ( + uuid, name, description, rule, type, value, checkMapKeyOnly, checkMapNode, + subAccessRuleParent_uuid, isGateAnyRelation, isEvaluateOnlyByGates + ) + VALUES ( + unhex(@uuidChildRule), 'EXPLORE_VARIANT_URI', 'Sync query for variant explorer', + '$.[\'Target Service\']', 4, '/query/sync', 0x00, 0x00, + unhex(@uuidParentRule), 0x00, 0x00 + ); + +SET @uuidPriv = REPLACE(UUID(),'-',''); +INSERT + INTO privilege (uuid, name, description, application_id) + VALUES ( + unhex(@uuidPriv), 'EXPLORE_VARIANT', 'Explore aggregate results for variant', + (SELECT uuid FROM application WHERE name = 'PICSURE') + ); + +INSERT + INTO accessRule_privilege (privilege_id, accessRule_id) + VALUES (unhex(@uuidPriv), unhex(@uuidParentRule)); + +INSERT + INTO role_privilege (role_id, privilege_id) + VALUES ((SELECT uuid FROM role WHERE name = 'PIC-SURE User'), unhex(@uuidPriv)); 
diff --git a/GIC-Common-Area/auth/V20__ADD_SAVE_DATASET_ROLE.sql b/GIC-Common-Area/auth/V20__ADD_SAVE_DATASET_ROLE.sql
new file mode 100644
index 0000000..58e580a
--- /dev/null
+++ b/GIC-Common-Area/auth/V20__ADD_SAVE_DATASET_ROLE.sql
@@ -0,0 +1,33 @@
+use auth;
+
+SET @uuidRule = REPLACE(UUID(), '-', '');
+INSERT
+ INTO access_rule (
+ uuid, name, description, value,
+ rule, type, checkMapKeyOnly, checkMapNode, subAccessRuleParent_uuid, isGateAnyRelation, isEvaluateOnlyByGates
+ )
+ VALUES (
+ unhex(@uuidRule), 'SAVE_DATASET', 'Can only do /dataset', '/dataset/named',
+ ' $.[\'Target Service\']', 6, 0, 0, NULL, 0, 0
+ );
+
+SET @uuidPriv = REPLACE(UUID(), '-', '');
+INSERT
+ INTO privilege (
+ uuid, name,
+ description,
+ application_id
+ )
+ VALUES (
+ unhex(@uuidPriv), 'SAVE_DATASET',
+ 'Allow access to the /dataset/named/ function',
+ (SELECT uuid FROM application WHERE name = 'PICSURE')
+ );
+
+INSERT
+ INTO accessRule_privilege ( privilege_id, accessRule_id )
+ VALUES ( unhex(@uuidPriv), unhex(@uuidRule) );
+
+INSERT
+ INTO role_privilege ( role_id, privilege_id )
+ VALUES ( (SELECT uuid FROM role WHERE name = 'PIC-SURE User'), unhex(@uuidPriv) );
diff --git a/GIC-Common-Area/auth/V21__UPDATE_CREATE_UUID_GEN_RULE.sql b/GIC-Common-Area/auth/V21__UPDATE_CREATE_UUID_GEN_RULE.sql
new file mode 100644
index 0000000..c56b4d1
--- /dev/null
+++ b/GIC-Common-Area/auth/V21__UPDATE_CREATE_UUID_GEN_RULE.sql
@@ -0,0 +1,3 @@
+use auth;
+
+UPDATE access_rule SET rule = "query.resourceUUID" WHERE name = "CREATE_UUID";
diff --git a/GIC-Common-Area/auth/V22__FIX_LEADING_SPACES.sql b/GIC-Common-Area/auth/V22__FIX_LEADING_SPACES.sql
new file mode 100644
index 0000000..73e7d67
--- /dev/null
+++ b/GIC-Common-Area/auth/V22__FIX_LEADING_SPACES.sql
@@ -0,0 +1,9 @@
+use auth;
+
+UPDATE access_rule
+ SET rule = '$.[\'Target Service\']'
+ WHERE name IN ('SAVE_DATASET', 'AR_ONLY_SEARCH', 'AR_ONLY_resource', 'AR_ONLY_info/resource', 'GATE_RESOURCE');
+
+UPDATE access_rule
+ SET rule = '$.[\'query\']'
+ WHERE name IN ('AR_RESOURCE_LIST');
diff --git a/GIC-Common-Area/auth/V2__CONFIGURE_PIC_SURE_APPLICATION.sql b/GIC-Common-Area/auth/V2__CONFIGURE_PIC_SURE_APPLICATION.sql
new file mode 100644
index 0000000..5adc841
--- /dev/null
+++ b/GIC-Common-Area/auth/V2__CONFIGURE_PIC_SURE_APPLICATION.sql
@@ -0,0 +1,27 @@ +use auth; +INSERT INTO application VALUES (0x__APPLICATION_UUID__,'PIC-SURE multiple data access API',0x01,'PICSURE','','/picsureui'); +INSERT INTO `privilege` VALUES +(0x7044061AF65B425F86CE73A1BF7F4402,'PIC-SURE Auth super admin for managing roles/privileges/application/connections','SUPER_ADMIN',NULL,'[]',NULL), +(0xAD08212E096F414CBA8D1BAE09415DAB,'PIC-SURE Auth admin for managing users.','ADMIN',NULL,'[]',NULL); +INSERT INTO `privilege` VALUES (0xF65B425F867044061ACE73A1BF7F4402,'User who cann run any PIC-SURE Query','PIC_SURE_ANY_QUERY',0x__APPLICATION_UUID__,'[]',NULL); +INSERT INTO `role` VALUES (0x002DC366B0D8420F998F885D0ED797FD,'PIC-SURE Top Admin','PIC-SURE Auth Micro App Top admin including Admin and super Admin, can manage roles and privileges directly'); +INSERT INTO `role` VALUES (0x8F885D0ED797FD002DC366B0D8420F99,'Admin','Normal admin users, can manage other users including assignment of roles and privileges'); +INSERT INTO `role` VALUES (0x797FD002DC366B0D8420F998F885D0ED,'PIC-SURE User','Normal user, can run any query including data export.'); +INSERT INTO `connection` VALUES (0x97FD002DC366B0D8420F998F885D0ED7, 'Google', 'google-oauth2','google-oauth2|','[{"label":"Email", "id":"email"}]'); +INSERT INTO `connection` VALUES (0x97FB0D8420F998F885D0ED7D002DC366, 'BCH', 'ldap-connector','ad|ldap-connector|','[{"label":"BCH Email","id":"email"}]'); +INSERT INTO `connection` VALUES (0x97FD0F998F88002DC366B0D8425D0ED7, 'CCHMC', 'cchmc','samlp|cchmc|','[{"label":"CCHMC Email", "id":"email"}]'); +INSERT INTO `connection` VALUES (0x9766B0D8420F998F88FD002DC35D0ED7, 'CHOP', 'CHOP','samlp|CHOP|','[{"label":"CHOP Email", "id":"email"}]'); +INSERT INTO `connection` VALUES (0x976B0D8420F998F88FD002DC365D0ED7, 'PITT', 'pitt-edu','samlp|','[{"label":"PITT Email", "id":"email"}]'); +INSERT INTO `connection` VALUES (0x9B0D8420F7FD002DC366998F885D0ED7, 'WUSTL', 'wustl','samlp|wustl|','[{"label":"Washington University in St. 
Louis Email", "id":"email"}]'); +INSERT INTO `role_privilege` VALUES +(0x002DC366B0D8420F998F885D0ED797FD,0x7044061AF65B425F86CE73A1BF7F4402), +(0x002DC366B0D8420F998F885D0ED797FD,0xAD08212E096F414CBA8D1BAE09415DAB), +(0x8F885D0ED797FD002DC366B0D8420F99,0xAD08212E096F414CBA8D1BAE09415DAB), +(0x797FD002DC366B0D8420F998F885D0ED,0xF65B425F867044061ACE73A1BF7F4402); +INSERT INTO `userMetadataMapping` VALUES +(unhex('17FD002DC366B0D8420F998F885D0ED7'), '$.email', unhex('97FD002DC366B0D8420F998F885D0ED7'), '$.email'), +(unhex('17FB0D8420F998F885D0ED7D002DC366'), '$.email', unhex('97FB0D8420F998F885D0ED7D002DC366'), '$.email'), +(unhex('17FD0F998F88002DC366B0D8425D0ED7'), '$.email', unhex('97FD0F998F88002DC366B0D8425D0ED7'), '$.email'), +(unhex('1766B0D8420F998F88FD002DC35D0ED7'), '$.email', unhex('9766B0D8420F998F88FD002DC35D0ED7'), '$.email'), +(unhex('176B0D8420F998F88FD002DC365D0ED7'), '$.email', unhex('976B0D8420F998F88FD002DC365D0ED7'), '$.email'), +(unhex('1B0D8420F7FD002DC366998F885D0ED7'), '$.email', unhex('9B0D8420F7FD002DC366998F885D0ED7'), '$.email'); diff --git a/GIC-Common-Area/auth/V3__CONFIGURE_JUPYTERHUB_APPLICATION.sql b/GIC-Common-Area/auth/V3__CONFIGURE_JUPYTERHUB_APPLICATION.sql new file mode 100644 index 0000000..6c62d96 --- /dev/null +++ b/GIC-Common-Area/auth/V3__CONFIGURE_JUPYTERHUB_APPLICATION.sql @@ -0,0 +1,5 @@ +use auth; +INSERT INTO application VALUES (0xDEADBEEFE9B1458594536ED31D456752,'JupyterHub authentication via PSAMA',0x01,'JupyterHub','','/jupyterhub'); +INSERT INTO `privilege` VALUES (0x530AF81BE8F744AB85E8222D0C743410,'JupyterHub user for accessing notebooks','JUPYTER_USER',0xDEADBEEFE9B1458594536ED31D456752,'[]',NULL); +INSERT INTO `role` VALUES (0x7EF44B39239318D5B4C2D467580CE4E8,'JupyterHub User','The user is able to access JupyterHub as a normal user'); +INSERT INTO `role_privilege` VALUES (0x7EF44B39239318D5B4C2D467580CE4E8, 0x530AF81BE8F744AB85E8222D0C743410); 
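Review bot: The `PITT` connection row carries `'samlp|'` in the fourth column, whereas every other SAML row carries the connection name as well (`'samlp|cchmc|'`, `'samlp|CHOP|'`, `'samlp|wustl|'`) and the LDAP row is `'ad|ldap-connector|'`. If that column is the subject prefix the auth service matches against to pick a connection — the page does not show the consumer, so this is inferred — a bare `'samlp|'` would match a subject from any SAML connection rather than only PITT; confirm, and if so change it to `'samlp|pitt-edu|'` to line up with the row's `id`. If the shorter prefix is deliberate, a comment on that row saying why PITT differs would stop the next reader from "correcting" it.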
diff --git a/GIC-Common-Area/auth/V4__UPDATE_CCHMC_USER_METADATA_MAPPING.sql b/GIC-Common-Area/auth/V4__UPDATE_CCHMC_USER_METADATA_MAPPING.sql
new file mode 100644
index 0000000..d3dcb9a
--- /dev/null
+++ b/GIC-Common-Area/auth/V4__UPDATE_CCHMC_USER_METADATA_MAPPING.sql
@@ -0,0 +1 @@
+UPDATE userMetadataMapping SET auth0MetadataJsonPath='$.nameIdAttributes.value' WHERE uuid=unhex('17FD0F998F88002DC366B0D8425D0ED7');
diff --git a/GIC-Common-Area/auth/V5__CREATE_AGGREGATE_ACCESSRULE.sql b/GIC-Common-Area/auth/V5__CREATE_AGGREGATE_ACCESSRULE.sql
new file mode 100644
index 0000000..f2aa1b5
--- /dev/null
+++ b/GIC-Common-Area/auth/V5__CREATE_AGGREGATE_ACCESSRULE.sql
@@ -0,0 +1,49 @@ +use auth; + +INSERT INTO access_rule (uuid, name, description, rule, type, value, checkMapKeyOnly, checkMapNode, subAccessRuleParent_uuid, isGateAnyRelation, isEvaluateOnlyByGates) + VALUES (unhex(REPLACE(uuid(),'-','')), 'HPDS Aggregate Counts', 'HPDS Counts', '$..expectedResultType', 4, 'COUNT', 0x00, 0x00, NULL, 0x00, 0x00); + +INSERT INTO access_rule (uuid, name, description, rule, type, value, checkMapKeyOnly, checkMapNode, subAccessRuleParent_uuid, isGateAnyRelation, isEvaluateOnlyByGates) + VALUES (unhex(REPLACE(uuid(),'-','')), 'HPDS Aggregate Observation Counts', 'HPDS observation Counts', '$..expectedResultType', 4, 'OBSERVATION_COUNT', 0x00, 0x00, NULL, 0x00, 0x00); + +INSERT INTO access_rule (uuid, name, description, rule, type, value, checkMapKeyOnly, checkMapNode, subAccessRuleParent_uuid, isGateAnyRelation, isEvaluateOnlyByGates) + VALUES (unhex(REPLACE(uuid(),'-','')), 'HPDS Aggregate Observation Cross Counts', 'HPDS observation cross Counts', '$..expectedResultType', 4, 'OBSERVATION_CROSS_COUNT', 0x00, 0x00, NULL, 0x00, 0x00); + + +INSERT INTO privilege (uuid, name, description, application_id) + VALUES (unhex(REPLACE(uuid(),'-','')), + 'AGGREGATE', + 'Aggregiate Data Sharing privilege for PICSURE application', + (SELECT uuid FROM application WHERE name = 'PICSURE') + ); + +INSERT INTO accessRule_privilege (privilege_id, accessRule_id) + VALUES ( + (SELECT uuid FROM privilege WHERE name = 'AGGREGATE'), + (SELECT uuid FROM access_rule WHERE name = 'HPDS Aggregate Counts') + ); + +INSERT INTO accessRule_privilege (privilege_id, accessRule_id) + VALUES ( + (SELECT uuid FROM privilege WHERE name = 'AGGREGATE'), + (SELECT uuid FROM access_rule WHERE name = 'HPDS Aggregate Observation Counts') + ); + +INSERT INTO accessRule_privilege (privilege_id, accessRule_id) + VALUES ( + (SELECT uuid FROM privilege WHERE name = 'AGGREGATE'), + (SELECT uuid FROM access_rule WHERE name = 'HPDS Aggregate Observation Cross Counts') + ); + + +INSERT 
INTO role (uuid, name, description) + VALUES (unhex(REPLACE(uuid(),'-','')), + 'PIC-SURE Aggregate Count User', + 'PIC-SURE Aggregate Count User. Can perform aggregate count queries only.' + ); + +INSERT INTO role_privilege (role_id, privilege_id) + VALUES ( + (SELECT uuid FROM role WHERE name = 'PIC-SURE Aggregate Count User'), + (SELECT uuid FROM privilege WHERE name = 'AGGREGATE') + ); \ No newline at end of file diff --git a/GIC-Common-Area/auth/V6__ADD_DEFAULT_ROLES.sql b/GIC-Common-Area/auth/V6__ADD_DEFAULT_ROLES.sql new file mode 100644 index 0000000..5a4e3d3 --- /dev/null +++ b/GIC-Common-Area/auth/V6__ADD_DEFAULT_ROLES.sql 
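Review bot: The `AGGREGATE` privilege description is stored as `'Aggregiate Data Sharing privilege for PICSURE application'`; that string is persisted data rather than a comment, so fix the typo to `'Aggregate Data Sharing privilege for PICSURE application'` before it lands. The `(SELECT uuid FROM privilege WHERE name = 'AGGREGATE')` and `(SELECT uuid FROM access_rule WHERE name = ...)` lookups are repeated across four inserts and rely on `name` being unique, which nothing visible enforces; capturing the generated uuids in session variables the way V6 and V17 do (`SET @uuidPriv = REPLACE(UUID(),'-','')` and then `unhex(@uuidPriv)`) removes both the repetition and the more-than-one-row failure mode.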
@@ -0,0 +1,158 @@ +use auth; + +SET @uuidRule = REPLACE(UUID(),'-',''); +INSERT INTO access_rule VALUES ( + unhex(@uuidRule), + 'AR_INFO_COLUMN_LISTING', + 'allow query to info_column_listing', + '$..expectedResultType', + 4, + 'INFO_COLUMN_LISTING', + 0, + 0, + NULL, + 0, + 0 + ); + +SET @uuidPriv = REPLACE(UUID(),'-',''); +INSERT INTO privilege (uuid, name, description, application_id) + VALUES ( unhex(@uuidPriv), + 'PRIV_INFO_COLUMN_LISTING', + 'Allow access to variant info metadata', + (SELECT uuid FROM application WHERE name = 'PICSURE') + ); + +INSERT INTO accessRule_privilege (privilege_id, accessRule_id) + VALUES ( + unhex(@uuidPriv), + unhex(@uuidRule) + ); + + + SET @uuidRole = REPLACE(UUID(),'-',''); + INSERT INTO role VALUES ( + unhex(@uuidRole), + 'INFO_COLUMN_LISTING', + 'Allow access to info column metadata' + ); + +INSERT INTO role_privilege (role_id, privilege_id) + VALUES ( + unhex(@uuidRole), + unhex(@uuidPriv) + ); + + + +SET @uuidRule = REPLACE(UUID(),'-',''); +INSERT INTO access_rule VALUES ( + unhex(@uuidRule), + 'AR_ONLY_SEARCH', + 'Can only do /search', + ' $.[\'Target Service\']', + 6, + '/search', + 0, + 0, + NULL, + 0, + 0 + ); + +SET @uuidPriv = REPLACE(UUID(),'-',''); +INSERT INTO privilege (uuid, name, description, application_id) + VALUES ( unhex(@uuidPriv), + 'PRIV_ONLY_SEARCH', + 'Allow access to the /search/ function', + (SELECT uuid FROM application WHERE name = 'PICSURE') + ); + +INSERT INTO accessRule_privilege (privilege_id, accessRule_id) + VALUES ( + unhex(@uuidPriv), + unhex(@uuidRule) + ); + + + SET @uuidRole = REPLACE(UUID(),'-',''); + INSERT INTO role VALUES ( + unhex(@uuidRole), + 'SEARCH_ONLY', + 'Allow access to the /search/ function' + ); + +INSERT INTO role_privilege (role_id, privilege_id) + VALUES ( + unhex(@uuidRole), + unhex(@uuidPriv) + ); + + + + +SET @uuidRule = REPLACE(UUID(),'-',''); +INSERT INTO access_rule VALUES ( + unhex(@uuidRule), + 'AR_ONLY_resource', + 'Can only access /resource', + ' $.[\'Target 
Service\']', + 6, + '/resource', + 0, + 0, + NULL, + 0, + 0 + ); + +SET @uuidPriv = REPLACE(UUID(),'-',''); +INSERT INTO privilege (uuid, name, description, application_id) + VALUES ( unhex(@uuidPriv), + 'PRIV_ONLY_RESOURCES', + 'Allow access to the /info/resources and /resource functions', + (SELECT uuid FROM application WHERE name = 'PICSURE') + ); + +INSERT INTO accessRule_privilege (privilege_id, accessRule_id) + VALUES ( + unhex(@uuidPriv), + unhex(@uuidRule) + ); + + + +SET @uuidRule = REPLACE(UUID(),'-',''); +INSERT INTO access_rule VALUES ( + unhex(@uuidRule), + 'AR_ONLY_info/resource', + 'Can only access /info/resources', + ' $.[\'Target Service\']', + 6, + '/info/resources', + 0, + 0, + NULL, + 0, + 0 + ); + + INSERT INTO accessRule_privilege (privilege_id, accessRule_id) + VALUES ( + unhex(@uuidPriv), + unhex(@uuidRule) + ); + + + SET @uuidRole = REPLACE(UUID(),'-',''); + INSERT INTO role VALUES ( + unhex(@uuidRole), + 'RESOURCES_ONLY', + 'Allow access to the /info/resources and /resource function' + ); + +INSERT INTO role_privilege (role_id, privilege_id) + VALUES ( + unhex(@uuidRole), + unhex(@uuidPriv) + ); diff --git a/GIC-Common-Area/auth/V7__ADD_TERMS_OF_SERVICE.sql b/GIC-Common-Area/auth/V7__ADD_TERMS_OF_SERVICE.sql new file mode 100644 index 0000000..4a3d05b --- /dev/null +++ b/GIC-Common-Area/auth/V7__ADD_TERMS_OF_SERVICE.sql @@ -0,0 +1,28 @@ +use auth; + +INSERT INTO termsOfService (uuid, dateUpdated, content) + VALUES (UNHEX(REPLACE(uuid(),'-','')), CURRENT_TIMESTAMP(), + '
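Review bot: The `rule` value for AR_ONLY_SEARCH, AR_ONLY_resource and AR_ONLY_info/resource carries a leading space, `' $.[\'Target Service\']'`, while `'$..expectedResultType'` in the same file has none; the diffstat lists later FIX_LEADING_SPACES migrations (GIC-Institution V13 in this patch repairs only AR_ONLY_SEARCH), which suggests the intended form is `'$.[\'Target Service\']'`. Since these rows drive authorization decisions and the evaluator's handling of a path it cannot resolve is not visible here, a comment stating what a non-matching rule produces (deny versus skip) would help whoever maintains them. Separately, the `INSERT INTO access_rule VALUES (` statements are positional whereas the privilege inserts spell out their columns; using the explicit column list seen in the V5 hunk for access_rule as well would make the `type`, `value` and flag positions self-describing.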
+
+
+
Terms and Conditions of Use of the Genomic Information Commons (GIC) Portal
+
+
+
User must select the terms and click “accept” to certify that User agrees to the Terms and Conditions of Use of the GIC Portal:
+
+
+
+
+
+
+
+
+
+
+
+ + +
+
+
+
'); diff --git a/GIC-Common-Area/auth/V8__UPDATE_TERMS_OF_SERVICE.sql b/GIC-Common-Area/auth/V8__UPDATE_TERMS_OF_SERVICE.sql new file mode 100644 index 0000000..311aafb --- /dev/null +++ b/GIC-Common-Area/auth/V8__UPDATE_TERMS_OF_SERVICE.sql @@ -0,0 +1,29 @@ +use auth; + +INSERT INTO termsOfService (uuid, dateUpdated, content) + VALUES (UNHEX(REPLACE(uuid(),'-','')), CURRENT_TIMESTAMP(), + '
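Review bot: The `content` literal contains typographic quotes (`“accept”`) and the migration does not pin the connection character set, so the bytes stored depend on the charset of the session Flyway opens; if that is not UTF-8 the stored terms will be mangled without any error. If the JDBC URL does not already force UTF-8, a leading `SET NAMES utf8mb4;` in the migration, or a note in the README about the required connection charset, would make the dependency explicit. The V8 hunk that follows re-inserts a near-identical document and has the same dependency.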
+
+
+
Terms and Conditions of Use of the Genomic Information Commons (GIC) Portal
+
+
+
User must select the terms and click “accept” to certify that User agrees to the Terms and Conditions of Use of the GIC Portal:
+
+
+
+
+
+
+
+
+
+
+
+
+ + +
+
+
+
'); diff --git a/GIC-Common-Area/auth/V9__ADD_DATA_MANAGER_ROLES.sql b/GIC-Common-Area/auth/V9__ADD_DATA_MANAGER_ROLES.sql new file mode 100644 index 0000000..7700e39 --- /dev/null +++ b/GIC-Common-Area/auth/V9__ADD_DATA_MANAGER_ROLES.sql 
@@ -0,0 +1,295 @@ + +SET @uuidGate = REPLACE(UUID(),'-',''); +INSERT INTO access_rule VALUES ( + unhex(@uuidGate), + 'GATE_RESOURCE', + 'triggers rules for resource endpoint', + ' $.[\'Target Service\']', + 6, + '/resource', + 0, + 0, + NULL, + 0, + 0 + ); + + SET @uuidRule = REPLACE(UUID(),'-',''); + INSERT INTO access_rule VALUES ( + unhex(@uuidRule), + 'AR_RESOURCE_LIST', + 'Can list /resources', + ' $.[\'query\']', + 13, + NULL, + 0, + 0, + NULL, + 0, + 0 + ); + +INSERT INTO accessRule_gate (accessRule_id, gate_id) + VALUES (unhex(@uuidRule), unhex(@uuidGate)); + + +SET @uuidPriv = REPLACE(UUID(),'-',''); +INSERT INTO privilege (uuid, name, description, application_id) + VALUES ( unhex(@uuidPriv), + 'PRIV_LIST_RESOURCES', + 'Allow access to the /resource/ endpoint', + (SELECT uuid FROM application WHERE name = 'PICSURE') + ); + +INSERT INTO accessRule_privilege (privilege_id, accessRule_id) + VALUES ( + unhex(@uuidPriv), + unhex(@uuidRule) + ); + + +-- several privileges weren't being evaulated. 
since we need to restrict access to resource endpoint +-- we need to fix these up +INSERT INTO role_privilege (role_id, privilege_id) + values ( (select uuid from role where name = 'PIC-SURE User'), + unhex(@uuidPriv) ); + +INSERT INTO role_privilege (role_id, privilege_id) + values ( (select uuid from role where name = 'PIC-SURE User'), + (select uuid from privilege where name = 'PRIV_INFO_COLUMN_LISTING') ); + +INSERT INTO role_privilege (role_id, privilege_id) + values ( (select uuid from role where name = 'PIC-SURE User'), + (select uuid from privilege where name = 'PRIV_ONLY_SEARCH') ); + + + -- We need to fill out the aggregate rules to include cross count queries +INSERT INTO access_rule (uuid, name, description, rule, type, value, checkMapKeyOnly, checkMapNode, subAccessRuleParent_uuid, isGateAnyRelation, isEvaluateOnlyByGates) + VALUES (unhex(REPLACE(uuid(),'-','')), 'HPDS Cross Counts', 'HPDS cross Counts', '$..expectedResultType', 4, 'CROSS_COUNT', 0x00, 0x00, NULL, 0x00, 0x00); + +INSERT INTO accessRule_privilege (privilege_id, accessRule_id) + VALUES ( + (SELECT uuid FROM privilege WHERE name = 'AGGREGATE'), + (SELECT uuid FROM access_rule WHERE name = 'HPDS Cross Counts') + ); + +INSERT INTO role_privilege (role_id, privilege_id) + values ( (select uuid from role where name = 'PIC-SURE User'), + (select uuid from privilege where name = 'AGGREGATE') ); + + + + +-- now add rules for the data managers to allow updates to their resource + +-- BCH -- +set @resourceUUID = (SELECT + LOWER(CONCAT( + SUBSTR(HEX(uuid), 1, 8), '-', + SUBSTR(HEX(uuid), 9, 4), '-', + SUBSTR(HEX(uuid), 13, 4), '-', + SUBSTR(HEX(uuid), 17, 4), '-', + SUBSTR(HEX(uuid), 21) + )) from picsure.resource where name = "BCH"); + +SET @uuidRule = REPLACE(UUID(),'-',''); +INSERT INTO access_rule VALUES ( + unhex(@uuidRule), + 'AR_UPDATE_BCH_RESOURCE', + 'allow update to BCH resource', + '$..uuid', + 4, + @resourceUUID, + 0, + 0, + NULL, + 0, + 0 + ); + +SET @uuidPriv = REPLACE(UUID(),'-',''); 
+INSERT INTO privilege (uuid, name, description, application_id) + VALUES ( unhex(@uuidPriv), + 'PRIV_DATA_MANAGER_BCH', + 'Allow updates to the /resource/ endpoint for BCH resource', + (SELECT uuid FROM application WHERE name = 'PICSURE') + ); + +INSERT INTO accessRule_privilege (privilege_id, accessRule_id) + VALUES ( + unhex(@uuidPriv), + unhex(@uuidRule) + ); + +SET @uuidRole = REPLACE(UUID(),'-',''); + INSERT INTO role VALUES ( + unhex(@uuidRole), + 'DATA_MANAGER_BCH', + 'Allow Updates of BCH resource metadata' + ); + +INSERT INTO role_privilege (role_id, privilege_id) + VALUES ( + unhex(@uuidRole), + unhex(@uuidPriv) + ); + + +-- CHOP -- +set @resourceUUID = (SELECT + LOWER(CONCAT( + SUBSTR(HEX(uuid), 1, 8), '-', + SUBSTR(HEX(uuid), 9, 4), '-', + SUBSTR(HEX(uuid), 13, 4), '-', + SUBSTR(HEX(uuid), 17, 4), '-', + SUBSTR(HEX(uuid), 21) + )) from picsure.resource where name = "CHOP"); + +SET @uuidRule = REPLACE(UUID(),'-',''); +INSERT INTO access_rule VALUES ( + unhex(@uuidRule), + 'AR_UPDATE_CHOP_RESOURCE', + 'allow update to CHOP resource', + '$..uuid', + 4, + @resourceUUID, + 0, + 0, + NULL, + 0, + 0 + ); + +SET @uuidPriv = REPLACE(UUID(),'-',''); +INSERT INTO privilege (uuid, name, description, application_id) + VALUES ( unhex(@uuidPriv), + 'PRIV_DATA_MANAGER_CHOP', + 'Allow updates to the /resource/ endpoint for CHOP resource', + (SELECT uuid FROM application WHERE name = 'PICSURE') + ); + +INSERT INTO accessRule_privilege (privilege_id, accessRule_id) + VALUES ( + unhex(@uuidPriv), + unhex(@uuidRule) + ); + +SET @uuidRole = REPLACE(UUID(),'-',''); + INSERT INTO role VALUES ( + unhex(@uuidRole), + 'DATA_MANAGER_CHOP', + 'Allow Updates of CHOP resource metadata' + ); + +INSERT INTO role_privilege (role_id, privilege_id) + VALUES ( + unhex(@uuidRole), + unhex(@uuidPriv) + ); + + +-- CCHMC -- +set @resourceUUID = (SELECT + LOWER(CONCAT( + SUBSTR(HEX(uuid), 1, 8), '-', + SUBSTR(HEX(uuid), 9, 4), '-', + SUBSTR(HEX(uuid), 13, 4), '-', + SUBSTR(HEX(uuid), 17, 4), 
'-', + SUBSTR(HEX(uuid), 21) + )) from picsure.resource where name = "CCHMC"); + +SET @uuidRule = REPLACE(UUID(),'-',''); +INSERT INTO access_rule VALUES ( + unhex(@uuidRule), + 'AR_UPDATE_CCHMC_RESOURCE', + 'allow update to CCHMC resource', + '$..uuid', + 4, + @resourceUUID, + 0, + 0, + NULL, + 0, + 0 + ); + +SET @uuidPriv = REPLACE(UUID(),'-',''); +INSERT INTO privilege (uuid, name, description, application_id) + VALUES ( unhex(@uuidPriv), + 'PRIV_DATA_MANAGER_CCHMC', + 'Allow updates to the /resource/ endpoint for CCHMC resource', + (SELECT uuid FROM application WHERE name = 'PICSURE') + ); + +INSERT INTO accessRule_privilege (privilege_id, accessRule_id) + VALUES ( + unhex(@uuidPriv), + unhex(@uuidRule) + ); + +SET @uuidRole = REPLACE(UUID(),'-',''); + INSERT INTO role VALUES ( + unhex(@uuidRole), + 'DATA_MANAGER_CCHMC', + 'Allow Updates of CCHMC resource metadata' + ); + +INSERT INTO role_privilege (role_id, privilege_id) + VALUES ( + unhex(@uuidRole), + unhex(@uuidPriv) + ); + + + +-- WASHU -- +set @resourceUUID = (SELECT + LOWER(CONCAT( + SUBSTR(HEX(uuid), 1, 8), '-', + SUBSTR(HEX(uuid), 9, 4), '-', + SUBSTR(HEX(uuid), 13, 4), '-', + SUBSTR(HEX(uuid), 17, 4), '-', + SUBSTR(HEX(uuid), 21) + )) from picsure.resource where name = "WASHU"); + +SET @uuidRule = REPLACE(UUID(),'-',''); +INSERT INTO access_rule VALUES ( + unhex(@uuidRule), + 'AR_UPDATE_WASHU_RESOURCE', + 'allow update to WASHU resource', + '$..uuid', + 4, + @resourceUUID, + 0, + 0, + NULL, + 0, + 0 + ); + +SET @uuidPriv = REPLACE(UUID(),'-',''); +INSERT INTO privilege (uuid, name, description, application_id) + VALUES ( unhex(@uuidPriv), + 'PRIV_DATA_MANAGER_WASHU', + 'Allow updates to the /resource/ endpoint for WASHU resource', + (SELECT uuid FROM application WHERE name = 'PICSURE') + ); + +INSERT INTO accessRule_privilege (privilege_id, accessRule_id) + VALUES ( + unhex(@uuidPriv), + unhex(@uuidRule) + ); + +SET @uuidRole = REPLACE(UUID(),'-',''); + INSERT INTO role VALUES ( + unhex(@uuidRole), + 
'DATA_MANAGER_WASHU', + 'Allow Updates of WASHU resource metadata' + ); + +INSERT INTO role_privilege (role_id, privilege_id) + VALUES ( + unhex(@uuidRole), + unhex(@uuidPriv) + ); \ No newline at end of file diff --git a/GIC-Common-Area/picsure/V2__CREATE_HPDS_RESOURCE.sql b/GIC-Common-Area/picsure/V2__CREATE_HPDS_RESOURCE.sql new file mode 100644 index 0000000..c83db0a --- /dev/null +++ b/GIC-Common-Area/picsure/V2__CREATE_HPDS_RESOURCE.sql @@ -0,0 +1,2 @@ +use picsure; +INSERT INTO `resource` (uuid, targetURL, resourceRSPath, description, name, token) VALUES (0x__RESOURCE_UUID__,NULL,'http://hpds:8080/PIC-SURE/','Basic HPDS resource','hpds',NULL); diff --git a/GIC-Institution/auth/V10__ADD_SAD_ROLE.sql b/GIC-Institution/auth/V10__ADD_SAD_ROLE.sql new file mode 100644 index 0000000..ad77548 --- /dev/null +++ b/GIC-Institution/auth/V10__ADD_SAD_ROLE.sql 
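Review bot: This migration does not begin with `use auth;` as every other auth migration in the patch does; it qualifies `picsure.resource` explicitly but relies on the connection's default schema for `access_rule`, `privilege`, `role` and `role_privilege`, so it only works if Flyway is configured with auth as the default schema. Each `set @resourceUUID = (SELECT ... from picsure.resource where name = "BCH")` also has no guard: when the named resource is absent the variable is NULL and `AR_UPDATE_BCH_RESOURCE` is created with a NULL `value` without any error, which is hard to notice later in an authorization rule, so at minimum a comment should state that the four resources must exist before V9 runs. The resource names are written with double quotes (`"BCH"`, `"CHOP"`, `"CCHMC"`, `"WASHU"`), which become identifiers under `ANSI_QUOTES`; single quotes are the portable form used elsewhere in the file. The comment before the role_privilege fix-ups misspells 'evaluated'.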
@@ -0,0 +1,72 @@ +use auth; + +-- Add SAD rule, role, privilege + +INSERT + INTO access_rule ( + uuid, name, description, rule, type, value, checkMapKeyOnly, checkMapNode, + subAccessRuleParent_uuid, isGateAnyRelation, isEvaluateOnlyByGates + ) VALUES ( + unhex(REPLACE(uuid(),'-','')), 'Secret Dataframe', 'Dataframes that cannot be accessed', + '$..expectedResultType', 4, 'SECRET_ADMIN_DATAFRAME', 0x00, 0x00, NULL, 0x00, 0x00 + ); + +-- We alias the access rule table as 'ar' in the insert query because MYSQL doesn't let you reference the table you are +-- inserting into directly. +-- This regex is essentially matching to three cases: +-- /query +-- /query//sync +-- /query//status +INSERT + INTO access_rule ( + uuid, name, description, rule, type, value, checkMapKeyOnly, checkMapNode, + subAccessRuleParent_uuid, isGateAnyRelation, isEvaluateOnlyByGates + ) + VALUES ( + unhex(REPLACE(uuid(),'-','')), 'Secret Dataframe Query Route Regex', 'Dataframes that cannot be accessed', + '$.[\'Target Service\']', 11, '((/query.*/(sync|status))|(/query))$', 0x00, 0x00, + (SELECT ar.uuid FROM access_rule as ar WHERE ar.name = 'Secret Dataframe'), 0x00, 0x00 + ); + + +INSERT + INTO privilege (uuid, name, description, application_id) + VALUES ( + unhex(REPLACE(uuid(),'-','')), 'SECRET_ADMIN_DATAFRAME', 'Un-viewable dataframe privilege for PICSURE application', + (SELECT uuid FROM application WHERE name = 'PICSURE') + ); + +INSERT + INTO accessRule_privilege (privilege_id, accessRule_id) + VALUES ( + (SELECT uuid FROM privilege WHERE name = 'SECRET_ADMIN_DATAFRAME'), + (SELECT uuid FROM access_rule WHERE name = 'Secret Dataframe') + ); + +INSERT + INTO role (uuid, name, description) + VALUES (unhex(REPLACE(uuid(),'-','')), + 'PIC-SURE Secret Dataframe Requester', + 'PIC-SURE Secret Dataframe Requester. Can create dataframes, but cannot view them.' 
+ ); + +INSERT + INTO role_privilege (role_id, privilege_id) + VALUES ( + (SELECT uuid FROM role WHERE name = 'PIC-SURE Secret Dataframe Requester'), + (SELECT uuid FROM privilege WHERE name = 'SECRET_ADMIN_DATAFRAME') + ); + +-- The GIC institute nodes have a special user called CommonAreaUser that the common area uses to run federated queries. +-- This user now needs the ability to run these queries, so we add them to the Secret Admin Dataframe role + +-- We're ignoring duplicate key errors (the constraint will still be enforced) to handle institutes that already +-- upgraded and did this manually. + +-- This is a copy of the last migrator. I was worried about modifying migrators that may have already run, +-- so I just duplicated the logic. V9 will always fail outside of weird environments that I patched together +INSERT IGNORE INTO user_role (user_id, role_id) + VALUES ( + (SELECT uuid FROM user WHERE email = 'CommonAreaUser'), + (SELECT uuid FROM role WHERE name = 'PIC-SURE Secret Dataframe Requester') + ); diff --git a/GIC-Institution/auth/V11__VARIANT_EXPLORER.sql b/GIC-Institution/auth/V11__VARIANT_EXPLORER.sql new file mode 100644 index 0000000..6aec045 --- /dev/null +++ b/GIC-Institution/auth/V11__VARIANT_EXPLORER.sql 
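Review bot: The regex for 'Secret Dataframe Query Route Regex', `'((/query.*/(sync|status))|(/query))$'`, is anchored only at the end, whereas V12 in the same tree anchors both ends (`'^/(?!proxy).*$'`); unless the evaluator applies full-match semantics (not visible here), any path that merely ends in `/query` satisfies it. Suggest `'^((/query.*/(sync|status))|(/query))$'` so the two rules follow one convention, and adjusting the three-case comment, since `/query.*/(sync|status)` matches any path beginning with `/query` and ending in `/sync` or `/status`, not just `/query//sync` and `/query//status`. The copied CommonAreaUser block at the end repeats V9 verbatim; the comment explains why, but it should also say that the V9 statement is expected to be a no-op on fresh installs so the next reader does not try to fix either copy.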
@@ -0,0 +1,49 @@ +use auth; + +SET @resourceUUID = (SELECT + LOWER(CONCAT( + SUBSTR(HEX(uuid), 1, 8), '-', + SUBSTR(HEX(uuid), 9, 4), '-', + SUBSTR(HEX(uuid), 13, 4), '-', + SUBSTR(HEX(uuid), 17, 4), '-', + SUBSTR(HEX(uuid), 21) + )) from picsure.resource where name = "PIC-SURE Aggregate Resource"); + +SET @uuidParentRule = REPLACE(UUID(),'-',''); +SET @uuidChildRule = REPLACE(UUID(),'-',''); + +INSERT + INTO access_rule ( + uuid, name, description, rule, type, value, checkMapKeyOnly, checkMapNode, + subAccessRuleParent_uuid, isGateAnyRelation, isEvaluateOnlyByGates + ) VALUES ( + unhex(@uuidParentRule), 'EXPLORE_VARIANT', 'Sync query for variant explorer', '$..expectedResultType', 11, + '(VARIANT_COUNT_FOR_QUERY|AGGREGATE_VCF_EXCERPT)', 0x00, 0x00, NULL, 0x00, 0x00 + ); + +INSERT + INTO access_rule ( + uuid, name, description, rule, type, value, checkMapKeyOnly, checkMapNode, + subAccessRuleParent_uuid, isGateAnyRelation, isEvaluateOnlyByGates + ) + VALUES ( + unhex(@uuidChildRule), 'EXPLORE_VARIANT_URI', 'Sync query for variant explorer', + '$.[\'Target Service\']', 4, '/query/sync', 0x00, 0x00, + unhex(@uuidParentRule), 0x00, 0x00 + ); + +SET @uuidPriv = REPLACE(UUID(),'-',''); +INSERT + INTO privilege (uuid, name, description, application_id) + VALUES ( + unhex(@uuidPriv), 'EXPLORE_VARIANT', 'Explore aggregate results for variant', + (SELECT uuid FROM application WHERE name = 'PICSURE') + ); + +INSERT + INTO accessRule_privilege (privilege_id, accessRule_id) + VALUES (unhex(@uuidPriv), unhex(@uuidParentRule)); + +INSERT + INTO role_privilege (role_id, privilege_id) + VALUES ((SELECT uuid FROM role WHERE name = 'PIC-SURE Aggregate Count Role'), unhex(@uuidPriv)); diff --git a/GIC-Institution/auth/V12__ADD_RULES.sql b/GIC-Institution/auth/V12__ADD_RULES.sql new file mode 100644 index 0000000..0aeccfe --- /dev/null +++ b/GIC-Institution/auth/V12__ADD_RULES.sql 
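Review bot: `@resourceUUID` is computed from `picsure.resource where name = "PIC-SURE Aggregate Resource"` and then never referenced in this migration, so the eight-line lookup is dead code and should be removed or wired into a rule. The final role_privilege insert resolves the role with `(SELECT uuid FROM role WHERE name = 'PIC-SURE Aggregate Count Role')`, which yields NULL if the role created by V4 is missing; since both rules and the privilege are already captured in session variables, a comment recording the dependency on V4 is the least that should accompany this lookup. The double-quoted literal is also the only one in the file; `'PIC-SURE Aggregate Resource'` avoids `ANSI_QUOTES` surprises.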
@@ -0,0 +1,57 @@ +use auth; + +-- The way authorization works for PIC-SURE is odd. Generally, you assign users a series of privileges. +-- Each privilege has has a series of access rules that determine what you can access with that role. +-- BUT +-- If all the users privileges combine to have NO access rules, then that user gets UNIVERSAL access. +-- This results in really weird behavior when you add access rules to a privilege + role. You expect +-- for the user's permissions to expand, when in really you can actually drastically reduce permissions. +-- +-- The default role 'PIC-SURE User' has the privilege 'PIC_SURE_ANY_QUERY'. In this case, 'any query' +-- means any request. Now, there are other restrictions on requests that are enforced at the role level +-- using the @RolesAllowed annotation. This is what would stop an attacker from granting themselves roles, etc. +-- +-- All of this is to say, if I write a rule that grants the Data Admin permission to use the uploader resource +-- I'll actually just restrict them from using the rest of the application. So I have to: +-- 1. Make the implicit access rules that exist for the PIC_SURE_ANY_QUERY privilege explicit +-- 2. Make an access rule and privilege for the Data Admin to access the uploader resource +-- This is a bit tricky; I have to go by request URI and not resource ID because the resource may not be added +-- when this migrator runs. + + +SET @allowNonProxyRequests = unhex(REPLACE(UUID(),'-','')); + +-- Access rule for making existing PIC_SURE_ANY_QUERY logic explicit. Allows all requests +-- to any NON proxy endpoint. 
+INSERT + INTO access_rule ( + uuid, name, description, rule, type, value, checkMapKeyOnly, checkMapNode, + subAccessRuleParent_uuid, isGateAnyRelation, isEvaluateOnlyByGates + ) VALUES ( + @allowNonProxyRequests, 'ALLOW_NON_PROXY_REQUESTS', 'Permit requests to non proxy endpoints', + '$.[\'Target Service\']', 11, '^/(?!proxy).*$', 0x00, 0x00, NULL, 0x00, 0x00 + ); + +-- Add that access rule to the PIC_SURE_ANY_QUERY privilege +SET @uuidPriv = (SELECT uuid FROM privilege WHERE name = 'PIC_SURE_ANY_QUERY'); +INSERT + INTO accessRule_privilege (privilege_id, accessRule_id) + VALUES + (@uuidPriv, @allowNonProxyRequests); + +SET @allowUploaderRequests = unhex(REPLACE(UUID(),'-','')); +-- Access rule for allowing requests to the uploader via proxy +INSERT + INTO access_rule ( + uuid, name, description, rule, type, value, checkMapKeyOnly, checkMapNode, + subAccessRuleParent_uuid, isGateAnyRelation, isEvaluateOnlyByGates + ) VALUES ( + @allowUploaderRequests, 'ALLOW_UPLOADER', 'Permit requests to uploader endpoints', + '$.[\'Target Service\']', 11, '^/proxy/uploader.*$', 0x00, 0x00, NULL, 0x00, 0x00 + ); +-- Add that access rule to the DATA_ADMIN privilege +SET @uuidPriv = (SELECT uuid FROM privilege WHERE name = 'DATA_ADMIN'); +INSERT + INTO accessRule_privilege (privilege_id, accessRule_id) + VALUES + (@uuidPriv, @allowUploaderRequests); diff --git a/GIC-Institution/auth/V13__FIX_LEADING_SPACES.sql b/GIC-Institution/auth/V13__FIX_LEADING_SPACES.sql new file mode 100644 index 0000000..c7d997e --- /dev/null +++ b/GIC-Institution/auth/V13__FIX_LEADING_SPACES.sql @@ -0,0 +1,5 @@ +use auth; + +UPDATE access_rule + SET rule = '$.[\'Target Service\']' + WHERE name IN ('AR_ONLY_SEARCH'); diff --git a/GIC-Institution/auth/V2__CONFIGURE_PIC_SURE_APPLICATION.sql b/GIC-Institution/auth/V2__CONFIGURE_PIC_SURE_APPLICATION.sql new file mode 100644 index 0000000..fd0a9a9 --- /dev/null +++ b/GIC-Institution/auth/V2__CONFIGURE_PIC_SURE_APPLICATION.sql 
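Review bot: The header comment explains the universal-access fallback well, but the comment above ALLOW_NON_PROXY_REQUESTS should state the consequence of `'^/(?!proxy).*$'`: once this rule exists, holders of PIC_SURE_ANY_QUERY are denied every `/proxy/...` path unless another rule grants it, so each new proxy target needs its own rule — a fail-closed default worth writing down, e.g. `-- Fail-closed: new /proxy/* endpoints are NOT reachable via PIC_SURE_ANY_QUERY until a rule grants them.` Both `SET @uuidPriv = (SELECT uuid FROM privilege WHERE name = ...)` lookups have no guard; if a privilege were missing, the accessRule_privilege insert would receive NULL, so a one-line comment noting the dependency on the V2 and V8 migrations would help. Minor wording in the header: 'has has' and 'when in really' should read 'has' and 'when in reality'.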
@@ -0,0 +1,17 @@
+use auth;
+INSERT INTO application VALUES (0x__APPLICATION_UUID__,'PIC-SURE multiple data access API',0x01,'PICSURE','','/picsureui');
+INSERT INTO `privilege` VALUES
+(0x7044061AF65B425F86CE73A1BF7F4402,'PIC-SURE Auth super admin for managing roles/privileges/application/connections','SUPER_ADMIN',NULL,'[]',NULL),
+(0xAD08212E096F414CBA8D1BAE09415DAB,'PIC-SURE Auth admin for managing users.','ADMIN',NULL,'[]',NULL);
+INSERT INTO `privilege` VALUES (0xF65B425F867044061ACE73A1BF7F4402,'User who cann run any PIC-SURE Query','PIC_SURE_ANY_QUERY',0x__APPLICATION_UUID__,'[]',NULL);
+INSERT INTO `role` VALUES (0x002DC366B0D8420F998F885D0ED797FD,'PIC-SURE Top Admin','PIC-SURE Auth Micro App Top admin including Admin and super Admin, can manage roles and privileges directly');
+INSERT INTO `role` VALUES (0x8F885D0ED797FD002DC366B0D8420F99,'Admin','Normal admin users, can manage other users including assignment of roles and privileges');
+INSERT INTO `role` VALUES (0x797FD002DC366B0D8420F998F885D0ED,'PIC-SURE User','Normal user, can run any query including data export.');
+INSERT INTO `connection` VALUES (0x97FD002DC366B0D8420F998F885D0ED7, 'Google', 'google-oauth2','google-oauth2|','[{"label":"Email", "id":"email"}]');
+INSERT INTO `role_privilege` VALUES
+(0x002DC366B0D8420F998F885D0ED797FD,0x7044061AF65B425F86CE73A1BF7F4402),
+(0x002DC366B0D8420F998F885D0ED797FD,0xAD08212E096F414CBA8D1BAE09415DAB),
+(0x8F885D0ED797FD002DC366B0D8420F99,0xAD08212E096F414CBA8D1BAE09415DAB),
+(0x797FD002DC366B0D8420F998F885D0ED,0xF65B425F867044061ACE73A1BF7F4402);
+INSERT INTO `userMetadataMapping` VALUES
+(unhex('17FD002DC366B0D8420F998F885D0ED7'), '$.email', unhex('97FD002DC366B0D8420F998F885D0ED7'), '$.email');
diff --git a/GIC-Institution/auth/V3__CONFIGURE_JUPYTERHUB_APPLICATION.sql b/GIC-Institution/auth/V3__CONFIGURE_JUPYTERHUB_APPLICATION.sql
new file mode 100644
index 0000000..6c62d96
--- /dev/null
+++ b/GIC-Institution/auth/V3__CONFIGURE_JUPYTERHUB_APPLICATION.sql
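Review bot: The application, privilege, role, connection and role_privilege rows are inserted positionally (`INSERT INTO application VALUES (...)`), so the meaning of `0x01`, the empty string and `'[]'` is invisible and any column reorder in the schema silently shifts values; the auth migrations later in this patch use explicit column lists (`INSERT INTO privilege (uuid, name, description, application_id)`), and this baseline would benefit from the same. `0x__APPLICATION_UUID__` is a placeholder that must be substituted before Flyway sees the file, presumably by the deployment pipeline; nothing in the patch documents that step, and the README hunk would be the place for it. The PIC_SURE_ANY_QUERY description misspells 'can' (`'User who cann run any PIC-SURE Query'`).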
@@ -0,0 +1,5 @@
+use auth;
+INSERT INTO application VALUES (0xDEADBEEFE9B1458594536ED31D456752,'JupyterHub authentication via PSAMA',0x01,'JupyterHub','','/jupyterhub');
+INSERT INTO `privilege` VALUES (0x530AF81BE8F744AB85E8222D0C743410,'JupyterHub user for accessing notebooks','JUPYTER_USER',0xDEADBEEFE9B1458594536ED31D456752,'[]',NULL);
+INSERT INTO `role` VALUES (0x7EF44B39239318D5B4C2D467580CE4E8,'JupyterHub User','The user is able to access JupyterHub as a normal user');
+INSERT INTO `role_privilege` VALUES (0x7EF44B39239318D5B4C2D467580CE4E8, 0x530AF81BE8F744AB85E8222D0C743410);
diff --git a/GIC-Institution/auth/V4__CREATE_AGGREGATE_RULES_AND_USER.sql b/GIC-Institution/auth/V4__CREATE_AGGREGATE_RULES_AND_USER.sql
new file mode 100644
index 0000000..9182280
--- /dev/null
+++ b/GIC-Institution/auth/V4__CREATE_AGGREGATE_RULES_AND_USER.sql
@@ -0,0 +1,105 @@ +use picsure; + +SET @uuidAggResource = (SELECT + (LOWER(CONCAT( + SUBSTR(HEX(uuid), 1, 8), '-', + SUBSTR(HEX(uuid), 9, 4), '-', + SUBSTR(HEX(uuid), 13, 4), '-', + SUBSTR(HEX(uuid), 17, 4), '-', + SUBSTR(HEX(uuid), 21) + ))) +FROM resource where name like 'PIC-SURE Aggregate Resource%' limit 1); + +use auth; + +SET @uuidResourceRule = REPLACE(UUID(),'-',''); +INSERT INTO access_rule (uuid, name, description, rule, type, value, checkMapKeyOnly, checkMapNode, subAccessRuleParent_uuid, isGateAnyRelation, isEvaluateOnlyByGates) + VALUES (unhex(@uuidResourceRule), 'Aggregate Only Access', 'Allow Access to Aggregate Resource', '$..resourceUUID', 4, @uuidAggResource, 0x00, 0x00, unhex(@uuidCountRule), 0x00, 0x00); + + + +SET @uuidCountPrivilege = REPLACE(UUID(),'-',''); + +INSERT INTO privilege (uuid, name, description, application_id) + VALUES (unhex(@uuidCountPrivilege), + 'AGGREGATE', + 'Aggregiate Data Sharing privilege for PICSURE application', + (SELECT uuid FROM application WHERE name = 'PICSURE') + ); + + +SET @uuidCountRule = REPLACE(UUID(),'-',''); +INSERT INTO access_rule (uuid, name, description, rule, type, value, checkMapKeyOnly, checkMapNode, subAccessRuleParent_uuid, isGateAnyRelation, isEvaluateOnlyByGates) + VALUES (unhex(@uuidCountRule), 'HPDS Aggregate Counts', 'HPDS counts', '$..expectedResultType', 4, 'COUNT', 0x00, 0x00, NULL, 0x00, 0x00); + +INSERT INTO accessRule_gate (accessRule_id, gate_id) + VALUES ( + unhex(@uuidCountRule), + unhex(@uuidResourceRule) + ); + +INSERT INTO accessRule_privilege (privilege_id, accessRule_id) + VALUES ( + unhex(@uuidCountPrivilege), + unhex(@uuidCountRule) + ); + +SET @uuidRule = REPLACE(UUID(),'-',''); +INSERT INTO access_rule (uuid, name, description, rule, type, value, checkMapKeyOnly, checkMapNode, subAccessRuleParent_uuid, isGateAnyRelation, isEvaluateOnlyByGates) + VALUES (unhex(@uuidRule), 'HPDS Aggregate Cross Counts', 'HPDS cross counts', '$..expectedResultType', 4, 'CROSS_COUNT', 0x00, 
0x00, NULL, 0x00, 0x00); + +INSERT INTO accessRule_gate (accessRule_id, gate_id) + VALUES ( + unhex(@uuidRule), + unhex(@uuidResourceRule) + ); + +INSERT INTO accessRule_privilege (privilege_id, accessRule_id) + VALUES ( + unhex(@uuidCountPrivilege), + unhex(@uuidRule) + ); + +SET @uuidRule = REPLACE(UUID(),'-',''); +INSERT INTO access_rule VALUES (unhex(@uuidRule), 'AR_INFO_COLUMN_LISTING', 'Allow query to info_column_listing', '$..expectedResultType', 4, 'INFO_COLUMN_LISTING', 0, 0, NULL, 0, 0); + +INSERT INTO accessRule_gate (accessRule_id, gate_id) + VALUES ( + unhex(@uuidRule), + unhex(@uuidResourceRule) + ); + +INSERT INTO accessRule_privilege (privilege_id, accessRule_id) +VALUES ( + unhex(@uuidCountPrivilege), + unhex(@uuidRule) +); + +SET @uuidRule = REPLACE(UUID(),'-',''); +INSERT INTO access_rule VALUES ( unhex(@uuidRule), 'AR_ONLY_SEARCH', 'Can do /search', ' $.[\'Target Service\']', 6, '/search', 0, 0, NULL, 0, 0); +INSERT INTO accessRule_privilege (privilege_id, accessRule_id) +VALUES ( + unhex(@uuidCountPrivilege), + unhex(@uuidRule) +); + +SET @uuidRole = REPLACE(UUID(),'-',''); +INSERT INTO role (uuid, name, description) + VALUES (unhex(@uuidRole), + 'PIC-SURE Aggregate Count Role', + 'Can perform count queries using the aggregate resource only.' + ); + +INSERT INTO role_privilege (role_id, privilege_id) + VALUES ( + unhex(@uuidRole), + unhex(@uuidCountPrivilege) + ); + + +SET @uuidConn = REPLACE(UUID(),'-',''); +INSERT INTO `connection` VALUES (unhex(@uuidConn), 'Manual Token Connection', 'manual-token','',''); + +SET @uuidUser = REPLACE(UUID(),'-',''); +INSERT INTO user VALUES (unhex(@uuidUser), null, null, null, unhex(@uuidConn),'CommonAreaUser',0,concat('PIC_SURE_USER|', REPLACE(UUID(),'-','')),1,null); +INSERT INTO user_role VALUES (unhex(@uuidUser), unhex(@uuidRole)); diff --git a/GIC-Institution/auth/V5__ADD_CROSS_COUNT_RULES.sql b/GIC-Institution/auth/V5__ADD_CROSS_COUNT_RULES.sql new file mode 100644 index 0000000..fccf8ab --- /dev/null 
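Review bot: The first access_rule insert passes `unhex(@uuidCountRule)` as subAccessRuleParent_uuid, but `SET @uuidCountRule` only appears later in the file, so the 'Aggregate Only Access' rule gets NULL — or a stale value if the session variable survives from an earlier statement on the same connection; if no parent is intended, write `NULL` explicitly, otherwise move the `SET` above the insert. The V5 hunk that follows copies the same line with the same problem. `@uuidAggResource` is selected with `like 'PIC-SURE Aggregate Resource%' limit 1` and no `ORDER BY`, so with two matching resources the chosen one is arbitrary. The `INSERT INTO user VALUES (...)` creating the CommonAreaUser service account is positional as well; an explicit column list would make clear which column receives `concat('PIC_SURE_USER|', ...)` and what the two flag values mean.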
+++ b/GIC-Institution/auth/V5__ADD_CROSS_COUNT_RULES.sql 
@@ -0,0 +1,52 @@ +use picsure; + +SET @uuidAggResource = (SELECT + (LOWER(CONCAT( + SUBSTR(HEX(uuid), 1, 8), '-', + SUBSTR(HEX(uuid), 9, 4), '-', + SUBSTR(HEX(uuid), 13, 4), '-', + SUBSTR(HEX(uuid), 17, 4), '-', + SUBSTR(HEX(uuid), 21) + ))) +FROM resource where name like 'PIC-SURE Aggregate Resource%' limit 1); + +use auth; + +SET @uuidResourceRule = REPLACE(UUID(),'-',''); +INSERT INTO access_rule (uuid, name, description, rule, type, value, checkMapKeyOnly, checkMapNode, subAccessRuleParent_uuid, isGateAnyRelation, isEvaluateOnlyByGates) + VALUES (unhex(@uuidResourceRule), 'Aggregate Only Access', 'Allow Access to Aggregate Resource', '$..resourceUUID', 4, @uuidAggResource, 0x00, 0x00, unhex(@uuidCountRule), 0x00, 0x00); + + +INSERT INTO access_rule (uuid, name, description, rule, type, value, checkMapKeyOnly, checkMapNode, subAccessRuleParent_uuid, isGateAnyRelation, isEvaluateOnlyByGates) + VALUES (unhex(REPLACE(uuid(),'-','')), 'HPDS Aggregate Observation Counts', 'HPDS observation Counts', '$..expectedResultType', 4, 'OBSERVATION_COUNT', 0x00, 0x00, NULL, 0x00, 0x00); + +INSERT INTO access_rule (uuid, name, description, rule, type, value, checkMapKeyOnly, checkMapNode, subAccessRuleParent_uuid, isGateAnyRelation, isEvaluateOnlyByGates) + VALUES (unhex(REPLACE(uuid(),'-','')), 'HPDS Aggregate Observation Cross Counts', 'HPDS observation cross Counts', '$..expectedResultType', 4, 'OBSERVATION_CROSS_COUNT', 0x00, 0x00, NULL, 0x00, 0x00); + + +INSERT INTO accessRule_gate (accessRule_id, gate_id) + VALUES ( + (SELECT uuid FROM access_rule WHERE name = 'HPDS Aggregate Observation Cross Counts'), + unhex(@uuidResourceRule) + ); + + +INSERT INTO accessRule_gate (accessRule_id, gate_id) + VALUES ( + (SELECT uuid FROM access_rule WHERE name = 'HPDS Aggregate Observation Counts'), + unhex(@uuidResourceRule) + ); + + + INSERT INTO accessRule_privilege (privilege_id, accessRule_id) + VALUES ( + (SELECT uuid FROM privilege WHERE name = 'AGGREGATE'), + (SELECT uuid FROM 
access_rule WHERE name = 'HPDS Aggregate Observation Counts') + ); + +INSERT INTO accessRule_privilege (privilege_id, accessRule_id) + VALUES ( + (SELECT uuid FROM privilege WHERE name = 'AGGREGATE'), + (SELECT uuid FROM access_rule WHERE name = 'HPDS Aggregate Observation Cross Counts') + ); + diff --git a/GIC-Institution/auth/V6__FIX_CONNECTION_CONFIGURATION_ERROR.sql b/GIC-Institution/auth/V6__FIX_CONNECTION_CONFIGURATION_ERROR.sql new file mode 100644 index 0000000..202340d --- /dev/null +++ b/GIC-Institution/auth/V6__FIX_CONNECTION_CONFIGURATION_ERROR.sql @@ -0,0 +1,3 @@ +use auth; + +update connection set requiredFields = "[]" where id = "manual-token"; \ No newline at end of file diff --git a/GIC-Institution/auth/V7__FIX_CONNECTION_CONFIGURATION_FORREAL.sql b/GIC-Institution/auth/V7__FIX_CONNECTION_CONFIGURATION_FORREAL.sql new file mode 100644 index 0000000..0be983c --- /dev/null +++ b/GIC-Institution/auth/V7__FIX_CONNECTION_CONFIGURATION_FORREAL.sql @@ -0,0 +1,4 @@ +use auth; + +update connection set requiredFields = '[{"label":"Account Name", "id":"name"}]' where id = "manual-token"; +update user set general_metadata = '{"name":"Common Area Service User"}' where email = "CommonAreaUser"; \ No newline at end of file diff --git a/GIC-Institution/auth/V8__SITE_ADMIN.sql b/GIC-Institution/auth/V8__SITE_ADMIN.sql new file mode 100644 index 0000000..384a4db --- /dev/null +++ b/GIC-Institution/auth/V8__SITE_ADMIN.sql 
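Review bot: A second access_rule named 'Aggregate Only Access' is inserted here although V4 already created one with that name and wired its gate relationships to it; the new observation-count rules are gated on the duplicate, so two gate rows now have to be kept in sync. Reusing the existing gate — `SET @uuidResourceRule = (SELECT HEX(uuid) FROM access_rule WHERE name = 'Aggregate Only Access');` — and dropping the re-insert would avoid the duplication, assuming the name is unique at that point. The copied insert also references `@uuidCountRule`, which is never set in this file (see the V4 note), and the link inserts resolve the `AGGREGATE` privilege and the new rules by name rather than via the session-variable pattern used for `@uuidResourceRule`.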
@@ -0,0 +1,22 @@
+use auth;
+
+SET @uuidRole = REPLACE(UUID(),'-','');
+INSERT INTO role VALUES (
+ unhex(@uuidRole),
+ 'Data Admin',
+ 'Allow access to Dataset Requests tab'
+ );
+
+SET @uuidPrivilege = REPLACE(UUID(),'-','');
+INSERT INTO privilege (uuid, name, description, application_id)
+ VALUES (unhex(@uuidPrivilege),
+ 'DATA_ADMIN',
+ 'Data Admin privilege for PICSURE application',
+ (SELECT uuid FROM application WHERE name = 'PICSURE')
+ );
+
+INSERT INTO role_privilege (role_id, privilege_id)
+ VALUES (
+ unhex(@uuidRole),
+ unhex(@uuidPrivilege)
+ );
\ No newline at end of file
diff --git a/GIC-Institution/auth/V9__ADD_SAD_ROLE_TO_INST_USER.sql b/GIC-Institution/auth/V9__ADD_SAD_ROLE_TO_INST_USER.sql
new file mode 100644
index 0000000..6b42a2e
--- /dev/null
+++ b/GIC-Institution/auth/V9__ADD_SAD_ROLE_TO_INST_USER.sql
@@ -0,0 +1,12 @@
+use auth;
+
+-- The GIC institute nodes have a special user called CommonAreaUser that the common area uses to run federated queries.
+-- This user now needs the ability to run these queries, so we add them to the Secret Admin Dataframe role
+
+-- We're ignoring duplicate key errors (the constraint will still be enforced) to handle institutes that already
+-- upgraded and did this manually.
+INSERT IGNORE INTO user_role (user_id, role_id)
+ VALUES (
+ (SELECT uuid FROM user WHERE email = 'CommonAreaUser'),
+ (SELECT uuid FROM role WHERE name = 'PIC-SURE Secret Dataframe Requester')
+ );
diff --git a/GIC-Institution/picsure/V3.1__CREATE_HPDS_RESOURCE.sql b/GIC-Institution/picsure/V3.1__CREATE_HPDS_RESOURCE.sql
new file mode 100644
index 0000000..2438414
--- /dev/null
+++ b/GIC-Institution/picsure/V3.1__CREATE_HPDS_RESOURCE.sql
@@ -0,0 +1,6 @@
+use picsure;
+
+INSERT IGNORE INTO `resource`
+ (uuid, targetURL, resourceRSPath, description, name, token, hidden, metadata)
+ VALUES
+ (0x__RESOURCE_UUID__,NULL,'http://hpds:8080/PIC-SURE/','Basic HPDS resource','hpds',NULL, FALSE, NULL);
\ No newline at end of file
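Review bot: `INSERT INTO role VALUES (` has no column list, so the meaning of the three values depends on the physical column order of `role`; the `privilege` INSERT a few lines down spells out its columns and the role one should too, `INSERT INTO role (uuid, name, description) VALUES (` (assuming the third column is named `description` as in `privilege`). Separately, `(SELECT uuid FROM application WHERE name = 'PICSURE')` yields NULL if the application row is missing, which would leave a `DATA_ADMIN` privilege bound to no application unless `application_id` is NOT NULL; a comment stating that V8 presumes the 'PICSURE' application already exists (created by an earlier migration, presumably V2) would make that dependency visible.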
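Review bot: `INSERT IGNORE INTO user_role` suppresses more than the duplicate-key error the comment describes: if either subquery returns NULL because `CommonAreaUser` or the 'PIC-SURE Secret Dataframe Requester' role is absent on a given institution's node, MySQL downgrades the error to a warning and the migration reports success without the grant (writing either nothing or a row holding the column's implicit default, depending on nullability). Since this grant is what lets the common-area service account run federated queries, the migration should fail when its prerequisites are missing and ignore only the duplicate: drop `IGNORE` and append `ON DUPLICATE KEY UPDATE user_id = user_id` after the closing `)`, which relies on the same unique constraint the comment already assumes. The comment's "Secret Admin Dataframe role" also does not match the role name the query uses; the name in the SQL is the one to keep in the comment.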
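Review bot: `0x__RESOURCE_UUID__` is not a Flyway `${placeholder}`, so this file depends on an external text substitution that nothing in the file names; if that step is skipped the statement errors out (unknown column or bad literal), which is the right failure, but the convention should be stated, e.g. `-- __RESOURCE_UUID__ is replaced with the resource's 32-hex-digit uuid before Flyway runs (TODO: name the rendering step)`. As in V9, `INSERT IGNORE` also hides any other ignorable error on this row; `ON DUPLICATE KEY UPDATE uuid = uuid` keeps the re-run safety while letting other failures surface, provided `uuid` is the table's key.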
diff --git a/README.md b/README.md
index c35058f..97317d6 100644
--- a/README.md
+++ b/README.md
@@ -1,2 +1,12 @@
 # PIC-SURE-Migrations
-Database migrations for the PIC-SURE All-in-One.
+## Database migrations for the PIC-SURE All-in-One.
+
+This repository contains the database migrations for the PIC-SURE All-in-One. The migrations are written in [Flyway](https://flywaydb.org/) and are executed using the [PIC-SURE All-in-One](https://github.com/hms-dbmi/pic-sure-all-in-one) via the [PIC-SURE Database Migrations](https://github.com/hms-dbmi/pic-sure-all-in-one/blob/master/initial-configuration/jenkins/jenkins-docker/jobs/PIC-SURE%20Database%20Migrations/) Jenkins job.
+
+## This respository contains the following migrations:
+1. Baseline Migration
+2. GIC Institution Migration
+3. GIC Common Area Migration
+
+> Note: if you are looking for the BDC PIC-SURE Migrations, please see the [BDC Infrastructure](https://github.com/hms-dbmi/pic-sure-bdc-infrastructure/tree/master/app-infrastructure/db) repository.
+
