diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index cab15207..382397c1 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -29,7 +29,7 @@ jobs:
 - name: "initialize container"
 run: |
- docker run -d -p 5432:5432 --name signalo opengisch/signalo:unstable
+ docker run -d -p 5432:5432 --name signalo -v $(pwd):/src opengisch/signalo:unstable
 docker exec signalo init_db.sh wait
 docker exec -e PGSERVICE=pg_signalo_demo signalo init_db.sh build -d
 docker exec -e PGSERVICE=pg_signalo_demo signalo /src/scripts/all-signs.py
@@ -66,6 +66,12 @@ jobs:
 run: |
 docker push opengisch/signalo:unstable
+ - name: Deploy Demo DB
+ run: |
+ docker exec signalo pg_dump --format custom --exclude-schema=public --blobs --compress 5 --file signalo-testing-db-dump-with-demo.backup signalo
+ pg_restore --host=${DEMO_DB_HOST} --username=${DEMO_DB_USER} --port=${DEMO_DB_PORT} --dbname==${DEMO_DB_TESTING} --exit-on-error --clean --if-exists --no-owner signalo-testing-db-dump-with-demo.backup
+ psql --host=${DEMO_DB_HOST} --username=${DEMO_DB_USER} --port=${DEMO_DB_PORT} --dbname=${DEMO_DB_TESTING} -v EXIT_ON_ERROR=on -f ./datamodel/roles.sql
+
 - name: "failure logs"
 if: failure()
 run: |
diff --git a/datamodel/roles/create.sql b/datamodel/roles/create.sql
new file mode 100644
index 00000000..e25b092c
--- /dev/null
+++ b/datamodel/roles/create.sql
@@ -0,0 +1,5 @@
+
+CREATE ROLE signalo_viewer NOSUPERUSER INHERIT NOCREATEDB NOCREATEROLE NOREPLICATION;
+CREATE ROLE signalo_user NOSUPERUSER INHERIT NOCREATEDB NOCREATEROLE NOREPLICATION;
+
+GRANT signalo_viewer TO signalo_user;
diff --git a/datamodel/roles/setup.sql b/datamodel/roles/setup.sql
new file mode 100644
index 00000000..146afb9a
--- /dev/null
+++ b/datamodel/roles/setup.sql
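Review bot: `--dbname==${DEMO_DB_TESTING}` on the pg_restore line in the new "Deploy Demo DB" step has a doubled `=`, so the database name handed to pg_restore is `=<name>` and the restore fails or targets the wrong database; it should read `--dbname=${DEMO_DB_TESTING}`. The psql line passes `-v EXIT_ON_ERROR=on`, but the variable psql honours is `ON_ERROR_STOP` (as datamodel/setup.sh uses), so a failing GRANT would not stop the step, and it targets `./datamodel/roles.sql` while this commit adds `datamodel/roles/create.sql` and `datamodel/roles/setup.sql`, not a `roles.sql`. pg_dump runs inside the container via `docker exec` and writes the dump to the container's working directory, whereas pg_restore runs on the runner and reads it from the checkout; that only works if the container's working directory is the `/src` mount, which the hunk does not show, so `--file /src/signalo-testing-db-dump-with-demo.backup` would make the hand-off explicit. Because `pg_restore --clean` rewrites a live database from CI, confirm the job is gated to trusted refs (the condition is outside this hunk) so a pull request cannot trigger it.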
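Review bot: `CREATE ROLE signalo_viewer` and `CREATE ROLE signalo_user` are not idempotent: roles are cluster-wide, so running this file a second time against the same instance (setup.sh -r on an existing database, or the CI psql step after a restore that left the roles in place) fails on the first statement, and under ON_ERROR_STOP the remaining role setup is skipped. PostgreSQL has no `CREATE ROLE IF NOT EXISTS`, so guard each creation with a DO block that checks pg_roles, as below. The defaults this relies on (NOLOGIN, no BYPASSRLS) together with NOSUPERUSER/NOCREATEROLE are the right shape for group roles; a header comment such as `-- Group roles (no LOGIN): grant them to the actual login users` would make that intent explicit for whoever provisions the login accounts.
```sql
DO $$
BEGIN
  IF NOT EXISTS (SELECT 1 FROM pg_catalog.pg_roles WHERE rolname = 'signalo_viewer') THEN
    CREATE ROLE signalo_viewer NOSUPERUSER INHERIT NOCREATEDB NOCREATEROLE NOREPLICATION;
  END IF;
  IF NOT EXISTS (SELECT 1 FROM pg_catalog.pg_roles WHERE rolname = 'signalo_user') THEN
    CREATE ROLE signalo_user NOSUPERUSER INHERIT NOCREATEDB NOCREATEROLE NOREPLICATION;
  END IF;
END
$$;

GRANT signalo_viewer TO signalo_user;
```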
@@ -0,0 +1,30 @@
+------------------------------------------
+/* GRANT on schemas - once per database */
+------------------------------------------
+
+/* Viewer */
+GRANT USAGE ON SCHEMA signalo_db TO signalo_viewer;
+GRANT USAGE ON SCHEMA signalo_app TO signalo_viewer;
+
+GRANT USAGE, SELECT ON ALL SEQUENCES IN SCHEMA signalo_db TO signalo_viewer;
+GRANT USAGE, SELECT ON ALL SEQUENCES IN SCHEMA signalo_app TO signalo_viewer;
+
+GRANT SELECT, REFERENCES, TRIGGER ON ALL TABLES IN SCHEMA signalo_db TO signalo_viewer;
+GRANT SELECT, REFERENCES, TRIGGER ON ALL TABLES IN SCHEMA signalo_app TO signalo_viewer;
+
+ALTER DEFAULT PRIVILEGES IN SCHEMA signalo_db GRANT SELECT, REFERENCES, TRIGGER ON TABLES TO signalo_viewer;
+ALTER DEFAULT PRIVILEGES IN SCHEMA signalo_app GRANT SELECT, REFERENCES, TRIGGER ON TABLES TO signalo_viewer;
+
+
+/* User */
+GRANT ALL ON SCHEMA signalo_db TO signalo_user;
+GRANT ALL ON ALL TABLES IN SCHEMA signalo_db TO signalo_user;
+GRANT ALL ON ALL SEQUENCES IN SCHEMA signalo_db TO signalo_user;
+ALTER DEFAULT PRIVILEGES IN SCHEMA signalo_db GRANT ALL ON TABLES TO signalo_user;
+ALTER DEFAULT PRIVILEGES IN SCHEMA signalo_db GRANT ALL ON SEQUENCES TO signalo_user;
+
+GRANT ALL ON SCHEMA signalo_app TO signalo_user;
+GRANT ALL ON ALL TABLES IN SCHEMA signalo_app TO signalo_user;
+GRANT ALL ON ALL SEQUENCES IN SCHEMA signalo_app TO signalo_user;
+ALTER DEFAULT PRIVILEGES IN SCHEMA signalo_app GRANT ALL ON TABLES TO signalo_user;
+ALTER DEFAULT PRIVILEGES IN SCHEMA signalo_app GRANT ALL ON SEQUENCES TO signalo_user;
diff --git a/datamodel/setup.sh b/datamodel/setup.sh
index 77c4a019..de6ddfb8 100755
--- a/datamodel/setup.sh
+++ b/datamodel/setup.sh
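Review bot: The four viewer table grants (`GRANT SELECT, REFERENCES, TRIGGER ON ALL TABLES ...` and the matching `ALTER DEFAULT PRIVILEGES ... ON TABLES`) give a role named "viewer" more than read access: TRIGGER lets it attach triggers to tables it cannot otherwise write, and REFERENCES lets it create foreign keys that block deletes performed by other roles. Unless something depends on it, reduce them to SELECT, e.g. `GRANT SELECT ON ALL TABLES IN SCHEMA signalo_db TO signalo_viewer;` and `ALTER DEFAULT PRIVILEGES IN SCHEMA signalo_db GRANT SELECT ON TABLES TO signalo_viewer;`. Likewise `USAGE` on sequences includes nextval, so the viewer can advance sequences; `SELECT` alone covers reading them, and the viewer block has no `ALTER DEFAULT PRIVILEGES ... ON SEQUENCES` at all, so sequences created later will not be readable by it while tables will. Worth stating in the header comment that ALTER DEFAULT PRIVILEGES only applies to objects created by the role executing this script, so migrations applied by a different role will not pick these grants up.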
@@ -94,3 +94,10 @@ if [[ $demo_data == True ]]; then
 fi
 ${DIR}/app/create_app.py --pg_service ${PGSERVICE} --srid=${SRID}
+
+if [[ $roles == True ]]; then
+ echo "*** setting roles"
+ # for now demo data is the test data
+ psql "service=${PGSERVICE}" -v ON_ERROR_STOP=1 -f ${DIR}/roles/create.sql
+ psql "service=${PGSERVICE}" -v ON_ERROR_STOP=1 -f ${DIR}/roles/setup.sql
+fi
diff --git a/scripts/run-docker.sh b/scripts/run-docker.sh
index 769a312f..b1fc3afb 100755
--- a/scripts/run-docker.sh
+++ b/scripts/run-docker.sh
@@ -7,10 +7,25 @@ set -e
 export $(grep -v '^#' .env | xargs)
 BUILD=0
-DEMO_DATA=0
+DEMO_DATA=""
 SIGNALO_PG_PORT=${SIGNALO_PG_PORT:-5432}
-
-while getopts 'bdp:' opt; do
+ROLES=""
+
+show_help() {
+ echo "Usage: $(basename "$0") [OPTIONS]... [ARGUMENTS]..."
+ echo
+ echo "Description:"
+ echo " Build and run Docker container with SIGNALO application"
+ echo
+ echo "Options:"
+ echo " -h Display this help message and exit"
+ echo " -b Build Docker image"
+ echo " -d Load demo data"
+ echo " -r Create roles"
+ echo " -p Override PG port"
+}
+
+while getopts 'bdrp:h' opt; do
 case "$opt" in
 b)
 echo "Rebuild docker image"
@@ -19,15 +34,17 @@ while getopts 'bdp:' opt; do
 d)
 echo "Load demo data"
- DEMO_DATA=1
+ DEMO_DATA="-d"
 ;;
 p)
 echo "Overriding PG port to ${OPTARG}"
 TWW_PG_PORT=${OPTARG}
 ;;
-
-
+ r)
+ echo "Setting up roles"
+ ROLES="-r"
+ ;;
 ?|h)
 echo "Usage: $(basename $0) [-bd] [-p PG_PORT]"
 exit 1
@@ -43,6 +60,4 @@ fi
 docker rm -f signalo || true
 docker run -d -p ${SIGNALO_PG_PORT}:5432 -v $(pwd):/src --name signalo opengisch/signalo -c log_statement=all
 docker exec signalo init_db.sh wait
-if [[ $DEMO_DATA -eq 1 ]]; then
- docker exec signalo init_db.sh build -d
-fi
+docker exec signalo init_db.sh build ${DEMO_DATA} ${ROLES}
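Review bot: The comment `# for now demo data is the test data` inside the new `if [[ $roles == True ]]` block reads as copied from the demo-data block above and says nothing about roles; replace it with `# create the cluster-wide group roles, then grant schema/table privileges`. `${DIR}` is left unquoted in both psql calls while `"service=${PGSERVICE}"` is quoted on the same line; `-f "${DIR}/roles/create.sql"` keeps the two consistent and survives a path with spaces. This hunk does not show where `roles` is assigned (the option parsing sits outside it), so confirm setup.sh actually parses the `-r` flag that run-docker.sh now forwards via init_db.sh; if the variable is never set, the block is silently skipped rather than failing.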
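Review bot: The new `r)` case is fine, but the adjacent `?|h)` branch still prints the stale usage `[-bd] [-p PG_PORT]` and exits 1, even though this commit adds `h` to the optstring and a `show_help` function that already documents `-r`; `-h` should be a success path and unknown options the failure path. Split the branch into `h) show_help; exit 0 ;;` and `?) show_help >&2; exit 1 ;;` so the two usage texts cannot drift apart again. Also visible in the surrounding context: `p)` assigns `TWW_PG_PORT` while the script binds `${SIGNALO_PG_PORT}`, so the new `-p Override PG port` help line describes an option that has no effect; that is pre-existing, but the new help text makes the mismatch user-visible.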
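Review bot: `docker exec signalo init_db.sh build ${DEMO_DATA} ${ROLES}` depends on unquoted empty expansions disappearing to make the `-d`/`-r` flags optional; it works with the current `""`/`"-d"`/`"-r"` values but trips ShellCheck SC2086 and would break as soon as a flag carried a space. An array states the intent directly: `build_args=(); [[ -n $DEMO_DATA ]] && build_args+=("$DEMO_DATA"); [[ -n $ROLES ]] && build_args+=("$ROLES")` followed by `docker exec signalo init_db.sh build "${build_args[@]}"`.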