Merge pull request #1 from alf-cactus/alf/sample_data_changes

Alf/sample data changes

.github/workflows/test-install.yml

@@ -6,11 +6,7 @@ name: CI
 # events but only for the master branch
 # test change
 
-on:
-  push:
-    branches: [ master, tim/test-install-github ]
-  pull_request:
-    branches: [ tim/test-install-in-github ]
+on: [push, pull_request]
 
 # A workflow run is made up of one or more jobs that can run sequentially or in parallel
 jobs:
@@ -26,5 +22,5 @@ jobs:
 
     # Runs a single command using the runners shell
     - name: Run a one-line script
-      run: cd /home/runner/work/firewall-orchestrator/firewall-orchestrator && ansible-playbook -i inventory site.yml -K
+      run: cd /home/runner/work/firewall-orchestrator/firewall-orchestrator && ansible-playbook -i inventory -e 'run_on_github=yes' site.yml -K
 

client/client_stub.cs

@@ -18,10 +18,10 @@ class Program
         private static async Task Main()
         {
             // Server URL
-            const string ServerURI = "https://10.5.5.110/api/v1/graphql";
+            const string ServerURI = "https://demo.itsecorg.de/api/v1/graphql";
 
             // Erlaube alle Zertifikate // ENTFERNEN SOBALD SERVER GÜLTIGES ZERTIFIKAT HAT
-            ServicePointManager.ServerCertificateValidationCallback += (sender, cert, chain, sslPolicyErrors) => true;
+            // ServicePointManager.ServerCertificateValidationCallback += (sender, cert, chain, sslPolicyErrors) => true;
 
             // Neuer Http Client
             HttpClient client = new HttpClient();

documentation/git-howto.md

@@ -1,30 +1,44 @@
+It is recommended to create a personal fork and work on that, except you only make changes on documentation (but no code change). Just use the Fork button on the GitHub UI.
 
-<pre>
-
-hod@fworch-dev:~/firewall-orchestrator$ git pull
-Already up to date.
-12:36
-Kann keine Aktion in Richtung  CactuseSecurity/firewall-orchestrator Repo  erkennen.
-Fork bleibt auf dem alten Stand und der Clone vom Fork auch
-12:38
-Habe es nun so gemacht und es funktioniert:https://help.github.com/en/github/collaborating-with-issues-and-pull-requests/syncing-a-fork
-12:58
-git remote -v
-git remote add upstream https://github.com/CactuseSecurity/firewall-orchestrator.git
-git remote -v
-git fetch upstream
-git checkout master
-git merge upstream/master
-git push
-13:00
-Und beim nächsten Mal nur noch:
-git fetch upstream
-git checkout master
-git merge upstream/master
-git push
-13:03
-besser wäre natürlich
-git remote add upstream ssh://github.com/CactuseSecurity/firewall-orchestrator.git
-13:12
-umbenennen mit git remote set-url upstream ssh://github.com/CactuseSecurity/firewall-orchestrator.git
-</pre>
+From that fork you can create local clones.
+
+It is possible to sync your fork via the GitHub UI, but it leads at least to an ugly additional commit in your fork history:
+(https://rick.cogley.info/post/update-your-forked-repository-directly-on-github/)
+
+So better use the command line:
+
+Source: https://help.github.com/en/github/collaborating-with-issues-and-pull-requests/syncing-a-fork
+
+Add ssh key to profile (Profile - Settings - ssh keys)
+
+# First time add upstream URL (only has to be done once): 
+
+    git remote -v
+    git remote add upstream https://github.com/CactuseSecurity/firewall-orchestrator.git
+    git remote -v
+
+# Sync with upstream 
+
+    git fetch upstream
+    git checkout master
+    git merge upstream/master
+    git push
+
+
+# Working via ssh
+
+    git remote add upstream ssh://github.com/CactuseSecurity/firewall-orchestrator.git
+
+# Change upstream name
+
+    git remote set-url upstream ssh://github.com/CactuseSecurity/firewall-orchestrator.git
+
+# Example with non-master branch
+
+    git clone [email protected]:tpurschke/firewall-orchestrator.git -b tim/make-api-reinstallable
+    cd firewall-orchestrator/
+    git remote add upstream [email protected]:CactuseSecurity/firewall-orchestrator.git
+    git fetch upstream
+    git checkout tim/make-api-reinstallable
+    git merge upstream/tim/make-api-reinstallable
+    git push

documentation/install-advanced.md

@@ -5,7 +5,12 @@
 
        cd firewall-orchestrator; ansible-playbook -i inventory -e "http_proxy=http://1.2.3.4:3128 https_proxy=http://1.2.3.4:3128" site.yml -K
        
-## Advanced installation 2: distributed setup
+## Advanced installation 2: clean install
+   if you want to drop the database and re-install from scratch, simply add the variable clean_install as follows:
+
+       cd firewall-orchestrator; ansible-playbook -i inventory -e "clean_install=1" site.yml -K
+
+## Advanced installation 3: distributed setup
 
 if you want to distribute functionality to different hosts:
 

documentation/modules/api/graphql-howto.md

@@ -0,0 +1,16 @@
+# concepts
+- schema: describes available functionality 
+- data types
+  - (object) type 
+  - scalar
+    - Int, Float, String, Boolean, ID
+  - query
+  - mutation
+  - subscription
+  - enum
+
+
+# tools
+  - graphql query tool insomnia
+  - ubuntu: sudo snap install insomnia oder:
+  - https://insomnia.rest/download/core/?&ref=

documentation/modules/api/hasura-howto.md

@@ -0,0 +1,18 @@
+
+# concepts and tools
+  - hasura metadata: Hasura metadata stores information about your tables, 
+  relationships, permissions, etc. that is used to generate the GraphQL schema and API:
+  see https://hasura.io/docs/1.0/graphql/manual/how-it-works/metadata-schema.html
+  - graphiql - https://demo.itsecorg.de/api/console/api-explorer
+  - track tables, views, relations --> create queries and expose these
+  - permissions can be set here: https://demo.itsecorg.de/api/console/data/schema/public/permissions
+
+# hasura database 
+  - hasura creates the schemas hdb_catalog and hdb_views in parallel to public (see https://hasura.io/docs/1.0/graphql/manual/how-it-works/metadata-schema.html)
+    - hdb_catalog.hdb_relationship contains the forein key constraints of the original database
+    - hdb_catalog.hdb_permission contains the roles' permissions
+    - hdb_catalog.view.hdb_role contains roles
+
+# authentication
+  - https://hasura.io/blog/hasura-authentication-explained/#jwt-auth
+  - how to devine roles & permissions in hasura: 

documentation/modules/api/query_root.sdl

@@ -0,0 +1,93 @@
+changelog_object
+
+fetch data from the table: "changelog_object"
+[changelog_object!]!
+distinct_on: [changelog_object_select_column!]
+
+distinct select on columns
+limit: Int
+
+limit the number of rows returned
+offset: Int
+
+skip the first n rows. Use only with order_by
+order_by: [changelog_object_order_by!]
+
+sort the rows by one or more columns
+where: changelog_object_bool_exp
+
+filter the rows returned
+
+
+rules
+
+An array relationship
+[rule!]!
+distinct_on: [rule_select_column!]
+
+distinct select on columns
+limit: Int
+
+limit the number of rows returned
+offset: Int
+
+skip the first n rows. Use only with order_by
+order_by: [rule_order_by!]
+
+sort the rows by one or more columns
+where: rule_bool_exp
+
+filter the rows returned
+
+
+enum sec_gateway_type {
+  FIREWALL
+  PROXY
+  IPS
+  LOADBALANCER
+  WAF
+}
+
+interface rule_object {
+  id: ID
+  name: String
+  sec_manager: sec_manager
+  sec_gateway: sec_gateway
+  uid: String
+}
+
+type nw_object implements rule_object {
+  id: ID
+  name: String
+  sec_manager: sec_manager
+}
+
+type sec_gateway {
+  name: String
+  id: ID
+  sec_gateway_type: sec_gateway_type
+  product: product
+  product_version: product_version
+  sec_manager: sec_manager
+}
+
+type product {
+  vendor: String
+  os: String
+}
+
+type product_version {
+  version: String
+}
+
+type sec_manager {
+  name: String
+  id: ID
+  sec_gw: [sec_gateway]
+}
+
+type rule {
+  source: [nw_object]
+  destination: [nw_object]
+  service: [service]
+}

roles/api/doc/todo.txt → documentation/modules/api/todo.txt

@@ -38,4 +38,18 @@ todo:
 - get rid of rule_order table or at least reduce it
 - find a way to delete all old data (>x years)
 
+------
 
+- define permission functions based on role tables:
+   user_visible_managements(user_id)
+   user_visible_devices(user_id)
+
+- define permissions (only works for tables containing dev or mgm
+  {"dev_id":"_in":user_visible_devices("x-Hasura-User_Id")}
+  {"mgm_id":"_in":user_visible_managements("x-Hasura-User_Id")}
+
+- create auth site (using turbogears and pgjwt)
+
+- make installer work when multiple php or postgres versions are insalled
+
+- get pgadmin working again (error:  ERROR:  column "proisagg" does not exist LINE 9:  WHERE proisagg = FALSE AND pronamespace = 2200::oid)

inventory/group_vars/all

@@ -1,3 +1,4 @@
+ansible_python_interpreter: /usr/bin/python3
 
 http_proxy: ""
 #http_proxy: http://admsrv.int.cactus:3128

inventory/group_vars/backends

@@ -9,8 +9,11 @@ api_user_email: "{{ api_user }}@localhost"
 api_hasura_admin_secret: "st8chelt1er"
 api_hasura_jwt_secret: "ab957df1a33ea38a821278fb04d92abce830175ce9bcdef0e597622434480ccd"
 api_hasura_jwt_alg: "HS384"
-api_hasura_version: "v1.2.1"
+api_container_name: hasura_fw_orch
+#api_hasura_version: "v1.3.0-beta.1"
+api_hasura_version: "v1.2.2"
 api_hostname: "127.0.0.1"
 api_port: 8080
 API_SECRET_KEY: '3s)3o5_@2d!t21nammq38hnux9cfz5#9o0&nb4y8yn5xvqdhh^'
-python_binary: /usr/bin/python3
+python_binary: /usr/bin/python3
+api_venv_dir: "{{ iso_home }}/api_venv"