Merge pull request #79 from Dewberry/feature/add-del-update-processes

.github/workflows/e2e-tests.yml

@@ -25,6 +25,7 @@ jobs:
           echo STORAGE_RESULTS_PREFIX='results' >> .env
           echo STORAGE_LOGS_PREFIX='logs' >> .env
 
+          echo PLUGINS_LOAD_DIR='plugins' >> .env
           echo PLUGINS_DIR='/.data/plugins' >> .env
           echo TMP_JOB_LOGS_DIR='/.data/tmp/logs' >> .env
 

DEV_GUIDE.md

@@ -16,6 +16,7 @@
 - A user can use tools like Postman to set these headers themselves, but if auth is enabled, they will be checked against the token. This setup allows adding submitter info to the database when auth is not enabled.
 - I auth is enabled `X-ProcessAPI-User-Email` header is mandatory.
 - Requests from Service Role will not be verified for `X-ProcessAPI-User-Email`.
+- Only service_accounts can post callbacks
 - Requests from Admin Role are allowed to execute all processes, non-admins must have the role with same name as `processID` to execute that process.
 - Requests from Admin Role are allowed to retrieve all jobs information, non admins can only retrieve information for jobs that they submitted.
 - Only admins can add/update/delete processes

api/Dockerfile

@@ -28,5 +28,5 @@ COPY --from=dev /app/public /app/public
 COPY --from=dev /app/views /app/views
 COPY --from=dev /app/docs /app/docs
 
-ENTRYPOINT ["/app/main", "-pld", "plugins"]
+ENTRYPOINT ["/app/main"]
 # -------------------------------

api/handlers/config.go

@@ -43,9 +43,9 @@ type RESTHandler struct {
 	ProcessList  *pr.ProcessList
 
 	// Read DEV_GUIDE.md to learn about these
-	AuthLevel     int
-	AdminRoleName string
-	BotRoleName   string
+	AuthLevel       int
+	AdminRoleName   string
+	ServiceRoleName string
 }
 
 // Pretty print a JSON
@@ -79,8 +79,8 @@ func NewRESTHander() *RESTHandler {
 			"http://www.opengis.net/spec/ogcapi-processes-1/1.0/conf/job-list",
 			"http://www.opengis.net/spec/ogcapi-processes-1/1.0/conf/dismiss",
 		},
-		AdminRoleName: os.Getenv("AUTH_ADMIN_ROLE"),
-		BotRoleName:   os.Getenv("AUTH_BOT_ROLE"),
+		AdminRoleName:   os.Getenv("AUTH_ADMIN_ROLE"),
+		ServiceRoleName: os.Getenv("AUTH_SERVICE_ROLE"),
 	}
 
 	dbType, exist := os.LookupEnv("DB_SERVICE")

api/handlers/handlers.go

@@ -633,8 +633,8 @@ func (rh *RESTHandler) JobStatusUpdateHandler(c echo.Context) error {
 	if rh.AuthLevel > 0 {
 		roles := strings.Split(c.Request().Header.Get("X-ProcessAPI-User-Roles"), ",")
 
-		// admins are allowed to execute all processes, else you need to have same role as processId
-		if !utils.StringInSlice(rh.BotRoleName, roles) && !utils.StringInSlice(rh.AdminRoleName, roles) {
+		// only service accounts or admins can post status updates
+		if !utils.StringInSlice(rh.ServiceRoleName, roles) && !utils.StringInSlice(rh.AdminRoleName, roles) {
 			return c.JSON(http.StatusUnauthorized, errResponse{Message: "unauthorized"})
 		}
 	}

example.env

@@ -29,7 +29,6 @@ AUTH_SERVICE=''                             # Options: ['', 'keycloak'] (Optiona
 AUTH_LEVEL='0'                              # Options: [0, 1, 2] corresponds to [no auth, some routes protected, all routes protected] (Optional).
 AUTH_ADMIN_ROLE='admin'
 AUTH_SERVICE_ROLE='service_account'
-AUHT_BOT_ROLE='bot'
 
 # --- Plugins
 PLUGINS_LOAD_DIR=''                         # Load plugins from this directory at startup (Optional).

tests/e2e/tests.postman_collection.json

@@ -169,6 +169,30 @@
 					},
 					"response": []
 				},
+				{
+					"name": "delete-startup-process",
+					"request": {
+						"method": "DELETE",
+						"header": [],
+						"url": {
+							"raw": "{{url}}/processes/:processID",
+							"host": [
+								"{{url}}"
+							],
+							"path": [
+								"processes",
+								":processID"
+							],
+							"variable": [
+								{
+									"key": "processID",
+									"value": "pywrite"
+								}
+							]
+						}
+					},
+					"response": []
+				},
 				{
 					"name": "add-process",
 					"request": {