Enabling roles also for local development & docker setup (#552)

.env

@@ -6,6 +6,15 @@ POSTGRES_DB=cwa
 POSTGRES_USER=postgres
 POSTGRES_PASSWORD=postgres
 
+POSTGRES_DISTRIBUTION_USER=local_setup_distribution
+POSTGRES_DISTRIBUTION_PASSWORD=local_setup_distribution
+
+POSTGRES_SUBMISSION_USER=local_setup_submission
+POSTGRES_SUBMISSION_PASSWORD=local_setup_submission
+
+POSTGRES_FLYWAY_USER=local_setup_flyway
+POSTGRES_FLYWAY_PASSWORD=local_setup_flyway
+
 # Docker Compose PgAdmin settings
 PGADMIN_DEFAULT_EMAIL=[email protected]
 PGADMIN_DEFAULT_PASSWORD=password

README.md

@@ -97,6 +97,30 @@ To prepare your machine to run the CWA project locally, we recommend that you fi
 * [Postgres]
 * [Zenko CloudServer]
 
+If you are already running a local Postgres, you need to create a database `cwa` and run the following setup scripts:
+
+* Create the different CWA roles first by executing [create-roles.sql](setup/create-roles.sql).
+* Create local database users for the specific roles by running [create-users.sql](./local-setup/create-users.sql).
+* It is recommended to also run [enable-test-data-docker-compose.sql](./local-setup/enable-test-data-docker-compose.sql)
+, which enables the test data generation profile. If you already had CWA running before and an existing `diagnosis-key`
+table on your database, you need to run [enable-test-data.sql](./local-setup/enable-test-data.sql) instead.
+
+You can also use `docker-compose` to start Postgres and Zenko. If you do that, you have to
+set the following environment-variables when running the Spring project:
+
+For the distribution module:
+
+```bash
+POSTGRESQL_SERVICE_PORT=8001
+VAULT_FILESIGNING_SECRET=</path/to/your/private_key>
+```
+
+For the submission module:
+
+```bash
+POSTGRESQL_SERVICE_PORT=8001
+```
+
 #### Configure
 
 After you made sure that the specified dependencies are running, configure them in the respective configuration files.

common/persistence/src/main/resources/db/specific/h2/V2__createPermissions.sql

@@ -0,0 +1 @@
+-- no permissions on H2 necessary

common/persistence/src/main/resources/db/specific/postgresql/V2__createPermissions.sql

@@ -0,0 +1,2 @@
+GRANT SELECT, DELETE ON TABLE diagnosis_key TO "cwa_distribution";
+GRANT INSERT ON TABLE diagnosis_key TO "cwa_submission";

docker-compose.yml

@@ -15,10 +15,10 @@ services:
       POSTGRESQL_SERVICE_PORT: '5432'
       POSTGRESQL_SERVICE_HOST: postgres
       POSTGRESQL_DATABASE: ${POSTGRES_DB}
-      POSTGRESQL_PASSWORD_SUBMISION: ${POSTGRES_PASSWORD}
-      POSTGRESQL_USER_SUBMISION: ${POSTGRES_USER}
-      POSTGRESQL_PASSWORD_FLYWAY: ${POSTGRES_PASSWORD}
-      POSTGRESQL_USER_FLYWAY: ${POSTGRES_USER}
+      POSTGRESQL_PASSWORD_SUBMISION: ${POSTGRES_SUBMISSION_PASSWORD}
+      POSTGRESQL_USER_SUBMISION: ${POSTGRES_SUBMISSION_USER}
+      POSTGRESQL_PASSWORD_FLYWAY: ${POSTGRES_FLYWAY_PASSWORD}
+      POSTGRESQL_USER_FLYWAY: ${POSTGRES_FLYWAY_USER}
       VERIFICATION_BASE_URL: http://verification-fake:8004
   distribution:
     build:
@@ -33,10 +33,10 @@ services:
       POSTGRESQL_SERVICE_PORT: '5432'
       POSTGRESQL_SERVICE_HOST: postgres
       POSTGRESQL_DATABASE: ${POSTGRES_DB}
-      POSTGRESQL_PASSWORD_DISTRIBUTION: ${POSTGRES_PASSWORD}
-      POSTGRESQL_USER_DISTRIBUTION: ${POSTGRES_USER}
-      POSTGRESQL_PASSWORD_FLYWAY: ${POSTGRES_PASSWORD}
-      POSTGRESQL_USER_FLYWAY: ${POSTGRES_USER}
+      POSTGRESQL_PASSWORD_DISTRIBUTION: ${POSTGRES_DISTRIBUTION_PASSWORD}
+      POSTGRESQL_USER_DISTRIBUTION: ${POSTGRES_DISTRIBUTION_USER}
+      POSTGRESQL_PASSWORD_FLYWAY: ${POSTGRES_FLYWAY_PASSWORD}
+      POSTGRESQL_USER_FLYWAY: ${POSTGRES_FLYWAY_USER}
       # Settings for the S3 compatible objectstore
       CWA_OBJECTSTORE_ACCESSKEY: ${OBJECTSTORE_ACCESSKEY}
       CWA_OBJECTSTORE_SECRETKEY: ${OBJECTSTORE_SECRETKEY}
@@ -60,6 +60,9 @@ services:
       POSTGRES_PASSWORD: ${POSTGRES_PASSWORD}
     volumes:
        - postgres_volume:/data/postgres
+       - ./setup/setup-roles.sql:/docker-entrypoint-initdb.d/1-roles.sql
+       - ./local-setup/create-users.sql:/docker-entrypoint-initdb.d/2-users.sql
+       - ./local-setup/enable-test-data-docker-compose.sql:/docker-entrypoint-initdb.d/3-enable-testdata.sql
   pgadmin:
     container_name: pgadmin_container
     image: dpage/pgadmin4

local-setup/create-users.sql

@@ -0,0 +1,5 @@
+/* Creates default users for local development */
+
+CREATE USER "local_setup_flyway" WITH INHERIT IN ROLE cwa_flyway ENCRYPTED PASSWORD 'local_setup_flyway';
+CREATE USER "local_setup_submission" WITH INHERIT IN ROLE cwa_submission ENCRYPTED PASSWORD 'local_setup_submission';
+CREATE USER "local_setup_distribution" WITH INHERIT IN ROLE cwa_distribution ENCRYPTED PASSWORD 'local_setup_distribution';

local-setup/enable-test-data-docker-compose.sql

@@ -0,0 +1,3 @@
+/* Testdata creation requires INSERT permission - this is only active on local deployments */
+/* Since the Diagnosis Key Table does not yet exist, this is a workaround to still allow inserts */
+ALTER DEFAULT PRIVILEGES FOR USER local_setup_flyway IN SCHEMA public GRANT INSERT ON TABLES TO cwa_distribution;

local-setup/enable-test-data.sql

@@ -0,0 +1,2 @@
+/* Test Data profile requires insert permissions on diagnois key table */
+GRANT INSERT ON diagnosis_key TO cwa_distribution;

services/distribution/src/main/resources/application-cloud.yaml

@@ -1,8 +1,6 @@
 ---
 spring:
   flyway:
-    enabled: true
-    locations: classpath:db/migration/postgres
     password: ${POSTGRESQL_PASSWORD_FLYWAY}
     user: ${POSTGRESQL_USER_FLYWAY}
   datasource:

services/distribution/src/main/resources/application.yaml

@@ -61,12 +61,12 @@ spring:
       ddl-auto: validate
   flyway:
     enabled: true
-    locations: classpath:db/migration/postgres
-    password: ${POSTGRESQL_PASSWORD_FLYWAY:postgres}
-    user: ${POSTGRESQL_USER_FLYWAY:postgres}
+    locations: classpath:/db/migration, classpath:/db/specific/{vendor}
+    password: ${POSTGRESQL_PASSWORD_FLYWAY:local_setup_flyway}
+    user: ${POSTGRESQL_USER_FLYWAY:local_setup_flyway}
 
   datasource:
     driver-class-name: org.postgresql.Driver
     url: jdbc:postgresql://${POSTGRESQL_SERVICE_HOST:localhost}:${POSTGRESQL_SERVICE_PORT:5432}/${POSTGRESQL_DATABASE:cwa}
-    username: ${POSTGRESQL_USER_DISTRIBUTION:postgres}
-    password: ${POSTGRESQL_PASSWORD_DISTRIBUTION:postgres}
+    username: ${POSTGRESQL_USER_DISTRIBUTION:local_setup_distribution}
+    password: ${POSTGRESQL_PASSWORD_DISTRIBUTION:local_setup_distribution}

services/distribution/src/test/resources/application.yaml

@@ -55,8 +55,6 @@ spring:
     banner-mode: off
   flyway:
     enabled: true
-# default case is H2 - value will be overwritten by profile cloud or postgres
-    locations: classpath:db/migration/h2
   jpa:
     hibernate:
       ddl-auto: validate

services/submission/src/main/resources/application-cloud.yaml

@@ -1,8 +1,6 @@
 ---
 spring:
   flyway:
-    enabled: true
-    locations: classpath:db/migration/postgres
     password: ${POSTGRESQL_PASSWORD_FLYWAY}
     user: ${POSTGRESQL_USER_FLYWAY}
   datasource:

services/submission/src/main/resources/application.yaml

@@ -26,15 +26,15 @@ spring:
       ddl-auto: validate
   flyway:
     enabled: true
-    locations: classpath:db/migration/postgres
-    password: ${POSTGRESQL_PASSWORD_FLYWAY:postgres}
-    user: ${POSTGRESQL_USER_FLYWAY:postgres}
+    locations: classpath:/db/migration, classpath:/db/specific/{vendor}
+    password: ${POSTGRESQL_PASSWORD_FLYWAY:local_setup_flyway}
+    user: ${POSTGRESQL_USER_FLYWAY:local_setup_flyway}
 # Postgres configuration
   datasource:
     driver-class-name: org.postgresql.Driver
     url: jdbc:postgresql://${POSTGRESQL_SERVICE_HOST:localhost}:${POSTGRESQL_SERVICE_PORT:5432}/${POSTGRESQL_DATABASE:cwa}
-    username: ${POSTGRESQL_USER_SUBMISSION:postgres}
-    password: ${POSTGRESQL_PASSWORD_SUBMISSION:postgres}
+    username: ${POSTGRESQL_USER_SUBMISSION:local_setup_submission}
+    password: ${POSTGRESQL_PASSWORD_SUBMISSION:local_setup_submission}
 
 management:
   server:
@@ -64,4 +64,4 @@ management:
 feign:
   httpclient:
     maxConnections: 200
-    maxConnectionsPerRoute: 200
+    maxConnectionsPerRoute: 200

services/submission/src/test/resources/application.yaml

@@ -9,8 +9,6 @@ spring:
     banner-mode: off
   flyway:
     enabled: true
-    # default case is H2 - value will be overwritten by profile cloud or postgres
-    locations: classpath:db/migration/h2
   datasource:
     url: jdbc:h2:mem:test;MODE=PostgreSQL
     driverClassName: org.h2.Driver

setup/create-users.sql

@@ -0,0 +1,5 @@
+/* Creates CWA users */
+
+CREATE USER "<change me>" WITH INHERIT IN ROLE cwa_flyway ENCRYPTED PASSWORD '<change me>';
+CREATE USER "<change me>" WITH INHERIT IN ROLE cwa_submission ENCRYPTED PASSWORD '<change me>';
+CREATE USER "<change me>" WITH INHERIT IN ROLE cwa_distribution ENCRYPTED PASSWORD '<change me>';

setup/setup-roles.sql

@@ -0,0 +1,50 @@
+/*
+ * This SQL file needs to be executed when a new CWA database is set up.
+ * It will create the necessary roles & restrict permissions to the CWA scope.
+ */
+
+/* Revoke all default access to the database */
+REVOKE ALL ON DATABASE cwa FROM PUBLIC;
+REVOKE USAGE ON SCHEMA public FROM PUBLIC;
+
+/* Create roles */
+CREATE ROLE cwa_user
+  NOLOGIN
+  NOSUPERUSER
+  NOINHERIT
+  NOCREATEDB
+  NOCREATEROLE
+  NOREPLICATION;
+
+GRANT CONNECT ON DATABASE cwa TO cwa_user;
+GRANT USAGE ON SCHEMA public TO cwa_user;
+
+CREATE ROLE cwa_flyway
+  NOLOGIN
+  NOSUPERUSER
+  INHERIT
+  NOCREATEDB
+  NOCREATEROLE
+  NOREPLICATION
+  IN ROLE cwa_user;
+
+/* Flyway user needs to have full access to schema */
+GRANT CREATE ON SCHEMA public TO cwa_flyway;
+
+CREATE ROLE cwa_submission
+  NOLOGIN
+  NOSUPERUSER
+  INHERIT
+  NOCREATEDB
+  NOCREATEROLE
+  NOREPLICATION
+  IN ROLE cwa_user;
+
+CREATE ROLE cwa_distribution
+  NOLOGIN
+  NOSUPERUSER
+  INHERIT
+  NOCREATEDB
+  NOCREATEROLE
+  NOREPLICATION
+  IN ROLE cwa_user;