Merge branch 'feat/v2'

* feat/v2: (221 commits)
  small updates
  add security definer for job triggers
  token default time
  tags and comments
  arrays
  delete field
  update field name and type
  updates
  updated jobs
  trigger
  scheduled jobs
  rename
  update hashes
  build
  cleanup
  better hashing
  better hashing
  cleanup
  cleanup
  transactor
  ...

Author: pyramation

.travis.yml

@@ -23,17 +23,15 @@ env:
     - APP_PASSWORD=app_password
   matrix:
     - PACKAGE=packages/yourpackage1
-    - PACKAGE=packages/yourpackage2
 
 before_install:
   - yarn install
-  - docker run -p 7777:5432 --name postgres -v `pwd`/packages:/sql-extensions -v `pwd`/node_modules:/sql-modules -d pyramation/postgres-plv8
+  - docker run -p 7777:5432 --name postgres -v `pwd`/packages:/sql-extensions -d pyramation/postgres
   - sleep 3
   - while ! docker exec -it postgres pg_isready -U postgres -h 127.0.0.1; do echo "$(date) - waiting for database to start"; sleep 1; done
   - while ! docker exec postgres /sql-extensions/install.sh; do echo "installing plugins"; sleep 3; done
   - psql -f ./bootstrap-roles.sql postgres
 script:
   - cd $PACKAGE
   - yarn install
-  - export PGEXTENSIONS=$(cat .env | grep PGEXTENSIONS | awk -F'=' '{print $2}')
   - yarn test

Makefile

@@ -1,7 +1,7 @@
 
 def:
-	./build.sh skitch plan
-	./build.sh skitch package --version 0.0.1
+	./build.sh lql plan
+	./build.sh lql package --version 0.0.1
 	make install
 
 up:
@@ -16,19 +16,34 @@ ssh:
 install:
 	$(MAKE) docker-install || $(MAKE) k8-install
 
+dinstall:
+	$(MAKE) docker-install
+
 docker-install:
-	docker exec webinc-postgres /sql-extensions/install.sh
+	docker exec launchql-postgres /sql-extensions/install.sh
 
 k8-install:
 	$(eval POD_NAME := $(shell kubectl get pods -l app=postgres -n webinc -o jsonpath="{.items[*].metadata.name}"))
 	kubectl exec -n webinc -it $(POD_NAME) /sql-extensions/install.sh
 
 all:
-	./build.sh skitch package --version 0.0.1
-	./build.sh skitch plan
+	./build.sh lql package --version 0.0.1
+	./build.sh lql plan
 
 dump:
-	skitch dump --deps --project dbs --path $(WEBINC_PATH)/services/packages/graphql-server-service/bootstrap/app.sql
+	lql dump --deps --project dbs --path $(WEBINC_PATH)/services/packages/graphql-server-service/bootstrap/app.sql
 
 deploy:
-	@echo skitch deploy --recursive --createdb --yes --project dbs --database webinc-db
+	@echo lql deploy --recursive --createdb --yes --project dbs --database launchql-db
+	@echo lql deploy --recursive --createdb --yes --project dbs_rls --database launchql-db
+
+generate:
+	@cd packages/db_text && ./generate/generate.js
+	@cd packages/db_text && lql package --version 0.0.1
+	@cd packages/db_utils && lql package --version 0.0.1
+	@cd packages/db_deps && lql package --version 0.0.1
+	@cd packages/db_migrate && lql package --version 0.0.1
+	$(MAKE) install
+
+gen:
+	@cd packages/db_text && ./generate/generate.js

bootstrap-roles.sql

@@ -1,6 +1,62 @@
-CREATE ROLE administrator;
+-- anonymous
 CREATE ROLE anonymous;
+
+ALTER USER anonymous WITH NOCREATEDB;
+
+ALTER USER anonymous WITH NOSUPERUSER;
+
+ALTER USER anonymous WITH NOCREATEROLE;
+
+ALTER USER anonymous WITH NOLOGIN;
+
+ALTER USER anonymous WITH NOREPLICATION;
+
+ALTER USER anonymous WITH NOBYPASSRLS;
+
+-- authenticated
 CREATE ROLE authenticated;
+
+ALTER USER authenticated WITH NOCREATEDB;
+
+ALTER USER authenticated WITH NOSUPERUSER;
+
+ALTER USER authenticated WITH NOCREATEROLE;
+
+ALTER USER authenticated WITH NOLOGIN;
+
+ALTER USER authenticated WITH NOREPLICATION;
+
+ALTER USER authenticated WITH NOBYPASSRLS;
+
+-- administrator
+CREATE ROLE administrator;
+
+ALTER USER administrator WITH NOCREATEDB;
+
+ALTER USER administrator WITH NOSUPERUSER;
+
+ALTER USER administrator WITH NOCREATEROLE;
+
+ALTER USER administrator WITH NOLOGIN;
+
+ALTER USER administrator WITH NOREPLICATION;
+
+-- they CAN bypass RLS
+ALTER USER administrator WITH BYPASSRLS;
+
+-- app user
 CREATE ROLE app_user LOGIN PASSWORD 'app_password';
+
 GRANT anonymous TO app_user;
+
 GRANT authenticated TO app_user;
+
+-- admin user
+CREATE ROLE app_admin LOGIN PASSWORD 'admin_password';
+
+GRANT anonymous TO administrator;
+
+GRANT authenticated TO administrator;
+
+GRANT administrator TO app_admin;
+

docker-compose.yml

@@ -1,8 +1,8 @@
 version: '2'
 services:
   postgres:
-    container_name: webinc-postgres
-    image: pyramation/postgres-plv8
+    container_name: launchql-postgres
+    image: pyramation/postgres
     environment:
       - "POSTGRES_USER=postgres"
       - "POSTGRES_PASSWORD=password"
@@ -12,37 +12,3 @@ services:
       - "5432"
     volumes:
       - ./packages:/sql-extensions
-      - ./node_modules:/sql-modules
-  # prest:
-  #   container_name: webinc-prest
-  #   image: prest/prest
-  #   links:
-  #       - "postgres:webinc-postgres"
-  #   environment:
-  #       - PREST_DEBUG=true # remove comment for enable DEBUG mode (disable JWT)
-  #       - PREST_PG_HOST=postgres
-  #       - PREST_PG_USER=postgres
-  #       - PREST_PG_PASS=password
-  #       - PREST_PG_DATABASE=webinc-db
-  #       - PREST_PG_PORT=5432
-  #       - PREST_JWT_DEFAULT=false # remove if need jwt
-  #   depends_on:
-  #       - postgres
-  #   ports:
-  #       - "3333:3000"
-  # postgrest:
-  #   container_name: webinc-postgrest
-  #   image: postgrest/postgrest:latest
-  #   ports:
-  #     - "4444:3000"
-  #   environment:
-  #     # The standard connection URI format, documented at
-  #     # https://www.postgresql.org/docs/current/static/libpq-connect.html#LIBPQ-CONNSTRING
-  #     - PGRST_DB_URI=postgres://postgres:password@postgres:5432/webinc-db
-  #     # The name of which database schema to expose to REST clients
-  #     - PGRST_DB_SCHEMA=collections_public
-  #     # The database role to use when no client authentication is provided
-  #     - PGRST_DB_ANON_ROLE=postgres
-  #   depends_on:
-  #     - postgres
-  #   restart: always

package.json

@@ -1,9 +1,5 @@
 {
-  "name": "webinc",
+  "name": "webql",
   "dependencies": {
-    "skitch-extension-defaults": "latest",
-    "skitch-extension-default-roles": "latest",
-    "skitch-extension-verify": "latest",
-    "skitch-extension-utils": "latest"
   }
-}
+}

packages/dbs_rls/.babelrc

@@ -0,0 +1,11 @@
+{
+  "plugins": [
+    "dynamic-import-node",
+    "syntax-dynamic-import",
+    "transform-class-properties",
+    "transform-object-rest-spread",
+    "transform-regenerator",
+    "transform-runtime"
+  ],
+  "presets": ["env"]
+}

packages/dbs_rls/.env

@@ -0,0 +1,10 @@
+
+PGDATABASE=testing-db
+PGTEMPLATE_DATABASE=testing-template-db
+PGHOST=localhost
+PGPASSWORD=password
+PGPORT=5432
+PGUSER=postgres
+APP_USER=app_user
+APP_PASSWORD=app_password
+PGEXTENSIONS=plpgsql,uuid-ossp,pgcrypto,dbs,skitch-extension-default-roles,skitch-extension-defaults,skitch-extension-utils,skitch-extension-verify,webql-projects,webql-roles

packages/dbs_rls/Makefile

@@ -0,0 +1,7 @@
+EXTENSION = dbs_rls
+DATA = sql/dbs_rls--0.0.1.sql
+
+PG_CONFIG = pg_config
+PGXS := $(shell $(PG_CONFIG) --pgxs)
+include $(PGXS)
+  

packages/dbs_rls/dbs_rls.control

@@ -0,0 +1,8 @@
+# dbs_rls extension
+comment = 'dbs_rls extension'
+default_version = '0.0.1'
+module_pathname = '$libdir/dbs_rls'
+requires = 'plpgsql,uuid-ossp,pgcrypto,dbs,skitch-extension-default-roles,skitch-extension-defaults,skitch-extension-utils,skitch-extension-verify,webql-projects,webql-roles'
+relocatable = false
+superuser = false
+  

packages/dbs_rls/deploy/schemas/collections_private/grants/grant_schema_to_authenticated.sql

@@ -0,0 +1,12 @@
+-- Deploy schemas/collections_private/grants/grant_schema_to_authenticated to pg
+-- requires: schemas/collections_private/schema
+
+BEGIN;
+GRANT USAGE ON SCHEMA collections_private TO authenticated, anonymous;
+GRANT EXECUTE ON FUNCTION collections_private.get_available_schema_name TO authenticated;
+GRANT EXECUTE ON FUNCTION collections_private.database_name_hash TO authenticated;
+GRANT EXECUTE ON FUNCTION collections_private.table_name_hash TO authenticated;
+GRANT EXECUTE ON FUNCTION collections_private.get_schema_name_by_database_id TO authenticated;
+GRANT EXECUTE ON FUNCTION collections_private.is_valid_type TO authenticated;
+COMMIT;
+

packages/dbs_rls/deploy/schemas/collections_private/schema.sql

@@ -0,0 +1,2 @@
+-- Deploy schemas/collections_private/schema to pg
+

packages/dbs_rls/deploy/schemas/collections_public/grants/grant_schema_to_authenticated.sql

@@ -0,0 +1,9 @@
+-- Deploy schemas/collections_public/grants/grant_schema_to_authenticated to pg
+
+-- requires: schemas/collections_public/schema
+
+BEGIN;
+
+GRANT USAGE ON SCHEMA collections_public TO authenticated;
+
+COMMIT;

packages/dbs_rls/deploy/schemas/collections_public/schema.sql

@@ -0,0 +1,2 @@
+-- Deploy schemas/collections_public/schema to pg
+

packages/dbs_rls/deploy/schemas/collections_public/tables/constraint/alterations/alter_table_add_project_id.sql

@@ -0,0 +1,11 @@
+-- Deploy schemas/collections_public/tables/constraint/alterations/alter_table_add_project_id to pg
+
+-- requires: schemas/collections_public/schema
+-- requires: schemas/collections_public/tables/constraint/table
+
+BEGIN;
+
+ALTER TABLE collections_public.constraint
+    ADD COLUMN project_id uuid NOT NULL;
+
+COMMIT;

packages/dbs_rls/deploy/schemas/collections_public/tables/constraint/policies/enable_row_level_security.sql

@@ -0,0 +1,11 @@
+-- Deploy schemas/collections_public/tables/constraint/policies/enable_row_level_security to pg
+
+-- requires: schemas/collections_public/schema
+-- requires: schemas/collections_public/tables/constraint/table
+
+BEGIN;
+
+ALTER TABLE collections_public.constraint
+    ENABLE ROW LEVEL SECURITY;
+
+COMMIT;

packages/dbs_rls/deploy/schemas/collections_public/tables/constraint/policies/project_constraint_policy.sql

@@ -0,0 +1,40 @@
+-- Deploy schemas/collections_public/tables/constraint/policies/project_constraint_policy to pg
+
+-- requires: schemas/collections_public/schema
+-- requires: schemas/collections_public/tables/constraint/table
+-- requires: schemas/collections_public/tables/constraint/policies/enable_row_level_security
+-- requires: schemas/collections_public/tables/constraint/alterations/alter_table_add_project_id 
+BEGIN;
+
+CREATE POLICY can_select_constraint ON collections_public.constraint
+  FOR SELECT
+  USING (
+    collaboration_private.permitted_on_project ('read', 'database', project_id)
+  );
+
+CREATE POLICY can_insert_constraint ON collections_public.constraint
+  FOR INSERT
+  WITH CHECK (
+    collaboration_private.permitted_on_project ('add', 'database', project_id)
+  );
+
+CREATE POLICY can_update_constraint ON collections_public.constraint
+  FOR UPDATE
+  USING (
+    collaboration_private.permitted_on_project ('edit', 'database', project_id)
+  );
+
+CREATE POLICY can_delete_constraint ON collections_public.constraint
+  FOR DELETE
+  USING (
+    collaboration_private.permitted_on_project ('destroy', 'database', project_id)
+  );
+
+
+GRANT INSERT ON TABLE collections_public.constraint TO authenticated;
+GRANT SELECT ON TABLE collections_public.constraint TO authenticated;
+GRANT UPDATE ON TABLE collections_public.constraint TO authenticated;
+GRANT DELETE ON TABLE collections_public.constraint TO authenticated;
+
+
+COMMIT;

packages/dbs_rls/deploy/schemas/collections_public/tables/constraint/table.sql

@@ -0,0 +1,3 @@
+-- Deploy schemas/collections_public/tables/constraint/table to pg
+
+-- requires: schemas/collections_public/schema

packages/dbs_rls/deploy/schemas/collections_public/tables/constraint/triggers/before_insert_constraint_set_project_id.sql

@@ -0,0 +1,30 @@
+-- Deploy schemas/collections_public/tables/constraint/triggers/before_insert_constraint_set_project_id to pg
+
+-- requires: schemas/collections_public/schema
+-- requires: schemas/collections_public/tables/constraint/table
+-- requires: schemas/collections_public/tables/constraint/alterations/alter_table_add_project_id 
+
+BEGIN;
+
+CREATE FUNCTION collections_private.tg_before_insert_constraint_set_project_id()
+RETURNS TRIGGER AS $$
+DECLARE
+  proj_id uuid;
+BEGIN
+  SELECT project_id FROM collections_public.table 
+    WHERE id = NEW.table_id
+  INTO proj_id;
+
+  NEW.project_id = proj_id;
+
+ RETURN NEW;
+END;
+$$
+LANGUAGE 'plpgsql' VOLATILE;
+
+CREATE TRIGGER before_insert_constraint_set_project_id
+BEFORE INSERT ON collections_public.constraint
+FOR EACH ROW
+EXECUTE PROCEDURE collections_private.tg_before_insert_constraint_set_project_id ();
+
+COMMIT;

packages/dbs_rls/deploy/schemas/collections_public/tables/database/alterations/add_foreign_key_project_id.sql

@@ -0,0 +1,19 @@
+-- Deploy schemas/collections_public/tables/database/alterations/add_foreign_key_project_id to pg
+
+-- requires: schemas/collections_public/schema
+-- requires: schemas/projects_public/schema
+-- requires: schemas/collections_public/tables/database/table
+-- requires: schemas/projects_public/tables/project/table
+-- requires: schemas/collections_public/tables/database/alterations/alter_table_add_project_id 
+
+BEGIN;
+
+
+ALTER TABLE collections_public.database
+    ADD CONSTRAINT fk_collections_public_database_project_id
+    FOREIGN KEY (project_id)
+    REFERENCES projects_public.project (id)
+    ON DELETE CASCADE;
+
+
+COMMIT;

packages/dbs_rls/deploy/schemas/collections_public/tables/database/alterations/alter_table_add_project_id.sql

@@ -0,0 +1,11 @@
+-- Deploy schemas/collections_public/tables/database/alterations/alter_table_add_project_id to pg
+
+-- requires: schemas/collections_public/schema
+-- requires: schemas/collections_public/tables/database/table
+
+BEGIN;
+
+ALTER TABLE collections_public.database
+    ADD COLUMN project_id uuid NOT NULL;
+
+COMMIT;