From fb52a7d3cbc28500e4c56786ac7b762a5946cb5a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Teemu=20M=C3=A4kinen?=
Date: Fri, 22 Sep 2023 10:17:01 +0300
Subject: [PATCH] Add timetables API user permissions

---
 README.md | 21 +++---
 .../down.sql | 63 ++++++++++++++++++
 .../up.sql | 65 +++++++++++++++++++
 3 files changed, 139 insertions(+), 10 deletions(-)
 create mode 100644 migrations/generic/timetables/1694620856287_add-api-user-permissions/down.sql
 create mode 100644 migrations/generic/timetables/1694620856287_add-api-user-permissions/up.sql

diff --git a/README.md b/README.md
index 80ece9d1..23fce0b9 100644
--- a/README.md
+++ b/README.md
@@ -489,16 +489,17 @@ the secrets and delivers them to Hasura. Our Docker image expects the following secrets to be bound to the container:
-| Secret file | Description |
-| ------------------------- | ----------------------------------------------------------------------- |
-| hasura-admin-secret | Password with which admins can access the console and other features |
-| db-hostname | Hostname/IP address for the default database |
-| db-name | Name of the database instance to connect to within the default database |
-| db-timetables-name | Name of the logical database for timetables |
-| db-username | Username for the default database |
-| db-password | Password for the default database |
-| db-auth-username | Name of the sql user that is used by the auth backend service |
-| db-jore3importer-username | Name of the sql user that is used by the jore3 importer service |
+| Secret file | Description |
+| -------------------------- | ----------------------------------------------------------------------- |
+| hasura-admin-secret | Password with which admins can access the console and other features |
+| db-hostname | Hostname/IP address for the default database |
+| db-name | Name of the database instance to connect to within the default database |
+| db-timetables-name | Name of the logical database for timetables |
+| db-username | Username for the default database |
+| db-password | Password for the default database |
+| db-auth-username | Name of the sql user that is used by the auth backend service |
+| db-jore3importer-username | Name of the sql user that is used by the jore3 importer service |
+| db-timetables-api-username | Name of the sql user that is used by the timetables API service |
 ### Use of the Docker image
diff --git a/migrations/generic/timetables/1694620856287_add-api-user-permissions/down.sql b/migrations/generic/timetables/1694620856287_add-api-user-permissions/down.sql
new file mode 100644
index 00000000..4f05244e
--- /dev/null
+++ b/migrations/generic/timetables/1694620856287_add-api-user-permissions/down.sql 
@@ -0,0 +1,63 @@
+REVOKE USAGE ON SCHEMA journey_pattern FROM xxx_db_timetables_api_username_xxx;
+REVOKE SELECT ON ALL TABLES IN SCHEMA journey_pattern FROM xxx_db_timetables_api_username_xxx;
+REVOKE INSERT ON ALL TABLES IN SCHEMA journey_pattern FROM xxx_db_timetables_api_username_xxx;
+REVOKE UPDATE ON ALL TABLES IN SCHEMA journey_pattern FROM xxx_db_timetables_api_username_xxx;
+REVOKE DELETE ON ALL TABLES IN SCHEMA journey_pattern FROM xxx_db_timetables_api_username_xxx;
+
+REVOKE USAGE ON SCHEMA passing_times FROM xxx_db_timetables_api_username_xxx;
+REVOKE SELECT ON ALL TABLES IN SCHEMA passing_times FROM xxx_db_timetables_api_username_xxx;
+REVOKE INSERT ON ALL TABLES IN SCHEMA passing_times FROM xxx_db_timetables_api_username_xxx;
+REVOKE UPDATE ON ALL TABLES IN SCHEMA passing_times FROM xxx_db_timetables_api_username_xxx;
+REVOKE DELETE ON ALL TABLES IN SCHEMA passing_times FROM xxx_db_timetables_api_username_xxx;
+
+REVOKE USAGE ON SCHEMA route FROM xxx_db_timetables_api_username_xxx;
+REVOKE SELECT ON ALL TABLES IN SCHEMA route FROM xxx_db_timetables_api_username_xxx;
+REVOKE INSERT ON ALL TABLES IN SCHEMA route FROM xxx_db_timetables_api_username_xxx;
+REVOKE UPDATE ON ALL TABLES IN SCHEMA route FROM xxx_db_timetables_api_username_xxx;
+REVOKE DELETE ON ALL TABLES IN SCHEMA route FROM xxx_db_timetables_api_username_xxx;
+
+REVOKE USAGE ON SCHEMA service_calendar FROM xxx_db_timetables_api_username_xxx;
+REVOKE SELECT ON ALL TABLES IN SCHEMA service_calendar FROM xxx_db_timetables_api_username_xxx;
+REVOKE INSERT ON ALL TABLES IN SCHEMA service_calendar FROM xxx_db_timetables_api_username_xxx;
+REVOKE UPDATE ON ALL TABLES IN SCHEMA service_calendar FROM xxx_db_timetables_api_username_xxx;
+REVOKE DELETE ON ALL TABLES IN SCHEMA service_calendar FROM xxx_db_timetables_api_username_xxx;
+
+REVOKE USAGE ON SCHEMA service_pattern FROM xxx_db_timetables_api_username_xxx;
+REVOKE SELECT ON ALL TABLES IN SCHEMA service_pattern FROM xxx_db_timetables_api_username_xxx;
+REVOKE INSERT ON ALL TABLES IN SCHEMA service_pattern FROM xxx_db_timetables_api_username_xxx;
+REVOKE UPDATE ON ALL TABLES IN SCHEMA service_pattern FROM xxx_db_timetables_api_username_xxx;
+REVOKE DELETE ON ALL TABLES IN SCHEMA service_pattern FROM xxx_db_timetables_api_username_xxx;
+
+REVOKE USAGE ON SCHEMA vehicle_journey FROM xxx_db_timetables_api_username_xxx;
+REVOKE SELECT ON ALL TABLES IN SCHEMA vehicle_journey FROM xxx_db_timetables_api_username_xxx;
+REVOKE INSERT ON ALL TABLES IN SCHEMA vehicle_journey FROM xxx_db_timetables_api_username_xxx;
+REVOKE UPDATE ON ALL TABLES IN SCHEMA vehicle_journey FROM xxx_db_timetables_api_username_xxx;
+REVOKE DELETE ON ALL TABLES IN SCHEMA vehicle_journey FROM xxx_db_timetables_api_username_xxx;
+
+REVOKE USAGE ON SCHEMA vehicle_schedule FROM xxx_db_timetables_api_username_xxx;
+REVOKE SELECT ON ALL TABLES IN SCHEMA vehicle_schedule FROM xxx_db_timetables_api_username_xxx;
+REVOKE INSERT ON ALL TABLES IN SCHEMA vehicle_schedule FROM xxx_db_timetables_api_username_xxx;
+REVOKE UPDATE ON ALL TABLES IN SCHEMA vehicle_schedule FROM xxx_db_timetables_api_username_xxx;
+REVOKE DELETE ON ALL TABLES IN SCHEMA vehicle_schedule FROM xxx_db_timetables_api_username_xxx;
+
+REVOKE USAGE ON SCHEMA vehicle_service FROM xxx_db_timetables_api_username_xxx;
+REVOKE SELECT ON ALL TABLES IN SCHEMA vehicle_service FROM xxx_db_timetables_api_username_xxx;
+REVOKE INSERT ON ALL TABLES IN SCHEMA vehicle_service FROM xxx_db_timetables_api_username_xxx;
+REVOKE UPDATE ON ALL TABLES IN SCHEMA vehicle_service FROM xxx_db_timetables_api_username_xxx;
+REVOKE DELETE ON ALL TABLES IN SCHEMA vehicle_service FROM xxx_db_timetables_api_username_xxx;
+
+REVOKE USAGE ON SCHEMA vehicle_type FROM xxx_db_timetables_api_username_xxx;
+REVOKE SELECT ON ALL TABLES IN SCHEMA vehicle_type FROM xxx_db_timetables_api_username_xxx;
+REVOKE INSERT ON ALL TABLES IN SCHEMA vehicle_type FROM xxx_db_timetables_api_username_xxx;
+REVOKE UPDATE ON ALL TABLES IN SCHEMA vehicle_type FROM xxx_db_timetables_api_username_xxx;
+REVOKE DELETE ON ALL TABLES IN SCHEMA vehicle_type FROM xxx_db_timetables_api_username_xxx;
+
+ALTER DEFAULT PRIVILEGES IN SCHEMA journey_pattern REVOKE SELECT ON TABLES FROM xxx_db_timetables_api_username_xxx;
+ALTER DEFAULT PRIVILEGES IN SCHEMA passing_times REVOKE SELECT ON TABLES FROM xxx_db_timetables_api_username_xxx;
+ALTER DEFAULT PRIVILEGES IN SCHEMA route REVOKE SELECT ON TABLES FROM xxx_db_timetables_api_username_xxx;
+ALTER DEFAULT PRIVILEGES IN SCHEMA service_calendar REVOKE SELECT ON TABLES FROM xxx_db_timetables_api_username_xxx;
+ALTER DEFAULT PRIVILEGES IN SCHEMA service_pattern REVOKE SELECT ON TABLES FROM xxx_db_timetables_api_username_xxx;
+ALTER DEFAULT PRIVILEGES IN SCHEMA vehicle_journey REVOKE SELECT ON TABLES FROM xxx_db_timetables_api_username_xxx;
+ALTER DEFAULT PRIVILEGES IN SCHEMA vehicle_schedule REVOKE SELECT ON TABLES FROM xxx_db_timetables_api_username_xxx;
+ALTER DEFAULT PRIVILEGES IN SCHEMA vehicle_service REVOKE SELECT ON TABLES FROM xxx_db_timetables_api_username_xxx;
+ALTER DEFAULT PRIVILEGES IN SCHEMA vehicle_type REVOKE SELECT ON TABLES FROM xxx_db_timetables_api_username_xxx;
diff --git a/migrations/generic/timetables/1694620856287_add-api-user-permissions/up.sql b/migrations/generic/timetables/1694620856287_add-api-user-permissions/up.sql
new file mode 100644
index 00000000..43cd46fc
--- /dev/null
+++ b/migrations/generic/timetables/1694620856287_add-api-user-permissions/up.sql
@@ -0,0 +1,65 @@
+GRANT USAGE ON SCHEMA journey_pattern TO xxx_db_timetables_api_username_xxx;
+GRANT SELECT ON ALL TABLES IN SCHEMA journey_pattern TO xxx_db_timetables_api_username_xxx;
+GRANT INSERT ON ALL TABLES IN SCHEMA journey_pattern TO xxx_db_timetables_api_username_xxx;
+GRANT UPDATE ON ALL TABLES IN SCHEMA journey_pattern TO xxx_db_timetables_api_username_xxx;
+GRANT DELETE ON ALL TABLES IN SCHEMA journey_pattern TO xxx_db_timetables_api_username_xxx;
+
+GRANT USAGE ON SCHEMA passing_times TO xxx_db_timetables_api_username_xxx;
+GRANT SELECT ON ALL TABLES IN SCHEMA passing_times TO xxx_db_timetables_api_username_xxx;
+GRANT INSERT ON ALL TABLES IN SCHEMA passing_times TO xxx_db_timetables_api_username_xxx;
+GRANT UPDATE ON ALL TABLES IN SCHEMA passing_times TO xxx_db_timetables_api_username_xxx;
+GRANT DELETE ON ALL TABLES IN SCHEMA passing_times TO xxx_db_timetables_api_username_xxx;
+
+GRANT USAGE ON SCHEMA route TO xxx_db_timetables_api_username_xxx;
+GRANT SELECT ON ALL TABLES IN SCHEMA route TO xxx_db_timetables_api_username_xxx;
+GRANT INSERT ON ALL TABLES IN SCHEMA route TO xxx_db_timetables_api_username_xxx;
+GRANT UPDATE ON ALL TABLES IN SCHEMA route TO xxx_db_timetables_api_username_xxx;
+GRANT DELETE ON ALL TABLES IN SCHEMA route TO xxx_db_timetables_api_username_xxx;
+
+GRANT USAGE ON SCHEMA service_calendar TO xxx_db_timetables_api_username_xxx;
+GRANT SELECT ON ALL TABLES IN SCHEMA service_calendar TO xxx_db_timetables_api_username_xxx;
+GRANT INSERT ON ALL TABLES IN SCHEMA service_calendar TO xxx_db_timetables_api_username_xxx;
+GRANT UPDATE ON ALL TABLES IN SCHEMA service_calendar TO xxx_db_timetables_api_username_xxx;
+GRANT DELETE ON ALL TABLES IN SCHEMA service_calendar TO xxx_db_timetables_api_username_xxx;
+
+GRANT USAGE ON SCHEMA service_pattern TO xxx_db_timetables_api_username_xxx;
+GRANT SELECT ON ALL TABLES IN SCHEMA service_pattern TO xxx_db_timetables_api_username_xxx;
+GRANT INSERT ON ALL TABLES IN SCHEMA service_pattern TO xxx_db_timetables_api_username_xxx;
+GRANT UPDATE ON ALL TABLES IN SCHEMA service_pattern TO xxx_db_timetables_api_username_xxx;
+GRANT DELETE ON ALL TABLES IN SCHEMA service_pattern TO xxx_db_timetables_api_username_xxx;
+
+GRANT USAGE ON SCHEMA vehicle_journey TO xxx_db_timetables_api_username_xxx;
+GRANT SELECT ON ALL TABLES IN SCHEMA vehicle_journey TO xxx_db_timetables_api_username_xxx;
+GRANT INSERT ON ALL TABLES IN SCHEMA vehicle_journey TO xxx_db_timetables_api_username_xxx;
+GRANT UPDATE ON ALL TABLES IN SCHEMA vehicle_journey TO xxx_db_timetables_api_username_xxx;
+GRANT DELETE ON ALL TABLES IN SCHEMA vehicle_journey TO xxx_db_timetables_api_username_xxx;
+
+GRANT USAGE ON SCHEMA vehicle_schedule TO xxx_db_timetables_api_username_xxx;
+GRANT SELECT ON ALL TABLES IN SCHEMA vehicle_schedule TO xxx_db_timetables_api_username_xxx;
+GRANT INSERT ON ALL TABLES IN SCHEMA vehicle_schedule TO xxx_db_timetables_api_username_xxx;
+GRANT UPDATE ON ALL TABLES IN SCHEMA vehicle_schedule TO xxx_db_timetables_api_username_xxx;
+GRANT DELETE ON ALL TABLES IN SCHEMA vehicle_schedule TO xxx_db_timetables_api_username_xxx;
+
+GRANT USAGE ON SCHEMA vehicle_service TO xxx_db_timetables_api_username_xxx;
+GRANT SELECT ON ALL TABLES IN SCHEMA vehicle_service TO xxx_db_timetables_api_username_xxx;
+GRANT INSERT ON ALL TABLES IN SCHEMA vehicle_service TO xxx_db_timetables_api_username_xxx;
+GRANT UPDATE ON ALL TABLES IN SCHEMA vehicle_service TO xxx_db_timetables_api_username_xxx;
+GRANT DELETE ON ALL TABLES IN SCHEMA vehicle_service TO xxx_db_timetables_api_username_xxx;
+
+GRANT USAGE ON SCHEMA vehicle_type TO xxx_db_timetables_api_username_xxx;
+GRANT SELECT ON ALL TABLES IN SCHEMA vehicle_type TO xxx_db_timetables_api_username_xxx;
+GRANT INSERT ON ALL TABLES IN SCHEMA vehicle_type TO xxx_db_timetables_api_username_xxx;
+GRANT UPDATE ON ALL TABLES IN SCHEMA vehicle_type TO xxx_db_timetables_api_username_xxx;
+GRANT DELETE ON ALL TABLES IN SCHEMA vehicle_type TO xxx_db_timetables_api_username_xxx;
+
+-- Note: ALTER DEFAULT PRIVILEGES IN SCHEMA only adds GRANTs to *new* tables created after this migration
+-- if using GRANT, it'll only apply to the *existing* tables
+ALTER DEFAULT PRIVILEGES IN SCHEMA journey_pattern GRANT SELECT ON TABLES TO xxx_db_timetables_api_username_xxx;
+ALTER DEFAULT PRIVILEGES IN SCHEMA passing_times GRANT SELECT ON TABLES TO xxx_db_timetables_api_username_xxx;
+ALTER DEFAULT PRIVILEGES IN SCHEMA route GRANT SELECT ON TABLES TO xxx_db_timetables_api_username_xxx;
+ALTER DEFAULT PRIVILEGES IN SCHEMA service_calendar GRANT SELECT ON TABLES TO xxx_db_timetables_api_username_xxx;
+ALTER DEFAULT PRIVILEGES IN SCHEMA service_pattern GRANT SELECT ON TABLES TO xxx_db_timetables_api_username_xxx;
+ALTER DEFAULT PRIVILEGES IN SCHEMA vehicle_journey GRANT SELECT ON TABLES TO xxx_db_timetables_api_username_xxx;
+ALTER DEFAULT PRIVILEGES IN SCHEMA vehicle_schedule GRANT SELECT ON TABLES TO xxx_db_timetables_api_username_xxx;
+ALTER DEFAULT PRIVILEGES IN SCHEMA vehicle_service GRANT SELECT ON TABLES TO xxx_db_timetables_api_username_xxx;
+ALTER DEFAULT PRIVILEGES IN SCHEMA vehicle_type GRANT SELECT ON TABLES TO xxx_db_timetables_api_username_xxx;
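Review bot: The default-privilege block at the end of up.sql grants only SELECT on future tables, while the GRANT ... ON ALL TABLES statements above give the API role INSERT, UPDATE and DELETE on every existing table in the nine schemas, so a table created by a later migration will be readable but not writable by the same role. Decide which set is intended and make the two consistent: if the writes are required, widen each default-privilege line to `ALTER DEFAULT PRIVILEGES IN SCHEMA journey_pattern GRANT SELECT, INSERT, UPDATE, DELETE ON TABLES TO xxx_db_timetables_api_username_xxx;` and mirror the REVOKE in down.sql; if the API only needs to read some of these schemas, narrow the existing grants instead, since full DML across all timetable data is broader than least privilege calls for. `ALTER DEFAULT PRIVILEGES` without `FOR ROLE` also covers only objects created by the role that runs this migration, so tables created by another role will not inherit the grant; worth recording next to the existing note, e.g. `-- Only applies to tables created by the role running this migration; other creators need FOR ROLE.`. INSERT into tables with serial or identity columns additionally needs USAGE on the backing sequences, which this migration does not grant; whether such columns exist is not visible here.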