Merge pull request #2735 from GSA-TTS/main

.github/workflows/new-relic-deployment.yml

@@ -17,7 +17,7 @@ jobs:
         run: echo "RELEASE_VERSION=${{ github.ref_name }}" >> $GITHUB_ENV
       # This step creates a new Change Tracking Marker
       - name: Add New Relic Application Deployment Marker
-        uses: newrelic/deployment-marker-action@v2.3.0
+        uses: newrelic/deployment-marker-action@v2.5.0
         with:
           apiKey: ${{ secrets.NEW_RELIC_API_KEY }}
           guid: ${{ secrets.NEW_RELIC_DEPLOYMENT_ENTITY_GUID }}

.github/workflows/trivy.yml

@@ -39,7 +39,7 @@ jobs:
         run: docker build -t ${{ env.DOCKER_NAME }}:${{ steps.date.outputs.date }} .
 
       - name: Run Trivy vulnerability scanner
-        uses: aquasecurity/[email protected].0
+        uses: aquasecurity/[email protected].1
         with:
           image-ref: '${{ env.DOCKER_NAME }}:${{ steps.date.outputs.date }}'
           scan-type: 'image'
@@ -74,7 +74,7 @@ jobs:
         run: docker pull ${{ matrix.image.name }}
 
       - name: Run Trivy vulnerability scanner on Third Party Images
-        uses: aquasecurity/[email protected].0
+        uses: aquasecurity/[email protected].1
         with:
           image-ref: '${{ matrix.image.name }}'
           scan-type: 'image'

.github/workflows/zap-scan.yml

@@ -18,7 +18,7 @@ jobs:
         uses: actions/checkout@v4
 
       - name: ZAP Scan of ${{ env.url }}
-        uses: zaproxy/action-baseline@v0.9.0
+        uses: zaproxy/action-baseline@v0.10.0
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
           docker_name: 'owasp/zap2docker-stable'

backend/dissemination/api/api_v1_0_3/base.sql

@@ -0,0 +1,29 @@
+DO
+$do$
+BEGIN
+   IF EXISTS (
+      SELECT FROM pg_catalog.pg_roles
+      WHERE  rolname = 'authenticator') THEN
+      RAISE NOTICE 'Role "authenticator" already exists. Skipping.';
+   ELSE
+      CREATE ROLE authenticator LOGIN NOINHERIT NOCREATEDB NOCREATEROLE NOSUPERUSER;
+   END IF;
+END
+$do$;
+
+DO
+$do$
+BEGIN
+   IF EXISTS (
+      SELECT FROM pg_catalog.pg_roles
+      WHERE  rolname = 'api_fac_gov') THEN
+      RAISE NOTICE 'Role "api_fac_gov" already exists. Skipping.';
+   ELSE
+      CREATE ROLE api_fac_gov NOLOGIN;
+   END IF;
+END
+$do$;
+
+GRANT api_fac_gov TO authenticator;
+
+NOTIFY pgrst, 'reload schema';

backend/dissemination/api/api_v1_0_3/create_functions.sql

@@ -0,0 +1,60 @@
+-- WARNING
+-- Under PostgreSQL 12, the functions below work.
+-- Under PostgreSQL 14, these will break.
+--
+-- Note the differences:
+--
+-- raise info 'Works under PostgreSQL 12';
+-- raise info 'request.header.x-magic %', (SELECT current_setting('request.header.x-magic', true));
+-- raise info 'request.jwt.claim.expires %', (SELECT current_setting('request.jwt.claim.expires', true));
+-- raise info 'Works under PostgreSQL 14';
+-- raise info 'request.headers::json->>x-magic %', (SELECT current_setting('request.headers', true)::json->>'x-magic');
+-- raise info 'request.jwt.claims::json->expires %', (SELECT current_setting('request.jwt.claims', true)::json->>'expires');
+--
+-- To quote the work of Dav Pilkey, "remember this now."
+
+create or replace function getter(base text, item text) returns text 
+as $getter$
+begin 
+	return current_setting(concat(base, '.', item), true);
+end;
+$getter$ language plpgsql;
+
+create or replace function get_jwt_claim(item text) returns text 
+as $get_jwt_claim$
+begin 
+	return getter('request.jwt.claim', item);
+end;
+$get_jwt_claim$ language plpgsql;
+
+create or replace function get_header(item text) returns text
+as $get_header$
+begin 
+	raise info 'request.header % %', item, getter('request.header', item);
+	return getter('request.header', item);
+end;
+$get_header$ LANGUAGE plpgsql;
+
+-- https://api-umbrella.readthedocs.io/en/latest/admin/api-backends/http-headers.html
+-- I'd like to go to a model where we provide the API keys. 
+-- However, for now, we're going to look for a role attached to an api.data.gov account.
+-- These come in on `X-Api-Roles` as a comma-separated string.
+create or replace function has_tribal_data_access() returns boolean
+as $has_tribal_data_access$
+declare 
+    roles text;
+begin 
+	select get_header('x-api-roles') into roles;
+    return (roles like '%fac_gov_tribal_access%');
+end;
+$has_tribal_data_access$ LANGUAGE plpgsql;
+
+create or replace function has_public_data_access_only() returns boolean
+as $has_public_data_access_only$
+begin 
+    return not has_tribal_data_access();
+end;
+$has_public_data_access_only$ LANGUAGE plpgsql;
+
+
+NOTIFY pgrst, 'reload schema';

backend/dissemination/api/api_v1_0_3/create_schema.sql

@@ -0,0 +1,48 @@
+begin;
+
+do
+$$
+begin
+    DROP SCHEMA IF EXISTS api_v1_0_3 CASCADE;
+
+    if not exists (select schema_name from information_schema.schemata where schema_name = 'api_v1_0_3') then
+        create schema api_v1_0_3;
+
+        -- Grant access to tables and views
+        alter default privileges
+            in schema api_v1_0_3
+            grant select
+        -- this includes views
+        on tables
+        to api_fac_gov;
+
+        -- Grant access to sequences, if we have them
+        grant usage on schema api_v1_0_3 to api_fac_gov;
+        grant select, usage on all sequences in schema api_v1_0_3 to api_fac_gov;
+        alter default privileges
+            in schema api_v1_0_3
+            grant select, usage
+        on sequences
+        to api_fac_gov;
+    end if;
+end
+$$
+;
+
+-- This is the description
+COMMENT ON SCHEMA api_v1_0_3 IS
+    'The FAC dissemation API version 1.0.3.'
+;
+
+-- https://postgrest.org/en/stable/references/api/openapi.html
+-- This is the title
+COMMENT ON SCHEMA api_v1_0_3 IS
+$$v1.0.3
+
+A RESTful API that serves data from the SF-SAC.$$;
+
+commit;
+
+notify pgrst,
+       'reload schema';
+