SolarArbiter
diff --git a/‎datastore/migrations/0030_job_user.down.sql‎
Lines changed: 8 additions & 0 deletions b/‎datastore/migrations/0030_job_user.down.sql‎
Lines changed: 8 additions & 0 deletions
diff --git a/‎datastore/migrations/0030_job_user.up.sql‎
Lines changed: 154 additions & 0 deletions b/‎datastore/migrations/0030_job_user.up.sql‎
Lines changed: 154 additions & 0 deletions
diff --git a/‎datastore/tests/test_admin_procedures.py‎
Lines changed: 177 additions & 0 deletions b/‎datastore/tests/test_admin_procedures.py‎
Lines changed: 177 additions & 0 deletions
diff --git a/‎setup.py‎
Lines changed: 2 additions & 1 deletion b/‎setup.py‎
Lines changed: 2 additions & 1 deletion
@@ -0,0 +1,8 @@
+DROP PROCEDURE grant_job_role;
+DROP PROCEDURE create_forecast_generation_role;
+DROP PROCEDURE create_data_validation_role;
+DROP PROCEDURE create_report_creation_role;
+DROP PROCEDURE create_job_user;
+DROP PROCEDURE store_token;
+DROP USER 'token_user'@'localhost';
+DROP TABLE arbiter_data.job_tokens;
@@ -0,0 +1,154 @@
+CREATE TABLE arbiter_data.job_tokens(
+  id BINARY(16) NOT NULL,
+  token VARCHAR(256) NOT NULL,
+  created_at TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,
+  modified_at TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP,
+
+  PRIMARY KEY (id),
+  FOREIGN KEY (id)
+    REFERENCES users(id)
+    ON DELETE CASCADE ON UPDATE RESTRICT
+) ENGINE=INNODB ENCRYPTION='Y' ROW_FORMAT=COMPRESSED;
+
+
+CREATE USER 'token_user'@'localhost' IDENTIFIED WITH caching_sha2_password as '$A$005$THISISACOMBINATIONOFINVALIDSALTANDPASSWORDTHATMUSTNEVERBRBEUSED' ACCOUNT LOCK;
+
+
+CREATE DEFINER = 'token_user'@'localhost' PROCEDURE store_token (IN auth0id VARCHAR(32), IN token VARCHAR(256))
+COMMENT 'Store the encrypted token in the table'
+MODIFIES SQL DATA SQL SECURITY DEFINER
+BEGIN
+    DECLARE user_id BINARY(16);
+    SET user_id = (SELECT id FROM arbiter_data.users WHERE auth0_id = auth0id);
+    INSERT INTO arbiter_data.job_tokens (id, token) VALUES (user_id, token)
+      ON DUPLICATE KEY UPDATE token = VALUES(token);
+END;
+
+GRANT SELECT(id, auth0_id) ON arbiter_data.users TO 'token_user'@'localhost';
+GRANT SELECT, INSERT, UPDATE(token) ON arbiter_data.job_tokens TO 'token_user'@'localhost';
+GRANT EXECUTE ON PROCEDURE arbiter_data.store_token TO 'token_user'@'localhost';
+GRANT EXECUTE ON PROCEDURE arbiter_data.store_token TO 'frameworkadmin'@'%';
+
+
+CREATE DEFINER = 'insert_rbac'@'localhost' PROCEDURE create_job_user(IN auth0id VARCHAR(32), IN orgid CHAR(36))
+COMMENT 'Inserts a new job user into the organization and add permission to read reference data only, returning new user id'
+MODIFIES SQL DATA SQL SECURITY DEFINER
+BEGIN
+    DECLARE userid BINARY(16);
+    DECLARE binorgid BINARY(16);
+    SET userid = UUID_TO_BIN(UUID(), 1);
+    SET binorgid = UUID_TO_BIN(orgid, 1);
+    INSERT INTO arbiter_data.users (id, auth0_id, organization_id) VALUES (
+        userid, auth0id, binorgid);
+    CALL arbiter_data.add_reference_role_to_user(userid);
+    CALL arbiter_data.create_default_user_role(userid, binorgid);
+    SELECT BIN_TO_UUID(userid, 1);
+END;
+
+GRANT EXECUTE ON PROCEDURE arbiter_data.create_job_user TO 'insert_rbac'@'localhost';
+GRANT EXECUTE ON PROCEDURE arbiter_data.create_job_user TO 'frameworkadmin'@'%';
+
+
+-- role for automatic report generation
+CREATE DEFINER = 'insert_rbac'@'localhost' PROCEDURE create_report_creation_role(IN orgid BINARY(16))
+COMMENT 'Create a role that provides the necessary access to create reports from any fx/obs'
+MODIFIES SQL DATA SQL SECURITY DEFINER
+BEGIN
+   -- relying on default permissions already created on create organization
+   DECLARE roleid BINARY(16);
+   SET roleid = UUID_TO_BIN(UUID(), 1);
+   INSERT INTO arbiter_data.roles (name, description, id, organization_id) VALUES (
+       'Create reports', 'Create reports for any pairs of forecasts/prob. forecasts/observations/aggregates',
+       roleid, orgid);
+   INSERT INTO arbiter_data.role_permission_mapping (role_id, permission_id)
+     SELECT roleid, id FROM arbiter_data.permissions WHERE applies_to_all AND organization_id = orgid
+     AND description IN (
+       'Read all sites', 'Read all observations', 'Read all observation values', 'Read all forecasts',
+       'Read all forecast values', 'Read all probabilistic forecasts', 'Read all probabilistic forecast values',
+       'Read all aggregates', 'Read all aggregate values', 'Create reports');
+    SELECT BIN_TO_UUID(roleid, 1);
+END;
+
+GRANT SELECT(id, applies_to_all, description, organization_id) ON arbiter_data.permissions TO 'insert_rbac'@'localhost';
+GRANT EXECUTE ON PROCEDURE arbiter_data.create_report_creation_role TO 'insert_rbac'@'localhost';
+GRANT EXECUTE ON PROCEDURE arbiter_data.create_report_creation_role TO 'frameworkadmin'@'%';
+
+
+-- role for data validation
+CREATE DEFINER = 'insert_rbac'@'localhost' PROCEDURE create_data_validation_role(IN orgid BINARY(16))
+COMMENT 'Create a role that provides the necessary access (read, read_values, write_values) to validate observations'
+MODIFIES SQL DATA SQL SECURITY DEFINER
+BEGIN
+   -- relying on default permissions already created on create organization
+   DECLARE roleid BINARY(16);
+   SET roleid = UUID_TO_BIN(UUID(), 1);
+   INSERT INTO arbiter_data.roles (name, description, id, organization_id) VALUES (
+       'Validate observations', 'Enable observation data validation for all observations',
+       roleid, orgid);
+   INSERT INTO arbiter_data.role_permission_mapping (role_id, permission_id)
+     SELECT roleid, id FROM arbiter_data.permissions WHERE applies_to_all AND organization_id = orgid
+     AND description IN (
+       'Read all sites', 'Read all observations', 'Read all observation values',
+       'Submit values to all observations');
+    SELECT BIN_TO_UUID(roleid, 1);
+END;
+
+GRANT EXECUTE ON PROCEDURE arbiter_data.create_data_validation_role TO 'insert_rbac'@'localhost';
+GRANT EXECUTE ON PROCEDURE arbiter_data.create_data_validation_role TO 'frameworkadmin'@'%';
+
+
+-- role for automatic forecast generation
+CREATE DEFINER = 'insert_rbac'@'localhost' PROCEDURE create_forecast_generation_role(IN orgid BINARY(16))
+COMMENT 'Create a role that provides the necessary access to generate reference NWP or persistence forecast values'
+MODIFIES SQL DATA SQL SECURITY DEFINER
+BEGIN
+   -- relying on default permissions already created on create organization
+   DECLARE roleid BINARY(16);
+   SET roleid = UUID_TO_BIN(UUID(), 1);
+   INSERT INTO arbiter_data.roles (name, description, id, organization_id) VALUES (
+       'Generate reference forecasts', 'Enable writing forecast values for automatic reference forecasts',
+       roleid, orgid);
+   INSERT INTO arbiter_data.role_permission_mapping (role_id, permission_id)
+     SELECT roleid, id FROM arbiter_data.permissions WHERE applies_to_all AND organization_id = orgid
+     AND description IN (
+       'Read all sites', 'Read all forecasts', 'Read all probabilistic forecasts', 'Read all aggregates',
+       -- for persistence
+       'Read all observations', 'Read all observation values', 'Read all aggregate values',
+       'Submit values to all forecasts', 'Submit values to all probabilistic forecasts');
+    SELECT BIN_TO_UUID(roleid, 1);
+END;
+
+GRANT EXECUTE ON PROCEDURE arbiter_data.create_forecast_generation_role TO 'insert_rbac'@'localhost';
+GRANT EXECUTE ON PROCEDURE arbiter_data.create_forecast_generation_role TO 'frameworkadmin'@'%';
+
+
+CREATE DEFINER = 'insert_rbac'@'localhost' PROCEDURE grant_job_role (IN userstrid CHAR(36), IN role_name VARCHAR(32))
+COMMENT 'Grant one of the background job roles to a user'
+MODIFIES SQL DATA SQL SECURITY DEFINER
+BEGIN
+    DECLARE userid BINARY(16);
+    DECLARE orgid BINARY(16);
+    DECLARE roleid BINARY(16) DEFAULT NULL;
+    SET userid = UUID_TO_BIN(userstrid, 1);
+    SET orgid = get_object_organization(userid, 'users');
+    SET roleid = (SELECT id FROM arbiter_data.roles WHERE organization_id = orgid AND name = role_name
+        AND name in ('Create reports', 'Validate observations', 'Generate reference forecasts'));
+    IF roleid IS NULL THEN
+        IF role_name = 'Create reports' THEN
+            CALL create_report_creation_role(orgid);
+        ELSEIF role_name = 'Validate observations' THEN
+            CALL create_data_validation_role(orgid);
+        ELSEIF role_name = 'Generate reference forecasts' THEN
+            CALL create_forecast_generation_role(orgid);
+        ELSE
+            SIGNAL SQLSTATE '42000' SET MESSAGE_TEXT = 'Cannot create and assign job role',
+            MYSQL_ERRNO = 1142;
+        END IF;
+        SET roleid = (SELECT id FROM arbiter_data.roles WHERE organization_id = orgid AND name = role_name);
+    END IF;
+    INSERT INTO arbiter_data.user_role_mapping (user_id, role_id) VALUES (userid, roleid);
+END;
+
+GRANT EXECUTE ON PROCEDURE arbiter_data.grant_job_role TO 'insert_rbac'@'localhost';
+GRANT SELECT(id, organization_id, name) ON arbiter_data.roles TO 'insert_rbac'@'localhost';
+GRANT EXECUTE ON PROCEDURE arbiter_data.grant_job_role TO 'frameworkadmin'@'%';
@@ -682,3 +682,180 @@ def test_set_org_accepted_tou_org_dne(dictcursor):
         dictcursor.callproc('set_org_accepted_tou', (str(bin_to_uuid(orgid)),))
     assert e.value.args[0] == 1305
     assert e.value.args[1] == "Organization does not exist"
+
+
+def test_store_token(dictcursor, new_user):
+    user = new_user()
+    dictcursor.callproc('store_token', (user['auth0_id'], 'testtoken'))
+    dictcursor.execute('SELECT * FROM job_tokens')
+    out = dictcursor.fetchall()
+    assert len(out) == 1
+    assert out[0]['id'] == user['id']
+    assert out[0]['token'] == 'testtoken'
+
+    dictcursor.callproc('store_token', (user['auth0_id'], 'newtoken'))
+    dictcursor.execute('SELECT * FROM job_tokens')
+    out = dictcursor.fetchall()
+    assert len(out) == 1
+    assert out[0]['id'] == user['id']
+    assert out[0]['token'] == 'newtoken'
+
+
+def test_create_job_user(cursor, new_organization):
+    org = new_organization()
+    orgid = bin_to_uuid(org['id'])
+    auth0_id = 'auth0|testid'
+    cursor.callproc('create_job_user', (auth0_id, orgid))
+    user_id = cursor.fetchone()[0]
+    cursor.execute(
+        'SELECT 1 as one FROM users WHERE auth0_id = %s '
+        'AND organization_id = UUID_TO_BIN(%s, 1)',
+        (auth0_id, orgid))
+    assert cursor.fetchall()[0]
+    cursor.execute(
+        'SELECT name FROM roles WHERE id IN'
+        '(select role_id from user_role_mapping where '
+        'user_id = UUID_TO_BIN(%s, 1))',
+        (user_id,)
+    )
+    roles = [r[0] for r in cursor.fetchall()]
+    assert len(roles) == 2
+    assert 'Read Reference Data' in roles
+    assert f'DEFAULT User role {user_id}' in roles
+
+
+def test_create_report_creation_role(dictcursor):
+    dictcursor.callproc('create_organization', ('test_org',))
+    dictcursor.execute('SELECT * FROM arbiter_data.organizations '
+                       'WHERE name = "test_org"')
+    org = dictcursor.fetchone()
+    orgid = org['id']
+
+    dictcursor.callproc('create_report_creation_role', (orgid,))
+    dictcursor.execute(
+        'SELECT * FROM roles WHERE name = "Create reports" and organization_id = %s',  # NOQA
+        orgid)
+    create_roles = dictcursor.fetchall()
+    assert len(create_roles) == 1
+    create_role = create_roles[0]
+    assert 'Create reports' in create_role['description']
+    assert create_role['organization_id'] == orgid
+    role_id = create_role['id']
+    dictcursor.execute(
+        'SELECT permission_id FROM role_permission_mapping WHERE role_id = %s',
+        role_id)
+    permission_ids = dictcursor.fetchall()
+    assert len(permission_ids) == 10
+    perm_objects = []
+    for permid in [p['permission_id'] for p in permission_ids]:
+        dictcursor.execute('SELECT * FROM permissions WHERE id = %s', permid)
+        perm = dictcursor.fetchone()
+        perm_objects.append(perm)
+    perms = {p['description']: p for p in perm_objects}
+    for perm in perms.values():
+        assert perm['applies_to_all'] == 1
+        assert perm['organization_id'] == orgid
+    assert {'Read all sites', 'Read all observations',
+            'Read all observation values', 'Read all forecasts',
+            'Read all forecast values', 'Read all probabilistic forecasts',
+            'Read all probabilistic forecast values',
+            'Read all aggregates', 'Read all aggregate values',
+            'Create reports'} == set(perms.keys())
+
+
+def test_create_data_validation_role(dictcursor):
+    dictcursor.callproc('create_organization', ('test_org',))
+    dictcursor.execute('SELECT * FROM arbiter_data.organizations '
+                       'WHERE name = "test_org"')
+    org = dictcursor.fetchone()
+    orgid = org['id']
+
+    dictcursor.callproc('create_data_validation_role', (orgid,))
+    dictcursor.execute(
+        'SELECT * FROM roles WHERE name = "Validate observations" and organization_id = %s',  # NOQA
+        orgid)
+    create_roles = dictcursor.fetchall()
+    assert len(create_roles) == 1
+    create_role = create_roles[0]
+    assert 'Enable observation data validation' in create_role['description']
+    assert create_role['organization_id'] == orgid
+    role_id = create_role['id']
+    dictcursor.execute(
+        'SELECT permission_id FROM role_permission_mapping WHERE role_id = %s',
+        role_id)
+    permission_ids = dictcursor.fetchall()
+    assert len(permission_ids) == 4
+    perm_objects = []
+    for permid in [p['permission_id'] for p in permission_ids]:
+        dictcursor.execute('SELECT * FROM permissions WHERE id = %s', permid)
+        perm = dictcursor.fetchone()
+        perm_objects.append(perm)
+    perms = {p['description']: p for p in perm_objects}
+    for perm in perms.values():
+        assert perm['applies_to_all'] == 1
+        assert perm['organization_id'] == orgid
+    assert {'Read all sites', 'Read all observations', 'Read all observation values',
+            'Submit values to all observations'} == set(perms.keys())
+
+
+def test_create_forecast_generation_role(dictcursor):
+    dictcursor.callproc('create_organization', ('test_org',))
+    dictcursor.execute('SELECT * FROM arbiter_data.organizations '
+                       'WHERE name = "test_org"')
+    org = dictcursor.fetchone()
+    orgid = org['id']
+
+    dictcursor.callproc('create_forecast_generation_role', (orgid,))
+    dictcursor.execute(
+        'SELECT * FROM roles WHERE name = "Generate reference forecasts" and organization_id = %s',  # NOQA
+        orgid)
+    create_roles = dictcursor.fetchall()
+    assert len(create_roles) == 1
+    create_role = create_roles[0]
+    assert 'Enable writing forecast values for ' in create_role['description']
+    assert create_role['organization_id'] == orgid
+    role_id = create_role['id']
+    dictcursor.execute(
+        'SELECT permission_id FROM role_permission_mapping WHERE role_id = %s',
+        role_id)
+    permission_ids = dictcursor.fetchall()
+    assert len(permission_ids) == 9
+    perm_objects = []
+    for permid in [p['permission_id'] for p in permission_ids]:
+        dictcursor.execute('SELECT * FROM permissions WHERE id = %s', permid)
+        perm = dictcursor.fetchone()
+        perm_objects.append(perm)
+    perms = {p['description']: p for p in perm_objects}
+    for perm in perms.values():
+        assert perm['applies_to_all'] == 1
+        assert perm['organization_id'] == orgid
+
+    assert {'Read all sites', 'Read all forecasts',
+            'Read all probabilistic forecasts', 'Read all aggregates',
+            'Read all observations', 'Read all observation values',
+            'Read all aggregate values',
+            'Submit values to all forecasts',
+            'Submit values to all probabilistic forecasts'} == set(perms.keys())
+
+
+@pytest.mark.parametrize('role,precreate', [
+    ('Create reports', None),
+    ('Validate observations', None),
+    ('Generate reference forecasts', None),
+    pytest.param('Read all', None, marks=pytest.mark.xfail),
+    ('Create reports', 'create_report_creation_role'),
+    ('Validate observations', 'create_report_creation_role'),
+    ('Validate observations', 'create_data_validation_role')
+])
+def test_grant_job_role(cursor, new_user, role, precreate):
+    user = new_user()
+    struserid = str(bin_to_uuid(user['id']))
+    if precreate is not None:
+        cursor.callproc(precreate, (user['organization_id'],))
+
+    cursor.callproc('grant_job_role', (struserid, role))
+    cursor.execute(
+        'SELECT 1 FROM user_role_mapping WHERE user_id = %s AND role_id = '
+        '(SELECT id FROM roles WHERE name = %s AND organization_id = %s)',
+        (user['id'], role, user['organization_id']))
+    assert cursor.fetchone()[0]
@@ -47,7 +47,8 @@
         'pymysql',
         'solarforecastarbiter',
         'sentry_sdk',
-        'blinker'
+        'blinker',
+        'cryptography'
     ],
     extras_require=EXTRAS_REQUIRE,
     project_urls={