When I am editing a job, I should be able to view a list of my existing credentials and select one.

When a user is not either an :admin or :superuser, accessing the User Management page (list of all users, editing a user that isn't themselves) should result in a Permission Denied page.

We need to determine a clean way of handling authorisation failures, with the equivalent of a 401 in LiveView.

We've had some success using BodyGuard, and think it makes sense to implement it here.

We can start with a simple UserPolicy module which has :view_all matcher, for more info see the BodyGuard docs.

If Stu picks this up, please talk it through with Elias when you're done.

As a superuser, I should be able to access the User management page (create, edit, etc).
As a regular user, I cannot see the user management page.

Given we have created components for all the form elements.
Also change the login controller layout to match the liveview layout/aka items are in the same locations on the page (using the top bar and main section).

The login pages do not use live view - but the partial templates should be compatible

Something like, but not quite:

plug :put_secure_browser_headers, %{"content-security-policy" => "default-src 'self'"}

ToDo:

• Add a sensible CSP to the router
• Remove the exception for this rule from sobelow and

Notes:

First attempt: nccgroup/sobelow#61 (comment)
Stu says: "The issue with this policy is that all inline styles, svgs etc are blocked. This also includes any DOM changes that LiveView sends that do things inline styles like display: none; also don't work."

A script (elixir, but maybe node) that maintains a list of remotely
available adaptors. The list is a file stored in (by default) the
current working directory of the application/process (e.g. ./adaptors.json)

Strategies:

• queries NPM for all @openfn/*-adaptor and versions
• queries github for all *-adaptor, and tags

Shape:

{ <name>: { 
  repo: "", 
  versions: [{version: "v1.0.0", sha1sum: ""}, ...],
  npm: "linky linky"
}}

Interface:
Create the AdaptorsList module with fetch()

AdaptorsList.fetch()

When the app boots and there are no users in the users table
present them with a setup page requiring password and confirm password.
Then create a superuser, and log them in (don’t prompt for password).

All user accessible routes (i.e. not webhooks) should have a plug added to the pipeline to perform this check and redirect to a 'First Setup' view.

While not explicitly included in this, the consideration for caching should be made.
This can be solved by a process that is added to the process tree on startup which checks the database and stores the result in memory - and the plug that checks if the first setup flow should be rendered will get it's answer from that.

However we solve this, there should be a function exposed from a Lightning.Instance namespace (i.e. Instance.has_superuser?/1)

Both before and after a Run is executed the user should be able to see the current status.

By accessing the Runs list, pending, in progress and finished runs should be visible.

When selecting a specific run, all the associated details should be visible:

• Started time
• Finished time
• Elapsed time
• Log output
• Exit code represented as both it's real exit code (number) as as a symbol (green for ok, red for anything else)

This information is found between the Run and the InvocationEvent that triggered it.

Links to the dataclip that was used for the initial state should be provided,
and also a link to the job.

NOTE while we to use the term Run a lot here, internally we may be basing most of our queries off Invocation.Event records.

Add the github repo url to mix.exs.

  ...,
  {:engine, github: "OpenFn/engine", tag: "v0.3.2"}

Ensure that mix openfn.install.runtime works.

Create runs model using a generator.

started_at
finished_at
exit_code
log
job_id
------------
message_id // initial_state (???) // source // [ input ]
------------
triggering_event

triggering_event samples:

{ "type": "webhook", "state": {"data": {a:1} } }, // this is an event that's generated/captured from an external system 
{ "type": "cron", "state": {"cursor" :123 } } // this is an event that's generated by the `cron_service`

From BPMN: A Process (JOB) can be executed or performed many times, but each time is expected to follow the steps laid out in the Process model (JOB EXPRESSION, OPERATIONS). For example, the Process in Figure 10.1 will occur every Friday, but each instance (RUN) is expected to perform Task “Receive Issue List,” then Task “Review Issue List,” and so on, as specified in the model. Each instance (RUN) of a Process is expected to be valid for the model, but some instances might not, for example if the Process has manual Activities, and the performers have not had proper instruction on how to carry out the Process.

there is a disabled field in the database - set to false by default - boolean.

any subsequent action against the server results in a logout

• form
• formfield (the element that wraps a form input, should take an element/input as a child slot)
• text input
• select input
• checkbox
• hint
• button (submit) - already done
• text area (code input - the one from the job form)

All live views should use these components.

http://openhim.org/docs/5.2.x/user-guide/auditing/

https://github.com/jembi/openhim-core-js/search?p=2&q=atna

https://www.google.com/url?sa=i&url=https%3A%2F%2Fwiki.ohie.org%2Fdownload%2Fattachments%2F28838583%2FOpenHIM%2520Product%2520Overview%2520-%2520Presentation.pdf%3Fapi%3Dv2&psig=AOvVaw3A1LBzOcfbqE3gJ_2dywjO&ust=1649835909165000&source=images&cd=vfe&ved=0CAoQjRxqFwoTCMiT1-2DjvcCFQAAAAAdAAAAABAD

link to their API - http://openhim.org/docs/api/audits/overview/

What does OpenHIM have ? Audit repository, audit logs viewer, audit events on application start, stop, and user authentication

Provide a plan (or set of plans) for implementing (high-level) an ATNA repository.
Discuss afterwards how this may meet the requirements of the grant.

DICOM? Do we need to support it from the beginning?

See .sobelow-conf - https://hexdocs.pm/sobelow/readme.html

• using a separate ‘User Settings’ page
• must enter existing password (once) and then a new password + confirm (twice)

The singleton root should be /profile

Using the adaptors list, present two dropdowns containing:

• the adaptor's name
• a list of versions starting with latest as the default

These cannot be blank, and the selected option must be present in the
adaptors list.

AdaptorsList.versions_for("@openfn/language-http")
AdaptorsList.valid?("@openfn/[email protected]")

We should be using phoenix_gen_auth, this was a community library that has since been merged into Phoenix since 1.6.

As an unauthenticated user, accessing the web frontend I will get a login screen page. Once I enter my email or username (one input) and correct password, I am redirected to the original address I tried to access.
If I enter my details incorrectly, I am presented with a flash message.

This appears to be a very thorough article:

https://www.leanpanda.com/blog/authentication-and-authorisation-in-phoenix-liveview/

Make sure to skip over the authorisation parts and implement only the parts required to enforce that a user must be logged in to access any page.

When a Run is about to be processed, the expression and state for the job need to be persisted to disk.

There are some examples of this inside Engine here https://github.com/OpenFn/engine/blob/v0.3.2/lib/engine/run_dispatcher.ex#L111

However the above code is only used when Engine is also taking care of the queuing as well.

So in order to keep focus on a PoC for now, lets install Engine as a supervised process.

See: #34 for more detail on invocation.

Big hand wave here

While going through the source code for microservice and engine, it appears that credentials being merged into state only happens if jobs are configured via YAML file - which is how Microservice works. However we will likely need a place to process a message using Engines queue but still maintain control over what jobs and credentials look like.

or we don't use the queuing facilities and write our own file storage code based on the example mentioned at the top.

• #63
• to
• do
• here

• https://luizdamim.com/blog/tracking-changes-with-context-using-phoenix-and-ecto/

add audit table for credentials
create audit module for credentials
call audit functions on all credentials change functions: job create, edit, delete, read

Decision: separate tables for audit credentials and jobs because complexity needed to pull everything together into one table down the line is lower than having one big table to unpick

In order to distinguish jobs, a user needs to be able to set the jobs name.
The name can be up to 100 characters long and must be unique.
It cannot be blank and cannot contain non-url safe characters(?)

Validation failures should appear on the form when any
of the rules are not satisfied.

Validation goes here:
https://github.com/OpenFn/lightning/blob/main/lib/lightning/jobs/job.ex#L19

Live view here:
https://github.com/OpenFn/lightning/blob/main/lib/lightning_web/live/job_live/edit.ex

We need to offer auditing for all sensitive models in the system, tracking changes for when, who, why and how.

Instead of using a library like Papertrail we are opting for a roll your own approach in order to give us more flexibility in terms of database structure and an easier to understand implementation.

• add audit table for jobs
• create audit module for jobs
• call audit functions on all Job change functions: job create, edit, delete, read

Invocation events represent a 'request' to run a job.

inserted_at
type
dataclip_id

type can be one of cron, webhook or retry - this represents how the invocation was triggered.

It takes 4 minutes each time. That's too long.

Ideas:

• https://blog.dnsimple.com/2018/10/elixir-dialyzer-in-ci/
• https://www.erlang-solutions.com/blog/using-circleci-for-continuous-integration-of-elixir-projects/

See .formatter.exs - https://hexdocs.pm/mix/main/Mix.Tasks.Format.html

From Circle: "We detected the store_test_results key but there is an issue with the output. We recommend checking to see that your output was saved correctly."

The dataclip that is being written to disk needs to be merged with the jobs selected credentials

In order to allow a job to be triggered via a webhook, a user must be able to specify
that the job is invoked via a webhook.

This option cannot be blank (disabling a job is the preferred way to 'stop' it).

Initially we present a dropdown with two options:

• None (blank)
• Webhook

When a webhook is selected, a trigger record is created in the database associated
with the job.

The job show/edit page must show a URL for the webhook.
<hostname>/webhook/<job.id>

See: https://github.com/OpenFn/engine/#running-without-a-supervisor

When using Engine directly, we need to provide a %Engine.RunSpec{} struct (more detail)

This implies the following:

• The adaptors are installed and available
• The state has been created and persisted (see #38)

One a RunSpec has been assembled calling the handler that was setup in #38 (Something.start(run_spec)).

Also required:

• Nodejs is installed in our test runner.
• We have a way to install language packs

In order to create a run (via an invocation) we need to be able to have a dataclip.
A dataclip is a persisted chunk of data that can be used (at present) to be fed into a run.

inserted_at
updated_at
body
type

• has a menu item that takes you to the user list with a create user form too
• using generators we get a list and all create/edit/delete functionality

create user form initial fields:

• first name
• last name
• email
• password

As a user concerned about security, I want to ensure all users have strong/secure passwords.

It should be at least 8 characters long.

Here is an interesting article from Microsoft around password policies: https://docs.microsoft.com/en-us/microsoft-365/admin/misc/password-policy-recommendations?view=o365-worldwide

They claim that overly strict policies have negative effects as users work around them using repetition or easy to guess replacements (a to @, i|l to !).

Preferred mechanisms to support security is common word dictionaries and 2FA.

Create a credentials model via the live view context editor which has a

name (string)
body (map/jsonb)
The name cannot be blank, and the body must at least be {} (empty map'ish)
Create a credentials form which contains

name
body (is a textarea in json for now)
We are limiting this to the bare minimum for now, so different types of credentials etc is beyond the scope of this issue.

implementation notes

1. text area input comes from the front-end as a string, but it must be saved in ecto as a map.

• Install dependencies
• Set mix phx.server as entrypoint
• Ensure static assets are served to browser
• Provide instructions on README
• Provide docker-compose example (for Postgres)

Resources

• https://github.com/nickjj/docker-phoenix-example - big and beefy
• https://gist.github.com/petelacey/b8a1aacdc33c8718ba9366733e16a8c2
• https://github.com/dogweather/phoenix-docker-compose

Using Ecto.Enum allow a users role field can be one of:

• :superuser
• :admin
• :user

By default it should a :user, and cannot be blank.

Add a Roles dropdown on the user form component.

Add a credentials section/menu item to the top menu.
When this is clicked, I should see a list of existing credentials and a create button which takes me to the credentials form

@stuartc , gave this a "13" per yesterday + today. feel free to create sub-issues and close this at EOD today, or add a comment and keep in progress.

See .sobelow-conf - https://hexdocs.pm/credo/config_file.html

1. https://app.codecov.io/gh/OpenFn/lightning
2. https://coveralls.io/github/OpenFn/lightning

In order to present customised blocks to users, the BlockEditor needs to be able to be given a set of components that can resolve certain patterns (an AST node containing certain types and properties).

Possibly the best way to start this would be to create a component for something built into ECMAScript, like a for loop. By creating the component inside the project, but not including it in Node's nodeComponents list and passing it in via somewhere upstream we can exercise the resolving of the component (determining which component to render) and the ability to extend the list of components from which to choose from.