feat(hasura): add audit tables (#329)

* feat(hasura): add audit tables

* fix: remove is_available from document trigger update

* fix: cleanup migration

* fix: add cleanup trigger

* Update targets/hasura/migrations/1613474820206_audit_trigger/up.sql

Co-authored-by: Martial Maillot <martial.maillot@gmail.com>

* Update targets/hasura/migrations/1613474820206_audit_trigger/up.sql

Co-authored-by: Martial Maillot <martial.maillot@gmail.com>

* fix: review

* fix: review

* fix: review2

* update: review3

* fix: review

* fix: is_available

Co-authored-by: Martial Maillot <martial.maillot@gmail.com>

README-dev.md

@@ -2,9 +2,9 @@
 
 ## URLs
 
-| Environnement                                              | URL                                                         |
-|------------------------------------------------------------|-------------------------------------------------------------|
-|    Production (access granted only for authorized IP)      |  <https://cdtn-admin.fabrique.social.gouv.fr/>              |
+| Environnement                                      | URL                                           |
+| -------------------------------------------------- | --------------------------------------------- |
+| Production (access granted only for authorized IP) | <https://cdtn-admin.fabrique.social.gouv.fr/> |
 
 ## Overview
 
@@ -19,16 +19,18 @@ See the [Hasura documentation](https://hasura.io/docs/1.0/graphql/core/index.htm
 We recommend to [install the hasura console](https://hasura.io/docs/1.0/graphql/core/hasura-cli/install-hasura-cli.html) which provides a graphql sandbox and an administration UI for hasura.
 
 ` ``
+
 ### Ingester
 
 Used to populate the database with documents provided by external sources.
 
 There is, at this moment (February 2021), 4 sources:
- * [@SocialGouv/contributions-data](https://github.com/SocialGouv/contributions-data)
- * [@SocialGouv/fiches-travail-data](https://github.com/SocialGouv/fiches-travail-data)
- * [@SocialGouv/fiches-vdd](https://github.com/SocialGouv/fiches-vdd)
- * [@SocialGouv/kali-data](https://github.com/SocialGouv/kali-data)
- * [@SocialGouv/legi-data](https://github.com/SocialGouv/legi-data)
+
+- [@SocialGouv/contributions-data](https://github.com/SocialGouv/contributions-data)
+- [@SocialGouv/fiches-travail-data](https://github.com/SocialGouv/fiches-travail-data)
+- [@SocialGouv/fiches-vdd](https://github.com/SocialGouv/fiches-vdd)
+- [@SocialGouv/kali-data](https://github.com/SocialGouv/kali-data)
+- [@SocialGouv/legi-data](https://github.com/SocialGouv/legi-data)
 
 Each GitHub repo uses releases to track changes. Each release exposes content as JSON.
 Ingester retrieves the last version and inject data into Hasura.
@@ -63,16 +65,17 @@ The docker compose performs several steps.
 A postgreSQL database is used to store the data exposed through a Hasura instance.
 
 > Start only the postgreSQL instance:
+>
 > ```sh
 > docker-compose up postgres
 > ```
 
 ### Configure a Hasura instance
 
-A Hasura instance is used to expose the data stored in postgreSQL through a GraphQL API. 
+A Hasura instance is used to expose the data stored in postgreSQL through a GraphQL API.
 See the [Hasura documentation](https://hasura.io/docs/1.0/graphql/core/index.html) for more information.
 
-This step creates a new Hasura instance with the schema, 
+This step creates a new Hasura instance with the schema,
 and some data (see [metadata](targets/hasura/metadata) and [migrations](targets/hasura/migrations) files of hasura target).
 
 To access to the Hasura console, run this command:
@@ -84,6 +87,7 @@ hasura console --envfile ../../.env --project targets/hasura
 A webpage is opened in your browser. The password is `admin1` as set in the `.env` file (`HASURA_GRAPHQL_ADMIN_SECRET` key).
 
 > Start only the Hasura instance (it starts the postgreSQL as dependency):
+>
 > ```sh
 > docker-compose up hasura
 > ```
@@ -97,6 +101,7 @@ This step runs the Ingester script and populate the documentation.
 This step doesn't work correctly at this moment, an (issue)[https://github.com/SocialGouv/cdtn-admin/issues/319] has been opened to fix it.
 
 > Run the Ingester (it starts Hasura as dependency):
+>
 > ```sh
 > docker-compose up ingester
 > ```
@@ -105,31 +110,55 @@ This step doesn't work correctly at this moment, an (issue)[https://github.com/S
 
 An administration website is available to configure and inject custom data.
 
-This step starts the frontend project (based on `next.js`). 
+This step starts the frontend project (based on `next.js`).
 User and admin accounts are automatically created by the Hasura step.
 
-| Type         | Username                                | Password |
-|--------------|-----------------------------------------|----------|
-|    Admin     |  codedutravailnumerique@travail.gouv.fr | admin1   | 
-|    User      |  utilisateur@travail.gouv.fr            | ???      |
+| Type  | Username                               | Password |
+| ----- | -------------------------------------- | -------- |
+| Admin | codedutravailnumerique@travail.gouv.fr | admin1   |
+| User  | utilisateur@travail.gouv.fr            | user     |
 
 Frontend is reachable at the address <http://localhost:3000>
 
 > Run the frontend (it starts Hasura as dependency):
+>
 > ```sh
 > docker-compose up www
 > ```
+>
 > or via npm
+>
 > ```sh
 > yarn workspace frontend dev
 > ```
 
 That's all 🎉
 
+## Auditabilité
+
+Lorsqu'on rajoute une table, ne pas oublier de rajouter dans la migration l'appel à la fonction d'audit
+
+```sql
+
+-- ajout des triggers d'audit sur la table documents
+select audit.audit_table('documents');
+
+-- Le trigger peut être configuré pour
+select audit.audit_table('documents',
+-- se declencher au niveau ROW ou STATEMENT
+'false',
+-- enregistrer le text de la requête
+'false',
+-- ignorer d'enregistrer certains champs
+'{text}');
+```
+
+Pour voir la [configuration du trigger](targets/hasura/migrations/1613474820206_audit_trigger/up.sql)
+
 ## How to ?
 
 ### How to retrieve CDTN data from production ?
 
-At this moment, the database is populated only by external documents (contributions, code du travail...). 
+At this moment, the database is populated only by external documents (contributions, code du travail...).
 All CDTN data (written by the CDTN team) are not populated in the database.
 An [issue](https://github.com/SocialGouv/cdtn-admin/issues/320) has been opened to find the better way to import data from the production into a dev environment.

targets/hasura/metadata/actions.yaml

@@ -1,36 +1,36 @@
 actions:
-  - name: email_account_activation
-    definition:
-      kind: asynchronous
-      handler: "{{API_URL}}/actions/email_account_activation"
-      forward_client_headers: true
-      headers:
-        - name: actions-secret
-          value_from_env: ACTIONS_SECRET
-  - name: email_password_request
-    definition:
-      kind: asynchronous
-      handler: "{{API_URL}}/actions/email_password_request"
-      forward_client_headers: true
-      headers:
-        - name: actions-secret
-          value_from_env: ACTIONS_SECRET
-    permissions:
-      - role: public
-  - name: preview_document
-    definition:
-      kind: synchronous
-      handler: "{{API_URL}}/actions/preview"
-      headers:
-        - name: preview-secret
-          value_from_env: PUBLICATION_SECRET
-    permissions:
-      - role: user
+- name: email_account_activation
+  definition:
+    kind: asynchronous
+    handler: '{{API_URL}}/actions/email_account_activation'
+    forward_client_headers: true
+    headers:
+    - name: actions-secret
+      value_from_env: ACTIONS_SECRET
+- name: email_password_request
+  definition:
+    kind: asynchronous
+    handler: '{{API_URL}}/actions/email_password_request'
+    forward_client_headers: true
+    headers:
+    - name: actions-secret
+      value_from_env: ACTIONS_SECRET
+  permissions:
+  - role: public
+- name: preview_document
+  definition:
+    kind: synchronous
+    handler: '{{API_URL}}/actions/preview'
+    headers:
+    - name: preview-secret
+      value_from_env: PUBLICATION_SECRET
+  permissions:
+  - role: user
 custom_types:
   enums: []
   input_objects:
-    - name: PreviewDocument
-    - name: EmailInput
+  - name: PreviewDocument
+  - name: EmailInput
   objects:
-    - name: Status
+  - name: Status
   scalars: []

targets/hasura/migrations/1613474820206_audit_trigger/down.sql

@@ -0,0 +1 @@
+DROP SCHEMA audit CASCADE;