diff --git a/.github/workflows/liquibase_pro_ci_action.yml b/.github/workflows/liquibase_pro_ci_action.yml
index f089eb4..d6bea8e 100644
--- a/.github/workflows/liquibase_pro_ci_action.yml
+++ b/.github/workflows/liquibase_pro_ci_action.yml
@@ -124,7 +124,7 @@ jobs:
 repository: liquibase/cs-impl-guide-examples-sql
 path: liquibase-sql
- # Check out the Liquibase Configuration Repo to a folder, "liquibase-process"
+# # Check out the Liquibase Configuration Repo to a folder, "liquibase-process"
 # - name: Checkout Liquibase Configuration repo
 # uses: actions/checkout@v4
 # with:
diff --git a/flowfiles/liquibase-deploy.flowfile.yaml b/flowfiles/liquibase-deploy.flowfile.yaml
new file mode 100644
index 0000000..6fdf0c6
--- /dev/null
+++ b/flowfiles/liquibase-deploy.flowfile.yaml
@@ -0,0 +1,62 @@
+########## LIQUIBASE FLOWFILE ##########
+########## learn more http://docs.liquibase.com/flow ##########
+
+## Note: Any command which fails in any stage below result in the command stopping, and endStage being run.
+## A flow file can have one or more stages, each with multiple "actions",
+## or your flow file can have multiple stages with fewer actions in each stage.
+
+## Call this flow using: liquibase flow --flow-file=flowfiles/liquibase-deploy.flowfile.yaml
+
+stages:
+
+ Checks-Changelog:
+ actions:
+ - type: liquibase
+ command: checks run
+ cmdArgs: {
+ checks-scope: changelog,
+ checks-settings-file: "policychecks/liquibase.checks-settings.conf",
+ auto-update: "ON",
+ changeset-filter: "pending"
+ }
+ globalArgs: {
+ reports-name: "checks-report-deploy-changelog.html"
+ }
+
+ Status:
+ actions:
+ - type: liquibase
+ command: status
+ cmdArgs: {verbose: true}
+
+ Update-SQL:
+ actions:
+ - type: liquibase
+ command: update-sql
+
+ Update:
+ actions:
+ - type: liquibase
+ command: update
+
+ Checks-Database:
+ actions:
+ - type: liquibase
+ command: checks run
+ cmdArgs: {
+ checks-scope: database,
+ checks-settings-file: "policychecks/liquibase.checks-settings.conf",
+ auto-update: "ON"
+ }
+ globalArgs: {
+ reports-name: "checks-report-deploy-database.html"
+ }
+
+## The endStage ALWAYS RUNS.
+## So put actions here which you desire to perform whether previous stages' actions succeed or fail.
+## If you do not want any actions to ALWAYS RUN, simply delete the endStage from your flow file.
+
+endStage:
+ actions:
+ - type: liquibase
+ command: history
\ No newline at end of file
diff --git a/flowfiles/liquibase-postmerge.flowfile.yaml b/flowfiles/liquibase-postmerge.flowfile.yaml
new file mode 100644
index 0000000..dc1c5db
--- /dev/null
+++ b/flowfiles/liquibase-postmerge.flowfile.yaml
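Review bot: In the Checks-Database stage the database-scope `checks run` is ordered after `Update`, so by the time a database-scope rule fires the changesets are already applied; a failure stops the flow and runs `endStage` (`history`), but nothing here undoes the deployment, and nothing in the file says whether this stage is meant as an audit or as a gate. From this position it cannot block — only Checks-Changelog, which runs before Update, can — so either add a compensating action the team is comfortable automating, or state the expectation above the stage: `## Post-deploy audit: a failure here stops the flow but does NOT roll back the update above.` Note also that with `auto-update: "ON"` this run may rewrite `policychecks/liquibase.checks-settings.conf` in the workspace, so the rules evaluated can drift from the committed file; worth confirming against the Liquibase version in use.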
@@ -0,0 +1,49 @@
+########## LIQUIBASE FLOWFILE ##########
+########## learn more http://docs.liquibase.com/flow ##########
+
+## Note: Any command which fails in any stage below result in the command stopping, and endStage being run.
+## A flow file can have one or more stages, each with multiple "actions",
+## or your flow file can have multiple stages with fewer actions in each stage.
+
+## Call this flow using: liquibase flow --flow-file=flowfiles/liquibase-postmerge.flowfile.yaml
+
+stages:
+
+ Status:
+ actions:
+ - type: liquibase
+ command: status
+ cmdArgs: {verbose: true}
+
+ Update-SQL:
+ actions:
+ - type: liquibase
+ command: update-sql
+
+ Update:
+ actions:
+ - type: liquibase
+ command: update
+
+ PostDeploy-Checks:
+ actions:
+ - type: liquibase
+ command: checks run
+ cmdArgs: {
+ checks-scope: database,
+ checks-settings-file: "policychecks/liquibase.checks-settings.conf",
+ auto-update: "ON",
+ changeset-filter: "pending"
+ }
+ globalArgs: {
+ reports-name: "checks-report-database.html"
+ }
+
+## The endStage ALWAYS RUNS.
+## So put actions here which you desire to perform whether previous stages' actions succeed or fail.
+## If you do not want any actions to ALWAYS RUN, simply delete the endStage from your flow file.
+
+endStage:
+ actions:
+ - type: liquibase
+ command: history
\ No newline at end of file
diff --git a/flowfiles/liquibase-premerge.flowfile.yaml b/flowfiles/liquibase-premerge.flowfile.yaml
new file mode 100644
index 0000000..aa45f02
--- /dev/null
+++ b/flowfiles/liquibase-premerge.flowfile.yaml
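Review bot: The post-merge flow runs `update` (stage Update) with no changelog-scope `checks run` ahead of it, so the only changelog policy gate is the separate pre-merge flow; any changeset that reaches the default branch without that flow — a direct push, a bypassed branch rule, a changelog edited after approval — is deployed unchecked. The PostDeploy-Checks stage does not cover this gap: it is `checks-scope: database` and runs after the update, and at that point its `changeset-filter: "pending"` has nothing left to select (and, as far as I can tell, that filter applies only to changelog-scope checks — worth confirming). Adding the same Checks-Changelog stage the deploy flow in this commit uses, ahead of Status, restores the gate at the one point where a failure can still block.
```yaml
stages:

  Checks-Changelog:
    actions:
      - type: liquibase
        command: checks run
        cmdArgs:
          checks-scope: changelog
          checks-settings-file: "policychecks/liquibase.checks-settings.conf"
          auto-update: "ON"
          changeset-filter: "pending"
        globalArgs:
          reports-name: "checks-report-postmerge-changelog.html"

  # … unchanged: Status, Update-SQL, Update, PostDeploy-Checks, endStage …
```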
@@ -0,0 +1,23 @@
+########## LIQUIBASE FLOWFILE ##########
+########## learn more http://docs.liquibase.com/flow ##########
+
+## Note: Any command which fails in any stage below result in the command stopping, and endStage being run.
+## A flow file can have one or more stages, each with multiple "actions",
+## or your flow file can have multiple stages with fewer actions in each stage.
+
+## Call this flow using: liquibase flow --flow-file=flowfiles/liquibase-premerge.flowfile.yaml
+
+stages:
+
+ PreMerge-Checks:
+ actions:
+ - type: liquibase
+ command: checks run
+ cmdArgs: { checks-scope: changelog,
+ checks-settings-file: "policychecks/liquibase.checks-settings.conf",
+ auto-update: "ON",
+ changeset-filter: "pending"
+ }
+ globalArgs: {
+ reports-name: "checks-report-premerge.html"
+ }
\ No newline at end of file
diff --git a/flowfiles/liquibase-rollback.flowfile.yaml b/flowfiles/liquibase-rollback.flowfile.yaml
new file mode 100644
index 0000000..abc891d
--- /dev/null
+++ b/flowfiles/liquibase-rollback.flowfile.yaml
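Review bot: `auto-update: "ON"` in PreMerge-Checks lets `checks run` rewrite `policychecks/liquibase.checks-settings.conf` in the CI workspace when a newer Liquibase ships changed built-in checks, so the rule set actually evaluated on a pull request can differ from the committed file, and because the rewritten file is never committed the drift silently recurs on every run. For a stage whose whole purpose is to enforce the committed policy, `auto-update: "OFF"` is the safer default: an outdated settings file then surfaces as a visible failure and is upgraded through a reviewed change; whether OFF errors or prompts in a non-interactive run should be confirmed against the Liquibase version in use. A comment above the action would make the choice explicit: `## auto-update rewrites the settings file in place; keep OFF so policy changes go through review`.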
@@ -0,0 +1,32 @@
+########## LIQUIBASE FLOWFILE ##########
+########## learn more http://docs.liquibase.com/flow ##########
+
+## Note: Any command which fails in any stage below result in the command stopping, and endStage being run.
+## A flow file can have one or more stages, each with multiple "actions",
+## or your flow file can have multiple stages with fewer actions in each stage.
+
+## Call this flow using: liquibase flow --flow-file=flowfiles/liquibase-rollback.flowfile.yaml
+
+stages:
+
+ Rollback-SQL:
+ actions:
+ - type: liquibase
+ command: rollback-one-update-sql
+
+ Rollback:
+ actions:
+ - type: liquibase
+ command: rollback-one-update
+ cmdArgs: {
+ force: true
+ }
+
+## The endStage ALWAYS RUNS.
+## So put actions here which you desire to perform whether previous stages' actions succeed or fail.
+## If you do not want any actions to ALWAYS RUN, simply delete the endStage from your flow file.
+
+endStage:
+ actions:
+ - type: liquibase
+ command: history
\ No newline at end of file
diff --git a/liquibase.properties b/liquibase.properties
index 1f7c5f5..b6f0e80 100644
--- a/liquibase.properties
+++ b/liquibase.properties
@@ -3,7 +3,7 @@
 # https://docs.liquibase.com/parameters/home.html
 # Specifies the root changelog file to execute.
-liquibase.command.changelogFile: sqlcode_by_objects_schema/rootchangelog.yaml
+liquibase.command.changelogFile: liquibase-sql/sqlcode_by_objects_schema/rootchangelog.yaml
 #Name of the default schema to use for the database connection. If defaultSchemaName
 # is set, then objects do not have to be fully qualified.
diff --git a/policychecks/liquibase.checks-settings.conf b/policychecks/liquibase.checks-settings.conf
index 7b66eec..e0641e6 100644
--- a/policychecks/liquibase.checks-settings.conf
+++ b/policychecks/liquibase.checks-settings.conf
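Review bot: `rollback-one-update` in the Rollback stage is given `force: true` but no `deployment-id`, so it reverts whichever deployment is most recent at the moment the flow runs; if another update lands between the incident and the rollback (the deploy and post-merge flows in this same commit both run `update`), the wrong deployment is backed out, and `force` is precisely the flag that lets the command proceed unattended. Pin the target and make the operator supply it, e.g. `cmdArgs: { force: true, deployment-id: "${DEPLOYMENT_ID}" }`; whether `${...}` substitution from the environment is available in flow files for the Liquibase version in use should be confirmed. The Rollback-SQL dry run adds no safety as written, since its output is never reviewed before Rollback executes in the same invocation — a comment on the stage saying so would spare the next reader the false reassurance.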
@@ -54,7 +54,7 @@ ## USERNAME: fileCreated: 2024-02-23T17:05:17.619Z -fileModified: 2024-11-06T19:40:03.654Z +fileModified: 2024-12-31T18:40:26.141Z rules: - description: This check warns a user when SQL contains 'GRANT' statements so that they can ensure that the privilege being granted won't lead to security issues. @@ -110,26 +110,7 @@ rules: shortName: SqlSelectStarWarn - description: This check scans SQL for the presence of specific patterns and warns the user when they are found. - enabled: true - id: '90d174dc-eec8-3ff6-bebf-2859b8e73c19' - name: Check for specific patterns in sql - parameters: - - parameter: SEARCH_STRING - value: (?is)(?=.*\b(create)\b)(?=.*\b(sequence)\b).* - - parameter: MESSAGE - value: Creation of Sequences is not permitted. - - parameter: STRIP_COMMENTS - value: true - - parameter: PATH_FILTER_REGEX - value: null - - parameter: SPLIT_STATEMENTS - value: false - parentRuleId: '6fe07581-c90d-3add-9057-1547a1439727' - severity: '4' - shortName: NoCreateSequences -- description: This check scans SQL for the presence of specific patterns and warns - the user when they are found. - enabled: true + enabled: false id: '6fe07581-c90d-3add-9057-1547a1439727' name: Check for specific patterns in sql parameters: 
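Review bot: The enforcing rule `NoCreateSequences` (`enabled: true`, `severity: '4'`, which is the highest severity and makes `checks run` exit non-zero, so the new flow files would stop) is deleted in this hunk, and the template it derived from (`SqlUserDefinedPatternCheck`, id `6fe07581-…`) is flipped from `enabled: true` to `enabled: false`, with nothing in the diff replacing the guard or recording why it was dropped. If the intent is only to stop blocking on sequences, lowering the severity (e.g. `severity: '1'`) keeps the finding visible in the checks report instead of removing it from the policy entirely. Whether disabling the parent template also silences remaining child rules that reference it through `parentRuleId` is worth confirming against the Liquibase version in use, since that would widen the effect beyond the one rule.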
@@ -147,26 +128,6 @@ rules: parentRuleId: null severity: '0' shortName: SqlUserDefinedPatternCheck -- description: This check triggers when a changeset contains the supplied pattern - string or regex, but does not have an end delimiter set specifically in the changeset - or via options such as 'pro-global-end-delimiter' or 'endDelimiter' attribute - in a modifyChangesets tag. - enabled: false - id: 'd2fc6f01-8ddd-35f3-bc03-f516a8f611ac' - name: End delimiter exists when pattern exists - parameters: - - parameter: SEARCH_STRING - value: null - - parameter: CASE_SENSITIVE - value: true - - parameter: STRIP_COMMENTS - value: true - - parameter: MESSAGE - value: The pattern '' was found without an end delimiter in Changeset - ''. - parentRuleId: null - severity: '0' - shortName: EndDelimiterExistsWhenPatternExists - description: Check triggers if the user-supplied regex pattern A is followed by the user-supplied regex pattern B enabled: false 
@@ -285,51 +246,6 @@ rules: parentRuleId: null severity: '0' shortName: TableColumnLimit -- description: This checks triggers when the Max Affected Rows Allowed value is exceeded - by the number of rows DELETED by a SQL statement. The SQL statement is executed - against the database, and then rolled back. - enabled: false - id: '99b1c0d2-6dda-3acb-85f3-68002c3b07c1' - name: Check Affected Rows Count on Delete - parameters: - - parameter: MAX_ROWS - value: 50 - - parameter: MESSAGE - value: rows will be affected, which is more than the allowed '' - rows. The SQL statement is '' in ''. - parentRuleId: null - severity: '0' - shortName: MaxAffectedRowsAllowedDelete -- description: This checks triggers when the Max Affected Rows Allowed value is exceeded - by the number of rows INSERTED by a SQL statement. The SQL statement is executed - against the database, and then rolled back. - enabled: false - id: 'bbd74a72-77d4-3517-9125-c771f790178b' - name: Check Affected Rows Count on Insert - parameters: - - parameter: MAX_ROWS - value: 50 - - parameter: MESSAGE - value: rows will be affected, which is more than the allowed '' - rows. The SQL statement is '' in ''. - parentRuleId: null - severity: '0' - shortName: MaxAffectedRowsAllowedInsert -- description: This checks triggers when the Max Affected Rows Allowed value is exceeded - by the number of rows UPDATED by a SQL statement. The SQL statement is executed - against the database, and then rolled back. - enabled: false - id: 'e9e2055d-e837-3418-96ac-352416cd43ee' - name: Check Affected Rows Count on Update - parameters: - - parameter: MAX_ROWS - value: 50 - - parameter: MESSAGE - value: rows will be affected, which is more than the allowed '' - rows. The SQL statement is '' in ''. - parentRuleId: null - severity: '0' - shortName: MaxAffectedRowsAllowedUpdate - description: This check confirms the listed object names conform to the supplied pattern. enabled: false 
@@ -347,28 +263,6 @@ rules: parentRuleId: null severity: '0' shortName: ObjectNameMustMatch -- description: Executes a custom check script. - enabled: false - id: '68592fc1-8c79-3026-990f-da80c1c6d6e0' - name: Custom Check Template - parameters: - - parameter: SCRIPT_DESCRIPTION - value: Custom check - - parameter: SCRIPT_SCOPE - value: CHANGELOG - - parameter: SCRIPT_MESSAGE - value: The message to display when the check is triggered - - parameter: SCRIPT_TYPE - value: PYTHON - - parameter: SCRIPT_PATH - value: null - - parameter: SCRIPT_ARGS - value: null - - parameter: REQUIRES_SNAPSHOT - value: false - parentRuleId: null - severity: '0' - shortName: CustomCheckTemplate - description: This check confirms the listed object names do not match the supplied pattern. enabled: false @@ -399,21 +293,6 @@ rules: parentRuleId: null severity: '0' shortName: SqlGrantSpecificPrivsWarn -- description: ' This check triggers when a changeset contains the user-specified - runInTransactions value of ''true'' or ''false''. Note: Changesets without a runInTransactions - value are not checked.' - enabled: false - id: '1fdc2bbb-67a4-3d45-baad-09e69f1108cd' - name: Check Changeset runInTransaction value - parameters: - - parameter: RUN_IN_TRANSACTION_VALUE - value: false - - parameter: MESSAGE - value: A match for regular expression was detected in Changeset - . - parentRuleId: null - severity: '0' - shortName: CheckRunInTransactionValue - description: This check warns a user when a table is being truncated so that they can ensure that truncating the table won't lead to unintentional loss of data. enabled: true 
@@ -636,19 +515,6 @@ rules: name: Table must have a comment severity: '0' shortName: TableCommentCheck -- description: This check triggers when specified attributes do not match TRUE or - FALSE, as configured by the user. - enabled: false - id: '8339bc72-ae9e-3678-8a86-2af1b8aa2d1c' - name: Changeset attributes set true or false - parameters: - - parameter: ATTRIBUTE - value: null - - parameter: SEARCH_STRING - value: null - parentRuleId: null - severity: '0' - shortName: ChangesetAttributesSetTrueOrFalse - description: This check triggers when specific user-supplied patterns are found in Table Comments. enabled: false @@ -664,32 +530,6 @@ rules: parentRuleId: null severity: '0' shortName: TableCommentPatternCheck -- description: This check triggers when specified attributes do not match the user-supplied - string or regex pattern. - enabled: false - id: '84092e22-894a-3452-a778-5bfae8ba03ca' - name: Changeset attributes and value - parameters: - - parameter: ATTRIBUTE - value: null - - parameter: SEARCH_STRING - value: null - parentRuleId: null - severity: '0' - shortName: ChangesetAttributesAndValue -- description: This check triggers when the logic conditional evaluates to true - enabled: false - id: 'b3fc0c29-7070-345d-acdd-761e28e99766' - name: Chained checks template - parameters: - - parameter: LOGIC_CONDITIONAL - value: null - - parameter: MESSAGE - value: The conditions in '' were met for ''. The - chained checks include . - parentRuleId: null - severity: '0' - shortName: ChainedChecksTemplate - description: Check for and alert when specified table does not contain the required constraint(s). enabled: false 
@@ -719,23 +559,145 @@ rules: name: Require Changeset ID is valid UUID severity: '0' shortName: RequireChangesetIDisUUID -- description: This check scans SQL for the presence of specific patterns and warns - the user when they are found. - enabled: true - id: '6605a50c-045e-366e-a640-320b76b0ef1d' - name: Check for specific patterns in sql +- description: This check triggers when a changeset contains the supplied pattern + string or regex, but does not have an end delimiter set specifically in the changeset + or via options such as 'pro-global-end-delimiter' or 'endDelimiter' attribute + in a modifyChangesets tag. + enabled: false + id: 'd2fc6f01-8ddd-35f3-bc03-f516a8f611ac' + name: End delimiter exists when pattern exists parameters: - parameter: SEARCH_STRING - value: (?is)(?=.*\b(create)\b)(?=.*\b(sequence)\b).* - - parameter: MESSAGE - value: No sequences allowed + value: null + - parameter: CASE_SENSITIVE + value: true - parameter: STRIP_COMMENTS value: true - - parameter: PATH_FILTER_REGEX + - parameter: MESSAGE + value: The pattern '' was found without an end delimiter in Changeset + ''. + parentRuleId: null + severity: '0' + shortName: EndDelimiterExistsWhenPatternExists +- description: ' This check triggers when a changeset contains the user-specified + runInTransactions value of ''true'' or ''false''. Note: Changesets without a runInTransactions + value are not checked.' + enabled: false + id: '1fdc2bbb-67a4-3d45-baad-09e69f1108cd' + name: Check Changeset runInTransaction value + parameters: + - parameter: RUN_IN_TRANSACTION_VALUE + value: false + - parameter: MESSAGE + value: A match for regular expression was detected in Changeset + . 
+ parentRuleId: null + severity: '0' + shortName: CheckRunInTransactionValue +- description: This check triggers when the logic conditional evaluates to true + enabled: false + id: 'b3fc0c29-7070-345d-acdd-761e28e99766' + name: Chained checks template + parameters: + - parameter: LOGIC_CONDITIONAL value: null - - parameter: SPLIT_STATEMENTS + - parameter: MESSAGE + value: The conditions in '' were met for ''. The + chained checks include . + parentRuleId: null + severity: '0' + shortName: ChainedChecksTemplate +- description: This checks triggers when the Max Affected Rows Allowed value is exceeded + by the number of rows DELETED by a SQL statement. The SQL statement is executed + against the database, and then rolled back. + enabled: false + id: '99b1c0d2-6dda-3acb-85f3-68002c3b07c1' + name: Check Affected Rows Count on Delete + parameters: + - parameter: MAX_ROWS + value: 50 + - parameter: MESSAGE + value: rows will be affected, which is more than the allowed '' + rows. The SQL statement is '' in ''. + parentRuleId: null + severity: '0' + shortName: MaxAffectedRowsAllowedDelete +- description: This checks triggers when the Max Affected Rows Allowed value is exceeded + by the number of rows INSERTED by a SQL statement. The SQL statement is executed + against the database, and then rolled back. + enabled: false + id: 'bbd74a72-77d4-3517-9125-c771f790178b' + name: Check Affected Rows Count on Insert + parameters: + - parameter: MAX_ROWS + value: 50 + - parameter: MESSAGE + value: rows will be affected, which is more than the allowed '' + rows. The SQL statement is '' in ''. + parentRuleId: null + severity: '0' + shortName: MaxAffectedRowsAllowedInsert +- description: This checks triggers when the Max Affected Rows Allowed value is exceeded + by the number of rows UPDATED by a SQL statement. The SQL statement is executed + against the database, and then rolled back. 
+ enabled: false + id: 'e9e2055d-e837-3418-96ac-352416cd43ee' + name: Check Affected Rows Count on Update + parameters: + - parameter: MAX_ROWS + value: 50 + - parameter: MESSAGE + value: rows will be affected, which is more than the allowed '' + rows. The SQL statement is '' in ''. + parentRuleId: null + severity: '0' + shortName: MaxAffectedRowsAllowedUpdate +- description: Executes a custom check script. + enabled: false + id: '68592fc1-8c79-3026-990f-da80c1c6d6e0' + name: Custom Check Template + parameters: + - parameter: SCRIPT_DESCRIPTION + value: Custom check + - parameter: SCRIPT_SCOPE + value: CHANGELOG + - parameter: SCRIPT_MESSAGE + value: The message to display when the check is triggered + - parameter: SCRIPT_TYPE + value: PYTHON + - parameter: SCRIPT_PATH + value: null + - parameter: SCRIPT_ARGS + value: null + - parameter: REQUIRES_SNAPSHOT value: false - parentRuleId: '6fe07581-c90d-3add-9057-1547a1439727' - severity: '3' - shortName: NoSequences + parentRuleId: null + severity: '0' + shortName: CustomCheckTemplate +- description: This check triggers when specified attributes do not match TRUE or + FALSE, as configured by the user. + enabled: false + id: '8339bc72-ae9e-3678-8a86-2af1b8aa2d1c' + name: Changeset attributes set true or false + parameters: + - parameter: ATTRIBUTE + value: null + - parameter: SEARCH_STRING + value: null + parentRuleId: null + severity: '0' + shortName: ChangesetAttributesSetTrueOrFalse +- description: This check triggers when specified attributes do not match the user-supplied + string or regex pattern. + enabled: false + id: '84092e22-894a-3452-a778-5bfae8ba03ca' + name: Changeset attributes and value + parameters: + - parameter: ATTRIBUTE + value: null + - parameter: SEARCH_STRING + value: null + parentRuleId: null + severity: '0' + shortName: ChangesetAttributesAndValue version: '1.1'
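Review bot: Removing `NoSequences` (`enabled: true`, `severity: '3'`, parent `6fe07581-…`) in this hunk, on top of the earlier removal of `NoCreateSequences`, leaves no active rule against `CREATE SEQUENCE` in the file, while every rule this hunk re-adds is `enabled: false` — so the net effect is a weaker policy presented as a reorder. The block reshuffle and the `fileModified` bump look like the output of `checks run --auto-update=ON` rather than a hand edit, which is plausible given the new flow files all set `auto-update: "ON"`; if so, a policy removal is being produced by the tool and committed without a reviewer deciding it. A deliberate `checks disable --check-name=NoSequences` (or a severity change) in its own commit would make the loss of the guard explicit and reviewable; a comment in the file recording the decision, e.g. `# NoSequences/NoCreateSequences removed <date>: sequences are now permitted, see <ticket>`, would document it for the next maintainer.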