
@rvanbruggen
Created January 29, 2020 19:35
Securing the beergraph with Neo4j 4.0
// Create the dedicated database for the demo.
// CREATE DATABASE is an administration command: in Neo4j 4.0 it is run against the
// system database. The index statements below act on whichever database the session
// is using, so switch to beergraph (e.g. `:use beergraph`) before running them.
CREATE DATABASE beergraph;
// One index per lookup key used by the MERGE / MATCH steps of the import.
CREATE INDEX ON :BeerBrand(name);
CREATE INDEX ON :BeerType(name);
CREATE INDEX ON :Brewery(name);
CREATE INDEX ON :AlcoholPercentage(value);
// Automated import in a single statement.
// NOTE(review): the CSV is fetched at run time from a shared spreadsheet export, so
// whoever can edit that sheet decides what is merged into the graph. Review the data
// before building access rules on top of it.
LOAD CSV WITH HEADERS FROM
"https://docs.google.com/spreadsheets/d/1FwWxlgnOhOtrUELIzLupDFW7euqXfeh8x3BeiEY_sbI/export?format=csv&id=1FwWxlgnOhOtrUELIzLupDFW7euqXfeh8x3BeiEY_sbI&gid=0" AS csv
// Each WITH ... WHERE step drops the rows that lack that column, so every later step
// only sees rows that passed all earlier filters.
WITH csv
WHERE csv.BeerType IS NOT NULL
MERGE (type_node:BeerType {name: csv.BeerType})
WITH csv
WHERE csv.BeerBrand IS NOT NULL
MERGE (brand_node:BeerBrand {name: csv.BeerBrand})
WITH csv
WHERE csv.Brewery IS NOT NULL
MERGE (brewery_node:Brewery {name: csv.Brewery})
WITH csv
WHERE csv.AlcoholPercentage IS NOT NULL
// Normalise the percentage text: strip the '%' sign and turn a decimal comma into a dot.
MERGE (pct_node:AlcoholPercentage {value: toFloat(replace(replace(csv.AlcoholPercentage,'%',''),',','.'))})
WITH csv
// Re-match the four nodes of the row (same normalisation as above) and connect them.
MATCH (pct:AlcoholPercentage {value: toFloat(replace(replace(csv.AlcoholPercentage,'%',''),',','.'))}),
      (brewery:Brewery {name: csv.Brewery}),
      (brand:BeerBrand {name: csv.BeerBrand}),
      (beer_type:BeerType {name: csv.BeerType})
MERGE (brand)-[:HAS_ALCOHOLPERCENTAGE]->(pct)
MERGE (brand)-[:IS_A]->(beer_type)
MERGE (brand)<-[:BREWS]-(brewery);
// Build the in-graph index: link the AlcoholPercentage nodes into a chain, in ascending
// order of value, using PRECEDES relationships.
// NOTE(review): the chain stores the relative order of the percentages in the graph
// structure itself. A property-level DENY READ on `value` hides the numbers but not
// this ordering, unless the PRECEDES relationships or the nodes are restricted as well.
MATCH (pct:AlcoholPercentage)
WITH pct
ORDER BY pct.value ASC
WITH collect(pct) AS ordered_pcts
// Pair each node with its successor; the range is empty when there are fewer than two nodes.
UNWIND range(0, size(ordered_pcts) - 2) AS idx
WITH ordered_pcts[idx] AS current_pct, ordered_pcts[idx + 1] AS next_pct
MERGE (current_pct)-[:PRECEDES]->(next_pct);
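// Create the childreader user.
// "changeme" is a placeholder, so the account is created with CHANGE REQUIRED: the user
// must set a real password at first login instead of keeping a well-known default.
// User, role and privilege statements are administration commands (run against the
// system database in Neo4j 4.0).
CREATE USER childreader SET PASSWORD "changeme" CHANGE REQUIRED;
// Create childreaderrole as a copy of the built-in reader role.
// NOTE(review): the copy inherits every privilege reader holds, which may reach beyond
// the beergraph database. Confirm with the SHOW ROLE ... PRIVILEGES output below.
CREATE ROLE childreaderrole AS COPY OF reader;
// List the roles to confirm the new role exists.
SHOW ROLES;
// Put the childreader user into childreaderrole.
GRANT ROLE childreaderrole TO childreader;
// Read restriction for children: hide the `value` property of AlcoholPercentage nodes.
// This hides the property only; the nodes and their relationships stay visible.
DENY READ {value} ON GRAPH `beergraph` NODES AlcoholPercentage TO childreaderrole;
// Verify what the role can and cannot do after the DENY.
SHOW ROLE childreaderrole PRIVILEGES;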
// Find all shortest paths between two beers, over any relationship type and direction.
// Presumably meant to be run once as an unrestricted user and once as childreader, to
// compare which paths are still visible under the role's restrictions.
MATCH (orval:BeerBrand {name:"Orval"}), (duvel:BeerBrand {name:"Duvel"}),
      route = allShortestPaths((orval)-[*]-(duvel))
RETURN route AS path;
// Additional restriction: block traversal of HAS_ALCOHOLPERCENTAGE relationships, so
// paths for childreaderrole can no longer run from a beer to its percentage node.
// NOTE(review): this covers the relationship type only. AlcoholPercentage nodes are not
// covered by this statement, so check whether they can still be matched by label.
DENY TRAVERSE ON GRAPH `beergraph` RELATIONSHIPS HAS_ALCOHOLPERCENTAGE TO childreaderrole;
// Reset: remove both DENY rules to start over.
// After this, childreaderrole has only what it copied from reader, so the alcohol
// percentages are readable again until the DENY statements are re-applied.
REVOKE DENY READ {value} ON GRAPH `beergraph` NODES AlcoholPercentage FROM childreaderrole;
REVOKE DENY TRAVERSE ON GRAPH `beergraph` RELATIONSHIPS HAS_ALCOHOLPERCENTAGE FROM childreaderrole;