utfpr · edvaldoszy · Apr 8, 2026 · Mar 25, 2026 · Mar 25, 2026 · Mar 27, 2026
diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml
@@ -45,7 +45,7 @@ jobs:
       - name: Checkout code
         uses: actions/checkout@v4
       - name: Run scanner
-        uses: aquasecurity/trivy-action@0.34.2
+        uses: aquasecurity/trivy-action@0.35.0
         with:
           scan-type: filesystem
           scan-ref: .

diff --git a/ansible/playbooks/02_readonly_access.yml b/ansible/playbooks/02_readonly_access.yml
@@ -1,29 +1,47 @@
-- name: Setup readonly access to MySQL
+- name: Setup readonly access to PostgreSQL
   hosts: all
   become: yes
+  vars:
+    database_port: 5432
+
+  pre_tasks:
+    - name: Ensure required Python packages are installed
+      tags:
+        - always
+      ansible.builtin.apt:
+        name:
+          - python3-psycopg2
+        update_cache: yes
+        state: present
 
   tasks:
     - name: Ensure readonly_tunnel user is present
-      user:
+      tags:
+        - host
+      ansible.builtin.user:
         name: readonly_tunnel
         create_home: yes
         shell: /bin/false
         system: yes
 
     - name: Ensure readonly_tunnel user authorization key is present
-      authorized_key:
+      tags:
+        - host
+      ansible.posix.authorized_key:
         user: readonly_tunnel
         key: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIARuxJ71FWsdjwVaZgoXILWRmVSdVEJBKfZi8kAYUkVA readonly_tunnel"
 
     - name: Ensure SSH access is strict
-      blockinfile:
+      tags:
+        - host
+      ansible.builtin.blockinfile:
         path: /etc/ssh/sshd_config.d/10-readonly-tunnel.conf
         block: |
           Match User readonly_tunnel
             PermitTTY no
             PermitTunnel no
             GatewayPorts no
-            PermitOpen localhost:3306
+            PermitOpen localhost:{{ database_port }}
             ForceCommand /bin/false
             X11Forwarding no
             AllowAgentForwarding no
@@ -36,8 +54,180 @@
       register: sshd_config_file
 
     - name: Reload SSH
-      service:
+      tags:
+        - host
+      ansible.builtin.service:
         name: sshd
         enabled: yes
         state: reloaded
       when: sshd_config_file.changed
+
+    - name: Ensure PostgreSQL readonly_tunnel user is present
+      tags:
+        - postgres
+      community.postgresql.postgresql_user:
+        name: "{{ postgres.readonly_user.name }}"
+        password: "{{ postgres.readonly_user.password }}"
+        login_user: "{{ postgres.login_user }}"
+        login_host: "{{ postgres.login_host }}"
+        login_port: "{{ postgres.login_port }}"
+        login_password: "{{ postgres.login_password }}"
+        state: present
+
+    - name: Grant all privileges on herbario_dev database
+      tags:
+        - postgres
+      community.postgresql.postgresql_privs:
+        database: herbario_dev
+        type: database
+        privs: ALL
+        roles: "{{ postgres.readonly_user.name }}"
+        login_user: "{{ postgres.login_user }}"
+        login_host: "{{ postgres.login_host }}"
+        login_port: "{{ postgres.login_port }}"
+        login_password: "{{ postgres.login_password }}"
+
+    - name: Grant usage on schemas in herbario_dev
+      tags:
+        - postgres
+      community.postgresql.postgresql_privs:
+        database: herbario_dev
+        type: schema
+        objs: "{{ item }}"
+        privs: ALL
+        roles: "{{ postgres.readonly_user.name }}"
+        login_user: "{{ postgres.login_user }}"
+        login_host: "{{ postgres.login_host }}"
+        login_port: "{{ postgres.login_port }}"
+        login_password: "{{ postgres.login_password }}"
+      loop:
+        - public
+        - topology
+
+    - name: Grant all privileges on all tables in herbario_dev
+      tags:
+        - postgres
+      community.postgresql.postgresql_privs:
+        database: herbario_dev
+        type: table
+        objs: ALL_IN_SCHEMA
+        privs: ALL
+        roles: "{{ postgres.readonly_user.name }}"
+        login_user: "{{ postgres.login_user }}"
+        login_host: "{{ postgres.login_host }}"
+        login_port: "{{ postgres.login_port }}"
+        login_password: "{{ postgres.login_password }}"
+
+    - name: Set default privileges for future tables in herbario_dev
+      tags:
+        - postgres
+      community.postgresql.postgresql_privs:
+        database: herbario_dev
+        type: default_privs
+        objs: tables
+        privs: ALL
+        roles: "{{ postgres.readonly_user.name }}"
+        login_user: "{{ postgres.login_user }}"
+        login_host: "{{ postgres.login_host }}"
+        login_port: "{{ postgres.login_port }}"
+        login_password: "{{ postgres.login_password }}"
+
+    - name: Set default privileges for future sequences in herbario_dev
+      tags:
+        - postgres
+      community.postgresql.postgresql_privs:
+        database: herbario_dev
+        type: default_privs
+        objs: sequences
+        privs: ALL
+        roles: "{{ postgres.readonly_user.name }}"
+        login_user: "{{ postgres.login_user }}"
+        login_host: "{{ postgres.login_host }}"
+        login_port: "{{ postgres.login_port }}"
+        login_password: "{{ postgres.login_password }}"
+
+    - name: Grant CONNECT on herbario_prod database
+      tags:
+        - postgres
+      community.postgresql.postgresql_privs:
+        database: herbario_prod
+        type: database
+        privs: CONNECT
+        roles: "{{ postgres.readonly_user.name }}"
+        login_user: "{{ postgres.login_user }}"
+        login_host: "{{ postgres.login_host }}"
+        login_port: "{{ postgres.login_port }}"
+        login_password: "{{ postgres.login_password }}"
+
+    - name: Grant usage on schemas in herbario_prod
+      tags:
+        - postgres
+      community.postgresql.postgresql_privs:
+        database: herbario_prod
+        type: schema
+        objs: "{{ item }}"
+        privs: USAGE
+        roles: "{{ postgres.readonly_user.name }}"
+        login_user: "{{ postgres.login_user }}"
+        login_host: "{{ postgres.login_host }}"
+        login_port: "{{ postgres.login_port }}"
+        login_password: "{{ postgres.login_password }}"
+      loop:
+        - public
+        - topology
+
+    - name: Grant SELECT on all tables in herbario_prod
+      tags:
+        - postgres
+      community.postgresql.postgresql_privs:
+        database: herbario_prod
+        type: table
+        objs: ALL_IN_SCHEMA
+        privs: SELECT
+        roles: "{{ postgres.readonly_user.name }}"
+        login_user: "{{ postgres.login_user }}"
+        login_host: "{{ postgres.login_host }}"
+        login_port: "{{ postgres.login_port }}"
+        login_password: "{{ postgres.login_password }}"
+
+    - name: Grant SELECT on all sequences in herbario_prod
+      tags:
+        - postgres
+      community.postgresql.postgresql_privs:
+        database: herbario_prod
+        type: sequence
+        objs: ALL_IN_SCHEMA
+        privs: SELECT
+        roles: "{{ postgres.readonly_user.name }}"
+        login_user: "{{ postgres.login_user }}"
+        login_host: "{{ postgres.login_host }}"
+        login_port: "{{ postgres.login_port }}"
+        login_password: "{{ postgres.login_password }}"
+
+    - name: Set default privileges for future tables in herbario_prod
+      tags:
+        - postgres
+      community.postgresql.postgresql_privs:
+        database: herbario_prod
+        type: default_privs
+        objs: tables
+        privs: SELECT
+        roles: "{{ postgres.readonly_user.name }}"
+        login_user: "{{ postgres.login_user }}"
+        login_host: "{{ postgres.login_host }}"
+        login_port: "{{ postgres.login_port }}"
+        login_password: "{{ postgres.login_password }}"
+
+    - name: Set default privileges for future sequences in herbario_prod
+      tags:
+        - postgres
+      community.postgresql.postgresql_privs:
+        database: herbario_prod
+        type: default_privs
+        objs: sequences
+        privs: SELECT
+        roles: "{{ postgres.readonly_user.name }}"
+        login_user: "{{ postgres.login_user }}"
+        login_host: "{{ postgres.login_host }}"
+        login_port: "{{ postgres.login_port }}"
+        login_password: "{{ postgres.login_password }}"
diff --git a/src/controllers/coletor-controller.js b/src/controllers/coletor-controller.js
@@ -117,3 +117,34 @@ export const desativaColetor = async (req, res, next) => {
         next(error);
     }
 };
+
+export const listaNumerosColetaPorColetor = async (req, res, next) => {
+    try {
+        const { coletorId } = req.params;
+        const { Tombo } = models;
+        const coletor = await Coletor.findByPk(coletorId);
+        if (!coletor) {
+            return res.status(404).json({ mensagem: 'Coletor não encontrado.' });
+        }
+        const numerosColeta = await Tombo.findAll({
+            attributes: ['numero_coleta'],
+            where: {
+                coletor_id: coletorId,
+                rascunho: false,
+                numero_coleta: { [Op.not]: null },
+            },
+            raw: true,
+            order: [['numero_coleta', 'ASC']],
+        });
+        const numerosUnicos = [...new Set(numerosColeta.map(item => item.numero_coleta))].map((numero, index) => ({
+            id: index,
+            numero,
+        }));
+
+        res.status(200).json({
+            numerosColeta: numerosUnicos,
+        });
+    } catch (error) {
+        next(error);
+    }
+};