pgls 1.0.3

data/lib/pgls/application.rb

@@ -0,0 +1,497 @@
+#!/usr/bin/env ruby
+
+require 'net/ldap'
+require 'optparse'
+require 'yaml'
+require 'kwalify'
+require 'pg'
+require "pgls/logger"
+
+module PgLdapSync
+class Application
+  attr_accessor :config_fname
+  attr_accessor :groups_fname
+  attr_accessor :log
+  attr_accessor :test
+
+  def string_to_symbol(hash)
+    if hash.kind_of?(Hash)
+      return hash.inject({}) do |h, v|
+        raise "expected String instead of #{h.inspect}" unless v[0].kind_of?(String)
+        h[v[0].intern] = string_to_symbol(v[1])
+        h
+      end
+    else
+      return hash
+    end
+  end
+
+
+  def validate_config(config, schema, fname)
+    schema = YAML.load_file(schema)
+    validator = Kwalify::Validator.new(schema)
+    errors = validator.validate(config)
+    if errors && !errors.empty?
+      errors.each do |err|
+        log.fatal "error in #{fname}: [#{err.path}] #{err.message}"
+      end
+      raise InvalidConfig, 78 # EX_CONFIG
+    end
+  end
+
+  def read_config_file(fname)
+    raise "Config file #{fname.inspect} does not exist" unless File.exist?(fname)
+    config = YAML.load(File.read(fname))
+
+    schema_fname = File.join(File.dirname(__FILE__), '../../config/schema.yaml')
+    validate_config(config, schema_fname, fname)
+
+    @config = string_to_symbol(config)
+  end
+
+  LdapRole = Struct.new :name, :dn, :member_dns
+
+  def read_groups_from_file(fname)
+    groups = []
+    File.foreach(fname) do |line|
+      # Удалите пробелы и символы новой строки с помощью strip
+      group = line.strip
+      groups << group unless group.empty?
+    end
+    groups
+  end
+
+  def format_groups_for_ldap_users(groups, filter)
+    # Используйте метод map для преобразования каждой группы в соответствующий формат
+    formatted_groups = groups.map { |group| "(memberOf=CN=#{group},#{filter})" }
+    # Используйте метод join для объединения форматированных групп в одну строку с оператором "или" (|)
+    "(&(objectClass=organizationalPerson)(|" + formatted_groups.join + "))"
+  end
+
+  def format_groups_for_ldap_groups(groups)
+    # Используйте метод map для преобразования каждой группы в соответствующий формат
+    formatted_groups = groups.map { |group| "(cn=#{group})" }
+    # Используйте метод join для объединения форматированных групп в одну строку с оператором "или" (|)
+    "(|" + formatted_groups.join + ")"
+  end
+
+  def search_ldap_users
+    ldap_user_conf = @config[:ldap_users]
+    name_attribute = ldap_user_conf[:name_attribute]
+
+    users = []
+    
+    if @groups_fname != ''
+      @groups = read_groups_from_file(@groups_fname)
+
+      res = @ldap.search(
+            base: ldap_user_conf[:base],
+            filter: format_groups_for_ldap_users(@groups, ldap_user_conf[:filter]),
+            attributes: [name_attribute, :dn]
+      )
+    else
+      res = @ldap.search(
+            base: ldap_user_conf[:base],
+            filter: ldap_user_conf[:filter],
+            attributes: [name_attribute, :dn]
+      )
+    end
+    
+    res.each do |entry|
+      name = entry[name_attribute].first
+
+      unless name
+        log.warn "user attribute #{name_attribute.inspect} not defined for #{entry.dn}"
+        next
+      end
+      log.info "found user-dn: #{entry.dn}"
+
+      names = if ldap_user_conf[:bothcase_name]
+        [name, name.downcase].uniq
+      elsif ldap_user_conf[:lowercase_name]
+        [name.downcase]
+      elsif ldap_user_conf[:uppercase_name]
+        [name.upcase]
+      else
+        [name]
+      end
+
+      names.each do |n|
+        users << LdapRole.new(n, entry.dn)
+      end
+      entry.each do |attribute, values|
+        log.debug "   #{attribute}:"
+        values.each do |value|
+          log.debug "      --->#{value.inspect}"
+        end
+      end
+    end
+    raise LdapError, "LDAP: #{@ldap.get_operation_result.message}" unless res
+    return users
+  end
+
+  def retrieve_array_attribute(entry, attribute_name)
+    array = entry[attribute_name]
+    if array.empty?
+      # Possibly an attribute, which must be retrieved in several ranges
+
+      ranged_attr = entry.attribute_names.find { |n| n =~ /\A#{Regexp.escape(attribute_name)};range=/ }
+      if ranged_attr
+        entry_dn = entry.dn
+
+        loop do
+          array += entry[ranged_attr]
+          log.debug "retrieved attribute range #{ranged_attr.inspect} of dn #{entry_dn}"
+
+          if ranged_attr =~ /;range=\d\-\*\z/
+            break
+          end
+
+          attribute_with_range = ranged_attr.to_s.gsub(/;range=.*/, ";range=#{array.size}-*")
+          entry = @ldap.search(
+            base: entry_dn,
+            scope: Net::LDAP::SearchScope_BaseObject,
+            attributes: attribute_with_range).first
+
+          ranged_attr = entry.attribute_names.find { |n| n =~ /\A#{Regexp.escape(attribute_name)};range=/ }
+        end
+      end
+    else
+      # Values already received -> No ranged attribute
+    end
+    return array
+  end
+
+  def search_ldap_groups
+    ldap_group_conf = @config[:ldap_groups]
+    name_attribute = ldap_group_conf[:name_attribute]
+    member_attribute = ldap_group_conf[:member_attribute]
+
+    groups = []
+
+    if @groups_fname != ''
+      res = @ldap.search(
+            base: ldap_group_conf[:base],
+            filter: format_groups_for_ldap_groups(@groups),
+            attributes: [name_attribute, member_attribute, :dn]
+      )
+    else
+      res = @ldap.search(
+            base: ldap_group_conf[:base],
+            filter: ldap_group_conf[:filter],
+            attributes: [name_attribute, member_attribute, :dn]
+      )
+    end
+
+    res.each do |entry|
+      name = entry[name_attribute].first
+
+      unless name
+        log.warn "user attribute #{name_attribute.inspect} not defined for #{entry.dn}"
+        next
+      end
+
+      log.info "found group-dn: #{entry.dn}"
+
+      names = if ldap_group_conf[:bothcase_name]
+        [name, name.downcase].uniq
+      elsif ldap_group_conf[:lowercase_name]
+        [name.downcase]
+      elsif ldap_group_conf[:uppercase_name]
+         [name.upcase]
+      else
+        [name]
+      end
+
+      names.each do |n|
+        group_members = retrieve_array_attribute(entry, member_attribute)
+        groups << LdapRole.new(n, entry.dn, group_members)
+      end
+      entry.each do |attribute, values|
+        log.debug "   #{attribute}:"
+        values.each do |value|
+          log.debug "      --->#{value.inspect}"
+        end
+      end
+    end
+    raise LdapError, "LDAP: #{@ldap.get_operation_result.message}" unless res
+    return groups
+  end
+
+  PgRole = Struct.new :name, :member_names
+
+  # List of default roles taken from https://www.postgresql.org/docs/current/predefined-roles.html
+  PG_BUILTIN_ROLES = %w[ pg_read_all_data pg_write_all_data pg_read_all_settings pg_read_all_stats pg_stat_scan_tables pg_monitor pg_database_owner pg_signal_backend pg_read_server_files pg_write_server_files pg_execute_server_program pg_checkpoint]
+
+  def search_pg_users
+    pg_users_conf = @config[:pg_users]
+
+    users = []
+    res = pg_exec "SELECT rolname FROM pg_roles WHERE #{pg_users_conf[:filter]}"
+    res.each do |tuple|
+      user = PgRole.new tuple[0]
+      next if PG_BUILTIN_ROLES.include?(user.name)
+      log.info{ "found pg-user: #{user.name.inspect}"}
+      users << user
+    end
+    return users
+  end
+
+  def search_pg_groups
+    pg_groups_conf = @config[:pg_groups]
+
+    groups = []
+    res = pg_exec "SELECT rolname, oid FROM pg_roles WHERE #{pg_groups_conf[:filter]}"
+    res.each do |tuple|
+      res2 = pg_exec "SELECT pr.rolname FROM pg_auth_members pam JOIN pg_roles pr ON pr.oid=pam.member WHERE pam.roleid=#{@pgconn.escape_string(tuple[1])}"
+      member_names = res2.map{|row| row[0] }
+      group = PgRole.new tuple[0], member_names
+      next if PG_BUILTIN_ROLES.include?(group.name)
+      log.info{ "found pg-group: #{group.name.inspect} with members: #{member_names.inspect}"}
+      groups << group
+    end
+    return groups
+  end
+
+  def uniq_names(list)
+    names = {}
+    new_list = list.select do |entry|
+      name = entry.name
+      if names[name]
+        log.warn{ "duplicated group/user #{name.inspect} (#{entry.inspect})" }
+        next false
+      else
+        names[name] = true
+        next true
+      end
+    end
+    return new_list
+  end
+
+  MatchedRole = Struct.new :ldap, :pg, :name, :state, :type
+
+  def match_roles(ldaps, pgs, type)
+    ldap_by_name = ldaps.inject({}){|h,u| h[u.name] = u; h }
+    pg_by_name = pgs.inject({}){|h,u| h[u.name] = u; h }
+
+    roles = []
+    ldaps.each do |ld|
+      pg = pg_by_name[ld.name]
+      role = MatchedRole.new ld, pg, ld.name
+      roles << role
+    end
+    pgs.each do |pg|
+      ld = ldap_by_name[pg.name]
+      next if ld
+      role = MatchedRole.new ld, pg, pg.name
+      roles << role
+    end
+
+    roles.each do |r|
+      r.state = case
+        when r.ldap && !r.pg then :create
+        when !r.ldap && r.pg then :drop
+        when r.pg && r.ldap then :keep
+        else raise "invalid user #{r.inspect}"
+      end
+      r.type = type
+    end
+
+    log.info do
+      roles.each do |role|
+        log.debug{ "#{role.state} #{role.type}: #{role.name}" }
+      end
+      "#{type} stat: create: #{roles.count{|r| r.state==:create }} drop: #{roles.count{|r| r.state==:drop }} keep: #{roles.count{|r| r.state==:keep }}"
+    end
+    return roles
+  end
+
+  def try_sql(text)
+    begin
+      @pgconn.exec "SAVEPOINT try_sql;"
+      @pgconn.exec text
+    rescue PG::Error => err
+      @pgconn.exec "ROLLBACK TO try_sql;"
+
+      log.error{ "#{err} (#{err.class})" }
+    end
+  end
+
+  def pg_exec_modify(sql)
+    log.info{ "SQL: #{sql}" }
+    unless self.test
+      try_sql sql
+    end
+  end
+
+  def pg_exec(sql)
+    res = @pgconn.exec sql
+    (0...res.num_tuples).map{|t| (0...res.num_fields).map{|i| res.getvalue(t, i) } }
+  end
+
+  def create_pg_role(role)
+    pg_conf = @config[role.type==:user ? :pg_users : :pg_groups]
+    pg_exec_modify "CREATE ROLE \"#{role.name}\" #{pg_conf[:create_options]}"
+  end
+
+  def drop_pg_role(role)
+    pg_exec_modify "DROP ROLE \"#{role.name}\""
+  end
+
+  def sync_roles_to_pg(roles, for_state)
+    roles.sort{|a,b| a.name<=>b.name }.each do |role|
+      create_pg_role(role) if role.state==:create && for_state==:create
+      drop_pg_role(role) if role.state==:drop && for_state==:drop
+    end
+  end
+
+  MatchedMembership = Struct.new :role_name, :has_member, :state
+
+  def match_memberships(ldap_roles, pg_roles)
+    ldap_group_conf = @config[:ldap_groups]
+    hash_of_arrays = Hash.new { |h, k| h[k] = [] }
+    if ldap_group_conf[:ald_domain]
+      ldap_by_dn = ldap_roles.inject(hash_of_arrays){|h,r| h[r.name] << r; h }
+    else
+      ldap_by_dn = ldap_roles.inject(hash_of_arrays){|h,r| h[r.dn] << r; h }
+    end
+    ldap_by_m2m = ldap_roles.inject([]) do |a,r|
+      next a unless r.member_dns
+      a + r.member_dns.flat_map do |dn|
+        has_members = ldap_by_dn[dn]
+        log.warn{"ldap member with dn #{dn} is unknown"} if has_members.empty?
+        has_members.map do |has_member|
+          [r.name, has_member.name]
+        end
+      end
+    end
+
+    hash_of_arrays = Hash.new { |h, k| h[k] = [] }
+    pg_by_name = pg_roles.inject(hash_of_arrays){|h,r| h[r.name] << r; h }
+    pg_by_m2m = pg_roles.inject([]) do |a,r|
+      next a unless r.member_names
+      a + r.member_names.flat_map do |name|
+        has_members = pg_by_name[name]
+        log.warn{"pg member with name #{name} is unknown"} if has_members.empty?
+        has_members.map do |has_member|
+          [r.name, has_member.name]
+        end
+      end
+    end
+
+    memberships  = (ldap_by_m2m & pg_by_m2m).map{|r,mo| MatchedMembership.new r, mo, :keep }
+    memberships += (ldap_by_m2m - pg_by_m2m).map{|r,mo| MatchedMembership.new r, mo, :grant }
+    memberships += (pg_by_m2m - ldap_by_m2m).map{|r,mo| MatchedMembership.new r, mo, :revoke }
+
+    log.info do
+      memberships.each do |membership|
+        log.debug{ "#{membership.state} #{membership.role_name} to #{membership.has_member}" }
+      end
+      "membership stat: grant: #{memberships.count{|u| u.state==:grant }} revoke: #{memberships.count{|u| u.state==:revoke }} keep: #{memberships.count{|u| u.state==:keep }}"
+    end
+    return memberships
+  end
+
+  def grant_membership(role_name, add_members)
+    pg_conf = @config[:pg_groups]
+    add_members_escaped = add_members.map{|m| "\"#{m}\"" }.join(",")
+    pg_exec_modify "GRANT \"#{role_name}\" TO #{add_members_escaped} #{pg_conf[:grant_options]}"
+  end
+
+  def revoke_membership(role_name, rm_members)
+    rm_members_escaped = rm_members.map{|m| "\"#{m}\"" }.join(",")
+    pg_exec_modify "REVOKE \"#{role_name}\" FROM #{rm_members_escaped}"
+  end
+
+  def sync_membership_to_pg(memberships, for_state)
+    grants = {}
+    memberships.select{|ms| ms.state==for_state }.each do |ms|
+      grants[ms.role_name] ||= []
+      grants[ms.role_name] << ms.has_member
+    end
+
+    grants.each do |role_name, members|
+      grant_membership(role_name, members) if for_state==:grant
+      revoke_membership(role_name, members) if for_state==:revoke
+    end
+  end
+
+  def start!
+    read_config_file(@config_fname)
+
+    ldap_conf = @config[:ldap_connection]
+    auth_meth = ldap_conf.dig(:auth, :method).to_s
+    if auth_meth == "gssapi"
+      begin
+        require 'net/ldap/auth_adapter/gssapi'
+      rescue LoadError => err
+        raise "#{err}\nTo use GSSAPI authentication please run:\n  gem install net-ldap-auth_adapter-gssapi"
+      end
+    elsif auth_meth == "gss_spnego"
+      begin
+        require 'net-ldap-gss-spnego'
+        # This doesn't work since this file is defined in net-ldap as a placeholder:
+        #   require 'net/ldap/auth_adapter/gss_spnego'
+      rescue LoadError => err
+        raise "#{err}\nTo use GSSAPI authentication please run:\n  gem install net-ldap-gss-spnego"
+      end
+    end
+
+    # gather LDAP users and groups
+    @ldap = Net::LDAP.new ldap_conf
+    ldap_users = uniq_names search_ldap_users
+    ldap_groups = uniq_names search_ldap_groups
+
+    # gather PGs users and groups
+    @pgconn = PG.connect @config[:pg_connection]
+    begin
+      @pgconn.transaction do
+        pg_users = uniq_names search_pg_users
+        pg_groups = uniq_names search_pg_groups
+
+        # compare LDAP to PG users and groups
+        mroles = match_roles(ldap_users, pg_users, :user)
+        mroles += match_roles(ldap_groups, pg_groups, :group)
+
+        # compare LDAP to PG memberships
+        mmemberships = match_memberships(ldap_users+ldap_groups, pg_users+pg_groups)
+
+        # drop/revoke roles/memberships first
+        sync_membership_to_pg(mmemberships, :revoke)
+        sync_roles_to_pg(mroles, :drop)
+        # create/grant roles/memberships
+        sync_roles_to_pg(mroles, :create)
+        sync_membership_to_pg(mmemberships, :grant)
+      end
+    ensure
+      @pgconn.close
+    end
+
+    # Determine exitcode
+    if log.had_errors?
+      raise ErrorExit.new(1, log.first_error)
+    end
+  end
+
+  def self.run(argv)
+    s = self.new
+    s.config_fname = '/etc/pg_ldap_sync.yaml'
+    s.groups_fname = ''
+    s.log = Logger.new($stdout)
+    s.log.level = Logger::ERROR
+
+    OptionParser.new do |opts|
+      opts.version = VERSION
+      opts.banner = "Usage: #{$0} [options]"
+      opts.on("-v", "--[no-]verbose", "Increase verbose level"){|v| s.log.level += v ? -1 : 1 }
+      opts.on("-c", "--config FILE", "Config file [#{s.config_fname}]", &s.method(:config_fname=))
+      opts.on("-g", "--groups FILE", "Groups file [#{s.groups_fname}]", &s.method(:groups_fname=))
+      opts.on("-t", "--[no-]test", "Don't do any change in the database", &s.method(:test=))
+
+      opts.parse!(argv)
+    end
+
+    s.start!
+  end
+end
+end

data/lib/pgls/compat.rb

@@ -0,0 +1,10 @@
+#!/usr/bin/env ruby
+
+class Hash
+  # transform_keys was added in ruby-2.5
+  def transform_keys
+    map do |k, v|
+      [yield(k), v]
+    end.to_h
+  end unless method_defined? :transform_keys
+end

data/lib/pgls/logger.rb

@@ -0,0 +1,28 @@
+require 'logger'
+
+module PgLdapSync
+class Logger < ::Logger
+  def initialize(io)
+    super(io)
+    @counters = {}
+  end
+
+  def add(severity, *args, &block)
+    super
+    return unless [Logger::FATAL, Logger::ERROR].include?(severity)
+    @counters[severity] ||= block ? block.call : args.first
+  end
+
+  def had_logged?(severity)
+    !!@counters[severity]
+  end
+
+  def had_errors?
+    had_logged?(Logger::FATAL) || had_logged?(Logger::ERROR)
+  end
+
+  def first_error
+    @counters[Logger::FATAL] || @counters[Logger::ERROR]
+  end
+end
+end

data/lib/pgls/version.rb

@@ -0,0 +1,3 @@
+module PgLdapSync
+  VERSION = "1.0.3"
+end

data/lib/pgls.rb

@@ -0,0 +1,23 @@
+require "pgls/application"
+require "pgls/compat"
+require "pgls/version"
+
+module PgLdapSync
+  class LdapError < RuntimeError
+  end
+
+  class ApplicationExit < RuntimeError
+    attr_reader :exitcode
+
+    def initialize(exitcode, error=nil)
+      super(error)
+      @exitcode = exitcode
+    end
+  end
+
+  class InvalidConfig < ApplicationExit
+  end
+
+  class ErrorExit < ApplicationExit
+  end
+end

data/pgls.gemspec

@@ -0,0 +1,33 @@
+lib = File.expand_path("../lib", __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require "pgls/version"
+
+Gem::Specification.new do |spec|
+  spec.name          = "pgls"
+  spec.version       = PgLdapSync::VERSION
+  spec.authors       = ["fruworg"]
+  spec.email         = ["im@fruw.org"]
+
+  spec.summary       = %q{Use LDAP permissions in PostgreSQL}
+  spec.homepage      = "https://github.com/fruworg/pgls"
+  spec.license       = "MIT"
+
+  spec.files         = `git ls-files -z`.split("\x0").reject do |f|
+    f.match(%r{^(test|spec|features)/})
+  end
+  spec.bindir        = "exe"
+  spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
+  spec.require_paths = ["lib"]
+  spec.rdoc_options = %w[--main README.md --charset=UTF-8]
+  spec.required_ruby_version = ">= 2.3"
+
+  spec.add_runtime_dependency "net-ldap", "~> 0.16"
+  spec.add_runtime_dependency "kwalify", "~> 0.7"
+  spec.add_runtime_dependency "pg", ">= 0.14", "<= 1.0.0"
+  spec.add_runtime_dependency "net-ldap-auth_adapter-gssapi", "~> 0.2.0"
+  spec.add_development_dependency "ruby-ldapserver", "~> 0.3"
+  spec.add_development_dependency "minitest", "~> 5.0"
+  spec.add_development_dependency "bundler", ">= 1.16", "< 3.0"
+  spec.add_development_dependency "rake", "~> 13.0"
+  spec.add_development_dependency "minitest-hooks", "~> 1.4"
+end