pgls 1.0.3

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 6f104a973e164b2aaba303b6fc06e5542e541e23c29055f019a44d75649609a5
+  data.tar.gz: 394a2949ea3b585bac7a4581cff6ab616a2b679cf141813aac63121a278d515e
+SHA512:
+  metadata.gz: 662a763dcd1614efe14550b274f111329689d0103db1aead88a67c3da796edc6540000d3edf49a36c0016eba08e61c2079d1697aeeb2a4a5e4a01ff7af088059
+  data.tar.gz: c1fc847625ad14df078c7395f8702f634c2dc9fc49ed3a64b3fb79a9f712ea645dca69559849346b20f5c4353a2b12e60bb70ee456ef9c1c2446c605018eab9c

data/.autotest

@@ -0,0 +1,23 @@
+# -*- ruby -*-
+
+require 'autotest/restart'
+
+# Autotest.add_hook :initialize do |at|
+#   at.extra_files << "../some/external/dependency.rb"
+#
+#   at.libs << ":../some/external"
+#
+#   at.add_exception 'vendor'
+#
+#   at.add_mapping(/dependency.rb/) do |f, _|
+#     at.files_matching(/test_.*rb$/)
+#   end
+#
+#   %w(TestA TestB).each do |klass|
+#     at.extra_class_map[klass] = "test/test_misc.rb"
+#   end
+# end
+
+# Autotest.add_hook :run_command do |at|
+#   system "rake build"
+# end

data/.github/workflows/ci.yml

@@ -0,0 +1,81 @@
+name: CI
+
+on: [push, pull_request]
+
+jobs:
+  job_test_gem:
+    name: Test built gem
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - os: windows
+            ruby: "head"
+            PGVERSION: 15.1-1-windows-x64
+            PGVER: "15"
+          - os: windows
+            ruby: "2.4"
+            PGVERSION: 9.4.26-1-windows-x64
+            PGVER: "9.4"
+          - os: ubuntu
+            ruby: "head"
+            PGVER: "15"
+          - os: ubuntu
+            os_ver: "20.04"
+            ruby: "2.3"
+            PGVER: "9.3"
+          - os: macos
+            ruby: "head"
+            PGVERSION: 15.1-1-osx
+            PGVER: "15"
+
+    runs-on: ${{ matrix.os }}-${{ matrix.os_ver || 'latest' }}
+    env:
+      PGVERSION: ${{ matrix.PGVERSION }}
+      PGVER: ${{ matrix.PGVER }}
+
+    steps:
+      - uses: actions/checkout@v3
+      - name: Set up Ruby
+        uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: ${{ matrix.ruby }}
+
+      - name: Download PostgreSQL Windows
+        if: matrix.os == 'windows'
+        run: |
+          Add-Type -AssemblyName System.IO.Compression.FileSystem
+          function Unzip {
+              param([string]$zipfile, [string]$outpath)
+              [System.IO.Compression.ZipFile]::ExtractToDirectory($zipfile, $outpath)
+          }
+
+          $(new-object net.webclient).DownloadFile("http://get.enterprisedb.com/postgresql/postgresql-$env:PGVERSION-binaries.zip", "postgresql-binaries.zip")
+          Unzip "postgresql-binaries.zip" "."
+          echo "$pwd/pgsql/bin"  | Out-File -FilePath $env:GITHUB_PATH -Encoding utf8 -Append
+          echo "PGUSER=$env:USERNAME"  | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append
+          echo "PGPASSWORD="  | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append
+          md temp
+          icacls temp /grant "Everyone:(OI)(CI)F" /T
+
+      - name: Download PostgreSQL Ubuntu
+        if: matrix.os == 'ubuntu'
+        run: |
+          echo "deb http://apt.postgresql.org/pub/repos/apt/ $(lsb_release -cs)-pgdg main $PGVER" | sudo tee -a /etc/apt/sources.list.d/pgdg.list
+          wget --quiet -O - https://www.postgresql.org/media/keys/ACCC4CF8.asc | sudo apt-key add -
+          sudo apt-get -y update
+          sudo apt-get -y --allow-downgrades install postgresql-$PGVER libpq5=$PGVER* libpq-dev=$PGVER*
+          echo /usr/lib/postgresql/$PGVER/bin >> $GITHUB_PATH
+
+      - name: Download PostgreSQL Macos
+        if: matrix.os == 'macos'
+        run: |
+          wget https://get.enterprisedb.com/postgresql/postgresql-$PGVERSION-binaries.zip && \
+          sudo mkdir -p /Library/PostgreSQL && \
+          sudo unzip postgresql-$PGVERSION-binaries.zip -d /Library/PostgreSQL/$PGVER && \
+          echo /Library/PostgreSQL/$PGVER/bin >> $GITHUB_PATH
+
+      - run: bundle install
+
+      - name: Run specs
+        run: bundle exec rake test

data/.gitignore

@@ -0,0 +1,10 @@
+/.bundle/
+/.yardoc
+/_yardoc/
+/coverage/
+/doc/
+/pkg/
+/spec/reports/
+/tmp/
+/temp/
+Gemfile.lock

data/.travis.yml

@@ -0,0 +1,20 @@
+sudo: required
+dist: focal
+language: ruby
+rvm:
+  - "2.4.0"
+  - ruby-head
+env:
+  - "PGVERSION=14"
+  - "PGVERSION=9.6"
+before_install:
+  - gem install bundler --no-doc --conservative
+  - bundle install
+  # Download and install postgresql version to test against in /opt (for non-cross compile only)
+  - echo "deb http://apt.postgresql.org/pub/repos/apt/ ${TRAVIS_DIST}-pgdg main $PGVERSION" | sudo tee -a /etc/apt/sources.list.d/pgdg.list
+  - wget --quiet -O - https://www.postgresql.org/media/keys/ACCC4CF8.asc | sudo apt-key add -
+  - sudo apt -y update
+  - sudo apt -y --allow-downgrades install postgresql-$PGVERSION libpq-dev
+  - export PATH=/usr/lib/postgresql/$PGVERSION/bin:$PATH
+
+script: rake test

data/CHANGELOG.md

@@ -0,0 +1,45 @@
+## 0.5.0 / 2023-02-03
+
+* Add Kerberos and NTLM authentication support
+
+
+## 0.4.0 / 2022-12-02
+
+* Support groups with over 1500 users in Active Directory server. #32
+* Retrieve only necessary attributes from LDAP server.
+* Add error text to exception, so that it's visible even if nothing is logged.
+* Fix compatibility with PostgreSQL-15
+* Require ruby-2.3+
+
+
+## 0.3.0 / 2022-01-18
+
+* Add config option :bothcase_name .
+  This adds both spellings "Fred_Flintstone" and "fred_flintstone" as PostgreSQL users/groups.
+* Update gem dependencies
+* Fix compatibility with PostgreSQL-14
+* Require ruby-2.4+
+
+
+## 0.2.0 / 2018-03-13
+
+* Update gem dependencies
+* Fix compatibility to pg-1.0 gem
+* Add `pg_ldap_sync --version`
+* Fix compatibility with PostgreSQL-10
+* Don't abort on SQL errors, but print ERROR notice
+* Run sync within a SQL transaction, so that no partial sync happens
+* Lots of improvements to the test suite
+* Run automated tests on Travis-CI and Appveyor
+* Remove support for postgres-pr, since it's no longer maintained
+
+
+## 0.1.1 / 2012-11-15
+
+* Add ability to lowercase the LDAP name for use as PG role name
+
+
+## 0.1.0 / 2011-07-13
+
+* Birthday!
+

data/Gemfile

@@ -0,0 +1,8 @@
+source "http://rubygems.org"
+
+# Specify your gem's dependencies in pg_ldap_sync.gemspec
+gemspec
+
+group :development do
+  gem "debug"
+end

data/LICENSE.txt

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2018 Lars Kanis
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/Manifest.txt

@@ -0,0 +1,16 @@
+.autotest
+History.txt
+Manifest.txt
+README.rdoc
+Rakefile
+bin/pgls
+config/krb5-cfg.yml
+config/sample-config.yaml
+config/sample-config2.yaml
+config/schema.yaml
+lib/pgls.rb
+lib/pgls/application.rb
+test/fixtures/config-ldapdb.yaml
+test/fixtures/ldapdb.yaml
+test/ldap_server.rb
+test/test_pgls.rb

data/README.md

@@ -0,0 +1,93 @@
+# Использование разрешений LDAP в PostgreSQL
+
+* http://github.com/fruworg/pgls
+
+## Описание:
+
+LDAP часто используется для централизованного управления пользователями и ролями в корпоративной среде.
+PostgreSQL предлагает различные методы аутентификации, такие как LDAP, SSPI, GSSAPI или SSL.
+Однако при любом методе пользователь должен уже существовать в базе данных, прежде чем аутентификация может быть использована.
+В настоящее время не существует прямой авторизации пользователей базы данных по LDAP.
+Поэтому роли и членство приходится администрировать дважды.
+
+Данная программа позволяет решить эту проблему путем синхронизации пользователей, групп и их членства из LDAP в PostgreSQL.
+Доступ к LDAP используется только для чтения.
+Для синхронизации пользователей и групп `pgls` выдает соответствующие команды CREATE ROLE, DROP ROLE, GRANT и REVOKE.
+
+Она предназначена для запуска в качестве cron-задания.
+
+## Возможности:
+
+* Создание, удаление пользователей и групп, а также изменения в членстве синхронизируются из LDAP в PostgreSQL.
+* Поддерживаются вложенные группы/роли
+* Настраивается в конфигурационном файле YAML
+* Возможность использования Active Directory в качестве LDAP-сервера
+* Установка области видимости рассматриваемых пользователей/групп на стороне LDAP и PG
+* Тестовый режим, не вносящий никаких изменений в СУБД
+* Соединения между LDAP и PG могут быть защищены с помощью SSL/TLS
+* NTLM и Kerberos аутентификация на LDAP-сервере
+
+## Требования:
+
+* Ruby-2.0+
+* LDAP-v3-сервер
+* PostgreSQL-сервер v9.0+
+
+## Установка:
+
+Установить Ruby:
+
+* под Windows: http://rubyinstaller.org
+* на Debian/Ubuntu: `apt-get install ruby libpq-dev`.
+
+### Установка gem:
+```
+gem install pgls
+```
+
+### Установка из Git:
+```sh
+git clone https://github.com/fruworg/pgls.git
+cd pgls
+gem install bundler
+bundle install
+bundle exec rake install
+```
+
+## Использование:
+
+Создать файл конфигурации на основе
+[config/sample-config.yaml](https://github.com/fruworg/pgls/blob/master/config/sample-config.yaml)
+или еще лучше
+[config/sample-config2.yaml](https://github.com/fruworg/pgls/blob/master/config/sample-config2.yaml).
+
+Запустить в тестовом режиме:
+```sh
+  pgls -c my_config.yaml -vv -t
+```
+Запуск в режиме модификации:
+```sh
+  pgls -c my_config.yaml -vv
+```
+
+Рекомендуется не предоставлять права синхронизируемым пользователям на сервере PostgreSQL, а предоставлять права группам.
+Это связано с тем, что операторы `DROP USER`, вызываемые при уходе пользователя, в противном случае терпят неудачу из-за наличия зависимых объектов.
+Оператор `DROP GROUP` также не работает при наличии зависимых объектов, но группы, как правило, более стабильны и удаляются редко.
+
+
+## Тестирование:
+В каталоге `test` находится небольшой тестовый набор, который работает с внутренним LDAP-сервером и сервером PostgreSQL. Убедитесь, что команды `pg_ctl`, `initdb` и `psql` находятся в `PATH` следующим образом:
+```sh
+  cd pgls
+  установить пакет
+  PATH=$PATH:/usr/lib/postgresql/10/bin/ bundle exec rake test
+```
+
+## Проблемы:
+
+* В настоящее время нет возможности установить определенные атрибуты пользователя в PG на основе индивидуальных атрибутов в LDAP (срок действия и т.д.).
+
+
+## Лицензия
+
+Гем доступен с открытым исходным кодом на условиях [MIT License](https://opensource.org/licenses/MIT).

data/Rakefile

@@ -0,0 +1,13 @@
+# -*- ruby -*-
+require "bundler/gem_tasks"
+require "rake/testtask"
+
+CLEAN.include "temp"
+
+Rake::TestTask.new(:test) do |t|
+  t.libs << "test"
+  t.libs << "lib"
+  t.test_files = FileList["test/**/test_*.rb"]
+end
+
+task :gem => :build

data/appveyor.yml

@@ -0,0 +1,27 @@
+image: Visual Studio 2019
+
+init:
+  - set PATH=C:/Ruby%ruby_version%/bin;c:/Program Files/Git/cmd;c:/Windows/system32;C:/Windows/System32/WindowsPowerShell/v1.0
+  - set RUBYOPT=--verbose
+
+install:
+  - ver
+  - ruby --version
+  - gem --version
+  - gem install bundler --no-doc --conservative
+  - bundle install
+
+build_script:
+  - set PATH=C:/Program Files/PostgreSQL/%PGVER%/bin;%PATH%
+  - md temp
+  - icacls temp /grant Everyone:(OI)(CI)F /T
+
+test_script:
+  - bundle exec rake test
+
+environment:
+  matrix:
+    - ruby_version: "27-x64"
+      PGVER: 13
+    - ruby_version: "24"
+      PGVER: 10

data/config/krb5-cfg.yml

@@ -0,0 +1,35 @@
+ldap_connection:
+  host: <dc>
+  port: 636
+  auth:
+    method: :gssapi
+    hostname: <dc.doma.in>
+  encryption:
+    method: :simple_tls
+
+ldap_users:
+  base: DC=<doma>,DC=<in>
+  filter: CN=Users,DC=<doma>,DC=<in>
+  name_attribute: sAMAccountName
+  uppercase_name: true
+
+ldap_groups:
+  base: DC=<doma>,DC=<in>
+  filter: fruw.org
+  name_attribute: cn
+  uppercase_name: true
+  member_attribute: "memberuid"
+  
+pg_connection:
+  host: <db.doma.in>
+  dbname: postgres
+  user: <db-username>
+
+pg_users:
+  filter: oid IN (SELECT pam.member FROM pg_auth_members pam JOIN pg_roles pr ON pr.oid=pam.roleid WHERE pr.rolname='ldap_users')
+  create_options: LOGIN IN ROLE ldap_users
+
+pg_groups:
+  filter: oid IN (SELECT pam.member FROM pg_auth_members pam JOIN pg_roles pr ON pr.oid=pam.roleid WHERE pr.rolname='ldap_groups')
+  create_options: NOLOGIN IN ROLE ldap_groups
+  grant_options:

data/config/sample-config.yaml

@@ -0,0 +1,68 @@
+# With this sample config the distinction between PG groups and users is
+# done by the LOGIN/NOLOGIN attribute. Any non-superuser account
+# is considered as LDAP-synchronized.
+
+# Connection parameters to LDAP server
+# see also: http://net-ldap.rubyforge.org/Net/LDAP.html#method-c-new
+ldap_connection:
+  host: ldapserver
+  port: 389
+  auth:
+    method: :simple
+    username: CN=username,OU=!Serviceaccounts,OU=company,DC=company,DC=de
+    password: secret
+
+  # or GSSAPI / Kerberos authentication:
+  auth:
+    method: :gssapi
+    hostname: ldapserver.company.de
+    servicename: ldap # optional, defaults to "ldap"
+
+  # or GSS-SPNEGO / NTLM authentication
+  auth:
+    method: :gss_spnego
+    username: 'myuser'
+    password: 'secret'
+    domain: 'company.de' # optional
+
+# Search parameters for LDAP users which should be synchronized
+ldap_users:
+  base: OU=company,OU=company,DC=company,DC=de
+  # LDAP filter (according to RFC 2254)
+  # defines to users in LDAP to be synchronized
+  filter: (&(objectClass=person)(objectClass=organizationalPerson)(givenName=*)(sn=*))
+  # this attribute is used as PG role name
+  name_attribute: sAMAccountName
+
+# Search parameters for LDAP groups which should be synchronized
+ldap_groups:
+  base: OU=company,OU=company,DC=company,DC=de
+  filter: (|(cn=group1)(cn=group2)(cn=group3))
+  # this attribute is used as PG role name
+  name_attribute: cn
+  # this attribute must reference to all member DN's of the given group
+  member_attribute: member
+
+# Connection parameters to PostgreSQL server
+# see also: http://rubydoc.info/gems/pg/PG/Connection#initialize-instance_method
+pg_connection:
+  host:
+  dbname: postgres
+  user: db-username
+  password:
+
+pg_users:
+  # Filter for identifying LDAP generated users in the database.
+  # It's the WHERE-condition to "SELECT rolname, oid FROM pg_roles"
+  filter: rolcanlogin AND NOT rolsuper
+  # Options for CREATE RULE statements
+  create_options: LOGIN
+
+pg_groups:
+  # Filter for identifying LDAP generated groups in the database.
+  # It's the WHERE-condition to "SELECT rolname, oid FROM pg_roles"
+  filter: NOT rolcanlogin AND NOT rolsuper
+  # Options for CREATE RULE statements
+  create_options: NOLOGIN
+  # Options for GRANT <role> TO <group> statements
+  grant_options:

data/config/sample-config2.yaml

@@ -0,0 +1,76 @@
+# With this sample config the distinction between LDAP-synchronized
+# groups/users from manually created PostgreSQL users is done by the
+# membership in ldap_user and ldap_group.
+# These two roles have to be defined manally before pg_ldap_sync can
+# run and all synchronized users/groups will become member of them
+# later on:
+#     CREATE GROUP ldap_groups;
+#     CREATE USER ldap_users;
+#
+
+# Connection parameters to LDAP server
+# see also: http://net-ldap.rubyforge.org/Net/LDAP.html#method-c-new
+ldap_connection:
+  host: ldapserver
+  port: 636
+  auth:
+    method: :simple
+    username: CN=username,OU=!Serviceaccounts,OU=company,DC=company,DC=de
+    password: secret
+  encryption:
+    method: :simple_tls
+
+# Search parameters for LDAP users which should be synchronized
+ldap_users:
+  base: OU=company,DC=company,DC=prod
+  # LDAP filter (according to RFC 2254)
+  # defines to users in LDAP to be synchronized
+  filter: (&(objectClass=person)(objectClass=organizationalPerson)(givenName=*)(sn=*)(sAMAccountName=*))
+  # this attribute is used as PG role name
+  name_attribute: sAMAccountName
+  # lowercase name for use as PG role name
+  lowercase_name: true
+  # uppercase name for use as PG role name
+  uppercase_name: false
+  # Add lowercase name *and* original name for use as PG role names (useful for migrating between case types)
+  bothcase_name: false
+
+# Search parameters for LDAP groups which should be synchronized
+ldap_groups:
+  base: OU=company,DC=company,DC=prod
+  filter: (cn=company.*)
+  # this attribute is used as PG role name
+  name_attribute: cn
+  # lowercase name for use as PG role name
+  lowercase_name: false
+  # uppercase name for use as PG role name
+  uppercase_name: false
+  # this attribute must reference to all member DN's of the given group
+  member_attribute: "memberuid"
+  # True if use Astra Linux Domain
+  ald_domain: true
+  
+
+# Connection parameters to PostgreSQL server
+# see also: http://rubydoc.info/gems/pg/PG/Connection#initialize-instance_method
+pg_connection:
+  host:
+  dbname: postgres
+  user:
+  password:
+
+pg_users:
+  # Filter for identifying LDAP generated users in the database.
+  # It's the WHERE-condition to "SELECT rolname, oid FROM pg_roles"
+  filter: oid IN (SELECT pam.member FROM pg_auth_members pam JOIN pg_roles pr ON pr.oid=pam.roleid WHERE pr.rolname='ldap_users')
+  # Options for CREATE RULE statements
+  create_options: LOGIN IN ROLE ldap_users
+
+pg_groups:
+  # Filter for identifying LDAP generated groups in the database.
+  # It's the WHERE-condition to "SELECT rolname, oid FROM pg_roles"
+  filter: oid IN (SELECT pam.member FROM pg_auth_members pam JOIN pg_roles pr ON pr.oid=pam.roleid WHERE pr.rolname='ldap_groups')
+  # Options for CREATE RULE statements
+  create_options: NOLOGIN IN ROLE ldap_groups
+  # Options for GRANT <role> TO <group> statements
+  grant_options:

data/config/schema.yaml

@@ -0,0 +1,83 @@
+type:       map
+mapping:
+  "ldap_connection":
+    type:      any
+    required:  yes
+
+  "ldap_users":
+    type: map
+    required: yes
+    mapping:
+      "base":
+        type: str
+        required:  yes
+      "filter":
+        type: str
+        required:  yes
+      "name_attribute":
+        type: str
+        required:  yes
+      "lowercase_name":
+        type: bool
+        required:  no
+      "bothcase_name":
+        type: bool
+        required:  no
+      "uppercase_name":
+        type: bool
+        required: no
+
+  "ldap_groups":
+    type: map
+    required: yes
+    mapping:
+      "base":
+        type: str
+        required:  yes
+      "filter":
+        type: str
+        required:  yes
+      "name_attribute":
+        type: str
+        required:  yes
+      "lowercase_name":
+        type: bool
+        required:  no
+      "bothcase_name":
+        type: bool
+        required:  no
+      "uppercase_name":
+        type: bool
+        required: no
+      "member_attribute":
+        type: str
+        required:  yes
+      "ald_domain":
+        type: bool
+        required: no
+
+  "pg_connection":
+    type:      any
+    required:  yes
+
+  "pg_users":
+    type: map
+    required: yes
+    mapping:
+      "filter":
+        type: str
+        required:  yes
+      "create_options":
+        type: str
+
+  "pg_groups":
+    type: map
+    required: yes
+    mapping:
+      "filter":
+        type: str
+        required:  yes
+      "create_options":
+        type: str
+      "grant_options":
+        type: str

data/exe/pgls

@@ -0,0 +1,9 @@
+#!/usr/bin/env ruby
+
+require 'pgls'
+
+begin
+  PgLdapSync::Application.run(ARGV)
+rescue PgLdapSync::ApplicationExit => ex
+  exit ex.exitcode
+end