-
Notifications
You must be signed in to change notification settings - Fork 3
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
9 changed files
with
289 additions
and
11 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,15 @@ | ||
| <jdbcroleservice> | ||
| <id>-6e75d003:18c584ed8f6:-7fee</id> | ||
| <name>layman_role_service</name> | ||
| <className>org.geoserver.security.jdbc.JDBCRoleService</className> | ||
| <propertyFileNameDDL>rolesddl.xml</propertyFileNameDDL> | ||
| <propertyFileNameDML>rolesdml.xml</propertyFileNameDML> | ||
| <jndi>false</jndi> | ||
| <driverClassName>org.postgresql.Driver</driverClassName> | ||
| <connectURL>xxx</connectURL> | ||
| <userName>xxx</userName> | ||
| <password>xxx</password> | ||
| <creatingTables>false</creatingTables> | ||
| <adminRoleName>ADMIN</adminRoleName> | ||
| <groupAdminRoleName>GROUP_ADMIN</groupAdminRoleName> | ||
| </jdbcroleservice> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,33 @@ | ||
| <?xml version="1.0" encoding="UTF-8"?> | ||
| <!DOCTYPE properties SYSTEM "http://java.sun.com/dtd/properties.dtd"> | ||
| <properties> | ||
| <comment>DDL statements for role database</comment> | ||
| <entry key="check.table">role_props</entry> | ||
| <entry key="roles.create"> | ||
| create table _role_service.roles(name varchar(64) not null,parent varchar(64), primary key(name)) | ||
| </entry> | ||
| <entry key="roleprops.create"> | ||
| create table _role_service.role_props(rolename varchar(64) not null,propname varchar(64) not null, propvalue varchar(2048),primary key (rolename,propname)) | ||
| </entry> | ||
|
|
||
| <entry key="userroles.create"> | ||
| create table _role_service.user_roles(username varchar(128) not null, rolename varchar(64) not null, primary key(username,rolename)) | ||
| </entry> | ||
| <entry key="userroles.indexcreate"> | ||
| create index _role_service.user_roles_idx on user_roles(rolename,username) | ||
| </entry> | ||
| <entry key="grouproles.create"> | ||
| create table _role_service.group_roles(groupname varchar(128) not null, rolename varchar(64) not null, primary key(groupname,rolename)) | ||
| </entry> | ||
| <entry key="grouproles.indexcreate"> | ||
| create index group_roles_idx on _role_service.group_roles(rolename,groupname) | ||
| </entry> | ||
|
|
||
|
|
||
|
|
||
| <entry key="roles.drop">drop table _role_service.roles</entry> | ||
| <entry key="roleprops.drop">drop table _role_service.role_props</entry> | ||
| <entry key="userroles.drop">drop table _role_service.user_roles</entry> | ||
| <entry key="grouproles.drop">drop table _role_service.group_roles</entry> | ||
|
|
||
| </properties> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,106 @@ | ||
| <?xml version="1.0" encoding="UTF-8"?> | ||
| <!DOCTYPE properties SYSTEM "http://java.sun.com/dtd/properties.dtd"> | ||
| <properties> | ||
| <comment>DML statements for role database</comment> | ||
|
|
||
| <entry key="roles.count"> | ||
| select count(*) from _role_service.roles | ||
| </entry> | ||
| <entry key="roles.all"> | ||
| select name,parent from _role_service.roles | ||
| </entry> | ||
| <entry key="roles.keyed"> | ||
| select parent from _role_service.roles where name = ? | ||
| </entry> | ||
| <entry key="roles.insert"> | ||
| insert into _role_service.roles (name) values (?) | ||
| </entry> | ||
| <!-- nothing to update at the moment, use dummy statement --> | ||
| <entry key="roles.update"> | ||
| update _role_service.roles set name=name where name = ? | ||
| </entry> | ||
| <entry key="roles.parentUpdate"> | ||
| update _role_service.roles set parent = ? where name = ? | ||
| </entry> | ||
| <entry key="roles.deleteParent"> | ||
| update _role_service.roles set parent = null where parent = ? | ||
| </entry> | ||
| <entry key="roles.delete"> | ||
| delete from _role_service.roles where name = ? | ||
| </entry> | ||
| <entry key="roles.deleteAll"> | ||
| delete from _role_service.roles | ||
| </entry> | ||
|
|
||
|
|
||
| <entry key="roleprops.all"> | ||
| select rolename,propname,propvalue from _role_service.role_props | ||
| </entry> | ||
| <entry key="roleprops.selectForRole"> | ||
| select propname,propvalue from _role_service.role_props where rolename = ? | ||
| </entry> | ||
| <entry key="roleprops.selectForUser"> | ||
| select p.rolename,p.propname,p.propvalue from _role_service.role_props p,_role_service.user_roles u where u.rolename = p.rolename and u.username = ? | ||
| </entry> | ||
| <entry key="roleprops.selectForGroup"> | ||
| select p.rolename,p.propname,p.propvalue from _role_service.role_props p,_role_service.group_roles g where g.rolename = p.rolename and g.groupname = ? | ||
| </entry> | ||
| <entry key="roleprops.deleteForRole"> | ||
| delete from _role_service.role_props where rolename=? | ||
| </entry> | ||
| <entry key="roleprops.insert"> | ||
| insert into _role_service.role_props(rolename,propname,propvalue) values (?,?,?) | ||
| </entry> | ||
| <entry key="roleprops.deleteAll"> | ||
| delete from _role_service.role_props | ||
| </entry> | ||
|
|
||
|
|
||
| <entry key="userroles.rolesForUser"> | ||
| select u.rolename,r.parent from _role_service.user_roles u ,_role_service.roles r where r.name=u.rolename and u.username = ? | ||
| </entry> | ||
| <entry key="userroles.usersForRole"> | ||
| select username from _role_service.user_roles where rolename = ? | ||
| </entry> | ||
| <entry key="userroles.insert"> | ||
| insert into _role_service.user_roles(rolename,username) values (?,?) | ||
| </entry> | ||
| <entry key="userroles.delete"> | ||
| delete from _role_service.user_roles where rolename=? and username = ? | ||
| </entry> | ||
| <entry key="userroles.deleteRole"> | ||
| delete from _role_service.user_roles where rolename=? | ||
| </entry> | ||
| <entry key="userroles.deleteUser"> | ||
| delete from _role_service.user_roles where username = ? | ||
| </entry> | ||
| <entry key="userroles.deleteAll"> | ||
| delete from _role_service.user_roles | ||
| </entry> | ||
|
|
||
|
|
||
|
|
||
| <entry key="grouproles.rolesForGroup"> | ||
| select g.rolename,r.parent from _role_service.group_roles g,r_role_service.oles r where g.rolename = r.name and g.groupname = ? | ||
| </entry> | ||
| <entry key="grouproles.groupsForRole"> | ||
| select groupname from _role_service.group_roles where rolename = ? | ||
| </entry> | ||
| <entry key="grouproles.insert"> | ||
| insert into _role_service.group_roles(rolename,groupname) values (?,?) | ||
| </entry> | ||
| <entry key="grouproles.delete"> | ||
| delete from _role_service.group_roles where rolename=? and groupname = ? | ||
| </entry> | ||
| <entry key="grouproles.deleteRole"> | ||
| delete from _role_service.group_roles where rolename=? | ||
| </entry> | ||
| <entry key="grouproles.deleteGroup"> | ||
| delete from _role_service.group_roles where groupname = ? | ||
| </entry> | ||
| <entry key="grouproles.deleteAll"> | ||
| delete from _role_service.group_roles | ||
| </entry> | ||
|
|
||
|
|
||
| </properties> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,97 @@ | ||
| from distutils.dir_util import copy_tree | ||
| import logging | ||
| import os | ||
| import shutil | ||
| import sys | ||
| import time | ||
| from urllib.parse import urlparse | ||
| from lxml import etree as ET | ||
|
|
||
| from db import util as db_util | ||
| from requests_util import url_util | ||
| from . import authn | ||
|
|
||
| logger = logging.getLogger(__name__) | ||
| logging.basicConfig(stream=sys.stdout, level=logging.DEBUG) | ||
|
|
||
|
|
||
| ROLE_SERVICE_PATH = 'security/role/' | ||
| DIRECTORY = os.path.dirname(os.path.abspath(__file__)) | ||
|
|
||
|
|
||
| def wait_for_db(conn_dict): | ||
| max_attempts = 10 | ||
| attempt = 0 | ||
|
|
||
| while True: | ||
| import psycopg2 | ||
| try: | ||
| with psycopg2.connect(**conn_dict): | ||
| pass | ||
| logger.info(f" Attempt {attempt}/{max_attempts} successful.") | ||
| break | ||
| except psycopg2.OperationalError: | ||
| if attempt >= max_attempts: | ||
| logger.info(f" Reaching max attempts when waiting for DB") | ||
| sys.exit(1) | ||
| time.sleep(2) | ||
| attempt += 1 | ||
|
|
||
|
|
||
| def setup_role_service(data_dir, db_conn, uri_str, internal_service_schema, layman_pg_user, layman_gs_user, layman_gs_role, service_url, role_service_name): | ||
| logger.info(f"Ensuring GeoServer DB role service '{role_service_name}' " | ||
| f"for URL: {service_url}.") | ||
|
|
||
| logger.info(f" Waiting for DB") | ||
| wait_for_db(db_conn) | ||
|
|
||
| logger.info(f" Checking internal role service DB schema") | ||
| schema_query = f'''SELECT COUNT(*) FROM information_schema.schemata WHERE schema_name = '{internal_service_schema}';''' | ||
| schema_exists = db_util.run_query(schema_query, uri_str=uri_str)[0][0] | ||
| if schema_exists == 0: | ||
| logger.info(f" Setting up internal role service DB schema") | ||
| statement = f""" | ||
| CREATE SCHEMA "{internal_service_schema}" AUTHORIZATION {layman_pg_user}; | ||
| create view {internal_service_schema}.roles as select 'ADMIN' as name, null as parent | ||
| union all select 'GROUP_ADMIN', null | ||
| union all select 'LAYMAN_ROLE', null | ||
| ; | ||
| create view {internal_service_schema}.role_props as select null::varchar as rolename, null::varchar as propname, null::varchar as propvalue; | ||
| create view {internal_service_schema}.user_roles as select 'layman' as username, 'ADMIN' as rolename | ||
| union all select 'layman', 'LAYMAN_ROLE' | ||
| union all select 'admin', 'ADMIN' | ||
| ; | ||
| create view {internal_service_schema}.group_roles as select null::varchar as groupname, null::varchar as rolename; | ||
| """ | ||
| db_util.run_statement(statement, uri_str=uri_str) | ||
|
|
||
| logger.info(f" Setting up files") | ||
| role_service_path = os.path.join(data_dir, ROLE_SERVICE_PATH) | ||
| layman_role_service_path = os.path.join(role_service_path, role_service_name) | ||
| if os.path.exists(layman_role_service_path): | ||
| shutil.rmtree(layman_role_service_path) | ||
| source_path = os.path.join(DIRECTORY, role_service_name) | ||
| os.mkdir(layman_role_service_path) | ||
| copy_tree(source_path, layman_role_service_path) | ||
|
|
||
| role_service_config_path = os.path.join(layman_role_service_path, 'config.xml') | ||
| role_service_xml = ET.parse(role_service_config_path) | ||
|
|
||
| parsed_url = urlparse(service_url) | ||
|
|
||
| element = role_service_xml.find('userName') | ||
| element.text = parsed_url.username | ||
|
|
||
| element = role_service_xml.find('password') | ||
| element.text = parsed_url.password | ||
|
|
||
| element = role_service_xml.find('connectURL') | ||
| element.text = f'jdbc:{url_util.redact_uri(service_url, remove_username=True)}' | ||
|
|
||
| role_service_xml.write(role_service_config_path) | ||
|
|
||
| security_xml = authn.get_security(data_dir) | ||
| element = security_xml.find('roleServiceName') | ||
| element.text = role_service_name | ||
| security_path = os.path.join(data_dir, 'security/config.xml') | ||
| security_xml.write(security_path) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.