From c59c2736af9c32c1b543fa12a307892821198eed Mon Sep 17 00:00:00 2001
From: index-git
Date: Tue, 5 Dec 2023 11:03:40 +0100
Subject: [PATCH] Create and use LAYMAN_ROLE_SERVICE_URI env

---
 .env.demo | 1 +
 .env.dev | 1 +
 .env.test | 1 +
 CHANGELOG.md | 1 +
 doc/env-settings.md | 3 +++
 src/layman/authz/role_service.py | 4 ++--
 src/layman_settings.py | 7 ++++++-
 7 files changed, 15 insertions(+), 3 deletions(-)

diff --git a/.env.demo b/.env.demo
index 34f0e7951..af5d8fee0 100644
--- a/.env.demo
+++ b/.env.demo
@@ -16,6 +16,7 @@ LAYMAN_AUTHN_MODULES=layman.authn.http_header
 LAYMAN_AUTHN_HTTP_HEADER_NAME=a0468616f9968eaecdc3377988aba650
 GRANT_CREATE_PUBLIC_WORKSPACE=EVERYONE
 GRANT_PUBLISH_IN_PUBLIC_WORKSPACE=EVERYONE
+LAYMAN_ROLE_SERVICE_URI=postgresql://docker:docker@postgresql:5432/layman_test?schema=_role_service
 
 # connection parameters to PostgreSQL database
 LAYMAN_PG_HOST=postgresql
diff --git a/.env.dev b/.env.dev
index 6b54684a2..200880373 100644
--- a/.env.dev
+++ b/.env.dev
@@ -16,6 +16,7 @@ LAYMAN_AUTHN_MODULES=layman.authn.oauth2,layman.authn.http_header
 LAYMAN_AUTHN_HTTP_HEADER_NAME=a0468616f9968eaecdc3377988aba650
 GRANT_CREATE_PUBLIC_WORKSPACE=EVERYONE
 GRANT_PUBLISH_IN_PUBLIC_WORKSPACE=EVERYONE
+LAYMAN_ROLE_SERVICE_URI=postgresql://docker:docker@postgresql:5432/layman_test?schema=_role_service
 
 # connection parameters to PostgreSQL database
 LAYMAN_PG_HOST=postgresql
diff --git a/.env.test b/.env.test
index 87414b6c8..94615adc2 100644
--- a/.env.test
+++ b/.env.test
@@ -16,6 +16,7 @@ LAYMAN_AUTHN_MODULES=layman.authn.http_header
 LAYMAN_AUTHN_HTTP_HEADER_NAME=a0468616f9968eaecdc3377988aba650
 GRANT_CREATE_PUBLIC_WORKSPACE=EVERYONE
 GRANT_PUBLISH_IN_PUBLIC_WORKSPACE=EVERYONE
+LAYMAN_ROLE_SERVICE_URI=postgresql://docker:docker@postgresql:5432/layman_test?schema=_role_service
 
 # connection parameters to PostgreSQL database
 LAYMAN_PG_HOST=postgresql
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 335ad8c7d..8bde90c7d 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
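Review bot: The value added to .env.demo, .env.dev and .env.test hard-codes the credentials, host and database (`docker:docker@postgresql:5432/layman_test`) that these files already configure through `LAYMAN_PG_*` (the doc hunk in this same patch tells operators to compose the URI from exactly those variables), so the two now have to be kept in sync by hand, and `.env.demo` and `.env.dev` pointing at `layman_test` looks copied from the test file. If `LAYMAN_PG_DBNAME` in those two files is not `layman_test` (it is outside the hunk), the internal Role Service would be queried in a different database than the one Layman's own tables live in. Consider verifying the database name in .env.demo and .env.dev and adding a comment above the new line in each file, `# internal Role Service: must match the LAYMAN_PG_* values below unless an external Role Service is used`.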
@@ -8,6 +8,7 @@ LAYMAN_CLIENT_VERSION=v1.17.1 ``` It was already required in v1.22.2. +- Set new environment variable [LAYMAN_ROLE_SERVICE_URI](doc/env-settings.md#LAYMAN_ROLE_SERVICE_URI) ### Migrations and checks #### Schema migrations - [#165](https://github.com/LayerManager/layman/issues/165) Add column `role_name` to table `rights` in prime DB schema. Add constraint that exactly one of columns `role_name` and `id_user` is not null.
diff --git a/doc/env-settings.md b/doc/env-settings.md
index b47fc6f8d..cc49dc551 100644
--- a/doc/env-settings.md
+++ b/doc/env-settings.md
@@ -99,6 +99,9 @@ List of [users](models.md#user) and [roles](models.md#role) giving them permissi ### GRANT_PUBLISH_IN_PUBLIC_WORKSPACE List of [users](models.md#user) and [roles](models.md#role) giving them permission to publish new [publication](models.md#publication) in already created [public workspace](models.md#public-workspace). +### LAYMAN_ROLE_SERVICE_URI +URL of Role Service with schema in format `postgresql://:@:/?schema=`. If you want to use internal Role Service, set it to `postgresql://{LAYMAN_PG_USER}:{LAYMAN_PG_PASSWORD}@{LAYMAN_PG_HOST}:{LAYMAN_PG_PORT}/{LAYMAN_PG_DBNAME}?schema=_role_service`. + ## Layman Test Client Settings ### LTC_BASEPATH
diff --git a/src/layman/authz/role_service.py b/src/layman/authz/role_service.py
index 10bd6709d..218f43769 100644
--- a/src/layman/authz/role_service.py
+++ b/src/layman/authz/role_service.py
@@ -27,11 +27,11 @@ def ensure_admin_roles(): def get_user_roles(username): query = f""" -select rolename from {ROLE_SERVICE_SCHEMA}.user_roles +select rolename from {settings.LAYMAN_ROLE_SERVICE_SCHEMA}.user_roles where username = %s and rolename not in (%s, %s, %s) and LEFT(rolename, 5) != 'USER_' and rolename ~ %s """ - roles = db_util.run_query(query, (username, 'ADMIN', 'GROUP_ADMIN', settings.LAYMAN_GS_ROLE, ROLE_NAME_PATTERN)) + roles = db_util.run_query(query, (username, 'ADMIN', 'GROUP_ADMIN', settings.LAYMAN_GS_ROLE, ROLE_NAME_PATTERN), uri_str=settings.LAYMAN_ROLE_SERVICE_URI) return {role[0] for role in roles}
diff --git a/src/layman_settings.py b/src/layman_settings.py
index 8162520c5..512c87a59 100644
--- a/src/layman_settings.py
+++ b/src/layman_settings.py
@@ -1,6 +1,6 @@
 import os
 import re
-from urllib.parse import urljoin, urlparse
+from urllib.parse import urljoin, urlparse, parse_qs
 from enum import Enum
 
 import redis
@@ -226,6 +226,11 @@ class EnumWfsWmsStatus(Enum): if RIGHTS_EVERYONE_ROLE not in GRANT_PUBLISH_IN_PUBLIC_WORKSPACE: assert not GRANT_CREATE_PUBLIC_WORKSPACE.difference(GRANT_PUBLISH_IN_PUBLIC_WORKSPACE) +# Name of schema, where Layman maintains internal GS JDBC Role Service. +LAYMAN_INTERNAL_ROLE_SERVICE_SCHEMA = '_role_service' +LAYMAN_ROLE_SERVICE_URI = os.environ['LAYMAN_ROLE_SERVICE_URI'] +LAYMAN_ROLE_SERVICE_SCHEMA = parse_qs(urlparse(LAYMAN_ROLE_SERVICE_URI).query).pop('schema', [None])[0] + # UPLOAD_MAX_INACTIVITY_TIME = 10 # 10 seconds UPLOAD_MAX_INACTIVITY_TIME = 5 * 60 # 5 minutes
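Review bot: The schema name interpolated on the `+select rolename from {settings.LAYMAN_ROLE_SERVICE_SCHEMA}.user_roles` line can be `None`, because the layman_settings hunk derives it with `.pop('schema', [None])[0]`, so a `LAYMAN_ROLE_SERVICE_URI` without a `?schema=` parameter yields the statement `select rolename from None.user_roles` and fails inside the authorization path on the first request instead of at startup. It is also an unquoted SQL identifier taken from configuration, so it should be validated once at settings load time (or quoted through an identifier-quoting helper if `db_util` offers one) rather than trusted here. The hunk header names `ensure_admin_roles()`; if it or other queries in this module still use the module-level `ROLE_SERVICE_SCHEMA` and the default connection (not visible in this hunk), they now target a different schema or database than `get_user_roles`. A docstring would also help, e.g. `"""Return the set of role names of *username* read from the Role Service database at LAYMAN_ROLE_SERVICE_URI, excluding ADMIN, GROUP_ADMIN, LAYMAN_GS_ROLE and USER_* roles and keeping only names matching ROLE_NAME_PATTERN."""`.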
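Review bot: `LAYMAN_ROLE_SERVICE_SCHEMA` silently becomes `None` when the URI carries no `schema` query parameter, and whatever value it does carry is later used as an unquoted SQL identifier (the role_service.py hunk interpolates it into an f-string), yet nothing in this hunk checks it; since this module already validates settings with `assert` a few lines above and imports `re`, the derivation could read `LAYMAN_ROLE_SERVICE_SCHEMA = parse_qs(urlparse(LAYMAN_ROLE_SERVICE_URI).query).get('schema', [None])[0]` followed by `assert LAYMAN_ROLE_SERVICE_SCHEMA and re.fullmatch(r'[A-Za-z_][A-Za-z0-9_]*', LAYMAN_ROLE_SERVICE_SCHEMA), 'LAYMAN_ROLE_SERVICE_URI must contain a ?schema=<name> parameter'`, so a malformed URI fails at import time with a clear message (`.get` also avoids `.pop` mutating a throwaway dict). The URI embeds the database password and is handed to `db_util.run_query(uri_str=...)` on every call; if that helper includes the URI in log or exception messages (not visible here), the password would end up in logs, which is worth checking. `LAYMAN_INTERNAL_ROLE_SERVICE_SCHEMA` is defined but nothing in this patch reads it, and it is the only one of the three new names with a comment; a line such as `# Connection URI of the GS JDBC Role Service database; its ?schema= query parameter selects the schema` above the other two would document the contract.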