Add ldap group authentication (#27)
- Fix #16
- Update nginx and git role
- Update molecule files
loraine-gueguen authored Aug 2, 2024
1 parent 1954af6 commit 3587400
Showing 9 changed files with 44 additions and 29 deletions.
8 changes: 4 additions & 4 deletions .github/workflows/ci.yml
Expand Up @@ -17,12 +17,12 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Check out the codebase.
uses: actions/checkout@v2
uses: actions/checkout@v4
with:
path: 'abims_sbr.sequenceserver'

- name: Set up Python 3
uses: actions/setup-python@v2
uses: actions/setup-python@v5
with:
python-version: '3.x'

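Review bot: `actions/checkout@v4` and `actions/setup-python@v5` are still floating major tags, so the job runs whatever commit those tags point to at run time; for supply-chain hygiene pin each action to a full commit SHA with the tag in a trailing comment (e.g. `uses: actions/checkout@<sha> # v4`) and let Dependabot or Renovate move the pin. The bump away from the `v2` tags is needed regardless, since those run on a Node runtime GitHub has deprecated.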
Expand All @@ -44,12 +44,12 @@ jobs:

steps:
- name: Check out the codebase.
uses: actions/checkout@v2
uses: actions/checkout@v4
with:
path: 'abims_sbr.sequenceserver'

- name: Set up Python 3
uses: actions/setup-python@v2
uses: actions/setup-python@v5
with:
python-version: '3.x'

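Review bot: same point as the first hunk, prefer a full commit SHA over the `v4`/`v5` tags. Both jobs also repeat the identical checkout and setup-python steps; a composite action or a shared setup job would keep the pins in one place so the two jobs cannot drift apart.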
7 changes: 4 additions & 3 deletions README.md
Expand Up @@ -52,11 +52,12 @@ Each database is defined as a dictionary of the following parameters:
- `path` Absolute path to the directory where one or multiple formatted databases are located
- `users` Optional. Useful if the database needs restricted access. List of authorized users (LDAP "uid").
- `ldap_businesscategory` Optional. Useful if the database needs restricted access. A ldap businessCategory value. LDAP users with this "businessCategory" value will have access to the database.
- `group` Optional. Useful if the database needs restricted access. An LDAP group ("gid"). LDAP users who are member of this group will have access to the database.
- `web_page_title` Optional. The title displayed at the top of the web page. If not provided, the default title is "BLAST server for `name`".
- `placeholders` Optional. A list of placeholder dictionaries `{key: 'key_item', value: 'value_item'}` that are used to customize top or bottom supplementary HTML code (see `sequenceserver_top_web_page_html_path` and `sequenceserver_bottom_web_page_html_path`). For example `placeholders: [{key: 'key1', value: 'value1'}, {key: 'key2', value: 'value2'}]`.
Unique `name` and `port` are mandatory for each database.
`users` and `ldap_businesscategory` are optional and can be used to add an authentication layer with the nginx-auth-ldap module. It is planned to add a `groups` parameter soon to list authorized groups.
`users`, `ldap_businesscategory` and `group` are optional and can be used to add an authentication layer with the nginx-auth-ldap module. Choose one single authentication mode for each database.
The BLAST server title can be customized with the `web_page_title` parameter. If not provided, the default title is "BLAST server for `name`".
SequenceServer logs are stored in `/var/log/sequenceserver/sequenceserver.log`.
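Review bot: the new `group` line calls the value an LDAP group "gid", but the template in this same commit renders `require group cn={{ item.group }},ou=projects,...`, so the value is the group's `cn`, not a numeric gidNumber; say "the group cn" here or an operator will put a gidNumber in and every request to that database will be denied. "Choose one single authentication mode for each database" should also say what happens when more than one key is set: the template's `if group / elif ldap_businesscategory / elif users` chain means `group` silently wins over `ldap_businesscategory`, which wins over `users`, and nothing in the role fails or warns. Before this commit `users` and `ldap_businesscategory` were OR'ed into one filter, so an inventory that sets both now loses its `users` entries; that behaviour change belongs in the README.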
Expand Down Expand Up @@ -101,12 +102,12 @@ Variable to define the user running the sequenceserver service and submitting th
```yaml
# proxy_read_timeout (nginx directive)
sequenceserver_proxy_read_timeout: 180
# Authentication with LDAP - Mandatory if users, groups or ldap_businesscategory are used in variable sequenceserver_blast_db
# Authentication with LDAP - Mandatory if users or groups are used in variable sequenceserver_blast_db
# Sequenceserver_ldap_url: "ldap://ldap.my-domain.org/o=my-domain,c=org?uid?sub?"
sequenceserver_ldap_url: ""
```
Variables to configure the NGINX reverse-proxy.
`sequenceserver_ldap_url` must be set if one of the database has restricted access (use of parameter `users`, `groups` or `ldap_businesscategory` in `sequenceserver_blast_db`).
`sequenceserver_ldap_url` must be set if one of the database has restricted access (use of parameter `users` or `group` in `sequenceserver_blast_db`).

## Dependencies

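Review bot: the comment `# Authentication with LDAP - Mandatory if users or groups are used in variable sequenceserver_blast_db` and the sentence `(use of parameter \`users\` or \`group\` in \`sequenceserver_blast_db\`)` both drop `ldap_businesscategory`, which the template still supports and which still needs `sequenceserver_ldap_url`; the comment also says `groups` while the parameter is `group`. Keep all three names in both places: "Mandatory if users, group or ldap_businesscategory are used".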
4 changes: 2 additions & 2 deletions defaults/main.yml
Expand Up @@ -12,7 +12,7 @@ sequenceserver_version: 2.0.0
# port: A unique unused port
# path: Path to the formatted database
# users: Optional. Useful if the database needs restricted access. List of authorized users (ldap uid).
# groups: TODO. Optional. Useful if the database needs restricted access. List of authorized groups.
# group: Optional. Useful if the database needs restricted access. Authorized group (ldap gid).
# ldap_businesscategory: Optional. Useful if the database needs restricted access. A ldap businessCategory value. Ldap users with this businessCategory value will have access to the database.

Lint warning (GitHub Actions / Lint) on line 16 of defaults/main.yml: 16:161 [line-length] line too long (191 > 160 characters)
# web_page_title: Optional. The title displayed at the top of the web page. If not provided, the default title is "BLAST server for <name>".
# placeholders: Optional. A list of placeholder dictionaries `{key: 'key_item', value: 'value_item'}` that are used to customize top or bottom supplementary HTML code (`sequenceserver_top_web_page_html_path` and `sequenceserver_bottom_web_page_html_path`)

Lint warning (GitHub Actions / Lint) on line 18 of defaults/main.yml: 18:161 [line-length] line too long (255 > 160 characters)
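Review bot: `# group: ... Authorized group (ldap gid).` should read "group cn" to match `require group cn={{ item.group }}` in the template; "gid" invites a gidNumber, which will never match. The two line-length lint warnings (lines 16 and 18 over 160 characters) are on unchanged `ldap_businesscategory` and `placeholders` comment lines, but since this hunk already edits the block, wrapping each of them onto two comment lines would clear the Lint job.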
Expand Down Expand Up @@ -63,6 +63,6 @@ sequenceserver_user: "sequenceserver"
#
# proxy_read_timeout (nginx directive)
sequenceserver_proxy_read_timeout: 180
# Authentication with LDAP - Mandatory if users, groups or ldap_businesscategory are used in variable sequenceserver_blast_db
# Authentication with LDAP - Mandatory if users or groups are used in variable sequenceserver_blast_db
# Sequenceserver_ldap_url: "ldap://ldap.my-domain.org/o=my-domain,c=org?uid?sub?"
sequenceserver_ldap_url: ""
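Review bot: as in the README, `Mandatory if users or groups are used` should be `users, group or ldap_businesscategory`: the template still emits an `ldap_server` block for `ldap_businesscategory`, and with `sequenceserver_ldap_url` left at `""` that block renders as `url (&(objectClass=person)(businessCategory=...))` with no scheme or base DN, which nginx-auth-ldap will reject at startup rather than at configuration time.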
4 changes: 2 additions & 2 deletions meta/main.yml
Expand Up @@ -2,10 +2,10 @@

dependencies:
- role: nginxinc.nginx
version: 0.12.0
version: 0.24.3
tags: never
- role: geerlingguy.git
version: 2.1.0
version: 3.0.1
tags: never

galaxy_info:
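Review bot: `nginxinc.nginx` 0.12.0 to 0.24.3 and `geerlingguy.git` 2.1.0 to 3.0.1 are both major jumps; the handler rename in tasks/main.yml (`(Handler) Start/reload NGINX`) is the one visible consequence, but it is worth reading the nginxinc.nginx changelog for other renamed handlers or variables this role consumes, because a stale `notify` name only fails at run time. Exact version pins are the right choice here; keep them identical to molecule/default/requirements.yml, which this commit does.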
7 changes: 5 additions & 2 deletions molecule/default/molecule.yml
@@ -1,11 +1,14 @@
---
role_name_check: 1
dependency:
name: galaxy
options:
ignore-errors: true
driver:
name: docker
platforms:
- name: instance
image: "geerlingguy/docker-${MOLECULE_DISTRO:-centos7}-ansible:latest"
image: "geerlingguy/docker-${MOLECULE_DISTRO:-rockylinux9}-ansible:latest"
command: ${MOLECULE_DOCKER_COMMAND:-""}
volumes:
- /sys/fs/cgroup:/sys/fs/cgroup:rw
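Review bot: `ignore-errors: true` under `dependency.options` is passed to `ansible-galaxy` as `--ignore-errors`, so a role in requirements.yml that fails to install (typo'd name, yanked version, unreachable Galaxy) is skipped and the failure surfaces later as a confusing converge error, or not at all if the role happened not to be exercised; drop the option and let the dependency step fail loudly. The `centos7` to `rockylinux9` default is the right move now that CentOS 7 is end of life (30 June 2024); the `/sys/fs/cgroup:/sys/fs/cgroup:rw` mount it inherits is unchanged and stays a CI-only, privileged-style container, which is fine as long as it never becomes the model for production hosts.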
Expand All @@ -15,4 +18,4 @@ platforms:
provisioner:
name: ansible
playbooks:
converge: converge.yml
converge: ${MOLECULE_PLAYBOOK:-converge.yml}
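Review bot: `${MOLECULE_PLAYBOOK:-converge.yml}` lets the environment swap the playbook under test, which is handy locally; document it next to `MOLECULE_DISTRO` so that a reader of the CI workflow can see which playbook a given run actually converged.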
5 changes: 5 additions & 0 deletions molecule/default/prepare.yml
Expand Up @@ -49,3 +49,8 @@
dest: /tmp/
owner: root
mode: 0644
# https://github.com/geerlingguy/docker-ubuntu2004-ansible/issues/24
- name: Set right permissions for /tmp dir, needed for apt-get update used in role nginxinc.nginx
ansible.builtin.file:
path: /tmp
mode: '1777'
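Review bot: `mode: '1777'` is the correct sticky-bit value for /tmp and quoting it is right (an unquoted `1777` would be read as decimal); the `mode: 0644` just above relies on the leading zero to be parsed as octal, so quoting it the same way would keep the file consistent. Since prepare.yml only runs inside the molecule container, this workaround for the nginxinc.nginx `apt-get update` step never touches a managed host, which is where it belongs.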
5 changes: 3 additions & 2 deletions molecule/default/requirements.yml
Expand Up @@ -2,7 +2,8 @@
- name: robertdebock.rsyslog
- name: andrewrothstein.miniconda
- name: andrewrothstein.conda-env
- name: andrewrothstein.bash
- name: nginxinc.nginx
version: 0.12.0
version: 0.24.3
- name: geerlingguy.git
version: 2.1.0
version: 3.0.1
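Review bot: `nginxinc.nginx` and `geerlingguy.git` are pinned to exact versions but `robertdebock.rsyslog`, `andrewrothstein.miniconda`, `andrewrothstein.conda-env` and the newly added `andrewrothstein.bash` are not, so the test run changes under you whenever one of those roles publishes a release; pin them too. Nothing in the commit says why `andrewrothstein.bash` is now required; a one-line comment would save the next reader a search.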
2 changes: 1 addition & 1 deletion tasks/main.yml
Expand Up @@ -200,4 +200,4 @@
src: nginx_sequenceserver.conf.j2
dest: /etc/nginx/conf.d/sequenceserver.conf
mode: 0644
notify: "(Handler: All OSs) Reload NGINX"
notify: "(Handler) Start/reload NGINX"
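Review bot: `(Handler) Start/reload NGINX` has to match exactly the handler name defined by `nginxinc.nginx` 0.24.3; a mismatch only shows up at run time as a missing handler. Because meta/main.yml tags the dependency `never`, the molecule converge does not pull the nginx role in automatically, so make sure the test scenario applies it (or pins the same version) so this `notify` is actually exercised.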
31 changes: 18 additions & 13 deletions templates/nginx_sequenceserver.conf.j2
Expand Up @@ -3,22 +3,27 @@
#

{% for item in sequenceserver_blast_db %}
{% if (item.users is defined and item.users) or (item.ldap_businesscategory is defined and item.ldap_businesscategory) %}
{% if (item.users is defined and item.users) or (item.ldap_businesscategory is defined and item.ldap_businesscategory) or (item.group is defined and item.group) %}
ldap_server {{ item.name }}ldap {
{# if only users are defined #}
{% if item.users is defined and item.users %}
url {{ sequenceserver_ldap_url }}(&(objectClass=person)(|{% for user in item.users %}(uid={{ user }}){% endfor %}));
{% endif %}
{# if only a business category is defined #}
{% if item.ldap_businesscategory is defined and item.ldap_businesscategory %}
{# if a group is defined #}
{% if item.group is defined and item.group %}
url {{ sequenceserver_ldap_url }}(&(objectClass=person));
group_attribute memberUid
group_attribute_is_dn on;
require group cn={{ item.group }},ou=projects,ou=groups,dc=sb-roscoff,dc=fr;
require valid_user;
satisfy all;
{# if a business category is defined #}
{% elif item.ldap_businesscategory is defined and item.ldap_businesscategory %}
url {{ sequenceserver_ldap_url }}(&(objectClass=person)(businessCategory={{ item.ldap_businesscategory }}));
{% endif %}
{# if both users and a business category are defined #}
{% if (item.users is defined and item.users) and (item.ldap_businesscategory is defined and item.ldap_businesscategory) %}
url {{ sequenceserver_ldap_url }}(&(objectClass=person)(|{% for user in item.users %}(uid={{ user }}){% endfor %}(businessCategory={{ item.ldap_businesscategory }})));
{% endif %}
require valid_user;
satisfy all;
{# if users are defined #}
{% elif item.users is defined and item.users %}
url {{ sequenceserver_ldap_url }}(&(objectClass=person)(|{% for user in item.users %}(uid={{ user }}){% endfor %}));
require valid_user;
satisfy all;
{% endif %}
}
{% endif %}
{% endfor %}
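Review bot: `group_attribute memberUid` (the line after `url {{ sequenceserver_ldap_url }}(&(objectClass=person));`) has no trailing semicolon, so nginx will refuse the rendered configuration for every database that sets `group`; it needs `group_attribute memberUid;`. Second, `memberUid` and `group_attribute_is_dn on;` contradict each other: with `group_attribute_is_dn on` nginx-auth-ldap compares the user's full DN against the group attribute values, but a posixGroup's `memberUid` holds bare uids, so no user would ever match and every group-restricted database would deny everyone; use `group_attribute_is_dn off;` with `memberUid`, or `group_attribute member;` with `on` if the groups are groupOfNames entries. Third, `ou=projects,ou=groups,dc=sb-roscoff,dc=fr` is a site-specific base DN hard-coded into a reusable role while the server part is already the `sequenceserver_ldap_url` variable; move it to a default (a `sequenceserver_ldap_group_base` variable, name is a suggestion). Fourth, `item.group`, `item.ldap_businesscategory` and each `user` are interpolated into the nginx config and the LDAP filter unescaped; they come from the operator's inventory so the exposure is small, but a value containing `)`, `*`, `;` or whitespace silently changes the filter or breaks the config, and a short `assert` on the allowed characters in tasks/main.yml would make that contract explicit. Finally, the `if group / elif ldap_businesscategory / elif users` chain fixes the old bug where both `users` and `ldap_businesscategory` produced three `url` directives in one `ldap_server` block, but it also drops the OR of the two that the old combined filter gave; since every branch ends with the same `require valid_user;` and `satisfy all;`, hoist those two lines out of the branches and reject more than one of the three keys per database with an `assert` rather than leaving it to a README sentence.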
Expand All @@ -39,7 +44,7 @@ server {
{% if sequenceserver_proxy_intercept_errors is defined and sequenceserver_proxy_intercept_errors %}
proxy_intercept_errors {{ sequenceserver_proxy_intercept_errors }};
{% endif %}
{% if (item.users is defined and item.users) or (item.ldap_businesscategory is defined and item.ldap_businesscategory) %}
{% if (item.users is defined and item.users) or (item.ldap_businesscategory is defined and item.ldap_businesscategory) or (item.group is defined and item.group) %}
auth_ldap "Restricted access";
auth_ldap_servers {{ item.name }}ldap;
{% endif %}
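Review bot: this condition is now the same three-way expression as the one that gates the `ldap_server` block at the top of the template; if the two ever diverge, a database either gets `auth_ldap_servers {{ item.name }}ldap;` pointing at an undefined server (nginx refuses to start) or an `ldap_server` block that no location uses (the database is silently public). Compute the "restricted" decision once per item, with a small Jinja macro or a `{% set %}` at the top of each loop body, and use it in both places.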
