From 35874002b09f8c05a916fa81aac1caa0bef824dd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Loraine=20Brillet-Gu=C3=A9guen?=
Date: Fri, 2 Aug 2024 11:10:05 +0200
Subject: [PATCH] Add ldap group authentication (#27)

- Fix https://github.com/abims-sbr/ansible-sequenceserver/issues/16
- Update nginx and git role
- Update molecule files
---
 .github/workflows/ci.yml | 8 +++----
 README.md | 7 +++---
 defaults/main.yml | 4 ++--
 meta/main.yml | 4 ++--
 molecule/default/molecule.yml | 7 ++++--
 molecule/default/prepare.yml | 5 +++++
 molecule/default/requirements.yml | 5 +++--
 tasks/main.yml | 2 +-
 templates/nginx_sequenceserver.conf.j2 | 31 +++++++++++++++-----------
 9 files changed, 44 insertions(+), 29 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index abd5ade..427dd63 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -17,12 +17,12 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Check out the codebase.
- uses: actions/checkout@v2
+ uses: actions/checkout@v4
 with:
 path: 'abims_sbr.sequenceserver'
 - name: Set up Python 3
- uses: actions/setup-python@v2
+ uses: actions/setup-python@v5
 with:
 python-version: '3.x'
@@ -44,12 +44,12 @@ jobs:
 steps:
 - name: Check out the codebase.
- uses: actions/checkout@v2
+ uses: actions/checkout@v4
 with:
 path: 'abims_sbr.sequenceserver'
 - name: Set up Python 3
- uses: actions/setup-python@v2
+ uses: actions/setup-python@v5
 with:
 python-version: '3.x'
diff --git a/README.md b/README.md
index d2b2c7b..010fea5 100644
--- a/README.md
+++ b/README.md
@@ -52,11 +52,12 @@ Each database is defined as a dictionary of the following parameters:
 - `path` Absolute path to the directory where one or multiple formatted databases are located
 - `users` Optional. Useful if the database needs restricted access. List of authorized users (LDAP "uid").
 - `ldap_businesscategory` Optional. Useful if the database needs restricted access. A ldap businessCategory value. LDAP users with this "businessCategory" value will have access to the database.
+- `group` Optional. Useful if the database needs restricted access. An LDAP group ("gid"). LDAP users who are member of this group will have access to the database.
 - `web_page_title` Optional. The title displayed at the top of the web page. If not provided, the default title is "BLAST server for `name`".
 - `placeholders` Optional. A list of placeholder dictionaries `{key: 'key_item', value: 'value_item'}` that are used to customize top or bottom supplementary HTML code (see `sequenceserver_top_web_page_html_path` and `sequenceserver_bottom_web_page_html_path`). For example `placeholders: [{key: 'key1', value: 'value1'}, {key: 'key2', value: 'value2'}]`.
 Unique `name` and `port` are mandatory for each database.
-`users` and `ldap_businesscategory` are optional and can be used to add an authentication layer with the nginx-auth-ldap module. It is planned to add a `groups` parameter soon to list authorized groups.
+`users`, `ldap_businesscategory` and `group` are optional and can be used to add an authentication layer with the nginx-auth-ldap module. Choose one single authentication mode for each database.
 The BLAST server title can be customized with the `web_page_title` parameter. If not provided, the default title is "BLAST server for `name`".
 SequenceServer logs are stored in `/var/log/sequenceserver/sequenceserver.log`.
@@ -101,12 +102,12 @@ Variable to define the user running the sequenceserver service and submitting th
 ```yaml
 # proxy_read_timeout (nginx directive)
 sequenceserver_proxy_read_timeout: 180
-# Authentication with LDAP - Mandatory if users, groups or ldap_businesscategory are used in variable sequenceserver_blast_db
+# Authentication with LDAP - Mandatory if users or groups are used in variable sequenceserver_blast_db
 # Sequenceserver_ldap_url: "ldap://ldap.my-domain.org/o=my-domain,c=org?uid?sub?"
 sequenceserver_ldap_url: ""
 ```
 Variables to configure the NGINX reverse-proxy.
-`sequenceserver_ldap_url` must be set if one of the database has restricted access (use of parameter `users`, `groups` or `ldap_businesscategory` in `sequenceserver_blast_db`).
+`sequenceserver_ldap_url` must be set if one of the database has restricted access (use of parameter `users` or `group` in `sequenceserver_blast_db`).
 ## Dependencies
diff --git a/defaults/main.yml b/defaults/main.yml
index 752519f..96e6afc 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -12,7 +12,7 @@ sequenceserver_version: 2.0.0
 # port: A unique unused port
 # path: Path to the formatted database
 # users: Optional. Useful if the database needs restricted access. List of authorized users (ldap uid).
-# groups: TODO. Optional. Useful if the database needs restricted access. List of authorized groups.
+# group: Optional. Useful if the database needs restricted access. Authorized group (ldap gid).
 # ldap_businesscategory: Optional. Useful if the database needs restricted access. A ldap businessCategory value. Ldap users with this businessCategory value will have access to the database.
 # web_page_title: Optional. The title displayed at the top of the web page. If not provided, the default title is "BLAST server for ".
 # placeholders: Optional. A list of placeholder dictionaries `{key: 'key_item', value: 'value_item'}` that are used to customize top or bottom supplementary HTML code (`sequenceserver_top_web_page_html_path` and `sequenceserver_bottom_web_page_html_path`)
@@ -63,6 +63,6 @@ sequenceserver_user: "sequenceserver"
 #
 # proxy_read_timeout (nginx directive)
 sequenceserver_proxy_read_timeout: 180
-# Authentication with LDAP - Mandatory if users, groups or ldap_businesscategory are used in variable sequenceserver_blast_db
+# Authentication with LDAP - Mandatory if users or groups are used in variable sequenceserver_blast_db
 # Sequenceserver_ldap_url: "ldap://ldap.my-domain.org/o=my-domain,c=org?uid?sub?"
 sequenceserver_ldap_url: ""
diff --git a/meta/main.yml b/meta/main.yml
index bb54340..92acb71 100644
--- a/meta/main.yml
+++ b/meta/main.yml
@@ -2,10 +2,10 @@ dependencies:
 - role: nginxinc.nginx
- version: 0.12.0
+ version: 0.24.3
 tags: never
 - role: geerlingguy.git
- version: 2.1.0
+ version: 3.0.1
 tags: never
 galaxy_info:
diff --git a/molecule/default/molecule.yml b/molecule/default/molecule.yml
index 6f90a63..3c2f1e5 100644
--- a/molecule/default/molecule.yml
+++ b/molecule/default/molecule.yml
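Review bot: The rewritten comment on `sequenceserver_ldap_url` in the second hunk of defaults/main.yml says the URL is mandatory "if users or groups are used", but the first hunk of the same file names the parameter `group` (singular), and the nginx template in this patch still enables LDAP authentication for `ldap_businesscategory`, so the comment now under-states when the variable is required. Suggest `# Authentication with LDAP - Mandatory if users, group or ldap_businesscategory are used in variable sequenceserver_blast_db`. The README hunk at line 102 of that file rewrites the same sentence the same way and would need the same correction.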
@@ -1,11 +1,14 @@
 ---
+role_name_check: 1
 dependency:
 name: galaxy
+ options:
+ ignore-errors: true
 driver:
 name: docker
 platforms:
 - name: instance
- image: "geerlingguy/docker-${MOLECULE_DISTRO:-centos7}-ansible:latest"
+ image: "geerlingguy/docker-${MOLECULE_DISTRO:-rockylinux9}-ansible:latest"
 command: ${MOLECULE_DOCKER_COMMAND:-""}
 volumes:
 - /sys/fs/cgroup:/sys/fs/cgroup:rw
@@ -15,4 +18,4 @@ platforms:
 provisioner:
 name: ansible
 playbooks:
- converge: converge.yml
+ converge: ${MOLECULE_PLAYBOOK:-converge.yml}
diff --git a/molecule/default/prepare.yml b/molecule/default/prepare.yml
index 470a9fe..7a578f2 100644
--- a/molecule/default/prepare.yml
+++ b/molecule/default/prepare.yml
@@ -49,3 +49,8 @@
 dest: /tmp/
 owner: root
 mode: 0644
+ # https://github.com/geerlingguy/docker-ubuntu2004-ansible/issues/24
+ - name: Set right permissions for /tmp dir, needed for apt-get update used in role nginxinc.nginx
+ ansible.builtin.file:
+ path: /tmp
+ mode: '1777'
diff --git a/molecule/default/requirements.yml b/molecule/default/requirements.yml
index 97c69b3..cc92c4c 100644
--- a/molecule/default/requirements.yml
+++ b/molecule/default/requirements.yml
@@ -2,7 +2,8 @@
 - name: robertdebock.rsyslog
 - name: andrewrothstein.miniconda
 - name: andrewrothstein.conda-env
+- name: andrewrothstein.bash
 - name: nginxinc.nginx
- version: 0.12.0
+ version: 0.24.3
 - name: geerlingguy.git
- version: 2.1.0
+ version: 3.0.1
diff --git a/tasks/main.yml b/tasks/main.yml
index 51d9728..0596305 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -200,4 +200,4 @@
 src: nginx_sequenceserver.conf.j2
 dest: /etc/nginx/conf.d/sequenceserver.conf
 mode: 0644
- notify: "(Handler: All OSs) Reload NGINX"
+ notify: "(Handler) Start/reload NGINX"
diff --git a/templates/nginx_sequenceserver.conf.j2 b/templates/nginx_sequenceserver.conf.j2
index e1d8cd5..b0af20e 100644
--- a/templates/nginx_sequenceserver.conf.j2
+++ b/templates/nginx_sequenceserver.conf.j2
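Review bot: The new `ignore-errors: true` under `dependency.options` in molecule.yml lets a failed galaxy install pass silently, so a missing or incompatible entry from requirements.yml (this patch pins nginxinc.nginx 0.24.3, geerlingguy.git 3.0.1 and adds andrewrothstein.bash) would surface later as an unrelated converge failure rather than at the dependency stage. If the flag is there to tolerate roles that are already installed in CI, a comment above it saying so would save the next reader from guessing, e.g. `# tolerate already-installed roles; install failures still show up in converge`; if not, consider dropping it so dependency errors fail fast. The `mode: '1777'` added in prepare.yml is correctly quoted, unlike the pre-existing `mode: 0644` context lines in that file and in tasks/main.yml, which a later cleanup could quote as well.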
@@ -3,22 +3,27 @@
 #
 {% for item in sequenceserver_blast_db %}
-{% if (item.users is defined and item.users) or (item.ldap_businesscategory is defined and item.ldap_businesscategory) %}
+{% if (item.users is defined and item.users) or (item.ldap_businesscategory is defined and item.ldap_businesscategory) or (item.group is defined and item.group) %}
 ldap_server {{ item.name }}ldap {
-{# if only users are defined #}
-{% if item.users is defined and item.users %}
- url {{ sequenceserver_ldap_url }}(&(objectClass=person)(|{% for user in item.users %}(uid={{ user }}){% endfor %}));
-{% endif %}
-{# if only a business category is defined #}
-{% if item.ldap_businesscategory is defined and item.ldap_businesscategory %}
+{# if a group is defined #}
+{% if item.group is defined and item.group %}
+ url {{ sequenceserver_ldap_url }}(&(objectClass=person));
+ group_attribute memberUid
+ group_attribute_is_dn on;
+ require group cn={{ item.group }},ou=projects,ou=groups,dc=sb-roscoff,dc=fr;
+ require valid_user;
+ satisfy all;
+{# if a business category is defined #}
+{% elif item.ldap_businesscategory is defined and item.ldap_businesscategory %}
 url {{ sequenceserver_ldap_url }}(&(objectClass=person)(businessCategory={{ item.ldap_businesscategory }}));
-{% endif %}
-{# if both users and a business category are defined #}
-{% if (item.users is defined and item.users) and (item.ldap_businesscategory is defined and item.ldap_businesscategory) %}
- url {{ sequenceserver_ldap_url }}(&(objectClass=person)(|{% for user in item.users %}(uid={{ user }}){% endfor %}(businessCategory={{ item.ldap_businesscategory }})));
-{% endif %}
 require valid_user;
 satisfy all;
+{# if users are defined #}
+{% elif item.users is defined and item.users %}
+ url {{ sequenceserver_ldap_url }}(&(objectClass=person)(|{% for user in item.users %}(uid={{ user }}){% endfor %}));
+ require valid_user;
+ satisfy all;
+{% endif %}
 }
 {% endif %}
 {% endfor %}
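Review bot: The added `group_attribute memberUid` line in the group branch has no terminating `;`, so nginx tokenises it together with the next line as one `group_attribute memberUid group_attribute_is_dn on;` directive with three arguments and should reject the configuration at `nginx -t`, which means the new group mode cannot have been exercised end to end; it should read `group_attribute memberUid;`. On the same lines, `memberUid` is the posixGroup attribute that holds bare uids, while `group_attribute_is_dn on;` tells nginx-auth-ldap to match that attribute against the authenticated user's full DN, so unless the directory stores DNs in memberUid the `require group` check may never succeed — confirm against the directory schema and switch to `group_attribute_is_dn off;` if the attribute holds uids. The base DN `ou=projects,ou=groups,dc=sb-roscoff,dc=fr` is site-specific and now hardcoded into a reusable role template; it belongs in a role default (a proposed variable such as `sequenceserver_ldap_group_base_dn`, used as `require group cn={{ item.group }},{{ sequenceserver_ldap_group_base_dn }};`) so other deployments do not silently grant access based on a DN that does not exist in their directory. As a style point, `require valid_user;` and `satisfy all;` are repeated in all three branches and could be emitted once after the `{% endif %}`, with a `{# one mode per database: group, then businessCategory, then users #}` comment above the chain documenting the precedence the `elif` ordering imposes.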
@@ -39,7 +44,7 @@ server {
 {% if sequenceserver_proxy_intercept_errors is defined and sequenceserver_proxy_intercept_errors %}
 proxy_intercept_errors {{ sequenceserver_proxy_intercept_errors }};
 {% endif %}
-{% if (item.users is defined and item.users) or (item.ldap_businesscategory is defined and item.ldap_businesscategory) %}
+{% if (item.users is defined and item.users) or (item.ldap_businesscategory is defined and item.ldap_businesscategory) or (item.group is defined and item.group) %}
 auth_ldap "Restricted access";
 auth_ldap_servers {{ item.name }}ldap;
 {% endif %}
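Review bot: The three-way "is this database restricted" predicate on the changed `{% if %}` line is now a verbatim copy of the one guarding the `ldap_server` block earlier in the template, and the two must stay in lockstep: if a future mode is added to one and not the other, the `server` block would reference an `auth_ldap_servers {{ item.name }}ldap` that was never defined (a hard nginx config error) or, worse, define the LDAP server without enabling `auth_ldap` on the vhost. A Jinja macro such as `{% macro restricted(item) %}` returning that boolean, called from both places, would keep the rule in one spot. The enclosing `server {` block starts outside the hunk.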