From 93151a593de098077fbe257742f4c57c0e08d116 Mon Sep 17 00:00:00 2001
From: GoCD User
Date: Thu, 30 Mar 2023 02:03:04 -0700
Subject: [PATCH] update ldap2pg.yml into source

---
 root/database/pgsql/ldap2pg.yml | 182 ++++++++++++++++++++++++++++++++
 1 file changed, 182 insertions(+)
 create mode 100644 root/database/pgsql/ldap2pg.yml

diff --git a/root/database/pgsql/ldap2pg.yml b/root/database/pgsql/ldap2pg.yml
new file mode 100644
index 0000000..4171b54
--- /dev/null
+++ b/root/database/pgsql/ldap2pg.yml
@@ -0,0 +1,182 @@
+#
+#
+# L D A P 2 P G S A M P L E C O N F I G U R A T I O N
+#
+#
+# This is a starting point configuration file for ldap2pg.yml. Including static
+# roles, groups, privilege and LDAP search.
+#
+# This configuration assumes the following principles:
+#
+# - All LDAP users are grouped in `ldap_roles` group.
+# - Read privileges are granted to `readers` group.
+# - Write privileges are granted to `writers` group.
+# - DDL privileges are granted to `owners` group.
+# - We have one or more databases with public and maybe a schema.
+# - Grants are not specific to a schema. Once you're writer in a database, you
+# are writer to all schemas in it.
+#
+# The LDAP directory content is described in fixtures/openldap-data.ldif
+#
+# Adapt to your needs! See also full documentation on how to configure ldap2pg
+# at https://ldap2pg.readthedocs.io/en/latest/config/.
+#
+# Don't hesitate to suggest improvements for this starting configuration at
+# https://github.com/dalibo/ldap2pg/issues/new . Thanks for your contribution !
+#
+
+#
+# File format version. Allows ldap2pg to check whether the file is supported.
+#
+version: 5
+
+ldap:
+ uri: ldaps://jcolebrand.info
+ binddn: cn=postgres,ou=services,dc=jcolebrand,dc=info
+ password: "*H9sHZughaS*Kqhm"
+
+#
+# 1. P O S T G R E S I N S P E C T I O N
+#
+# See https://ldap2pg.readthedocs.io/en/latest/postgres/
+#
+
+postgres:
+ dsn: postgres://postgres@%2fvar%2frun%2fpostgresql:5432/
+ databases_query: "SELECT datname FROM pg_catalog.pg_database;"
+ # List of role names which can be dropped from cluster. Privileges on these
+ # roles can be revoked.
+ managed_roles_query: |
+ SELECT ('public')
+ UNION
+ SELECT ('ldap_roles')
+ UNION
+ SELECT DISTINCT role.rolname
+ FROM pg_roles AS role
+ LEFT OUTER JOIN pg_auth_members AS ms ON ms.member = role.oid
+ LEFT OUTER JOIN pg_roles AS ldap_roles
+ ON ldap_roles.rolname = 'ldap_roles' AND ldap_roles.oid = ms.roleid
+ WHERE role.rolname IN ('ldap_roles', 'readers', 'writers', 'owners')
+ OR ldap_roles.oid IS NOT NULL
+ ORDER BY 1;
+ # List of object owners that requires default privileges configuration. Since
+ # readers/writer/owners groups are globals to cluster, we have a global
+ # owners_query.
+ owners_query: |
+ SELECT DISTINCT role.rolname
+ FROM pg_catalog.pg_roles AS role
+ JOIN pg_catalog.pg_auth_members AS ms ON ms.member = role.oid
+ JOIN pg_catalog.pg_roles AS owners
+ ON owners.rolname = 'owners' AND owners.oid = ms.roleid
+ ORDER BY 1;
+ # Exclude information_schema, pg_catalog, pg_toast, and other system schemas
+ # from privilege management.
+ schemas_query: |
+ SELECT nspname FROM pg_catalog.pg_namespace
+ WHERE nspname NOT LIKE 'pg_%' AND nspname <> 'information_schema'
+ ORDER BY 1;
+#
+# 2. P R I V I L E G E S D E F I N I T I O N
+#
+# See https://ldap2pg.readthedocs.io/en/latest/privileges/. Privileges wrapped
+# in double underscores are well-known privileges built-in ldap2pg. See
+# https://ldap2pg.readthedocs.io/en/latest/wellknown/ for a documentation of
+# each of them.
+#
+
+privileges:
+ # Define `ro` privilege group with read-only grants
+ ro:
+ - __connect__
+ - __select_on_tables__
+ - __select_on_sequences__
+ - __usage_on_schemas__
+ - __usage_on_types__
+
+ # `rw` privilege group lists write-only grants
+ rw:
+ - __temporary__
+ - __all_on_tables__
+ - __all_on_sequences__
+
+ # `ddl` privilege group lists DDL only grants.
+ ddl:
+ - __create_on_schemas__
+
+
+#
+# 3. S Y N C H R O N I S A T I O N M A P
+#
+# This list contains rules to declare roles and grants. Each role or grant rule
+# can be templated with attributes from LDAP entries returned by a search
+# query.
+#
+# Any role found in cluster and not generated by sync_map will be dropped. Any
+# grant found in cluster and not generated by sync_map will be revoked.
+#
+
+sync_map:
+- description: "Setup static roles and grants."
+ roles:
+ - names:
+ - ldap_roles
+ - readers
+ options: NOLOGIN
+ - name: writers
+ # Grant reading to writers
+ parent: readers
+ options: NOLOGIN
+ - name: owners
+ # Grant read/write to owners
+ parent: writers
+ options: NOLOGIN
+
+ grant:
+ - privilege: ro
+ role: readers
+ schemas: __all__
+ - privilege: rw
+ role: writers
+ schema: __all__
+ - privilege: ddl
+ role: owners
+ schema: __all__
+
+- description: "Query LDAP to create superusers."
+ ldapsearch:
+ base: ou=ldap2pg,ou=groups,dc=jcolebrand,dc=info
+ filter: "(cn=superuser)"
+ role:
+ # LDAP attribute member is a Distinguished Name. Use CN component of the
+ # member value.
+ name: '{member.cn}'
+ options: LOGIN SUPERUSER
+ parent:
+ - ldap_roles
+ - owners
+ comment: "From LDAP group {dn}"
+
+
+- description: "Query LDAP to create writers."
+ ldapsearch:
+ base: ou=ldap2pg,ou=groups,dc=jcolebrand,dc=info
+ filter: "(cn=writers)"
+ on_unexpected_dn: warn
+ role:
+ name: '{member.cn}'
+ options: LOGIN
+ parent:
+ - ldap_roles
+ - writers
+ comment: 'From LDAP groupe {dn}'
+
+- description: "Query LDAP to create readers."
+ ldapsearch:
+ base: ou=ldap2pg,ou=groups,dc=jcolebrand,dc=info
+ filter: "(cn=readers)"
+ role:
+ name: '{member.cn}'
+ options: LOGIN
+ parent:
+ - ldap_roles
+ - readers
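Review bot: The `ldap:` block near the top of the hunk commits the directory bind password (`password: "…"` for `cn=postgres,ou=services,dc=jcolebrand,dc=info`) to the repository in cleartext, so everyone with read access to this repo, and to its history, can bind to the directory with the service account; that credential should be treated as exposed and rotated, and the key removed from the file — ldap2pg reads the bind password from the `LDAPPASSWORD` environment variable or an `ldaprc`, so dropping the `password:` line is enough (confirm against the ldap2pg version in use). Also, the `(cn=superuser)` rule hands `LOGIN SUPERUSER` to every member of a single LDAP group, which makes write access to that group's membership in the directory equivalent to Postgres superuser; a comment stating that trust boundary, `# Membership in this LDAP group grants cluster SUPERUSER; restrict who may edit it`, would help the next maintainer. Minor: `on_unexpected_dn: warn` is set only on the writers search and not on the superuser or readers searches, the static grants mix `schemas: __all__` and `schema: __all__`, and `'From LDAP groupe {dn}'` looks like a typo for `group`.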