Feature/pam oauth2 (#127)

* Spilo with pam_oauth2.so
zalando · Feb 1, 2017 · 0a2c2f2 · 0a2c2f2
1 parent e772859
commit 0a2c2f2
Show file tree

Hide file tree

Showing 2 changed files with 35 additions and 8 deletions.
diff --git a/postgres-appliance/Dockerfile b/postgres-appliance/Dockerfile
@@ -52,8 +52,9 @@ ENV PATH=$PATH:/usr/lib/postgresql/${PGVERSION}/bin
 ## 3 Remove tools only required for build
 ENV PATRONIVERSION=1.2.3
 ENV WALE_VERSION=1.0.2
+ENV PAM_OAUTH_COMMIT=bed1f8d31840d1fda49365921449112a7421b8ca JSMN_COMMIT=1682c32e9ae5990ddd0f0e907270a0f6dde5cbe9
 RUN export DEBIAN_FRONTEND=noninteractive \
-    export BUILD_PACKAGES="postgresql-server-dev-${PGVERSION} python3-pip python3-dev build-essential pgxnclient" \
+    export BUILD_PACKAGES="postgresql-server-dev-${PGVERSION} python3-pip python3-dev build-essential pgxnclient libcurl4-openssl-dev libpam0g-dev unzip" \
     export PGXN_EXTENSIONS="quantile trimmed_aggregates" \
     && apt-get update \
     && apt-get install -y \
@@ -63,6 +64,17 @@ RUN export DEBIAN_FRONTEND=noninteractive \
             python3 python3-pkg-resources python3-setuptools \
             ${BUILD_PACKAGES} \
 
+    # install pam_oauth2.so
+    && curl -s -L https://github.com/zalando-incubator/pam-oauth2/archive/$PAM_OAUTH_COMMIT.zip > pam-oauth2.zip \
+    && unzip pam-oauth2.zip \
+    && cd pam-oauth2-$PAM_OAUTH_COMMIT \
+    && curl -s -L https://github.com/zserge/jsmn/archive/$JSMN_COMMIT.zip > jsmn.zip \
+    && unzip jsmn.zip \
+    && rm -fr jsmn && mv jsmn-$JSMN_COMMIT jsmn \
+    && make install \
+    && cd .. \
+    && rm -fr pam-oauth2* \
+
     # install extensions for old postgres versions
     && export OLD_PATH=$PATH \
     && for version in ${PGOLDVERSIONS}; do \
@@ -74,7 +86,7 @@ RUN export DEBIAN_FRONTEND=noninteractive \
     && export PATH=$OLD_PATH \
 
     && pip3 install pip --upgrade \
-    && pip3 install --upgrade requests pystache patroni==$PATRONIVERSION \
+    && pip3 install --upgrade packaging appdirs requests pystache patroni==$PATRONIVERSION \
             gcloud boto wal-e==$WALE_VERSION \
     && for extension in ${PGXN_EXTENSIONS}; do pgxn install $extension; done \
     # Clean up

diff --git a/postgres-appliance/configure_spilo.py b/postgres-appliance/configure_spilo.py
@@ -24,7 +24,7 @@
 
 
 def parse_args():
-    sections = ['all', 'patroni', 'patronictl', 'certificate', 'wal-e', 'crontab', 'ldap']
+    sections = ['all', 'patroni', 'patronictl', 'certificate', 'wal-e', 'crontab', 'ldap', 'pam-oauth2']
     argp = argparse.ArgumentParser(description='Configures Spilo',
                                    epilog="Choose from the following sections:\n\t{}".format('\n\t'.join(sections)),
                                    formatter_class=argparse.RawDescriptionHelpFormatter)
@@ -426,14 +426,11 @@ def write_etcd_configuration(placeholders, overwrite=False):
 def write_ldap_configuration(placeholders, overwrite):
     ldap_url = placeholders.get('LDAP_URL')
     if ldap_url is None:
-        logging.info("No LDAP_URL was specified, skipping LDAP configuration")
-        return
+        return logging.info("No LDAP_URL was specified, skipping LDAP configuration")
 
     r = urlparse(ldap_url)
     if not r.scheme:
-        logging.error('LDAP_URL should contain a scheme')
-        logging.info(r)
-        return
+        return logging.error('LDAP_URL should contain a scheme: %s', r)
 
     host, port = r.hostname, r.port
     if not port:
@@ -465,6 +462,22 @@ def write_ldap_configuration(placeholders, overwrite):
     write_file(supervisord_config, '/etc/supervisor/conf.d/ldaptunnel.conf', overwrite)
 
 
+def write_pam_oauth2_configuration(placeholders, overwrite):
+    pam_oauth2_args = placeholders.get('PAM_OAUTH2') or ''
+    t = pam_oauth2_args.split()
+    if len(t) < 2:
+        return logging.info("No PAM_OAUTH2 configuration was specified, skipping")
+
+    r = urlparse(t[0])
+    if not r.scheme or r.scheme != 'https':
+        return logging.error('First argument of PAM_OAUTH2 must be a valid https url: %s', r)
+
+    pam_oauth2_config = 'auth sufficient pam_oauth2.so {0}\n'.format(pam_oauth2_args)
+    pam_oauth2_config += 'account sufficient pam_oauth2.so\n'
+
+    write_file(pam_oauth2_config, '/etc/pam.d/postgresql', overwrite)
+
+
 def main():
     debug = os.environ.get('DEBUG', '') in ['1', 'true', 'on', 'ON']
     args = parse_args()
@@ -517,6 +530,8 @@ def main():
                 write_crontab(placeholders, os.environ.get('PATH'), args['force'])
         elif section == 'ldap':
             write_ldap_configuration(placeholders, args['force'])
+        elif section == 'pam-oauth2':
+            write_pam_oauth2_configuration(placeholders, args['force'])
         else:
             raise Exception('Unknown section: {}'.format(section))