[DPE-6345] LDAP III: Define config and handlers (#825)

Author: sinclert-canonical

config.yaml

@@ -69,6 +69,12 @@ options:
       Enable synchronized sequential scans.
     type: boolean
     default: true
+  ldap_search_filter:
+    description: |
+      The LDAP search filter to match users with.
+      Example: (|(uid=$username)(email=$username))
+    type: string
+    default: "(uid=$username)"
   logging_client_min_messages:
     description: |
       Sets the message levels that are sent to the client.
@@ -889,4 +895,4 @@ options:
       Multixact age at which VACUUM should scan whole table to freeze tuples.
       Allowed values are: from 0 to 2000000000.
     type: int
-    default: 150000000
+    default: 150000000

src/charm.py

@@ -100,6 +100,7 @@
     USER,
     USER_PASSWORD_KEY,
 )
+from ldap import PostgreSQLLDAP
 from relations.async_replication import (
     REPLICATION_CONSUMER_RELATION,
     REPLICATION_OFFER_RELATION,
@@ -135,6 +136,7 @@ class CannotConnectError(Exception):
         PostgreSQL,
         PostgreSQLAsyncReplication,
         PostgreSQLBackups,
+        PostgreSQLLDAP,
         PostgreSQLProvider,
         PostgreSQLTLS,
         PostgreSQLUpgrade,
@@ -206,6 +208,7 @@ def __init__(self, *args):
         self.legacy_db_relation = DbProvides(self, admin=False)
         self.legacy_db_admin_relation = DbProvides(self, admin=True)
         self.backup = PostgreSQLBackups(self, "s3-parameters")
+        self.ldap = PostgreSQLLDAP(self, "ldap")
         self.tls = PostgreSQLTLS(self, PEER)
         self.async_replication = PostgreSQLAsyncReplication(self)
         self.restart_manager = RollingOpsManager(
@@ -909,6 +912,21 @@ def _patroni(self) -> Patroni:
             self.get_secret(APP_SCOPE, PATRONI_PASSWORD_KEY),
         )
 
+    @property
+    def is_connectivity_enabled(self) -> bool:
+        """Return whether this unit can be connected externally."""
+        return self.unit_peer_data.get("connectivity", "on") == "on"
+
+    @property
+    def is_ldap_charm_related(self) -> bool:
+        """Return whether this unit has an LDAP charm related."""
+        return self.app_peer_data.get("ldap_enabled", "False") == "True"
+
+    @property
+    def is_ldap_enabled(self) -> bool:
+        """Return whether this unit has LDAP enabled."""
+        return self.is_ldap_charm_related and self.is_cluster_initialised
+
     @property
     def is_primary(self) -> bool:
         """Return whether this unit is the primary instance."""
@@ -1407,12 +1425,16 @@ def _on_get_password(self, event: ActionEvent) -> None:
         If no user is provided, the password of the operator user is returned.
         """
         username = event.params.get("username", USER)
+        if username not in PASSWORD_USERS and self.is_ldap_enabled:
+            event.fail("The action can be run only for system users when LDAP is enabled")
+            return
         if username not in PASSWORD_USERS:
             event.fail(
-                f"The action can be run only for users used by the charm or Patroni:"
+                f"The action can be run only for system users or Patroni:"
                 f" {', '.join(PASSWORD_USERS)} not {username}"
             )
             return
+
         event.set_results({"password": self.get_secret(APP_SCOPE, f"{username}-password")})
 
     def _on_set_password(self, event: ActionEvent) -> None:
@@ -1423,9 +1445,12 @@ def _on_set_password(self, event: ActionEvent) -> None:
             return
 
         username = event.params.get("username", USER)
+        if username not in SYSTEM_USERS and self.is_ldap_enabled:
+            event.fail("The action can be run only for system users when LDAP is enabled")
+            return
         if username not in SYSTEM_USERS:
             event.fail(
-                f"The action can be run only for users used by the charm:"
+                f"The action can be run only for system users:"
                 f" {', '.join(SYSTEM_USERS)} not {username}"
             )
             return
@@ -1911,8 +1936,9 @@ def update_config(self, is_creating_backup: bool = False, no_peers: bool = False
 
         # Update and reload configuration based on TLS files availability.
         self._patroni.render_patroni_yml_file(
-            connectivity=self.unit_peer_data.get("connectivity", "on") == "on",
+            connectivity=self.is_connectivity_enabled,
             is_creating_backup=is_creating_backup,
+            enable_ldap=self.is_ldap_enabled,
             enable_tls=enable_tls,
             backup_id=self.app_peer_data.get("restoring-backup"),
             pitr_target=self.app_peer_data.get("restore-to-time"),
@@ -2177,6 +2203,35 @@ def get_plugins(self) -> list[str]:
                 plugins.append(ext)
         return plugins
 
+    def get_ldap_parameters(self) -> dict:
+        """Returns the LDAP configuration to use."""
+        if not self.is_cluster_initialised:
+            return {}
+        if not self.is_ldap_charm_related:
+            logger.debug("LDAP is not enabled")
+            return {}
+
+        data = self.ldap.get_relation_data()
+        if data is None:
+            return {}
+
+        params = {
+            "ldapbasedn": data.base_dn,
+            "ldapbinddn": data.bind_dn,
+            "ldapbindpasswd": data.bind_password,
+            "ldaptls": data.starttls,
+            "ldapurl": data.urls[0],
+        }
+
+        # LDAP authentication parameters that are exclusive to
+        # one of the two supported modes (simple bind or search+bind)
+        # must be put at the very end of the parameters string
+        params.update({
+            "ldapsearchfilter": self.config.ldap_search_filter,
+        })
+
+        return params
+
 
 if __name__ == "__main__":
     main(PostgresqlOperatorCharm)

src/cluster.py

@@ -162,6 +162,17 @@ def _patroni_url(self) -> str:
         """Patroni REST API URL."""
         return f"{'https' if self.tls_enabled else 'http'}://{self.unit_ip}:8008"
 
+    @staticmethod
+    def _dict_to_hba_string(_dict: dict[str, Any]) -> str:
+        """Transform a dictionary into a Host Based Authentication valid string."""
+        for key, value in _dict.items():
+            if isinstance(value, bool):
+                _dict[key] = int(value)
+            if isinstance(value, str):
+                _dict[key] = f'"{value}"'
+
+        return " ".join(f"{key}={value}" for key, value in _dict.items())
+
     def bootstrap_cluster(self) -> bool:
         """Bootstrap a PostgreSQL cluster using Patroni."""
         # Render the configuration files and start the cluster.
@@ -610,6 +621,7 @@ def render_patroni_yml_file(
         self,
         connectivity: bool = False,
         is_creating_backup: bool = False,
+        enable_ldap: bool = False,
         enable_tls: bool = False,
         stanza: str | None = None,
         restore_stanza: str | None = None,
@@ -626,6 +638,7 @@ def render_patroni_yml_file(
         Args:
             connectivity: whether to allow external connections to the database.
             is_creating_backup: whether this unit is creating a backup.
+            enable_ldap: whether to enable LDAP authentication.
             enable_tls: whether to enable TLS.
             stanza: name of the stanza created by pgBackRest.
             restore_stanza: name of the stanza used when restoring a backup.
@@ -640,6 +653,9 @@ def render_patroni_yml_file(
         # Open the template patroni.yml file.
         with open("templates/patroni.yml.j2") as file:
             template = Template(file.read())
+
+        ldap_params = self.charm.get_ldap_parameters()
+
         # Render the template file with the correct values.
         rendered = template.render(
             conf_path=PATRONI_CONF_PATH,
@@ -648,6 +664,7 @@ def render_patroni_yml_file(
             log_path=PATRONI_LOGS_PATH,
             postgresql_log_path=POSTGRESQL_LOGS_PATH,
             data_path=POSTGRESQL_DATA_PATH,
+            enable_ldap=enable_ldap,
             enable_tls=enable_tls,
             member_name=self.member_name,
             partner_addrs=self.charm.async_replication.get_partner_addresses()
@@ -677,6 +694,7 @@ def render_patroni_yml_file(
             primary_cluster_endpoint=self.charm.async_replication.get_primary_cluster_endpoint(),
             extra_replication_endpoints=self.charm.async_replication.get_standby_endpoints(),
             raft_password=self.raft_password,
+            ldap_parameters=self._dict_to_hba_string(ldap_params),
             patroni_password=self.patroni_password,
         )
         self.render_file(f"{PATRONI_CONF_PATH}/patroni.yaml", rendered, 0o600)

src/config.py

@@ -29,6 +29,7 @@ class CharmConfig(BaseConfigModel):
     instance_max_locks_per_transaction: int | None
     instance_password_encryption: str | None
     instance_synchronize_seqscans: bool | None
+    ldap_search_filter: str | None
     logging_client_min_messages: str | None
     logging_log_connections: bool | None
     logging_log_disconnections: bool | None

src/ldap.py

@@ -0,0 +1,66 @@
+# Copyright 2025 Canonical Ltd.
+# See LICENSE file for licensing details.
+
+"""LDAP implementation."""
+
+import logging
+
+from charms.glauth_k8s.v0.ldap import (
+    LdapProviderData,
+    LdapReadyEvent,
+    LdapRequirer,
+    LdapUnavailableEvent,
+)
+from ops import Relation
+from ops.framework import Object
+from ops.model import ActiveStatus
+
+logger = logging.getLogger(__name__)
+
+
+class PostgreSQLLDAP(Object):
+    """In this class, we manage PostgreSQL LDAP access."""
+
+    def __init__(self, charm, relation_name: str):
+        """Manager of PostgreSQL LDAP."""
+        super().__init__(charm, "ldap")
+        self.charm = charm
+        self.relation_name = relation_name
+
+        # LDAP relation handles the config options for LDAP access
+        self.ldap = LdapRequirer(self.charm, self.relation_name)
+        self.framework.observe(self.ldap.on.ldap_ready, self._on_ldap_ready)
+        self.framework.observe(self.ldap.on.ldap_unavailable, self._on_ldap_unavailable)
+
+    @property
+    def _relation(self) -> Relation:
+        """Return the relation object."""
+        return self.model.get_relation(self.relation_name)
+
+    def _on_ldap_ready(self, _: LdapReadyEvent) -> None:
+        """Handler for the LDAP ready event."""
+        logger.debug("Enabling LDAP connection")
+        if self.charm.unit.is_leader():
+            self.charm.app_peer_data.update({"ldap_enabled": "True"})
+
+        self.charm.update_config()
+        self.charm.unit.status = ActiveStatus()
+
+    def _on_ldap_unavailable(self, _: LdapUnavailableEvent) -> None:
+        """Handler for the LDAP unavailable event."""
+        logger.debug("Disabling LDAP connection")
+        if self.charm.unit.is_leader():
+            self.charm.app_peer_data.update({"ldap_enabled": "False"})
+
+        self.charm.update_config()
+
+    def get_relation_data(self) -> LdapProviderData | None:
+        """Get the LDAP info from the LDAP Provider class."""
+        data = self.ldap.consume_ldap_relation_data(relation=self._relation)
+        if data is None:
+            logger.warning("LDAP relation is not ready")
+
+        if not self.charm.is_connectivity_enabled:
+            logger.warning("LDAP server will not be accessible")
+
+        return data

templates/patroni.yml.j2

@@ -161,10 +161,14 @@ postgresql:
     {%- if not connectivity %}
     - {{ 'hostssl' if enable_tls else 'host' }} all all 0.0.0.0/0 reject
     - {{ 'hostssl' if enable_tls else 'host' }} all all {{ self_ip }} md5
-    {% else %}
-    - {{ 'hostssl' if enable_tls else 'host' }} replication replication 127.0.0.1/32 md5
-    {%- endif %}
+    {%- elif enable_ldap %}
+    - {{ 'hostssl' if enable_tls else 'host' }} all +identity_access 0.0.0.0/0 ldap {{ ldap_parameters }}
+    - {{ 'hostssl' if enable_tls else 'host' }} all +internal_access 0.0.0.0/0 md5
+    - {{ 'hostssl' if enable_tls else 'host' }} all +relation_access 0.0.0.0/0 md5
+    {%- else %}
     - {{ 'hostssl' if enable_tls else 'host' }} all all 0.0.0.0/0 md5
+    {%- endif %}
+    - {{ 'hostssl' if enable_tls else 'host' }} replication replication 127.0.0.1/32 md5
     # Allow replications connections from other cluster members.
     {%- for endpoint in extra_replication_endpoints %}
     - {{ 'hostssl' if enable_tls else 'host' }} replication replication {{ endpoint }}/32 md5

tests/unit/test_charm.py

@@ -1301,6 +1301,7 @@ def test_update_config(harness):
         _render_patroni_yml_file.assert_called_once_with(
             connectivity=True,
             is_creating_backup=False,
+            enable_ldap=False,
             enable_tls=False,
             backup_id=None,
             stanza=None,
@@ -1325,6 +1326,7 @@ def test_update_config(harness):
         _render_patroni_yml_file.assert_called_once_with(
             connectivity=True,
             is_creating_backup=False,
+            enable_ldap=False,
             enable_tls=True,
             backup_id=None,
             stanza=None,
@@ -2845,3 +2847,35 @@ def test_on_promote_to_primary(harness):
         harness.charm._on_promote_to_primary(event)
         _raft_reinitialisation.assert_called_once_with()
         assert harness.charm.unit_peer_data["raft_candidate"] == "True"
+
+
+def test_get_ldap_parameters(harness):
+    with (
+        patch("charm.PostgreSQLLDAP.get_relation_data") as _get_relation_data,
+        patch(
+            target="charm.PostgresqlOperatorCharm.is_cluster_initialised",
+            new_callable=PropertyMock,
+            return_value=True,
+        ) as _cluster_initialised,
+    ):
+        with harness.hooks_disabled():
+            harness.update_relation_data(
+                harness.model.get_relation(PEER).id,
+                harness.charm.app.name,
+                {"ldap_enabled": "False"},
+            )
+
+        harness.charm.get_ldap_parameters()
+        _get_relation_data.assert_not_called()
+        _get_relation_data.reset_mock()
+
+        with harness.hooks_disabled():
+            harness.update_relation_data(
+                harness.model.get_relation(PEER).id,
+                harness.charm.app.name,
+                {"ldap_enabled": "True"},
+            )
+
+        harness.charm.get_ldap_parameters()
+        _get_relation_data.assert_called_once()
+        _get_relation_data.reset_mock()

tests/unit/test_cluster.py

@@ -181,6 +181,24 @@ def test_get_postgresql_version(peers_ips, patroni):
         _get_installed_snaps.assert_called_once_with()
 
 
+def test_dict_to_hba_string(harness, patroni):
+    mock_data = {
+        "ldapbasedn": "dc=example,dc=net",
+        "ldapbinddn": "cn=serviceuser,dc=example,dc=net",
+        "ldapbindpasswd": "password",
+        "ldaptls": False,
+        "ldapurl": "ldap://0.0.0.0:3893",
+    }
+
+    assert patroni._dict_to_hba_string(mock_data) == (
+        'ldapbasedn="dc=example,dc=net" '
+        'ldapbinddn="cn=serviceuser,dc=example,dc=net" '
+        'ldapbindpasswd="password" '
+        "ldaptls=0 "
+        'ldapurl="ldap://0.0.0.0:3893"'
+    )
+
+
 def test_get_primary(peers_ips, patroni):
     with (
         patch("requests.get", side_effect=mocked_requests_get) as _get,