From d8ed3275432ec7d9cb87fc588823228fa6fc8d3b Mon Sep 17 00:00:00 2001
From: lecorguille <gildas.le.corguille@gmail.com>
Date: Wed, 15 May 2019 14:57:08 +0200
Subject: [PATCH 1/5] add auth_conf.xml.sample

---
 templates/auth_conf.xml.sample | 128 +++++++++++++++++++++++++++++++++
 1 file changed, 128 insertions(+)
 create mode 100644 templates/auth_conf.xml.sample

diff --git a/templates/auth_conf.xml.sample b/templates/auth_conf.xml.sample
new file mode 100644
index 0000000..34d3069
--- /dev/null
+++ b/templates/auth_conf.xml.sample
@@ -0,0 +1,128 @@
+<?xml version="1.0"?>
+<auth>
+<!--<authenticator>
+        <type>ldap</type>
+-->
+        <!-- Replacement fields: instances of {email}, {username} and {password}
+             are replaced with the corresponding user's values inside the
+             <filter>, <server>, <ldap-options>, <search-fields>,
+             <search-filter>, <search-base>, <search-user> and <search-password>
+             elements. -->
+        <!-- Filter users for which this authenticator applies. This is a Python
+             expression which is evaluated after field replacement. -->
+<!--    <filter>'{email}'.endswith('@example.com')</filter>
+        <options>
+-->
+            <!-- Whether to allow user registration. Possible values are True,
+                 False and Challenge (i.e. allow registration in case of
+                 successful authentication). Default is True. -->
+<!--        <allow-register>False</allow-register>
+-->
+            <!-- Whether Galaxy should automatically register users when they
+                 first login. Default is False. -->
+<!--        <auto-register>True</auto-register>
+-->
+            <!-- Whether users are allowed to change their password. Default is
+                 False. -->
+<!--        <allow-password-change>False</allow-password-change>
+-->
+            <!-- Whether roles should be automatically created if
+                 the attribute specified under auto-register-roles can be found.
+                 Default is False. -->
+<!--        <auto-create-roles>False</auto-create-roles>
+-->
+            <!-- Whether groups should be automatically created if
+                 the attribute specified under auto-register-roles can be found.
+                 Can be used in combination with auto-create-roles
+                 Default is False. -->
+<!--        <auto-create-groups>False</auto-create-groups>
+-->
+            <!-- If set, roles will be assigned to the auto generated groups,
+            not to the individual users. Can only be used if auto-create-roles and
+            auto-create-groups are True. Default is False. -->
+<!--        <auto-assign-roles-to-groups-only>False</auto-assign-roles-to-groups-only>
+-->
+
+            <!-- LDAP-specific options -->
+<!--        <server>ldap://dc1.example.com</server>
+-->
+            <!-- Additional options for the LDAP connection. The syntax is:
+                 option1=value1,option2=value2,...
+                 Options and values should match those from the python-ldap
+                 documentation.
+                 The following example allows connecting to ldaps:// (SSL/TLS)
+                 when self-signed certificates are used -->
+<!--        <ldap-options>OPT_X_TLS_REQUIRE_CERT=OPT_X_TLS_ALLOW</ldap-options>
+-->
+            <!-- Whether unregistered users should use their LDAP username
+                 instead of the email at their first login when auto-register is
+                 True. Default is False. -->
+<!--        <login-use-username>False</login-use-username>
+-->
+            <!-- Whether to continue with the following authenticators if LDAP
+                 fails. Default is False. -->
+<!--        <continue-on-failure>False</continue-on-failure>
+-->
+            <!-- If search-fields is not specified, all other search-* elements
+                 are ignored.
+                 If search-user is not specified, Galaxy will bind anonymously
+                 to the LDAP server for search. -->
+            <!-- For Active Directory: -->
+<!--        <search-fields>sAMAccountName,mail</search-fields>
+            <search-base>dc=dc1,dc=example,dc=com</search-base>
+-->
+            <!-- If login-use-username is False -->
+<!--        <search-filter>(&amp;(objectClass=user)(mail={email}))</search-filter>
+-->
+            <!-- If login-use-username is True -->
+<!--        <search-filter>(&amp;(objectClass=user)(sAMAccountName={username}))</search-filter>
+-->
+<!--        <search-user>jsmith@dc1.example.com</search-user>
+            <search-password>mysecret</search-password>
+-->
+            <!-- For OpenLDAP: -->
+<!--        <search-fields>uid,mail</search-fields>
+            <search-base>ou=People,dc=example,dc=com</search-base>
+-->
+            <!-- If login-use-username is False -->
+<!--        <search-filter>(mail={email})</search-filter>
+-->
+            <!-- If login-use-username is True -->
+<!--        <search-filter>(uid={username})</search-filter>
+-->
+<!--        <search-user>cn=jsmith,ou=People,dc=domain,dc=com</search-user>
+            <search-password>mysecret</search-password>
+-->
+
+            <!-- Replacement fields: instances of {email}, {username},
+                 {password}, {dn} plus all fields defined in <search-fields> are
+                 replaced with the corresponding user's values inside the
+                 <bind-user>, <bind-password>, <auto-register-username> and
+                 <auto-register-email> elements. -->
+            <!-- For Active Directory: -->
+<!--        <bind-user>{sAMAccountName}@dc1.example.com</bind-user>
+            <bind-password>{password}</bind-password>
+            <auto-register-username>{sAMAccountName}</auto-register-username>
+            <auto-register-email>{mail}</auto-register-email>
+            <auto-register-roles>{gidNumber}</auto-register-roles>
+-->
+            <!-- For OpenLDAP: -->
+<!--        <bind-user>{dn}</bind-user>
+            <bind-password>{password}</bind-password>
+            <auto-register-username>{uid}</auto-register-username>
+            <auto-register-email>{mail}</auto-register-email>
+            <auto-register-roles>{gid}</auto-register-roles>
+-->
+<!--    </options>
+    </authenticator>
+-->
+
+    <authenticator>
+        <type>localdb</type>
+        <options>
+            <!-- Whether users are allowed to change their password. Default is
+                 False. -->
+            <allow-password-change>true</allow-password-change>
+        </options>
+    </authenticator>
+</auth>

From b603581baf05640edcadfed0b851d0ca0f7b8c6f Mon Sep 17 00:00:00 2001
From: lecorguille <gildas.le.corguille@gmail.com>
Date: Wed, 15 May 2019 14:57:56 +0200
Subject: [PATCH 2/5] auth_conf.xml.sample to j2

---
 templates/{auth_conf.xml.sample => auth_conf.xml.j2} | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename templates/{auth_conf.xml.sample => auth_conf.xml.j2} (100%)

diff --git a/templates/auth_conf.xml.sample b/templates/auth_conf.xml.j2
similarity index 100%
rename from templates/auth_conf.xml.sample
rename to templates/auth_conf.xml.j2

From 17d5dffa822e31215f3d560f434aa3ea2ed24cc3 Mon Sep 17 00:00:00 2001
From: lecorguille <gildas.le.corguille@gmail.com>
Date: Wed, 15 May 2019 16:19:12 +0200
Subject: [PATCH 3/5] auth_conf.xml template and task

---
 defaults/main.yml          |  32 ++++++++
 tasks/conf_template.yml    |  17 ++++
 tasks/main.yml             |   6 ++
 templates/auth_conf.xml.j2 | 162 +++++++++++++++++++++----------------
 4 files changed, 149 insertions(+), 68 deletions(-)
 create mode 100644 tasks/conf_template.yml

diff --git a/defaults/main.yml b/defaults/main.yml
index 434f473..b49ad6c 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -17,6 +17,7 @@ galaxy_manage_database: yes
 galaxy_fetch_dependencies: yes
 galaxy_build_client: yes
 galaxy_manage_errordocs: no
+galaxy_conf_template_setup: no
 galaxy_backup_configfiles: yes
 
 #
@@ -257,3 +258,34 @@ galaxy_uwsgi_config_default:
 # Options include: client / client-production / client-production-maps (default)
 galaxy_client_make_target: client-production-maps
 
+#
+# Authentification configuration
+# authen_conf.xml
+# https://github.com/galaxyproject/galaxy/blob/dev/config/auth_conf.xml.sample
+#
+galaxy_auth:
+  authenticator:
+    localdb:
+      allow-password-change: True
+    ldap:
+      filter: '{email}'.endswith('@example.com')
+      allow-register: True
+      auto-register: False
+      allow-password-change: False
+      auto-create-roles: False
+      auto-create-groups: False
+      auto-assign-roles-to-groups-only: False
+      server: ldap://dc1.example.com
+      ldap-options: OPT_X_TLS_REQUIRE_CERT=OPT_X_TLS_ALLOW
+      login-use-username: False
+      continue-on-failure: False
+      search-fields: uid,mail
+      search-base: ou=People,dc=example,dc=com
+      search-filter: (mail={email})
+      search-user: cn=jsmith,ou=People,dc=domain,dc=com
+      search-password: mysecret
+      bind-user: {dn}
+      bind-password: {password}
+      auto-register-username: {uid}
+      auto-register-email: {mail}
+      auto-register-roles: {gid}
diff --git a/tasks/conf_template.yml b/tasks/conf_template.yml
new file mode 100644
index 0000000..aa82574
--- /dev/null
+++ b/tasks/conf_template.yml
@@ -0,0 +1,17 @@
+---
+# Manage some Galaxy configuration files
+
+- name: Configuration files from templates setup
+  block:
+
+    - name: Create Galaxy auth_conf.xml file
+      template:
+        src: "auth_conf.xml.j2"
+        dest: "{{ galaxy_config_file }}"
+        backup: "{{ galaxy_backup_configfiles }}"
+      notify:
+        - "{{ galaxy_restart_handler_name | default('default restart galaxy handler') }}"
+
+  remote_user: "{{ galaxy_remote_users.errdocs | default(omit) }}"
+  become: "{{ true if galaxy_become_users.errdocs is defined else __galaxy_become }}"
+  become_user: "{{ galaxy_become_users.errdocs | default(ansible_user_id) }}"
diff --git a/tasks/main.yml b/tasks/main.yml
index e58fa5f..d9e2195 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -75,3 +75,9 @@
   when: galaxy_manage_errordocs
   tags:
     - galaxy_manage_errordocs
+
+- name: Include configuration files from templates setup
+  include_tasks: conf_template.yml
+  when: galaxy_conf_template_setup
+  tags:
+    - galaxy_conf_template_setup
diff --git a/templates/auth_conf.xml.j2 b/templates/auth_conf.xml.j2
index 34d3069..2f897a3 100644
--- a/templates/auth_conf.xml.j2
+++ b/templates/auth_conf.xml.j2
@@ -1,8 +1,17 @@
 <?xml version="1.0"?>
+<!--
+%
+% This file is managed by Ansible.
+% Do not edit this file manually.
+% Any changes will be automatically reverted.
+%
+-->
 <auth>
-<!--<authenticator>
+{% if 'ldap' in galaxy_auth['authenticator'] %}
+    <authenticator>
         <type>ldap</type>
--->
+        {% set ldap = galaxy_auth['authenticator']['ldap'] %}
+
         <!-- Replacement fields: instances of {email}, {username} and {password}
              are replaced with the corresponding user's values inside the
              <filter>, <server>, <ldap-options>, <search-fields>,
@@ -10,119 +19,136 @@
              elements. -->
         <!-- Filter users for which this authenticator applies. This is a Python
              expression which is evaluated after field replacement. -->
-<!--    <filter>'{email}'.endswith('@example.com')</filter>
+    {% if ldap['filter'] is defined %}
+        <filter>ldap['filter']</filter>
+    {% endif %}
         <options>
--->
+
             <!-- Whether to allow user registration. Possible values are True,
                  False and Challenge (i.e. allow registration in case of
                  successful authentication). Default is True. -->
-<!--        <allow-register>False</allow-register>
--->
+        {% if ldap['allow-register'] is defined %}
+            <allow-register>ldap['allow-register']</allow-register>
+        {% endif %}
+
             <!-- Whether Galaxy should automatically register users when they
                  first login. Default is False. -->
-<!--        <auto-register>True</auto-register>
--->
+        {% if ldap['auto-register'] is defined %}
+            <auto-register>ldap['auto-register']</auto-register>
+        {% endif %}
+
             <!-- Whether users are allowed to change their password. Default is
                  False. -->
-<!--        <allow-password-change>False</allow-password-change>
--->
+         {% if ldap['allow-password-change'] is defined %}
+             <allow-password-change>ldap['allow-password-change']</allow-password-change>
+         {% endif %}
+
             <!-- Whether roles should be automatically created if
                  the attribute specified under auto-register-roles can be found.
                  Default is False. -->
-<!--        <auto-create-roles>False</auto-create-roles>
--->
+        {% if ldap['auto-create-roles'] is defined %}
+            <auto-create-roles>ldap['auto-create-roles']</auto-create-roles>
+        {% endif %}
+
             <!-- Whether groups should be automatically created if
                  the attribute specified under auto-register-roles can be found.
                  Can be used in combination with auto-create-roles
                  Default is False. -->
-<!--        <auto-create-groups>False</auto-create-groups>
--->
+        {% if ldap['auto-create-groups'] is defined %}
+            <auto-create-groups>ldap['auto-create-groups']</auto-create-groups>
+        {% endif %}
+
             <!-- If set, roles will be assigned to the auto generated groups,
             not to the individual users. Can only be used if auto-create-roles and
             auto-create-groups are True. Default is False. -->
-<!--        <auto-assign-roles-to-groups-only>False</auto-assign-roles-to-groups-only>
--->
+        {% if ldap['auto-assign-roles-to-groups-only'] is defined %}
+            <auto-assign-roles-to-groups-only>ldap['auto-assign-roles-to-groups-only']</auto-assign-roles-to-groups-only>
+        {% endif %}
 
             <!-- LDAP-specific options -->
-<!--        <server>ldap://dc1.example.com</server>
--->
+        {% if ldap['server'] is defined %}
+            <server>ldap['server']</server>
+        {% endif %}
+
             <!-- Additional options for the LDAP connection. The syntax is:
                  option1=value1,option2=value2,...
                  Options and values should match those from the python-ldap
                  documentation.
                  The following example allows connecting to ldaps:// (SSL/TLS)
                  when self-signed certificates are used -->
-<!--        <ldap-options>OPT_X_TLS_REQUIRE_CERT=OPT_X_TLS_ALLOW</ldap-options>
--->
+        {% if ldap['ldap-options'] is defined %}
+            <ldap-options>ldap['ldap-options']</ldap-options>
+        {% endif %}
+
             <!-- Whether unregistered users should use their LDAP username
                  instead of the email at their first login when auto-register is
                  True. Default is False. -->
-<!--        <login-use-username>False</login-use-username>
--->
+        {% if ldap['login-use-username'] is defined %}
+            <login-use-username>ldap['login-use-username']</login-use-username>
+        {% endif %}
+
             <!-- Whether to continue with the following authenticators if LDAP
                  fails. Default is False. -->
-<!--        <continue-on-failure>False</continue-on-failure>
--->
+        {% if ldap['continue-on-failure'] is defined %}
+            <continue-on-failure>ldap['continue-on-failure']</continue-on-failure>
+        {% endif %}
+
             <!-- If search-fields is not specified, all other search-* elements
                  are ignored.
                  If search-user is not specified, Galaxy will bind anonymously
                  to the LDAP server for search. -->
-            <!-- For Active Directory: -->
-<!--        <search-fields>sAMAccountName,mail</search-fields>
-            <search-base>dc=dc1,dc=example,dc=com</search-base>
--->
-            <!-- If login-use-username is False -->
-<!--        <search-filter>(&amp;(objectClass=user)(mail={email}))</search-filter>
--->
-            <!-- If login-use-username is True -->
-<!--        <search-filter>(&amp;(objectClass=user)(sAMAccountName={username}))</search-filter>
--->
-<!--        <search-user>jsmith@dc1.example.com</search-user>
-            <search-password>mysecret</search-password>
--->
-            <!-- For OpenLDAP: -->
-<!--        <search-fields>uid,mail</search-fields>
-            <search-base>ou=People,dc=example,dc=com</search-base>
--->
-            <!-- If login-use-username is False -->
-<!--        <search-filter>(mail={email})</search-filter>
--->
-            <!-- If login-use-username is True -->
-<!--        <search-filter>(uid={username})</search-filter>
--->
-<!--        <search-user>cn=jsmith,ou=People,dc=domain,dc=com</search-user>
-            <search-password>mysecret</search-password>
--->
+        {% if ldap['search-fields'] is defined %}
+            <search-fields>ldap['search-fields']</search-fields>
+        {% endif %}
+        {% if ldap['search-base'] is defined %}
+            <search-base>ldap['search-base']</search-base>
+        {% endif %}
+
+        {% if ldap['search-filter'] is defined %}
+            <search-filter>ldap['search-filter']</search-filter>
+        {% endif %}
+
+        {% if ldap['search-user'] is defined %}
+            <search-user>ldap['search-user']</search-user>
+        {% endif %}
+        {% if ldap['search-password'] is defined %}
+            <search-password>ldap['search-password']</search-password>
+        {% endif %}
+
 
             <!-- Replacement fields: instances of {email}, {username},
                  {password}, {dn} plus all fields defined in <search-fields> are
                  replaced with the corresponding user's values inside the
                  <bind-user>, <bind-password>, <auto-register-username> and
                  <auto-register-email> elements. -->
-            <!-- For Active Directory: -->
-<!--        <bind-user>{sAMAccountName}@dc1.example.com</bind-user>
-            <bind-password>{password}</bind-password>
-            <auto-register-username>{sAMAccountName}</auto-register-username>
-            <auto-register-email>{mail}</auto-register-email>
-            <auto-register-roles>{gidNumber}</auto-register-roles>
--->
-            <!-- For OpenLDAP: -->
-<!--        <bind-user>{dn}</bind-user>
-            <bind-password>{password}</bind-password>
-            <auto-register-username>{uid}</auto-register-username>
-            <auto-register-email>{mail}</auto-register-email>
-            <auto-register-roles>{gid}</auto-register-roles>
--->
-<!--    </options>
-    </authenticator>
--->
+        {% if ldap['bind-user'] is defined %}
+             <bind-user>ldap['bind-user']</bind-user>
+        {% endif %}
+        {% if ldap['bind-password'] is defined %}
+             <bind-password>ldap['bind-password']</bind-password>
+        {% endif %}
+        {% if ldap['auto-register-username'] is defined %}
+             <auto-register-username>ldap['auto-register-username']</auto-register-username>
+        {% endif %}
+        {% if ldap['auto-register-email'] is defined %}
+             <auto-register-email>ldap['auto-register-email']</auto-register-email>
+        {% endif %}
+        {% if ldap['auto-register-roles'] is defined %}
+             <auto-register-roles>ldap['auto-register-roles']</auto-register-roles>
+        {% endif %}
 
+        </options>
+    </authenticator>
+{% endif %}
+{% if 'localdb' in galaxy_auth['authenticator'] %}
     <authenticator>
         <type>localdb</type>
+        {% set localdb = galaxy_auth['authenticator']['localdb'] %}
         <options>
             <!-- Whether users are allowed to change their password. Default is
                  False. -->
-            <allow-password-change>true</allow-password-change>
+            <allow-password-change>{{ localdb['allow-password-change']|default("True", true) }}</allow-password-change>
         </options>
     </authenticator>
+{% endif %}
 </auth>

From c41ecfebe5976f8913dfaab346eef915971c76f0 Mon Sep 17 00:00:00 2001
From: lecorguille <gildas.le.corguille@gmail.com>
Date: Wed, 15 May 2019 16:32:24 +0200
Subject: [PATCH 4/5] auth_cong comment ldap settings

---
 defaults/main.yml | 44 ++++++++++++++++++++++----------------------
 1 file changed, 22 insertions(+), 22 deletions(-)

diff --git a/defaults/main.yml b/defaults/main.yml
index b49ad6c..0a10186 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -267,25 +267,25 @@ galaxy_auth:
   authenticator:
     localdb:
       allow-password-change: True
-    ldap:
-      filter: '{email}'.endswith('@example.com')
-      allow-register: True
-      auto-register: False
-      allow-password-change: False
-      auto-create-roles: False
-      auto-create-groups: False
-      auto-assign-roles-to-groups-only: False
-      server: ldap://dc1.example.com
-      ldap-options: OPT_X_TLS_REQUIRE_CERT=OPT_X_TLS_ALLOW
-      login-use-username: False
-      continue-on-failure: False
-      search-fields: uid,mail
-      search-base: ou=People,dc=example,dc=com
-      search-filter: (mail={email})
-      search-user: cn=jsmith,ou=People,dc=domain,dc=com
-      search-password: mysecret
-      bind-user: {dn}
-      bind-password: {password}
-      auto-register-username: {uid}
-      auto-register-email: {mail}
-      auto-register-roles: {gid}
+    # ldap:
+    #   filter: "'{email}'.endswith('@example.com')"
+    #   allow-register: True
+    #   auto-register: False
+    #   allow-password-change: False
+    #   auto-create-roles: False
+    #   auto-create-groups: False
+    #   auto-assign-roles-to-groups-only: False
+    #   server: "ldap://dc1.example.com"
+    #   ldap-options: "OPT_X_TLS_REQUIRE_CERT=OPT_X_TLS_ALLOW"
+    #   login-use-username: False
+    #   continue-on-failure: False
+    #   search-fields: "uid,mail"
+    #   search-base: "ou=People,dc=example,dc=com"
+    #   search-filter: "(mail={email})"
+    #   search-user: "cn=jsmith,ou=People,dc=domain,dc=com"
+    #   search-password: "mysecret"
+    #   bind-user: "{dn}"
+    #   bind-password: "{password}"
+    #   auto-register-username: "{uid}"
+    #   auto-register-email: "{mail}"
+    #   auto-register-roles: "{gid}"

From 6846b4135c131819aa0c5ea4d34b9f8dfd2c253a Mon Sep 17 00:00:00 2001
From: lecorguille <gildas.le.corguille@gmail.com>
Date: Sun, 30 Jun 2019 09:24:04 +0200
Subject: [PATCH 5/5] auth - remove the task since it existed

---
 defaults/main.yml       |  1 -
 tasks/conf_template.yml | 17 -----------------
 tasks/main.yml          |  6 ------
 3 files changed, 24 deletions(-)
 delete mode 100644 tasks/conf_template.yml

diff --git a/defaults/main.yml b/defaults/main.yml
index 0a10186..0accaa5 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -17,7 +17,6 @@ galaxy_manage_database: yes
 galaxy_fetch_dependencies: yes
 galaxy_build_client: yes
 galaxy_manage_errordocs: no
-galaxy_conf_template_setup: no
 galaxy_backup_configfiles: yes
 
 #
diff --git a/tasks/conf_template.yml b/tasks/conf_template.yml
deleted file mode 100644
index aa82574..0000000
--- a/tasks/conf_template.yml
+++ /dev/null
@@ -1,17 +0,0 @@
----
-# Manage some Galaxy configuration files
-
-- name: Configuration files from templates setup
-  block:
-
-    - name: Create Galaxy auth_conf.xml file
-      template:
-        src: "auth_conf.xml.j2"
-        dest: "{{ galaxy_config_file }}"
-        backup: "{{ galaxy_backup_configfiles }}"
-      notify:
-        - "{{ galaxy_restart_handler_name | default('default restart galaxy handler') }}"
-
-  remote_user: "{{ galaxy_remote_users.errdocs | default(omit) }}"
-  become: "{{ true if galaxy_become_users.errdocs is defined else __galaxy_become }}"
-  become_user: "{{ galaxy_become_users.errdocs | default(ansible_user_id) }}"
diff --git a/tasks/main.yml b/tasks/main.yml
index d9e2195..e58fa5f 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -75,9 +75,3 @@
   when: galaxy_manage_errordocs
   tags:
     - galaxy_manage_errordocs
-
-- name: Include configuration files from templates setup
-  include_tasks: conf_template.yml
-  when: galaxy_conf_template_setup
-  tags:
-    - galaxy_conf_template_setup