GoogleCloudPlatform
diff --git a/‎README.md‎
Lines changed: 22 additions & 6 deletions b/‎README.md‎
Lines changed: 22 additions & 6 deletions
diff --git a/‎app.py‎
Lines changed: 29 additions & 9 deletions b/‎app.py‎
Lines changed: 29 additions & 9 deletions
diff --git a/‎iam_groups_authn/mysql.py‎
Lines changed: 14 additions & 13 deletions b/‎iam_groups_authn/mysql.py‎
Lines changed: 14 additions & 13 deletions
diff --git a/‎iam_groups_authn/postgres.py‎
Lines changed: 160 additions & 0 deletions b/‎iam_groups_authn/postgres.py‎
Lines changed: 160 additions & 0 deletions
@@ -4,7 +4,13 @@
 This project is a self-deployed service that provides support for managing [Cloud SQL IAM Database Authentication](https://cloud.google.com/sql/docs/mysql/authentication) for groups. This service leverages [Cloud Run](https://cloud.google.com/run), [Cloud Scheduler](https://cloud.google.com/scheduler), and the [Cloud SQL Python Connector](https://github.com/googlecloudplatform/cloud-sql-python-connector) to consistently update and sync Cloud SQL instances based on IAM groups. It will create missing database IAM users, GRANT roles to database IAM users based on their IAM groups, and REVOKE roles from database IAM users no longer in IAM groups.
 
 ## Supported Databases
-Currently only **MySQL 8.0** databases are supported.
+Currently only the following databases are supported:
+- **MySQL 8.0**
+- **PostgreSQL 13**
+- **PostgreSQL 12**
+- **PostgreSQL 11**
+- **PostgreSQL 10**
+- **PostgreSQL 9.6**
 
 ## Overview
 The Cloud SQL IAM Database Authentication for Groups service at an overview is made of Cloud Scheduler Job(s) and Cloud Run instance(s). 
@@ -141,7 +147,7 @@ To properly manage the database users on each Cloud SQL instance that is configu
 Add the service account as an IAM authenticated database user on each Cloud SQL instance that needs managing through IAM groups. Can be done both manually through the Google Cloud Console or through the following `gcloud` command.
 
 Replace the following values:
-- `SERVICE_ACCOUNT_EMAIL`: The email address for the service account.
+- `SERVICE_ACCOUNT_EMAIL`: The email address for the service account. (**NOTE**: For Postgres instances, remove the `.gserviceaccount.com` suffix from service account email.)
 - `INSTANCE_NAME`: The name of a Cloud SQL instance.
 ```
 gcloud sql users create <SERVICE_ACCOUNT_EMAIL> \
@@ -156,7 +162,8 @@ Connect to all Cloud SQL instances in question with an admin user or another dat
 
 Once connected, grant the service account IAM database user the following permissions:
 
-Replace the following values in the above commands:
+#### MySQL Instance
+Replace the following values in the below commands:
 - `SERVICE_ACCOUNT_ID`: The ID (name) for the service account (everything before the **@** portion of email)
 Allow the service account to read database users and their roles.
 ```
@@ -173,6 +180,15 @@ Allow the service account to **GRANT/REVOKE** roles to users through being a **R
 GRANT ROLE_ADMIN ON *.* TO '<SERVICE_ACCOUNT_ID>';
 ```
 
+#### PostgreSQL Instance
+Postgres allows a role or user to easily be granted the appropriate permissions for **CREATE**, and **GRANT/REVOKE** that are needed for creating and managing the group roles for IAM groups with one single command.
+
+Replace the following values:
+- `SERVICE_ACCOUNT_EMAIL`: The email address for the service account with the `.gserviceaccount.com` suffix removed.
+```
+ALTER ROLE "<SERVICE_ACCOUNT_EMAIL>" WITH CREATEROLE;
+```
+
 ## Deploying to Cloud Run
 To build and deploy the service to Cloud Run, run the following commands:
 
@@ -189,7 +205,7 @@ gcloud builds submit \
 Deploy Cloud Run Service from container image:
 
 Replace the following values:
-- `SERVICE_ACCOUNT_EMAIL`: The email address for the service account.
+- `SERVICE_ACCOUNT_EMAIL`: The email address for the service account created above.
 - `PROJECT_ID`: The Google Cloud project ID.
 ```
 gcloud run deploy iam-db-authn-groups \
@@ -234,7 +250,7 @@ An example command creating a Cloud Scheduler job to run the IAM database authen
 Replace the following values:
 - `JOB_NAME`: The name for the Cloud Scheduler job.
 - `SERVICE_URL`: The service URL of the Cloud Run service.
-- `SERVICE_ACCOUNT_EMAIL`: The email address for the service account.
+- `SERVICE_ACCOUNT_EMAIL`: The email address for the service account created above.
 - `PATH_TO_PAYLOAD`: Path to payload JSON file.
 ```
 gcloud scheduler jobs create http \
@@ -264,7 +280,7 @@ The name of the mapped IAM group database role is the email of the IAM group wit
 
 The service verifies that a group role exists or creates one on the database if it does not exist. It is recommended to configure the Cloud Scheduler job(s) and after having it triggered **at least** once, have a Database Administrator or project admin verify the creation of the group roles and **GRANT** the group roles the appropriate privileges on each Cloud SQL instance that should be inherited by database users of those IAM groups on all consecutive Cloud Scheduler runs. 
 
-To verify the creation of group roles after Cloud Scheduler has triggered at least once, the following command can be run:
+To verify the creation of group roles after Cloud Scheduler has triggered at least once, the following command can be run for **MySQL** instances (**PostgreSQL** instances require connecting to the database to verify):
 
 Replace the following values:
 - `INSTANCE_NAME`: The name of a Cloud SQL instance that was configured in the Cloud Scheduler JSON payload.
 
@@ -31,15 +31,22 @@
     InstanceConnectionName,
 )
 from iam_groups_authn.iam_admin import get_iam_users
-from iam_groups_authn.mysql import init_connection_engine, RoleService, mysql_username
+from iam_groups_authn.utils import DatabaseVersion
+from iam_groups_authn.mysql import (
+    init_mysql_connection_engine,
+    MysqlRoleService,
+    mysql_username,
+)
+from iam_groups_authn.postgres import (
+    init_postgres_connection_engine,
+    PostgresRoleService,
+)
 
 # define scopes
 SCOPES = [
     "https://www.googleapis.com/auth/admin.directory.group.member.readonly",
     "https://www.googleapis.com/auth/sqlservice.admin",
 ]
-# supported database types
-SUPPORTED_DATABASES = ["MYSQL_8_0"]
 
 app = Quart(__name__)
 
@@ -125,10 +132,12 @@ async def run_groups_authn():
 
             # get database version of instance and check if supported
             database_version = await instance_tasks[instance][1]
-            if database_version not in SUPPORTED_DATABASES:
+            try:
+                database_version = DatabaseVersion(database_version)
+            except ValueError as e:
                 raise ValueError(
-                    f"Unsupported database version for instance `{instance}`. Current supported versions are: {SUPPORTED_DATABASES}"
-                )
+                    f"Unsupported database version for instance `{instance}`. Current supported versions are: {list(DatabaseVersion.__members__.keys())}"
+                ) from e
 
             # add missing IAM group members to database
             add_users_task = asyncio.create_task(
@@ -137,12 +146,21 @@ async def run_groups_authn():
                     group_tasks[group],
                     instance_tasks[instance][0],
                     instance,
+                    database_version,
                 )
             )
 
-            # initialize database engine
-            db = init_connection_engine(instance, updated_creds, ip_type)
-            role_service = RoleService(db)
+            # initialize database connection pool
+            if database_version.is_mysql():
+                db = init_mysql_connection_engine(instance, updated_creds, ip_type)
+                role_service = MysqlRoleService(db)
+            else:
+                db = init_postgres_connection_engine(instance, updated_creds, ip_type)
+                role_service = PostgresRoleService(db)
+            logging.debug(
+                "[%s][%s] Initialized a %s connection pool."
+                % (instance, group, database_version.value)
+            )
 
             # verify role for IAM group exists on database, create if does not exist
             role = mysql_username(group)
@@ -176,6 +194,7 @@ async def run_groups_authn():
                     role,
                     users_with_roles_task,
                     group_tasks[group],
+                    database_version,
                 )
             )
 
@@ -186,6 +205,7 @@ async def run_groups_authn():
                     role,
                     users_with_roles_task,
                     group_tasks[group],
+                    database_version,
                 )
             )
             results = await asyncio.gather(
 
@@ -18,7 +18,7 @@
 import sqlalchemy
 from google.cloud.sql.connector import connector
 from google.cloud.sql.connector.instance_connection_manager import IPTypes
-from iam_groups_authn.utils import async_wrap
+from iam_groups_authn.utils import RoleService, async_wrap
 from google.auth.transport.requests import Request
 
 
@@ -38,11 +38,11 @@ def mysql_username(iam_email):
     return username
 
 
-class RoleService:
-    """Class for managing a DB user's role grants."""
+class MysqlRoleService(RoleService):
+    """Class for managing a MySQL DB user's role grants."""
 
     def __init__(self, db):
-        """Initialize a RoleService object.
+        """Initialize a MysqlRoleService object.
 
         Args:
             db: Database connection object.
@@ -59,12 +59,13 @@ def fetch_role_grants(self, group_name):
         Returns:
             results: List of results for given query.
         """
+        # mysql query to get users with group role
+        stmt = sqlalchemy.text(
+            "SELECT FROM_USER, TO_USER FROM mysql.role_edges WHERE FROM_USER= :group_name"
+        )
         # create connection to db instance
         with self.db.connect() as db_connection:
-            # query role_edges table
-            stmt = sqlalchemy.text(
-                "SELECT FROM_USER, TO_USER FROM mysql.role_edges WHERE FROM_USER= :group_name"
-            )
+            # query users with roles
             results = db_connection.execute(stmt, {"group_name": group_name}).fetchall()
         return results
 
@@ -78,9 +79,8 @@ def create_group_role(self, role):
         Args:
             role: Name of group role to be verified or created as new role.
         """
-        # create connection to db instance
+        stmt = sqlalchemy.text("CREATE ROLE IF NOT EXISTS :role")
         with self.db.connect() as db_connection:
-            stmt = sqlalchemy.text("CREATE ROLE IF NOT EXISTS :role")
             db_connection.execute(stmt, {"role": role})
 
     @async_wrap
@@ -116,8 +116,10 @@ def revoke_group_role(self, role, users):
                 db_connection.execute(stmt, {"role": role, "user": user})
 
 
-def init_connection_engine(instance_connection_name, creds, ip_type=IPTypes.PUBLIC):
-    """Configure and initialize database connection pool.
+def init_mysql_connection_engine(
+    instance_connection_name, creds, ip_type=IPTypes.PUBLIC
+):
+    """Configure and initialize MySQL database connection pool.
 
     Configures the parameters for the database connection pool. Initiliazes the
     database connection pool using the Cloud SQL Python Connector.
@@ -145,7 +147,6 @@ def init_connection_engine(instance_connection_name, creds, ip_type=IPTypes.PUBL
 
     # service account email to access DB, mysql truncates usernames to before '@' sign
     service_account_email = mysql_username(creds.service_account_email)
-
     # build connection for db using Python Connector
     connection = lambda: connector.connect(
         instance_connection_name,
 
@@ -0,0 +1,160 @@
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# postgres.py contains all database specific functions for connecting
+# and querying a postgreSQL database
+
+import sqlalchemy
+from google.cloud.sql.connector import connector
+from google.cloud.sql.connector.instance_connection_manager import IPTypes
+from iam_groups_authn.utils import RoleService, async_wrap
+from google.auth.transport.requests import Request
+
+
+class PostgresRoleService(RoleService):
+    """Class for managing a Postgres DB user's role grants."""
+
+    def __init__(self, db):
+        """Initialize a PostgresRoleService object.
+
+        Args:
+            db: Database connection object.
+        """
+        self.db = db
+
+    @async_wrap
+    def fetch_role_grants(self, group_name):
+        """Fetch mappings of group roles granted to DB users.
+
+        Args:
+            group_name: IAM group name prefix of email that is used as group role.
+
+        Returns:
+            results: List of results for given query.
+        """
+        # postgres query to get users with group role
+        stmt = sqlalchemy.text(
+            "SELECT pg_roles.rolname, (SELECT pg_roles.rolname FROM pg_roles WHERE oid = pg_auth_members.member) FROM pg_roles, pg_auth_members WHERE pg_auth_members.roleid = (SELECT oid FROM pg_roles WHERE rolname= :group_name) and pg_roles.rolname= :group_name"
+        )
+        # create connection to db instance
+        with self.db.connect() as db_connection:
+            # query users with roles
+            results = db_connection.execute(stmt, {"group_name": group_name}).fetchall()
+        return results
+
+    @async_wrap
+    def create_group_role(self, role):
+        """Verify or create DB role.
+
+        Given a group role, verify existance of role on DB or create new role
+        to manage DB users.
+
+        Args:
+            role: Name of group role to be verified or created as new role.
+        """
+        # check if group role exists, otherwise create it
+        check_stmt = sqlalchemy.text("SELECT 1 FROM pg_roles WHERE rolname= :role")
+        stmt = sqlalchemy.text(f'CREATE ROLE "{role}"')
+        # create connection to db instance
+        with self.db.connect() as db_connection:
+            # check if role already exists
+            role_check = db_connection.execute(check_stmt, {"role": role}).fetchone()
+            # if role does not exist, create it
+            if not role_check:
+                db_connection.execute(stmt)
+
+    @async_wrap
+    def grant_group_role(self, role, users):
+        """Grant DB group role to DB users.
+
+        Given a DB group role and a list of DB users, grant the DB role to each user.
+
+        Args:
+            role: Name of DB role to grant to users.
+            users: List of DB users' usernames.
+        """
+        with self.db.connect() as db_connection:
+            # if there are users to grant group role to, grant role to users
+            if users:
+                users = '"' + '", "'.join(users) + '"'
+                stmt = sqlalchemy.text(f'GRANT "{role}" TO {users}')
+                db_connection.execute(stmt)
+
+    @async_wrap
+    def revoke_group_role(self, role, users):
+        """Revoke DB group role to DB users.
+
+        Given a DB group role and a list of DB users, revoke the DB role from each user.
+
+        Args:
+            role: Name of DB role to revoke from users.
+            users: List of DB users' usernames.
+        """
+        # create connection to db instance
+        with self.db.connect() as db_connection:
+            # if there are users to revoke group role from, revoke role from users
+            if users:
+                users = '"' + '", "'.join(users) + '"'
+                stmt = sqlalchemy.text(f'REVOKE "{role}" FROM {users}')
+                db_connection.execute(stmt)
+
+
+def init_postgres_connection_engine(
+    instance_connection_name, creds, ip_type=IPTypes.PUBLIC
+):
+    """Configure and initialize Postgres database connection pool.
+
+    Configures the parameters for the database connection pool. Initiliazes the
+    database connection pool using the Cloud SQL Python Connector.
+
+    Args:
+        instance_connection_name: Instance connection name of Cloud SQL instance.
+            (e.g. "<PROJECT-NAME>:<INSTANCE-REGION>:<INSTANCE-NAME>")
+        creds: Credentials to get OAuth2 access token from, needed for IAM service
+            account authentication to DB.
+        ip_type: IP address type for instance connection.
+            (IPTypes.PUBLIC or IPTypes.PRIVATE)
+    Returns:
+        A database connection pool instance.
+    """
+    db_config = {
+        "pool_size": 2,
+        "max_overflow": 2,
+        "pool_timeout": 30,  # 30 seconds
+        "pool_recycle": 1800,  # 30 minutes
+    }
+    # refresh credentials if not valid
+    if not creds.valid:
+        request = Request()
+        creds.refresh(request)
+
+    # service account to access DB, postgres removes suffix
+    service_account_email = (creds.service_account_email).removesuffix(
+        ".gserviceaccount.com"
+    )
+    # build connection for db using Python Connector
+    connection = lambda: connector.connect(
+        instance_connection_name,
+        "pg8000",
+        ip_types=ip_type,
+        user=service_account_email,
+        db="postgres",
+        enable_iam_auth=True,
+    )
+
+    # create connection pool
+    pool = sqlalchemy.create_engine(
+        "postgresql+pg8000://", creator=connection, **db_config
+    )
+    return pool