If we, for example, only synchronise groups matching group_*, but a user
was locally added to a group local_group, we don’t want to undo this.
For this reason, filter the existing groups the users are members of,
and only act on the group we care about.
Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>

Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>

Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>

The /keys endpoint returns a redirect, but this redirect sometimes causes
liveness/readiness probe warnings.
Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>

Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>

This adds a new configuration option, included_groups. If specified,
only groups matching at least one of the patterns specified are
synchronised.
Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>

Sjoerd Simons authored Jul 13, 2022 and Andrej Shadura committed Jul 13, 2022

The stable Docker is too old to work correctly with cgroups v2.
Signed-off-by: Sjoerd Simons <andrew.shadura@collabora.co.uk>

Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>

Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>

Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>

Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>

Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>

Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>

Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>

While path.Match is designed to work on slash-separated paths only,
path/filepath.Match adapts to the platform-dependent path separator,
leading to different results on different platforms. While this is
not an issue with deployment, it may pose difficulties for developers
trying to debug things on a platform with non-slash separators.
Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>

Erroring out without details makes it difficult to diagnose errors.
Improperly formatted errors are usually caused by unhandled exceptions
and other unexpected situations, so the actual text may be useful for
getting it fixed.
Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>

Some OBS versions have a bug that prevents a non-empty group from being
deleted:

    ActiveRecord::StatementInvalid (Mysql2::Error: Column 'group_id' cannot
    be null: UPDATE `groups_users` SET `groups_users`.`group_id` = NULL WHERE
    `groups_users`.`group_id` = 34)

To work this around, remove users from a group before deleting the group
itself.
Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>

Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>

Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>

Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>

Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>

This is to only allow a subset of users to log in.
Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>

Since upstream errors are dumped to the client anyway, it’s best if
they are returned verbatim, since if they’re JSON-formatted, the client
can parse them.
Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>

OAuth 2.0 (RFC 6749) requires errors to be formatted as JSON so that
clients can parse them and react accordingly.
Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>

The access level parameter defines the maximum level the user may reach
by the membership in the group, so if it’s set to the minimum level
(Guest) it cannot be elevated other than by overriding it manually.
On the other hand, Maintainer or Owner give potentially unwanted access
rights to the group itself, so Developer seems a better fit.
Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>

Azure provides two emails for each user, one of them being the full
email and another one is <userid>@<domain>. Since users may use either,
fall back to the userid when no user could be found by the full email.
This change is modelled after 61553d0d

 which introduced lookup by the
username for the OBS backend.
Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>

Azure provides two emails for each user, one of them being the full
email and another one is <userid>@<domain>. Since users may use either,
fall back to the userid when no user could be found by the full email.
Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>

Some HTTP clients (e.g. Go’s) like to save traffic by requesting gzip
compression of the HTTP responses (Accept-Encoding: gzip). When the
server supports compression, it will set Content-Encoding: gzip and
compress the response body.

However, Go’s HTTP client only transparently decoded gzip-compressed
responses when it requests the compression on its own, but not when
the user sets Accept-Encoding header:

> DisableCompression, if true, prevents the Transport from
> requesting compression with an "Accept-Encoding: gzip"
> request header when the Request contains no existing
> Accept-Encoding value. If the Transport requests gzip on
> its own and gets a gzipped response, it's transparently
> decoded in the Response.Body. However, if the user
> explicitly requested gzip it is not automatically
> uncompressed.

As the result, the compressed body is returned as is, without the
mediator knowing about it; it then spits it out to the requester without
setting Content-Encoding header; however, if Content-Type header wasn’t
set, Go’s HTTP server would automatically detect that the response body
is compressed, and set Content-Type: application/x-gzip.

Apertis: T8346
Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>

Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>

Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>

Setting OBS_INSECURE_HTTPS=yes will print a warning and skip certificate
verification.
Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>

OBS API lives directly at the root path, so it is enough to remove
the path from the URL — on the condition that the callback is actually
for the OBS.
Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>

Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>

This changes the client’s code to only serialise into XML for PUT, but
not e.g. POST, as very few API methods use POST with XML. This will
backfire at some point in future, so it will need to be refactored.
Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>

Supported commands:
 * group list
 * group get <name>
 * group new <name>
 * group delete <name>
 * user get <name>
 * user lookup <email>
Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>

Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>

Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>

This reverts commit 4d7a98f0

.

The tag-latest-docker-image job actually does the right thing already,
but also only updates the latest tag when integration tests pass.

This revert removes per-branch tags.
Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>

Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>

Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>