- Nov 22, 2024
-
The buildah/buildah image has seen its last update 4 years ago. Switch to the official Skopeo image instead.
Signed-off-by: Emanuele Aina <emanuele.aina@collabora.com>
-
- Nov 21, 2024
-
Emanuele Aina authored
Since we were using some inline Python code anyway, let's replace a good chunk of messy shell with a simple inline Python.
Signed-off-by: Emanuele Aina <emanuele.aina@collabora.com>
-
Emanuele Aina authored
Signed-off-by: Emanuele Aina <emanuele.aina@collabora.com>
-
Emanuele Aina authored
Automate the process of creating the `root` admin user that will be used by the mediator to apply its membership changes.
Signed-off-by: Emanuele Aina <emanuele.aina@collabora.com>
-
Emanuele Aina authored
Signed-off-by: Emanuele Aina <emanuele.aina@collabora.com>
-
Emanuele Aina authored
Use a mediator image and a LAVA image from their own registries rather than relying on locally built images. This goes in the direction of making `docker-compose -f $FILE up` work out of the box with no required preliminary setup.
Signed-off-by: Emanuele Aina <emanuele.aina@collabora.com>
-
Emanuele Aina authored
We need to disable HTTPS requirements for cookies during our local tests since we do not really want to go through the pain of setting up a local CA just for testing. However, setting `LAVA_SETTINGS_CSRF_COOKIE_SECURE` to `false` causes the Python object to be a string which evaluates truthy, yielding plenty of confusion. Tell LAVA to use its YAML capabilities to convey the right type for the setting and get an actual falsy value.
Signed-off-by: Emanuele Aina <emanuele.aina@collabora.com>
-
Emanuele Aina authored
Be consistent with the exposed port mapping and tell LAVA to listen on port 80 on the internal compose network.
Signed-off-by: Emanuele Aina <emanuele.aina@collabora.com>
-
Emanuele Aina authored
Avoid SELinux blocking access to the bind-mounted configuration by marking the bind mount contents to be private and unshared: https://docs.docker.com/storage/bind-mounts/#configure-the-selinux-label
Signed-off-by: Emanuele Aina <emanuele.aina@collabora.com>
-
Emanuele Aina authored
Signed-off-by: Emanuele Aina <emanuele.aina@collabora.com>
-
Emanuele Aina authored
Selenium Grid provides access to its session via a VNC web interface that gets exposed at `localhost:7900` by the compose files, see https://github.com/SeleniumHQ/docker-selenium#using-a-vnc-client
The password is hardcoded to `secret` in the Selenium Grid image, but since it does not add much it can be disabled completely, allowing developers to access the virtual display more easily.
Signed-off-by: Emanuele Aina <emanuele.aina@collabora.com>
-
- Jul 17, 2024
-
With commit ad28b94f "Validate client_id and client_secret values" the mediator started paying attention to client authentication. Since our integration test cargo-culted some configuration parameter straight from the GitLab configuration examples, the mediator ended up implementing what the OpenID-Connect spec calls the `client_secret_post` authentication method, see https://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication
Unfortunately, the spec also says that the actual default is `client_secret_basic`, so any real world usage is bound to fail unless some specific configuration is applied. To minimize confusion, let's drop the cargo-culted option from the example and add a note pointing to the spec and to the upstream GitLab documentation, while still keeping the `client_secret_post` usage in the GitLab integration test to exercise the codepath.
Signed-off-by: Emanuele Aina <emanuele.aina@collabora.com>
-
- Jul 16, 2024
-
Ryan Gonzalez authored
Useful for testing purposes.
Signed-off-by: Ryan Gonzalez <ryan.gonzalez@collabora.com>
-
Ryan Gonzalez authored
Technically this is supposed to be the default method in the first place, and it's what qa-report-app uses. https://phabricator.apertis.org/T10554
Signed-off-by: Ryan Gonzalez <ryan.gonzalez@collabora.com>
-
- Jul 03, 2024
-
Ryan Gonzalez authored
Because authz-mediator always passes its own client ID and secret to the backing provider, the client could previously have given any values that it wanted, and the mediator wouldn't bother to check them itself. This changes the behavior to explicitly validate these credentials locally for the /token *and* /authorize calls before sending them to the destination. https://phabricator.apertis.org/T10554
Signed-off-by: Ryan Gonzalez <ryan.gonzalez@collabora.com>
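The two commits about client authentication (the local validation of `client_id`/`client_secret` on /token and /authorize, and the `client_secret_basic` vs `client_secret_post` note) describe a check the mediator has to get right before forwarding anything upstream. The following is an added example, not the mediator's own code: it accepts both OpenID Connect client authentication methods, rejects a request that uses more than one, and compares the presented values in constant time. `ClientConfig`, the error values and the assumption that /authorize carries only `client_id` as a query parameter are this example's own.

```go
package main

import (
	"crypto/subtle"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// ClientConfig is the one relying-party client the mediator accepts.
// Hypothetical type for this example, not the mediator's configuration.
type ClientConfig struct {
	ID     string
	Secret string
}

// ClientCredentials is what the caller presented on /token, and how.
type ClientCredentials struct {
	ID, Secret string
	Method     string // "client_secret_basic" or "client_secret_post"
}

var (
	ErrNoCredentials      = errors.New("no client credentials presented")
	ErrMultipleMethods    = errors.New("client credentials presented with more than one method")
	ErrInvalidCredentials = errors.New("invalid client_id or client_secret")
)

// ExtractClientCredentials accepts the two methods from OpenID Connect Core
// section 9: client_secret_basic (HTTP Basic, the spec default) and
// client_secret_post (form parameters). RFC 6749 section 2.3.1 forbids using
// more than one method in a request, so that case is rejected, not guessed.
func ExtractClientCredentials(r *http.Request) (ClientCredentials, error) {
	var found []ClientCredentials
	if rawID, rawSecret, ok := r.BasicAuth(); ok {
		// RFC 6749 section 2.3.1: id and secret are form-urlencoded before Base64.
		id, errID := url.QueryUnescape(rawID)
		secret, errSecret := url.QueryUnescape(rawSecret)
		if errID != nil || errSecret != nil {
			return ClientCredentials{}, ErrInvalidCredentials
		}
		found = append(found, ClientCredentials{ID: id, Secret: secret, Method: "client_secret_basic"})
	}
	if err := r.ParseForm(); err != nil {
		return ClientCredentials{}, fmt.Errorf("parsing token request form: %w", err)
	}
	if id, secret := r.PostForm.Get("client_id"), r.PostForm.Get("client_secret"); id != "" || secret != "" {
		found = append(found, ClientCredentials{ID: id, Secret: secret, Method: "client_secret_post"})
	}
	switch len(found) {
	case 0:
		return ClientCredentials{}, ErrNoCredentials
	case 1:
		return found[0], nil
	default:
		return ClientCredentials{}, ErrMultipleMethods
	}
}

// ValidateTokenClient checks a /token request against the configured client
// before anything is forwarded upstream, and reports which method was used.
// Constant-time comparison avoids leaking how much of the secret matched.
func ValidateTokenClient(r *http.Request, cfg ClientConfig) (string, error) {
	creds, err := ExtractClientCredentials(r)
	if err != nil {
		return "", err
	}
	idOK := subtle.ConstantTimeCompare([]byte(creds.ID), []byte(cfg.ID)) == 1
	secretOK := subtle.ConstantTimeCompare([]byte(creds.Secret), []byte(cfg.Secret)) == 1
	if !idOK || !secretOK {
		return "", ErrInvalidCredentials
	}
	return creds.Method, nil
}

// ValidateAuthorizeClient covers /authorize, where only client_id travels as a
// query parameter (assumption: no secret is expected there); an unknown
// client_id is refused locally rather than passed to the backing provider.
func ValidateAuthorizeClient(r *http.Request, cfg ClientConfig) error {
	if subtle.ConstantTimeCompare([]byte(r.URL.Query().Get("client_id")), []byte(cfg.ID)) != 1 {
		return ErrInvalidCredentials
	}
	return nil
}

func main() {
	cfg := ClientConfig{ID: "mediator-client", Secret: "constructed-secret"} // constructed values
	req := httptest.NewRequest("POST", "/token", strings.NewReader("grant_type=authorization_code"))
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	req.SetBasicAuth("mediator-client", "constructed-secret")
	method, err := ValidateTokenClient(req, cfg)
	fmt.Printf("method=%q err=%v\n", method, err)
}
```

Returning the method name lets a deployment log which clients still rely on `client_secret_post`, which is the confusion the example configuration change above tries to head off.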
-
Ryan Gonzalez authored
This makes the tests easier to run locally.
Signed-off-by: Ryan Gonzalez <ryan.gonzalez@collabora.com>
-
Ryan Gonzalez authored
Signed-off-by: Ryan Gonzalez <ryan.gonzalez@collabora.com>
-
Ryan Gonzalez authored
Signed-off-by: Ryan Gonzalez <ryan.gonzalez@collabora.com>
-
- Jun 20, 2024
-
Emanuele Aina authored
Pin the selenium version installed with pip since the integration tests are currently failing due to a change introduced in selenium 4.10.0 (see https://github.com/SeleniumHQ/selenium/commit/9f5801c82fb3be3d585) which is being pulled via pip (for some reason the debian package is being ignored):

    ==================================== ERRORS ====================================
    _____________________ ERROR at setup of test_native_login ______________________

    request = <SubRequest 'driver' for <Function test_native_login>>
    driver_class = <class 'selenium.webdriver.remote.webdriver.WebDriver'>
    driver_kwargs = {'command_executor': 'http://docker:4444/wd/hub', 'desired_capabilities': {'browserName': 'firefox', 'moz:firefoxOptions': {}}}

        @pytest.fixture
        def driver(request, driver_class, driver_kwargs):
            """Returns a WebDriver instance based on options and capabilities"""
            retries = int(request.config.getini("max_driver_init_attempts"))
    >       for retry in Retrying(
                stop=stop_after_attempt(retries), wait=wait_exponential(), reraise=True
            ):

    /usr/local/lib/python3.9/dist-packages/pytest_selenium/pytest_selenium.py:201:
    _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
    /usr/local/lib/python3.9/dist-packages/tenacity/__init__.py:394: in __iter__
        do = self.iter(retry_state=retry_state)
    /usr/local/lib/python3.9/dist-packages/tenacity/__init__.py:372: in iter
        raise retry_exc.reraise()
    /usr/local/lib/python3.9/dist-packages/tenacity/__init__.py:189: in reraise
        raise self.last_attempt.result()
    /usr/lib/python3.9/concurrent/futures/_base.py:433: in result
        return self.__get_result()
    /usr/lib/python3.9/concurrent/futures/_base.py:389: in __get_result
        raise self._exception
    _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _

    request = <SubRequest 'driver' for <Function test_native_login>>
    driver_class = <class 'selenium.webdriver.remote.webdriver.WebDriver'>
    driver_kwargs = {'command_executor': 'http://docker:4444/wd/hub', 'desired_capabilities': {'browserName': 'firefox', 'moz:firefoxOptions': {}}}

        @pytest.fixture
        def driver(request, driver_class, driver_kwargs):
            """Returns a WebDriver instance based on options and capabilities"""
            retries = int(request.config.getini("max_driver_init_attempts"))
            for retry in Retrying(
                stop=stop_after_attempt(retries), wait=wait_exponential(), reraise=True
            ):
                with retry:
                    LOGGER.info(
                        f"Driver init, attempt {retry.retry_state.attempt_number}/{retries}"
                    )
    >               driver = driver_class(**driver_kwargs)
    E               TypeError: __init__() got an unexpected keyword argument 'desired_capabilities'

    /usr/local/lib/python3.9/dist-packages/pytest_selenium/pytest_selenium.py:208: TypeError

Signed-off-by: Emanuele Aina <emanuele.aina@collabora.com>
-
Emanuele Aina authored
The testsuite build currently fails with:

    $ ginkgo -r --randomize-all --randomize-suites --fail-on-pending --cover --trace --race --progress -v
    Failed to compile mediator:
    # github.com/onsi/gomega/internal
    /go/pkg/mod/github.com/onsi/gomega@v1.33.1/internal/async_assertion.go:556:19: undefined: context.Cause
    note: module requires Go 1.20
    # github.com/onsi/ginkgo/v2/internal
    /go/pkg/mod/github.com/onsi/ginkgo/v2@v2.19.0/internal/spec_context.go:20:17: undefined: context.CancelCauseFunc
    /go/pkg/mod/github.com/onsi/ginkgo/v2@v2.19.0/internal/spec_context.go:33:25: undefined: context.WithCancelCause
    note: module requires Go 1.20

Update to the latest `golang` images to fix the issue.
Signed-off-by: Emanuele Aina <emanuele.aina@collabora.com>
-
- Apr 28, 2023
-
Emanuele Aina authored
When applying group membership the LAVA backend was directly applying what was present in the claim. However users may be members of manually created groups that are not supposed to be managed by the mediator, and those memberships should be preserved. This is especially useful when transitioning from manually set up groups to automatic synchronization with the mediator, to ensure that permissions are retained while the managed groups get set up.
Signed-off-by: Emanuele Aina <emanuele.aina@collabora.com>
-
Emanuele Aina authored
Make the LAVA backend respect the `included_groups` configuration option and only apply the subset of the groups in the claim that match the specified pattern.
Signed-off-by: Emanuele Aina <emanuele.aina@collabora.com>
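The two LAVA backend commits above (preserving manually created groups, and honouring `included_groups`) describe one reconciliation rule: groups matching the pattern are owned by the mediator and follow the claim, everything else is left alone. The following is an added example of that rule, not the backend's own code; the function names, the regular-expression interpretation of `included_groups` and the sample data are this example's assumptions.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
)

// ReconcileGroups returns the group list a user should end up with on the
// LAVA side. Groups whose names match includedGroups are managed by the
// mediator and follow the claim; groups that do not match are left exactly
// as they are locally, so manually created groups survive a sync.
// Hypothetical helper for this example, not the backend's own code.
func ReconcileGroups(localGroups, claimGroups []string, includedGroups *regexp.Regexp) []string {
	desired := map[string]struct{}{}
	for _, g := range localGroups {
		if !includedGroups.MatchString(g) {
			desired[g] = struct{}{} // unmanaged: preserved untouched
		}
	}
	for _, g := range claimGroups {
		if includedGroups.MatchString(g) {
			desired[g] = struct{}{} // managed: taken from the claim
		}
	}
	out := make([]string, 0, len(desired))
	for g := range desired {
		out = append(out, g)
	}
	sort.Strings(out)
	return out
}

// Diff lists what a sync would add to and remove from the local group set;
// handy for logging exactly what the mediator changed for a user.
func Diff(localGroups, desired []string) (add, remove []string) {
	have := map[string]bool{}
	for _, g := range localGroups {
		have[g] = true
	}
	want := map[string]bool{}
	for _, g := range desired {
		want[g] = true
		if !have[g] {
			add = append(add, g)
		}
	}
	for _, g := range localGroups {
		if !want[g] {
			remove = append(remove, g)
		}
	}
	return add, remove
}

func main() {
	// Constructed sample data: a pattern selecting the mediator-managed groups,
	// the user's current LAVA groups, and the groups claim from the directory.
	included := regexp.MustCompile(`^apertis-`)
	local := []string{"lava-admins", "apertis-developers", "apertis-legacy"}
	claim := []string{"apertis-developers", "apertis-qa", "some-unrelated-group"}

	desired := ReconcileGroups(local, claim, included)
	add, remove := Diff(local, desired)
	fmt.Println("desired:", desired)
	fmt.Println("add:", add, "remove:", remove)
}
```

Note that a claim group outside the pattern is ignored rather than created, and a managed group missing from the claim is removed: the pattern bounds both what the mediator grants and what it can take away.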
-
Emanuele Aina authored
Signed-off-by: Emanuele Aina <emanuele.aina@collabora.com>
-
Emanuele Aina authored
Signed-off-by: Emanuele Aina <emanuele.aina@collabora.com>
-
- Apr 21, 2023
-
Emanuele Aina authored
Update deps with:

    go get -u ./...
    go mod tidy

Then fix the msgraphsdkgo breaking change in v0.63.0:

    membership/azure.go:172:26: c.client.GroupsById undefined (type *msgraphsdkgo.GraphServiceClient has no field or method GroupsById)

See https://github.com/microsoftgraph/msgraph-sdk-go/commit/d1f39a780d36d4e

And then fix msgraphsdkgo-core breaking changes in v0.35.0:

    membership/azure.go:123:19: cannot infer T (/go/pkg/mod/github.com/microsoftgraph/msgraph-sdk-go-core@v0.36.1/page_iterator.go:48:1)

See https://github.com/microsoftgraph/msgraph-sdk-go-core/commit/ffd76dc45e

And finally address a deprecation:

    gitlab/gitlab_test.go:361:46: SA1019: ggl.MasterPermissions is deprecated: Renamed to MaintainerPermissions in GitLab 11.0

Signed-off-by: Emanuele Aina <emanuele.aina@collabora.com>
-
Emanuele Aina authored
Set `AUTHZ_MEDIATOR_ENFORCE_GROUPS_AUDIT_ONLY=true` to test-run the out-of-band group enforcement logic, so you get some time to review who is going to be kicked out before actually turning it on.
Signed-off-by: Emanuele Aina <emanuele.aina@collabora.com>
-
Emanuele Aina authored
In some cases it is desirable to preserve particular users that are not backed by any entity in the authoritative user directory. For instance it may be useful to retain the `root` user created by default on GitLab during the initial setup for programmatic access from deployment tools like Helm and Ansible. Or the `ghost` user that GitLab uses as a placeholder for deleted users.
Signed-off-by: Emanuele Aina <emanuele.aina@collabora.com>
-
- Apr 20, 2023
-
There are matching downstream changes to LAVA in order to support this, and it does not seem likely at this point that LAVA upstream will use usernames to communicate about individual users.
Signed-off-by: Ed Smith <ed.smith@collabora.com>
-
Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>
-
Emanuele Aina authored
In some places we have to transform usernames in the `username@domain` format to plain `username`: doing so with open coded string manipulation makes it harder to track where such conversions happen, so let's introduce a helper function so it is trivial to spot them.
Signed-off-by: Emanuele Aina <emanuele.aina@collabora.com>
-
This allows us to test mediator backends that want to read the `preferred_username` claim, for example the newly reworked LAVA backend.
Signed-off-by: Ed Smith <ed.smith@collabora.com>
-
Emanuele Aina authored
Since we do a lot of splitting to go from `username@domain.tld` to `username` ids let's use different local parts so we catch errors due to splitting the email field rather than the username.
Signed-off-by: Emanuele Aina <emanuele.aina@collabora.com>
-
Emanuele Aina authored
On some setups like Azure the usernames in the user directory use a qualified username@domain.tld format and in many places we strip everything after the `@`, so let's exercise that part in the tests as well.
Signed-off-by: Emanuele Aina <emanuele.aina@collabora.com>
-
Emanuele Aina authored
Let people enable the out-of-band locking of users that get dropped from the required groups on the Azure AD side.
Signed-off-by: Emanuele Aina <emanuele.aina@collabora.com>
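Three commits on this page describe the out-of-band enforcement feature: locking users dropped from the required groups, exempting users with no directory counterpart such as `root` and `ghost`, and the `AUTHZ_MEDIATOR_ENFORCE_GROUPS_AUDIT_ONLY=true` dry run. The following is an added example of that flow, not the mediator's own implementation: the plan/apply split, the function names, how the variable is parsed and the sample users are this example's assumptions; only the variable name comes from the commit log.

```go
package main

import (
	"fmt"
	"os"
	"sort"
	"strconv"
)

// EnforcementPlan is what an out-of-band enforcement run intends to do.
type EnforcementPlan struct {
	ToLock    []string // local users no longer in any required directory group
	Preserved []string // users skipped because they are explicitly exempted
	AuditOnly bool     // true: report only, lock nothing
}

// AuditOnlyFromEnv reads AUTHZ_MEDIATOR_ENFORCE_GROUPS_AUDIT_ONLY through the
// given lookup (os.LookupEnv in production). Unset means false, i.e. enforce,
// matching the opt-in described in the commit; a value strconv cannot parse is
// an error rather than a silent default. Assumed parsing for this example.
func AuditOnlyFromEnv(lookup func(string) (string, bool)) (bool, error) {
	raw, ok := lookup("AUTHZ_MEDIATOR_ENFORCE_GROUPS_AUDIT_ONLY")
	if !ok || raw == "" {
		return false, nil
	}
	v, err := strconv.ParseBool(raw)
	if err != nil {
		return false, fmt.Errorf("AUTHZ_MEDIATOR_ENFORCE_GROUPS_AUDIT_ONLY=%q: %w", raw, err)
	}
	return v, nil
}

// PlanEnforcement selects the local users to lock: those absent from the set
// of users that still belong to at least one required directory group, minus
// the users listed in preserve (for GitLab, typically root and ghost, which
// have no directory counterpart). Hypothetical helper, not the mediator's own.
func PlanEnforcement(localUsers []string, requiredMembers map[string]bool, preserve []string, auditOnly bool) EnforcementPlan {
	exempt := map[string]bool{}
	for _, u := range preserve {
		exempt[u] = true
	}
	plan := EnforcementPlan{AuditOnly: auditOnly}
	for _, u := range localUsers {
		switch {
		case requiredMembers[u]:
			// still in a required group: nothing to do
		case exempt[u]:
			plan.Preserved = append(plan.Preserved, u)
		default:
			plan.ToLock = append(plan.ToLock, u)
		}
	}
	sort.Strings(plan.ToLock)
	sort.Strings(plan.Preserved)
	return plan
}

// Apply runs the plan. In audit-only mode it reports the would-be locked users
// without calling lock, so an operator can review the list before enabling it.
func Apply(plan EnforcementPlan, lock func(user string) error) (locked []string, err error) {
	for _, u := range plan.ToLock {
		if plan.AuditOnly {
			fmt.Printf("audit-only: would lock %s\n", u)
			continue
		}
		if err := lock(u); err != nil {
			return locked, fmt.Errorf("locking %s: %w", u, err)
		}
		locked = append(locked, u)
	}
	return locked, nil
}

func main() {
	auditOnly, err := AuditOnlyFromEnv(os.LookupEnv)
	if err != nil {
		fmt.Println(err)
		os.Exit(1)
	}
	// Constructed sample data: local accounts, the users still covered by a
	// required group on the directory side, and the exempted accounts.
	local := []string{"alice", "bob", "root", "ghost", "carol"}
	required := map[string]bool{"alice": true}
	plan := PlanEnforcement(local, required, []string{"root", "ghost"}, auditOnly)
	locked, _ := Apply(plan, func(u string) error { fmt.Println("locked", u); return nil })
	fmt.Println("to lock:", plan.ToLock, "preserved:", plan.Preserved, "locked:", locked)
}
```

Keeping the plan as a value separate from its application is what makes the audit mode cheap: the same list is computed either way, and the only difference is whether the lock callback runs.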
-
- Apr 19, 2023
-
Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>
-
Using %w instead of %v makes Errorf store the original error, allowing the caller to extract and use it later. While there isn’t any immediate benefit from it, it may be useful in future. See:
* https://go.dev/doc/go1.13#error_wrapping
* https://github.com/golang/go/wiki/ErrorValueFAQ
* https://go.googlesource.com/proposal/+/master/design/29934-error-values.md
Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>
-
Emanuele Aina authored
Reference the `authz-mediator-lava` secret to back the `LAVA_SECRET` environment variable when the `lava` backend for group membership synchronization is in use.
Signed-off-by: Emanuele Aina <emanuele.aina@collabora.com>
-
Emanuele Aina authored
Use the custom templating functions provided by Helm to reduce code duplication when referencing the secrets backing the `{GITLAB,OBS}_SECRET` environment variables.
Signed-off-by: Emanuele Aina <emanuele.aina@collabora.com>
-
- Mar 24, 2023
-
Andrej Shadura authored
Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>
-
- Mar 20, 2023
-
The existing code had two issues:
* it parsed provider.Host instead of provider.Path
* provider.Path always starts with a slash, so Cut() wouldn’t provide the first path component, but an empty string instead
Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>
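Both defects listed in the commit above are easy to reproduce with `net/url` and `strings.Cut`. The following is an added example, not the mediator's code before or after the fix: the two small functions show what each defect returns, and `FirstPathComponent` is a corrected form that strips the leading slash before cutting. The function names and the sample provider URL are this example's assumptions.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// cutHost shows the first defect named in the commit: cutting provider.Host
// instead of provider.Path only ever yields the host name, never a path part.
func cutHost(provider *url.URL) string {
	first, _, _ := strings.Cut(provider.Host, "/")
	return first
}

// cutPath shows the second defect: provider.Path starts with "/", so the
// part before the first separator is always the empty string.
func cutPath(provider *url.URL) string {
	first, _, _ := strings.Cut(provider.Path, "/")
	return first
}

// FirstPathComponent is a corrected form: strip the leading slash, then cut.
// An empty path or a bare "/" yields "", which the caller can treat as
// "no component" instead of mistaking it for a valid value.
// Hypothetical helper, not the mediator's own function.
func FirstPathComponent(provider *url.URL) string {
	first, _, _ := strings.Cut(strings.TrimPrefix(provider.Path, "/"), "/")
	return first
}

func main() {
	// Constructed sample: a provider URL whose first path component
	// identifies the tenant or realm the mediator talks to.
	provider, err := url.Parse("https://login.example.test/tenant-id/oauth2/v2.0")
	if err != nil {
		panic(err)
	}
	fmt.Printf("cutHost=%q cutPath=%q fixed=%q\n",
		cutHost(provider), cutPath(provider), FirstPathComponent(provider))
}
```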
-