GitLab

Azure provides two emails for each user, one of them being the full
email and another one is <userid>@<domain>. Since users may use either,
fall back to the userid when no user could be found by the full email.
This change is modelled after 61553d0d

 which introduced lookup by the
username for the OBS backend.
Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>

Azure provides two emails for each user, one of them being the full
email and another one is <userid>@<domain>. Since users may use either,
fall back to the userid when no user could be found by the full email.
Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>

Some HTTP clients (e.g. Go’s) like to save traffic by requesting gzip
compression of the HTTP responses (Accept-Encoding: gzip). When the
server supports compression, it will set Content-Encoding: gzip and
compress the response body.

However, Go’s HTTP client only transparently decoded gzip-compressed
responses when it requests the compression on its own, but not when
the user sets Accept-Encoding header:

> DisableCompression, if true, prevents the Transport from
> requesting compression with an "Accept-Encoding: gzip"
> request header when the Request contains no existing
> Accept-Encoding value. If the Transport requests gzip on
> its own and gets a gzipped response, it's transparently
> decoded in the Response.Body. However, if the user
> explicitly requested gzip it is not automatically
> uncompressed.

As the result, the compressed body is returned as is, without the
mediator knowing about it; it then spits it out to the requester without
sett...

Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>

Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>

Setting OBS_INSECURE_HTTPS=yes will print a warning and skip certificate
verification.
Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>

OBS API lives directly at the root path, so it is enough to remove
the path from the URL — on the condition that the callback is actually
for the OBS.
Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>

Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>

This changes the client’s code to only serialise into XML for PUT, but
not e.g. POST, as very few API methods use POST with XML. This will
backfire at some point in future, so it will need to be refactored.
Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>

Supported commands:
 * group list
 * group get <name>
 * group new <name>
 * group delete <name>
 * user get <name>
 * user lookup <email>
Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>

Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>

Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>

This reverts commit 4d7a98f0

.

The tag-latest-docker-image job actually does the right thing already,
but also only updates the latest tag when integration tests pass.

This revert removes per-branch tags.
Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>

Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>

Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>

Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>

Neither the OAuth 2.0 spec [1] nor OpenID Connect 1.0 spec [2] seem to
require scope parameter to be present

[1]: https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.3
[2]: https://openid.net/specs/openid-connect-core-1_0.html#TokenEndpoint

Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>

Many applications expect this endpoint to automatically configure themselves.
Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>

Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>

Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>

Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>

Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>

When the service runs under a prefix, respond on URL under that
prefix to avoid having the front-end proxy to strip it.
Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>

Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>

Some providers refer to groups not by their names, but only by their
IDs, which are sometimes UUIDs, as it is the case with Azure.
A group map setting allows to map these UUIDs (or any other identifiers)
into group names we expect, and to ignore unknown groups.

The mapping is only performed when the setting is specified.
Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>

This is useful for testing, hence this setting is non-default.
Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>

Go prefers a different tab and indentation style than Python which
prefers a different tab size than YAML. An .editorconfig file helps
alleviate individual users’ different editor settings.
Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>

Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>

When running behind a NAT or a proxy, the host to listen on and
the publicly visible host may not be the same, so the host part
of the mediator URL should not be used to set the host to listen on.
Instead, allow setting a different port, but not host.
Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>

Signed-off-by: Paweł Wieczorek <pawel.wieczorek@collabora.com>

This commit changes default AuthZ mediator behaviour: now it requires
membership mapping backend to be explicitly set. CI pipeline has been
adjusted to address this change.
Signed-off-by: Paweł Wieczorek <pawel.wieczorek@collabora.com>

Signed-off-by: Paweł Wieczorek <pawel.wieczorek@collabora.com>

Signed-off-by: Paweł Wieczorek <pawel.wieczorek@collabora.com>

Signed-off-by: Paweł Wieczorek <pawel.wieczorek@collabora.com>

Signed-off-by: Paweł Wieczorek <pawel.wieczorek@collabora.com>

GitLab membership mapping could fail when given user logged in for the
first time. It was caused by requesting information on given user before
completing user creation on GitLab. Now user presence is checked prior
attempting to access user information.

Default behaviour is changed to query GitLab for user presence up to 10
times with 500 millisecond intervals. This can be adjusted with
configuration file or environmental variables.
Signed-off-by: Paweł Wieczorek <pawel.wieczorek@collabora.com>

With increasing number of options required by the mediator it is no
longer feasible to store individual fields in its structure. Now
"config" structure will be used directly.

With endpoint discovery "Provider" field of the "config" structure is
unused by the mediator. It is the only field not in use.
Signed-off-by: Paweł Wieczorek <pawel.wieczorek@collabora.com>

Signed-off-by: Paweł Wieczorek <pawel.wieczorek@collabora.com>

Most of the "test_oidc_login()" (excluding asserts) has been moved to
"_oidc_login()" to reuse it in membership mapping integration tests.

This patch also unifies line length for Python linters (to the default
value of the "black" utility: 88, i.e. 10% over 80 characters [1]).

[1] https://black.readthedocs.io/en/stable/the_black_code_style/current_style.html#line-length

Signed-off-by: Paweł Wieczorek <pawel.wieczorek@collabora.com>

This patch moves GitLab client from "Gitlab" structure to the "Gitlaber"
interface. This way API calls can be mocked easily for testing purposes
(using fake interface implementation).
Signed-off-by: Paweł Wieczorek <pawel.wieczorek@collabora.com>