This adds support for two new low-level LAVA XMLRPC calls:

- system.get_all_users to find all the users present on a LAVA
  instance by email

- system.set_user_active to lock or unlock a user account on a LAVA
  server.

Signed-off-by: Ed Smith <ed.smith@collabora.com>
Co-authored-by: Andrej Shadura <andrew.shadura@collabora.co.uk>

Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>

Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>

Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>

This allows simplifying the logging a bit

Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>

Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>

Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>

Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>

Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>

MS Graph API SDK ships huge autogenerated files which require a lot
of memory, so lightweight runners are not enough anymore.

Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>

The MS Graph API packages are huge, causing the linter to time out.

Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>

This brings a couple of bug fixes and removes false positives.

Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>

We actually report error here.

Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>

This implementation assumes users are not allowed to change their
usernames.

MS Graph API provides a few different elements to identify users:

 - the oid, which is guaranteed to uniquely map to a single user
   in a tenant, and globally if combined with the tid (tenant id)
 - the userPrincipalName, in the form <username@tenant.domain>
 - the free-form email address

Ideally, all services should use the oid+tid as an internal user
identifier, the userPrincipalName as a username, and the free-form
email for notifications.

When federation of tenants is out of scope, the oid and the
username part of the userPrincipalName would be enough.

Due to various reasons, the services the mediator is used
with on our setup use those elements differently:

* OBS uses <username> for user IDs, but *usually* the free-form email
  for emails.
* GitLab uses integers for user IDs, the free-form email for primary
  emails, <username> as the username and the full userPrincipalName for the
  openid_connect authentication method (which, arguably, should be changed to
  use the oid+tid), but has no easy way to retrieve users by such identifier
  (however, it is exposed in some of the user listing API when using
  administrator’s rights)
* LAVA currently uses the free-form email and should be fixed to use the
  username from the userPrincipalName

Since in our setup the userPrincipalName cannot be changed and
cannot be re-used, and federation is not in scope, using the
username part of the userPrincipalName is enough to reliably identify
users across services, and it is also what users expect.

Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>

The new version exposes more object fields of the GitLab API. In
particular, we need bot: true to be able to filter out bot users.

Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>

Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>

Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>

The backend will also have some per-backend group sync functionality, so
this name is more appropriate.

Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>

This is a typo fix that was just overlooked. The URL used in
newLavaClient was hardcoded to be the one for the docker image in the
compose test, rather than using the configured URL.

Note that the URL the lava backend is receiving is the callback URL,
not the root LAVA url. There's no obvious nice way to do this, one
option would be to add another config option with the LAVA root URL,
but instead I've pruned off the (fixed) callback portion.

This adds the ability for mediator-managed groups to be all children of
a single parent group.

https://phabricator.apertis.org/T8937



Signed-off-by: Ryan Gonzalez <ryan.gonzalez@collabora.com>

Previously, the tests didn't actually go through the complete addition
and removal flow. This enhances the current addition test to actually
check for an added group, and it adds a new test to check for a removed
group.

https://phabricator.apertis.org/T8937



Signed-off-by: Ryan Gonzalez <ryan.gonzalez@collabora.com>

Ryan Gonzalez authored Nov 23, 2022 and Andrej Shadura committed Nov 29, 2022

These type arguments aren't needed, resulting in the "unnecessary type
arguments" lint being triggered.

https://phabricator.apertis.org/T8937

Ryan Gonzalez authored Nov 23, 2022 and Andrej Shadura committed Nov 29, 2022

The client package already does this, so double-escaping gives invalid
results.

https://phabricator.apertis.org/T8937

A lot of these files hadn't yet been run through it.

https://phabricator.apertis.org/T8937



Signed-off-by: Ryan Gonzalez <ryan.gonzalez@collabora.com>

Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>

Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>

Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>

Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>

Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>

Stringifying a GitLab error needs a valid Request URL. This used to work
as nothing tried to stringify the fake error, but now that we have
structured logging plugged in, it attempts to log the error and panics.

Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>

Use apex/log for logs: this allows less repetition and more context in
the logs.

Wrap HTTP request handlers to log basic request data.

Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>

Move the HTTP server into a goroutine, stop it upon a termination
signal.

Golint has to be silenced to prevent a false positive from failing the
build.

Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>

Edmund Smith authored Oct 10, 2022 and Andrej Shadura committed Nov 09, 2022

This is considerably simpler than it might be, because LAVA exports
the API we want - set all the groups to which a user belongs.

The main complication here is that LAVA uses basic authentication,
which means we need an XMLRPC library which supports setting this
header. The majority of go XMLRPC libraries I looked at did not seem
to support this.

In !47 I fixed a regression that caused the CI pipelines for the
master branch to fail. I should have been more careful here in how I
described this error. In that commit I mistakenly said that selenium
had been upgraded silently; in fact we fix the version of the selenium
docker image.

The real issue is that *python*-selenium was silently upgraded, even
though it ought to be more or less version fixed by virtue of using
the Apertis package of it. This happens because we did not version fix
pytest-selenium, which is installed from pip. When pytest-selenium
transitioned to v4.0.0, it caused pip to automatically upgrade the
python-selenium module, replacing the distro installed version.

This avoids having tests silently regress without any changes being
made to the repository. The versions are the current tags at the time
of writing.

In Selenium 4.3.0, the `find_element_by_*` family of methods, which
had been deprecated, were removed. The preferred form (now, the only
form) is `find_element(key, value)`.

Group creation got dropped, so get rid of some leftovers.

Signed-off-by: Emanuele Aina <emanuele.aina@collabora.com>

Emanuele Aina authored Aug 22, 2022 and Sjoerd Simons committed Aug 22, 2022

In the past, when a user should have been added as member to a group and
the group was missing on GitLab, the mediator took care of creating it.

The previous commit changes the behaviour to ignore groups that are
missing from GitLab, even if the user login token has a matching claim.

Tweak the test to ensure that the previous assumption that for each
matching claim there was an actual GitLab group does not bite us now
that it does no longer hold true.

Signed-off-by: Emanuele Aina <emanuele.aina@collabora.com>

Sjoerd Simons authored Aug 19, 2022 and Sjoerd Simons committed Aug 22, 2022

As groups have to be configured by hand anyway (to give them relevant
permissions etc) auto-creating groups isn't actually that helpful and
may cause unintended groups to be created. So revert to only adding
users to (existing) groups rather then creating them on demand

Signed-off-by: Sjoerd Simons <sjoerd@collabora.com>