- Apr 21, 2023
Emanuele Aina authored
Set `AUTHZ_MEDIATOR_ENFORCE_GROUPS_AUDIT_ONLY=true` to test-run the out-of-band group enforcement logic, so you get some time to review who is going to be kicked out before actually turning it on.

Signed-off-by: Emanuele Aina <emanuele.aina@collabora.com>

Emanuele Aina authored
In some cases it is desirable to preserve particular users that are not backed by any entity in the authoritative user directory. For instance it may be useful to retain the `root` user created by default on GitLab during the initial setup for programmatic access from deployment tools like Helm and Ansible, or the `ghost` user that GitLab uses as a placeholder for deleted users.

Signed-off-by: Emanuele Aina <emanuele.aina@collabora.com>

- Apr 19, 2023
Using %w instead of %v makes Errorf store the original error, allowing the caller to extract and use it later. While there isn’t any immediate benefit from it, it may be useful in future.

See:
* https://go.dev/doc/go1.13#error_wrapping
* https://github.com/golang/go/wiki/ErrorValueFAQ
* https://go.googlesource.com/proposal/+/master/design/29934-error-values.md

Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>

- Dec 15, 2022
Andrej Shadura authored
Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>

Andrej Shadura authored
Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>

Andrej Shadura authored
This implementation assumes users are not allowed to change their usernames.

MS Graph API provides a few different elements to identify users:
- the oid, which is guaranteed to uniquely map to a single user in a tenant, and globally if combined with the tid (tenant id)
- the userPrincipalName, in the form <username@tenant.domain>
- the free-form email address

Ideally, all services should use the oid+tid as an internal user identifier, the userPrincipalName as a username, and the free-form email for notifications. When federation of tenants is out of scope, the oid and the username part of the userPrincipalName would be enough.

Due to various reasons, the services the mediator is used with on our setup use those elements differently:
* OBS uses <username> for user IDs, but *usually* the free-form email for emails.
* GitLab uses integers for user IDs, the free-form email for primary emails, <username> as the username and the full userPrincipalName for the openid_connect authentication method (which, arguably, should be changed to use the oid+tid), but has no easy way to retrieve users by such identifier (however, it is exposed in some of the user listing API when using administrator’s rights)
* LAVA currently uses the free-form email and should be fixed to use the username from the userPrincipalName

Since in our setup the userPrincipalName cannot be changed and cannot be re-used, and federation is not in scope, using the username part of the userPrincipalName is enough to reliably identify users across services, and it is also what users expect.

Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>

- Nov 29, 2022
Ryan Gonzalez authored
This adds the ability for mediator-managed groups to be all children of a single parent group.

https://phabricator.apertis.org/T8937

Signed-off-by: Ryan Gonzalez <ryan.gonzalez@collabora.com>

- Nov 22, 2022
Andrej Shadura authored
Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>

Andrej Shadura authored
Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>

- Jul 15, 2022
Andrej Shadura authored
This adds a new configuration option, included_groups. If specified, only groups matching at least one of the patterns specified are synchronised.

Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>

- May 16, 2022
Andrej Shadura authored
Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>

- Nov 08, 2021
Andrej Shadura authored
This is to only allow a subset of users to log in.

Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>

- Aug 31, 2021
Andrej Shadura authored
Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>

- Aug 24, 2021
Andrej Shadura authored
Some providers refer to groups not by their names, but only by their IDs, which are sometimes UUIDs, as is the case with Azure. A group map setting allows mapping these UUIDs (or any other identifiers) into the group names we expect, and ignoring unknown groups. The mapping is only performed when the setting is specified.

Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>

Andrej Shadura authored
When running behind a NAT or a proxy, the host to listen on and the publicly visible host may not be the same, so the host part of the mediator URL should not be used to set the host to listen on. Instead, allow setting a different port, but not host.

Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>

- Aug 11, 2021
Paweł Wieczorek authored
This commit changes the default AuthZ mediator behaviour: now it requires the membership mapping backend to be explicitly set. The CI pipeline has been adjusted to address this change.

Signed-off-by: Paweł Wieczorek <pawel.wieczorek@collabora.com>

- Aug 04, 2021
Paweł Wieczorek authored
GitLab membership mapping could fail when a given user logged in for the first time. It was caused by requesting information on the given user before completing user creation on GitLab. Now user presence is checked prior to attempting to access user information.

The default behaviour is changed to query GitLab for user presence up to 10 times with 500 millisecond intervals. This can be adjusted with the configuration file or environment variables.

Signed-off-by: Paweł Wieczorek <pawel.wieczorek@collabora.com>

- Aug 02, 2021
Paweł Wieczorek authored
This patch allows appending a request for the "groups" scope to the traffic relayed to the identity provider. An explicit request can be made by:
- command line flag ("groups"),
- environment variable ("AUTHZ_MEDIATOR_GROUPS"),
- configuration file argument ("groups").

The command line flag argument takes precedence over the environment variable, which takes precedence over the configuration file argument. The argument should be a valid YAML boolean (yes/true, no/false).

Default behaviour remains unchanged, i.e. no additional scopes are appended to the communication unless explicitly requested.

This patch also makes the FakeVerifier structure part of the "mediator" package for the purpose of testing both internal and exported functions.

Signed-off-by: Paweł Wieczorek <pawel.wieczorek@collabora.com>

- Jul 19, 2021
Paweł Wieczorek authored
Signed-off-by: Paweł Wieczorek <pawel.wieczorek@collabora.com>

Paweł Wieczorek authored
Signed-off-by: Paweł Wieczorek <pawel.wieczorek@collabora.com>

Paweł Wieczorek authored
Signed-off-by: Paweł Wieczorek <pawel.wieczorek@collabora.com>

- Jul 16, 2021
Paweł Wieczorek authored
Signed-off-by: Paweł Wieczorek <pawel.wieczorek@collabora.com>

- Jul 02, 2021
Paweł Wieczorek authored
Signed-off-by: Paweł Wieczorek <pawel.wieczorek@collabora.com>