- Jun 20, 2024
-
-
Emanuele Aina authored
Signed-off-by:
Emanuele Aina <emanuele.aina@collabora.com>
-
Emanuele Aina authored
Pin the selenium version installed with pip since the integration tests are currently failing due to a change introduced in selenium 4.10.0 (see https://github.com/SeleniumHQ/selenium/commit/9f5801c82fb3be3d585) which is being pulled via pip (for some reason the Debian package is being ignored):

==================================== ERRORS ====================================
_____________________ ERROR at setup of test_native_login ______________________

request = <SubRequest 'driver' for <Function test_native_login>>
driver_class = <class 'selenium.webdriver.remote.webdriver.WebDriver'>
driver_kwargs = {'command_executor': 'http://docker:4444/wd/hub', 'desired_capabilities': {'browserName': 'firefox', 'moz:firefoxOptions': {}}}

    @pytest.fixture
    def driver(request, driver_class, driver_kwargs):
        """Returns a WebDriver instance based on options and capabilities"""
        retries = int(request.config.getini("max_driver_init_attempts"))
>       for retry in Retrying(
            stop=stop_after_attempt(retries), wait=wait_exponential(), reraise=True
        ):

/usr/local/lib/python3.9/dist-packages/pytest_selenium/pytest_selenium.py:201:
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
/usr/local/lib/python3.9/dist-packages/tenacity/__init__.py:394: in __iter__
    do = self.iter(retry_state=retry_state)
/usr/local/lib/python3.9/dist-packages/tenacity/__init__.py:372: in iter
    raise retry_exc.reraise()
/usr/local/lib/python3.9/dist-packages/tenacity/__init__.py:189: in reraise
    raise self.last_attempt.result()
/usr/lib/python3.9/concurrent/futures/_base.py:433: in result
    return self.__get_result()
/usr/lib/python3.9/concurrent/futures/_base.py:389: in __get_result
    raise self._exception
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _

request = <SubRequest 'driver' for <Function test_native_login>>
driver_class = <class 'selenium.webdriver.remote.webdriver.WebDriver'>
driver_kwargs = {'command_executor': 'http://docker:4444/wd/hub', 'desired_capabilities': {'browserName': 'firefox', 'moz:firefoxOptions': {}}}

    @pytest.fixture
    def driver(request, driver_class, driver_kwargs):
        """Returns a WebDriver instance based on options and capabilities"""
        retries = int(request.config.getini("max_driver_init_attempts"))
        for retry in Retrying(
            stop=stop_after_attempt(retries), wait=wait_exponential(), reraise=True
        ):
            with retry:
                LOGGER.info(
                    f"Driver init, attempt {retry.retry_state.attempt_number}/{retries}"
                )
>               driver = driver_class(**driver_kwargs)
E               TypeError: __init__() got an unexpected keyword argument 'desired_capabilities'

/usr/local/lib/python3.9/dist-packages/pytest_selenium/pytest_selenium.py:208: TypeError

Signed-off-by:
Emanuele Aina <emanuele.aina@collabora.com>
-
Emanuele Aina authored
The testsuite build currently fails with:

$ ginkgo -r --randomize-all --randomize-suites --fail-on-pending --cover --trace --race --progress -v
Failed to compile mediator:

# github.com/onsi/gomega/internal
/go/pkg/mod/github.com/onsi/gomega@v1.33.1/internal/async_assertion.go:556:19: undefined: context.Cause
note: module requires Go 1.20
# github.com/onsi/ginkgo/v2/internal
/go/pkg/mod/github.com/onsi/ginkgo/v2@v2.19.0/internal/spec_context.go:20:17: undefined: context.CancelCauseFunc
/go/pkg/mod/github.com/onsi/ginkgo/v2@v2.19.0/internal/spec_context.go:33:25: undefined: context.WithCancelCause
note: module requires Go 1.20

Update to the latest `golang` images to fix the issue.

Signed-off-by:
Emanuele Aina <emanuele.aina@collabora.com>
-
- Apr 28, 2023
-
-
Emanuele Aina authored
When applying group membership the LAVA backend was directly applying what was present in the claim. However users may be members of manually created groups that are not supposed to be managed by the mediator, and those memberships should be preserved. This is especially useful when transitioning from manually set up groups to automatic synchronization with the mediator, to ensure that permissions are retained while the managed groups get set up. Signed-off-by:
Emanuele Aina <emanuele.aina@collabora.com>
-
Emanuele Aina authored
Make the LAVA backend respect the `included_groups` configuration option and only apply the subset of the groups in the claim that match the specified pattern. Signed-off-by:
Emanuele Aina <emanuele.aina@collabora.com>
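The two commits above describe one reconciliation rule: of the groups in the claim, only those matching the `included_groups` pattern are managed, and memberships outside that pattern are left as they are on the service. The following is an added example, written for this log and not code from the authz-mediator project, that implements that rule as a pure function; it assumes `included_groups` is a regular expression and that groups are identified by name only, and the input lists are constructed for the demonstration.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
)

// ReconcileGroups computes the group list a user should end up with on a
// service backend, given the groups currently set on the service, the groups
// asserted in the identity claim, and the pattern that selects which groups
// the mediator manages (assumed here to be what `included_groups` holds).
//
//   - groups on the service that do not match the pattern are preserved
//     untouched (they were created by hand and are not the mediator's to remove);
//   - groups in the claim that match the pattern are added;
//   - managed groups on the service that are no longer in the claim are removed;
//   - groups in the claim that do not match the pattern are ignored.
func ReconcileGroups(current, claimed []string, managed *regexp.Regexp) (result, added, removed []string) {
	claimedSet := map[string]bool{}
	for _, g := range claimed {
		if managed.MatchString(g) {
			claimedSet[g] = true
		}
	}
	currentSet := map[string]bool{}
	for _, g := range current {
		currentSet[g] = true
		if !managed.MatchString(g) {
			result = append(result, g) // unmanaged: preserved as-is
			continue
		}
		if claimedSet[g] {
			result = append(result, g) // managed and still asserted: keep
		} else {
			removed = append(removed, g) // managed but dropped from the claim
		}
	}
	for g := range claimedSet {
		if !currentSet[g] {
			result = append(result, g)
			added = append(added, g)
		}
	}
	sort.Strings(result)
	sort.Strings(added)
	sort.Strings(removed)
	return result, added, removed
}

func main() {
	// Constructed sample data: "lab-admins" was created by hand on the
	// service, "sso-*" groups are the ones synchronized from the directory.
	current := []string{"lab-admins", "sso-old", "sso-ci"}
	claimed := []string{"sso-ci", "sso-dev", "other-team"}
	managed := regexp.MustCompile(`^sso-`)

	result, added, removed := ReconcileGroups(current, claimed, managed)
	fmt.Println("result :", result)  // [lab-admins sso-ci sso-dev]
	fmt.Println("added  :", added)   // [sso-dev]
	fmt.Println("removed:", removed) // [sso-old]
}
```

Returning `added` and `removed` separately, rather than only the final list, is what lets a backend log exactly which memberships it changed; that record is what you want when a synchronization run unexpectedly strips someone of access.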
-
Emanuele Aina authored
Signed-off-by:
Emanuele Aina <emanuele.aina@collabora.com>
-
Emanuele Aina authored
Signed-off-by:
Emanuele Aina <emanuele.aina@collabora.com>
-
- Apr 21, 2023
-
-
Emanuele Aina authored
Update deps with:

go get -u ./...
go mod tidy

Then fix the msgraphsdkgo breaking change in v0.63.0:

membership/azure.go:172:26: c.client.GroupsById undefined (type *msgraphsdkgo.GraphServiceClient has no field or method GroupsById)

See https://github.com/microsoftgraph/msgraph-sdk-go/commit/d1f39a780d36d4e

And then fix msgraphsdkgo-core breaking changes in v0.35.0:

membership/azure.go:123:19: cannot infer T (/go/pkg/mod/github.com/microsoftgraph/msgraph-sdk-go-core@v0.36.1/page_iterator.go:48:1)

See https://github.com/microsoftgraph/msgraph-sdk-go-core/commit/ffd76dc45e

And finally address a deprecation:

gitlab/gitlab_test.go:361:46: SA1019: ggl.MasterPermissions is deprecated: Renamed to MaintainerPermissions in GitLab 11.0

Signed-off-by:
Emanuele Aina <emanuele.aina@collabora.com>
-
Emanuele Aina authored
Set `AUTHZ_MEDIATOR_ENFORCE_GROUPS_AUDIT_ONLY=true` to test-run the out-of-band group enforcement logic, so you get some time to review who is going to be kicked out before actually turning it on. Signed-off-by:
Emanuele Aina <emanuele.aina@collabora.com>
-
Emanuele Aina authored
In some cases it is desirable to preserve particular users that are not backed by any entity in the authoritative user directory. For instance it may be useful to retain the `root` user created by default on GitLab during the initial setup for programmatic access from deployment tools like Helm and Ansible. Or the `ghost` user that GitLab uses as a placeholder for deleted users. Signed-off-by:
Emanuele Aina <emanuele.aina@collabora.com>
-
- Apr 20, 2023
-
-
There are matching downstream changes to LAVA in order to support this, and it does not seem likely at this point that LAVA upstream will use usernames to communicate about individual users. Signed-off-by:
Ed Smith <ed.smith@collabora.com>
-
Signed-off-by:
Andrej Shadura <andrew.shadura@collabora.co.uk>
-
Emanuele Aina authored
In some places we have to transform usernames in the `username@domain` format to plain `username`: doing so with open coded string manipulation makes it harder to track where such conversions happen, so let's introduce a helper function so it is trivial to spot them. Signed-off-by:
Emanuele Aina <emanuele.aina@collabora.com>
-
This allows us to test mediator backends that want to read the `preferred_username` claim, for example the newly reworked LAVA backend. Signed-off-by:
Ed Smith <ed.smith@collabora.com>
-
Emanuele Aina authored
Since we do a lot of splitting to go from `username@domain.tld` to `username` ids let's use different local parts so we catch errors due to splitting the email field rather than the username. Signed-off-by:
Emanuele Aina <emanuele.aina@collabora.com>
-
Emanuele Aina authored
On some setups like Azure the usernames in the user directory use a qualified username@domain.tld format and in many places we strip everything after the `@`, so let's exercise that part in the tests as well. Signed-off-by:
Emanuele Aina <emanuele.aina@collabora.com>
-
Emanuele Aina authored
Let people enable the out-of-band locking of users that get dropped from the required groups on the Azure AD side. Signed-off-by:
Emanuele Aina <emanuele.aina@collabora.com>
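Three of the commits above belong together: the out-of-band locking of users dropped from the required groups, the `AUTHZ_MEDIATOR_ENFORCE_GROUPS_AUDIT_ONLY` switch that only reports what would be locked, and the list of users (such as GitLab's `root` and `ghost`) that must never be touched. The following is an added example for this log, not the project's own enforcement code; it assumes the decision is made per service username, that an `inRequiredGroup` set is already derived from the directory, and that the backend exposes a lock/unlock call like LAVA's `system.set_user_active`. The unlock branch for users who reappear in the group is this example's assumption. The accounts and group data are constructed.

```go
package main

import (
	"fmt"
	"sort"
)

// ServiceUser is an account as seen on a managed service (GitLab, LAVA, ...).
type ServiceUser struct {
	Username string
	Active   bool
}

// Action is one change an enforcement pass wants to make.
type Action struct {
	Username string
	Lock     bool // true: lock the account, false: unlock it
}

// Enforcer carries the two settings the commits describe.
type Enforcer struct {
	AuditOnly bool            // AUTHZ_MEDIATOR_ENFORCE_GROUPS_AUDIT_ONLY
	Preserved map[string]bool // accounts with no directory backing that stay as they are
}

// Plan decides, without touching anything, which accounts to lock (active,
// not preserved, not in the required directory group) and which to unlock
// (locked but back in the group). The result is sorted for stable review output.
func (e Enforcer) Plan(service []ServiceUser, inRequiredGroup map[string]bool) []Action {
	var plan []Action
	for _, u := range service {
		if e.Preserved[u.Username] {
			continue // e.g. root or ghost: never managed by the mediator
		}
		entitled := inRequiredGroup[u.Username]
		switch {
		case u.Active && !entitled:
			plan = append(plan, Action{Username: u.Username, Lock: true})
		case !u.Active && entitled:
			plan = append(plan, Action{Username: u.Username, Lock: false})
		}
	}
	sort.Slice(plan, func(i, j int) bool { return plan[i].Username < plan[j].Username })
	return plan
}

// Apply executes the plan through setActive (a stand-in for the backend's
// lock/unlock call) unless audit-only is set, in which case nothing is changed
// and the caller is expected to log the plan for review.
func (e Enforcer) Apply(plan []Action, setActive func(username string, active bool) error) (applied int, err error) {
	if e.AuditOnly {
		return 0, nil
	}
	for _, a := range plan {
		if err := setActive(a.Username, !a.Lock); err != nil {
			return applied, fmt.Errorf("set_user_active %s: %w", a.Username, err)
		}
		applied++
	}
	return applied, nil
}

func main() {
	// Constructed sample: bob lost the group, carol regained it, root and
	// ghost are local accounts with no directory entity behind them.
	service := []ServiceUser{{"root", true}, {"ghost", true}, {"alice", true}, {"bob", true}, {"carol", false}}
	inGroup := map[string]bool{"alice": true, "carol": true}
	e := Enforcer{AuditOnly: true, Preserved: map[string]bool{"root": true, "ghost": true}}

	plan := e.Plan(service, inGroup)
	for _, a := range plan {
		fmt.Printf("would %s %s\n", map[bool]string{true: "lock", false: "unlock"}[a.Lock], a.Username)
	}
	n, err := e.Apply(plan, func(string, bool) error { return nil })
	fmt.Println("applied:", n, "err:", err) // applied: 0 err: <nil> while audit-only
}
```

Keeping `Plan` free of side effects is the point of the audit-only mode: the same plan that is printed during the review period is the one that gets applied once the flag is flipped, so there is no second code path to get wrong.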
-
- Apr 19, 2023
-
-
Signed-off-by:
Andrej Shadura <andrew.shadura@collabora.co.uk>
-
Using %w instead of %v makes Errorf store the original error, allowing the caller to extract and use it later. While there isn’t any immediate benefit from it, it may be useful in future.

See:
* https://go.dev/doc/go1.13#error_wrapping
* https://github.com/golang/go/wiki/ErrorValueFAQ
* https://go.googlesource.com/proposal/+/master/design/29934-error-values.md

Signed-off-by:
Andrej Shadura <andrew.shadura@collabora.co.uk>
-
Emanuele Aina authored
Reference the `authz-mediator-lava` secret to back the `LAVA_SECRET` environment variable when the `lava` backend for group membership synchronization is in use. Signed-off-by:
Emanuele Aina <emanuele.aina@collabora.com>
-
Emanuele Aina authored
Use the custom templating functions provided by Helm to reduce code duplication when referencing the secrets backing the `{GITLAB,OBS}_SECRET` environment variables. Signed-off-by:
Emanuele Aina <emanuele.aina@collabora.com>
-
- Mar 24, 2023
-
-
Andrej Shadura authored
Signed-off-by:
Andrej Shadura <andrew.shadura@collabora.co.uk>
-
- Mar 20, 2023
-
-
The existing code had two issues:
* it parsed provider.Host instead of provider.Path
* provider.Path always starts with a slash, so Cut() wouldn’t provide the first path component, but an empty string instead

Signed-off-by:
Andrej Shadura <andrew.shadura@collabora.co.uk>
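Both mistakes listed above are easy to reproduce with a parsed `url.URL`. The following is an added example, not the project's code: `FirstPathComponent` is a hypothetical helper that does what the fixed code needs, and `cutWithoutTrim` shows what `strings.Cut` returns on an untrimmed path. The provider URL is constructed.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// FirstPathComponent returns the first component of the provider URL's path,
// e.g. "tenant" for https://sso.example.org/tenant/openid-connect. It fails
// rather than return "" when the URL has no path, so a misconfigured provider
// cannot silently map to an empty identifier.
func FirstPathComponent(provider *url.URL) (string, error) {
	path := strings.TrimPrefix(provider.Path, "/")
	first, _, _ := strings.Cut(path, "/")
	if first == "" {
		return "", errors.New("provider URL has no path component: " + provider.String())
	}
	return first, nil
}

// cutWithoutTrim reproduces the second bug: Cut on a path that starts with
// "/" yields "" as the part before the first separator.
func cutWithoutTrim(path string) string {
	before, _, _ := strings.Cut(path, "/")
	return before
}

func main() {
	// Constructed provider URL.
	provider, _ := url.Parse("https://sso.example.org/tenant/openid-connect")
	fmt.Printf("Host: %q (what the old code looked at)\n", provider.Host)
	fmt.Printf("Cut on raw Path: %q\n", cutWithoutTrim(provider.Path))
	first, err := FirstPathComponent(provider)
	fmt.Printf("first component: %q, err: %v\n", first, err)
}
```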
-
-
- Feb 01, 2023
-
-
Andrej Shadura authored
Signed-off-by:
Andrej Shadura <andrew.shadura@collabora.co.uk>
-
- Dec 16, 2022
-
-
Edmund Smith authored
This adds support for two new low-level LAVA XMLRPC calls:
- system.get_all_users to find all the users present on a LAVA instance by email
- system.set_user_active to lock or unlock a user account on a LAVA server.

Signed-off-by:
Ed Smith <ed.smith@collabora.com> Co-authored-by:
Andrej Shadura <andrew.shadura@collabora.co.uk>
-
- Dec 15, 2022
-
-
Andrej Shadura authored
Signed-off-by:
Andrej Shadura <andrew.shadura@collabora.co.uk>
-
Andrej Shadura authored
Signed-off-by:
Andrej Shadura <andrew.shadura@collabora.co.uk>
-
Andrej Shadura authored
Signed-off-by:
Andrej Shadura <andrew.shadura@collabora.co.uk>
-
Andrej Shadura authored
This allows simplifying the logging a bit Signed-off-by:
Andrej Shadura <andrew.shadura@collabora.co.uk>
-
Andrej Shadura authored
Signed-off-by:
Andrej Shadura <andrew.shadura@collabora.co.uk>
-
Andrej Shadura authored
Signed-off-by:
Andrej Shadura <andrew.shadura@collabora.co.uk>
-
Andrej Shadura authored
Signed-off-by:
Andrej Shadura <andrew.shadura@collabora.co.uk>
-
Andrej Shadura authored
Signed-off-by:
Andrej Shadura <andrew.shadura@collabora.co.uk>
-
Andrej Shadura authored
MS Graph API SDK ships huge autogenerated files which require a lot of memory, so lightweight runners are not enough anymore. Signed-off-by:
Andrej Shadura <andrew.shadura@collabora.co.uk>
-
Andrej Shadura authored
The MS Graph API packages are huge, causing the linter to time out. Signed-off-by:
Andrej Shadura <andrew.shadura@collabora.co.uk>
-
Andrej Shadura authored
This brings a couple of bug fixes and removes false positives. Signed-off-by:
Andrej Shadura <andrew.shadura@collabora.co.uk>
-
Andrej Shadura authored
We actually report an error here. Signed-off-by:
Andrej Shadura <andrew.shadura@collabora.co.uk>
-
Andrej Shadura authored
This implementation assumes users are not allowed to change their usernames.

MS Graph API provides a few different elements to identify users:
- the oid, which is guaranteed to uniquely map to a single user in a tenant, and globally if combined with the tid (tenant id)
- the userPrincipalName, in the form <username@tenant.domain>
- the free-form email address

Ideally, all services should use the oid+tid as an internal user identifier, the userPrincipalName as a username, and the free-form email for notifications. When federation of tenants is out of scope, the oid and the username part of the userPrincipalName would be enough.

Due to various reasons, the services the mediator is used with on our setup use those elements differently:
* OBS uses <username> for user IDs, but *usually* the free-form email for emails.
* GitLab uses integers for user IDs, the free-form email for primary emails, <username> as the username and the full userPrincipalName for the openid_connect authentication method (which, arguably, should be changed to use the oid+tid), but has no easy way to retrieve users by such identifier (however, it is exposed in some of the user listing API when using administrator’s rights)
* LAVA currently uses the free-form email and should be fixed to use the username from the userPrincipalName

Since in our setup the userPrincipalName cannot be changed and cannot be re-used, and federation is not in scope, using the username part of the userPrincipalName is enough to reliably identify users across services, and it is also what users expect.

Signed-off-by:
Andrej Shadura <andrew.shadura@collabora.co.uk>
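The identifier model above, together with the later commits that introduce a helper for stripping `username@domain` to `username` and make the test fixtures use different local parts for the email and the userPrincipalName, amounts to a small contract: key users by oid+tid internally, by the UPN local part across services, and never by the free-form email. The following is an added example for this log, not the authz-mediator code: `DirectoryUser`, `UsernameFromUPN` and `UsernameIndex` are hypothetical names, and the sample users are constructed so that the email's local part differs from the UPN's, which is exactly the case the fixture change is meant to catch.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// DirectoryUser holds the MS Graph fields discussed above.
type DirectoryUser struct {
	OID               string // object id, unique within the tenant
	TID               string // tenant id
	UserPrincipalName string // username@tenant.domain
	Mail              string // free-form email, may have a different local part
}

// UsernameFromUPN strips the @domain part of a userPrincipalName. A value
// without "@" is returned unchanged (already a plain username); an empty local
// part or empty input is rejected so that it can never match every account.
func UsernameFromUPN(upn string) (string, error) {
	local, _, found := strings.Cut(upn, "@")
	if local == "" {
		return "", errors.New("empty username in: " + upn)
	}
	if !found {
		return upn, nil
	}
	return local, nil
}

// StableID is what a service should store internally: the oid scoped by tid,
// so that two tenants with colliding oids can never alias each other.
func (u DirectoryUser) StableID() string { return u.TID + "/" + u.OID }

// Username is the identifier shared across OBS, GitLab and LAVA: the local
// part of the userPrincipalName, never of the free-form email.
func (u DirectoryUser) Username() (string, error) { return UsernameFromUPN(u.UserPrincipalName) }

// UsernameIndex keys a directory listing by username. Since a UPN cannot be
// re-used in the tenant, a duplicate username means the data is wrong and the
// sync must stop rather than pick one of the two accounts.
func UsernameIndex(users []DirectoryUser) (map[string]DirectoryUser, error) {
	index := make(map[string]DirectoryUser, len(users))
	for _, u := range users {
		name, err := u.Username()
		if err != nil {
			return nil, err
		}
		if prev, dup := index[name]; dup {
			return nil, fmt.Errorf("username %q maps to both %s and %s", name, prev.StableID(), u.StableID())
		}
		index[name] = u
	}
	return index, nil
}

func main() {
	// Constructed sample: note that Mail's local part differs from the UPN's.
	users := []DirectoryUser{
		{OID: "1111", TID: "t1", UserPrincipalName: "jdoe@corp.example", Mail: "john.doe@example.org"},
		{OID: "2222", TID: "t1", UserPrincipalName: "asmith@corp.example", Mail: "alice@example.org"},
	}
	index, err := UsernameIndex(users)
	fmt.Println(err, len(index), index["jdoe"].StableID()) // <nil> 2 t1/1111
	wrong, _ := UsernameFromUPN(users[0].Mail)
	fmt.Println("splitting the email instead gives:", wrong) // john.doe
}
```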
-
Andrej Shadura authored
The new version exposes more object fields of the GitLab API. In particular, we need bot: true to be able to filter out bot users. Signed-off-by:
Andrej Shadura <andrew.shadura@collabora.co.uk>
-