Merge pull request #760 from mahadevan-karthi-dwp/feat-group-saml-links
feat: support for group SAML links - closes #549
Showing
7 changed files
with
232 additions
and
74 deletions.
@@ -0,0 +1,23 @@ | ||
gitlab_rails['initial_root_password']='mK9JnG7jwYdFcBNoQ3W3' | ||
registry['enable']=false | ||
grafana['enable']=false | ||
prometheus_monitoring['enable']=false | ||
gitlab_rails['initial_license_file']='/etc/gitlab/Gitlab.gitlab-license' | ||
gitlab_kas['enable']=false | ||
gitlab_rails['omniauth_enabled'] = true | ||
gitlab_rails['omniauth_allow_single_sign_on'] = ['saml'] | ||
gitlab_rails['omniauth_block_auto_created_users'] = false | ||
gitlab_rails['omniauth_auto_link_saml_user'] = true | ||
gitlab_rails['omniauth_providers'] = [ | ||
{ | ||
name: 'saml', | ||
args: { | ||
assertion_consumer_service_url: 'http://localhost/users/auth/saml/callback', | ||
idp_cert_fingerprint: '11:9B:9E:02:79:59:CD:B7:C6:62:CF:D0:75:D9:E2:EF:38:4E:44:5F', | ||
idp_sso_target_url: 'http://localhost:8080/simplesaml/saml2/idp/SSOService.php', | ||
issuer: 'http://app.example.com', | ||
name_identifier_format: 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent' | ||
}, | ||
label: 'SAML Login' | ||
} | ||
] |
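Review bot: The first line of this fixture commits a literal initial root password; even for a throwaway local GitLab instance it is better sourced from the environment so the file cannot be copied into a non-test deployment with a known credential, e.g. `gitlab_rails['initial_root_password'] = ENV.fetch('GITLAB_ROOT_PASSWORD')` (the docker/CI wiring that would have to supply it is outside this hunk). Separately, `omniauth_block_auto_created_users = false` combined with `omniauth_auto_link_saml_user = true` means any assertion from the IdP at `localhost:8080` both provisions an account and links it to an existing user without admin approval; that is reasonable for the local SimpleSAML test IdP but deserves a comment making the intent explicit, e.g. `# test-only: auto-provision and auto-link SAML users for the local IdP; do not reuse in a real deployment`.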
@@ -0,0 +1,33 @@ | ||
# Group SAML links | ||
|
||
!!! info | ||
|
||
This section requires GitLab Premium (paid). (This is a GitLab's limitation, not GitLabForm's.) | ||
|
||
This section purpose is to manage [group membership via SAML group links](https://docs.gitlab.com/ee/user/group/saml_sso/group_sync.html#configure-saml-group-links). | ||
|
||
Key names here are just any labels. | ||
|
||
Except if the key name is `enforce` and is set to `true` - then only the group SAML links defined here will remain in the group, all other will be deleted. | ||
|
||
Values are like documented at [SAML Group Links section of the Groups API docs](https://docs.gitlab.com/ee/api/groups.html#saml-group-links), **except the id**. | ||
|
||
The `saml_group_name` should be set to the SAML group name | ||
|
||
The `access_level` should be set to one of the [valid access levels](https://docs.gitlab.com/ee/api/members.html#valid-access-levels). | ||
|
||
Example: | ||
|
||
```yaml | ||
projects_and_groups: | ||
group_1/*: | ||
saml_group_links: | ||
devops_are_maintainers: # this is just a label | ||
saml_group_name: devops | ||
access_level: maintainer | ||
developers_are_developers: # this is just a label | ||
saml_group_name: developers | ||
access_level: developer | ||
|
||
enforce: true # optional | ||
``` |
@@ -0,0 +1,60 @@ | ||
from logging import debug | ||
from typing import List | ||
|
||
|
||
from gitlabform.gitlab import GitLab | ||
from gitlab.base import RESTObject, RESTObjectList | ||
from gitlab.v4.objects import Group | ||
from gitlabform.processors.abstract_processor import AbstractProcessor | ||
|
||
|
||
class GroupSAMLLinksProcessor(AbstractProcessor): | ||
|
||
def __init__(self, gitlab: GitLab): | ||
super().__init__("saml_group_links", gitlab) | ||
|
||
def _process_configuration(self, group_path: str, configuration: dict) -> None: | ||
"""Process the SAML links configuration for a group.""" | ||
|
||
configured_links = configuration.get("saml_group_links", {}) | ||
enforce_links = configuration.get("saml_group_links|enforce", False) | ||
|
||
group: Group = self.gl.get_group_by_path_cached(group_path) | ||
existing_links: RESTObjectList | List[RESTObject] = self._fetch_saml_links( | ||
group | ||
) | ||
existing_link_names = [existing_link.name for existing_link in existing_links] | ||
|
||
# Remove 'enforce' key from the config so that it's not treated as a "link" | ||
if enforce_links: | ||
configured_links.pop("enforce") | ||
|
||
for link_name, link_configuration in configured_links.items(): | ||
if link_name not in existing_link_names: | ||
group.saml_group_links.create(link_configuration) | ||
group.save() | ||
|
||
if enforce_links: | ||
self._delete_extra_links(group, existing_links, configured_links) | ||
|
||
def _fetch_saml_links(self, group: Group) -> RESTObjectList | List[RESTObject]: | ||
"""Fetch the existing SAML links for a group.""" | ||
return group.saml_group_links.list() | ||
|
||
def _delete_extra_links( | ||
self, | ||
group: Group, | ||
existing: RESTObjectList | List[RESTObject], | ||
configured: dict, | ||
) -> None: | ||
"""Delete any SAML links that are not in the configuration.""" | ||
known_names = [ | ||
common_name["name"] | ||
for common_name in configured.values() | ||
if common_name != "enforce" | ||
] | ||
|
||
for link in existing: | ||
if link.name not in known_names: | ||
debug(f"Deleting extra SAML link: {link.name}") | ||
group.saml_group_links.delete(link.id) |
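Review bot: `_delete_extra_links` reads `common_name["name"]` from each configured link, but the links this PR documents carry `saml_group_name`, so enforce mode raises KeyError before any deletion; the `!= "enforce"` guard there also compares a dict to a string and is redundant once `_process_configuration` has popped the key. The same label/name confusion is at `if link_name not in existing_link_names`: `link_name` is the config label (e.g. `devops_are_maintainers`) while `existing_link.name` is the SAML group name, so a configured link is never recognised as existing and every run re-issues the create (whether GitLab rejects or duplicates it is not visible here). Smaller points in the same hunk: `configured_links.pop("enforce")` mutates the caller's configuration and raises if the nested key is absent; `existing_links` is iterated twice, which yields nothing on the second pass if `_fetch_saml_links` ever returns the lazy `RESTObjectList`; and `group.save()` after each create updates group attributes, not links, so it looks unnecessary. `link.id` in the delete is suspect if python-gitlab keys this object on `name` rather than `id` — `link.get_id()` returns the library's identifier whichever it is. Both methods are rewritten below with those points addressed.

```python
    def _process_configuration(self, group_path: str, configuration: dict) -> None:
        """Process the SAML links configuration for a group."""
        # Work on a copy so the caller's configuration is not mutated; `enforce`
        # is a flag, not a link, so drop it with a default rather than raising.
        configured_links = dict(configuration.get("saml_group_links", {}))
        configured_links.pop("enforce", None)
        enforce_links = configuration.get("saml_group_links|enforce", False)

        group: Group = self.gl.get_group_by_path_cached(group_path)
        # Materialize once: the list is walked here and again in _delete_extra_links.
        existing_links = list(self._fetch_saml_links(group))
        # Existing link objects expose the SAML group name as `name` (presumably —
        # confirm against the API); compare on `saml_group_name`, not the config label.
        existing_link_names = {link.name for link in existing_links}

        for link_configuration in configured_links.values():
            if link_configuration["saml_group_name"] not in existing_link_names:
                group.saml_group_links.create(link_configuration)

        if enforce_links:
            self._delete_extra_links(group, existing_links, configured_links)

    # … unchanged: _fetch_saml_links …

    def _delete_extra_links(
        self,
        group: Group,
        existing: RESTObjectList | List[RESTObject],
        configured: dict,
    ) -> None:
        """Delete any SAML links whose SAML group name is not in the configuration."""
        known_names = {link["saml_group_name"] for link in configured.values()}

        for link in existing:
            if link.name not in known_names:
                debug(f"Deleting extra SAML link: {link.name}")
                # get_id() yields whichever attribute python-gitlab keys this
                # object on — TODO confirm it is the SAML group name for this endpoint.
                group.saml_group_links.delete(link.get_id())
```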