Add private gitlab storage

[agaget]

Hi,
Thanks for the gitlab storage feature,
Is there a way to use a private gitlab ? When I click on "Authorize" it goes to "gitlab.com" but I would like it to store on my gitlab company (https://gitlab.example.fr/) ?
If not, can it be integrated ?

Thanks

[davidjgraph]

Happy to look at PR to add it.

[fhemberger]

References to 'gitlab.com' are in the following files:

• src/main/webapp/js/app.min.js
• src/main/webapp/js/diagramly/App.js
• src/main/webapp/js/diagramly/Dialogs.js
• src/main/webapp/js/diagramly/GitLabClient.js

You could for example modify the current Dockerfile like this:

FROM frekele/ant:1.10.3-jdk8 as BUILD

ARG GITLAB_DOMAIN=https://gitlab.com/
ENV DEBIAN_FRONTEND=noninteractive

# Download the latest draw.io release from GitHub
SHELL ["/bin/bash", "-o", "pipefail", "-c"]
RUN apt-get update \
  && apt-get install jq -y --no-install-recommends \
  && mkdir /usr/build \
  && curl -fsSL -o drawio.tar.gz --compressed "$(curl -fsSL --compressed "https://api.github.com/repos/jgraph/drawio/releases/latest" | jq -r ".tarball_url")" \
  && tar xzf drawio.tar.gz -C /usr/build --strip-components=1

# Replace all references to gitlab.com
WORKDIR /usr/build
RUN grep -rl 'https://gitlab.com/' | xargs sed -i "s|https://gitlab.com/|$GITLAB_DOMAIN|g"

# Continue to build like the official release 
WORKDIR /usr/build/etc/build/
RUN ant war

FROM tomcat:9.0 as TARGET
COPY --from=BUILD /usr/build/build/draw.war /usr/local/tomcat/webapps/
EXPOSE 8080
CMD ["catalina.sh", "run"]

Then build the Dockerfile with your custom URL:

docker build \
  --build-arg GITLAB_DOMAIN=https://gitlab.example.fr/ \
  -t drawio-custom-gitlab \
  .

Maybe not the nicest solution, but it should work. 😉

[m4r10k]

@fhemberger we did the first tries to do the same on Friday but weren't able to finish our testing. Therefore many thanks for your great summary - we will test it next week for our on-premises installation too. 🤗

[fhemberger]

@m4r10k Haven't tested it yet with our GitLab instance (maybe next week), just a quick idea I came up with. It should do the trick … looking forward for your feedback!

[m4r10k]

@fhemberger ... sure! Such ideas are great to exchange - you are some steps ahead. I just hacked this stuff quick and dirty into the draw.io Docker image directly for testing 🤣

The problem that we have is, that I know were to put the Client ID - but I am not sure about the Secret (from the Gitlab Applications...)

[davidjgraph]

Refreshing to see some constructive solutions in issues, but this one is a lot easier for us to deal with :). With 11.1.2 you can add a URL parameter "gitlab=yourURL" to set the path to your custom instance.

[fhemberger]

@davidjgraph Awesome, thanks!

[m4r10k]

@davidjgraph Many many thanks!

[yetanothern]

A stupid question: where should I add this parameter?

[fhemberger]

@stepkh http://draw.io?gitlab=https://mygitlab.example.com/

[yetanothern]

When I put url like http://my.drawio.local/?gitlab=http://my.gitlab.local I get "Save diagram to:" window, the same if I put drawio url without parameters.

[yetanothern]

This url works: http://my.drawio.local/?mode=gitlab&gitlab=http://my.gitlab.local. But when I authorize in gitlab, I get an error "Client authentication failed due to unkown client, no client authentication included, or unsupported authentication method". The same error was got by me when I manually changed 'gitlab.com' to 'my.gitlab.local' in previous version 11.1.1.

[davidjgraph]

OK, the main question is can anyone get this to work with the URL parameter? I don't have a local gitlab instance. If yes, authorizing in gitlab sounds off-topic for draw.io. If no, we need to debug.

[agaget]

Hi,
Come back from holiday and I see there already is a solution. Thanks for your prompt reaction :)
I encountered the same problem as @stepkh "client authentification blabla..." I'm not the administrator of our private instance so I will talk to my admin see if there is any right to unlock.

[yetanothern]

If it will help to debug, i glad to provide a couple test public containers with self-hosted draw.io and gitlab.

[davidjgraph]

Actually, I assumed with the above script that someone had this working, but probably not, reading it again. I should have explained the client ID.

At the top of GitLabClient.js there's a client ID. That's the ID for our application in Gitlab. It has custom redirect URLs for the authenication, so it won't work on your local URL.

I can tell you the setup using gitlab.com, I hope it's similiar on a local install. Under user settings there's an application option:

The redirect URI needs to point to the gitlab.html file in the root of the draw.io installation and you need to select the following scopes:

btw, if anyone can find a set of working scopes that doesn't include "API", please let us know.

When the app is saved, you need to swap out the clientID mentioned, but we'll add a URL parameter for that in a minute.

[m4r10k]

As I wrote in #493 (comment) , there is a setting for the ClientID in GitLabClient.js . You can generate this ID by creating an Application in the GitLab Admin Settings under "Applications" - but I have currently no idea where to put the Secret that is also provided by GitLab during Application creation :-)

[m4r10k]

@davidjgraph ups, ninja'd :)

[davidjgraph]

Added as d6c66c4

URL parameter is "gitlab-id"

Note that if you can inject these global variables in the docker image:

window.DRAWIO_GITLAB_URL
window.DRAWIO_GITLAB_ID

you don't have to use the URL parameters

[agaget]

In your example I think it shouldn't be MyGitlabPath but MyDrawIOPath.
I'm using the online version so I've configured the application as you said using as redirectURI https://draw.io/gitlab.html

When I entered this url with the client-ID given :
https://www.draw.io/?gitlab=https://mygitlab.fr&gitlab-id=94b55953cd3865a78dd6903e2adbd6095f2ac5646ec58aa46d0a76d848d18fa1
I create a new diagram, wanted to store to gitlab, when I "Authorize"

The url sent is the following, the id doesn't seem to be used ?
https://myGitlab.fr/oauth/authorize?client_id=5cdc018a32acddf6eba37592d9374945241e644b8368af847422d74c8709bc44&scope=api%20read_repository%20write_repository&redirect_uri=https%3A%2F%2Fwww.draw.io%2Fgitlab.html&response_type=token&state=123

[davidjgraph]

That won't work, because we haven't deployed this to the production version at draw.io yet...

[agaget]

That is a good reason :D

[davidjgraph]

Try the github pages version of this project for testing, https://jgraph.github.io/drawio/src/main/webapp/

[agaget]

Url for draw :
https://jgraph.github.io/drawio//src/main/webapp/?gitlab=https://mygitlab.fr&gitlab-id=94b55953cd3865a78dd6903e2adbd6095f2ac5646ec58aa46d0a76d848d18fa1

https://mygitlab.fr/oauth/authorize?client_id=5cdc018a32acddf6eba37592d9374945241e644b8368af847422d74c8709bc44&scope=api%20read_repository%20write_repository&redirect_uri=https%3A%2F%2Fjgraph.github.io%2Fgitlab.html&response_type=token&state=123

Still don't work, still a different id, I imagine that the client_id should be similar to the gitlab-id I indicate in the url, is it ?

[davidjgraph]

Ah, sorry my bad, it's not built. https://jgraph.github.io/drawio/src/main/webapp/?dev=1 , you need dev=1 in the URL parameters

[agaget]

your url result as "Page could not be loaded"

[rickywu]

Thanks, but I need an instance I can log into.

Docker image I don't know. https://github.com/fjudith/docker-draw.io is the recommended docker image, I think they process environment variables.

I think window.EXPORT_URL is a browser parameter not for docker container enviroment variable

Probally we need support read from enviroment variable?

[davidjgraph]

@rickywu Thanks. Yeah, it doesn't seem to be as easy as changing the URL and client ID.

@agaget That 404 is due to the draw.io domain not being on the jgraph.github.io root.

Let's try again with https://gitlab-test-dot-drawdotio.appspot.com/ . It's the github version, but the redirect will be at https://gitlab-test-dot-drawdotio.appspot.com/gitlab.html

[davidjgraph]

We don't use environment variables in our deployment. You're welcome to submit a PR, but it must work on Google App Engine, where our production draw.io runs.

[agaget]

🎉 it works !!
Just a strange details, in the selection menu of my repo it seems that it always select the last "projects" of the "groups"

For example if i click on ESS Modules /m-epics-PF704_Cpl_IPC it will select ESS Modules / PF704-dev (same for the other projects of the groups)

[davidjgraph]

@agaget can you open that as a new issue please? I'll close this one if the basics work.

[agaget]

@davidjgraph done #510

[droub]

I am facing the same kind of issues but it's hard to understand what setup is finally working. Could someone summarize the solution please ?

[agaget]

I can try.. As it seems that it's not in production yet I will use the https://gitlab-test-dot-drawdotio.appspot.com url.
In your Gitlab instance :

The redirect URI needs to point to the gitlab.html file in the root of the draw.io installation and you need to select the following scopes:

(use https://gitlab-test-dot-drawdotio.appspot.com not draw.io)

Then it will give you an Application-id paste it.

Use
https://gitlab-test-dot-drawdotio.appspot.com/?gitlab=https://MyGitLab.com&gitlab-id=Application_id_just_pasted
Authorize the app

It should work.

[rickywu]

The latest version add PreConfig.js to let you config DRAWIO_GITLAB_URL and DRAWIO_GITLAB_ID before compile or before start docker container

window.DRAWIO_GITLAB_URL = 'blabla';
window.DRAWIO_GITLAB_ID = 'blabla';

[droub]

Thanks, I still get the : "The redirect URI included is not valid." after authorization.

My draw.io docker is not served on a root url i.e. https://myapps.mycomp.com/draw could that be a problem ? My redirection does point to https://myapps.myconm.com/draw/gitlab.html

Also, I can see a 404ed request to the gitlab:
/oauth/undefined#search:1 Failed to load resource: the server responded with a status of 404 ()

I can't tell if my problem is on the draw.io side or on the gitlab side :(.

[rickywu]

You have to modify this line

drawio/src/main/webapp/js/diagramly/GitLabClient.js

Line 42 in c823b4f

var redirectUri = encodeURIComponent(window.location.origin + '/gitlab.html');

change window.location.origin to DRAWIO_GITLAB_URL
and set DRAWIO_GITLAB_URL = http://host.com/draw

see #515

[davidjgraph]

We'll change that to:

var href = window.location.href;
var dir = href.substring(0, href.lastIndexOf('/'));

in the next release.

[davidjgraph]

In 12.2.1

[LilTrublMakr]

I am unable to get a self hosted Draw.io and GitLab to work. I have tried all the suggestions I have seen and @agaget's instructions.

I have gone in to my gitlab > created new application > Named it > Set redirect uri to "https://draw.mydomain.com/gitlab.html" > Unticked "Confidential" (Maybe new since this feature was released?) > Ticked "api", "read_repository", and "write_repository" > Clicked on "Save application"

I then went to https://draw.mydomain.com.com/?gitlab=https://gitlab.mydomain.com&gitlab-id=(application key from newly created application in GitLab)

It opens up draw.io and gives me the option to create new or open existing. I create new > Blank > Click on "Authorize" > (GitLab window opens) and all I get is an error in GitLab that says "The redirect URI included is not valid."

I have tried doing everything fresh (deleted both containers for Draw.io and Gitlab) and deleted the config folder for GitLab (it does not seem that Draw.io has one for the unraid version at least) and started as fresh as I could to reach the same place.

Any help to get this working would be appreciated.

[davidjgraph]

What is the redirect URL used that is invalid? Is your custom application ID being used? How did you set it?

[LilTrublMakr]

What is the redirect URL used that is invalid?

https://draw.mydomain.com/gitlab.html
If I visit the page manually, I get This window will be closed automatically. which is expected but the page never closes.

Is your custom application ID being used?

Yes.

How did you set it?

I have tried both doing it by going through the menu that first pops up > selecting GitLab > and clicking on the Authorize button and by going to https://draw.mydomain.com.com/?gitlab=https://gitlab.mydomain.com&gitlab-id=(application key from GitLab) which basically takes me to the startup screen and I follow the process mentioned above.

[apmikroel]

We came upon the same error as @LilTrublMakr, and the error is from the redirect URL that draw.io generates.

When opening local instance by opening URL from browser https://<draw.io-CUSTOM-URL>/?gitlab=https://<CUSTOM-GITLAB-ADDRESS>&gitlab-id=<GENERATED-APP-ID> we cannot sign into our Gitlab installation.

Gitlab URL that is generated from draw.io when clicking Authenticate:
https://<CUSTOM-GITLAB-ADDRESS>/oauth/authorize?client_id=<GENERATED-APP-ID>&scope=api%20read_repository%20write_repository&redirect_uri=https%3A%2F%2F<draw.io-CUSTOM-URL>%2F%3Fgitlab%3Dhttps%3A%2F%2Fgitlab.html&response_type=token&state=123

And it should be:
https://<CUSTOM-GITLAB-ADDRESS>/oauth/authorize?client_id=<GENERATED-APP-ID>&scope=api%20read_repository%20write_repository&redirect_uri=https%3A%2F%2F<draw.io-CUSTOM-URL>%2Fgitlab.html&response_type=token&state=123

draw.io was installed from the dockerhub image jgraph/drawio, image id ca3338cc1f0d

I have used the same sign-up process (create a gitlab application with the scope api, read_repository, write_repository). After fixing the URL I can add an app, edit diagrams from repositories and create new diagrams.

[davidjgraph]

URL parameters must be URL encoded, the specification states this. Encode your parameters and it should work.

[apmikroel]

Right, thank you for the reply, after testing the opening instance by entering a URL

https://<draw.io-CUSTOM-URL>/?gitlab=https%3A%2F%2F<CUSTOM-GITLAB-ADDRESS>&gitlab-id=<GENERATED-ID>

I can confirm that integration works properly.

[eremyja]

Im not sure if this should be a new issue but it seems similar.

Description:
selfhosted drawio (v13.8.2) (docker container jgraph/drawio on rancher) returns "access denied" from selfhosted gitlab (v13.7.1) (proxmox container from turnkeylinux)

Steps I took:

1. Created application in gitlab admin area with trusted, confidential, api, read_repo, write_repo selected and callback uri http://<docker_host>:<drawio_port>/gitlab.html
2. Copied application key to environment variable "DRAWIO_GITLAB_ID" and gitlab url to "DRAWIO_GITLAB_URL"
3. In drawio; save to > gitlab, create new, blank template create, authorize
4. Logged into my gitlab
5. returned to drawio but Access denied
6. Back in gitlab applications, a new client is shown for drawio application.

Troubleshooting:

1. Tried creating the gitlab application from the user settings menu vice admin area.
   Results: Additional screen in gitlab showing application creator and scope with another authorize button. Access still denied
2. Tried authorizing as a non-admin user.
   Result: no change.
3. Added every combination of scope, trusted, and confidential
   Result: no change
4. Tried https://<draw.io-CUSTOM-URL>/?gitlab=https%3A%2F%2F<CUSTOM-GITLAB-ADDRESS>&gitlab-id=<GENERATED-ID>
   Result: no change

[pepsifan]

@eremyja It's probably a problem with CSP (Content Security Policy) which was introduced in drawio since 13.1.7 (29-MAY-2020). The CSP forbids the browser to make HTTP-Requests to other domains. The allowed domains are defined in src/main/webapp/js/diagramly/Devel.js

To define your custom allowed domain list for CSP you can use the Docker environment variable DRAWIO_CSP_HEADER.
Just have a look into docker-entrypoint.sh next to the Dockerfile in jgraph/docker-drawio.

Here an example for setting the environment variable in docker-compose.xml:

version: '3.2'
services:
  drawio:
    image: jgraph/drawio
    container_name: drawio.example.com
    environment:
      - DRAWIO_BASE_URL=https://drawio.example.com
      - DRAWIO_GITLAB_URL=https://git.example.com
      - DRAWIO_GITLAB_ID=abcdef123456
      - DRAWIO_CSP_HEADER=default-src \'self\'; script-src \'self\' \'unsafe-inline\'; connect-src \'self\' https://git.example.com; img-src * data:; media-src * data:; font-src * about:; style-src \'self\' \'unsafe-inline\';

In this example, the most sources are restricted to same origin except images, media and fonts. But the browser is also allowed to invoke requests to https://git.example.com by scripts.

[eremyja]

That was it! Thank you! Is there some documentation for these kinds of things? This ticket is the only place I could find any relevant information about setting up a self hosted instance.

[agaget]

Hi,
Come back to test this solution for various reasons (that was working when I wrote my last message #493 (comment))

Is this feature was included on the public instance app.diagrams.net/ ?

Cause when I use:
https://app.diagrams.net//?gitlab=https%3A%2F%2F&gitlab-id=

I got the redirection URI error.

I can't change nothing on this instance and I don't really want to install and manage my own instance.

Any idea ? Do i reopen the issue ?