Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add options to configure internal repo handling for GitLab #57858

Merged
merged 17 commits into from Oct 31, 2023
Merged

Add options to configure internal repo handling for GitLab #57858

merged 17 commits into from Oct 31, 2023

Conversation

pjlast
Copy link
Contributor

@pjlast pjlast commented Oct 24, 2023
edited

Closes #57804

This PR adds an option to GitLab code host connections called markInternalReposAsPublic, which sets the visibility of all internal repos added by this code host connection to true, and an option to the GitLab auth provider called syncInternalRepoPermissions. syncInternalRepoPermissions are true by default, and can be set to false to optimise systems where markInternalReposAsPublic is set to true.

Test plan

Unit tests updated. Set up and tested locally as well.

@cla-bot cla-bot bot added the cla-signed label Oct 24, 2023
@github-actions github-actions bot added the team/source Tickets under the purview of Source - the one Source to graph it all label Oct 24, 2023
@pjlast pjlast requested a review from a team October 25, 2023 12:07
@pjlast pjlast marked this pull request as ready for review October 25, 2023 12:07
@sourcegraph-bot
Copy link
Contributor

sourcegraph-bot commented Oct 25, 2023
edited

Codenotify: Notifying subscribers in CODENOTIFY files for diff 17e8f2d...114d762.

Notify File(s)
@eseliger internal/repos/gitlab.go
internal/repos/gitlab_test.go
@unknwon cmd/repo-updater/internal/authz/integration_test.go
internal/authz/providers/authz_test.go
internal/authz/providers/authz_test.go
internal/authz/providers/gitlab/authz.go
internal/authz/providers/gitlab/authz.go
internal/authz/providers/gitlab/oauth.go
internal/authz/providers/gitlab/oauth.go
internal/authz/providers/gitlab/oauth_test.go
internal/authz/providers/gitlab/oauth_test.go
internal/authz/providers/gitlab/sudo.go
internal/authz/providers/gitlab/sudo.go
internal/authz/providers/gitlab/sudo_test.go
internal/authz/providers/gitlab/sudo_test.go

eseliger
eseliger approved these changes Oct 25, 2023
View reviewed changes
doc/admin/external_service/gitlab.md Outdated
}
```

If you would like internal repositories to remain private, but you're experiencing issues where user permission syncs aren't granting access to internal repositories, you can add the following field instead:
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

when would I experience these issues and how do I notice that I do?

internal/authz/providers/gitlab/sudo.go
Comment on lines +241 to +247
repoVisibility := []string{"private"}
if listInternalRepos {
repoVisibility = append(repoVisibility, "internal")
}

// This method is meant to return only private or internal projects
for _, visibility := range []string{"private", "internal"} {
for _, visibility := range repoVisibility {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This changes the default here, correct? Would this cause any trouble to existing instances?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah I'm still thinking about this a bit. I'm flip-flopping a bit between what would be the better option.

I don't mind changing the default behaviour too much, as long as we mention it in the changelog. And the behavioural change won't be particularly destructive.

I'd just like to settle on a default behaviour that would work for most cases. Which might be: private internal repos with syncing enabled 🤔 will let it stew a bit

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We could probably just condense the settings to the single markInternalReposAsPublic one? Since if they're public, you don't need permission syncs 🤔

internal/repos/gitlab.go Outdated
provider: provider,
client: client,
logger: logger,
markInternalReposAsPublic: (c.Authorization != nil) && c.Authorization.MarkInternalReposAsPublic,
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

hmm do we need that c.Authorization check here?
Is it to cover the case where someone sets it to false, but auth is off?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Authorization can be nil here if it is completely unset, so accessing .MarkInternalReposAsPublic would throw a nil pointer exception

internal/repos/gitlab.go Outdated Show resolved Hide resolved
@pjlast
Add options to configure internal repo handling for GitLab
66707fc
@pjlast
Adjust GitLabSource's makeRepo function to set repo visibility accord…
ddb4ea2 
…ing to config
@pjlast
GitLab permissions syncing respects flag that toggles internal permis…
5b230c2 
…sions syncing
@pjlast
Sync internal repo permissions in GitLab auth test
4ae885f
@pjlast
Add flag to sync internal repositories in integration test
f6a71a6
@pjlast
Add Internal Repositories section to GitLab docs
735a6cb
@pjlast
Update changelog
e970098
@pjlast
Remove empty test
8c08835
@pjlast
Remove syncInternalRepoPermissions setting
b6a9b12
@pjlast
Remove unnecessary config option from unit test
6577838
@pjlast
Update unit tests
8a97e49
@pjlast
Move syncInternalRepoPermissions config to auth providers
5c3754d
@pjlast
OIDC/SAML provider should still user markInternalReposAsPublic check
fff5011
@pjlast
Update changelog and docs
2527049
@pjlast
Fix doc links
66f946d
@pjlast pjlast force-pushed the pjlast/57804-default-permissions-gitlab-internal-repos branch from 4b0c373 to 66f946d Compare October 31, 2023 11:18
@pjlast pjlast merged commit 2ea61e5 into main Oct 31, 2023
10 checks passed
@pjlast pjlast deleted the pjlast/57804-default-permissions-gitlab-internal-repos branch October 31, 2023 12:37
@sourcegraph-release-guild-bot sourcegraph-release-guild-bot mentioned this pull request Oct 31, 2023
Merged
sourcegraph-release-guild-bot pushed a commit that referenced this pull request Oct 31, 2023
@pjlast @github-actions
Add options to configure internal repo handling for GitLab (#57858)
721cfb8 
(cherry picked from commit 2ea61e5)
camdencheek pushed a commit that referenced this pull request Nov 1, 2023
@sourcegraph-release-guild-bot @pjlast
[Backport 5.2] Add options to configure internal repo handling for Gi…
ec96a15 
…tLab (#58012)

Add options to configure internal repo handling for GitLab (#57858)

(cherry picked from commit 2ea61e5)

Co-authored-by: Petri-Johan Last <petri.last@sourcegraph.com>
vovakulikov pushed a commit that referenced this pull request Dec 12, 2023
@pjlast @vovakulikov
Add options to configure internal repo handling for GitLab (#57858)
c0d395e
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@eseliger eseliger eseliger approved these changes

Assignees
No one assigned
Labels
backport 5.2 cla-signed team/source Tickets under the purview of Source - the one Source to graph it all
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Add option to set default permission value for GitLab internal repos (like we do for GitHub)
3 participants
@pjlast @sourcegraph-bot @eseliger