Support Azure Government tenants with Microsoft Graph #139

Closed
smccutchen opened this issue Mar 14, 2022 · 5 comments · Fixed by #140
@smccutchen

Hey there. I'm trying to get GitLab incoming email working via Microsoft Graph, where my Azure tenant is in the government "GCC High" cloud.

The main difference between Azure Government and public clouds is the primary endpoint URL. Instead of, say, "graph.microsoft.com", government cloud tenants use "graph.microsoft.us".

When incoming email is configured to use the Microsoft Graph API according to the GitLab documentation, the following error is produced in my MailRoom log file:

```
2022-03-14_16:57:49.22500 {"error":"invalid_request","error_description":"AADSTS900382: Confidential Client is not supported in Cross Cloud request.\\r\\nTrace ID: 04b0bb87-9cc0-4f9a-aae0-5fd8d63bd400\\r\\nCorrelation ID: 30fd63f4-8330-4ba5-8ae6-0190d56fd637\\r\\nTimestamp: 2022-03-14 16:57:49Z","error_codes":[900382],"timestamp":"2022-03-14 16:57:49Z","trace_id":"04b0bb87-9cc0-4f9a-aae0-5fd8d63bd400","correlation_id":"30fd63f4-8330-4ba5-8ae6-0190d56fd637"}
2022-03-14_16:57:49.22501 from /opt/gitlab/embedded/lib/ruby/gems/2.7.0/gems/oauth2-1.4.7/lib/oauth2/client.rb:164:in `get_token'
2022-03-14_16:57:49.22502 from /opt/gitlab/embedded/lib/ruby/gems/2.7.0/gems/oauth2-1.4.7/lib/oauth2/strategy/client_credentials.rb:20:in `get_token'
2022-03-14_16:57:49.22502 from /opt/gitlab/embedded/lib/ruby/gems/2.7.0/gems/gitlab-mail_room-0.0.19/lib/mail_room/microsoft_graph/connection.rb:79:in `setup'
2022-03-14_16:57:49.22502 from /opt/gitlab/embedded/lib/ruby/gems/2.7.0/gems/gitlab-mail_room-0.0.19/lib/mail_room/microsoft_graph/connection.rb:21:in `initialize'
2022-03-14_16:57:49.22502 from /opt/gitlab/embedded/lib/ruby/gems/2.7.0/gems/gitlab-mail_room-0.0.19/lib/mail_room/mailbox_watcher.rb:69:in `new'
2022-03-14_16:57:49.22502 from /opt/gitlab/embedded/lib/ruby/gems/2.7.0/gems/gitlab-mail_room-0.0.19/lib/mail_room/mailbox_watcher.rb:69:in `connection'
2022-03-14_16:57:49.22502 from /opt/gitlab/embedded/lib/ruby/gems/2.7.0/gems/gitlab-mail_room-0.0.19/lib/mail_room/mailbox_watcher.rb:31:in `run'
2022-03-14_16:57:49.22503 from /opt/gitlab/embedded/lib/ruby/gems/2.7.0/gems/gitlab-mail_room-0.0.19/lib/mail_room/coordinator.rb:22:in `each'
2022-03-14_16:57:49.22503 from /opt/gitlab/embedded/lib/ruby/gems/2.7.0/gems/gitlab-mail_room-0.0.19/lib/mail_room/coordinator.rb:22:in `run'
2022-03-14_16:57:49.22504 from /opt/gitlab/embedded/lib/ruby/gems/2.7.0/gems/gitlab-mail_room-0.0.19/lib/mail_room/cli.rb:58:in `start'
2022-03-14_16:57:49.22504 from /opt/gitlab/embedded/lib/ruby/gems/2.7.0/gems/gitlab-mail_room-0.0.19/bin/mail_room:5:in `<top (required)>'
2022-03-14_16:57:49.22504 from /opt/gitlab/embedded/bin/mail_room:23:in `load'
2022-03-14_16:57:49.22504 from /opt/gitlab/embedded/bin/mail_room:23:in
```

Specifically, if you go look at this file at /opt/gitlab/embedded/lib/ruby/gems/2.7.0/gems/gitlab-mail_room-0.0.19/lib/mail_room/microsoft_graph/connection.rb, you'll see that the Microsoft Graph URLs have been hard-coded to the public ".com" endpoints, and there is no available override to support Azure Government tenants (or any other region, for that matter).

Is there a workaround for this, short of editing the file manually?

stanhu added a commit that referenced this issue Mar 14, 2022
Previously Microsoft Graph only worked for the default Azure
deployment. However, there are currently three other national clouds
supported in Azure
(https://docs.microsoft.com/en-us/graph/deployments).

This commit adds support for the `graph_endpoint` and
`azure_ad_endpoint` to enable support for these alternative Azure
deployments.

Closes #139
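The issue body above describes the hard-coded public-cloud hosts, and the commit message names the two options the fix adds (`graph_endpoint` and `azure_ad_endpoint`). The following Ruby is an added example and is not mail_room's or GitLab's own code: it models a connector that reads both endpoints from an inbox-options hash, defaults them to the public cloud, and rejects a mismatched pair before any token request is made, because Azure AD will not issue a confidential-client token for a Graph resource in a different cloud (the AADSTS900382 error shown in the log). The module, struct and error names, the cloud table, and the tenant ID are this example's own; the host pairs come from Microsoft's Graph deployments page for the public, US Government (GCC High and DoD) and China clouds.

```ruby
require 'uri'

# Added example, not mail_room's or GitLab's code. Models the configuration
# surface the fix introduces: azure_ad_endpoint and graph_endpoint come from
# config, default to the public cloud, and are validated as a pair.
module GraphCloudConfig
  # Public-cloud defaults; these are the values the original connector hard-coded.
  DEFAULT_AZURE_AD_ENDPOINT = 'https://login.microsoftonline.com'.freeze
  DEFAULT_GRAPH_ENDPOINT    = 'https://graph.microsoft.com'.freeze

  # Azure AD login host => Graph hosts served by the same national cloud.
  # Host names are from Microsoft's Graph deployments page; the pairing check
  # built on them is this example's own. Extend for other clouds as needed.
  CLOUDS = {
    'login.microsoftonline.com' => %w[graph.microsoft.com],
    'login.microsoftonline.us'  => %w[graph.microsoft.us dod-graph.microsoft.us],
    'login.chinacloudapi.cn'    => %w[microsoftgraph.chinacloudapi.cn]
  }.freeze

  class ConfigError < StandardError; end

  Endpoints = Struct.new(:azure_ad_endpoint, :graph_endpoint, :tenant_id) do
    # Azure AD v2.0 client-credentials token URL for this tenant.
    def token_url
      "#{azure_ad_endpoint}/#{tenant_id}/oauth2/v2.0/token"
    end

    # Client-credentials scope: derived from graph_endpoint so the requested
    # resource is always the Graph host of the same cloud as the login host.
    def scope
      "#{graph_endpoint}/.default"
    end

    def graph_base_url
      "#{graph_endpoint}/v1.0"
    end
  end

  # Build endpoints from an inbox_options-style hash (symbol keys). Missing
  # endpoint keys fall back to the public cloud, matching pre-fix behaviour.
  def self.build(options)
    tenant_id = options.fetch(:tenant_id) { raise ConfigError, 'tenant_id is required' }
    azure = normalize(options.fetch(:azure_ad_endpoint, DEFAULT_AZURE_AD_ENDPOINT), :azure_ad_endpoint)
    graph = normalize(options.fetch(:graph_endpoint, DEFAULT_GRAPH_ENDPOINT), :graph_endpoint)

    login_host = URI(azure).host
    graph_host = URI(graph).host
    allowed = CLOUDS[login_host]
    raise ConfigError, "unknown Azure AD endpoint host #{login_host}" if allowed.nil?
    unless allowed.include?(graph_host)
      # The case that otherwise fails at token time with AADSTS900382: a token
      # from one cloud's Azure AD requested for another cloud's Graph resource.
      raise ConfigError, "graph_endpoint #{graph_host} is not served by the cloud of #{login_host}"
    end

    Endpoints.new(azure, graph, tenant_id)
  end

  # Require https and strip any trailing slash so URL joins are predictable.
  def self.normalize(value, key)
    uri = URI(value.to_s)
    raise ConfigError, "#{key} must be an https URL" unless uri.is_a?(URI::HTTPS) && uri.host
    raise ConfigError, "#{key} must not include a path" unless uri.path.empty? || uri.path == '/'
    "https://#{uri.host}#{uri.port == 443 ? '' : ":#{uri.port}"}"
  rescue URI::InvalidURIError
    raise ConfigError, "#{key} is not a valid URL"
  end
end

if $PROGRAM_NAME == __FILE__
  gcc_high = GraphCloudConfig.build(
    tenant_id: 'contoso-tenant-id', # constructed placeholder, not a real tenant
    azure_ad_endpoint: 'https://login.microsoftonline.us',
    graph_endpoint: 'https://graph.microsoft.us'
  )
  puts gcc_high.token_url
  puts gcc_high.scope
end
```

When a deployment fails with AADSTS900382, the thing to check is that `azure_ad_endpoint` and `graph_endpoint` point at the same national cloud, not merely that each host resolves; the pair check above makes that a configuration error instead of a runtime token failure.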
@stanhu
Collaborator

stanhu commented Mar 14, 2022

Is there a workaround for this, short of editing the file manually?

Not yet.

My trial Azure government tenant has expired. Would you be able to test out #140?

@stanhu stanhu self-assigned this Mar 14, 2022
@smccutchen
Author

smccutchen commented Mar 14, 2022

I can confirm that it's fully functional once I manually modify the "connection.rb" file to use the correct endpoint URLs for GCC High - in my case it's "graph.microsoft.us" and "login.microsoftonline.us" .

Commit #140 looks great (exactly what we'd want) but I'm not sure how to test it within the context of GitLab (I suspect they'd need to do some changes on their end to also support this, since I pass my tenant id + client id through the gitlab.rb config file).

Either way, great work!

@stanhu
Collaborator

stanhu commented Mar 14, 2022

Yeah, you'd need to replace connection.rb with that file and then manually edit /opt/gitlab/embedded/service/gitlab-rails/config/mail_room.yml with those options.

I'll see if I can get Microsoft to reactivate my Microsoft Government Cloud account in the interim.

maxlazio pushed a commit to gitlabhq/omnibus-gitlab that referenced this issue Mar 16, 2022
Previously Microsoft Graph only worked for the default Azure
deployment. However, there are currently three other national clouds
supported in Azure
(https://docs.microsoft.com/en-us/graph/deployments).

This update adds support for the `graph_endpoint` and
`azure_ad_endpoint` to enable support for these alternative Azure
deployments.

This pulls in tpitale/mail_room#140 to address
tpitale/mail_room#139.

Changelog: changed
@stanhu
Collaborator

stanhu commented Mar 22, 2022

@smccutchen GitLab 14.9 shipped with the updated MailRoom that has the graph_endpoint and azure_ad_endpoint config options. Would you mind testing whether the documentation in https://gitlab.com/gitlab-org/gitlab/-/merge_requests/83242/diffs is correct?

@smccutchen
Author

I can confirm the config options available in 14.9 are working as expected.

Thanks for the fast effort!

tnir pushed a commit to tnir/charts-gitlab that referenced this issue May 16, 2022
Previously Microsoft Graph only worked for the default Azure
deployment. However, there are currently three other national clouds
supported in Azure
(https://docs.microsoft.com/en-us/graph/deployments).

This commit upgrades MailRoom to v0.0.20 to pull in
tpitale/mail_room#140 to make it possible to
configure endpoints for alternative Azure deployments.

This update also adds support for the `azureAdEndpoint` and
`graphEndpoint` configuration settings for incoming e-mail and Service
Desk.

Related CNG change:
https://gitlab.com/gitlab-org/build/CNG/-/merge_requests/931

Related Omnibus change:
https://gitlab.com/gitlab-org/omnibus-gitlab/-/merge_requests/5978

Upstream issue:
tpitale/mail_room#139

Changelog: changed