From 59f65c065a6d01f953b286444b69cd75d6522f73 Mon Sep 17 00:00:00 2001 From: Christian Elberfeld <6413499+elberfeld@users.noreply.github.com> Date: Wed, 7 May 2025 23:20:50 +0200 Subject: [PATCH] switch gitlab authentication to uffd --- webserver/docker_gitlab/Documentation.md | 14 ++++ webserver/docker_gitlab/tasks/main.yml | 6 +- .../docker_gitlab/templates/conf/gitlab.rb | 77 ++++++++++++++----- 3 files changed, 75 insertions(+), 22 deletions(-) create mode 100644 webserver/docker_gitlab/Documentation.md diff --git a/webserver/docker_gitlab/Documentation.md b/webserver/docker_gitlab/Documentation.md new file mode 100644 index 00000000..934f4109 --- /dev/null +++ b/webserver/docker_gitlab/Documentation.md @@ -0,0 +1,14 @@ + +# Gitlab Access with uffd as Access Provider + +Redirect URL: https://gitlab.warpzone.ms/users/auth/openid_connect/callback + +## Browsing without login + +https://gitlab.warpzone.ms/explore + +## Features not supported in Community edition + +- Set Admin Flag +- Manage Groups + diff --git a/webserver/docker_gitlab/tasks/main.yml b/webserver/docker_gitlab/tasks/main.yml index 36dbab8e..3a9085f3 100644 --- a/webserver/docker_gitlab/tasks/main.yml +++ b/webserver/docker_gitlab/tasks/main.yml @@ -2,9 +2,9 @@ - include_tasks: ../functions/get_secret.yml with_items: - - { path: /srv/shared/noreply_email_pass, length: -1 } - - { path: /srv/ldap/secret/ldap_readonly_pass, length: -1 } - - { path: /srv/gitlab/runner_registration_token, length: -1 } + - { path: /srv/shared/noreply_email_pass, length: -1 } + - { path: /srv/gitlab/secret/oidc_client_secret, length: 32 } + - { path: /srv/gitlab/secret/runner_registration_token, length: -1 } # Benötigte Verzeichnisstrukturen erstellen diff --git a/webserver/docker_gitlab/templates/conf/gitlab.rb b/webserver/docker_gitlab/templates/conf/gitlab.rb index f2d76895..2de54aa1 100644 --- a/webserver/docker_gitlab/templates/conf/gitlab.rb +++ b/webserver/docker_gitlab/templates/conf/gitlab.rb 
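Review bot: The runner registration token is now read from `/srv/gitlab/secret/runner_registration_token` instead of `/srv/gitlab/runner_registration_token`, but nothing in the commit moves the existing file, so the next play run either stops on the missing secret or, if get_secret.yml generates missing secrets, produces a fresh token that the already-registered runners do not know. Add a task that moves the old file into `/srv/gitlab/secret/` before the lookup, or document the manual move in the new Documentation.md. The `ldap_readonly_pass` lookup is dropped here, which is why the commented-out LDAP block in templates/conf/gitlab.rb had to break its `{{ ldap_readonly_pass }}` expression; the two changes belong together and a short comment above `with_items:` saying that the LDAP secret is no longer fetched would make that dependency visible.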
@@ -455,7 +455,7 @@ gitlab_rails['object_store']['objects']['pages']['bucket'] = nil # gitlab_rails['ldap_enabled'] = false # gitlab_rails['prevent_ldap_sign_in'] = false -gitlab_rails['ldap_enabled'] = true +# gitlab_rails['ldap_enabled'] = true ###! **remember to close this block with 'EOS' below** @@ -503,24 +503,24 @@ gitlab_rails['ldap_enabled'] = true # sync_ssh_keys: false # EOS -gitlab_rails['ldap_servers'] = YAML.load <<-'EOS' - main: - label: 'LDAP' - host: '{{ ldap_ip_ext }}' - port: 389 - uid: 'uid' - method: 'plain' - bind_dn: '{{ ldap_readonly_bind_dn }}' - password: '{{ ldap_readonly_pass }}' - base: '{{ ldap_base_dn }}' - user_filter: '(&(objectClass=inetOrgPerson)(memberof=CN=active,OU=groups,DC=warpzone,DC=ms))' - attributes: - username: ['uid', 'cn'] - email: ['mail', 'email'] - name: 'cn' - first_name: 'givenName' - last_name: 'sn' -EOS +# gitlab_rails['ldap_servers'] = YAML.load <<-'EOS' +# main: +# label: 'LDAP' +# host: '{{ ldap_ip_ext }}' +# port: 389 +# uid: 'uid' +# method: 'plain' +# bind_dn: '{{ ldap_readonly_bind_dn }}' +# password: '{ { ldap_readonly_pass } }' +# base: '{{ ldap_base_dn }}' +# user_filter: '(&(objectClass=inetOrgPerson)(memberof=CN=active,OU=groups,DC=warpzone,DC=ms))' +# attributes: +# username: ['uid', 'cn'] +# email: ['mail', 'email'] +# name: 'cn' +# first_name: 'givenName' +# last_name: 'sn' +# EOS ### Smartcard authentication settings 
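Review bot: In the `ldap_servers` hunk the whole block is kept as a comment, but it is still run through the template engine: `'{ { ldap_readonly_pass } }'` is deliberately broken so the no-longer-fetched variable does not fail rendering, while `{{ ldap_ip_ext }}`, `{{ ldap_readonly_bind_dn }}` and `{{ ldap_base_dn }}` in the same comment are still expanded and so must stay defined for a play that no longer uses LDAP. The comment also keeps the directory layout (`CN=active,OU=groups,DC=warpzone,DC=ms`) and the bind DN in a rendered config file for no functional reason. Since git history already preserves the old configuration, I would delete the commented block together with the `# gitlab_rails['ldap_enabled'] = true` line from the first hunk; if it is kept for a quick rollback, wrap it in `{% raw %}` … `{% endraw %}` so none of it is templated, and restore the original `{{ ldap_readonly_pass }}` spelling inside that guard.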
@@ -555,6 +555,45 @@ EOS # } # ] + +gitlab_rails['omniauth_enabled'] = true +gitlab_rails['omniauth_allow_single_sign_on'] = ['openid_connect'] +gitlab_rails['omniauth_auto_link_user'] = ["openid_connect"] +gitlab_rails['omniauth_auto_link_ldap_user'] = true +gitlab_rails['omniauth_auto_link_saml_user'] = true +gitlab_rails['omniauth_block_auto_created_users'] = false +gitlab_rails['omniauth_sync_profile_from_provider'] = ['openid_connect'] +gitlab_rails['omniauth_sync_profile_attributes'] = ['name', 'email'] +gitlab_rails['omniauth_auto_sign_in_with_provider'] = 'openid_connect' + +gitlab_rails['omniauth_providers'] = [ + { + name: "openid_connect", + label: "uffd", + args: { + name: "openid_connect", + scope: ["openid", "profile", "email", "groups"], + response_type: "code", + issuer: "{{ oidc_global.provider_url }}", + discovery: true, + uid_field: "preferred_username", + gitlab_username_claim: "name", + send_scope_to_token_endpoint: "true", + client_options: { + identifier: "gitlab", + secret: "{{ oidc_client_secret }}", + redirect_uri: "https://{{ domain }}/users/auth/openid_connect/callback", + gitlab: { + groups_attribute: "groups", + required_groups: ["gitlab_access"], + admin_groups: ["gitlab_admin"] + } + } + } + } +] + + ### Backup Settings ###! Docs: https://docs.gitlab.com/omnibus/settings/backups.html -- GitLab
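Review bot: `gitlab_rails['omniauth_block_auto_created_users'] = false` together with `gitlab_rails['omniauth_allow_single_sign_on'] = ['openid_connect']` means every uffd account that passes the `required_groups` check becomes an active GitLab user immediately, and the Documentation.md added in this commit states that group handling is not supported in the Community Edition — if that observation covers `required_groups`/`admin_groups`, the `gitlab_access` gate is not enforced and any uffd user gets access. I would keep `gitlab_rails['omniauth_block_auto_created_users'] = true` until the group restriction has been verified on this instance, and record the result of that check in a comment above `gitlab_rails['omniauth_providers']`. `gitlab_rails['omniauth_auto_link_user'] = ["openid_connect"]` links existing accounts by e-mail address, so the `email` claim delivered by uffd must be the address those accounts were created with; a one-line comment stating that assumption belongs next to it. `gitlab_rails['omniauth_auto_link_ldap_user'] = true` and `gitlab_rails['omniauth_auto_link_saml_user'] = true` refer to a provider this commit disables (LDAP) and one that is not configured (SAML) and should be dropped. `gitlab_username_claim: "name"` presumably maps the display name rather than `preferred_username` to the GitLab username; confirm that is intended, since display names may contain spaces and collide between users.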