switch gitlab authentication to uffd

59f65c06 · Christian Elberfeld · 737eb395 · 59f65c06 · 59f65c06 · 59f65c06
Commit 59f65c06 authored 1 month ago by Christian Elberfeld
--- a/webserver/docker_gitlab/Documentation.md
+++ b/webserver/docker_gitlab/Documentation.md
+# Gitlab Access with uffd as Access Provider 
+Redirect URL: https://gitlab.warpzone.ms/users/auth/openid_connect/callback
+## Browsing without login 
+https://gitlab.warpzone.ms/explore
+## Features not supported in Community edition 
+- Set Admin Flag 
+- Manage Groups 
--- a/webserver/docker_gitlab/tasks/main.yml
+++ b/webserver/docker_gitlab/tasks/main.yml
@@ -2,9 +2,9 @@
 - include_tasks: ../functions/get_secret.yml
  with_items:
-   - { path: /srv/shared/noreply_email_pass,  length: -1 }
+    - { path: /srv/shared/noreply_email_pass,  length: -1 }
-   - { path: /srv/ldap/secret/ldap_readonly_pass,  length: -1 }
+    - { path: /srv/gitlab/secret/oidc_client_secret,  length: 32 }
-   - { path: /srv/gitlab/runner_registration_token,  length: -1 }
+    - { path: /srv/gitlab/secret/runner_registration_token,  length: -1 }
 # Benötigte Verzeichnisstrukturen erstellen

--- a/webserver/docker_gitlab/templates/conf/gitlab.rb
+++ b/webserver/docker_gitlab/templates/conf/gitlab.rb
@@ -455,7 +455,7 @@ gitlab_rails['object_store']['objects']['pages']['bucket'] = nil
 # gitlab_rails['ldap_enabled'] = false
 # gitlab_rails['prevent_ldap_sign_in'] = false
-gitlab_rails['ldap_enabled'] = true
+# gitlab_rails['ldap_enabled'] = true
 ###! **remember to close this block with 'EOS' below**
@@ -503,24 +503,24 @@ gitlab_rails['ldap_enabled'] = true
 #     sync_ssh_keys: false
 # EOS
-gitlab_rails['ldap_servers'] = YAML.load <<-'EOS'
+# gitlab_rails['ldap_servers'] = YAML.load <<-'EOS'
-  main:
+#   main:
-    label: 'LDAP'
+#     label: 'LDAP'
-    host: '{{ ldap_ip_ext }}'
+#     host: '{{ ldap_ip_ext }}'
-    port: 389
+#     port: 389
-    uid: 'uid'
+#     uid: 'uid'
-    method: 'plain'
+#     method: 'plain'
-    bind_dn: '{{ ldap_readonly_bind_dn }}'
+#     bind_dn: '{{ ldap_readonly_bind_dn }}'
-    password: '{{ ldap_readonly_pass }}'
+#     password: '{ { ldap_readonly_pass } }'
-    base: '{{ ldap_base_dn }}'
+#     base: '{{ ldap_base_dn }}'
-    user_filter: '(&(objectClass=inetOrgPerson)(memberof=CN=active,OU=groups,DC=warpzone,DC=ms))'
+#     user_filter: '(&(objectClass=inetOrgPerson)(memberof=CN=active,OU=groups,DC=warpzone,DC=ms))'
-    attributes:
+#     attributes:
-      username: ['uid', 'cn']
+#       username: ['uid', 'cn']
-      email: ['mail', 'email']
+#       email: ['mail', 'email']
-      name: 'cn'
+#       name: 'cn'
-      first_name: 'givenName'
+#       first_name: 'givenName'
-      last_name: 'sn'
+#       last_name: 'sn'
-EOS
+# EOS
 ### Smartcard authentication settings
@@ -555,6 +555,45 @@ EOS
 #   }
 # ]
+gitlab_rails['omniauth_enabled'] = true
+gitlab_rails['omniauth_allow_single_sign_on'] = ['openid_connect']
+gitlab_rails['omniauth_auto_link_user'] = ["openid_connect"]
+gitlab_rails['omniauth_auto_link_ldap_user'] = true
+gitlab_rails['omniauth_auto_link_saml_user'] = true
+gitlab_rails['omniauth_block_auto_created_users'] = false
+gitlab_rails['omniauth_sync_profile_from_provider'] = ['openid_connect']
+gitlab_rails['omniauth_sync_profile_attributes'] = ['name', 'email']
+gitlab_rails['omniauth_auto_sign_in_with_provider'] = 'openid_connect'
+gitlab_rails['omniauth_providers'] = [
+  {
+    name: "openid_connect",
+    label: "uffd",
+    args: {
+      name: "openid_connect",
+      scope: ["openid", "profile", "email", "groups"],
+      response_type: "code",
+      issuer: "{{ oidc_global.provider_url }}",
+      discovery: true,
+      uid_field: "preferred_username",
+      gitlab_username_claim: "name",
+      send_scope_to_token_endpoint: "true",
+      client_options: {
+        identifier: "gitlab",
+        secret: "{{ oidc_client_secret }}",
+        redirect_uri: "https://{{ domain }}/users/auth/openid_connect/callback",
+        gitlab: {
+          groups_attribute: "groups",
+          required_groups: ["gitlab_access"],
+          admin_groups: ["gitlab_admin"]
+        }
+      }
+    }
+  }
+]
 ### Backup Settings
 ###! Docs: https://docs.gitlab.com/omnibus/settings/backups.html