
GitLab connector: add GitLab additional group with role #2763

Open
2 tasks done
wyttime04 opened this issue Dec 17, 2022 · 2 comments

Comments

@wyttime04

wyttime04 commented Dec 17, 2022

Preflight Checklist

  • I agree to follow the Code of Conduct that this project adheres to.
  • I have searched the issue tracker for an issue that matches the one I want to file, without success.

Problem Description

I'm using Argo CD integrated with Dex, and I configured Dex to connect to my GitLab (configured like the document Dex Connector - gitlab). I notice Dex can get the user's groups but cannot get the group role.

GitLab provides 3 types of role (Owner, Maintainer, Developer) via the API /oauth/userinfo (GitLab as OpenID Connect identity provider).


e.g.

  • user: dev1
  • groups: infra:reporter, product:owner
level=info msg="login successful: connector \"gitlab\", username=\"dev1\", ... , groups=[\"infra\" \"product\"]" 

Proposed Solution

Maybe add a group like [group]:[role] if the user gets the Owner, Maintainer or Developer role
e.g.

level=info msg="login successful: connector \"gitlab\", username=\"dev1\", ... , groups=[\"infra\" \"product\" \"product:owner\"]" 

I'm not familiar with golang so I just offer my suggestion.

update gitlab.go#L258 userInfo

type userInfo struct {
	Groups     []string `json:"groups"`
	Owner      []string `json:"https://gitlab.org/claims/groups/owner"`
	Maintainer []string `json:"https://gitlab.org/claims/groups/maintainer"`
	Developer  []string `json:"https://gitlab.org/claims/groups/developer"`
}

update gitlab.go#L266 userGroups

// userGroups queries the GitLab API for group membership.
//
// The HTTP passed client is expected to be constructed by the golang.org/x/oauth2 package,
// which inserts a bearer token as part of the request.
func (c *gitlabConnector) userGroups(ctx context.Context, client *http.Client) ([]string, error) {

	// ...

	var u userInfo
	if err := json.NewDecoder(resp.Body).Decode(&u); err != nil {
		return nil, fmt.Errorf("failed to decode response: %v", err)
	}

	for i, group := range u.Owner {
		u.Owner[i] = group + ":" + "owner"
	}
	for i, group := range u.Maintainer {
		u.Maintainer[i] = group + ":" + "maintainer"
	}
	for i, group := range u.Developer {
		u.Developer[i] = group + ":" + "developer"
	}

	u.Groups = append(u.Groups, u.Owner...)
	u.Groups = append(u.Groups, u.Maintainer...)
	u.Groups = append(u.Groups, u.Developer...)

	return u.Groups, nil
}

Alternatives Considered

No response

Additional Information

No response

@nabokihms
Member

Hello, @wyttime04. Thank you for the feature request. I'm good with it if this is an opt-in feature.

@sagikazarmark
Member

I'd rather have it implemented consistently with other providers. GitHub supports orgs and teams with an optional flag.

By default it just returns orgs, but it can return teams as well in the form of org:team in the same groups claim.
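As an added illustration (not code from the thread or from Dex), the proposal from the issue body combined with the opt-in flag asked for in the comments: a stand-alone Go function that decodes the userinfo claims quoted above and returns the groups claim with or without the role-suffixed entries. The includeRoles flag, the local userInfo copy and the sample response are assumptions made for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// userInfo is a stand-alone copy of the claim layout quoted in the issue, not Dex's own type.
type userInfo struct {
	Groups     []string `json:"groups"`
	Owner      []string `json:"https://gitlab.org/claims/groups/owner"`
	Maintainer []string `json:"https://gitlab.org/claims/groups/maintainer"`
	Developer  []string `json:"https://gitlab.org/claims/groups/developer"`
}

// groupsWithRoles decodes a userinfo document into the groups claim.
// includeRoles=false keeps today's behaviour (plain group paths only); includeRoles=true
// also appends "group:role" entries, the opt-in form discussed in the thread, in a fixed
// order so an RBAC rule bound to "product:owner" sees a stable claim and existing rules are unaffected.
func groupsWithRoles(body []byte, includeRoles bool) ([]string, error) {
	var u userInfo
	if err := json.Unmarshal(body, &u); err != nil {
		return nil, fmt.Errorf("failed to decode userinfo: %w", err)
	}
	groups := append([]string(nil), u.Groups...) // copy rather than alias the decoded slice
	if includeRoles {
		roles := []struct {
			role  string
			paths []string
		}{{"owner", u.Owner}, {"maintainer", u.Maintainer}, {"developer", u.Developer}}
		for _, r := range roles {
			for _, g := range r.paths {
				groups = append(groups, g+":"+r.role)
			}
		}
	}
	return groups, nil
}

// sampleUserInfo is a constructed response for dev1 from the issue: reporter in "infra" (no role claim), owner of "product".
const sampleUserInfo = `{"groups":["infra","product"],"https://gitlab.org/claims/groups/owner":["product"],
"https://gitlab.org/claims/groups/maintainer":[],"https://gitlab.org/claims/groups/developer":[]}`

func main() {
	groups, err := groupsWithRoles([]byte(sampleUserInfo), true)
	if err != nil {
		panic(err)
	}
	fmt.Printf("groups=%q\n", groups) // groups=["infra" "product" "product:owner"]
}
```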
