GitLab

Rename the SSO config example into .example, add guard conditions
to not fail on missing or empty file.
Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>

Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>

Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>

Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>

A front-end is what it really is, and it’s also the name the upstream
uses for their container.
Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>

Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>

When the container is deployed, it will have a real HTTP server in front
of it, so there is no need to have Apache and TLS inside.

Since Passenger (at least of the version in Debian stretch) cannot be
easily used without Apache, use the standard solution for such cases
which is Puma, and expose OBS_FRONTEND_WORKERS (default: 4) to allow
scaling it.

Drop no longer necessary supervisord.
Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>

Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>

There’s no need to keep the database inside when it can be a separate
container.
Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>

Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>

When logging in with e.g. OpenID Connect/Azure, two email addresses
may be provided, one in "email" field and another in "username" or
"nickname". Since this is exactly the opposite of what the separate
Azure backend does, migration from Azure to OpenID Connect/Azure
needs to try both emails which may be different.
Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>

Add omniauth_openid_connect and other related gems in order to support
OpenID Connect in OmniAuth. This version of omniauth_openid_connect is
the oldest version available supporting Debiab stretch with upstream
fixes backported.
Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>

Add a new "hash type" for invalid passwords, which is never equal to
normal passwords, but nevertheless can be changed without being known by
the user.

This "invalid" password can only be set by directly setting the password
hash type. When updating the password using update_password method, it will
always be upgrade it to the strongest hash type, sha256crypt.

To allow changing this "invalid" password to a normal one, stop
requiring a non-empty current password in the password change dialog
when changing a password from an "invalid" one. Don’t show the current
password box either, as it is not used anyway in this case, making
it better not to show it to avoid confusion.
Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>

Gbp-Pq: Topic collabora/sso
Gbp-Pq: Name Mark-passwords-for-SSO-only-users-as-invalid-to-allow-cha.patch

Backports of upstream commits 5524ffcc and 362bdc3a

 moved some validation
code into a validate method which was never called. A simple fix makes
this code run again.
Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>

Gbp-Pq: Topic backports
Gbp-Pq: Name Unbreak-the-validators.patch

Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>

Gbp-Pq: Topic collabora/sso
Gbp-Pq: Name Allow-passing-SSO-auth-configuration-as-a-secret.patch

Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>

Gbp-Pq: Topic collabora
Gbp-Pq: Name Allow-changing-the-session-lifetime.patch

Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>

Gbp-Pq: Topic collabora
Gbp-Pq: Name Install-and-configure-mstmp.patch

Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>

Gbp-Pq: Topic collabora
Gbp-Pq: Name Clean-up-stale-pid-files-on-start.patch

Some providers set username or nickname to an email address.
For this reason, first collect the best possible user name we can find,
and only then fix it to match our requirements.
Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>

Gbp-Pq: Topic collabora/sso
Gbp-Pq: Name Try-harder-to-derive-the-username-from-email-addresses.patch

The generator requires Python 3 and pyyaml
Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>

Gbp-Pq: Topic collabora/sso
Gbp-Pq: Name Generate-the-SSO-config-from-the-environment-variables.patch

Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>

Gbp-Pq: Topic collabora/sso
Gbp-Pq: Name Move-Docker-related-files-under-docker.patch

Gbp-Pq: Topic collabora/sso
Gbp-Pq: Name Split-docker-entrypoint.sh-into-three-separate-files.patch

Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>

Gbp-Pq: Topic collabora/sso
Gbp-Pq: Name Preinstall-gems-for-Azure-OAuth2.patch

Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>

Gbp-Pq: Topic collabora/sso
Gbp-Pq: Name Build-Docker-images-in-GitLab-CI.patch

Create a Docker image with a Debian package built from the current Git
source. This eliminates an extra round trip with a manual upload to OBS
and the package getting published and fetched from apt repos.
Unfortunately, doing this in a way compatible with what was previously
done requires some non-trivial hacks.

Since we want fairly recent OmniAuth gems, we install them from external
sources directly into the resulting Docker image.

ruby-faraday is used by the OAuth2 auth backend, but new versions
require newer Ruby than what stretch has, so we preinstall it from
packages to avoid pinning it.
Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>

Gbp-Pq: Topic collabora/sso
Gbp-Pq: Name Build-a-Docker-image-with-the-Web-UI-only.patch

OmniAuth 2.x breaks CSRF, needs more investigation.
Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>

Gbp-Pq: Topic collabora/sso
Gbp-Pq: Name Limit-OmniAuth-to-1.x-only.patch

Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>

Gbp-Pq: Topic collabora/sso
Gbp-Pq: Name Implement-login-flow.patch

Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>

Gbp-Pq: Topic collabora/sso
Gbp-Pq: Name Add-SSO-callback-to-allow-existing-users-log-in-with-an-e.patch

Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>

Gbp-Pq: Topic collabora/sso
Gbp-Pq: Name user-model-add-find_with_omniauth-create_with_omniauth.patch

Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>

Gbp-Pq: Topic collabora/sso
Gbp-Pq: Name Rename-create_ldap_user-to-create_external_user.patch

Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>

Gbp-Pq: Topic collabora/sso
Gbp-Pq: Name Add-SSO-buttons-to-the-normal-login-page.patch

Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>

Gbp-Pq: Topic collabora/sso
Gbp-Pq: Name Add-a-link-to-the-SSO-login-to-the-dropdown-login-box.patch

Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>

Gbp-Pq: Topic collabora/sso
Gbp-Pq: Name Add-an-SSO-login-page-so-that-users-can-choose-between-pr.patch

Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>

Gbp-Pq: Topic collabora/sso
Gbp-Pq: Name Parse-SSO-authentication-config-on-startup.patch

Björn Geuken authored Aug 09, 2017 and Andrej Shadura committed Jun 29, 2021

We already have a method for creating users with fake passwords. Let's
use it.

Cherry-picked from 86473a4b

Gbp-Pq: Topic backports
Gbp-Pq: Name api-DRY-code-by-using-existing-methods.patch

Björn Geuken authored Apr 12, 2017 and Andrej Shadura committed Jun 29, 2021

Cherry-picked from 1c264f59

Gbp-Pq: Topic backports
Gbp-Pq: Name webui-Drop-validation-of-user-s-email-address.patch

Björn Geuken authored Apr 12, 2017 and Andrej Shadura committed Jun 29, 2021

Cherry-pick from 7967fe46

Gbp-Pq: Topic backports
Gbp-Pq: Name api-Use-SecureRandom-to-generate-a-random-fake-password.patch

Eduardo Navarro authored Apr 12, 2017 and Andrej Shadura committed Jun 29, 2021

Add basic tests for the new method.

Cherry-picked from 51ac16ad

Gbp-Pq: Topic backports
Gbp-Pq: Name api-ci-Move-creation-of-user-with-fake-pw-to-model.patch

Björn Geuken authored Aug 09, 2017 and Andrej Shadura committed Jun 29, 2021

* Moves ldap related code into new method that handles creation of LDAP
users
* Cleans up setting attributes

Cherry-picked from b6d9a59f

Gbp-Pq: Topic backports
Gbp-Pq: Name api-Refactor-creation-of-LDAP-users.patch

Björn Geuken authored Aug 09, 2017 and Andrej Shadura committed Jun 29, 2021

After a successful login OBS is updating user data fetched from the LDAP
instance. This simplifies the code a bit.

Cherry-picked from c349da0a

Gbp-Pq: Topic backports
Gbp-Pq: Name api-Refactor-updating-user-data-in-LDAP-mode.patch