
GitLab connector: add GitLab additional group with role #2763

@wyttime04

Description

Preflight Checklist

  • I agree to follow the Code of Conduct that this project adheres to.
  • I have searched the issue tracker for an issue that matches the one I want to file, without success.

Problem Description

I'm using Argo CD integrated with Dex, and I configured Dex to connect to my GitLab (config like the document Dex Connector - gitlab). I notice Dex can get the user's groups but cannot get the group role.

GitLab provides 3 types of role (Owner, Maintainer, Developer) via the API /oauth/userinfo (GitLab as OpenID Connect identity provider).

e.g.

  • user: dev1
  • groups: infra:reporter, product:owner
level=info msg="login successful: connector \"gitlab\", username=\"dev1\", ... , groups=[\"infra\" \"product\"]" 

Proposed Solution

Maybe add a group like [group]:[role] if the user gets the Owner, Maintainer or Developer role.
e.g.

level=info msg="login successful: connector \"gitlab\", username=\"dev1\", ... , groups=[\"infra\" \"product\" \"product:owner\"]" 

I'm not familiar with golang so I just offer my suggestion.

update gitlab.go#L258 userInfo

type userInfo struct {
	Groups     []string `json:"groups"`
	Owner      []string `json:"https://gitlab.org/claims/groups/owner"`
	Maintainer []string `json:"https://gitlab.org/claims/groups/maintainer"`
	Developer  []string `json:"https://gitlab.org/claims/groups/developer"`
}

update gitlab.go#L266 userGroups

// userGroups queries the GitLab API for group membership.
//
// The HTTP passed client is expected to be constructed by the golang.org/x/oauth2 package,
// which inserts a bearer token as part of the request.
func (c *gitlabConnector) userGroups(ctx context.Context, client *http.Client) ([]string, error) {

	// ...

	var u userInfo
	if err := json.NewDecoder(resp.Body).Decode(&u); err != nil {
		return nil, fmt.Errorf("failed to decode response: %v", err)
	}

	for i, group := range u.Owner {
		u.Owner[i] = group + ":" + "owner"
	}
	for i, group := range u.Maintainer {
		u.Maintainer[i] = group + ":" + "maintainer"
	}
	for i, group := range u.Developer {
		u.Developer[i] = group + ":" + "developer"
	}

	u.Groups = append(u.Groups, u.Owner...)
	u.Groups = append(u.Groups, u.Maintainer...)
	u.Groups = append(u.Groups, u.Developer...)

	return u.Groups, nil
}

Alternatives Considered

No response

Additional Information

No response
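As an added example (not code from the issue or from Dex), here is the proposed merge written as a stand-alone Go function run over a constructed userinfo document; it also deduplicates entries, which the snippet above does not, so a group that GitLab lists twice appears once per form.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// userInfo mirrors the claims the issue proposes reading from /oauth/userinfo.
type userInfo struct {
	Groups     []string `json:"groups"`
	Owner      []string `json:"https://gitlab.org/claims/groups/owner"`
	Maintainer []string `json:"https://gitlab.org/claims/groups/maintainer"`
	Developer  []string `json:"https://gitlab.org/claims/groups/developer"`
}

// roleQualifiedGroups decodes a userinfo document and returns the plain groups plus
// one "<group>:<role>" entry per role claim, deduplicated and sorted for stable output.
func roleQualifiedGroups(raw []byte) ([]string, error) {
	var u userInfo
	if err := json.Unmarshal(raw, &u); err != nil {
		return nil, fmt.Errorf("failed to decode userinfo: %w", err)
	}
	seen := map[string]bool{}
	var out []string
	add := func(g string) {
		if !seen[g] {
			seen[g] = true
			out = append(out, g)
		}
	}
	for _, g := range u.Groups {
		add(g)
	}
	roles := map[string][]string{"owner": u.Owner, "maintainer": u.Maintainer, "developer": u.Developer}
	for role, groups := range roles {
		for _, g := range groups {
			add(g + ":" + role) // suffix marks the role; plain entries stay untouched
		}
	}
	sort.Strings(out)
	return out, nil
}

// Constructed sample: dev1 is only a reporter in "infra" (no role claim), an owner of
// "product", and "product" is listed twice in "groups" to show the dedup at work.
const sampleUserinfo = `{"groups":["infra","product","product"],
 "https://gitlab.org/claims/groups/owner":["product"],
 "https://gitlab.org/claims/groups/maintainer":[],"https://gitlab.org/claims/groups/developer":[]}`

func main() {
	groups, _ := roleQualifiedGroups([]byte(sampleUserinfo))
	fmt.Println(groups) // [infra product product:owner]
}
```

A reporter-only membership yields just the plain group name, so an Argo CD policy bound to "product:owner" cannot be satisfied by a lower role.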
