Skip to content
Snippets Groups Projects
Select Git revision
  • f906c9ba422eb720514721b559c01f840ca34a0c
  • ballinvoher default protected
  • client-http-server-for-token
  • master
  • gitlab-auth-issue
  • windows
  • microsoft
  • message
  • azure_auth
  • prometheus
  • permission-templates
  • no-datastore
  • save-public-keys
  • gitlab-group-level-start
  • v1.1.0
  • v1.0.0
  • v0.1
17 results

gitlab.go

Blame
  • gitlab.go 3.45 KiB
    package gitlab
    
    import (
    	"errors"
    	"strconv"
    
    	"github.com/nsheridan/cashier/server/config"
    	"github.com/nsheridan/cashier/server/metrics"
    
    	gitlabapi "github.com/xanzy/go-gitlab"
    	"golang.org/x/oauth2"
    )
    
    const (
    	name = "gitlab"
    )
    
    // Config is an implementation of `auth.Provider` for authenticating using a
    // Gitlab account.
    type Config struct {
    	config    *oauth2.Config
    	baseurl   string
    	group     string
    	whitelist map[string]bool
    	allusers  bool
    }
    
    // New creates a new Gitlab provider from a configuration.
    func New(c *config.Auth) (*Config, error) {
    	uw := make(map[string]bool)
    	for _, u := range c.UsersWhitelist {
    		uw[u] = true
    	}
    	allUsers, _ := strconv.ParseBool(c.ProviderOpts["allusers"])
    	if !allUsers && c.ProviderOpts["group"] == "" && len(uw) == 0 {
    		return nil, errors.New("gitlab_opts group and the users whitelist must not be both empty if allusers isn't true")
    	}
    	siteURL := "https://gitlab.com/"
    	if c.ProviderOpts["siteurl"] != "" {
    		siteURL = c.ProviderOpts["siteurl"]
    		if siteURL[len(siteURL)-1] != '/' {
    			return nil, errors.New("gitlab_opts siteurl must end in /")
    		}
    	} else {
    		if allUsers {
    			return nil, errors.New("gitlab_opts if allusers is set, siteurl must be set")
    		}
    	}
    
    	return &Config{
    		config: &oauth2.Config{
    			ClientID:     c.OauthClientID,
    			ClientSecret: c.OauthClientSecret,
    			RedirectURL:  c.OauthCallbackURL,
    			Endpoint: oauth2.Endpoint{
    				AuthURL:  siteURL + "oauth/authorize",
    				TokenURL: siteURL + "oauth/token",
    			},
    			Scopes: []string{
    				"api",
    			},
    		},
    		group:     c.ProviderOpts["group"],
    		whitelist: uw,
    		allusers:  allUsers,
    		baseurl:   siteURL + "api/v3/",
    	}, nil
    }
    
    // Name returns the name of the provider.
    func (c *Config) Name() string {
    	return name
    }
    
    // Valid validates the oauth token.
    func (c *Config) Valid(token *oauth2.Token) bool {
    	if !token.Valid() {
    		return false
    	}
    	if c.allusers {
    		metrics.M.AuthValid.WithLabelValues("gitlab").Inc()
    		return true
    	}
    	if len(c.whitelist) > 0 && !c.whitelist[c.Username(token)] {
    		return false
    	}
    	if c.group == "" {
    		// There's no group and token is valid.  Can only reach
    		// here if user whitelist is set and user is in whitelist.
    		metrics.M.AuthValid.WithLabelValues("gitlab").Inc()
    		return true
    	}
    	client := gitlabapi.NewOAuthClient(nil, token.AccessToken)
    	client.SetBaseURL(c.baseurl)
    	groups, _, err := client.Groups.SearchGroup(c.group)
    	if err != nil {
    		return false
    	}
    	for _, g := range groups {
    		if g.Path == c.group {
    			metrics.M.AuthValid.WithLabelValues("gitlab").Inc()
    			return true
    		}
    	}
    	return false
    }
    
    // Revoke is a no-op revoke method. Gitlab doesn't allow token
    // revocation - tokens live for an hour.
    // Returns nil to satisfy the Provider interface.
    func (c *Config) Revoke(token *oauth2.Token) error {
    	return nil
    }
    
    // StartSession retrieves an authentication endpoint from Gitlab.
    func (c *Config) StartSession(state string) string {
    	return c.config.AuthCodeURL(state)
    }
    
    // Exchange authorizes the session and returns an access token.
    func (c *Config) Exchange(code string) (*oauth2.Token, error) {
    	t, err := c.config.Exchange(oauth2.NoContext, code)
    	if err == nil {
    		metrics.M.AuthExchange.WithLabelValues("gitlab").Inc()
    	}
    	return t, err
    }
    
    // Username retrieves the username of the Gitlab user.
    func (c *Config) Username(token *oauth2.Token) string {
    	client := gitlabapi.NewOAuthClient(nil, token.AccessToken)
    	client.SetBaseURL(c.baseurl)
    	u, _, err := client.Users.CurrentUser()
    	if err != nil {
    		return ""
    	}
    	return u.Username
    }