From 8b9ca622f98e3cedbecfcfcd244393f30846f461 Mon Sep 17 00:00:00 2001
From: Ivan Baranov
Date: Mon, 5 Sep 2022 21:46:20 +0900
Subject: [PATCH] Tested support for azure_activedirectory_v2

---
 README.md | 18 ++++++++++++++++++
 assets/runtime/config/gitlabhq/gitlab.yml | 6 ++++++
 assets/runtime/env-defaults | 6 ++++++
 assets/runtime/functions | 19 ++++++++++++++++++-
 4 files changed, 48 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index beaa59b9..2b802be6 100644
--- a/README.md
+++ b/README.md
@@ -689,6 +689,8 @@ Once you have the Client ID, Client secret and Tenant ID generated, configure th
 
 For example, if your Client ID is `xxx`, the Client secret is `yyy` and the Tenant ID is `zzz`, then adding `--env 'OAUTH_AZURE_API_KEY=xxx' --env 'OAUTH_AZURE_API_SECRET=yyy' --env 'OAUTH_AZURE_TENANT_ID=zzz'` to the docker run command enables support for Microsoft Azure OAuth.
 
+Also you can configure v2 endpoint (`azure_activedirectory_v2`) by using `OAUTH_AZURE_ACTIVEDIRECTORY_V2_CLIENT_ID`, `OAUTH_AZURE_ACTIVEDIRECTORY_V2_CLIENT_SECRET` and `OAUTH_AZURE_ACTIVEDIRECTORY_V2_TENANT_ID` environment variables. Optionally you can change label of login button using the `OAUTH_AZURE_ACTIVEDIRECTORY_V2_LABEL`.
+
 ##### Generic OAuth2
 
 To enable the Generic OAuth2 provider, you must register your application with your provider. You also need to confirm OAuth2 provider app's ID and secret, the client options and the user's response structure.
@@ -2194,6 +2196,22 @@ Azure Client secret. No defaults.
 
 Azure Tenant ID. No defaults.
 
+#### `OAUTH_AZURE_ACTIVEDIRECTORY_V2_CLIENT_ID`
+
+Client ID for oauth provider `azure_activedirectory_v2`. If not set, corresponding oauth provider configuration will be removed from `gitlab.yml` during container startup. No defaults.
+
+#### `OAUTH_AZURE_ACTIVEDIRECTORY_V2_CLIENT_SECRET`
+
+Client secret for oauth provider `azure_activedirectory_v2`. If not set, corresponding oauth provider configuration will be removed from `gitlab.yml` during container startup. No defaults.
+
+#### `OAUTH_AZURE_ACTIVEDIRECTORY_V2_TENANT_ID`
+
+Tenant ID for oauth provider `azure_activedirectory_v2`. If not set, corresponding oauth provider configuration will be removed from `gitlab.yml` during container startup. No defaults.
+
+#### `OAUTH_AZURE_ACTIVEDIRECTORY_V2_LABEL`
+
+Optional label for login button for `azure_activedirectory_v2`. Defaults to `Azure AD v2`
+
 ##### `OAUTH2_GENERIC_APP_ID`
 
 Your OAuth2 App ID. No defaults.
diff --git a/assets/runtime/config/gitlabhq/gitlab.yml b/assets/runtime/config/gitlabhq/gitlab.yml
index a0c47891..49502277 100644
--- a/assets/runtime/config/gitlabhq/gitlab.yml
+++ b/assets/runtime/config/gitlabhq/gitlab.yml
@@ -1023,6 +1023,12 @@ production: &base
 client_id: '{{OAUTH_AZURE_API_KEY}}',
 client_secret: '{{OAUTH_AZURE_API_SECRET}}',
 tenant_id: '{{OAUTH_AZURE_TENANT_ID}}' } }
+ - { name: 'azure_activedirectory_v2',
+ label: '{{OAUTH_AZURE_ACTIVEDIRECTORY_V2_LABEL}}',
+ args: {
+ client_id: '{{OAUTH_AZURE_ACTIVEDIRECTORY_V2_CLIENT_ID}}',
+ client_secret: '{{OAUTH_AZURE_ACTIVEDIRECTORY_V2_CLIENT_SECRET}}',
+ tenant_id: '{{OAUTH_AZURE_ACTIVEDIRECTORY_V2_TENANT_ID}}' } }
 
 # SSO maximum session duration in seconds. Defaults to CAS default of 8 hours.
 # cas3:
diff --git a/assets/runtime/env-defaults b/assets/runtime/env-defaults
index 908d368f..46624eaf 100644
--- a/assets/runtime/env-defaults
+++ b/assets/runtime/env-defaults
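Review bot: The new `label: '{{OAUTH_AZURE_ACTIVEDIRECTORY_V2_LABEL}}'` entry interpolates an operator-supplied, free-form value into a single-quoted YAML scalar, so a label containing a `'` (or any character special to whatever substitution `update_template` performs — its implementation is not in this patch) produces an unparseable gitlab.yml at container start rather than a clear error. The three `args` placeholders have the same exposure, but the label is the only one that is arbitrary text with a default rather than an opaque identifier. A comment above the entry, `# label is substituted verbatim into a single-quoted scalar; keep it free of quotes`, or a check in the configure function that rejects a label containing `'`, would make the failure mode explicit. The provider list this entry belongs to starts outside the hunk.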
@@ -479,6 +479,12 @@ OAUTH_AZURE_API_KEY=${OAUTH_AZURE_API_KEY:-}
 OAUTH_AZURE_API_SECRET=${OAUTH_AZURE_API_SECRET:-}
 OAUTH_AZURE_TENANT_ID=${OAUTH_AZURE_TENANT_ID:-}
 
+## AZURE Active Directory V2 endpoint
+OAUTH_AZURE_ACTIVEDIRECTORY_V2_LABEL=${OAUTH_AZURE_ACTIVEDIRECTORY_V2_LABEL:-'Azure AD v2'}
+OAUTH_AZURE_ACTIVEDIRECTORY_V2_CLIENT_ID=${OAUTH_AZURE_ACTIVEDIRECTORY_V2_CLIENT_ID:-}
+OAUTH_AZURE_ACTIVEDIRECTORY_V2_CLIENT_SECRET=${OAUTH_AZURE_ACTIVEDIRECTORY_V2_CLIENT_SECRET:-}
+OAUTH_AZURE_ACTIVEDIRECTORY_V2_TENANT_ID=${OAUTH_AZURE_ACTIVEDIRECTORY_V2_TENANT_ID:-}
+
 ### SAML
 case $GITLAB_HTTPS in
 true)
diff --git a/assets/runtime/functions b/assets/runtime/functions
index 07477a6a..90dbe191 100644
--- a/assets/runtime/functions
+++ b/assets/runtime/functions
@@ -688,6 +688,22 @@ gitlab_configure_oauth_azure() {
 fi
 }
 
+gitlab_configure_oauth_azure_ad_v2() {
+ # we don't check if OAUTH_AZURE_ACTIVEDIRECTORY_V2_LABEL because it is optional
+ if [[ -n ${OAUTH_AZURE_ACTIVEDIRECTORY_V2_CLIENT_ID} && \
+ -n ${OAUTH_AZURE_ACTIVEDIRECTORY_V2_CLIENT_SECRET} && \
+ -n ${OAUTH_AZURE_ACTIVEDIRECTORY_V2_TENANT_ID} ]]; then
+ echo "Configuring gitlab::oauth::azure_activedirectory_v2..."
+ update_template ${GITLAB_CONFIG} \
+ OAUTH_AZURE_ACTIVEDIRECTORY_V2_LABEL \
+ OAUTH_AZURE_ACTIVEDIRECTORY_V2_CLIENT_ID \
+ OAUTH_AZURE_ACTIVEDIRECTORY_V2_CLIENT_SECRET \
+ OAUTH_AZURE_ACTIVEDIRECTORY_V2_TENANT_ID
+ else
+ exec_as_git sed -i "/name: 'azure_activedirectory_v2'/,/{{OAUTH_AZURE_ACTIVEDIRECTORY_V2_TENANT_ID}}/d" ${GITLAB_CONFIG}
+ fi
+}
+
 gitlab_configure_oauth() {
 echo "Configuring gitlab::oauth..."
 
@@ -704,6 +720,7 @@ gitlab_configure_oauth() {
 gitlab_configure_oauth_crowd
 gitlab_configure_oauth_auth0
 gitlab_configure_oauth_azure
+ gitlab_configure_oauth_azure_ad_v2
 
 OAUTH_ENABLED=${OAUTH_ENABLED:-false}
 update_template ${GITLAB_CONFIG} \
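Review bot: In `gitlab_configure_oauth_azure_ad_v2` the `else` branch silently deletes the provider block whenever fewer than all three of `OAUTH_AZURE_ACTIVEDIRECTORY_V2_CLIENT_ID`, `OAUTH_AZURE_ACTIVEDIRECTORY_V2_CLIENT_SECRET` and `OAUTH_AZURE_ACTIVEDIRECTORY_V2_TENANT_ID` are set, so a typo in one variable name disables the login method with no log line, while the `if` branch does announce itself. Before the `sed -i` I would add `if [[ -n ${OAUTH_AZURE_ACTIVEDIRECTORY_V2_CLIENT_ID}${OAUTH_AZURE_ACTIVEDIRECTORY_V2_CLIENT_SECRET}${OAUTH_AZURE_ACTIVEDIRECTORY_V2_TENANT_ID} ]]; then`, `echo "WARNING: gitlab::oauth::azure_activedirectory_v2 is only partially configured, disabling it..."`, `fi`. The comment on the second line is missing its object and reads better as `# OAUTH_AZURE_ACTIVEDIRECTORY_V2_LABEL is not checked because it is optional (env-defaults supplies a value)`. `gitlab_configure_oauth_azure` above presumably follows the same pattern, but only its closing lines are in the hunk.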
@@ -716,7 +733,7 @@ gitlab_configure_oauth() {
 OAUTH_EXTERNAL_PROVIDERS
 
 case ${OAUTH_AUTO_SIGN_IN_WITH_PROVIDER} in
- cas3|google_oauth2|facebook|twitter|github|gitlab|bitbucket|saml|crowd|azure_oauth2|oauth2_generic|$OAUTH2_GENERIC_NAME)
+ cas3|google_oauth2|facebook|twitter|github|gitlab|bitbucket|saml|crowd|azure_oauth2|azure_activedirectory_v2|oauth2_generic|$OAUTH2_GENERIC_NAME)
 update_template ${GITLAB_CONFIG} OAUTH_AUTO_SIGN_IN_WITH_PROVIDER
 ;;
 *)
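Review bot: Adding `azure_activedirectory_v2` to the `case` pattern only checks that `OAUTH_AUTO_SIGN_IN_WITH_PROVIDER` names a known provider, not that the provider was actually enabled; when the v2 variables are missing, `gitlab_configure_oauth_azure_ad_v2` removes the provider block from gitlab.yml while this arm still writes the auto-sign-in setting, which presumably leaves GitLab redirecting logins to a provider it no longer has. A guard tied to the same three variables would close that gap, either a dedicated `azure_activedirectory_v2)` arm that tests them before `update_template`, or having `gitlab_configure_oauth_azure_ad_v2` clear `OAUTH_AUTO_SIGN_IN_WITH_PROVIDER` when it disables the provider. The mismatch likely applies to the other names in the alternation as well, so a general check would be the better fix; the `*)` arm's body is outside the hunk.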