add oauth2 sso support

dac26c58 · nd · 6e106442 · dac26c58 · dac26c58 · dac26c58
Verified Commit dac26c58 authored Nov 1, 2020 by nd
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -12,6 +12,12 @@ gitlab:
  initial_root_password: "{{ lookup('password', '/dev/null length=64') }}"
  ldap:
    enabled: 'false'
+    prevent_ldap_sign_in: 'false'
    servers: {}
  groups: []
  api_token: ""
+  omniauth:
+    enabled: 'false'
+    allow_single_sign_on: ['oauth2_generic']
+    auto_link_ldap_user: 'true'
+    providers: []
--- a/templates/gitlab-ldap-groupsync.py.j2
+++ b/templates/gitlab-ldap-groupsync.py.j2
@@ -63,7 +63,12 @@ def gitlabSync(logger, gitlabApi, ldapConnection):
 		for member in gitlabGroup.members.list():
 			gitlabUser = gitlabApi.users.get(member.id)
 			try:
-				uid = gitlabUser.identities[0]['extern_uid']
+				uid = None
+				for identity in gitlabUser.identities:
+					if identity['provider'] == 'ldapmain':
+						uid = identity['extern_uid']
+				if not uid:
+					raise AttributeError
 			except AttributeError:
 				logger.debug('User %s is no ldap user, skipping', member.username)
 				continue

--- a/templates/gitlab.rb.j2
+++ b/templates/gitlab.rb.j2
@@ -351,7 +351,7 @@ gitlab_rails['gitlab_username_changing_enabled'] = false
 ###!   in yaml format and the spaces must be retained. Using tabs will not work.**

 gitlab_rails['ldap_enabled'] = {{ gitlab.ldap.enabled }}
-# gitlab_rails['prevent_ldap_sign_in'] = false
+ gitlab_rails['prevent_ldap_sign_in'] = {{ gitlab.ldap.prevent_ldap_sign_in }}

 gitlab_rails['ldap_servers'] = YAML.load <<-'EOS'
 {{ gitlab.ldap.servers|to_nice_yaml(indent=2) }}
@@ -413,18 +413,21 @@ EOS

 ### OmniAuth Settings
 ###! Docs: https://docs.gitlab.com/ee/integration/omniauth.html
-# gitlab_rails['omniauth_enabled'] = nil
-# gitlab_rails['omniauth_allow_single_sign_on'] = ['saml']
+gitlab_rails['omniauth_enabled'] = {{ gitlab.omniauth.enabled }}
+gitlab_rails['omniauth_allow_single_sign_on'] = {{ gitlab.omniauth.allow_single_sign_on }}
 # gitlab_rails['omniauth_sync_email_from_provider'] = 'saml'
 # gitlab_rails['omniauth_sync_profile_from_provider'] = ['saml']
 # gitlab_rails['omniauth_sync_profile_attributes'] = ['email']
 # gitlab_rails['omniauth_auto_sign_in_with_provider'] = 'saml'
 # gitlab_rails['omniauth_block_auto_created_users'] = true
-# gitlab_rails['omniauth_auto_link_ldap_user'] = false
+gitlab_rails['omniauth_auto_link_ldap_user'] = {{ gitlab.omniauth.auto_link_ldap_user }}
 # gitlab_rails['omniauth_auto_link_saml_user'] = false
 # gitlab_rails['omniauth_external_providers'] = ['twitter', 'google_oauth2']
 # gitlab_rails['omniauth_allow_bypass_two_factor'] = ['google_oauth2']
-# gitlab_rails['omniauth_providers'] = [
+gitlab_rails['omniauth_providers'] = YAML.load <<-'EOS'
+{{ gitlab.omniauth.providers|to_nice_yaml(indent=2) }}
+EOS
+
 #   {
 #     "name" => "google_oauth2",
 #     "app_id" => "YOUR APP ID",