GitLab: add sudo auth provider
Created by: beyang
This adds back the GitLab sudo-token-based permissions checking that was taken out in e9cd0086517d6fd2d069cf6239fdbebd37e21531. Now we have two mechanisms for computing GitLab permissions:
- OAuth-based, which requires GitLab to be configured as an authentication provider.
- Sudo-token-based, which requires the admin to provide a sudo-level token in the Sourcegraph GitLab connection config.
Each of these uses the same mechanism to compute permissions (authenticating as a user and using the GitLab API `GetProject` and `ListTree` endpoints). The OAuth-based mechanism uses the user's OAuth login token to authenticate to GitLab; the sudo-token-based mechanism uses the sudo-level token and the `Sudo` HTTP header to impersonate the user.
The Sourcegraph config has been updated so that the external service config for GitLab now includes an `authorization.identityProvider` field, which in turn has a `type` subfield that is one of the following:
- `oauth`: Use OAuth-based authentication to identify the user to GitLab
- `external`: Use another SSO provider (the fields of this config object will then identify that provider among the `auth.providers` list)
- `username`: Use exact username matching, which is generally insecure, but can be secure when HTTP header auth is the only element of `auth.providers`.
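Added example (not part of the pull request and not Sourcegraph's code): the same project-visibility probe issued once with a user's OAuth token and once with a sudo-level token plus the `Sudo` header, so the two mechanisms described above can be compared side by side. The `fakeGitLab` server, the token strings and the usernames are constructed for illustration; the `PRIVATE-TOKEN` and `Authorization: Bearer` headers are assumed from GitLab's REST API conventions.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// authn holds either a user's OAuth token or an admin sudo token plus the user to impersonate.
type authn struct{ OAuthToken, SudoToken, SudoUser string }

// canRead reports whether GET /api/v4/projects/:id returns 200 for the given identity.
func canRead(c *http.Client, base string, a authn, projectID int) (bool, error) {
	req, err := http.NewRequest("GET", fmt.Sprintf("%s/api/v4/projects/%d", base, projectID), nil)
	if err != nil {
		return false, err
	}
	if a.SudoToken != "" { // sudo mechanism: admin token, Sudo header names the user
		req.Header.Set("Private-Token", a.SudoToken)
		req.Header.Set("Sudo", a.SudoUser)
	} else { // OAuth mechanism: the user's own login token
		req.Header.Set("Authorization", "Bearer "+a.OAuthToken)
	}
	resp, err := c.Do(req)
	if err != nil {
		return false, err
	}
	defer resp.Body.Close()
	return resp.StatusCode == http.StatusOK, nil
}

// fakeGitLab is a constructed stand-in for GitLab: project 1 is visible to alice only.
func fakeGitLab() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		user := map[string]string{"Bearer alice-oauth": "alice", "Bearer bob-oauth": "bob"}[r.Header.Get("Authorization")]
		if r.Header.Get("Private-Token") == "admin-sudo" {
			user = r.Header.Get("Sudo") // the sudo token makes the server trust this header
		}
		if user != "alice" || r.URL.Path != "/api/v4/projects/1" {
			w.WriteHeader(http.StatusNotFound) // hidden projects look nonexistent
		}
	}))
}

func main() {
	srv := fakeGitLab()
	defer srv.Close()
	ok, err := canRead(srv.Client(), srv.URL, authn{SudoToken: "admin-sudo", SudoUser: "bob"}, 1)
	fmt.Println(ok, err)
}
```

With the sudo mechanism the result depends entirely on the username placed in the `Sudo` header, so the mapping from a Sourcegraph user to a GitLab username (the `identityProvider` choice) is what decides whose permissions are applied.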