Skip to content

GitLab: add sudo auth provider

Warren Gifford requested to merge bl/gl-sudo-authz into master

Created by: beyang

This adds back the GitLab sudo-token-based permissions checking that was taken out in e9cd0086517d6fd2d069cf6239fdbebd37e21531. Now we have two mechanisms for computing GitLab permissions:

  • OAuth-based, which requires GitLab to be configured as an authentication provider.
  • Sudo-token-based, which requires the admin to provide a sudo-level token in the Sourcegraph GitLab connection config.

Each of these uses the same mechanism to compute permissions (authenticating as a user and using the GitLab API GetProject and ListTree endpoints). The OAuth-based mechanism uses the user's OAuth login token to authenticate to GitLab; the sudo-token-based mechanism uses the sudo-level token and the Sudo HTTP header to impersonate the user.

The Sourcegraph config has been updated so that the external service config for GitLab now include a authorization.identityProvider field, which in turn has a type subfield that is one of the following:

  • oauth: Use OAuth-based authentication to identify the user to GitLab
  • external: Use another SSO provider (the fields of this config object will then identify that provider among the auth.providers list)
  • username: User exact username matching, which is generally insecure, but can be secure when HTTP header auth is the only element of auth.providers.

Merge request reports

Loading