Add docs for gitlab sso, add support for self-hosted gitlab instance sso

backend/src/config/index.ts

@@ -1,3 +1,5 @@
+import { GITLAB_URL } from "../variables";
+
 import InfisicalClient from "infisical-node";
 
 export const client = new InfisicalClient({
@@ -54,6 +56,7 @@ export const getClientIdGitHubLogin = async () => (await client.getSecret("CLIEN
 export const getClientSecretGitHubLogin = async () => (await client.getSecret("CLIENT_SECRET_GITHUB_LOGIN")).secretValue;
 export const getClientIdGitLabLogin = async () => (await client.getSecret("CLIENT_ID_GITLAB_LOGIN")).secretValue;
 export const getClientSecretGitLabLogin = async () => (await client.getSecret("CLIENT_SECRET_GITLAB_LOGIN")).secretValue;
+export const getUrlGitLabLogin = async () => (await client.getSecret("URL_GITLAB_LOGIN")).secretValue || GITLAB_URL;
 
 export const getPostHogHost = async () => (await client.getSecret("POSTHOG_HOST")).secretValue || "https://app.posthog.com";
 export const getPostHogProjectApiKey = async () => (await client.getSecret("POSTHOG_PROJECT_API_KEY")).secretValue || "phc_nSin8j5q2zdhpFDI1ETmFNUIuTG4DwKVyIigrY10XiE";

backend/src/routes/v2/users.ts

@@ -33,17 +33,6 @@ router.put(
     requireAuth({
         acceptedAuthModes: [AuthMode.JWT, AuthMode.API_KEY],
     }),
-    body("authMethods").exists().isArray({
-        min: 1,
-    }).custom((authMethods: AuthMethod[]) => {
-        return authMethods.every(provider => [
-            AuthMethod.EMAIL,
-            AuthMethod.GOOGLE,
-            AuthMethod.GITHUB,
-            AuthMethod.GITLAB
-        ].includes(provider))
-    }),
-    validateRequest,
     usersController.updateAuthMethods,
 );
 

backend/src/utils/auth.ts

@@ -20,11 +20,12 @@ import {
   getClientSecretGoogleLogin,
   getJwtProviderAuthLifetime,
   getJwtProviderAuthSecret,
+  getSiteURL,
+  getUrlGitLabLogin
 } from "../config";
 import { getSSOConfigHelper } from "../ee/helpers/organizations";
 import { InternalServerError, OrganizationNotFoundError } from "./errors";
 import { ACCEPTED, INTEGRATION_GITHUB_API_URL, INVITED, MEMBER } from "../variables";
-import { getSiteURL } from "../config";
 import { standardRequest } from "../config/request";
 
 // eslint-disable-next-line @typescript-eslint/no-var-requires
@@ -80,6 +81,7 @@ const initializePassport = async () => {
   const clientSecretGoogleLogin = await getClientSecretGoogleLogin();
   const clientIdGitHubLogin = await getClientIdGitHubLogin();
   const clientSecretGitHubLogin = await getClientSecretGitHubLogin();
+  const urlGitLab = await getUrlGitLabLogin();
   const clientIdGitLabLogin = await getClientIdGitLabLogin();
   const clientSecretGitLabLogin = await getClientSecretGitLabLogin();
 
@@ -216,15 +218,15 @@ const initializePassport = async () => {
     ));
   }
 
-  if (clientIdGitLabLogin && clientSecretGitLabLogin) {
+  if (urlGitLab && clientIdGitLabLogin && clientSecretGitLabLogin) {
     passport.use(new GitLabStrategy({
       passReqToCallback: true,
       clientID: clientIdGitLabLogin,
       clientSecret: clientSecretGitLabLogin,
-      callbackURL: "/api/v1/sso/gitlab"
+      callbackURL: "/api/v1/sso/gitlab",
+      baseURL: urlGitLab
     },
     async (req : express.Request, accessToken : any, refreshToken : any, profile : any, done : any) => {
-      
       const email = profile.emails[0].value;
       
       let user = await User.findOne({

backend/src/variables/integration.ts

@@ -84,7 +84,8 @@ export const INTEGRATION_BITBUCKET_TOKEN_URL = "https://bitbucket.org/site/oauth
 // integration apps endpoints
 export const INTEGRATION_GCP_API_URL = "https://cloudresourcemanager.googleapis.com";
 export const INTEGRATION_HEROKU_API_URL = "https://api.heroku.com";
-export const INTEGRATION_GITLAB_API_URL = "https://gitlab.com/api";
+export const GITLAB_URL = "https://gitlab.com";
+export const INTEGRATION_GITLAB_API_URL = `${GITLAB_URL}/api`;
 export const INTEGRATION_GITHUB_API_URL = "https://api.github.com";
 export const INTEGRATION_VERCEL_API_URL = "https://api.vercel.com";
 export const INTEGRATION_NETLIFY_API_URL = "https://api.netlify.com";

docs/documentation/platform/sso/gitlab.mdx

@@ -0,0 +1,37 @@
+---
+title: "GitLab SSO"
+description: "Configure GitLab SSO for Infisical"
+---
+
+Using GitLab SSO on a self-hosted instance of Infisical requires configuring an OAuth application in GitLab and registering your instance with it.
+
+## Create an OAuth application in GitLab
+
+Navigate to your user Settings > Applications to create a new GitLab application.
+
+![sso gitlab config](../../images/sso/gitlab/edit-profile.png) 
+![sso gitlab config](../../images/sso/gitlab/new-app.png) 
+
+Create the application. As part of the form, set the **Redirect URI** to `https://your-domain.com/api/v1/sso/gitlab`.
+Note that only `read_user` is required as part of the **Scopes** configuration.
+
+![sso gitlab config](../../images/sso/gitlab/new-app-form.png) 
+
+<Note>
+    If you have a GitLab group, you can create an OAuth application under it
+    in your group Settings > Applications.
+</Note>
+
+## Add your OAuth application credentials to Infisical
+
+Obtain the **Application ID** and **Secret** for your GitLab application.
+
+![sso gitlab config](../../images/sso/gitlab/credentials.png) 
+
+Back in your Infisical instance, add 2-3 new environment variables for the credentials of your GitLab application:
+
+- `CLIENT_ID_GITLAB_LOGIN`: The **Client ID** of your GitLab application.
+- `CLIENT_SECRET_GITLAB_LOGIN`: The **Secret** of your GitLab application.
+- (optional) `URL_GITLAB_LOGIN`: The URL of your self-hosted instance of GitLab where the OAuth application is registered. If no URL is passed in, this will default to `https://gitlab.com`.
+   
+Once added, restart your Infisical instance and log in with GitLab.

docs/documentation/platform/sso/overview.mdx

@@ -19,6 +19,7 @@ your IdP cannot and will not have access to the decryption key needed to decrypt
 
 - [Google SSO](/documentation/platform/sso/google)
 - [GitHub SSO](/documentation/platform/sso/github)
+- [GitLab SSO](/documentation/platform/sso/gitlab)
 - [Okta SAML](/documentation/platform/sso/okta)
 - [Azure SAML](/documentation/platform/sso/azure)
 - [JumpCloud SAML](/documentation/platform/sso/jumpcloud)

docs/integrations/cicd/gitlab.mdx

@@ -107,7 +107,7 @@ build-job:
    Back in your Infisical instance, add two new environment variables for the credentials of your GitLab application:
 
    - `CLIENT_ID_GITLAB`: The **Client ID** of your GitLab application.
-   - `CLIENT_SECRET_GITLAB`: The **Client Secret** of your GitLab application.
+   - `CLIENT_SECRET_GITLAB`: The **Secret** of your GitLab application.
    
   Once added, restart your Infisical instance and use the GitLab integration.
   

docs/mint.json

@@ -126,6 +126,7 @@
             "documentation/platform/sso/overview",
             "documentation/platform/sso/google",
             "documentation/platform/sso/github",
+            "documentation/platform/sso/gitlab",
             "documentation/platform/sso/okta",
             "documentation/platform/sso/azure",
             "documentation/platform/sso/jumpcloud"

docs/self-hosting/configuration/sso.mdx

@@ -15,6 +15,7 @@ You can view specific documentation for how to set up each SSO authentication me
 
 - [Google SSO](/documentation/platform/sso/google)
 - [GitHub SSO](/documentation/platform/sso/github)
+- [GitLab SSO](/documentation/platform/sso/gitlab)
 - [Okta SAML](/documentation/platform/sso/okta)
 - [Azure SAML](/documentation/platform/sso/azure)
 - [JumpCloud SAML](/documentation/platform/sso/jumpcloud)