diff --git a/backend/src/config/index.ts b/backend/src/config/index.ts
index 07c2e7438e..5f055b73bd 100644
--- a/backend/src/config/index.ts
+++ b/backend/src/config/index.ts
@@ -1,3 +1,5 @@
+import { GITLAB_URL } from "../variables";
+
 import InfisicalClient from "infisical-node";
 export const client = new InfisicalClient({
@@ -54,6 +56,7 @@ export const getClientIdGitHubLogin = async () => (await client.getSecret("CLIEN
 export const getClientSecretGitHubLogin = async () => (await client.getSecret("CLIENT_SECRET_GITHUB_LOGIN")).secretValue;
 export const getClientIdGitLabLogin = async () => (await client.getSecret("CLIENT_ID_GITLAB_LOGIN")).secretValue;
 export const getClientSecretGitLabLogin = async () => (await client.getSecret("CLIENT_SECRET_GITLAB_LOGIN")).secretValue;
+export const getUrlGitLabLogin = async () => (await client.getSecret("URL_GITLAB_LOGIN")).secretValue || GITLAB_URL;
 export const getPostHogHost = async () => (await client.getSecret("POSTHOG_HOST")).secretValue || "https://app.posthog.com";
 export const getPostHogProjectApiKey = async () => (await client.getSecret("POSTHOG_PROJECT_API_KEY")).secretValue || "phc_nSin8j5q2zdhpFDI1ETmFNUIuTG4DwKVyIigrY10XiE";
diff --git a/backend/src/routes/v2/users.ts b/backend/src/routes/v2/users.ts
index 1723c1b4ba..41d4c8e6b9 100644
--- a/backend/src/routes/v2/users.ts
+++ b/backend/src/routes/v2/users.ts
@@ -33,17 +33,6 @@ router.put(
 requireAuth({
 acceptedAuthModes: [AuthMode.JWT, AuthMode.API_KEY],
 }),
- body("authMethods").exists().isArray({
- min: 1,
- }).custom((authMethods: AuthMethod[]) => {
- return authMethods.every(provider => [
- AuthMethod.EMAIL,
- AuthMethod.GOOGLE,
- AuthMethod.GITHUB,
- AuthMethod.GITLAB
- ].includes(provider))
- }),
- validateRequest,
 usersController.updateAuthMethods,
 );
diff --git a/backend/src/utils/auth.ts b/backend/src/utils/auth.ts
index f30eb2137e..49a77cef65 100644
--- a/backend/src/utils/auth.ts
+++ b/backend/src/utils/auth.ts
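Review bot: `getUrlGitLabLogin` returns whatever `URL_GITLAB_LOGIN` holds without any validation, and in `backend/src/utils/auth.ts` that value becomes the `baseURL` of the GitLab OAuth strategy, i.e. the host this backend sends its client secret and authorization codes to. A malformed value (no scheme, trailing slash) only shows up as an opaque login failure, and an `http://` value silently downgrades the code/token exchange to plaintext. I would parse the value once, require `https:`, and trim trailing slashes before returning it, so a bad setting fails at startup instead of at first login; the `|| GITLAB_URL` fallback for an unset or empty secret is fine and should stay. How the passport strategy joins `baseURL` with its OAuth paths is not visible in this diff, so the trailing-slash trim is a normalization, not a claimed fix.
```typescript
export const getUrlGitLabLogin = async () => {
  const raw = (await client.getSecret("URL_GITLAB_LOGIN")).secretValue || GITLAB_URL;
  const parsed = new URL(raw); // throws if the value is not an absolute URL
  if (parsed.protocol !== "https:") {
    throw new Error("URL_GITLAB_LOGIN must be an https URL");
  }
  return raw.replace(/\/+$/, ""); // normalize: no trailing slash
};
```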
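Review bot: The `body("authMethods")` validator and `validateRequest` are removed from the PUT route, but nothing in this diff adds an equivalent check, so `usersController.updateAuthMethods` now receives an unvalidated body; unless the controller validates on its own (not visible here), a caller can persist a non-array, an empty array, or arbitrary strings as their auth methods, and the whitelist that limited values to `AuthMethod.EMAIL/GOOGLE/GITHUB/GITLAB` is gone. If validation was meant to move into the controller, the commit should show that move; otherwise keep the chain, which can be shortened to `body("authMethods").exists().isArray({ min: 1 }).custom((m: AuthMethod[]) => m.every((p) => Object.values(AuthMethod).includes(p))),` followed by `validateRequest,`. That `Object.values` form assumes `AuthMethod` is a string enum whose members are exactly the allowed providers — confirm before relying on it. The `router.put(` call begins before this hunk.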
@@ -20,11 +20,12 @@ import {
 getClientSecretGoogleLogin,
 getJwtProviderAuthLifetime,
 getJwtProviderAuthSecret,
+ getSiteURL,
+ getUrlGitLabLogin
 } from "../config";
 import { getSSOConfigHelper } from "../ee/helpers/organizations";
 import { InternalServerError, OrganizationNotFoundError } from "./errors";
 import { ACCEPTED, INTEGRATION_GITHUB_API_URL, INVITED, MEMBER } from "../variables";
-import { getSiteURL } from "../config";
 import { standardRequest } from "../config/request";
 // eslint-disable-next-line @typescript-eslint/no-var-requires
@@ -80,6 +81,7 @@ const initializePassport = async () => {
 const clientSecretGoogleLogin = await getClientSecretGoogleLogin();
 const clientIdGitHubLogin = await getClientIdGitHubLogin();
 const clientSecretGitHubLogin = await getClientSecretGitHubLogin();
+ const urlGitLab = await getUrlGitLabLogin();
 const clientIdGitLabLogin = await getClientIdGitLabLogin();
 const clientSecretGitLabLogin = await getClientSecretGitLabLogin();
@@ -216,15 +218,15 @@ const initializePassport = async () => {
 ));
 }
- if (clientIdGitLabLogin && clientSecretGitLabLogin) {
+ if (urlGitLab && clientIdGitLabLogin && clientSecretGitLabLogin) {
 passport.use(new GitLabStrategy({
 passReqToCallback: true,
 clientID: clientIdGitLabLogin,
 clientSecret: clientSecretGitLabLogin,
- callbackURL: "/api/v1/sso/gitlab"
+ callbackURL: "/api/v1/sso/gitlab",
+ baseURL: urlGitLab
 }, async (req : express.Request, accessToken : any, refreshToken : any, profile : any, done : any) => {
-
 const email = profile.emails[0].value;
 let user = await User.findOne({
diff --git a/backend/src/variables/integration.ts b/backend/src/variables/integration.ts
index 3adfad4a84..e6e20e73c2 100644
--- a/backend/src/variables/integration.ts
+++ b/backend/src/variables/integration.ts
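Review bot: `const email = profile.emails[0].value;` remains on the new side with no guard, and now that `baseURL` can point at any self-hosted GitLab the shape of `profile` depends on that instance's settings; a profile without an `emails` array throws a TypeError inside the verify callback instead of reporting through `done`. I would change it to `const email = profile?.emails?.[0]?.value;` followed by `if (!email) return done(new Error("GitLab profile did not include an email"));`. Separately, `urlGitLab &&` in the new `if` is always truthy because of the `|| GITLAB_URL` fallback in `config/index.ts`, so it is not really a guard; a comment such as `// baseURL defaults to gitlab.com when URL_GITLAB_LOGIN is unset` would express the intent better than the check. The verify callback and the `User.findOne` lookup keyed on that email continue past the end of the hunk, so whether an existing account is linked by email alone cannot be judged here; with an operator-chosen IdP that is worth confirming.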
@@ -84,7 +84,8 @@ export const INTEGRATION_BITBUCKET_TOKEN_URL = "https://bitbucket.org/site/oauth
 // integration apps endpoints
 export const INTEGRATION_GCP_API_URL = "https://cloudresourcemanager.googleapis.com";
 export const INTEGRATION_HEROKU_API_URL = "https://api.heroku.com";
-export const INTEGRATION_GITLAB_API_URL = "https://gitlab.com/api";
+export const GITLAB_URL = "https://gitlab.com";
+export const INTEGRATION_GITLAB_API_URL = `${GITLAB_URL}/api`;
 export const INTEGRATION_GITHUB_API_URL = "https://api.github.com";
 export const INTEGRATION_VERCEL_API_URL = "https://api.vercel.com";
 export const INTEGRATION_NETLIFY_API_URL = "https://api.netlify.com";
diff --git a/docs/documentation/platform/sso/gitlab.mdx b/docs/documentation/platform/sso/gitlab.mdx
new file mode 100644
index 0000000000..354948f7d7
--- /dev/null
+++ b/docs/documentation/platform/sso/gitlab.mdx
@@ -0,0 +1,37 @@ +--- +title: "GitLab SSO" +description: "Configure GitLab SSO for Infisical" +--- + +Using GitLab SSO on a self-hosted instance of Infisical requires configuring an OAuth application in GitLab and registering your instance with it. + +## Create an OAuth application in GitLab + +Navigate to your user Settings > Applications to create a new GitLab application. + +![sso gitlab config](../../images/sso/gitlab/edit-profile.png) +![sso gitlab config](../../images/sso/gitlab/new-app.png) + +Create the application. As part of the form, set the **Redirect URI** to `https://your-domain.com/api/v1/sso/gitlab`. +Note that only `read_user` is required as part of the **Scopes** configuration. + +![sso gitlab config](../../images/sso/gitlab/new-app-form.png) + + + If you have a GitLab group, you can create an OAuth application under it + in your group Settings > Applications. + + +## Add your OAuth application credentials to Infisical + +Obtain the **Application ID** and **Secret** for your GitLab application. + +![sso gitlab config](../../images/sso/gitlab/credentials.png) + +Back in your Infisical instance, add 2-3 new environment variables for the credentials of your GitLab application: + +- `CLIENT_ID_GITLAB_LOGIN`: The **Client ID** of your GitLab application. +- `CLIENT_SECRET_GITLAB_LOGIN`: The **Secret** of your GitLab application. +- (optional) `URL_GITLAB_LOGIN`: The URL of your self-hosted instance of GitLab where the OAuth application is registered. If no URL is passed in, this will default to `https://gitlab.com`. + +Once added, restart your Infisical instance and log in with GitLab. \ No newline at end of file diff --git a/docs/documentation/platform/sso/overview.mdx b/docs/documentation/platform/sso/overview.mdx index 359f09fb3b..917bb7e194 100644 --- a/docs/documentation/platform/sso/overview.mdx +++ b/docs/documentation/platform/sso/overview.mdx 
@@ -19,6 +19,7 @@ your IdP cannot and will not have access to the decryption key needed to decrypt - [Google SSO](/documentation/platform/sso/google) - [GitHub SSO](/documentation/platform/sso/github) +- [GitLab SSO](/documentation/platform/sso/gitlab) - [Okta SAML](/documentation/platform/sso/okta) - [Azure SAML](/documentation/platform/sso/azure) - [JumpCloud SAML](/documentation/platform/sso/jumpcloud) \ No newline at end of file diff --git a/docs/images/sso/gitlab/credentials.png b/docs/images/sso/gitlab/credentials.png new file mode 100644 index 0000000000..f44223a1ef Binary files /dev/null and b/docs/images/sso/gitlab/credentials.png differ diff --git a/docs/images/sso/gitlab/edit-profile.png b/docs/images/sso/gitlab/edit-profile.png new file mode 100644 index 0000000000..c6eb4d95ae Binary files /dev/null and b/docs/images/sso/gitlab/edit-profile.png differ diff --git a/docs/images/sso/gitlab/new-app-form.png b/docs/images/sso/gitlab/new-app-form.png new file mode 100644 index 0000000000..988778b907 Binary files /dev/null and b/docs/images/sso/gitlab/new-app-form.png differ diff --git a/docs/images/sso/gitlab/new-app.png b/docs/images/sso/gitlab/new-app.png new file mode 100644 index 0000000000..fac7490a60 Binary files /dev/null and b/docs/images/sso/gitlab/new-app.png differ diff --git a/docs/integrations/cicd/gitlab.mdx b/docs/integrations/cicd/gitlab.mdx index 9c3df97208..8635a55274 100644 --- a/docs/integrations/cicd/gitlab.mdx +++ b/docs/integrations/cicd/gitlab.mdx @@ -107,7 +107,7 @@ build-job: Back in your Infisical instance, add two new environment variables for the credentials of your GitLab application: - `CLIENT_ID_GITLAB`: The **Client ID** of your GitLab application. - - `CLIENT_SECRET_GITLAB`: The **Client Secret** of your GitLab application. + - `CLIENT_SECRET_GITLAB`: The **Secret** of your GitLab application. Once added, restart your Infisical instance and use the GitLab integration. 
diff --git a/docs/mint.json b/docs/mint.json index 41c406bc68..9ed8b8ab42 100644 --- a/docs/mint.json +++ b/docs/mint.json @@ -126,6 +126,7 @@ "documentation/platform/sso/overview", "documentation/platform/sso/google", "documentation/platform/sso/github", + "documentation/platform/sso/gitlab", "documentation/platform/sso/okta", "documentation/platform/sso/azure", "documentation/platform/sso/jumpcloud" diff --git a/docs/self-hosting/configuration/sso.mdx b/docs/self-hosting/configuration/sso.mdx index 2497e368b6..2d663790d2 100644 --- a/docs/self-hosting/configuration/sso.mdx +++ b/docs/self-hosting/configuration/sso.mdx @@ -15,6 +15,7 @@ You can view specific documentation for how to set up each SSO authentication me - [Google SSO](/documentation/platform/sso/google) - [GitHub SSO](/documentation/platform/sso/github) +- [GitLab SSO](/documentation/platform/sso/gitlab) - [Okta SAML](/documentation/platform/sso/okta) - [Azure SAML](/documentation/platform/sso/azure) - [JumpCloud SAML](/documentation/platform/sso/jumpcloud) \ No newline at end of file