Authentication with OpenID using GitLab as IAM

User authentication with OpenID and GitLab

Implement this type of authentication only if you clearly understand what you are doing and what it implies.

Prerequisites

  1. You need administrative access to the GitLab instance, or a GitLab administrator who can help you.
  2. You need access to the Allure TestOps configuration files.
  3. You need to be able to apply configuration changes, which may require some downtime.
  4. Allure TestOps must be served over HTTPS, i.e. there must be something like a reverse proxy between Allure TestOps and the GitLab server. Consult your network administrator or DevOps team to ensure the network side is configured correctly.

Integration of Allure TestOps and GitLab as IAM

Given

  1. Allure TestOps is deployed and accessible at http://allure.local (your real URL will be different).
  2. Your organization's GitLab instance is deployed and accessible at https://<gitlab> (your URL will be different).

Creation of the new application in GitLab

  1. In your GitLab instance, open the Admin area.
  2. Go to Applications > System OAuth applications and click Add new application.
  3. Fill in the fields as follows:
    1. Name: Allure TestOps
    2. Redirect URI: https://<allure>/login/oauth2/code/gitlab
    3. Trusted: true
    4. Confidential: true
    5. Expire access tokens: true
    6. Scopes:
      1. openid
      2. profile
  4. Save the changes.

Results

After saving, GitLab shows the details of the new application.

To proceed with Allure TestOps settings we need these:

  1. Application ID
  2. Secret

Copy these two attributes.

Configuring Allure TestOps

To integrate Allure TestOps with GitLab, you need to pass a set of environment variables to the gateway service.

Deployment-specific examples follow.

Deployment in Kubernetes

For a Kubernetes deployment, add the parameters to the gateway service section of the values.yaml file you pass to Helm (they go under env.secret because they contain the client secret).

<snip>
gateway:
  <snip>
  env:
    secret:
      # security
      SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_GITLAB_CLIENTNAME: GitLab
      SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_GITLAB_CLIENTID: <Application ID>
      SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_GITLAB_CLIENTSECRET: <Secret>
      SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_GITLAB_REDIRECTURI: https://<allure>/login/oauth2/code/gitlab
      SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_GITLAB_AUTHORIZATIONGRANTTYPE: authorization_code
      SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_GITLAB_SCOPE: openid,profile
      SPRING_SECURITY_OAUTH2_CLIENT_PROVIDER_GITLAB_USERNAMEATTRIBUTE: nickname
      SPRING_SECURITY_OAUTH2_CLIENT_PROVIDER_GITLAB_TOKENURI: https://<gitlab>/oauth/token
      SPRING_SECURITY_OAUTH2_CLIENT_PROVIDER_GITLAB_AUTHORIZATIONURI: https://<gitlab>/oauth/authorize
      SPRING_SECURITY_OAUTH2_CLIENT_PROVIDER_GITLAB_USERINFOURI: https://<gitlab>/oauth/userinfo
      SPRING_SECURITY_OAUTH2_CLIENT_PROVIDER_GITLAB_JWKSETURI: https://<gitlab>/oauth/discovery/keys
<snip>

Now update your Allure TestOps deployment as usual for Kubernetes, using the Helm commands.

After the deployment has completed, check that the authentication works:

  1. Open the following URL: https://<allure>/login/openid.
  2. Confirm that you can sign in through GitLab.

Setting GitLab authentication as default way

Do this only if the previous check completed successfully.

Update the uaa service settings as follows:

  • add ALLURE_LOGIN_PRIMARY: openid

<snip>
uaa:
  <snip>
  env:
    open:
      ALLURE_LOGIN_PRIMARY: openid
<snip>

Once this change is applied, local Allure TestOps users (e.g. admin) must log in via the following URL: https://<allure>/login/system.

Deployment via docker-compose

For a deployment done via docker-compose, update the docker-compose.yaml configuration file by adding the parameters to the environment of the gateway service.

Updating of the configuration requires downtime to properly stop and run the application.

  gateway:
    image: allure/allure-gateway:${VERSION}
    <snip>
    environment:
      <snip>
      # security
      SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_GITLAB_CLIENTNAME: GitLab
      SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_GITLAB_CLIENTID: <Application ID>
      SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_GITLAB_CLIENTSECRET: <Secret>
      SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_GITLAB_REDIRECTURI: https://<allure>/login/oauth2/code/gitlab
      SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_GITLAB_AUTHORIZATIONGRANTTYPE: authorization_code
      SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_GITLAB_SCOPE: openid,profile
      SPRING_SECURITY_OAUTH2_CLIENT_PROVIDER_GITLAB_USERNAMEATTRIBUTE: nickname
      SPRING_SECURITY_OAUTH2_CLIENT_PROVIDER_GITLAB_TOKENURI: https://<gitlab>/oauth/token
      SPRING_SECURITY_OAUTH2_CLIENT_PROVIDER_GITLAB_AUTHORIZATIONURI: https://<gitlab>/oauth/authorize
      SPRING_SECURITY_OAUTH2_CLIENT_PROVIDER_GITLAB_USERINFOURI: https://<gitlab>/oauth/userinfo
      SPRING_SECURITY_OAUTH2_CLIENT_PROVIDER_GITLAB_JWKSETURI: https://<gitlab>/oauth/discovery/keys
<snip>

Now apply the changes by restarting the application with docker-compose commands, and check that they were applied successfully:

  1. Stop the docker-compose deployment using docker-compose down
  2. Start the docker-compose deployment using docker-compose up -d

After the application has started, check that the authentication works:

  1. Open the following URL: https://<allure>/login/openid.
  2. Confirm that you can sign in through GitLab.

Setting GitLab authentication as the default way

Do this only if the previous check completed successfully.

Update the uaa service settings as follows:

  • add ALLURE_LOGIN_PRIMARY: openid

  uaa:
    <snip>
    environment:
      <snip>
      ALLURE_LOGIN_PRIMARY: openid
<snip>

Once this change is applied, local Allure TestOps users (e.g. admin) must log in via the following URL: https://<allure>/login/system.

Deployment via packages

To use GitLab as the identity provider for a packages installation, add the following lines to the properties file /opt/allure-ee/gateway/conf/allure-gateway.properties:

spring.security.oauth2.client.registration.gitlab.clientName=GitLab
spring.security.oauth2.client.registration.gitlab.clientId=<Application ID>
spring.security.oauth2.client.registration.gitlab.clientSecret=<Secret>
spring.security.oauth2.client.registration.gitlab.redirectUri=https://<allure>/login/oauth2/code/gitlab
spring.security.oauth2.client.registration.gitlab.scope=openid,profile
spring.security.oauth2.client.provider.gitlab.usernameAttribute=nickname
spring.security.oauth2.client.provider.gitlab.authorizationUri=https://<gitlab>/oauth/authorize
spring.security.oauth2.client.provider.gitlab.tokenUri=https://<gitlab>/oauth/token
spring.security.oauth2.client.provider.gitlab.userInfoUri=https://<gitlab>/oauth/userinfo
spring.security.oauth2.client.provider.gitlab.jwkSetUri=https://<gitlab>/oauth/discovery/keys
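The same gateway settings appear in all three deployment forms above, and the usual failure modes are an unfilled placeholder, a redirect URI that does not exactly match the one registered in GitLab (including the https scheme) and a provider endpoint copied with the wrong scheme or host. The checker below is an added example, not part of the Allure TestOps documentation or product: it parses a constructed allure-gateway.properties fragment (made-up hostnames, an unfilled <Secret> placeholder and a deliberate "ttps://" typo) and reports such problems before you restart the services.

```python
from urllib.parse import urlparse

REG = "spring.security.oauth2.client.registration.gitlab."
PROV = "spring.security.oauth2.client.provider.gitlab."

# Constructed sample of allure-gateway.properties: made-up hostnames, the secret still
# the <Secret> placeholder and a "ttps://" redirect typo, so two findings are expected.
SAMPLE_PROPERTIES = """
spring.security.oauth2.client.registration.gitlab.clientId=0123456789abcdef
spring.security.oauth2.client.registration.gitlab.clientSecret=<Secret>
spring.security.oauth2.client.registration.gitlab.redirectUri=ttps://allure.example.com/login/oauth2/code/gitlab
spring.security.oauth2.client.registration.gitlab.scope=openid,profile
spring.security.oauth2.client.provider.gitlab.authorizationUri=https://gitlab.example.com/oauth/authorize
spring.security.oauth2.client.provider.gitlab.tokenUri=https://gitlab.example.com/oauth/token
spring.security.oauth2.client.provider.gitlab.userInfoUri=https://gitlab.example.com/oauth/userinfo
spring.security.oauth2.client.provider.gitlab.jwkSetUri=https://gitlab.example.com/oauth/discovery/keys
"""


def parse_properties(text):
    """Parse key=value lines of a Java .properties file, skipping blanks and # comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def check_gitlab_oidc(props):
    """Return human-readable problems; an empty list means the settings look sane."""
    problems = []
    for key in ("clientId", "clientSecret", "redirectUri", "scope"):
        value = props.get(REG + key, "")
        if not value or value.startswith("<"):  # empty or an unfilled <placeholder>
            problems.append(f"{REG}{key} is missing or still a placeholder")
    redirect = urlparse(props.get(REG + "redirectUri", ""))
    if redirect.scheme != "https":
        problems.append("redirectUri must be the exact https URL registered in GitLab")
    if "openid" not in props.get(REG + "scope", "").split(","):
        problems.append("scope must include openid, otherwise no ID token is issued")
    hosts = set()
    for key in ("authorizationUri", "tokenUri", "userInfoUri", "jwkSetUri"):
        url = urlparse(props.get(PROV + key, ""))
        if url.scheme != "https":
            problems.append(f"{PROV}{key} must be an https URL")
        hosts.add(url.netloc)
    if len(hosts) != 1:  # all four endpoints must belong to the same GitLab instance
        problems.append("provider endpoints point at different hosts: " + ", ".join(sorted(hosts)))
    return problems
```

To check a real file, read it with open("/opt/allure-ee/gateway/conf/allure-gateway.properties").read() instead of SAMPLE_PROPERTIES; the docker-compose and Helm forms carry the same values under the upper-case environment variable names.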

Now apply the changes and check that they were applied successfully: restart all the applications that make up Allure TestOps (report, gateway, uaa).

After the applications have started, check that the authentication works:

  1. Open the following URL: https://<allure>/login/openid.
  2. Confirm that you can sign in through GitLab.

Setting GitLab authentication as the default way

Do this only if the previous check completed successfully.

Update the uaa service settings as follows:

  • add allure.login.primary=openid to the uaa properties file /opt/allure-ee/uaa/conf/allure-uaa.properties

<snip>
allure.login.primary=openid
<snip>

The applications need to be restarted to apply the change.

Once this change is applied, local Allure TestOps users (e.g. admin) must log in via the following URL: https://<allure>/login/system.

Setting the default role for new users registering via OpenID/GitLab

Why

If no additional setting is made, all new users get ROLE_USER by default and each of them consumes 1 license.

What

To prevent new users from consuming licenses, define the default role they receive when they register in the system via OpenID/GitLab.

How

Set the following parameter for the uaa service: ALLURE_LOGIN_OPENID_DEFAULTROLE

For docker-compose and Kubernetes deployments

ALLURE_LOGIN_OPENID_DEFAULTROLE: ROLE_AUDITOR

For a deployment using packages (in /opt/allure-ee/uaa/conf/allure-uaa.properties)

allure.login.openid.defaultRole=ROLE_AUDITOR