feat(ops/keycloak): configure Forgejo Roles

There's two Roles for the Forgejo application, "Admin" and "Contributors". Everyone gets the "Contributor" role assigned automatically (it doesn't really give you a ton of privileges). Regarding mapping Gerrit groups, it seems there's no support for this in the `gerrit-oauth-provider` plugin (yet) - see https://github.com/davido/gerrit-oauth-provider/issues/170. Fixes #73. Change-Id: I3cbb968e664125b1f08235db3008d1dbf778922a Reviewed-on: https://cl.snix.dev/c/snix/+/30477 Tested-by: besadii Reviewed-by: Jonas Chevalier <zimbatm@zimbatm.com> Autosubmit: Florian Klink <flokli@flokli.de>
2025-05-05 01:56:03 +03:00 · 2025-05-05 01:56:03 +03:00 · d9ca20a5cc
commit d9ca20a5cc
parent e20ff4cb60
3 changed files with 46 additions and 12 deletions
--- a/ops/keycloak/forgejo.tf
+++ b/ops/keycloak/forgejo.tf
@ -8,8 +8,9 @@ resource "keycloak_openid_client" "forgejo" {
  base_url                                 = "https://git.snix.dev"

  description                              = "snix project's code browsing, search and issue tracker"
-  direct_access_grants_enabled             = true
-  exclude_session_state_from_auth_response = false
+
+  // disable full scope, roles are assigned via keycloak_generic_client_role_mapper
+  full_scope_allowed    = false

  valid_redirect_uris = [
    "https://git.snix.dev/*",
@ -20,8 +21,41 @@ resource "keycloak_openid_client" "forgejo" {
  ]
 }

-# resource "keycloak_role" "forgejo_admin" {
-# }
-#
-# resource "keycloak_role" "forgejo_trusted_contributor" {
-# }
+resource "keycloak_role" "forgejo_admin" {
+  realm_id    = keycloak_realm.snix.id
+  client_id   = keycloak_openid_client.forgejo.id
+  name        = "Admin"
+  description = "Forgejo site admin and Snix Org Owner"
+}
+
+resource "keycloak_role" "forgejo_snix_contributors" {
+  realm_id    = keycloak_realm.snix.id
+  client_id   = keycloak_openid_client.forgejo.id
+  name        = "Contributors"
+  description = "Snix contributors"
+}
+
+
+# Add the "Contributors" role to all users
+resource "keycloak_openid_hardcoded_role_protocol_mapper" "forgejo_hardcoded_role_mapper" {
+  realm_id = keycloak_realm.snix.id
+  client_id = keycloak_openid_client.forgejo.id
+  name = "add forgejo contributors"
+  role_id = keycloak_role.forgejo_snix_contributors.id
+}
+
+# Expose the above two roles at `forgejo_roles`
+resource "keycloak_openid_user_client_role_protocol_mapper" "forgejo_role_mapper" {
+  realm_id = keycloak_realm.snix.id
+  client_id = keycloak_openid_client.forgejo.id
+  name = "forgejo_roles mapper"
+
+  claim_name = "forgejo_roles"
+  claim_value_type = "String"
+  add_to_id_token = true
+  add_to_access_token = true
+  multivalued = true
+
+  # https://github.com/keycloak/terraform-provider-keycloak/issues/1016
+  client_id_for_role_mappings = keycloak_openid_client.forgejo.client_id
+}
--- a/ops/keycloak/permissions.tf
+++ b/ops/keycloak/permissions.tf
@ -28,7 +28,7 @@ resource "keycloak_group_roles" "snix_core_team_roles" {
    # keycloak_role.is_local_admin,
    # keycloak_role.can_manage_snix,
    keycloak_role.grafana_admin.id,
-    # keycloak_role.forgejo_admin.id,
+    keycloak_role.forgejo_admin.id,
    # keycloak_role.gerrit_admin.id
  ]
 }
--- a/ops/modules/forgejo.nix
+++ b/ops/modules/forgejo.nix
@ -141,7 +141,6 @@ in
          REGISTER_EMAIL_CONFIRM = false;
          ACCOUNT_LINKING = "login";
          USERNAME = "nickname";
-          OPENID_CONNECT_SCOPES = "email profile";
        };

        repository = {
@ -260,7 +259,6 @@ in
        CLIENT_ID="forgejo"
        CLIENT_SECRET=$(cat ${config.age.secrets.forgejo-oauth-secret.path})
        DISCOVERY_URL="https://auth.snix.dev/realms/snix-project/.well-known/openid-configuration"
-        SCOPES=("openid" "profile" "email")

        # Check if the OAuth2 source already exists
        if gitea admin auth list | grep -q "$NAME"; then
@ -275,8 +273,10 @@ in
          --key "$CLIENT_ID" \
          --secret "$CLIENT_SECRET" \
          --auto-discover-url "$DISCOVERY_URL" \
-          $(printf -- '--scopes "%s" ' "''${SCOPES[@]}") \
-          --icon-url "$ICON_URL"
+          --group-claim-name forgejo_roles \
+          --admin-group Admin \
+          --group-team-map '{"Admin":{"snix":["Owners"]},"Contributors":{"snix": ["Contributors"]}}' \
+          --group-team-map-removal true

        echo "OAuth2 source '$NAME' added successfully."
      '';