maurice/snix
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

feat(ops/keycloak): configure Forgejo Roles

Browse source 
There's two Roles for the Forgejo application, "Admin" and
"Contributors".
Everyone gets the "Contributor" role assigned automatically (it doesn't
really give you a ton of privileges).

Regarding mapping Gerrit groups, it seems there's no support for this in
the `gerrit-oauth-provider` plugin (yet) -
see https://github.com/davido/gerrit-oauth-provider/issues/170.

Fixes #73.

Change-Id: I3cbb968e664125b1f08235db3008d1dbf778922a
Reviewed-on: https://cl.snix.dev/c/snix/+/30477
Tested-by: besadii
Reviewed-by: Jonas Chevalier <zimbatm@zimbatm.com>
Autosubmit: Florian Klink <flokli@flokli.de>
This commit is contained in:
Florian Klink 2025-05-05 01:56:03 +03:00 committed by clbot
parent e20ff4cb60
commit d9ca20a5cc
3 changed files with 46 additions and 12 deletions
Download patch file Download diff file Expand all files Collapse all files

48
ops/keycloak/forgejo.tf
View file

@ -8,8 +8,9 @@ resource "keycloak_openid_client" "forgejo" {
base_url = "https://git.snix.dev" base_url = "https://git.snix.dev"
description = "snix project's code browsing, search and issue tracker" description = "snix project's code browsing, search and issue tracker"
direct_access_grants_enabled = true
exclude_session_state_from_auth_response = false // disable full scope, roles are assigned via keycloak_generic_client_role_mapper
full_scope_allowed = false
valid_redirect_uris = [ valid_redirect_uris = [
"https://git.snix.dev/*", "https://git.snix.dev/*",
@ -20,8 +21,41 @@ resource "keycloak_openid_client" "forgejo" {
] ]
} }
# resource "keycloak_role" "forgejo_admin" { resource "keycloak_role" "forgejo_admin" {
# } realm_id = keycloak_realm.snix.id
# client_id = keycloak_openid_client.forgejo.id
# resource "keycloak_role" "forgejo_trusted_contributor" { name = "Admin"
# } description = "Forgejo site admin and Snix Org Owner"
}
resource "keycloak_role" "forgejo_snix_contributors" {
realm_id = keycloak_realm.snix.id
client_id = keycloak_openid_client.forgejo.id
name = "Contributors"
description = "Snix contributors"
}
# Add the "Contributors" role to all users
resource "keycloak_openid_hardcoded_role_protocol_mapper" "forgejo_hardcoded_role_mapper" {
realm_id = keycloak_realm.snix.id
client_id = keycloak_openid_client.forgejo.id
name = "add forgejo contributors"
role_id = keycloak_role.forgejo_snix_contributors.id
}
# Expose the above two roles at `forgejo_roles`
resource "keycloak_openid_user_client_role_protocol_mapper" "forgejo_role_mapper" {
realm_id = keycloak_realm.snix.id
client_id = keycloak_openid_client.forgejo.id
name = "forgejo_roles mapper"
claim_name = "forgejo_roles"
claim_value_type = "String"
add_to_id_token = true
add_to_access_token = true
multivalued = true
# https://github.com/keycloak/terraform-provider-keycloak/issues/1016
client_id_for_role_mappings = keycloak_openid_client.forgejo.client_id
}

2
ops/keycloak/permissions.tf
View file

@ -28,7 +28,7 @@ resource "keycloak_group_roles" "snix_core_team_roles" {
# keycloak_role.is_local_admin, # keycloak_role.is_local_admin,
# keycloak_role.can_manage_snix, # keycloak_role.can_manage_snix,
keycloak_role.grafana_admin.id, keycloak_role.grafana_admin.id,
# keycloak_role.forgejo_admin.id, keycloak_role.forgejo_admin.id,
# keycloak_role.gerrit_admin.id # keycloak_role.gerrit_admin.id
] ]
} }

8
ops/modules/forgejo.nix
View file

@ -141,7 +141,6 @@ in
REGISTER_EMAIL_CONFIRM = false; REGISTER_EMAIL_CONFIRM = false;
ACCOUNT_LINKING = "login"; ACCOUNT_LINKING = "login";
USERNAME = "nickname"; USERNAME = "nickname";
OPENID_CONNECT_SCOPES = "email profile";
}; };
repository = { repository = {
@ -260,7 +259,6 @@ in
CLIENT_ID="forgejo" CLIENT_ID="forgejo"
CLIENT_SECRET=$(cat ${config.age.secrets.forgejo-oauth-secret.path}) CLIENT_SECRET=$(cat ${config.age.secrets.forgejo-oauth-secret.path})
DISCOVERY_URL="https://auth.snix.dev/realms/snix-project/.well-known/openid-configuration" DISCOVERY_URL="https://auth.snix.dev/realms/snix-project/.well-known/openid-configuration"
SCOPES=("openid" "profile" "email")
# Check if the OAuth2 source already exists # Check if the OAuth2 source already exists
if gitea admin auth list | grep -q "$NAME"; then if gitea admin auth list | grep -q "$NAME"; then
@ -275,8 +273,10 @@ in
--key "$CLIENT_ID" \ --key "$CLIENT_ID" \
--secret "$CLIENT_SECRET" \ --secret "$CLIENT_SECRET" \
--auto-discover-url "$DISCOVERY_URL" \ --auto-discover-url "$DISCOVERY_URL" \
$(printf -- '--scopes "%s" ' "''${SCOPES[@]}") \ --group-claim-name forgejo_roles \
--icon-url "$ICON_URL" --admin-group Admin \
--group-team-map '{"Admin":{"snix":["Owners"]},"Contributors":{"snix": ["Contributors"]}}' \
--group-team-map-removal true
echo "OAuth2 source '$NAME' added successfully." echo "OAuth2 source '$NAME' added successfully."
''; '';