authenticate/providers : add gitlab support (#28)

- Add UserInfo struct and implementation to gather additional user information if the endpoint exists. - Add example docker-compose.yml for on-prem gitlab. - Add gitlab docs. - Removed explicit email checks in handlers. - Providers are now a protected type on provider data. - Alphabetized provider list. - Refactored authenticate.New to be more concise.
2025-08-02 00:10:45 +02:00 · 2019-01-24 15:10:16 -08:00 · 2019-01-24 15:10:16 -08:00 · b9c298d278
commit b9c298d278
parent 426e003b03
16 changed files with 510 additions and 182 deletions
--- a/docs/examples/gitlab.docker-compose.yml
+++ b/docs/examples/gitlab.docker-compose.yml
@ -0,0 +1,102 @@
+version: "3"
+
+services:
+  # NGINX routes to pomerium's services depending on the request.
+  nginx:
+    image: jwilder/nginx-proxy:latest
+    ports:
+      - "443:443"
+    volumes:
+      # NOTE!!! : nginx must be supplied with your wildcard certificates. And it expects
+      # it in the format of whatever your wildcard domain name is in.
+      # see : https://github.com/jwilder/nginx-proxy#wildcard-certificates
+      # So, if your subdomain is corp.beyondperimeter.com, you'd have the following :
+      - ./cert.pem:/etc/nginx/certs/corp.beyondperimeter.com.crt:ro
+      - ./privkey.pem:/etc/nginx/certs/corp.beyondperimeter.com.key:ro
+      - /var/run/docker.sock:/tmp/docker.sock:ro
+
+  pomerium-authenticate:
+    build: .
+    restart: always
+    depends_on:
+      - "gitlab"
+    environment:
+      - POMERIUM_DEBUG=true
+      - SERVICES=authenticate
+      # auth settings
+      - REDIRECT_URL=https://sso-auth.corp.beyondperimeter.com/oauth2/callback
+      - IDP_PROVIDER="gitlab"
+      - IDP_PROVIDER_URL=https://gitlab.corp.beyondperimeter.com
+      - IDP_CLIENT_ID=022dbbd09402441dc7af1924b679bc5e6f5bf0d7a555e55b38c51e2e4e6cee76
+      - IDP_CLIENT_SECRET=fb7598c520c346915ee369eee57688938fe4f31329a308c4669074da562714b2
+      - PROXY_ROOT_DOMAIN=beyondperimeter.com
+      - ALLOWED_DOMAINS=*
+      - SKIP_PROVIDER_BUTTON=false
+      # shared service settings
+      # Generate 256 bit random keys  e.g. `head -c32 /dev/urandom | base64`
+      - SHARED_SECRET=aDducXQzK2tPY3R4TmdqTGhaYS80eGYxcTUvWWJDb2M=
+      - COOKIE_SECRET=V2JBZk0zWGtsL29UcFUvWjVDWWQ2UHExNXJ0b2VhcDI=
+      - VIRTUAL_PROTO=https
+      - VIRTUAL_HOST=sso-auth.corp.beyondperimeter.com
+      - VIRTUAL_PORT=443
+    volumes: # volumes is optional; used if passing certificates as files
+      - ./cert.pem:/pomerium/cert.pem:ro
+      - ./privkey.pem:/pomerium/privkey.pem:ro
+    expose:
+      - 443
+
+  pomerium-proxy:
+    build: .
+    restart: always
+    environment:
+      - POMERIUM_DEBUG=true
+      - SERVICES=proxy
+      # proxy settings
+      - AUTHENTICATE_SERVICE_URL=https://sso-auth.corp.beyondperimeter.com
+      - ROUTES=https://httpbin.corp.beyondperimeter.com=http://httpbin,https://hello.corp.beyondperimeter.com=http://hello-world/
+      # Generate 256 bit random keys  e.g. `head -c32 /dev/urandom | base64`
+      - SHARED_SECRET=aDducXQzK2tPY3R4TmdqTGhaYS80eGYxcTUvWWJDb2M=
+      - COOKIE_SECRET=V2JBZk0zWGtsL29UcFUvWjVDWWQ2UHExNXJ0b2VhcDI=
+      - SIGNING_KEY=LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCk1IY0NBUUVFSU0zbXBaSVdYQ1g5eUVneFU2czU3Q2J0YlVOREJTQ0VBdFFGNWZVV0hwY1FvQW9HQ0NxR1NNNDkKQXdFSG9VUURRZ0FFaFBRditMQUNQVk5tQlRLMHhTVHpicEVQa1JyazFlVXQxQk9hMzJTRWZVUHpOaTRJV2VaLwpLS0lUdDJxMUlxcFYyS01TYlZEeXI5aWp2L1hoOThpeUV3PT0KLS0tLS1FTkQgRUMgUFJJVkFURSBLRVktLS0tLQo=
+      # nginx settings
+      - VIRTUAL_PROTO=https
+      - VIRTUAL_HOST=*.corp.beyondperimeter.com
+      - VIRTUAL_PORT=443
+    volumes: # volumes is optional; used if passing certificates as files
+      - ./cert.pem:/pomerium/cert.pem:ro
+      - ./privkey.pem:/pomerium/privkey.pem:ro
+    expose:
+      - 443
+
+  # https://httpbin.corp.beyondperimeter.com
+  httpbin:
+    image: kennethreitz/httpbin:latest
+    expose:
+      - 80
+  # https://hello.corp.beyondperimeter.com
+  hello-world:
+    image: tutum/hello-world:latest
+    expose:
+      - 80
+  gitlab:
+    hostname: gitlab.corp.beyondperimeter.com
+    image: gitlab/gitlab-ce:latest
+    restart: always
+    expose:
+      - 443
+      - 80
+      - 22
+    environment:
+      GITLAB_OMNIBUS_CONFIG: |
+        external_url 'https://gitlab.corp.beyondperimeter.com'
+        nginx['ssl_certificate'] = '/etc/gitlab/trusted-certs/corp.beyondperimeter.com.crt'
+        nginx['ssl_certificate_key'] = '/etc/gitlab/trusted-certs/corp.beyondperimeter.com.key'
+      VIRTUAL_PROTO: https
+      VIRTUAL_HOST: gitlab.corp.beyondperimeter.com
+      VIRTUAL_PORT: 443
+    volumes:
+      - ./cert.pem:/etc/gitlab/trusted-certs/corp.beyondperimeter.com.crt
+      - ./privkey.pem:/etc/gitlab/trusted-certs/corp.beyondperimeter.com.key
+      - $HOME/gitlab/config:/etc/gitlab
+      - $HOME/gitlab/logs:/var/log/gitlab
+      - $HOME/gitlab/data:/var/opt/gitlab