The buildbot POC wants to use Keycloak for user authentication. The
client is public, because it doesn't make sense to have a client secret,
which can't be kept under wrap anyway (it would need to be shipped with
the CLI[1]).

[1] https://gitlab.archlinux.org/foxboron/buildctl

When signing into GitLab, opting to create a new keycloak account
results in being able to sign into GitLab without setting up OTP.

Since any subsequent login will require configuring OTP, it seems
well advised to prompt for it as part of the registration process.

OpenID clients:
- 'use_refresh_tokens' set to false to preserve the values on live
- 'backchannel_logout_session_required' implicitly changed to true
  for the 'grafana_openid_client' and 'openid_gitlab' clients

SAML client (GitLab):
- 'front_channel_logout' set to false to preserve the live setting

Jelle van der Waa authored 3 years ago and Levente Polyak committed 2 years ago

Signed-off-by: Levente Polyak <anthraxx@archlinux.org>

Kristian Klausen authored 3 years ago and Jelle van der Waa committed 3 years ago

We are onboarding "Project Maintainers" now[1].

[1] https://lists.archlinux.org/private/staff/2022-February/000881.html

The gluebuddy client is required for gluebuddy to retrieve users and
groups membership without being able to change other keycloak data. The
realm-management roles cannot be assigned yet via keycloak as it does
not know about the roles and realm-management client.

Now that misc/get_key.py checks if the vault file passed to it exists,
we cannot pass paths only resolvable from the root directory. Instead,
use paths that make sense relative to the current directory and avoid
calling chdir when loading the vault file.

Fixes: 77542146 ("Rewrite get_key.py to use click instead of typer")

Thorben Günther authored 3 years ago and Kristian Klausen committed 3 years ago

This reverts commit 649568e7 ("Restrict Grafana access to Arch Linux
Staff group on Keycloak (fixes #151)").

Add our uptimerobot to terraform so it's managed in code and we can
easily extend it. This currently only adds our to be monitored sites and
leaves the status page as is now.

Deleting resources on uptimerobot will cause terraform unable to run
see: https://github.com/louy/terraform-provider-uptimerobot/issues/82

References: #209

Synapse only inspects the userinfo.

Closes #94

As our grafana now contains Loki logs, we don't want non devops to view
logs which potentially contain sensitive data. As Grafana does not have
a system to easily restrict data sources to roles we use Keycloak.

This adds a collaborative markdown editor as newly offered service which
is available via login for all Arch Linux Staff with an option to allow
anonymous edits by users (not default). Users are managed via keycloak
and require the Staff role to be allowed in, non staff keycloak users
currently will receive an internal server error due to an upstream
issue.

This process didn't need any source changes but it added the new Terraform lockfiles.

This is now possible because of terraform-provider-keycloak 2.0.0 :D

Kristian Klausen authored 4 years ago and Sven-Hendrik Haase committed 4 years ago

Fix #120

Expand the Support group with subgroups for the Wiki, Forum, Security
Tracker and Archweb. The subgroups are just a placeholder for groups for
the roles which a user can be in for the service. New onboarded users
should be assigned to correct groups for their Support staff team.

Jelle van der Waa authored 4 years ago and Sven-Hendrik Haase committed 4 years ago

Configure Grafana to use Keycloak OpenID Connect for authentication. For
now only DevOps is configured as admin and Arch Staff as general Viewer
roles.

We had to redesign all flows when discovering that we can't design flows exactly the way we wanted in Keycloak.

Kristian Klausen authored 4 years ago and Sven-Hendrik Haase committed 4 years ago

Broken by the last commit

Kristian Klausen authored 4 years ago and Sven-Hendrik Haase committed 4 years ago

Registering a new required action is currently not supported, so it
needs to be done manually.
See upstream bug: https://github.com/mrparkers/terraform-provider-keycloak/issues/354

Configuring the WebAuthn policy is currently not supported, so it needs
to be done manully.
See upstream bug: https://github.com/mrparkers/terraform-provider-keycloak/issues/355

Fix #28

I know this seems a bit weird but this is how the Keycloak templates work. :P

We do not want full scope to be allowed for the gitlab openid client. In
fact we already have it disabled, however the latest provider seems to
have changed something which makes terraform to have the desire to
change this to true. Set it explicitly to false to avoid changing
behavior.

This reverts commit 8e4eac7d.

Revert this feature as its part of a keycloak change that must go
through review via a merge request.