feat(x2a): GitLab authentication and token for jobs

Signed-off-by: Marek Libra <marek.libra@gmail.com>

Author: mareklibra

workspaces/x2a/README.md

@@ -40,6 +40,11 @@ See the [backend plugin README](./plugins/x2a-backend/README.md) for detailed co
    export AUTH_GITHUB_CLIENT_ID=.... # Optional if "guest" user is not enough
    export AUTH_GITHUB_CLIENT_SECRET=... # Optional if "guest" user is not enough
 
+   # For GitLab auth:
+   # Create on https://gitlab.com/-/user_settings/applications
+   export AUTH_GITLAB_CLIENT_ID=...
+   export AUTH_GITLAB_CLIENT_SECRET=...
+
    yarn dev
    ```
 

workspaces/x2a/app-config.yaml

@@ -33,15 +33,18 @@ backend:
   # workingDirectory: /tmp # Use this to configure a working directory for the scaffolder, defaults to the OS temp-dir
 
 integrations:
-  github:
-    - host: github.com
-      # This is a Personal Access Token or PAT from GitHub. You can find out how to generate this token, and more information
-      # about setting up the GitHub integration here: https://backstage.io/docs/integrations/github/locations#configuration
-      token: ${GITHUB_TOKEN}
-    ### Example for how to add your GitHub Enterprise instance using the API:
-    # - host: ghe.example.net
-    #   apiBaseUrl: https://ghe.example.net/api/v3
-    #   token: ${GHE_TOKEN}
+#  github:
+#    - host: github.com
+#      # This is a Personal Access Token or PAT from GitHub. You can find out how to generate this token, and more information
+#      # about setting up the GitHub integration here: https://backstage.io/docs/integrations/github/locations#configuration
+#      token: ${GITHUB_TOKEN}
+#  gitlab:
+#    - host: gitlab.cee.redhat.com
+#      token: ${GITLAB_TOKEN}
+### Example for how to add your GitHub Enterprise instance using the API:
+# - host: ghe.example.net
+#   apiBaseUrl: https://ghe.example.net/api/v3
+#   token: ${GHE_TOKEN}
 
 proxy:
   ### Example for how to add a proxy endpoint for the frontend.
@@ -62,6 +65,10 @@ techdocs:
   publisher:
     type: 'local' # Alternatives - 'googleGcs' or 'awsS3'. Read documentation for using alternatives.
 
+# Use redirect flow instead of popup; fixes "Missing session cookie" on refresh
+# when the popup and main window have different cookie contexts
+#enableExperimentalRedirectFlow: true
+
 auth:
   # see https://backstage.io/docs/auth/ to learn about auth providers
   environment: development
@@ -70,12 +77,14 @@ auth:
     guest: {}
     gitlab:
       development:
+        # Create an OAuth app on https://gitlab.com/-/user_settings/applications
         clientId: ${AUTH_GITLAB_CLIENT_ID}
         clientSecret: ${AUTH_GITLAB_CLIENT_SECRET}
+        audience: https://gitlab.com
+        # audience: https://gitlab.cee.redhat.com
         signIn:
           resolvers:
-            - resolver: emailMatchingUserEntityProfileEmail
-            # - resolver: usernameMatchingUserEntityName
+            - resolver: usernameMatchingUserEntityName
     github:
       development:
         clientId: ${AUTH_GITHUB_CLIENT_ID}

workspaces/x2a/examples/org.yaml

@@ -37,6 +37,16 @@ spec:
 ---
 apiVersion: backstage.io/v1alpha1
 kind: User
+metadata:
+  name: mlibra
+spec:
+  profile:
+    displayName: Marek Libra
+    email: foo@bar.com
+  memberOf: [x2a-admin-group]
+---
+apiVersion: backstage.io/v1alpha1
+kind: User
 metadata:
   name: elai-shalev
 spec:

workspaces/x2a/package.json

@@ -59,7 +59,8 @@
     "@backstage/backend-defaults": "0.13.1",
     "@backstage/backend-plugin-api": "1.5.0",
     "@backstage-community/plugin-rbac-backend": "~7.4.0",
-    "@backstage/plugin-permission-react": "0.4.36"
+    "@backstage/plugin-permission-react": "0.4.36",
+    "@backstage/plugin-auth-backend-module-gitlab-provider": "0.3.9"
   },
   "prettier": "@backstage/cli/config/prettier",
   "lint-staged": {

workspaces/x2a/packages/app/src/App.tsx

@@ -56,7 +56,7 @@ import {
   X2APage,
   x2aPluginTranslations,
 } from '@red-hat-developer-hub/backstage-plugin-x2a';
-import { githubAuthApiRef } from '@backstage/core-plugin-api';
+import { githubAuthApiRef, gitlabAuthApiRef } from '@backstage/core-plugin-api';
 
 const app = createApp({
   apis,
@@ -90,6 +90,12 @@ const app = createApp({
             message: 'Sign in using GitHub',
             apiRef: githubAuthApiRef,
           },
+          {
+            id: 'gitlab-auth-provider',
+            title: 'GitLab',
+            message: 'Sign in using GitLab',
+            apiRef: gitlabAuthApiRef,
+          },
         ]}
       />
     ),

workspaces/x2a/packages/backend/package.json

@@ -27,6 +27,7 @@
     "@backstage/plugin-app-backend": "^0.5.8",
     "@backstage/plugin-auth-backend": "^0.25.6",
     "@backstage/plugin-auth-backend-module-github-provider": "^0.3.9",
+    "@backstage/plugin-auth-backend-module-gitlab-provider": "^0.3.9",
     "@backstage/plugin-auth-backend-module-guest-provider": "^0.2.14",
     "@backstage/plugin-auth-node": "^0.6.9",
     "@backstage/plugin-catalog-backend": "^3.2.0",
@@ -40,6 +41,7 @@
     "@backstage/plugin-proxy-backend": "^0.6.8",
     "@backstage/plugin-scaffolder-backend": "^3.0.1",
     "@backstage/plugin-scaffolder-backend-module-github": "^0.9.2",
+    "@backstage/plugin-scaffolder-backend-module-gitlab": "^0.11.3",
     "@backstage/plugin-scaffolder-backend-module-notifications": "^0.1.16",
     "@backstage/plugin-search-backend": "^2.0.8",
     "@backstage/plugin-search-backend-module-catalog": "^0.3.10",

workspaces/x2a/packages/backend/src/index.ts

@@ -24,6 +24,7 @@ backend.add(import('@backstage/plugin-proxy-backend'));
 // scaffolder plugin
 backend.add(import('@backstage/plugin-scaffolder-backend'));
 backend.add(import('@backstage/plugin-scaffolder-backend-module-github'));
+backend.add(import('@backstage/plugin-scaffolder-backend-module-gitlab'));
 backend.add(
   import('@backstage/plugin-scaffolder-backend-module-notifications'),
 );
@@ -36,6 +37,8 @@ backend.add(import('@backstage/plugin-auth-backend'));
 // See https://backstage.io/docs/backend-system/building-backends/migrating#the-auth-plugin
 backend.add(import('@backstage/plugin-auth-backend-module-guest-provider'));
 backend.add(import('@backstage/plugin-auth-backend-module-github-provider'));
+backend.add(import('@backstage/plugin-auth-backend-module-gitlab-provider'));
+
 // See https://backstage.io/docs/auth/guest/provider
 
 // catalog plugin

workspaces/x2a/templates/conversion-project-template.yaml

@@ -53,7 +53,7 @@ spec:
         sourceRepoUrl:
           title: Conversion source repository
           description: |
-            The Owner should be your GitHub username. The repository name should be a name that already exists in your GitHub account and contains a Chef cookbook or directory to convert.
+            The Owner should be your SCM (Source Code Management) username. The repository name should be a name that already exists in your SCM account and contains a Chef cookbook or directory to convert.
           type: string
           ui:field: RepoUrlPicker
           ui:options:
@@ -63,7 +63,10 @@ spec:
               #  github:
               #    - workflow
             allowedHosts:
-              - github.com
+              # This is to be updated per deployment
+              # - github.com
+              - gitlab.com
+              # - gitlab.cee.redhat.com
         sourceRepoBranch:
           title: Conversion source repository branch
           type: string
@@ -75,7 +78,7 @@ spec:
           description: If checked, the target repository will be the same as the source repository.
           default: true
 
-        # TODO: Can be replaced by RepoBranchPicker but it does not work nicely. https://backstage.io/docs/features/software-templates/writing-templates#the-repository-branch-picker
+        # Can be replaced by RepoBranchPicker but it does not work nicely. https://backstage.io/docs/features/software-templates/writing-templates#the-repository-branch-picker
         targetRepoBranch:
           title: Conversion target repository branch
           type: string
@@ -93,15 +96,17 @@ spec:
                   targetRepoUrl:
                     title: Conversion target repository
                     description: |
-                      The Owner should be your GitHub username. The repository name should be a name that already exists in your GitHub account. It will be populated by converted Ansible sources and intermediary artifacts.
+                      The Owner should be your SCM (Source Code Management) username. The repository name should be a name that already exists in your SCM account. It will be populated by converted Ansible sources and intermediary artifacts.
                     type: string
                     ui:field: RepoUrlPicker
                     ui:options:
                       requestUserCredentials:
                         secretsKey: TGT_USER_OAUTH_TOKEN
                       allowedHosts:
-                        - github.com
-
+                        # This is to be updated per deployment
+                        # - github.com
+                        - gitlab.com
+                        # - gitlab.cee.redhat.com
     - title: Conversion parameters
       properties:
         userPrompt:

workspaces/x2a/yarn.lock

@@ -3030,6 +3030,20 @@ __metadata:
   languageName: node
   linkType: hard
 
+"@backstage/plugin-auth-backend-module-gitlab-provider@npm:0.3.9":
+  version: 0.3.9
+  resolution: "@backstage/plugin-auth-backend-module-gitlab-provider@npm:0.3.9"
+  dependencies:
+    "@backstage/backend-plugin-api": "npm:^1.5.0"
+    "@backstage/plugin-auth-node": "npm:^0.6.9"
+    express: "npm:^4.18.2"
+    passport: "npm:^0.7.0"
+    passport-gitlab2: "npm:^5.0.0"
+    zod: "npm:^3.22.4"
+  checksum: 10c0/6547514048e0f71e973996e259e4fc43e3c00b2443cec613a273d03ee32f2993b461f7fa694cf997f19fc02b9e6b7f94dcc0f02604feeda246e8f38db3d0a8c3
+  languageName: node
+  linkType: hard
+
 "@backstage/plugin-auth-backend-module-guest-provider@npm:^0.2.14":
   version: 0.2.15
   resolution: "@backstage/plugin-auth-backend-module-guest-provider@npm:0.2.15"
@@ -3902,6 +3916,24 @@ __metadata:
   languageName: node
   linkType: hard
 
+"@backstage/plugin-scaffolder-backend-module-gitlab@npm:^0.11.3":
+  version: 0.11.3
+  resolution: "@backstage/plugin-scaffolder-backend-module-gitlab@npm:0.11.3"
+  dependencies:
+    "@backstage/backend-plugin-api": "npm:^1.7.0"
+    "@backstage/config": "npm:^1.3.6"
+    "@backstage/errors": "npm:^1.2.7"
+    "@backstage/integration": "npm:^1.20.0"
+    "@backstage/plugin-scaffolder-node": "npm:^0.12.5"
+    "@gitbeaker/requester-utils": "npm:^41.2.0"
+    "@gitbeaker/rest": "npm:^41.2.0"
+    luxon: "npm:^3.0.0"
+    yaml: "npm:^2.0.0"
+    zod: "npm:^3.25.76"
+  checksum: 10c0/83c6a7889c2e0051e71691426fb5e8f9e3f2cb4b6f546711dce7636cc8d2e85cbcdce75c63738b1c7d5003f8160ec30a61c7356ed3ee5de6aef51bdc9d38179e
+  languageName: node
+  linkType: hard
+
 "@backstage/plugin-scaffolder-backend-module-notifications@npm:^0.1.16":
   version: 0.1.18
   resolution: "@backstage/plugin-scaffolder-backend-module-notifications@npm:0.1.18"
@@ -4071,6 +4103,34 @@ __metadata:
   languageName: node
   linkType: hard
 
+"@backstage/plugin-scaffolder-node@npm:^0.12.5":
+  version: 0.12.5
+  resolution: "@backstage/plugin-scaffolder-node@npm:0.12.5"
+  dependencies:
+    "@backstage/backend-plugin-api": "npm:^1.7.0"
+    "@backstage/catalog-model": "npm:^1.7.6"
+    "@backstage/errors": "npm:^1.2.7"
+    "@backstage/integration": "npm:^1.20.0"
+    "@backstage/plugin-permission-common": "npm:^0.9.6"
+    "@backstage/plugin-scaffolder-common": "npm:^1.7.6"
+    "@backstage/types": "npm:^1.2.2"
+    "@isomorphic-git/pgp-plugin": "npm:^0.0.7"
+    concat-stream: "npm:^2.0.0"
+    fs-extra: "npm:^11.2.0"
+    globby: "npm:^11.0.0"
+    isomorphic-git: "npm:^1.23.0"
+    jsonschema: "npm:^1.5.0"
+    lodash: "npm:^4.17.21"
+    p-limit: "npm:^3.1.0"
+    tar: "npm:^7.5.6"
+    winston: "npm:^3.2.1"
+    winston-transport: "npm:^4.7.0"
+    zod: "npm:^3.25.76"
+    zod-to-json-schema: "npm:^3.25.1"
+  checksum: 10c0/f1e401744991049f9f7bbc0fb1c8d1cdff85082748004b7d428f0681e0944b865c61484285730e28b483443b6595128b45379a24d9cc4967940b21068bfd2b49
+  languageName: node
+  linkType: hard
+
 "@backstage/plugin-scaffolder-react@npm:^1.19.7":
   version: 1.19.7
   resolution: "@backstage/plugin-scaffolder-react@npm:1.19.7"
@@ -17148,6 +17208,7 @@ __metadata:
     "@backstage/plugin-app-backend": "npm:^0.5.8"
     "@backstage/plugin-auth-backend": "npm:^0.25.6"
     "@backstage/plugin-auth-backend-module-github-provider": "npm:^0.3.9"
+    "@backstage/plugin-auth-backend-module-gitlab-provider": "npm:^0.3.9"
     "@backstage/plugin-auth-backend-module-guest-provider": "npm:^0.2.14"
     "@backstage/plugin-auth-node": "npm:^0.6.9"
     "@backstage/plugin-catalog-backend": "npm:^3.2.0"
@@ -17161,6 +17222,7 @@ __metadata:
     "@backstage/plugin-proxy-backend": "npm:^0.6.8"
     "@backstage/plugin-scaffolder-backend": "npm:^3.0.1"
     "@backstage/plugin-scaffolder-backend-module-github": "npm:^0.9.2"
+    "@backstage/plugin-scaffolder-backend-module-gitlab": "npm:^0.11.3"
     "@backstage/plugin-scaffolder-backend-module-notifications": "npm:^0.1.16"
     "@backstage/plugin-search-backend": "npm:^2.0.8"
     "@backstage/plugin-search-backend-module-catalog": "npm:^0.3.10"
@@ -29251,7 +29313,16 @@ __metadata:
   languageName: node
   linkType: hard
 
-"passport-oauth2@npm:1.x.x, passport-oauth2@npm:^1.7.0":
+"passport-gitlab2@npm:^5.0.0":
+  version: 5.0.0
+  resolution: "passport-gitlab2@npm:5.0.0"
+  dependencies:
+    passport-oauth2: "npm:^1.4.0"
+  checksum: 10c0/703b1c26e7cc085fb089b6d00111765b9ca5695c1cf73c1d2d352996ae8ea70e737c4e759f6d43814053633dabf5fe299498dca0c26ecc79f7a32c9cccbd8257
+  languageName: node
+  linkType: hard
+
+"passport-oauth2@npm:1.x.x, passport-oauth2@npm:^1.4.0, passport-oauth2@npm:^1.7.0":
   version: 1.8.0
   resolution: "passport-oauth2@npm:1.8.0"
   dependencies:
@@ -33960,6 +34031,19 @@ __metadata:
   languageName: node
   linkType: hard
 
+"tar@npm:^7.5.6":
+  version: 7.5.9
+  resolution: "tar@npm:7.5.9"
+  dependencies:
+    "@isaacs/fs-minipass": "npm:^4.0.0"
+    chownr: "npm:^3.0.0"
+    minipass: "npm:^7.1.2"
+    minizlib: "npm:^3.1.0"
+    yallist: "npm:^5.0.0"
+  checksum: 10c0/e870beb1b2477135ca2abe86b2d18f7b35d0a4e3a37bbc523d3b8f7adca268dfab543f26528a431d569897f8c53a7cac745cdfbc4411c2f89aeeacc652b81b0a
+  languageName: node
+  linkType: hard
+
 "tarn@npm:^3.0.2":
   version: 3.0.2
   resolution: "tarn@npm:3.0.2"