Gerrit

image0

Presentation

Gerrit allows to review commits before they are integrated into a target branch.

With the OAuth2 provider plugin Gerrit can use OAuth2 protocol for authentication.

Configuration

Gerrit

Install the OAuth Provider plugin. A prebuilt package of the plugin can be found on the Gerrit CI.

Then, configure Gerrit:

In /var/gerrit/etc/gerrit.config

...
[auth]
  type = OAUTH
  gitBasicAuthPolicy = HTTP
...
[plugin "gerrit-oauth-provider-lemonldap-oauth"]
  root-url = https://auth.<LLNG_SERVER>
  client-id = <GERRIT_CLIENT_ID>

In /var/gerrit/etc/secret.config

...
[plugin "gerrit-oauth-provider-lemonldap-oauth"]
  client-secret = <GERRIT_CLIENT_SECRET>

LL::NG

Add an Open ID Connect Relying Party for Gerrit

# Exported attributes (the values must fit your LDAP schema)
lemonldap-ng-cli -yes 1 \
   addKey \
     oidcRPMetaDataExportedVars/gerrit preferred_username uid \
     oidcRPMetaDataExportedVars/gerrit name cn \
     oidcRPMetaDataExportedVars/gerrit email mail \
     oidcRPMetaDataExportedVars/gerrit sub email

# Options > Basic > Allowed redirection addresses for login
#         > Logout > Allowed redirection addresses for logout
lemonldap-ng-cli -yes 1 \
   addKey \
     oidcRPMetaDataOptions/gerrit oidcRPMetaDataOptionsRedirectUris 'http://<GERRIT_SERVER>/oauth' \
     oidcRPMetaDataOptions/gerrit oidcRPMetaDataOptionsPostLogoutRedirectUris 'https://<GERRIT_SERVER>/'

# Options > Basic > Client ID
#         > Basic > Client Secret
lemonldap-ng-cli -yes 1 \
   addKey \
     oidcRPMetaDataOptions/gerrit oidcRPMetaDataOptionsClientID '<GERRIT_OAUTH_ID>' \
     oidcRPMetaDataOptions/gerrit oidcRPMetaDataOptionsClientSecret '<GERRIT_OAUTH_SECRET>'

# Timeout > ID Token expiration
#         > Access Token expiration
# Security > ID Token signature algorithm
lemonldap-ng-cli -yes 1 \
   addKey \
     oidcRPMetaDataOptions/gerrit oidcRPMetaDataOptionsIDTokenExpiration 3600 \
     oidcRPMetaDataOptions/gerrit oidcRPMetaDataOptionsAccessTokenExpiration 3600 \
     oidcRPMetaDataOptions/gerrit oidcRPMetaDataOptionsIDTokenSignAlg RS512