WIP: support for GitLab kerberos

Author: palkerecsenyi

Pipfile

@@ -21,6 +21,9 @@ uwsgi = ">=2.0"
 uwsgitop = ">=0.11"
 uwsgi-tools = ">=1.1.1"
 flask-mail = ">=0.9.0,<0.10.0"
+invenio-preservation-sync = "==0.2.0"
+invenio-cern-sync = {git = "https://github.com/cerndocumentserver/invenio-cern-sync.git", ref = "v0.3.0"}
+invenio-vcs = ">=4.0.0,<5.0.0"
 
 [requires]
 python_version = "3.9"

site/cds_rdm/errors.py

@@ -29,7 +29,11 @@ def __init__(self, user_id: str) -> None:
 
 class GitLabIdentityNotFoundError(Exception):
     def __init__(self, user_id: str) -> None:
-        super().__init__(_(f"GitLab user {user_id} did not have CERN SSO identity"))
+        super().__init__(
+            _(
+                f"GitLab user {user_id} did not have CERN OpenID or Kerberos identity (LDAP-only accounts are not supported)"
+            )
+        )
 
 
 class KeycloakGitLabMismatchError(Exception):

site/cds_rdm/vcs/handlers.py

@@ -29,11 +29,16 @@ def inner(remote, resp, user_info, **kwargs):
         gl_identities = user_info["identities"]
         gl_extern_uid: str | None = None
         for identity in gl_identities:
-            if identity["provider"] != "openid_connect":
+            prov = identity["provider"]
+
+            if prov == "openid_connect":
+                gl_extern_uid = identity["extern_uid"]
+            elif prov == "kerberos":
+                # {'provider': 'kerberos', 'extern_uid': '[email protected]', 'saml_provider_id': None}
+                gl_extern_uid = identity["extern_uid"].removesuffix("@CERN.CH")
+            else:
                 continue
 
-            gl_extern_uid = identity["extern_uid"]
-
         if gl_extern_uid is None:
             raise GitLabIdentityNotFoundError(gl_user_id)