From 1d8a46493cec4cfe95f93c2a8e7e5521d0fa778a Mon Sep 17 00:00:00 2001
From: atisne
Date: Fri, 27 Nov 2020 16:17:35 +0100
Subject: [PATCH] Add configuration details to use LL:NG SSO with Gerrit
---
 doc/sources/admin/applications.rst | 2 +
 doc/sources/admin/applications/gerrit.rst | 89 ++++++++++++++++++
 .../admin/applications/gerrit_logo.png | Bin 0 -> 1087 bytes
 3 files changed, 91 insertions(+)
 create mode 100644 doc/sources/admin/applications/gerrit.rst
 create mode 100644 doc/sources/admin/applications/gerrit_logo.png
diff --git a/doc/sources/admin/applications.rst b/doc/sources/admin/applications.rst
index 0baef94e0..ac8384031 100644
--- a/doc/sources/admin/applications.rst
+++ b/doc/sources/admin/applications.rst
@@ -15,6 +15,7 @@ Applications
 applications/dokuwiki
 applications/drupal
 applications/fusiondirectory
+ applications/gerrit
 applications/gitlab
 applications/glpi
 applications/googleapps
@@ -89,6 +90,7 @@ Application Configuration
 .. image:: applications/dokuwiki_logo.png :doc:`Dokuwiki` ✔
 .. image:: applications/drupal_logo.png :doc:`Drupal` ✔
 .. image:: applications/fusiondirectory-logo.jpg :doc:`FusionDirectory` ✔
+.. image:: applications/gerrit_logo.png :doc:`Gerrit` ✔
 .. image:: applications/gitlab_logo.png :doc:`Gitlab` ✔ ✔
 .. image:: applications/glpi_logo.png :doc:`GLPI` ✔
 .. image:: applications/googleapps_logo.png :doc:`Google Apps` ✔
diff --git a/doc/sources/admin/applications/gerrit.rst b/doc/sources/admin/applications/gerrit.rst
new file mode 100644
index 000000000..0a9816221
--- /dev/null
+++ b/doc/sources/admin/applications/gerrit.rst
@@ -0,0 +1,89 @@
+Gerrit
+======
+
+|image0|
+
+Presentation
+------------
+
+`Gerrit `__ allows to review commits before they are integrated into a target branch.
+
+With the `OAuth2 provider plugin `__ Gerrit can use OAuth2 protocol for authentication.
+
+Configuration
+-------------
+
+Gerrit
+------
+
+`Install `__ the OAuth Provider plugin.
+
+.. tip::
+
+ The LemonLDAP::NG support was added on February 23, 2020.
+ If you can't find a prebuilt package, you can use this `dockerfile `__ to build your own.
+
+Then, configure Gerrit:
+
+In ``/var/gerrit/etc/gerrit.config``
+
+::
+
+ ...
+ [auth]
+ type = OAUTH
+ gitBasicAuthPolicy = HTTP
+ ...
+ [plugin "gerrit-oauth-provider-lemonldap-oauth"]
+ root-url = https://auth.
+ client-id =
+
+In ``/var/gerrit/etc/secret.config``
+
+::
+
+ ...
+ [plugin "gerrit-oauth-provider-lemonldap-oauth"]
+ client-secret =
+
+LL::NG
+------
+
+Add an Open ID Connect Relying Party for Gerrit
+
+.. code-block:: bash
+
+ # Exported attributes (the values must fit your LDAP schema)
+ lemonldap-ng-cli -yes 1 \
+ addKey \
+ oidcRPMetaDataExportedVars/gerrit preferred_username uid \
+ oidcRPMetaDataExportedVars/gerrit name cn \
+ oidcRPMetaDataExportedVars/gerrit email mail \
+ oidcRPMetaDataExportedVars/gerrit sub email
+
+ # Options > Basic > Allowed redirection addresses for login
+ # > Logout > Allowed redirection addresses for logout
+ lemonldap-ng-cli -yes 1 \
+ addKey \
+ oidcRPMetaDataOptions/gerrit oidcRPMetaDataOptionsRedirectUris 'http:///oauth' \
+ oidcRPMetaDataOptions/gerrit oidcRPMetaDataOptionsPostLogoutRedirectUris 'https:///'
+
+ # Options > Basic > Client ID
+ # > Basic > Client Secret
+ lemonldap-ng-cli -yes 1 \
+ addKey \
+ oidcRPMetaDataOptions/gerrit oidcRPMetaDataOptionsClientID '' \
+ oidcRPMetaDataOptions/gerrit oidcRPMetaDataOptionsClientSecret ''
+
+ # Timeout > ID Token expiration
+ # > Access Token expiration
+ # Security > ID Token signature algorithm
+ lemonldap-ng-cli -yes 1 \
+ addKey \
+ oidcRPMetaDataOptions/gerrit oidcRPMetaDataOptionsIDTokenExpiration 3600 \
+ oidcRPMetaDataOptions/gerrit oidcRPMetaDataOptionsAccessTokenExpiration 3600 \
+ oidcRPMetaDataOptions/gerrit oidcRPMetaDataOptionsIDTokenSignAlg RS512
+
+
+.. |image0| image:: /applications/gerrit_logo.png
+ :class: align-center
diff --git a/doc/sources/admin/applications/gerrit_logo.png b/doc/sources/admin/applications/gerrit_logo.png
new file mode 100644
index 0000000000000000000000000000000000000000..cfc27f067eeaa9711a3e815c26d345afc6c8ead7
GIT binary patch literal 1087 zcmV-F1i<@=P)=PCKE+T@EHIA1I$T8 zK~#9!?VQhR6ImRXw-TT)MD-0SStO2yF!a~8!@a z9}Ox6`dlc`r&6FG0!5$*6oG;W6oDd81PUTh1a2raGZZpcBH?5y%myH>V-4G`9}*?p zpA2w2*GmE(1Gfy#NUxZ{cRCC;!Bi!fg?ZDx1lkQPJ1DDE;5!}e9D%tl1z&O(fzv}b zhB}oBd~gsZD_v9lEdY(m8j)maw%EFe&A?e@0%rpSTjwpsF=YbNI&Nf#GJ&S%N`Xbv zk(MVB5hwyhpdbQ8;0DFBnwfbQ-lNCo)jT?G^Rei$|Nmda=kYAO&pZ8$w}@0}$@&tw zeSDgIwP%&2_2+aKZz}w@_`WN5sW{!8cl!VS93*m~Rf@3Gfg(@@3Lfkfg(@@iaKg|c4?PB9`aPF-*p1%~;HPuwtR68DX5?E7JlXD)@ zk(MVB5hwx$hel+r@Or(pHMOm19%bcaj(JoBD%5pj^1*6_&r1;&M4$*1fg(^?1Az$_ z`b(%3_}GO42UQBZ1^nYOfqy6yXl;koj(bM7?*YFnZA1*sxCZ<{;m@($15O&6@j>}~ zaQV08k9O_eb&c%CG~38-dR+*ueFC@-{Gy@#WN1bT;3Hv^3J7>#$z}im002ovPDHLk FV1fu{^}hfB literal 0 HcmV?d00001