WIP: support for GitLab kerberos

palkerecsenyi · palkerecsenyi · commit cf12ab59b1a8 · 2025-10-31T11:31:21.000+01:00
diff --git a/Pipfile b/Pipfile
@@ -0,0 +1,32 @@
+[[source]]
+name = "pypi"
+url = "https://pypi.org/simple"
+verify_ssl = true
+
+[dev-packages]
+check-manifest = ">=0.25"
+
+[packages]
+invenio-app-rdm = {version = "~=14.0.0b1.dev3", extras = ["opensearch2"]}
+invenio-checks = ">=2.0.0,<3.0.0"
+invenio-collections = "==1.1.0" # see https://github.com/inveniosoftware/invenio-app-rdm/issues/3194
+invenio-vocabularies = {version=">=9.0.0,<10.0.0", extras = ["s3fs"]}
+invenio-preservation-sync = "==0.2.0"
+invenio-cern-sync = {git = "https://github.com/cerndocumentserver/invenio-cern-sync.git", ref = "v0.3.0"}
+cds-rdm = {editable=true, path="./site"}
+sentry-sdk = ">=1.45,<2.0.0"
+lxml = ">=4.6.5"
+ipython = "!=8.1.0"
+uwsgi = ">=2.0"
+uwsgitop = ">=0.11"
+uwsgi-tools = ">=1.1.1"
+flask-mail = ">=0.9.0,<0.10.0"
+invenio-preservation-sync = "==0.2.0"
+invenio-cern-sync = {git = "https://github.com/cerndocumentserver/invenio-cern-sync.git", ref = "v0.3.0"}
+invenio-vcs = ">=4.0.0,<5.0.0"
+
+[requires]
+python_version = "3.9"
+
+[pipenv]
+allow_prereleases = false
diff --git a/site/cds_rdm/errors.py b/site/cds_rdm/errors.py
@@ -29,7 +29,11 @@ def __init__(self, user_id: str) -> None:
 
 class GitLabIdentityNotFoundError(Exception):
     def __init__(self, user_id: str) -> None:
-        super().__init__(_(f"GitLab user {user_id} did not have CERN SSO identity"))
+        super().__init__(
+            _(
+                f"GitLab user {user_id} did not have CERN OpenID or Kerberos identity (LDAP-only accounts are not supported)"
+            )
+        )
 
 
 class KeycloakGitLabMismatchError(Exception):
diff --git a/site/cds_rdm/vcs/handlers.py b/site/cds_rdm/vcs/handlers.py
@@ -29,11 +29,16 @@ def inner(remote, resp, user_info, **kwargs):
         gl_identities = user_info["identities"]
         gl_extern_uid: str | None = None
         for identity in gl_identities:
-            if identity["provider"] != "openid_connect":
+            prov = identity["provider"]
+
+            if prov == "openid_connect":
+                gl_extern_uid = identity["extern_uid"]
+            elif prov == "kerberos":
+                # {'provider': 'kerberos', 'extern_uid': 'username@CERN.CH', 'saml_provider_id': None}
+                gl_extern_uid = identity["extern_uid"].removesuffix("@CERN.CH")
+            else:
                 continue
 
-            gl_extern_uid = identity["extern_uid"]
-
         if gl_extern_uid is None:
             raise GitLabIdentityNotFoundError(gl_user_id)
 
