Skip to content

Enhanced membership management and proxy support#12

Open
wadahiro wants to merge 11 commits intoEvolveum:masterfrom
openstandia:improvement
Open

Enhanced membership management and proxy support#12
wadahiro wants to merge 11 commits intoEvolveum:masterfrom
openstandia:improvement

Conversation

@wadahiro
Copy link
Copy Markdown
Contributor

@wadahiro wadahiro commented Aug 22, 2025

Summary

  • Enhanced group and project membership management
  • Added HTTP proxy and timeout configuration support
  • Improved error handling and code structure
  • Updated GitLab access levels to align with current API

Changes

Features

  • Group/Project Membership Management: Performance-optimized reimplementation of user membership management for GitLab groups and projects
  • HTTP Proxy Support: Added configuration options for HTTP proxy and connection timeouts
  • Groups/Projects Attributes: Added consolidated group/project attributes with configurable default access levels and support for id#accessLevel format to specify custom access levels
  • Regex Support: Added new configuration attributes for regex pattern matching alongside existing groupsToManage configuration

Improvements

  • Error Handling: Improved error handling for membership operations with better logging and recovery
  • Code Refactoring: Major refactoring of processing classes to reduce code duplication and improve maintainability
  • Access Levels: Updated to use current GitLab access levels (removed deprecated master role, now using maintainer, added planner role)

Bug Fixes

  • Removed inappropriate StringEscapeUtils.unescapeXml usage that was causing issues with special characters

Breaking Changes

  • The master access level has been replaced with maintainer to align with current GitLab terminology
  • Changed groupsToManage configuration from comma-separated string to String[] array type
  • Group/project membership associations in midPoint require different configuration - see sample configurations below for details

Sample MidPoint Configuration

Important: Unlike previous versions, we must now use subjectToObject direction for associations.

Group/Project Membership Association Example

<attribute>
    <c:ref>ri:groups_as_developer</c:ref>
    <fetchStrategy>explicit</fetchStrategy>
</attribute>
            
<association>
    <c:ref>ri:group-developer</c:ref>
    <displayName>Developer membership for group</displayName>
    <tolerant>false</tolerant>
    <kind>entitlement</kind>
    <intent>group</intent>
    <direction>subjectToObject</direction>
    <associationAttribute>ri:groups_as_developer</associationAttribute>
    <valueAttribute>icfs:uid</valueAttribute>
</association>

Note: We need to add <fetchStrategy>explicit</fetchStrategy> to the attribute configuration for proper operation. By default, membership data is not fetched for performance reasons, so explicit fetching is required to retrieve membership information.

The following attributes are available for different access levels:

For Groups:

  • ri:groups_as_guest - Guest access (10)
  • ri:groups_as_planner - Planner access (15)
  • ri:groups_as_reporter - Reporter access (20)
  • ri:groups_as_developer - Developer access (30)
  • ri:groups_as_maintainer - Maintainer access (40)
  • ri:groups_as_owner - Owner access (50)

For Projects:

  • ri:projects_as_guest - Guest access (10)
  • ri:projects_as_planner - Planner access (15)
  • ri:projects_as_reporter - Reporter access (20)
  • ri:projects_as_developer - Developer access (30)
  • ri:projects_as_maintainer - Maintainer access (40)
  • ri:projects_as_owner - Owner access (50)

Consolidated Groups/Projects Membership Association Example

For simpler use cases, we can use consolidated attributes where the access level is determined by the defaultAccessLevel configuration.
This is ideal when we want midPoint to control membership (add/remove users) while allowing GitLab administrators to manage access levels directly in GitLab:

<attribute>
    <c:ref>ri:groups</c:ref>
    <fetchStrategy>explicit</fetchStrategy>
</attribute>

<association>
    <c:ref>ri:group</c:ref>
    <displayName>Group membership (default access level)</displayName>
    <tolerant>false</tolerant>
    <kind>entitlement</kind>
    <intent>group</intent>
    <direction>subjectToObject</direction>
    <associationAttribute>ri:groups</associationAttribute>
    <valueAttribute>icfs:uid</valueAttribute>
</association>


<attribute>
    <c:ref>ri:projects</c:ref>
    <fetchStrategy>explicit</fetchStrategy>
</attribute>

<association>
    <c:ref>ri:project</c:ref>
    <displayName>Project membership (default access level)</displayName>
    <tolerant>false</tolerant>
    <kind>entitlement</kind>
    <intent>project</intent>
    <direction>subjectToObject</direction>
    <associationAttribute>ri:projects</associationAttribute>
    <valueAttribute>icfs:uid</valueAttribute>
</association>

Note: When using ri:groups or ri:projects, members are added with the access level specified in the connector's defaultAccessLevel configuration.
After initial provisioning, access levels can be managed directly in GitLab while midPoint continues to control membership.

wadahiro added 11 commits August 22, 2025 10:18
@wadahiro
Add HTTP proxy and timeout configuration support
7632d35 
- Add HTTP proxy settings with authentication support
- Add configurable HTTP timeouts (connect, socket, connection request)
- Implement PoolableConnector interface
- Limit HTTP connection pool size to avoid redundant pooling
- Remove unused getMemberOf method from UserProcessing
- Fix typo and format
@wadahiro
Implement and improve group/project membership management
d8b3161 
- Add performance improvements for membership operations
- Fix membership processing when creating users
- Fix HTTP connection leaks
- Handle "Member already exists" errors gracefully
- Remove unused code from membership processing
- Ensure proper cleanup and error handling throughout
@wadahiro
Add groups and projects attributes
931ab95
@wadahiro
Refactor code structure and documentation
f52fd65 
- General code refactoring for better maintainability
- Fix Javadoc comment positioning
@wadahiro
Add option for groups/projects id format
a401e63
@wadahiro
Update GitLab access levels and remove deprecated master role
ec5c37e 
- Add support for Planner (15) access level
- Replace deprecated Master role with Maintainer role
- Update access level maps to include all current GitLab levels:
  Guest (10), Planner (15), Reporter (20), Developer (30), Maintainer (40), Owner (50)
- Remove all references to deprecated master role attributes
- Update schema builders and processing logic for new access levels

Breaking change: Configurations using master role attributes must migrate to maintainer.
@wadahiro
Refactor groupsToManage configuration and add regex support
be69554 
- Changed groupsToManage from comma-delimited String to String[] for better type safety
- Added groupsToManageRegex field to support regex pattern matching
- Implemented Predicate-based matching system for performance optimization
  - Patterns are compiled once during validation, not at runtime
  - Combined literal and regex matching with OR logic
- All matching is case-insensitive by default (Pattern.CASE_INSENSITIVE flag)
- Backward compatible with existing configurations
- Updated Messages.properties with new field descriptions
@wadahiro
Improve error handling for membership operations
4d1840c 
- Ignore 404 errors when removing memberships (already removed case)
- Convert UnknownUidException to InvalidAttributeValueException for membership add/update operations
- This prevents Midpoint from incorrectly thinking the user doesn't exist when it's actually a group/project ID issue
@wadahiro
Remove inappropriate StringEscapeUtils.unescapeXml usage
cbadd52 
- Remove XML unescaping from ObjectProcessing.addAttr method
- Remove XML unescaping from UserProcessing SSH key processing
- Remove XML unescaping from UserProcessing identity string processing
- Remove unused StringEscapeUtils imports

The code was incorrectly applying XML entity unescaping to JSON data
from GitLab REST API responses, which could corrupt legitimate data.
@wadahiro
Clean up pom.xml dependencies
b757f03 
- Remove unnecessary dependencies
- Keep ConnId version at 1.5.0.0 (sufficient for current codebase, it works with midPoint 4.8/4.9)
@wadahiro
Restore the accidentally removed protected modifier
fb5c937
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@wadahiro