Merge pull request #25 from GitGuardian/ybensafia/sync-gitlab-users

Synchronization script for Gitlab

Author: GG-Yanne

README.md

@@ -6,10 +6,11 @@ Should you have any inquiries or need assistance, please don't hesitate to conta
 
 Below is a brief overview of the tools available in this repository:
 
-Tools | Description
------------- | -------------
-[api-migration](./api-migration) | Facilitates the migration of incident remediation progress across different environments, including SaaS ↔ Self-Hosted, Self-Hosted ↔ Self-Hosted, and SaaS ↔ SaaS.
-[new-arch-migration](./new-arch-migration) | Assists in transitioning from the legacy GitGuardian architecture to the new architecture for Self-Hosted environments.
-[helm-preflights](./helm-preflights) | Ensures GitGuardian requirements are met prior installation or upgrade via [Helm on existing clusters](https://docs.gitguardian.com/self-hosting/installation/installation-existing-helm) by conducting tests from both the local user and the Kubernetes cluster.
-[honeytoken-tools](./honeytoken-tools) | Script to disseminate honeytokens in your repositories via Pull Requests
-[team-mapping-github-gitguardian](./team-mapping-github-gitguardian) | An example script using the GitHub and GitGuardian APIs to map GitHub Teams and the repositories they own to GitGuardian Teams and their perimeters.
+| Tools                                                                | Description                                                                                                                                                                                                                                                        |
+| -------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
+| [api-migration](./api-migration)                                     | Facilitates the migration of incident remediation progress across different environments, including SaaS ↔ Self-Hosted, Self-Hosted ↔ Self-Hosted, and SaaS ↔ SaaS.                                                                                             |
+| [new-arch-migration](./new-arch-migration)                           | Assists in transitioning from the legacy GitGuardian architecture to the new architecture for Self-Hosted environments.                                                                                                                                            |
+| [helm-preflights](./helm-preflights)                                 | Ensures GitGuardian requirements are met prior installation or upgrade via [Helm on existing clusters](https://docs.gitguardian.com/self-hosting/installation/installation-existing-helm) by conducting tests from both the local user and the Kubernetes cluster. |
+| [honeytoken-tools](./honeytoken-tools)                               | Script to disseminate honeytokens in your repositories via Pull Requests                                                                                                                                                                                           |
+| [team-mapping-github-gitguardian](./team-mapping-github-gitguardian) | An example script using the GitHub and GitGuardian APIs to map GitHub Teams and the repositories they own to GitGuardian Teams and their perimeters.                                                                                                               |
+| [team-mapping-gitlab-gitguardian](./team-mapping-gitlab-gitguardian) | An example script using the Gitlab and GitGuardian APIs to map Gitlab Groups and the repositories they own to GitGuardian Teams and their perimeters.                                                                                                              |

team-mapping-gitlab-gitguardian/CHANGELOG.md

@@ -0,0 +1,10 @@
+# Changelog
+
+## 2025-01-02
+
+### Added
+
+- Support user and user team synchronization.
+- Support project and team sources synchronization.
+- Rely on python Logging and support logging level in the configuration.
+- Use py-gitguardian for calls made to the GitGuardian API.

team-mapping-gitlab-gitguardian/README.md

@@ -0,0 +1,65 @@
+# Team mapping: Gitlab to GitGuardian
+
+The included scripts provide an example of using the Gitlab and GitGuardian
+APIs to map Gitlab groups and the repositories they own to GitGuardian Teams and
+their perimeters.
+
+> [!CAUTION]
+> This is example code that can be used as a starting point for your own
+> solution. While we're happy to answer questions about it _it is not a
+> supported part of the product_.
+
+### Installation
+
+The easiest method of installation is to use Python virtual environment (venv):
+
+```
+unzip team-mapping-gitlab-gitguardian.zip
+cd team-mapping-gitlab-gitguardian
+python3 -mvenv .venv
+source .venv/bin/activate
+pip install -r requirements.txt
+```
+
+### Configuration
+
+Three environment variables must be set to configure the connection:
+
+- `GITLAB_URL` - The base URL for your Gitlab instance.
+- `GITLAB_ACCESS_TOKEN` - A Gitlab PAT with `read_api` and `read_user` permissions.
+- `GITGUARDIAN_API_KEY` - A GitGuardian API Service Account Token with `members:read`, `members:write`, `teams:read`, `teams:write`, `sources:read` and `sources:write` permissions.
+
+> [!TIP]
+> If a Personal Access Token is used, the user who owns the PAT will be added
+> to all teams when they're created. SATs are preferred for this reason.
+
+Optional environment variables:
+
+- `GITGUARDIAN_INSTANCE` - The URL of a self-hosted GitGuardian instance. Just the scheme and hostname: https://gitguardian.example.com
+- `SEND_EMAIL` - Defines whether we should send an email to users when sending invitations
+- `REMOVE_MEMBERS` - Defines whether we should delete users from teams if they are not in any Gitlab group
+- `EXCLUDE_ADMIN` - Defines whether we should exclude admin users from sync
+- `DEFAULT_INCIDENT_PERMISSION` - Defines the default incident permission level for team members, defaults to `can_edit`, it's value must be one of :
+  - `can_view` : For read permissions
+  - `can_edit` : For read and write permissions
+  - `full_access` : For manager permissions
+
+In order to ensure you have the correct configuration, you can run the following command to display the configuration:
+
+```
+python config.py
+```
+
+### Nested groups
+
+Teams in GitGuardian will be created based on the full path of the group of every user's group.
+
+This means that if a user is in `top-group / middle-group / bottom-group`, he will be added to the team `top-group / middle-group / bottom-group` in GitGuardian.
+
+### Invoking
+
+Upon invocation, the script will sync teams and their perimeters from Gitlab to GitGuardian. It can be invoked like this:
+
+```
+python sync_gitlab.py
+```

team-mapping-gitlab-gitguardian/config.py

@@ -0,0 +1,72 @@
+import logging
+import os
+
+from pygitguardian.client import GGClient
+from functools import cached_property
+from dataclasses import dataclass
+
+from pygitguardian.models import IncidentPermission
+
+
+@dataclass
+class Config:
+    gitlab_token: str
+    gitguardian_api_key: str
+    gitguardian_url: str
+
+    gitlab_url: str
+
+    send_email: bool
+    exclude_admin: bool
+    default_incident_permission: IncidentPermission = IncidentPermission.EDIT
+    logger_level: str = logging.INFO
+    remove_members: bool = False
+    pagination_size: int = 100
+
+    @classmethod
+    def from_env(cls):
+        incident_permission = cls.default_incident_permission
+        if incident_permission_env := os.environ.get("DEFAULT_INCIDENT_PERMISSION"):
+            incident_permission = IncidentPermission(incident_permission_env)
+
+        logger_level = logging._nameToLevel[
+            os.environ.get("LOG_LEVEL", logging._levelToName[cls.logger_level])
+        ]
+
+        return cls(
+            gitlab_token=os.environ["GITLAB_ACCESS_TOKEN"],
+            gitguardian_api_key=os.environ["GITGUARDIAN_API_KEY"],
+            gitlab_url=os.environ.get("GITLAB_URL", "https://gitlab.com"),
+            gitguardian_url=os.environ.get(
+                "GITGUARDIAN_INSTANCE", "https://api.gitguardian.com"
+            ),
+            send_email=os.environ.get("SEND_EMAIL", "True") == "True",
+            exclude_admin=os.environ.get("EXCLUDE_ADMIN", "True") == "True",
+            default_incident_permission=incident_permission,
+            logger_level=logger_level,
+        )
+
+    @cached_property
+    def client(self):
+        return GGClient(api_key=self.gitguardian_api_key, base_uri=self.gitguardian_url)
+
+    def __repr__(self):
+        return (
+            "Config("
+            f"send_email={self.send_email}, "
+            f"gitlab_url={self.gitlab_url}, "
+            f"gitlab_token={self.gitlab_token}, "
+            f"logger_level={logging._levelToName[self.logger_level]}, "
+            f"exclude_admin={self.exclude_admin}, "
+            f"remove_members={self.remove_members}, "
+            f"gitguardian_url={self.gitguardian_url}, "
+            f"gitguardian_api_key={self.gitguardian_api_key}, "
+            f"default_incident_permission={self.default_incident_permission}"
+            ")"
+        )
+
+
+CONFIG = Config.from_env()
+
+if __name__ == "__main__":
+    print(CONFIG)