maps-example.yaml
# User → Repo permission mapping rules
# Maintain your maps.yaml file, using the values from auth-providers.yaml and code-hosts.yaml,
# which are created by the --get command, under `src-auth-perms-sync-runs/<endpoint>/`
# Schema details:
# maps: list[map]
#   - name: string
#     users: map
#       authProvider: map
#         type: string
#         serviceID: string
#         clientID: string
#         displayName: string
#         configID: string
#         samlGroup: string
#       emails: list[string]           # exact verified email addresses
#       emailRegexes: list[string]     # Python regexes for verified email addresses
#       usernames: list[string]        # exact Sourcegraph usernames
#       usernameRegexes: list[string]  # Python regexes for Sourcegraph usernames
#     repos: map
#       codeHostConnection: map
#         displayName: string
#         kind: string
#         url: string
#         username: string
#       names: list[string]            # exact Sourcegraph repo names
#       nameRegexes: list[string]      # Python regexes for Sourcegraph repo names
# Filter scopes:
#   - Children of lists are ORed together (casting a wider net)
#   - Children of maps are ANDed together (casting a narrower net)
maps:
  # Widest net
  - name: All users get all repos
    users:
      usernameRegexes:
        - '.*'
    repos:
      nameRegexes:
        - '.*'
  # Wide net
  - name: All Okta SAML users get access to all Bitbucket repos
    users:
      authProvider:
        configID: okta
        type: saml
    repos:
      codeHostConnection:
        kind: BITBUCKETSERVER
  # Medium net
  - name: |
      Members of samlGroup LOB1-GROUP1, from any auth provider
      get any repos cloned using username LOB1-SA1, from any code host
    users:
      authProvider:
        samlGroup: LOB1-GROUP1
    repos:
      codeHostConnection:
        username: LOB1-SA1
  # Narrower net
  - name: |
      Members of samlGroup LOB1-GROUP1 from the okta saml provider
      get repos cloned from a specific Bitbucket code host connection
    users:
      authProvider:
        configID: okta
        samlGroup: LOB1-GROUP1
        type: saml
    repos:
      codeHostConnection:
        displayName: 'BITBUCKETSERVER #1'
        kind: BITBUCKETSERVER
        url: https://bitbucket.example.com/
        username: LOB1-SA1
  # Even narrower net
  - name: |
      Alice and Bob get access to bitbucket.example.com/example/private-repo,
      if they are members of LOB1-GROUP1 from okta saml
    users:
      authProvider:
        configID: okta
        samlGroup: LOB1-GROUP1
        type: saml
      emails:
        - alice@example.com
        - bob@example.com
    repos:
      codeHostConnection:
        displayName: Bitbucket
        kind: BITBUCKETSERVER
        url: https://bitbucket.example.com/
        username: LOB1-SA1
      names:
        - bitbucket.example.com/example/private-repo
  # Narrowest net
  - name: Alice gets private-repo repo, if all stars align
    users:
      authProvider:
        clientID: https://sourcegraph.example.com/.auth/saml/metadata
        configID: okta
        displayName: Okta
        samlGroup: LOB1-GROUP1
        serviceID: http://www.okta.com/example123
        type: saml
      emails:
        - alice@example.com
      emailRegexes:
        - '@example\.com$'
      usernames:
        - alice
      usernameRegexes:
        - '^alice$'
    repos:
      codeHostConnection:
        displayName: 'BITBUCKETSERVER #1'
        kind: BITBUCKETSERVER
        url: https://bitbucket.example.com/
        username: LOB1-SA1
      names:
        - bitbucket.example.com/example/private-repo
      nameRegexes:
        - '^bitbucket\.example\.com/example/private-repo$'
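As an added example, not part of this file or of the Sourcegraph tooling, the Python below evaluates one `maps` entry against a user and a repo record using the filter-scope semantics stated in the comments: map children are ANDed, list children are ORed, and the `*Regexes` keys are Python regexes tested with `re.search`. The shape of the user and repo records, the `LIST_KEYS` table and all sample values are assumptions; the rule is written in this file's schema but is constructed, not copied from the entries above.

```python
import re

# Filter key -> (subject attribute it tests, whether entries are Python regexes),
# per the schema comments in maps-example.yaml. Assumed record shapes.
LIST_KEYS = {
    "emails": ("emails", False), "emailRegexes": ("emails", True),
    "usernames": ("username", False), "usernameRegexes": ("username", True),
    "names": ("name", False), "nameRegexes": ("name", True),
}

def list_matches(patterns, values, is_regex):
    """List children are ORed: any pattern matching any subject value suffices."""
    if isinstance(values, str):
        values = [values]
    return any(re.search(p, v) if is_regex else p == v
               for p in patterns for v in values)

def filter_matches(filter_node, subject):
    """Map children are ANDed: every child of the filter must hold for the subject."""
    for key, expected in filter_node.items():
        if key in LIST_KEYS:
            attr, is_regex = LIST_KEYS[key]
            if not list_matches(expected, subject.get(attr, []), is_regex):
                return False
        elif isinstance(expected, dict):  # authProvider / codeHostConnection
            if not filter_matches(expected, subject.get(key, {})):
                return False
        elif subject.get(key) != expected:  # scalar child: exact match
            return False
    return True

def grants_access(rule, user, repo):
    """True if this one `maps` entry grants `user` access to `repo`."""
    return filter_matches(rule["users"], user) and filter_matches(rule["repos"], repo)

# Constructed sample data: RULE is what yaml.safe_load would yield for a map entry
# in this file's schema; the user and repo records are hypothetical.
RULE = {
    "users": {"authProvider": {"configID": "okta", "samlGroup": "LOB1-GROUP1", "type": "saml"},
              "emails": ["alice@example.com", "bob@example.com"]},
    "repos": {"codeHostConnection": {"kind": "BITBUCKETSERVER", "username": "LOB1-SA1"},
              "nameRegexes": [r"^bitbucket\.example\.com/example/private-repo$"]},
}
OKTA = {"configID": "okta", "samlGroup": "LOB1-GROUP1", "type": "saml"}
ALICE = {"username": "alice", "emails": ["alice@example.com"], "authProvider": OKTA}
CAROL = {"username": "carol", "emails": ["carol@example.com"], "authProvider": OKTA}
BBS = {"kind": "BITBUCKETSERVER", "username": "LOB1-SA1"}
PRIVATE_REPO = {"name": "bitbucket.example.com/example/private-repo", "codeHostConnection": BBS}
ARCHIVE_REPO = {"name": "bitbucket.example.com/example/private-repo-archive", "codeHostConnection": BBS}
```

The anchored `nameRegexes` entry is what keeps `ARCHIVE_REPO` out of scope: without `^` and `$`, a pattern like `private-repo` would also match every repo whose name merely contains that string, widening the grant beyond what the rule's name states.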