1 change: 1 addition & 0 deletions CHANGELOG.md
Expand Up @@ -14,6 +14,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0

### Changed
- Anthropic thinking mode (adaptive vs. extended) is now resolved from the model's capabilities via the Anthropic Models API instead of a hardcoded model list. [#1294](https://github.com/sourcebot-dev/sourcebot/pull/1294)
- [**Breaking Change**] [EE] Removed support for configuring the GitHub, GitLab, Google, Okta, Keycloak, and Microsoft Entra ID identity providers via the deprecated `AUTH_EE_*` environment variables. Configure these providers through the `identityProviders` section of the config file instead. GCP IAP (`AUTH_EE_GCP_IAP_ENABLED` / `AUTH_EE_GCP_IAP_AUDIENCE`) is unaffected. [#1297](https://github.com/sourcebot-dev/sourcebot/pull/1297)

### Fixed
- Upgraded `protobufjs` to `^7.6.2`. [#1281](https://github.com/sourcebot-dev/sourcebot/pull/1281)
36 changes: 2 additions & 34 deletions packages/backend/src/ee/tokenRefresh.ts
Expand Up @@ -155,19 +155,9 @@ const refreshOAuthToken = async (
const identityProviders = config?.identityProviders ?? [];
const providerConfigs = identityProviders.filter(idp => idp.provider === provider);

// If no provider configs in the config file, try deprecated env vars.
// No provider configs in the config file — nothing to refresh against.
if (providerConfigs.length === 0) {
const envCredentials = getDeprecatedEnvCredentials(provider);
if (envCredentials) {
logger.debug(`Using deprecated env vars for ${provider} token refresh`);
const result = await tryRefreshToken(provider, refreshToken, envCredentials);
if (result) {
return result;
}
logger.error(`Failed to refresh ${provider} token using deprecated env credentials`);
return null;
}
logger.error(`No provider config or env credentials found for: ${provider}`);
logger.error(`No provider config found for: ${provider}`);
return null;
}

Expand Down Expand Up @@ -291,26 +281,4 @@ const tryRefreshToken = async (
}

return result.data;
}

/**
* Get credentials from deprecated environment variables.
* This is for backwards compatibility with deployments using env vars instead of config file.
*/
const getDeprecatedEnvCredentials = (provider: string): ProviderCredentials | null => {
if (provider === 'github' && env.AUTH_EE_GITHUB_CLIENT_ID && env.AUTH_EE_GITHUB_CLIENT_SECRET) {
return {
clientId: env.AUTH_EE_GITHUB_CLIENT_ID,
clientSecret: env.AUTH_EE_GITHUB_CLIENT_SECRET,
baseUrl: env.AUTH_EE_GITHUB_BASE_URL,
};
}
if (provider === 'gitlab' && env.AUTH_EE_GITLAB_CLIENT_ID && env.AUTH_EE_GITLAB_CLIENT_SECRET) {
return {
clientId: env.AUTH_EE_GITLAB_CLIENT_ID,
clientSecret: env.AUTH_EE_GITLAB_CLIENT_SECRET,
baseUrl: env.AUTH_EE_GITLAB_BASE_URL,
};
}
return null;
}
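Review bot: In the `providerConfigs.length === 0` branch, the new message `No provider config found for: ${provider}` reads the same for a provider that was never configured and for a deployment that still sets only the removed `AUTH_EE_*` variables, so a skipped migration surfaces only as token-refresh failures at runtime. Because this is a breaking change to identity-provider configuration, I would name the cause in the log text, for example `No identityProviders entry for ${provider}; the AUTH_EE_* env vars are no longer read`. How callers treat the `null` return is not visible here, so it is worth confirming that an account whose token can no longer be refreshed loses access rather than continuing on a stale token. The body of refreshOAuthToken starts and ends outside the hunk.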
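--- a/packages/shared/src/env.server.ts
+++ b/packages/shared/src/env.server.ts
@@ -385,94 +385,6 @@ const options = {
 * ignored.
 */
 SOURCEBOT_TELEMETRY_PII_COLLECTION_ENABLED: booleanSchema.default('false'),
-
-//// DEPRECATED ////
-
-/**
-* @deprecated This setting is deprecated. Please use the `identityProviders` section of the config file instead.
-*/
-AUTH_EE_GITHUB_CLIENT_ID: z.string().optional(),
-
-/**
-* @deprecated This setting is deprecated. Please use the `identityProviders` section of the config file instead.
-*/
-AUTH_EE_GITHUB_CLIENT_SECRET: z.string().optional(),
-
-/**
-* @deprecated This setting is deprecated. Please use the `identityProviders` section of the config file instead.
-*/
-AUTH_EE_GITHUB_BASE_URL: z.string().optional(),
-
-/**
-* @deprecated This setting is deprecated. Please use the `identityProviders` section of the config file instead.
-*/
-AUTH_EE_GITLAB_CLIENT_ID: z.string().optional(),
-
-/**
-* @deprecated This setting is deprecated. Please use the `identityProviders` section of the config file instead.
-*/
-AUTH_EE_GITLAB_CLIENT_SECRET: z.string().optional(),
-
-/**
-* @deprecated This setting is deprecated. Please use the `identityProviders` section of the config file instead.
-*/
-AUTH_EE_GITLAB_BASE_URL: z.string().default("https://gitlab.com"),
-
-/**
-* @deprecated This setting is deprecated. Please use the `identityProviders` section of the config file instead.
-*/
-AUTH_EE_GOOGLE_CLIENT_ID: z.string().optional(),
-
-/**
-* @deprecated This setting is deprecated. Please use the `identityProviders` section of the config file instead.
-*/
-AUTH_EE_GOOGLE_CLIENT_SECRET: z.string().optional(),
-
-/**
-* @deprecated This setting is deprecated. Please use the `identityProviders` section of the config file instead.
-*/
-AUTH_EE_OKTA_CLIENT_ID: z.string().optional(),
-
-/**
-* @deprecated This setting is deprecated. Please use the `identityProviders` section of the config file instead.
-*/
-AUTH_EE_OKTA_CLIENT_SECRET: z.string().optional(),
-
-/**
-* @deprecated This setting is deprecated. Please use the `identityProviders` section of the config file instead.
-*/
-AUTH_EE_OKTA_ISSUER: z.string().optional(),
-
-/**
-* @deprecated This setting is deprecated. Please use the `identityProviders` section of the config file instead.
-*/
-AUTH_EE_KEYCLOAK_CLIENT_ID: z.string().optional(),
-
-/**
-* @deprecated This setting is deprecated. Please use the `identityProviders` section of the config file instead.
-*/
-AUTH_EE_KEYCLOAK_CLIENT_SECRET: z.string().optional(),
-
-/**
-* @deprecated This setting is deprecated. Please use the `identityProviders` section of the config file instead.
-*/
-AUTH_EE_KEYCLOAK_ISSUER: z.string().optional(),
-
-/**
-* @deprecated This setting is deprecated. Please use the `identityProviders` section of the config file instead.
-*/
-AUTH_EE_MICROSOFT_ENTRA_ID_CLIENT_ID: z.string().optional(),
-
-/**
-* @deprecated
-* This setting is deprecated. Please use the `identityProviders` section of the config file instead.
-*/
-AUTH_EE_MICROSOFT_ENTRA_ID_CLIENT_SECRET: z.string().optional(),
-
-/**
-* @deprecated This setting is deprecated. Please use the `identityProviders` section of the config file instead.
-*/
-AUTH_EE_MICROSOFT_ENTRA_ID_ISSUER: z.string().optional(),
 },
 runtimeEnv,
 emptyStringAsUndefined: true,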
65 changes: 0 additions & 65 deletions packages/web/src/ee/features/sso/sso.ts
Expand Up @@ -160,72 +160,7 @@ export const getEEIdentityProviders = async (): Promise<IdentityProvider[]> => {
}
}

// @deprecate in favor of defining identity providers throught the identityProvider object in the config file. This was done to allow for more control over
// which identity providers are defined and their purpose. We've left this logic here to support backwards compat with deployments that expect these env vars,
// but this logic will be removed in the future
// We only go through this path if no identityProviders are defined in the config to prevent accidental duplication of providers
if (identityProviders.length == 0) {
if (env.AUTH_EE_GITHUB_CLIENT_ID && env.AUTH_EE_GITHUB_CLIENT_SECRET) {
const baseUrl = (env.AUTH_EE_GITHUB_BASE_URL ?? 'https://github.com').replace(/\/+$/, '');
providers.push({
provider: await createGitHubProvider(
env.AUTH_EE_GITHUB_CLIENT_ID,
env.AUTH_EE_GITHUB_CLIENT_SECRET,
baseUrl
),
purpose: "sso",
issuerUrl: baseUrl
});
}

if (env.AUTH_EE_GITLAB_CLIENT_ID && env.AUTH_EE_GITLAB_CLIENT_SECRET) {
const baseUrl = (env.AUTH_EE_GITLAB_BASE_URL ?? 'https://gitlab.com').replace(/\/+$/, '');
providers.push({
provider: await createGitLabProvider(
env.AUTH_EE_GITLAB_CLIENT_ID,
env.AUTH_EE_GITLAB_CLIENT_SECRET,
baseUrl,
),
purpose: "sso",
issuerUrl: baseUrl
});
}

if (env.AUTH_EE_GOOGLE_CLIENT_ID && env.AUTH_EE_GOOGLE_CLIENT_SECRET) {
providers.push({
provider: createGoogleProvider(env.AUTH_EE_GOOGLE_CLIENT_ID, env.AUTH_EE_GOOGLE_CLIENT_SECRET),
purpose: "sso",
issuerUrl: 'https://accounts.google.com'
});
}

if (env.AUTH_EE_OKTA_CLIENT_ID && env.AUTH_EE_OKTA_CLIENT_SECRET && env.AUTH_EE_OKTA_ISSUER) {
const issuer = env.AUTH_EE_OKTA_ISSUER.replace(/\/+$/, '');
providers.push({
provider: createOktaProvider(env.AUTH_EE_OKTA_CLIENT_ID, env.AUTH_EE_OKTA_CLIENT_SECRET, issuer),
purpose: "sso",
issuerUrl: issuer
});
}

if (env.AUTH_EE_KEYCLOAK_CLIENT_ID && env.AUTH_EE_KEYCLOAK_CLIENT_SECRET && env.AUTH_EE_KEYCLOAK_ISSUER) {
const issuer = env.AUTH_EE_KEYCLOAK_ISSUER.replace(/\/+$/, '');
providers.push({
provider: createKeycloakProvider(env.AUTH_EE_KEYCLOAK_CLIENT_ID, env.AUTH_EE_KEYCLOAK_CLIENT_SECRET, issuer),
purpose: "sso",
issuerUrl: issuer
});
}

if (env.AUTH_EE_MICROSOFT_ENTRA_ID_CLIENT_ID && env.AUTH_EE_MICROSOFT_ENTRA_ID_CLIENT_SECRET && env.AUTH_EE_MICROSOFT_ENTRA_ID_ISSUER) {
const issuer = env.AUTH_EE_MICROSOFT_ENTRA_ID_ISSUER.replace(/\/+$/, '');
providers.push({
provider: createMicrosoftEntraIDProvider(env.AUTH_EE_MICROSOFT_ENTRA_ID_CLIENT_ID, env.AUTH_EE_MICROSOFT_ENTRA_ID_CLIENT_SECRET, issuer),
purpose: "sso",
issuerUrl: issuer
});
}

if (env.AUTH_EE_GCP_IAP_ENABLED && env.AUTH_EE_GCP_IAP_AUDIENCE) {
providers.push({
provider: createGCPIAPProvider(env.AUTH_EE_GCP_IAP_AUDIENCE),