Closed smccutchen closed 2 years ago
Is there a workaround for this, short of editing the file manually?
Not yet.
My trial Azure government tenant has expired. Would you be able to test out https://github.com/tpitale/mail_room/pull/140?
I can confirm that it's fully functional once I manually modify the "connection.rb" file to use the correct endpoint URLs for GCC High - in my case it's "graph.microsoft.us" and "login.microsoftonline.us".
Commit #140 looks great (exactly what we'd want) but I'm not sure how to test it within the context of GitLab (I suspect they'd need to do some changes on their end to also support this, since I pass my tenant id + client id through the gitlab.rb config file).
Either way, great work!
Yeah, you'd need to replace connection.rb with that file and then manually edit /opt/gitlab/embedded/service/gitlab-rails/config/mail_room.yml with those options.
I'll see if I can get Microsoft to reactivate my Microsoft Government Cloud account in the interim.
@smccutchen GitLab 14.9 shipped with the updated MailRoom that has the graph_endpoint and azure_ad_endpoint config options. Would you mind testing whether the documentation in https://gitlab.com/gitlab-org/gitlab/-/merge_requests/83242/diffs is correct?
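As an added illustration (not mail_room's own code) of what the graph_endpoint and azure_ad_endpoint options give you, the Ruby helper below builds the token URL, scope and Graph base URL from those options instead of hard-coded ".com" hosts, and refuses a mismatched cloud pair up front, which is the condition that surfaces as the AADSTS900382 "Cross Cloud request" error in the issue. The CLOUDS table and all names are assumptions for this example.

```ruby
require 'uri'

# Hypothetical helper, not mail_room's own code: derives the OAuth2 token URL and
# the Graph base URL from the mailbox options instead of hard-coding the public
# ".com" hosts, and rejects a mismatched pair before any token request is made.
module GraphEndpoints
  # Defaults are the public (global) cloud the original connection.rb assumed.
  DEFAULT_AZURE_AD = 'https://login.microsoftonline.com'.freeze
  DEFAULT_GRAPH    = 'https://graph.microsoft.com'.freeze

  # Login authority => Graph hosts it issues tokens for. Assumed table built from
  # the two clouds named in this thread; extend it for other national clouds.
  CLOUDS = {
    'login.microsoftonline.com' => %w[graph.microsoft.com],
    'login.microsoftonline.us'  => %w[graph.microsoft.us]
  }.freeze

  # opts mirrors the mail_room.yml inbox options: :tenant_id plus the optional
  # :azure_ad_endpoint and :graph_endpoint keys added in the fix.
  def self.resolve(opts)
    ad    = parse(opts.fetch(:azure_ad_endpoint, DEFAULT_AZURE_AD))
    graph = parse(opts.fetch(:graph_endpoint, DEFAULT_GRAPH))

    allowed = CLOUDS[ad.host]
    raise ArgumentError, "unknown Azure AD endpoint #{ad.host}" if allowed.nil?
    unless allowed.include?(graph.host)
      # Mixing clouds is what surfaces as AADSTS900382 "Cross Cloud request".
      raise ArgumentError, "cross-cloud pair: #{ad.host} cannot issue tokens for #{graph.host}"
    end

    tenant = opts.fetch(:tenant_id)
    ad_base    = ad.to_s.chomp('/')
    graph_base = graph.to_s.chomp('/')
    {
      token_url:  "#{ad_base}/#{tenant}/oauth2/v2.0/token",
      scope:      "#{graph_base}/.default", # scope must name the same Graph host
      graph_base: "#{graph_base}/v1.0"
    }
  end

  # Only https endpoints are accepted: the client secret travels in the token request.
  def self.parse(value)
    uri = URI(value.to_s)
    raise ArgumentError, "endpoint must be https: #{value}" unless uri.is_a?(URI::HTTPS)
    uri
  end
  private_class_method :parse
end
```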
I can confirm the config options available in 14.9 are working as expected.
Thanks for the fast effort!
Hey there. I'm trying to get GitLab incoming email working via Microsoft Graph, where my Azure tenant is in the government "GCC High" cloud.
The main difference between Azure government versus public clouds would be the primary endpoint URL. Instead of say, "graph.microsoft.com", government cloud tenants use "graph.microsoft.us".
When incoming email is configured to use the Microsoft Graph API according to the GitLab documentation, the following error is produced in my MailRoom log file:
2022-03-14_16:57:49.22500 {"error":"invalid_request","error_description":"AADSTS900382: Confidential Client is not supported in Cross Cloud request.\\r\\nTrace ID: 04b0bb87-9cc0-4f9a-aae0-5fd8d63bd400\\r\\nCorrelation ID: 30fd63f4-8330-4ba5-8ae6-0190d56fd637\\r\\nTimestamp: 2022-03-14 16:57:49Z","error_codes":[900382],"timestamp":"2022-03-14 16:57:49Z","trace_id":"04b0bb87-9cc0-4f9a-aae0-5fd8d63bd400","correlation_id":"30fd63f4-8330-4ba5-8ae6-0190d56fd637"}
2022-03-14_16:57:49.22501 from /opt/gitlab/embedded/lib/ruby/gems/2.7.0/gems/oauth2-1.4.7/lib/oauth2/client.rb:164:in `get_token'
2022-03-14_16:57:49.22502 from /opt/gitlab/embedded/lib/ruby/gems/2.7.0/gems/oauth2-1.4.7/lib/oauth2/strategy/client_credentials.rb:20:in `get_token'
2022-03-14_16:57:49.22502 from /opt/gitlab/embedded/lib/ruby/gems/2.7.0/gems/gitlab-mail_room-0.0.19/lib/mail_room/microsoft_graph/connection.rb:79:in `setup'
2022-03-14_16:57:49.22502 from /opt/gitlab/embedded/lib/ruby/gems/2.7.0/gems/gitlab-mail_room-0.0.19/lib/mail_room/microsoft_graph/connection.rb:21:in `initialize'
2022-03-14_16:57:49.22502 from /opt/gitlab/embedded/lib/ruby/gems/2.7.0/gems/gitlab-mail_room-0.0.19/lib/mail_room/mailbox_watcher.rb:69:in `new'
2022-03-14_16:57:49.22502 from /opt/gitlab/embedded/lib/ruby/gems/2.7.0/gems/gitlab-mail_room-0.0.19/lib/mail_room/mailbox_watcher.rb:69:in `connection'
2022-03-14_16:57:49.22502 from /opt/gitlab/embedded/lib/ruby/gems/2.7.0/gems/gitlab-mail_room-0.0.19/lib/mail_room/mailbox_watcher.rb:31:in `run'
2022-03-14_16:57:49.22503 from /opt/gitlab/embedded/lib/ruby/gems/2.7.0/gems/gitlab-mail_room-0.0.19/lib/mail_room/coordinator.rb:22:in `each'
2022-03-14_16:57:49.22503 from /opt/gitlab/embedded/lib/ruby/gems/2.7.0/gems/gitlab-mail_room-0.0.19/lib/mail_room/coordinator.rb:22:in `run'
2022-03-14_16:57:49.22504 from /opt/gitlab/embedded/lib/ruby/gems/2.7.0/gems/gitlab-mail_room-0.0.19/lib/mail_room/cli.rb:58:in `start'
2022-03-14_16:57:49.22504 from /opt/gitlab/embedded/lib/ruby/gems/2.7.0/gems/gitlab-mail_room-0.0.19/bin/mail_room:5:in `<top (required)>'
2022-03-14_16:57:49.22504 from /opt/gitlab/embedded/bin/mail_room:23:in `load'
2022-03-14_16:57:49.22504 from /opt/gitlab/embedded/bin/mail_room:23:in
Specifically, if you go look at this file @ /opt/gitlab/embedded/lib/ruby/gems/2.7.0/gems/gitlab-mail_room-0.0.19/lib/mail_room/microsoft_graph/connection.rb you'll see that the microsoft graph URLs have been hard-coded to search the public ".com" tenant, and there is no available override to support Azure government tenants (or any other region, for that matter).
Is there a workaround for this, short of editing the file manually?