feat: add gitlab provider templates (#5405)

* feat(api): add google provider template

* refactor reduce functions

* handle removed event

* linting

* fix projection

* feat(api): add generic oauth provider template

* feat(api): add github provider templates

* feat(api): add github provider templates

* fixes

* proto comment

* fix filtering

* requested changes

* feat(api): add generic oauth provider template

* remove wrongly committed message

* increase budget for angular build

* fix linting

* fixes

* fix merge

* fix merge

* fix projection

* fix merge

* updates from previous PRs

* enable github providers in login

* fix merge

* fix test and add github styling in login

* cleanup

* feat(api): add gitlab provider templates

* fix: merge

* fix display of providers in login

* implement gitlab in login and make prompt `select_account` optional since gitlab can't handle it

* fix merge

* fix merge and add tests for command side

* requested changes

* requested changes

* Update internal/query/idp_template.go

Co-authored-by: Silvan <silvan.reusser@gmail.com>

* fix merge

* requested changes

---------

Co-authored-by: Silvan <silvan.reusser@gmail.com>

proto/zitadel/admin.proto

@@ -1368,6 +1368,54 @@ service AdminService {
         };
     }
 
+    // Add a new GitLab identity provider on the instance
+    rpc AddGitLabProvider(AddGitLabProviderRequest) returns (AddGitLabProviderResponse) {
+        option (google.api.http) = {
+            post: "/idps/gitlab"
+            body: "*"
+        };
+
+        option (zitadel.v1.auth_option) = {
+            permission: "iam.idp.write"
+        };
+    }
+
+    // Change an existing GitLab identity provider on the instance
+    rpc UpdateGitLabProvider(UpdateGitLabProviderRequest) returns (UpdateGitLabProviderResponse) {
+        option (google.api.http) = {
+            post: "/idps/gitlab/{id}"
+            body: "*"
+        };
+
+        option (zitadel.v1.auth_option) = {
+            permission: "iam.idp.write"
+        };
+    }
+
+    // Add a new self hosted GitLab identity provider on the instance
+    rpc AddGitLabSelfHostedProvider(AddGitLabSelfHostedProviderRequest) returns (AddGitLabSelfHostedProviderResponse) {
+        option (google.api.http) = {
+            post: "/idps/gitlab_self_hosted"
+            body: "*"
+        };
+
+        option (zitadel.v1.auth_option) = {
+            permission: "iam.idp.write"
+        };
+    }
+
+    // Change an existing self hosted GitLab identity provider on the instance
+    rpc UpdateGitLabSelfHostedProvider(UpdateGitLabSelfHostedProviderRequest) returns (UpdateGitLabSelfHostedProviderResponse) {
+        option (google.api.http) = {
+            post: "/idps/gitlab_self_hosted/{id}"
+            body: "*"
+        };
+
+        option (zitadel.v1.auth_option) = {
+            permission: "iam.idp.write"
+        };
+    }
+
     // Add a new Google identity provider on the instance
     rpc AddGoogleProvider(AddGoogleProviderRequest) returns (AddGoogleProviderResponse) {
         option (google.api.http) = {
@@ -4538,6 +4586,63 @@ message UpdateGitHubEnterpriseServerProviderResponse {
     zitadel.v1.ObjectDetails details = 1;
 }
 
+message AddGitLabProviderRequest {
+    // GitLab will be used as default, if no name is provided
+    string name = 1 [(validate.rules).string = {max_len: 200}];
+    string client_id = 2 [(validate.rules).string = {min_len: 1, max_len: 200}];
+    string client_secret = 3 [(validate.rules).string = {min_len: 1, max_len: 200}];
+    repeated string scopes = 4 [(validate.rules).repeated = {max_items: 20, items: {string: {min_len: 1, max_len: 100}}}];
+    zitadel.idp.v1.Options provider_options = 5;
+}
+
+message AddGitLabProviderResponse {
+    zitadel.v1.ObjectDetails details = 1;
+    string id = 2;
+}
+
+message UpdateGitLabProviderRequest {
+    string id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];
+    string name = 2 [(validate.rules).string = {max_len: 200}];
+    string client_id = 3 [(validate.rules).string = {min_len: 1, max_len: 200}];
+    // client_secret will only be updated if provided
+    string client_secret = 4 [(validate.rules).string = {max_len: 200}];
+    repeated string scopes = 5 [(validate.rules).repeated = {max_items: 20, items: {string: {min_len: 1, max_len: 100}}}];
+    zitadel.idp.v1.Options provider_options = 6;
+}
+
+message UpdateGitLabProviderResponse {
+    zitadel.v1.ObjectDetails details = 1;
+}
+
+message AddGitLabSelfHostedProviderRequest {
+    string issuer = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];
+    string name = 2 [(validate.rules).string = {min_len: 1, max_len: 200}];
+    string client_id = 3 [(validate.rules).string = {min_len: 1, max_len: 200}];
+    string client_secret = 4 [(validate.rules).string = {min_len: 1, max_len: 200}];
+    repeated string scopes = 5 [(validate.rules).repeated = {max_items: 20, items: {string: {min_len: 1, max_len: 100}}}];
+    zitadel.idp.v1.Options provider_options = 6;
+}
+
+message AddGitLabSelfHostedProviderResponse {
+    zitadel.v1.ObjectDetails details = 1;
+    string id = 2;
+}
+
+message UpdateGitLabSelfHostedProviderRequest {
+    string id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];
+    string issuer = 2 [(validate.rules).string = {min_len: 1, max_len: 200}];
+    string name = 3 [(validate.rules).string = {min_len: 1, max_len: 200}];
+    string client_id = 4 [(validate.rules).string = {min_len: 1, max_len: 200}];
+    // client_secret will only be updated if provided
+    string client_secret = 5 [(validate.rules).string = {max_len: 200}];
+    repeated string scopes = 6 [(validate.rules).repeated = {max_items: 20, items: {string: {min_len: 1, max_len: 100}}}];
+    zitadel.idp.v1.Options provider_options = 7;
+}
+
+message UpdateGitLabSelfHostedProviderResponse {
+    zitadel.v1.ObjectDetails details = 1;
+}
+
 message AddGoogleProviderRequest {
     // Google will be used as default, if no name is provided
     string name = 1 [(validate.rules).string = {max_len: 200}];

proto/zitadel/idp.proto

@@ -269,6 +269,8 @@ message ProviderConfig {
         JWTConfig jwt = 6;
         GitHubConfig github = 7;
         GitHubEnterpriseServerConfig github_es = 8;
+        GitLabConfig gitlab = 9;
+        GitLabSelfHostedConfig gitlab_self_hosted = 10;
     }
 }
 message OAuthConfig {
@@ -304,6 +306,17 @@ message GoogleConfig {
     repeated string scopes = 2;
 }
 
+message GitLabConfig {
+    string client_id = 1;
+    repeated string scopes = 2;
+}
+
+message GitLabSelfHostedConfig {
+    string issuer = 1;
+    string client_id = 2;
+    repeated string scopes = 3;
+}
+
 message LDAPConfig {
     string host = 1;
     string port = 2;

proto/zitadel/management.proto

@@ -6584,6 +6584,54 @@ service ManagementService {
         };
     }
 
+    // Add a new GitLab identity provider in the organization
+    rpc AddGitLabProvider(AddGitLabProviderRequest) returns (AddGitLabProviderResponse) {
+        option (google.api.http) = {
+            post: "/idps/gitlab"
+            body: "*"
+        };
+
+        option (zitadel.v1.auth_option) = {
+            permission: "org.idp.write"
+        };
+    }
+
+    // Change an existing GitLab identity provider in the organization
+    rpc UpdateGitLabProvider(UpdateGitLabProviderRequest) returns (UpdateGitLabProviderResponse) {
+        option (google.api.http) = {
+            put: "/idps/gitlab/{id}"
+            body: "*"
+        };
+
+        option (zitadel.v1.auth_option) = {
+            permission: "org.idp.write"
+        };
+    }
+
+    // Add a new self hosted GitLab identity provider in the organization
+    rpc AddGitLabSelfHostedProvider(AddGitLabSelfHostedProviderRequest) returns (AddGitLabSelfHostedProviderResponse) {
+        option (google.api.http) = {
+            post: "/idps/gitlab_self_hosted"
+            body: "*"
+        };
+
+        option (zitadel.v1.auth_option) = {
+            permission: "org.idp.write"
+        };
+    }
+
+    // Change an existing self hosted GitLab identity provider in the organization
+    rpc UpdateGitLabSelfHostedProvider(UpdateGitLabSelfHostedProviderRequest) returns (UpdateGitLabSelfHostedProviderResponse) {
+        option (google.api.http) = {
+            put: "/idps/gitlab_self_hosted/{id}"
+            body: "*"
+        };
+
+        option (zitadel.v1.auth_option) = {
+            permission: "org.idp.write"
+        };
+    }
+
     // Add a new Google identity provider in the organization
     rpc AddGoogleProvider(AddGoogleProviderRequest) returns (AddGoogleProviderResponse) {
         option (google.api.http) = {
@@ -11212,6 +11260,63 @@ message UpdateGitHubEnterpriseServerProviderResponse {
     zitadel.v1.ObjectDetails details = 1;
 }
 
+message AddGitLabProviderRequest {
+    // GitLab will be used as default, if no name is provided
+    string name = 1 [(validate.rules).string = {max_len: 200}];
+    string client_id = 2 [(validate.rules).string = {min_len: 1, max_len: 200}];
+    string client_secret = 3 [(validate.rules).string = {min_len: 1, max_len: 200}];
+    repeated string scopes = 4 [(validate.rules).repeated = {max_items: 20, items: {string: {min_len: 1, max_len: 100}}}];
+    zitadel.idp.v1.Options provider_options = 5;
+}
+
+message AddGitLabProviderResponse {
+    zitadel.v1.ObjectDetails details = 1;
+    string id = 2;
+}
+
+message UpdateGitLabProviderRequest {
+    string id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];
+    string name = 2 [(validate.rules).string = {max_len: 200}];
+    string client_id = 3 [(validate.rules).string = {min_len: 1, max_len: 200}];
+    // client_secret will only be updated if provided
+    string client_secret = 4 [(validate.rules).string = {max_len: 200}];
+    repeated string scopes = 5 [(validate.rules).repeated = {max_items: 20, items: {string: {min_len: 1, max_len: 100}}}];
+    zitadel.idp.v1.Options provider_options = 6;
+}
+
+message UpdateGitLabProviderResponse {
+    zitadel.v1.ObjectDetails details = 1;
+}
+
+message AddGitLabSelfHostedProviderRequest {
+    string issuer = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];
+    string name = 2 [(validate.rules).string = {min_len: 1, max_len: 200}];
+    string client_id = 3 [(validate.rules).string = {min_len: 1, max_len: 200}];
+    string client_secret = 4 [(validate.rules).string = {min_len: 1, max_len: 200}];
+    repeated string scopes = 5 [(validate.rules).repeated = {max_items: 20, items: {string: {min_len: 1, max_len: 100}}}];
+    zitadel.idp.v1.Options provider_options = 6;
+}
+
+message AddGitLabSelfHostedProviderResponse {
+    zitadel.v1.ObjectDetails details = 1;
+    string id = 2;
+}
+
+message UpdateGitLabSelfHostedProviderRequest {
+    string id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];
+    string issuer = 2 [(validate.rules).string = {min_len: 1, max_len: 200}];
+    string name = 3 [(validate.rules).string = {min_len: 1, max_len: 200}];
+    string client_id = 4 [(validate.rules).string = {min_len: 1, max_len: 200}];
+    // client_secret will only be updated if provided
+    string client_secret = 5 [(validate.rules).string = {max_len: 200}];
+    repeated string scopes = 6 [(validate.rules).repeated = {max_items: 20, items: {string: {min_len: 1, max_len: 100}}}];
+    zitadel.idp.v1.Options provider_options = 7;
+}
+
+message UpdateGitLabSelfHostedProviderResponse {
+    zitadel.v1.ObjectDetails details = 1;
+}
+
 message AddGoogleProviderRequest {
     // Google will be used as default, if no name is provided
     string name = 1 [(validate.rules).string = {max_len: 200}];