{"id":29376509,"url":"https://github.com/twitter/gatekeeper-service","last_synced_at":"2025-07-09T22:43:18.654Z","repository":{"id":65659962,"uuid":"129774006","full_name":"twitter/gatekeeper-service","owner":"twitter","description":"GateKeeper is a service built to automate the manual steps involved in onboarding, offboarding, and lost asset scenarios.","archived":false,"fork":false,"pushed_at":"2023-02-19T21:23:35.000Z","size":107,"stargazers_count":36,"open_issues_count":3,"forks_count":20,"subscribers_count":12,"default_branch":"master","last_synced_at":"2024-05-09T19:35:18.585Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/twitter.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2018-04-16T16:31:11.000Z","updated_at":"2023-07-25T14:16:28.000Z","dependencies_parsed_at":"2023-02-18T01:01:04.917Z","dependency_job_id":null,"html_url":"https://github.com/twitter/gatekeeper-service","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/twitter/gatekeeper-service","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/twitter%2Fgatekeeper-service","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/twitter%2Fgatekeeper-service/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/twitter%2Fgatekeeper-service/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/twitter%2Fgatekeeper-service/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/
owners/twitter","download_url":"https://codeload.github.com/twitter/gatekeeper-service/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/twitter%2Fgatekeeper-service/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":264504616,"owners_count":23618831,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2025-07-09T22:43:17.927Z","updated_at":"2025-07-09T22:43:18.642Z","avatar_url":"https://github.com/twitter.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# GateKeeper\n\n[![status: unmaintained](https://opensource.twitter.dev/status/unmaintained.svg)](https://opensource.twitter.dev/status/#unmaintained)\n\nGateKeeper is a service built to automate the manual steps involved in onboarding, offboarding, or lost asset scenarios. The service will handle the flow of letting internal and external services know that a user needs to be activated, suspended, or deleted.\n\nThis project is built with Flask, Gevent, Gunicorn, and Jinja2 templating.  \n\n\n## Sections\n\n1. [Features](#features)\n2. [Prerequisites](#prerequisites)\n3. [Installation](#installation)\n4. [Configuration](#configuration)\n5. [Logs](#logging)\n6. [Support](#support)\n7. [Authors](#authors)\n8. [License](#license)\n9. [Security](#security)\n10. 
[To-Do](#to-do)\n\n\n## Features\n\n* **Services currently supported:**  \n  * LDAP\n  * Google Apps (Admin, Gmail, Calendar, Drive)\n  * PagerDuty\n  * DUO\n  \n* **Actions currently implemented:**\n  * LDAP\n    - Used to extract user information, and perform data validation against the GApps directory.\n  * Google Admin (Directory)\n    - Reset Google apps password \n    - Purge application specific passwords \n    - Purge 3rd party access tokens \n    - Invalidate backup (verification) codes \n    - Move a user to a custom Organizational Unit \n    - Restore a user back to the default \"/\" OU\n  * Google GMail\n    - Set Out Of Office message (with a configurable message)\n    - Disable IMAP email \n    - Disable POP email\n  * Google Calendar\n    - Change events ownership (with a configurable assignee) \n    - Delete future dated events (to free up resources like booked meeting rooms, equipment, etc)\n  * Google Drive\n    - Transfer ownership of files to another user (with regex filtered search)\n  * PagerDuty\n    - Remove from OnCall rotas\n  * DUO Admin\n    - Remove user from DUO\n  \n* **Deployment methods available:**\n  * Locally on MacOS/Linux (or a Virtual Machine)\n  * Docker container\n  * Mesos, via Aurora\n\n## Prerequisites\n\n1. Linux or MacOS  \nLinux is highly recommended for a production installation.  \nMacOS is also supported, but should only be used on local deployments, or for testing, due to performance and security concerns.  \nNote: If you are installing GateKeeper on MacOS, you will also need to have the XCode Command Line Tools installed:  ``` xcode-select --install ```\n\n2. Python 2.7.x  \nYou can get it via your package manager, or from [here](https://www.python.org/downloads/).\n\n3. OpenJDK or Oracle JDK 7 or greater  \nYou can get it via your package manager, or from [OpenJDK](http://openjdk.java.net/install/) or [Oracle](https://www.oracle.com/downloads/index.html) respectively.\n\n4. 
Bower  \nYou can get it via your package manager, or from [here](https://bower.io/).\n\n## Installation\n\n#### Initial Configuration \nThese steps apply to all the deployment methods listed below, and will need to be executed first.\n\n1. Clone this repository.\n   ```\n   git clone https://github.com/twitter/gatekeeper-service\n   ```\n\n2. You will need an Admin User for GApps, to be able to run GateKeeper operations.  \nThis can be achieved either by using a Super Admin User, or by creating a Custom Administration Role for the service.  \nThe latter is highly recommended, as it is a much more secure way of restricting access to your GApps environment.  \nYou can create a Custom Administration Role, by following the instructions [here](https://support.google.com/a/answer/2406043?hl=en).\n   \n3. For GateKeeper to be able to act as a user under your domain, you will need a Service Account with Domain-Wide Delegation of Authority.  \nClick [here](https://developers.google.com/admin-sdk/directory/v1/guides/delegation) for a guide on how to obtain these credentials.  \n(Follow the guides under sections \"Create the service account and its credentials\", and \"Delegate domain-wide authority to your service account\")  \nA list of scopes needed for GateKeeper's operations can be found on the config.example.yml file:\n   ```\n   - \"https://www.googleapis.com/auth/admin.directory.user\"\n   - \"https://www.googleapis.com/auth/admin.directory.user.security\"\n   - \"https://www.googleapis.com/auth/admin.directory.group.member\"\n   - \"https://www.googleapis.com/auth/gmail.settings.basic\"\n   - \"https://www.googleapis.com/auth/gmail.settings.sharing\"\n   - \"https://www.googleapis.com/auth/calendar\"\n   - \"https://www.googleapis.com/auth/drive\"\n   ```\n   Once complete, place your google_api_service_account_keyfile.json file in the config/ folder.\n   \n4. Create an OrgUnit in your GApps space, where you will be sending your offboarded users to.  
\nThis is good practice, and allows for easy move of an offboarded user back to the org, if necessary.  \nYou can find instructions on how to add an OU [here](https://support.google.com/a/answer/182537?hl=en). \n\n5. Create a copy of the file config.example.yml to config.yml and modify the file to reflect your settings and API keys.  \nConsult the [Configuration](#configuration) section below for a short description of their usage.  \nNote: It is advisable to create separate configs for your test, and production environments.\n   ```\n   cd config\n   cp config.example.yml config.yml\n   ```\n\n#### Docker\nThe following instructions will help you create and launch a Docker container of GateKeeper.\n\n1. Build the Docker image.\n   ```\n   docker build -t twitter/gatekeeper .\n   ```\n\n2. Create and execute a Docker container.\n   ```\n   docker run -d -p 5000:5000 --name=\"gatekeeper\" twitter/gatekeeper\n   ```\n   Wait until the service is up. (You can monitor the logs with ```docker logs -f gatekeeper```)  \n   You can then access the GateKeeper UI at ```\u003ccontainer_ip\u003e:5000``` (or the port you specified above, if different).  \n   \n3. You can start/stop/restart the service, with:\n   ```\n   docker start|stop|restart gatekeeper\n   ```\n\n4. _(Optional)_ Remove any untagged or intermediary images created during the build process. \n   ```\n   docker image prune\n   ```\n\n#### Local/VM Install \nThe following instructions will help you launch an instance of GateKeeper locally, or a Virtual Machine.\n\n1. Run the following command to install the javascript package dependencies.\n   ```\n   cd static\n   bower install\n   ```\n\n2. Run the tests\n   ```\n   ./pants test tests::\n   ```\n\n3. Run the service\n   ```\n   ./pants run :gatekeeper\n   ```\n   You can then access the GateKeeper UI at ```localhost:5000```\n   \n## Configuration\n\n```yaml\ndefaults:\n  debug:                      bool   (use for troubleshooting. 
default: false)\n  base_dir:                   string (base dir path. default: \".\")\n  http_proxy:\n    use_proxy:                bool   (for routing traffic via a proxy. default: false)\n    proxy_url:                string (http proxy url, without the 'http(s)://' prefix)\n    proxy_port:               int    (default: 8080)\n    proxy_user:               string (http proxy account username)\n    proxy_pass:               string (http proxy account password)\n\nldap:\n  base_dn:                    string (base dn for your LDAP)\n  uri:                        string (prefixed with \"ldap(s)://\")\n  user:                       string (username for LDAP login)\n  pass:                       string (password for LDAP login)\n  queries:\n    all_users:                string (LDAP query to return all active users. example: \"(|(gidNumber=1000) (gidNumber=1001))\". Leave empty when testing.)\n    user_is_valid:            string (LDAP query to return whether a user is valid, use \"USER\" as a var. example: \"(\u0026 (uid=USER) (|(gidNumber=1000) (gidNumber=1001)))\")\n    user_is_active:           string (LDAP query to return whether a user is active, use \"USER\" as a var. example: \"(\u0026 (uid=USER) (gidNumber=1001))\")\n    user_info:                string (LDAP query to return user attributes, use \"USER\" as a var. example: \"(uid=USER)\")\n  fields:\n    full_name:                string (LDAP field for full name. example: \"cn\")\n    first_name:               string (LDAP field for first name. example: \"givenName\")\n    role:                     string (LDAP field for role.)\n    team:                     string (LDAP field for team.)\n    org:                      string (LDAP field for org.)\n    location:                 string (LDAP field for location.)\n    start_date:               string (LDAP field for start date.)\n    uid_number:               string (LDAP field for uid. 
example: \"uidNumber\")\n    groups:                   string (LDAP field for LDAP groups a user is a member of. example: \"memberOf\")\n    photo_url:                string (Optional - LDAP field for a user's profile photo/avatar location.)\n\npagerduty:\n  base_url:                   string (default: \"https://api.pagerduty.com/\")\n  api_key:                    string (API Key for PagerDuty. Must be v2, and have R/W permissions.)\n  \nduo:\n  host:                       string (Hostname to the DUO Secure server.)\n  ikey:                       string (Integration Key for DUO Secure.)\n  skey:                       string (Secure Key for DUO Secure.) \n  ca_certs:                   string (Custom SSL Certs location for use with DUO. Leave empty to use the default certs. default: \"\")\n\ngoogle_apps:\n  admin_user:                 string (GApps Account that will own and run the service. See the Installation section for more info. example: \"gatekeeper-admin\")\n  offboarded_ou:              string (GApps OrgUnit where the offboarded users will fall under. default: \"/Offboarded Users\")\n  domain:                     string (Your GApps domain. example: \"somedomain.com\")\n  credentials_keyfile:        string (default: \"config/google_api_service_account_keyfile.json\")\n```\n\n## Logging\n\nLogs are stored under /var/tmp, and will persist system reboots.  
\nIf you are running GateKeeper on Docker, you can also get to the access logs with ```docker logs -f gatekeeper```  \nBe sure to include the relevant log line(s) with any issues submitted.\n\n## Support\n\nPlease create an issue on GitHub\n\n## Authors\n\n* Harry Kantas \u003chttps://github.com/harrykantas\u003e\n* Mat Clinton \u003chttps://github.com/matc\u003e\n\nFollow [@twitteross](https://twitter.com/twitteross) on Twitter for updates.\n\n## License\n\nCopyright 2013-2018 Twitter, Inc.\n\nLicensed under the Apache License, Version 2.0: https://www.apache.org/licenses/LICENSE-2.0\n\n## Security\n\nPlease report sensitive security issues via Twitter's bug-bounty program (https://hackerone.com/twitter).\n\nBe mindful of the file ownership and permissions for your \"google_api_service_account_keyfile.json\" and \"config.yml\" files.  \nThese files will contain sensitive data that can grant API access to your platform and services.  \nPlease practise caution when choosing a deployment method to better suit your environment's security conditions.\n\nThe WebUI is currently served in HTTP, since this service is meant to be deployed within your internal network.  \nIf your use case requires accessing GateKeeper via HTTPS, that can be achieved by redirecting all traffic to HTTPS with your own public facing proxy. \n\n## To-Do\n\n* Implement more services.\n* Integration with JIRA and other ticketing systems.\n* Add the option to parse a batch of users at once, via a CSV file.\n* Expose a REST API for services to talk to GateKeeper directly.\n* Make the service independent to the presence of LDAP, for orgs that do not make use of it.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftwitter%2Fgatekeeper-service","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ftwitter%2Fgatekeeper-service","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftwitter%2Fgatekeeper-service/lists"}