Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Account autocreation from LDAP after reverse proxy authentication #18452

Open
wants to merge 3 commits into
base: main
Choose a base branch
from

Conversation

pboguslawski
Copy link
Contributor

@pboguslawski pboguslawski commented Jan 29, 2022

Gitea allows autocreation of account from external source after successful
basic auth but not after successful reverse proxy auth. This mod adds such
feature.

It also adds full name, email and is_active synchronization from LDAP on
user login (as cron task already does).

Related: gogs/gogs#2498
Author-Change-Id: IB#1104925

Gitea allows autocreation of account from external source after successful
basic auth but not after successful reverse proxy auth. This mod adds such
feature.

Unfortunaltely gitea does not sync all user attributes from LDAP for
existing users on login like cron.sync_external_users does so changes
of first name, surname, e-mail are not updated from LDAP on login for
exiting users - only after first login and after sync_external_users task.

Related: gogs/gogs#2498
Author-Change-Id: IB#1104925
@pboguslawski
Copy link
Contributor Author

This is simplified and adjusted for current main version of #12960.

@GiteaBot GiteaBot added the lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. label Jan 29, 2022
@pboguslawski
Copy link
Contributor Author

This is quick and dirty workaround for installations using reverse proxy auth with ldap user data backend.

More elegant fixes will probably require gitea to separate auth/sync areas better like in
#18453

@pboguslawski
Copy link
Contributor Author

If #18466 is accepted, than should be merged first, than this mod must use UpdateForceUserCols instead of UpdateUserCols.

Gitea should synchronize same data from LDAP on user
authentication that is synchronized in cron task.

Fixes: a5c21f1
Related: go-gitea#18452
Author-Change-Id: IB#1104925
@pboguslawski
Copy link
Contributor Author

After ca00ec6 gitea is able also to reactivate user account on login if enabled in LDAP (without it user had to wait for cron task to unlock gitea account). Fullname and email are synchronized now on login also (like in cron task).

@stale
Copy link

stale bot commented Apr 17, 2022

This pull request has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs during the next 2 months. Thank you for your contributions.

@stale stale bot added the issue/stale label Apr 17, 2022
@lunny lunny added the issue/confirmed Issue has been reviewed and confirmed to be present or accepted to be implemented label Apr 18, 2022
@stale stale bot removed the issue/stale label Apr 18, 2022
pboguslawski added a commit to ibpl/gitea that referenced this pull request Oct 6, 2022
`SessionUser` should be protected against passing `sess` = `nil` to avoid

```
PANIC: runtime error: invalid memory address or nil pointer dereference
```

in

https://github.com/go-gitea/gitea/pull/18452/files#diff-a215b82aadeb8b4c4632fcf31215dd421f804eb1c0137ec6721b980136e4442aR69

after upgrade from gitea v1.16 to v1.17.

Related: go-gitea#18452
Author-Change-Id: IB#1126459
zeripath pushed a commit that referenced this pull request Oct 6, 2022
`SessionUser` should be protected against passing `sess` = `nil` to
avoid

```
PANIC: runtime error: invalid memory address or nil pointer dereference
```

in


https://github.com/go-gitea/gitea/pull/18452/files#diff-a215b82aadeb8b4c4632fcf31215dd421f804eb1c0137ec6721b980136e4442aR69

after upgrade from gitea v1.16 to v1.17.

Related: #18452
Author-Change-Id: IB#1126459
pboguslawski added a commit to ibpl/gitea that referenced this pull request Oct 24, 2022
`SessionUser` should be protected against passing `sess` = `nil` to avoid.

```
PANIC: runtime error: invalid memory address or nil pointer dereference
```

in

https://github.com/go-gitea/gitea/pull/18452/files#diff-a215b82aadeb8b4c4632fcf31215dd421f804eb1c0137ec6721b980136e4442aR69

after upgrade from gitea v1.16 to v1.17.

Related: go-gitea#18452
Author-Change-Id: IB#1126459
pboguslawski added a commit to ibpl/gitea that referenced this pull request Oct 24, 2022
Fixes: adac68d
Related: go-gitea#21358
Related: go-gitea#18452
Author-Change-Id: IB#1126459
zeripath pushed a commit that referenced this pull request Oct 24, 2022
Backport #21358 

`SessionUser` should be protected against passing `sess` = `nil` to
avoid

```
PANIC: runtime error: invalid memory address or nil pointer dereference
```

in


https://github.com/go-gitea/gitea/pull/18452/files#diff-a215b82aadeb8b4c4632fcf31215dd421f804eb1c0137ec6721b980136e4442aR69

after upgrade from gitea v1.16 to v1.17.

Related: #18452
@denyskon
Copy link
Member

denyskon commented Aug 2, 2023

@pboguslawski What is the state of this PR?

@denyskon denyskon added the issue/needs-feedback For bugs, we need more details. For features, the feature must be described in more detail label Aug 2, 2023
@pboguslawski
Copy link
Contributor Author

pboguslawski commented Sep 8, 2023

What is the state of this PR?

The status of this PR is Open for over year now as you can see.

We use this extension and it works fine for us. Let us know if you want to merge it - will update to current main then.

@techknowlogick techknowlogick removed the issue/needs-feedback For bugs, we need more details. For features, the feature must be described in more detail label Sep 8, 2023
Comment on lines 68 to 72
// Just return user if session is estabilshed already.
user := SessionUser(sess)
if user != nil {
return user
}
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This mixes the Session provider into the reverse proxy. I think we should not do this. Is it needed for the new logic?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This mixes the Session provider into the reverse proxy. I think we should not do this. Is it needed for the new logic?

Reverse proxy is/should be for user authentication stuff not Gitea's session handling IHMO. So there is no point in user verification if already verified (established session). Don't see problem with it.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Then it's just a wrong execution order and the session provider should be checked first.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

SessionUser(sess) is called first and used if session is already estabilshed; if no session is established, new session is created. Don't see any problem here. If you see problem here, please propose exact code fix.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The session handler is already called before the reverse proxy handler:

gitea/routers/web/web.go

Lines 104 to 111 in cb10f27

group := auth_service.NewGroup(
&auth_service.OAuth2{}, // FIXME: this should be removed and only applied in download and oauth related routers
&auth_service.Basic{}, // FIXME: this should be removed and only applied in download and git/lfs routers
&auth_service.Session{},
)
if setting.Service.EnableReverseProxyAuth {
group.Add(&auth_service.ReverseProxy{})
}

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixed in dfc544c. Thanks for pointing.

@denyskon denyskon added type/feature Completely new functionality. Can only be merged if feature freeze is not active. and removed issue/confirmed Issue has been reviewed and confirmed to be present or accepted to be implemented labels Sep 10, 2023
Fixes: a5c21f1
Related: go-gitea#18452 (comment)
Author-Change-Id: IB#1104925
Signed-off-by: Pawel Boguslawski <pawel.boguslawski@ib.pl>
@pull-request-size pull-request-size bot added the size/M Denotes a PR that changes 30-99 lines, ignoring generated files. label Mar 28, 2024
@github-actions github-actions bot added the modifies/go Pull requests that update Go code label Mar 28, 2024
@denyskon denyskon requested a review from KN4CK3R July 9, 2024 20:09
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. modifies/go Pull requests that update Go code size/M Denotes a PR that changes 30-99 lines, ignoring generated files. type/feature Completely new functionality. Can only be merged if feature freeze is not active.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

6 participants