-
-
Notifications
You must be signed in to change notification settings - Fork 5.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Account autocreation from LDAP after reverse proxy authentication #18452
base: main
Are you sure you want to change the base?
Conversation
Gitea allows autocreation of account from external source after successful basic auth but not after successful reverse proxy auth. This mod adds such feature. Unfortunaltely gitea does not sync all user attributes from LDAP for existing users on login like cron.sync_external_users does so changes of first name, surname, e-mail are not updated from LDAP on login for exiting users - only after first login and after sync_external_users task. Related: gogs/gogs#2498 Author-Change-Id: IB#1104925
This is simplified and adjusted for current main version of #12960. |
This is quick and dirty workaround for installations using reverse proxy auth with ldap user data backend. More elegant fixes will probably require gitea to separate auth/sync areas better like in |
If #18466 is accepted, than should be merged first, than this mod must use |
Gitea should synchronize same data from LDAP on user authentication that is synchronized in cron task. Fixes: a5c21f1 Related: go-gitea#18452 Author-Change-Id: IB#1104925
After ca00ec6 gitea is able also to reactivate user account on login if enabled in LDAP (without it user had to wait for cron task to unlock gitea account). Fullname and email are synchronized now on login also (like in cron task). |
This pull request has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs during the next 2 months. Thank you for your contributions. |
`SessionUser` should be protected against passing `sess` = `nil` to avoid ``` PANIC: runtime error: invalid memory address or nil pointer dereference ``` in https://github.com/go-gitea/gitea/pull/18452/files#diff-a215b82aadeb8b4c4632fcf31215dd421f804eb1c0137ec6721b980136e4442aR69 after upgrade from gitea v1.16 to v1.17. Related: go-gitea#18452 Author-Change-Id: IB#1126459
`SessionUser` should be protected against passing `sess` = `nil` to avoid ``` PANIC: runtime error: invalid memory address or nil pointer dereference ``` in https://github.com/go-gitea/gitea/pull/18452/files#diff-a215b82aadeb8b4c4632fcf31215dd421f804eb1c0137ec6721b980136e4442aR69 after upgrade from gitea v1.16 to v1.17. Related: #18452 Author-Change-Id: IB#1126459
`SessionUser` should be protected against passing `sess` = `nil` to avoid. ``` PANIC: runtime error: invalid memory address or nil pointer dereference ``` in https://github.com/go-gitea/gitea/pull/18452/files#diff-a215b82aadeb8b4c4632fcf31215dd421f804eb1c0137ec6721b980136e4442aR69 after upgrade from gitea v1.16 to v1.17. Related: go-gitea#18452 Author-Change-Id: IB#1126459
Fixes: adac68d Related: go-gitea#21358 Related: go-gitea#18452 Author-Change-Id: IB#1126459
Backport #21358 `SessionUser` should be protected against passing `sess` = `nil` to avoid ``` PANIC: runtime error: invalid memory address or nil pointer dereference ``` in https://github.com/go-gitea/gitea/pull/18452/files#diff-a215b82aadeb8b4c4632fcf31215dd421f804eb1c0137ec6721b980136e4442aR69 after upgrade from gitea v1.16 to v1.17. Related: #18452
@pboguslawski What is the state of this PR? |
The status of this PR is We use this extension and it works fine for us. Let us know if you want to merge it - will update to current main then. |
services/auth/reverseproxy.go
Outdated
// Just return user if session is estabilshed already. | ||
user := SessionUser(sess) | ||
if user != nil { | ||
return user | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This mixes the Session
provider into the reverse proxy. I think we should not do this. Is it needed for the new logic?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This mixes the
Session
provider into the reverse proxy. I think we should not do this. Is it needed for the new logic?
Reverse proxy is/should be for user authentication stuff not Gitea's session handling IHMO. So there is no point in user verification if already verified (established session). Don't see problem with it.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Then it's just a wrong execution order and the session provider should be checked first.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
SessionUser(sess)
is called first and used if session is already estabilshed; if no session is established, new session is created. Don't see any problem here. If you see problem here, please propose exact code fix.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The session handler is already called before the reverse proxy handler:
Lines 104 to 111 in cb10f27
group := auth_service.NewGroup( | |
&auth_service.OAuth2{}, // FIXME: this should be removed and only applied in download and oauth related routers | |
&auth_service.Basic{}, // FIXME: this should be removed and only applied in download and git/lfs routers | |
&auth_service.Session{}, | |
) | |
if setting.Service.EnableReverseProxyAuth { | |
group.Add(&auth_service.ReverseProxy{}) | |
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Fixed in dfc544c. Thanks for pointing.
Fixes: a5c21f1 Related: go-gitea#18452 (comment) Author-Change-Id: IB#1104925 Signed-off-by: Pawel Boguslawski <pawel.boguslawski@ib.pl>
Gitea allows autocreation of account from external source after successful
basic auth but not after successful reverse proxy auth. This mod adds such
feature.
It also adds full name, email and is_active synchronization from LDAP on
user login (as cron task already does).
Related: gogs/gogs#2498
Author-Change-Id: IB#1104925