NPE on sign-in via SAML if user lacks access rights on IdP

Summary

NPE on sign-in via SAML if user lacks access rights on IdP

Steps to reproduce

  1. Set up login via SAML
  2. The user does not exist in GitLab's local user base
  3. User signup is not enabled
  4. Try to log in with a user that lacks access rights on IdP

What is the current bug behavior?

500 error, NPE in production.log

What is the expected correct behavior?

Maybe a 500 error is the correct user-facing behavior, but the exception message could be more specific

Relevant logs and/or screenshots

NoMethodError (undefined method `build_user_synced_attributes_metadata' for nil:NilClass):
  lib/gitlab/auth/o_auth/user.rb:231:in `update_profile'
  lib/gitlab/auth/o_auth/user.rb:19:in `initialize'
  app/controllers/omniauth_callbacks_controller.rb:125:in `new'
  app/controllers/omniauth_callbacks_controller.rb:125:in `sign_in_user_flow'
  app/controllers/omniauth_callbacks_controller.rb:102:in `omniauth_flow'
  app/controllers/omniauth_callbacks_controller.rb:40:in `saml'
  lib/gitlab/i18n.rb:51:in `with_locale'
  lib/gitlab/i18n.rb:57:in `with_user_locale'
  app/controllers/application_controller.rb:370:in `set_locale'
  lib/gitlab/middleware/multipart.rb:97:in `call'
  lib/gitlab/request_profiler/middleware.rb:14:in `call'
  ee/lib/gitlab/jira/middleware.rb:15:in `call'
  lib/gitlab/middleware/go.rb:17:in `call'
  lib/gitlab/etag_caching/middleware.rb:11:in `call'
  lib/gitlab/middleware/read_only/controller.rb:38:in `call'
  lib/gitlab/middleware/read_only.rb:16:in `call'
  lib/gitlab/request_context.rb:18:in `call'
  lib/gitlab/metrics/requests_rack_middleware.rb:27:in `call'
  lib/gitlab/middleware/release_env.rb:10:in `call'

Output of checks

(If you are reporting a bug on GitLab.com, write: This bug happens on GitLab.com)

Results of GitLab environment info

System information

System:

Proxy: http_proxy: http://oldproxy:8080/

ftp_proxy: http://oldproxy:8080/

https_proxy: http://oldproxy:8080/

no_proxy: pulp.cma-cgm.com

Current User: git

Using RVM: no

Ruby Version: 2.4.4p296

Gem Version: 2.7.6

Bundler Version:1.16.2

Rake Version: 12.3.1

Redis Version: 3.2.11

Git Version: 2.17.1

Sidekiq Version:5.1.3

Go Version: unknown

GitLab information

Version: 11.1.4-ee

Revision: d17962f

Directory: /opt/gitlab/embedded/service/gitlab-rails

DB Adapter: postgresql

DB Version: 9.6.8

URL: https://***

HTTP Clone URL: https://***/some-group/some-project.git

SSH Clone URL: git@***:some-group/some-project.git

Elasticsearch: no

Geo: no

Using LDAP: yes

Using Omniauth: yes

Omniauth Providers: saml

GitLab Shell

Version: 7.1.4

Repository storage paths:

  • default: /var/opt/gitlab/git-data/repositories

Hooks: /opt/gitlab/embedded/service/gitlab-shell/hooks

Git: /opt/gitlab/embedded/bin/git

Results of GitLab application Check

Checking GitLab Shell ...

GitLab Shell version >= 7.1.4 ? ... OK (7.1.4)

Repo base directory exists?

default... yes

Repo storage directories are symlinks?

default... no

Repo paths owned by git:root, or git:git?

default... yes

Repo paths access is drwxrws---?

default... yes

hooks directories in repos are links: ... can't check, you have no projects

Running /opt/gitlab/embedded/service/gitlab-shell/bin/check

Check GitLab API access: OK

Redis available via internal API: OK

Access to /var/opt/gitlab/.ssh/authorized_keys: OK

gitlab-shell self-check successful

Checking GitLab Shell ... Finished

Checking Sidekiq ...

Running? ... yes

Number of Sidekiq processes ... 1

Checking Sidekiq ... Finished

Reply by email is disabled in config/gitlab.yml

Checking LDAP ...

Server: ldapmain

LDAP authentication... Success

LDAP users with access to your GitLab server (only showing the first 100 results)

...

Checking LDAP ... Finished

Checking GitLab ...

Git configured correctly? ... yes

Database config exists? ... yes

All migrations up? ... yes

Database contains orphaned GroupMembers? ... no

GitLab config exists? ... yes

GitLab config up to date? ... yes

Log directory writable? ... yes

Tmp directory writable? ... yes

Uploads directory exists? ... yes

Uploads directory has correct permissions? ... yes

Uploads directory tmp has correct permissions? ... yes

Init script exists? ... skipped (omnibus-gitlab has no init script)

Init script up-to-date? ... skipped (omnibus-gitlab has no init script)

Projects have namespace: ... can't check, you have no projects

Redis version >= 2.8.0? ... yes

Ruby version >= 2.3.5 ? ... yes (2.4.4)

Git version >= 2.9.5 ? ... yes (2.17.1)

Git user has default SSH configuration? ... yes

Active users: ... 9

Elasticsearch version 5.1 - 5.5? ... skipped (elasticsearch is disabled)

Checking GitLab ... Finished

Possible fixes

(If you can, link to the line of code that might be responsible for the problem)

ZD https://gitlab.zendesk.com/agent/tickets/101709

Edited by Alexandr Tanayno
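
A minimal model of the failure shown in the trace above, added here as an illustration and not GitLab's own code: a sign-in callback dereferences a user object that was never found or built, next to a guarded variant that rejects the attempt with a specific error. All class, method and account names are hypothetical, and the example assumes the nil receiver arises because no local account exists and signup is disabled.

```ruby
# Added illustration; names are hypothetical, not taken from GitLab's code base.
SignupDisabledError = Class.new(StandardError)

# Constructed stand-in for a local user record.
FakeUser = Struct.new(:email, :synced_metadata) do
  def build_synced_metadata
    self.synced_metadata = { provider: 'saml' }
  end
end

class CallbackUser
  attr_reader :user

  def initialize(auth_email, directory:, signup_enabled:, guarded:)
    @user = directory[auth_email]                       # existing local account, or nil
    @user ||= FakeUser.new(auth_email) if signup_enabled # only build when signup is allowed
    guarded ? update_profile_guarded : update_profile_unguarded
  end

  private

  # Same shape as the reported failure: a method is called on a nil user.
  def update_profile_unguarded
    user.build_synced_metadata
  end

  # Guarded form: fail closed with an error that names the actual cause.
  def update_profile_guarded
    raise SignupDisabledError, 'no local account and signup is disabled' if user.nil?

    user.build_synced_metadata
  end
end

# Returns a symbol describing how the sign-in attempt ended.
def attempt(email, directory:, signup_enabled:, guarded:)
  CallbackUser.new(email, directory: directory, signup_enabled: signup_enabled, guarded: guarded)
  :signed_in
rescue NoMethodError
  :server_error_500       # opaque failure, logged only as a nil dereference
rescue SignupDisabledError
  :rejected_with_reason   # caller can log and render a clear denial
end

# Constructed sample directory with one provisioned account.
DIRECTORY = { 'alice@example.test' => FakeUser.new('alice@example.test') }.freeze
```

In both variants the unprovisioned user is denied; the difference is whether the log records a nil dereference or the reason the sign-in was refused.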