auto_link_ldap_user (and therefore login) fails if no email attribute is set on the LDAP object
Summary
Logging in to GitLab with SAML and auto-linking of LDAP accounts set up, GitLab failed to finish sign-up/log-in for one user whose LDAP entry lacks a mail attribute.
Steps to reproduce
- Set up a GitLab instance with SAML and LDAP login, along with auto linking of LDAP accounts on SAML login.
- Create a valid LDAP user only without its email attribute set
- Attempt to log in the user with SAML
What is the current bug behavior?
GitLab fails to log in with a 500 error
What is the expected correct behavior?
The user is logged in correctly, only without an email address set
Relevant logs and/or screenshots
Completed 500 Internal Server Error in 65ms (ActiveRecord: 5.1ms | Elasticsearch: 0.0ms)
NoMethodError (undefined method `first' for nil:NilClass):
lib/gitlab/auth/o_auth/user.rb:205:in `user_attributes'
lib/gitlab/auth/o_auth/user.rb:196:in `build_new_user'
lib/gitlab/auth/o_auth/user.rb:116:in `find_or_build_ldap_user'
lib/gitlab/auth/saml/user.rb:24:in `find_user'
ee/lib/ee/gitlab/auth/saml/user.rb:12:in `find_user'
lib/gitlab/auth/o_auth/user.rb:61:in `gl_user'
lib/gitlab/auth/o_auth/user.rb:257:in `clear_user_synced_attributes_metadata'
lib/gitlab/auth/o_auth/user.rb:230:in `update_profile'
lib/gitlab/auth/o_auth/user.rb:21:in `initialize'
app/controllers/omniauth_callbacks_controller.rb:127:in `new'
app/controllers/omniauth_callbacks_controller.rb:127:in `build_auth_user'
app/controllers/omniauth_callbacks_controller.rb:131:in `sign_in_user_flow'
app/controllers/omniauth_callbacks_controller.rb:100:in `omniauth_flow'
app/controllers/omniauth_callbacks_controller.rb:42:in `saml'
ee/lib/gitlab/ip_address_state.rb:10:in `with'
ee/app/controllers/ee/application_controller.rb:28:in `set_current_ip_address'
lib/gitlab/session.rb:11:in `with_session'
app/controllers/application_controller.rb:445:in `set_session_storage'
lib/gitlab/i18n.rb:55:in `with_locale'
lib/gitlab/i18n.rb:61:in `with_user_locale'
app/controllers/application_controller.rb:439:in `set_locale'
lib/gitlab/middleware/rails_queue_duration.rb:27:in `call'
lib/gitlab/metrics/rack_middleware.rb:17:in `block in call'
lib/gitlab/metrics/transaction.rb:57:in `run'
lib/gitlab/metrics/rack_middleware.rb:17:in `call'
lib/gitlab/middleware/multipart.rb:103:in `call'
lib/gitlab/request_profiler/middleware.rb:16:in `call'
ee/lib/gitlab/jira/middleware.rb:17:in `call'
lib/gitlab/middleware/go.rb:20:in `call'
lib/gitlab/etag_caching/middleware.rb:13:in `call'
lib/gitlab/middleware/correlation_id.rb:16:in `block in call'
lib/gitlab/middleware/correlation_id.rb:15:in `call'
lib/gitlab/middleware/read_only/controller.rb:42:in `call'
lib/gitlab/middleware/read_only.rb:18:in `call'
lib/gitlab/middleware/basic_health_check.rb:25:in `call'
lib/gitlab/request_context.rb:26:in `call'
lib/gitlab/metrics/requests_rack_middleware.rb:29:in `call'
lib/gitlab/middleware/release_env.rb:12:in `call'
Output of checks
Results of GitLab environment info
System information
System: CentOS 7.6.1810
Proxy: no
Current User: git
Using RVM: no
Ruby Version: 2.6.3p62
Gem Version: 2.7.9
Bundler Version:1.17.3
Rake Version: 12.3.2
Redis Version: 3.2.12
Git Version: 2.21.0
Sidekiq Version:5.2.7
Go Version: unknown

GitLab information
Version: 12.0.2-ee
Revision: ef76b54fc1e
Directory: /opt/gitlab/embedded/service/gitlab-rails
DB Adapter: PostgreSQL
DB Version: 10.7
URL: https://gitlab.liu.se
HTTP Clone URL: https://gitlab.liu.se/some-group/some-project.git
SSH Clone URL: git@gitlab.liu.se:some-group/some-project.git
Elasticsearch: no
Geo: no
Using LDAP: yes
Using Omniauth: yes
Omniauth Providers: saml

GitLab Shell
Version: 9.3.0
Repository storage paths:
- cephfs: /mnt/gitlab.liu.se/git-data/repositories
- default: /var/opt/gitlab/git-data/repositories
GitLab Shell path: /opt/gitlab/embedded/service/gitlab-shell
Git: /opt/gitlab/embedded/bin/git
Results of GitLab application Check
Checking GitLab subtasks ...
Checking GitLab Shell ...
GitLab Shell: ... GitLab Shell version >= 9.3.0 ? ... OK (9.3.0)
Running /opt/gitlab/embedded/service/gitlab-shell/bin/check
Check GitLab API access: OK
Redis available via internal API: OK
Access to /var/opt/gitlab/.ssh/authorized_keys: OK
gitlab-shell self-check successful
Checking GitLab Shell ... Finished
Checking Gitaly ...
Gitaly: ... cephfs ... OK
default ... OK
Checking Gitaly ... Finished
Checking Sidekiq ...
Sidekiq: ... Running? ... yes
Number of Sidekiq processes ... 1
Checking Sidekiq ... Finished
Checking Incoming Email ...
Incoming Email: ...
Checking Reply by email ...
IMAP server credentials are correct? ... yes
Init.d configured correctly? ... skipped
MailRoom running? ... skipped
Checking Reply by email ... Finished
Checking Incoming Email ... Finished
Checking LDAP ...
LDAP: ... Server: ldapmain
LDAP authentication... Success
LDAP users with access to your GitLab server (only showing the first 100 results)
[redacted]
Checking LDAP ... Finished
Checking GitLab App ...
Git configured correctly? ... yes
Database config exists? ... yes
All migrations up? ... yes
Database contains orphaned GroupMembers? ... no
GitLab config exists? ... yes
GitLab config up to date? ... yes
Log directory writable? ... yes
Tmp directory writable? ... yes
Uploads directory exists? ... yes
Uploads directory has correct permissions? ... yes
Uploads directory tmp has correct permissions? ... yes
Init script exists? ... skipped (omnibus-gitlab has no init script)
Init script up-to-date? ... skipped (omnibus-gitlab has no init script)
Projects have namespace: ...
1/1 ... yes 1/3 ... yes 39/4 ... yes 75/6 ... yes 75/7 ... yes 77/8 ... yes 30/9 ... yes 85/12 ... yes 87/13 ... yes 77/14 ... yes 77/15 ... yes 25/16 ... yes 3/18 ... yes 1/20 ... yes
[truncated]
456/1513 ... yes 1658/1514 ... yes 291/1515 ... yes 1314/1516 ... yes 928/1517 ... yes 284/1518 ... yes 1658/1519 ... yes 1622/1520 ... yes 488/1521 ... yes 488/1522 ... yes 1236/1523 ... yes 278/1524 ... yes
Redis version >= 2.8.0? ... yes
Ruby version >= 2.5.3 ? ... yes (2.6.3)
Git version >= 2.21.0 ? ... yes (2.21.0)
Git user has default SSH configuration? ... yes
Active users: ... 1453
Elasticsearch version 5.6 - 6.x? ... skipped (elasticsearch is disabled)
Checking GitLab App ... Finished
Checking GitLab subtasks ... Finished
Possible fixes
I've deployed a small patch to work around the issue for us for now:
--- a/lib/gitlab/auth/o_auth/user.rb
+++ b/lib/gitlab/auth/o_auth/user.rb
@@ -202,7 +202,7 @@
if creating_linked_ldap_user?
username = ldap_person.username.presence
name = ldap_person.name.presence
- email = ldap_person.email.first.presence
+ email = ldap_person.email&.first.presence
end
username ||= auth_hash.username
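Review bot: After this change `email` can leave the `creating_linked_ldap_user?` branch as nil, and the visible context only shows a fallback for `username` (`username ||= auth_hash.username`). Please confirm that `email` gets an equivalent fallback to the SAML auth hash, or that user creation handles a nil email, and add a spec covering an LDAP person with no mail attribute. Note also that `&.` guards only the call to `first`; the trailing `.presence` still runs on nil and works only because ActiveSupport defines it on every object, so normalising a missing `email` once on `ldap_person` would be clearer than repeating the guard at each call site.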
@@ -248,7 +248,7 @@
if creating_linked_ldap_user?
metadata.set_attribute_synced(:name, true) if gl_user.name == ldap_person.name
- metadata.set_attribute_synced(:email, true) if gl_user.email == ldap_person.email.first
+ metadata.set_attribute_synced(:email, true) if gl_user.email == ldap_person.email&.first
metadata.provider = ldap_person.provider
end
end
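Review bot: On the `set_attribute_synced(:email, true)` line, `ldap_person.email&.first` evaluates to nil when the LDAP entry has no mail attribute, so the condition becomes `gl_user.email == nil` and the email is marked as synced from LDAP whenever `gl_user.email` is also nil, even though LDAP supplied no address. Consider reading the LDAP email once into a local and only marking the attribute as synced when that value is present and equal to `gl_user.email`.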