MS Teams Notification can't use special characters in username and/or password for authenticating with proxy
Problem to solve
Customers/organizations that use Microsoft Windows usernames for proxy authentication (format domain\login) will need to URL-encode their URL values in http_proxy and https_proxy since they contain special characters.
However, GitLab does not attempt to URL-decode those values before it base64-encodes them to be placed in the authentication header, which results in a 407 Proxy Authentication Required error since the username and password are incorrect.
Example:
Let's assume that we need to authenticate to our proxy with username YYYYY\XXXX and password: RBr%S]axMD-F1S?
We will need to add our credentials to the proxy URL (the gitlab.rb file).
The URL needs to be URL-encoded, otherwise we will get errors (not on reconfigure, but when we want to bring up the Rails console or run rake tasks).
So then we need to have the following entries:
gitlab_rails['env'] = {
  "http_proxy" => 'http://YYYYY%5CXXXX:RBr%25S%5DaxMD-F1S%3F@127.0.0.1:3128',
  "https_proxy" => 'http://YYYYY%5CXXXX:RBr%25S%5DaxMD-F1S%3F@127.0.0.1:3128',
  "no_proxy" => "localhost,127.0.0.1"
}
The problem is that certain proxies expect the base64 value of the URL-decoded credentials, but GitLab sends the base64-encoded value of the URL-encoded http(s)_proxy URL.
So in our example GitLab will send:
WVlZWVklNUNYWFhYOlJCciUyNVMlNURheE1ELUYxUyUzRg==
which is the equivalent of
echo -n "YYYYY%5CXXXX:RBr%25S%5DaxMD-F1S%3F" | base64
but it should actually send:
WVlZWVlcWFhYWDpSQnIlU11heE1ELUYxUz8=
which is the equivalent of:
echo -n "YYYYY\XXXX:RBr%S]axMD-F1S?" | base64
As a reference, running:
curl -v --proxy 'http://YYYYY%5CXXXX:RBr%25S%5DaxMD-F1S%3F@127.0.0.1:3128/' https://outlook.office.com
Yields:
Proxy auth using Basic with user 'YYYYY\XXXX'
CONNECT outlook.office.com:443 HTTP/1.1
Host: outlook.office.com:443
Proxy-Authorization: Basic WVlZWVlcWFhYWDpSQnIlU11heE1ELUYxUz8=
(the Proxy-Authorization header value is the URL-decoded one and the proxy is able to properly authenticate the user).
Intended users
User experience goal
The user should be able to use a username or a password that has special characters like \ or ? or ] to authenticate with their proxy.
Proposal
GitLab should URL-decode the http(s)_proxy values before moving on to base64-encoding them for the Basic authentication header.
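The two header values from the example, and the decoding step proposed here, as an added Ruby example (not GitLab's code and not part of the original issue). The helper names `pct_decode` and `proxy_basic_auth` are hypothetical; the proxy URL is the one from the gitlab.rb example above.

```ruby
require 'uri'
require 'base64'

# Percent-decode one URI userinfo component. Works on bytes and, unlike
# form decoding, leaves '+' untouched (it is a literal in userinfo).
def pct_decode(component)
  component.b.gsub(/%(\h\h)/) { [Regexp.last_match(1)].pack('H2') }
end

# Build the Proxy-Authorization value for Basic auth from a proxy URL.
# decode: false reproduces the reported behaviour (raw userinfo is encoded);
# decode: true is the proposed behaviour.
# User and password are split by the URI parser *before* decoding, so an
# encoded ':' (%3A) inside the password cannot shift the user/password boundary.
def proxy_basic_auth(proxy_url, decode: true)
  uri = URI.parse(proxy_url)
  return nil unless uri.user

  user = uri.user
  password = uri.password.to_s
  if decode
    user = pct_decode(user)
    password = pct_decode(password)
  end
  "Basic #{Base64.strict_encode64("#{user}:#{password}")}"
end

# Proxy URL taken from the issue's example.
PROXY = 'http://YYYYY%5CXXXX:RBr%25S%5DaxMD-F1S%3F@127.0.0.1:3128'

if $PROGRAM_NAME == __FILE__
  puts "raw:     #{proxy_basic_auth(PROXY, decode: false)}"
  puts "decoded: #{proxy_basic_auth(PROXY, decode: true)}"
end
```

The `decoded` line matches the header curl sends in the reference run; the `raw` line matches the value the proxy rejects with 407.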
Availability & Testing
What does success look like, and how can we measure that?
Users will be able to use a username and/or a password that has special characters like \ or ? or ] to authenticate with a proxy.
Is this a cross-stage feature?
don't think that it is