"Stack level too deep" error shown when trying to login as a blocked SAML user if system hooks are configured

Summary

Steps to reproduce

configure your instance to use SAML for authentication
configure any system hook on your GitLab instance via Menu > Admin > System Hooks
block one of the users that uses SAML for authentication and try to login as this user via SAML

What is the current bug behavior?

Error 500 will be shown in UI.

What is the expected correct behavior?

Instead of the error 500, you should get Your account has been blocked. Please contact your GitLab administrator if you think this is an error.

Relevant logs and/or screenshots

GET request to /users/auth/google_oauth2/callback fails with the following error:

1 {
2   "method": "GET",
3   "path": "/users/auth/google_oauth2/callback",
4   "format": "html",
5   "controller": "OmniauthCallbacksController",
6   "action": "google_oauth2",
7   "status": 500,
8   ...
9   "exception.message": "stack level too deep",
10   "exception.backtrace": [
11     "lib/gitlab/database.rb:65:in `config'",
12     "lib/gitlab/database/load_balancing.rb:39:in `configuration'",
13     "lib/gitlab/database/load_balancing.rb:60:in `hosts'",
14     "lib/gitlab/database/load_balancing.rb:100:in `configured?'",
15     "lib/gitlab/database/load_balancing.rb:89:in `enable?'",
16     "lib/gitlab/metrics/subscribers/active_record.rb:51:in `sql'",
17     "app/controllers/concerns/impersonation.rb:7:in `current_user'",
18     "app/controllers/omniauth_callbacks_controller.rb:292:in `context_user'",
19     "app/controllers/application_controller.rb:459:in `block in set_current_context'",
20     "lib/gitlab/utils/lazy_attributes.rb:29:in `block (2 levels) in define_lazy_reader'",
21     "lib/gitlab/utils/strong_memoize.rb:30:in `strong_memoize'",
22     "lib/gitlab/utils/lazy_attributes.rb:27:in `block in define_lazy_reader'",
23     "lib/gitlab/application_context.rb:97:in `username'",
24     "lib/gitlab/application_context.rb:62:in `block (2 levels) in to_lazy_hash'",
25     "lib/gitlab/sidekiq_middleware/worker_context.rb:9:in `wrap_in_optional_context'",
26     "lib/gitlab/sidekiq_middleware/worker_context/client.rb:18:in `call'",
27     "config/initializers/forbid_sidekiq_in_transactions.rb:38:in `block (2 levels) in <module:NoEnqueueingFromTransactions     27 >'",
28     "app/workers/concerns/application_worker.rb:59:in `perform_async'",
29     "app/services/web_hook_service.rb:98:in `block in async_execute'",
30     "lib/gitlab/application_context.rb:74:in `block in use'",
31     "lib/gitlab/application_context.rb:74:in `use'",
32     "lib/gitlab/application_context.rb:27:in `with_context'",
33     "app/services/web_hook_service.rb:95:in `async_execute'",
34     "app/models/hooks/web_hook.rb:50:in `async_execute'",
35     "app/services/system_hooks_service.rb:14:in `block in execute_hooks'",
36     "app/services/system_hooks_service.rb:13:in `execute_hooks'",
37     "app/services/system_hooks_service.rb:8:in `block in execute_hooks_for'",
38     "lib/after_commit_queue.rb:29:in `instance_eval'",
39     "lib/after_commit_queue.rb:29:in `run_after_commit_or_now'",
40     "app/services/system_hooks_service.rb:7:in `execute_hooks_for'",
41     "lib/gitlab/auth/blocked_user_tracker.rb:17:in `log_activity!'",
42     "config/initializers/warden.rb:60:in `block (2 levels) in <top (required)>'",
43     ...
43 }

The part starting from the line 42 to line 17 is repeated multiple times in the logs as we seem to stuck in the loop there.

Output of checks

Results of GitLab environment info

Expand for output related to GitLab environment info

System information
System:   Ubuntu 18.04
Proxy:    no
Current User: git
Using RVM:  no
Ruby Version: 2.7.2p137
Gem Version:  3.1.4
Bundler Version:2.1.4
Rake Version: 13.0.3
Redis Version:  6.0.14
Git Version:  2.32.0
Sidekiq Version:5.2.9
Go Version: unknown
GitLab information
Version:  14.0.2-ee
Revision: 2504e045362
Directory:  /opt/gitlab/embedded/service/gitlab-rails
DB Adapter: PostgreSQL
DB Version: 12.6
URL:    https://domain.tld
HTTP Clone URL: https://domain.tld/some-group/some-project.git
SSH Clone URL:  git@domain.tld:some-group/some-project.git
Elasticsearch:  no
Geo:    no
Using LDAP: no
Using Omniauth: yes
Omniauth Providers: google_oauth2

Results of GitLab application Check

Expand for output related to the GitLab application check

Checking GitLab subtasks ...

Checking GitLab Shell ...

GitLab Shell: ... GitLab Shell version >= 13.19.0 ? ... OK (13.19.0) Running /opt/gitlab/embedded/service/gitlab-shell/bin/check Internal API available: OK Redis available via internal API: OK gitlab-shell self-check successful

Checking GitLab Shell ... Finished

Checking Gitaly ...

Gitaly: ... default ... OK

Checking Gitaly ... Finished

Checking Sidekiq ...

Sidekiq: ... Running? ... yes Number of Sidekiq processes (cluster/worker) ... 1/1

Checking Sidekiq ... Finished

Checking Incoming Email ...

Incoming Email: ... Reply by email is disabled in config/gitlab.yml

Checking Incoming Email ... Finished

Checking LDAP ...

LDAP: ... LDAP is disabled in config/gitlab.yml

Checking LDAP ... Finished

Checking GitLab App ...

Git configured correctly? ... yes Database config exists? ... yes All migrations up? ... yes Database contains orphaned GroupMembers? ... no GitLab config exists? ... yes GitLab config up to date? ... yes Log directory writable? ... yes Tmp directory writable? ... yes Uploads directory exists? ... yes Uploads directory has correct permissions? ... yes Uploads directory tmp has correct permissions? ... yes Init script exists? ... skipped (omnibus-gitlab has no init script) Init script up-to-date? ... skipped (omnibus-gitlab has no init script) Projects have namespace: ... ... Redis version >= 5.0.0? ... yes Ruby version >= 2.7.2 ? ... yes (2.7.2) Git version >= 2.31.0 ? ... yes (2.32.0) Git user has default SSH configuration? ... yes Active users: ... 38 Is authorized keys file accessible? ... yes GitLab configured to store new projects in hashed storage? ... yes All projects are in hashed storage? ... yes Elasticsearch version 7.x (6.4 - 6.x deprecated to be removed in 13.8)? ... skipped (elasticsearch is disabled) Checking GitLab App ... Finished Checking GitLab subtasks ... Finished

Possible workaround

Delete system hooks.

Customer impact

Setting Severity/Priority 2 for this issue because it can potentially be important problem: for instance, the customer who reported was using system hooks to unblock users. Now system hooks are not being fired, thus breaking their workflow to re-enable the users that have again 'right' to access our Gitlab instance.

Edited Jul 19, 2021 by Alexandr Tanayno