Skip to content

`undefined method `[]' for nil:NilClass` exception on groups page after upgrade to 15

Summary

After merging !85209 (merged), specifically this change to group_policy.rb, we surfaced a bug in these methods.

When a customer configures SAML providers with a name value different from saml, these methods would raise exceptions like these:

irb(main):006:0> pp Gitlab::Auth::Saml::Config.group_sync_enabled?
Traceback (most recent call last):
        3: from (irb):6
        2: from ee/lib/ee/gitlab/auth/saml/config.rb:20:in `group_sync_enabled?'
        1: from lib/gitlab/auth/saml/config.rb:21:in `groups'
NoMethodError (undefined method `[]' for nil:NilClass)

This is now a big problem because such customers start receiving 500 errors when they visit groups pages after upgrading to 15.1.0+.

Example customer ticket: https://gitlab.zendesk.com/agent/tickets/301480

Steps to reproduce

  1. Make sure you have GitLab 15.1+ running, apply a license.

  2. Configure SAML Provider with a name value != saml. Example config:

    gitlab_rails['omniauth_enabled'] = true
gitlab_rails['omniauth_allow_single_sign_on'] = ['saml2']
gitlab_rails['omniauth_block_auto_created_users'] = false
gitlab_rails['omniauth_auto_link_saml_user'] = true
gitlab_rails['omniauth_providers'] = [
{
    name: 'saml2',
    args: {
            assertion_consumer_service_url: 'http://localhost/users/auth/saml/callback',
            idp_cert_fingerprint: 'SANITIZED',
            idp_sso_target_url: 'http://localhost:8080/simplesaml/saml2/idp/SSOService.php',
            issuer: 'http://app.example.com',
            strategy_class: 'OmniAuth::Strategies::SAML',
            name_identifier_format: 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent'
        },
    label: 'SAML Login'
}
]

  3. Go to any group page -> 500 with the bellow exception:

Traceback (most recent call last):
        3: from (irb):6
        2: from ee/lib/ee/gitlab/auth/saml/config.rb:20:in `group_sync_enabled?'
        1: from lib/gitlab/auth/saml/config.rb:21:in `groups'
NoMethodError (undefined method `[]' for nil:NilClass)

Example Project

Can only replicate on SM instance.

What is the current bug behavior?

Users getting 500 errors on Group pages

What is the expected correct behavior?

We should support detection of custom SAML providers names so that customers who use such names do not receive 500 errors.

Possible fixes

Edited by Alvin Gounder