Kerberos Spnego authentication is broken since a code refactoring
Summary
A regression was introduced in 1adb5bca: Kerberos authentication (SPNEGO) no longer works on 11.7.0-ee.
Steps to reproduce
With Kerberos authentication activated, click on "Sign-in with Kerberos Spnego" on the login page.
What is the current bug behavior?
An HTTP Error 500 is raised on authentication attempt.
What is the expected correct behavior?
The authentication should proceed normally.
Relevant logs and/or screenshots
gitlab-rails/production.log
error :
Processing by OmniauthKerberosSpnegoController#negotiate as HTML
Completed 500 Internal Server Error in 7ms (ActiveRecord: 0.0ms | Elasticsearch: 0.0ms)
NoMethodError (undefined method `config' for EE::Gitlab:Module
Did you mean? concerning):
ee/app/helpers/ee/kerberos_spnego_helper.rb:69:in `spnego_credentials!'
ee/app/controllers/omniauth_kerberos_spnego_controller.rb:9:in `negotiate'
lib/gitlab/i18n.rb:55:in `with_locale'
lib/gitlab/i18n.rb:61:in `with_user_locale'
app/controllers/application_controller.rb:417:in `set_locale'
lib/gitlab/middleware/rails_queue_duration.rb:24:in `call'
lib/gitlab/metrics/rack_middleware.rb:17:in `block in call'
lib/gitlab/metrics/transaction.rb:55:in `run'
lib/gitlab/metrics/rack_middleware.rb:17:in `call'
lib/gitlab/middleware/multipart.rb:103:in `call'
lib/gitlab/request_profiler/middleware.rb:16:in `call'
ee/lib/gitlab/jira/middleware.rb:15:in `call'
lib/gitlab/middleware/go.rb:20:in `call'
lib/gitlab/etag_caching/middleware.rb:13:in `call'
lib/gitlab/middleware/correlation_id.rb:16:in `block in call'
lib/gitlab/correlation_id.rb:15:in `use_id'
lib/gitlab/middleware/correlation_id.rb:15:in `call'
lib/gitlab/middleware/read_only/controller.rb:42:in `call'
lib/gitlab/middleware/read_only.rb:18:in `call'
lib/gitlab/middleware/basic_health_check.rb:25:in `call'
lib/gitlab/request_context.rb:20:in `call'
lib/gitlab/metrics/requests_rack_middleware.rb:29:in `call'
lib/gitlab/middleware/release_env.rb:13:in `call'
Results of GitLab environment info
System information
System: Debian 9.7
Proxy: no
Current User: git
Using RVM: no
Ruby Version: 2.5.3p105
Gem Version: 2.7.6
Bundler Version: 1.16.6
Rake Version: 12.3.2
Redis Version: 3.2.12
Git Version: 2.18.1
Sidekiq Version: 5.2.3
Go Version: unknown
GitLab information
Version: 11.7.0-ee
Revision: c02f0d4
Directory: /opt/gitlab/embedded/service/gitlab-rails
DB Adapter: postgresql
DB Version: 9.6.11
URL: https://poolailler1.domain.loc/gitlab
HTTP Clone URL: https://poolailler1.domain.loc/gitlab/some-group/some-project.git
SSH Clone URL: git@poolailler1.domain.loc:some-group/some-project.git
Elasticsearch: no
Geo: no
Using LDAP: no
Using Omniauth: yes
Omniauth Providers: kerberos_spnego
GitLab Shell
Version: 8.4.4
Repository storage paths:
- default: /var/opt/gitlab/git-data/repositories
Hooks: /opt/gitlab/embedded/service/gitlab-shell/hooks
Git: /opt/gitlab/embedded/bin/git
Results of GitLab application Check
Checking GitLab subtasks ...
Checking GitLab Shell ...
GitLab Shell: ... GitLab Shell version >= 8.4.4 ? ... OK (8.4.4)
Running /opt/gitlab/embedded/service/gitlab-shell/bin/check
Check GitLab API access: OK
Redis available via internal API: OK
Access to /var/opt/gitlab/.ssh/authorized_keys: OK
gitlab-shell self-check successful
Checking GitLab Shell ... Finished
Checking Gitaly ...
Gitaly: ... default ... OK
Checking Gitaly ... Finished
Checking Sidekiq ...
Sidekiq: ... Running? ... yes
Number of Sidekiq processes ... 1
Checking Sidekiq ... Finished
Checking Incoming Email ...
Incoming Email: ... Reply by email is disabled in config/gitlab.yml
Checking Incoming Email ... Finished
Checking LDAP ...
LDAP: ... LDAP is disabled in config/gitlab.yml
Checking LDAP ... Finished
Checking GitLab App ...
Git configured correctly? ... yes
Database config exists? ... yes
All migrations up? ... yes
Database contains orphaned GroupMembers? ... no
GitLab config exists? ... yes
GitLab config up to date? ... yes
Log directory writable? ... yes
Tmp directory writable? ... yes
Uploads directory exists? ... yes
Uploads directory has correct permissions? ... yes
Uploads directory tmp has correct permissions? ... yes
Init script exists? ... skipped (omnibus-gitlab has no init script)
Init script up-to-date? ... skipped (omnibus-gitlab has no init script)
Projects have namespace: ... 2/5 ... yes 10/6 ... yes 5/7 ... yes 5/9 ... yes 5/10 ... yes 6/13 ... yes 5/14 ... yes 5/15 ... yes 20/17 ... yes 20/18 ... yes 5/19 ... yes 20/20 ... yes 20/21 ... yes 5/22 ... yes 5/24 ... yes 5/25 ... yes 19/26 ... yes 5/27 ... yes 20/28 ... yes 5/29 ... yes 5/31 ... yes 5/32 ... yes 5/33 ... yes 5/34 ... yes 19/36 ... yes 6/37 ... yes 5/38 ... yes 5/39 ... yes 2/41 ... yes 6/43 ... yes 6/44 ... yes 22/45 ... yes 22/46 ... yes 22/47 ... yes 22/48 ... yes 6/50 ... yes 6/51 ... yes 6/52 ... yes 2/54 ... yes 9/55 ... yes 5/56 ... yes 5/57 ... yes 5/58 ... yes 5/59 ... yes 13/60 ... yes 13/65 ... yes 2/66 ... yes 34/67 ... yes 10/68 ... yes 5/69 ... yes 9/70 ... yes 21/71 ... yes 9/72 ... yes 6/73 ... yes 21/74 ... yes 20/75 ... yes 28/76 ... yes 52/77 ... yes 9/78 ... yes 58/79 ... yes 2/80 ... yes
Redis version >= 2.8.0? ... yes
Ruby version >= 2.3.5 ? ... yes (2.5.3)
Git version >= 2.18.0 ? ... yes (2.18.1)
Git user has default SSH configuration? ... yes
Active users: ... 49
Elasticsearch version 5.6 - 6.x? ... skipped (elasticsearch is disabled)
Checking GitLab App ... Finished
Checking GitLab subtasks ... Finished
Possible fixes
From my understanding, the error has been introduced in 1adb5bca. A :: is missing before Gitlab.config.kerberos.service_principal_name at line 69 of ee/app/helpers/ee/kerberos_spnego_helper.rb.
See:
- Before refactoring : https://gitlab.com/gitlab-org/gitlab-ee/commit/1adb5bca74a17d7cb1b71eedf086e2c5efe4c2e3#9cf091d4637702a7ba1fc9ad2d3e9f00911f38fa_64_9
- After refactoring : https://gitlab.com/gitlab-org/gitlab-ee/commit/1adb5bca74a17d7cb1b71eedf086e2c5efe4c2e3#08bac84fda400ba15e4e76fed69cbbc14e425860_0_69
Disclaimer: I don't know anything about Ruby or the GitLab code base, so I might be wrong. But it seems to be a simple refactoring error, and adding the missing :: solved the problem on my setup.
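The constant lookup behind the NoMethodError in the log, reduced to a stand-alone Ruby sketch (an added example, not code from the report or from GitLab). The module layout mirrors the names in the stack trace; the Struct-based settings, the service principal value and the lookup_outcome helper are constructed for illustration.

```ruby
# Top-level application namespace that owns the settings (constructed stand-in).
module Gitlab
  KerberosSettings = Struct.new(:service_principal_name)
  Settings = Struct.new(:kerberos)

  def self.config
    # Constructed sample value, not taken from the report.
    Settings.new(KerberosSettings.new('HTTP/gitlab.example.test@EXAMPLE.TEST'))
  end
end

module EE
  # The EE namespace has its own Gitlab module, which has no `config` method.
  module Gitlab
  end

  module KerberosSpnegoHelper
    # Relative reference: Ruby walks the enclosing lexical scopes first,
    # finds EE::Gitlab and stops, so the top-level ::Gitlab is never reached.
    def self.spn_relative
      Gitlab.config.kerberos.service_principal_name
    end

    # Absolute reference: the leading :: pins the lookup to the top level.
    def self.spn_absolute
      ::Gitlab.config.kerberos.service_principal_name
    end
  end
end

# Hypothetical helper: returns the resolved value, or a summary of the error.
def lookup_outcome(which)
  EE::KerberosSpnegoHelper.public_send(which)
rescue NoMethodError => e
  "#{e.class}: #{e.name} on #{e.receiver}"
end

if __FILE__ == $PROGRAM_NAME
  puts lookup_outcome(:spn_relative)
  puts lookup_outcome(:spn_absolute)
end
```

Because the failure only appears when the helper method is actually called, a request spec or smoke test that exercises the Kerberos sign-in path is what catches this kind of refactoring regression before release.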