Additional cleanup for external usernames on oAuth and LDAP sign up

What does this MR do and why?

Currently, if a user joins a GitLab instance via OAuth or LDAP and their username begins with multiple leading - characters (e.g. "--"), those characters are removed so that a valid username can be created for the new user. Illegal characters such as *&^() are removed, and illegal extensions such as .git and .atom are also removed.

This change extends that behavior to all leading legal separator characters: "-", "_" and ".". It also trims them from the end of the potential username and removes consecutive separator characters, so the resulting username passes the check in Gitlab::Regex.oci_repository_path_regex.

The new behavior should apply to users created via LDAP, OAuth, and SCIM. It may be worth extending this behavior to LDAP certificate auth and smart card auth, but since those didn't have exactly the same logic, I left them out for now.
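As an added illustration (not GitLab's own code), here is a small Ruby normaliser that applies the cleanup rules described above to an external OAuth/LDAP/SCIM username. The OCI_PATH_LIKE pattern is an assumption modelled on the OCI repository-name rule and stands in for Gitlab::Regex.oci_repository_path_regex; collapsing a run of separators to a single character is the reading of "removes consecutive legal characters" assumed here.

```ruby
# Added example, not GitLab's implementation. Normalises a username taken
# from an external identity provider so it can be used as a GitLab username.

# Extensions that must not terminate a username.
ILLEGAL_SUFFIXES = %w[.git .atom].freeze

# Assumed stand-in for Gitlab::Regex.oci_repository_path_regex: one or more
# alphanumerics, optionally followed by groups of a single separator plus
# more alphanumerics. No leading, trailing or doubled separators.
OCI_PATH_LIKE = /\A[a-zA-Z0-9]+(?:[._-][a-zA-Z0-9]+)*\z/

# Characters other than alphanumerics and the legal separators - _ .
ILLEGAL_CHARS = /[^a-zA-Z0-9._-]/

def clean_external_username(raw)
  # 1. Drop illegal characters such as *&^().
  name = raw.to_s.gsub(ILLEGAL_CHARS, '')

  # Steps 2-4 can expose each other's problems (e.g. "--mary.git--" only
  # reveals its ".git" suffix once the trailing dashes are gone), so repeat
  # until the name stops changing.
  loop do
    before = name
    # 2. Drop illegal extensions.
    ILLEGAL_SUFFIXES.each { |suffix| name = name.delete_suffix(suffix) }
    # 3. Trim separator characters from both ends.
    name = name.gsub(/\A[._-]+|[._-]+\z/, '')
    # 4. Collapse any run of separators to its first character.
    name = name.gsub(/[._-]{2,}/) { |run| run[0] }
    break if name == before
  end

  name
end

# True when the cleaned name satisfies the assumed OCI-style check.
def valid_username?(name)
  !name.empty? && name.match?(OCI_PATH_LIKE)
end

if __FILE__ == $PROGRAM_NAME
  %w[mary-- --Mary.git-- m*&^()ary john..doe__smith-.-x ___].each do |raw|
    cleaned = clean_external_username(raw)
    puts "#{raw.inspect} -> #{cleaned.inspect} valid=#{valid_username?(cleaned)}"
  end
end
```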

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Screenshots or screen recordings

Screenshots are required for UI changes, and strongly recommended for all other merge requests.

Before: Screenshot_2024-02-16_at_11.45.47_AM (image not included)
After: Screenshot_2024-02-16_at_1.37.35_PM (image not included)

How to set up and validate locally

  1. Configure your local GDK to allow LDAP sign-in as per the GDK howto.
  2. In gitlab-openldap/frontend.example.com.ldif, alter user mary to have the following info:
    dn: uid=mary--,ou=people,dc=example,dc=com
    objectClass: inetOrgPerson
    objectClass: posixAccount
    objectClass: shadowAccount
    uid: Mary--
    ...
  3. Run cd gitlab-openldap && make clean default to reload the data in LDAP.
  4. Ensure there is no pre-existing mary user in your local GDK install (use gdk reset-data if needed).
  5. Attempt to log in via LDAP with the username mary-- and the default password.
  6. On the main branch, this should fail with the error seen above. With this change, you should be able to log in as expected.

Related to #439623 (closed)

Edited by Andrew Evans