GitLab reports 'NoMethodError' triggered by erroneous CAS server behavior
Summary
GitLab returns a 500 error when it receives a non-existent service ticket from the CAS authentication server, whereas it should ignore the ticket.
Steps to reproduce
Have the CAS server post a single logout request to GitLab for a ticket ('ST-667006-ujrJssdKOjHDTncSsxf3-sso01') that does not exist in Rails.cache.
Parameters: {"logoutRequest"=>"<samlp:LogoutRequest xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\" ID=\"LR-518457-CF9qYyH1Q6rfjilZOqegKgnIxQSiZYgiLKT\" Version=\"2.0\" IssueInstant=\"2018-05-14T08:26:29Z\"><saml:NameID xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\">@NOT_USED@</saml:NameID><samlp:SessionIndex>ST-667006-ujrJssdKOjHDTncSsxf3-sso01</samlp:SessionIndex></samlp:LogoutRequest>", "url"=>"http://gitlab.example.com/users/sign_in", "name_id"=>"@NOT_USED@", "session_index"=>"ST-667006-ujrJssdKOjHDTncSsxf3-sso01"}
What is the current bug behavior?
If the CAS server posts an unknown ticket to GitLab, GitLab raises a "Service Ticket not found." error, followed by a 'NoMethodError'.
raise "Service Ticket not found." unless Gitlab::Auth::OAuth::Session.valid?(:cas3, ticket)
NoMethodError (undefined method `[]' for nil:NilClass):
lib/gitlab/etag_caching/middleware.rb:11:in `call'
lib/gitlab/request_context.rb:18:in `call'
What is the expected correct behavior?
GitLab should not report this as an error.
It should ignore a ticket that does not exist in Rails.cache, skip the remaining logout handling, and log a WARNING rather than return a 500 error.
Relevant logs and/or screenshots
production.log reports 'NoMethodError'
Started POST "/users/auth/cas3/callback?url=http%3A%2F%2Fgitlab.example.com%2Fusers%2Fsign_in" for 10.136.150.57 at 2018-05-14 08:26:29 +0800
Processing by OmniauthCallbacksController#failure as HTML
Parameters: {"logoutRequest"=>"<samlp:LogoutRequest xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\" ID=\"LR-518457-CF9qYyH1Q6rfjilZOqegKgnIxQSiZYgiLKT\" Version=\"2.0\" IssueInstant=\"2018-05-14T08:26:29Z\"><saml:NameID xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\">@NOT_USED@</saml:NameID><samlp:SessionIndex>ST-667006-ujrJssdKOjHDTncSsxf3-sso01</samlp:SessionIndex></samlp:LogoutRequest>", "url"=>"http://gitlab.example.com/users/sign_in", "name_id"=>"@NOT_USED@", "session_index"=>"ST-667006-ujrJssdKOjHDTncSsxf3-sso01"}
Can't verify CSRF token authenticity
Redirected to http://gitlab.example.com/users/sign_in
Completed 302 Found in 19ms (ActiveRecord: 0.7ms)
NoMethodError (undefined method `[]' for nil:NilClass):
lib/gitlab/etag_caching/middleware.rb:11:in `call'
lib/gitlab/request_context.rb:18:in `call'
unicorn.stdout.log reports 'Service Ticket not found.'
E, [2018-05-14T08:26:29.447736 #162251] ERROR -- omniauth: (cas3) Authentication failure! logout_request: RuntimeError, Service Ticket not found.
14/May/2018:08:26:29 +0800 gitlab.example.com POST 500
logoutRequest=%3Csamlp%3ALogoutRequest+xmlns%3Asamlp%3D%22urn%3Aoasis%3Anames%3Atc%3ASAML%3A2.0%3Aprotocol%22+ID%3D%22LR-518457-CF9qYyH1Q6rfjilZOqegKgnIxQSiZYgiLKT%22+Version%3D%222.0%22+IssueInstant%3D%222018-05-14T08%3A26%3A29Z%22%3E%3Csaml%3ANameID+xmlns%3Asaml%3D%22urn%3Aoasis%3Anames%3Atc%3ASAML%3A2.0%3Aassertion%22%3E%40NOT_USED%40%3C%2Fsaml%3ANameID%3E%3Csamlp%3ASessionIndex%3EST-667006-ujrJssdKOjHDTncSsxf3-sso01%3C%2Fsamlp%3ASessionIndex%3E%3C%2Fsamlp%3ALogoutRequest%3E
unix:/home/git/gitlab/tmp/sockets/gitlab-workhorse.socket
- 500 0.0.0.0 0.0.0.0 0.0.0.0 909 0.052 3276 0.052
/users/auth/cas3/callback?url=http%3A%2F%2Fgitlab.example.com%2Fusers%2Fsign_in
Java/1.7.0_91
Output of checks
Results of GitLab environment info
System information
System: CentOS 6.6
Current User: git
Using RVM: no
Ruby Version: 2.3.3p222
Gem Version: 2.5.2
Bundler Version:1.16.2
Rake Version: 10.5.0
Redis Version: 4.0.9
Git Version: 2.16.3
Sidekiq Version:5.0.0
Go Version: go1.9.6 linux/amd64
GitLab information
Version: 9.3.11
Revision: 8e65e4bd59
Directory: /home/git/gitlab
DB Adapter: mysql2
URL: http://gitlab.example.com
HTTP Clone URL: http://gitlab.example.com/some-group/some-project.git
SSH Clone URL: git@gitlab.example.com:some-group/some-project.git
Using LDAP: no
Using Omniauth: yes
Omniauth Providers: cas3
GitLab Shell
Version: 5.1.1
Repository storage paths:
- default: /home/git/repositories
Hooks: /home/git/gitlab-shell/hooks
Git: /usr/bin/git
Results of GitLab application Check
No error report.
Possible fixes
The "Service Ticket not found." error is triggered by
lib/gitlab/omniauth_initializer.rb:56 (>10.7)
or
config/initializers/devise.rb:246 (<10.7)
but I don't know where the "NoMethodError" is triggered.