GitLab Pages does not regenerate OAuth
Summary
GitLab Pages does not regenerate its OAuth client ID and client secret if the OAuth Application entry is deleted from GitLab.
Steps to reproduce
- Enable GitLab Pages access control.
- Delete the corresponding OAuth application.
- Navigate to Pages that are not accessible to everyone.
Example Project
N/A
What is the current bug behavior?
Deleting the OAuth application permanently breaks GitLab Pages access control.
What is the expected correct behavior?
Deleting the OAuth application does not permanently break GitLab Pages access control. I.e. GitLab Pages discovers that its OAuth application is not a thing and makes a new one.
Relevant logs and/or screenshots
Sometimes I get 404s instead. On my instance, if I navigate to http://projects.pages.example.com/auth, I get the same error as the image above, after being redirected to http://gitlab.example.com/oauth/authorize?client_id=****&redirect_uri=http://projects.pages.example.com/auth&response_type=code&state=****
Output of checks
Results of GitLab environment info
System information
System:
Proxy: no
Current User: git
Using RVM: no
Ruby Version: 2.4.5p335
Gem Version: 2.7.6
Bundler Version:1.16.6
Rake Version: 12.3.1
Redis Version: 3.2.12
Git Version: 2.18.1
Sidekiq Version:5.2.1
Go Version: unknown

GitLab information
Version: 11.5.0-ee
Revision: cb71fca
Directory: /opt/gitlab/embedded/service/gitlab-rails
DB Adapter: postgresql
DB Version: 9.6.8
URL: http://gitlab.example.com
HTTP Clone URL: http://gitlab.example.com/some-group/some-project.git
SSH Clone URL: git@gitlab.example.com:some-group/some-project.git
Elasticsearch: no
Geo: yes
Geo node: Primary
Using LDAP: yes
Using Omniauth: yes
Omniauth Providers: saml

GitLab Shell
Version: 8.4.1
Repository storage paths:
- default: /data/gitlab/git-data/repositories
Hooks: /opt/gitlab/embedded/service/gitlab-shell/hooks
Git: /opt/gitlab/embedded/bin/git
Results of GitLab application Check
Checking GitLab Shell ...
GitLab Shell version >= 8.4.1 ? ... OK (8.4.1)
hooks directories in repos are links: ...
...
9/900 ... ok
3/901 ... repository is empty
...
Running /opt/gitlab/embedded/service/gitlab-shell/bin/check
Check GitLab API access: OK
Redis available via internal API: OK
Access to /var/opt/gitlab/.ssh/authorized_keys: OK
gitlab-shell self-check successful
Checking GitLab Shell ... Finished
Checking Gitaly ...
default ... OK
Checking Gitaly ... Finished
Checking Sidekiq ...
Running? ... yes
Number of Sidekiq processes ... 1
Checking Sidekiq ... Finished
Checking Reply by email ...
IMAP server credentials are correct? ... no
Try fixing it:
An error occurred: Net::IMAP::NoResponseError: Authentication failed.
Check that the information in config/gitlab.yml is correct
For more information see:
doc/administration/reply_by_email.md
Please fix the error above and rerun the checks.
Init.d configured correctly? ... skipped
MailRoom running? ... skipped
Checking Reply by email ... Finished
Checking LDAP ...
Server: ldapmain
not verifying SSL hostname of LDAPS server 'mss-dc01.MillenniumSpaceSystems.local:636'
LDAP authentication... Success
LDAP users with access to your GitLab server (only showing the first 100 results)
...
Checking LDAP ... Finished
Checking GitLab ...
Git configured correctly? ... yes
Database config exists? ... yes
All migrations up? ... yes
Database contains orphaned GroupMembers? ... no
GitLab config exists? ... yes
GitLab config up to date? ... yes
Log directory writable? ... yes
Tmp directory writable? ... yes
Uploads directory exists? ... yes
Uploads directory has correct permissions? ... yes
Uploads directory tmp has correct permissions? ... no
Try fixing it:
sudo chown -R git /data/gitlab-rails/uploads
sudo find /data/gitlab-rails/uploads -type f -exec chmod 0644 {} ;
sudo find /data/gitlab-rails/uploads -type d -not -path /data/gitlab-rails/uploads -exec chmod 0700 {} ;
For more information see:
doc/install/installation.md in section "GitLab"
Please fix the error above and rerun the checks.
Init script exists? ... skipped (omnibus-gitlab has no init script)
Init script up-to-date? ... skipped (omnibus-gitlab has no init script)
Projects have namespace: ...
207/904 ... yes
3/905 ... yes
82/908 ... yes
207/909 ... yes
Redis version >= 2.8.0? ... yes
Ruby version >= 2.3.5 ? ... yes (2.4.5)
Git version >= 2.9.5 ? ... yes (2.18.1)
Git user has default SSH configuration? ... yes
Active users: ... 210
Elasticsearch version 5.1 - 5.5? ... skipped (elasticsearch is disabled)
Checking GitLab ... Finished
Possible fixes
This can be manually fixed by setting gitlab_secret and gitlab_id to null in gitlab_pages in /etc/gitlab/gitlab-secrets.json.
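One way to apply the manual fix above without hand-editing a file full of secrets, as an added example (not code from the issue or from GitLab). The function name, the `.bak` backup suffix and the 0600 file mode are choices made here; that the values are then regenerated on the next `gitlab-ctl reconfigure` is an assumption, not something the issue states.

```python
import json
import os
import shutil
import tempfile

SECRETS_PATH = "/etc/gitlab/gitlab-secrets.json"  # path given in the issue
KEYS = ("gitlab_id", "gitlab_secret")             # keys named in the issue


def reset_pages_oauth(path=SECRETS_PATH):
    """Null the Pages OAuth client id/secret; return the keys that changed."""
    with open(path, encoding="utf-8") as fh:
        secrets = json.load(fh)
    pages = secrets.get("gitlab_pages")
    if not isinstance(pages, dict):
        raise KeyError("no gitlab_pages section in " + path)
    changed = [k for k in KEYS if pages.get(k) is not None]
    if not changed:
        return []  # already null: leave the file untouched
    # Keep the old credentials for rollback, readable by the owner only.
    backup = path + ".bak"
    shutil.copy2(path, backup)
    os.chmod(backup, 0o600)
    for key in KEYS:
        pages[key] = None  # serialised as JSON null
    # Write to a temp file in the same directory and rename over the
    # original, so a crash never leaves a half-written secrets file.
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as fh:
            json.dump(secrets, fh, indent=2)
            fh.write("\n")
        os.chmod(tmp, 0o600)
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise
    return changed


if __name__ == "__main__":
    # Run as root on the GitLab host. Assumption: the next
    # `gitlab-ctl reconfigure` then regenerates the Pages OAuth application.
    print("reset:", reset_pages_oauth() or "nothing to do")
```

The backup still contains every secret from the original file, so remove it once Pages access control works again.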