Account autocreation from LDAP after reverse proxy authentication #18452
Conversation
Gitea allows autocreation of account from external source after successful basic auth but not after successful reverse proxy auth. This mod adds such feature. Unfortunaltely gitea does not sync all user attributes from LDAP for existing users on login like cron.sync_external_users does so changes of first name, surname, e-mail are not updated from LDAP on login for exiting users - only after first login and after sync_external_users task. Related: gogs/gogs#2498 Author-Change-Id: IB#1104925
|
This is simplified and adjusted for current main version of #12960. |
GiteaBot
added
the
lgtm/need 2
|
This is quick and dirty workaround for installations using reverse proxy auth with ldap user data backend. More elegant fixes will probably require gitea to separate auth/sync areas better like in |
|
If #18466 is accepted, than should be merged first, than this mod must use |
Gitea should synchronize same data from LDAP on user authentication that is synchronized in cron task. Fixes: a5c21f1 Related: go-gitea#18452 Author-Change-Id: IB#1104925
|
After ca00ec6 gitea is able also to reactivate user account on login if enabled in LDAP (without it user had to wait for cron task to unlock gitea account). Fullname and email are synchronized now on login also (like in cron task). |
|
This pull request has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs during the next 2 months. Thank you for your contributions. |
lunny
added
the
issue/confirmed
`SessionUser` should be protected against passing `sess` = `nil` to avoid ``` PANIC: runtime error: invalid memory address or nil pointer dereference ``` in https://github.com/go-gitea/gitea/pull/18452/files#diff-a215b82aadeb8b4c4632fcf31215dd421f804eb1c0137ec6721b980136e4442aR69 after upgrade from gitea v1.16 to v1.17. Related: go-gitea#18452 Author-Change-Id: IB#1126459
`SessionUser` should be protected against passing `sess` = `nil` to avoid ``` PANIC: runtime error: invalid memory address or nil pointer dereference ``` in https://github.com/go-gitea/gitea/pull/18452/files#diff-a215b82aadeb8b4c4632fcf31215dd421f804eb1c0137ec6721b980136e4442aR69 after upgrade from gitea v1.16 to v1.17. Related: #18452 Author-Change-Id: IB#1126459
`SessionUser` should be protected against passing `sess` = `nil` to avoid. ``` PANIC: runtime error: invalid memory address or nil pointer dereference ``` in https://github.com/go-gitea/gitea/pull/18452/files#diff-a215b82aadeb8b4c4632fcf31215dd421f804eb1c0137ec6721b980136e4442aR69 after upgrade from gitea v1.16 to v1.17. Related: go-gitea#18452 Author-Change-Id: IB#1126459
Fixes: adac68d Related: go-gitea#21358 Related: go-gitea#18452 Author-Change-Id: IB#1126459
Backport #21358 `SessionUser` should be protected against passing `sess` = `nil` to avoid ``` PANIC: runtime error: invalid memory address or nil pointer dereference ``` in https://github.com/go-gitea/gitea/pull/18452/files#diff-a215b82aadeb8b4c4632fcf31215dd421f804eb1c0137ec6721b980136e4442aR69 after upgrade from gitea v1.16 to v1.17. Related: #18452
|
@pboguslawski What is the state of this PR? |
denyskon
added
the
issue/needs-feedback
The status of this PR is We use this extension and it works fine for us. Let us know if you want to merge it - will update to current main then. |
techknowlogick
removed
the
issue/needs-feedback
services/auth/reverseproxy.go
Outdated
| // Just return user if session is estabilshed already. | ||
| user := SessionUser(sess) | ||
| if user != nil { | ||
| return user | ||
| } |
There was a problem hiding this comment.
This mixes the Session provider into the reverse proxy. I think we should not do this. Is it needed for the new logic?
There was a problem hiding this comment.
This mixes the
Sessionprovider into the reverse proxy. I think we should not do this. Is it needed for the new logic?
Reverse proxy is/should be for user authentication stuff not Gitea's session handling IHMO. So there is no point in user verification if already verified (established session). Don't see problem with it.
There was a problem hiding this comment.
Then it's just a wrong execution order and the session provider should be checked first.
There was a problem hiding this comment.
SessionUser(sess) is called first and used if session is already estabilshed; if no session is established, new session is created. Don't see any problem here. If you see problem here, please propose exact code fix.
There was a problem hiding this comment.
The session handler is already called before the reverse proxy handler:
Lines 104 to 111 in cb10f27
There was a problem hiding this comment.
Fixed in dfc544c. Thanks for pointing.
denyskon
added
type/feature
Fixes: a5c21f1 Related: go-gitea#18452 (comment) Author-Change-Id: IB#1104925 Signed-off-by: Pawel Boguslawski <pawel.boguslawski@ib.pl>
pull-request-size
bot
added
the
size/M
Gitea allows autocreation of account from external source after successful
basic auth but not after successful reverse proxy auth. This mod adds such
feature.
It also adds full name, email and is_active synchronization from LDAP on
user login (as cron task already does).
Related: gogs/gogs#2498
Author-Change-Id: IB#1104925