Closed
Description
When using GitLab as a provider and setting the option --gitlab-project=ska-telescope/ska-tango-images=30, there is a panic caused at https://github.com/oauth2-proxy/oauth2-proxy/blob/master/providers/gitlab.go#L334 when the user has no access, as perms is a nil value at this point.
Expected Behavior
No panic caused - user gets the expected 403 screen as they have no access.
Current Behavior
User gets a 502 gateway error. oauth2-proxy panics:
2021/03/18 06:58:01 http: panic serving 127.0.0.1:45824: runtime error: invalid memory address or nil pointer dereference
goroutine 568 [running]:
net/http.(*conn).serve.func1(0xc000124be0)
/usr/local/go/src/net/http/server.go:1824 +0x153
panic(0xc84f20, 0x135ed50)
/usr/local/go/src/runtime/panic.go:971 +0x499
github.com/oauth2-proxy/oauth2-proxy/v7/providers.(*GitLabProvider).addProjectsToSession(0xc00020fd00, 0xe89098, 0xc000507140, 0xc00018e480)
/go/src/github.com/oauth2-proxy/oauth2-proxy/providers/gitlab.go:335 +0x154
github.com/oauth2-proxy/oauth2-proxy/v7/providers.(*GitLabProvider).EnrichSession(0xc00020fd00, 0xe89098, 0xc000507140, 0xc00018e480, 0x1, 0x0)
/go/src/github.com/oauth2-proxy/oauth2-proxy/providers/gitlab.go:301 +0x174
main.(*OAuthProxy).enrichSessionState(0xc000142900, 0xe89098, 0xc000507140, 0xc00018e480, 0x0, 0x9)
/go/src/github.com/oauth2-proxy/oauth2-proxy/oauthproxy.go:882 +0x63
Possible Solution
diff --git a/providers/gitlab.go b/providers/gitlab.go
index f54430f..d0e090c 100644
--- a/providers/gitlab.go
+++ b/providers/gitlab.go
@@ -331,7 +331,7 @@ func (p *GitLabProvider) addProjectsToSession(ctx context.Context, s *sessions.S
perms = projectInfo.Permissions.GroupAccess
}
- if perms.AccessLevel >= project.AccessLevel {
+ if perms != nil && perms.AccessLevel >= project.AccessLevel {
s.Groups = append(s.Groups, fmt.Sprintf("project:%s", project.Name))
} else {
logger.Errorf("Warning: user %q does not have the minimum required access level for project %q", s.Email, project.Name)
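Review bot: the guard `perms != nil && perms.AccessLevel >= project.AccessLevel` removes the dereference, but the hunk adds no test for the case where both project_access and group_access are null (the public-project, non-member situation described in this issue); a unit test for addProjectsToSession that feeds a project with both permission entries nil and asserts that no panic occurs and the project is not appended to s.Groups would pin the fix. Two smaller points: the else branch now also handles the nil case, so the logged message "does not have the minimum required access level" is reached for users with no permission entry at all, which is acceptable but worth a comment, and the message text starts with "Warning:" while being emitted via logger.Errorf, so the prefix and the log level disagree.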
Steps to Reproduce (for bugs)
Configure with options like --gitlab-project=ska-telescope/ska-tango-images=30, and try to log in with a user that has no access.
Your Environment
- Version used: affects current head and v7.
Activity
NickMeves commented on Mar 18, 2021
Thanks for the report! Can you coordinate with @papey - they added this project authorization logic to the GitLab provider.
Neither @JoelSpeed nor myself use the GitLab provider, so we'll need someone from the community to make a PR that we can review.
piersharding commented on Mar 19, 2021
Thanks @NickMeves. Hi @papey, does the perms != nil (above) check make sense?
papey commented on Mar 19, 2021
Hi @piersharding, just to get more context, is the user a member of the project with no access?
Last time I checked Gitlab project description returns something like this in the response
And there is a fallback mechanism at oauth2-proxy/providers/gitlab.go, lines 329 to 332 in 4d9de06
piersharding commented on Mar 19, 2021
Thanks for getting back to me. The user has no specific access to the project https://gitlab.com/ska-telescope/ska-tango-images , but the project is publicly readable.
It appears that the fallback (described at #1111 (comment)) also returns nil, which then causes the panic as described.
papey commented on Mar 19, 2021
Thanks for the feedback, after querying Gitlab, I confirm that group_access is set to null in the API response when querying a public project. I think your fix is the way to go, if you want to make the PR go for it, otherwise @ me and I will do it.
Thanks !
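The following is an added example, not code from oauth2-proxy or from anyone in this thread. It models the two GitLab permission entries as pointers so that a JSON null (as confirmed above for group_access on a public project) decodes to nil, reproduces the provider's project_access-then-group_access fallback, and applies the guarded comparison from the issue's patch so that a nil entry yields "no access" instead of a nil pointer dereference. The struct and function names, and the three sample responses, are constructed for this illustration and are not the provider's own.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Minimal model of the GitLab project response fields relevant here.
// Both entries are pointers: GitLab returns JSON null for an entry that
// does not apply, and a null must decode to nil rather than to a zero value
// that would silently pass as access_level 0.
type accessLevel struct {
	AccessLevel int `json:"access_level"`
}

type permissions struct {
	ProjectAccess *accessLevel `json:"project_access"`
	GroupAccess   *accessLevel `json:"group_access"`
}

type projectInfo struct {
	Permissions permissions `json:"permissions"`
}

// effectivePerms mirrors the fallback discussed in this thread: prefer
// project_access, otherwise group_access. It returns nil when both are null,
// which is exactly the value the unguarded comparison dereferenced.
func effectivePerms(p projectInfo) *accessLevel {
	if p.Permissions.ProjectAccess != nil {
		return p.Permissions.ProjectAccess
	}
	return p.Permissions.GroupAccess
}

// hasRequiredAccess is the guarded form of the check: a nil perms value is
// treated as "no access" (deny) instead of being dereferenced.
func hasRequiredAccess(p projectInfo, required int) bool {
	perms := effectivePerms(p)
	return perms != nil && perms.AccessLevel >= required
}

// checkProjectJSON decodes a raw API response body and applies the check.
func checkProjectJSON(raw []byte, required int) (bool, error) {
	var p projectInfo
	if err := json.Unmarshal(raw, &p); err != nil {
		return false, err
	}
	return hasRequiredAccess(p, required), nil
}

// Constructed sample responses (hypothetical, not captured from gitlab.com).
const (
	publicNoMember = `{"permissions":{"project_access":null,"group_access":null}}`
	developer      = `{"permissions":{"project_access":{"access_level":30},"group_access":null}}`
	groupReporter  = `{"permissions":{"project_access":null,"group_access":{"access_level":20}}}`
)

func main() {
	samples := map[string]string{
		"public-non-member": publicNoMember,
		"developer":         developer,
		"group-reporter":    groupReporter,
	}
	// Required level 30 matches the "=30" suffix used in the issue's option.
	for name, raw := range samples {
		ok, err := checkProjectJSON([]byte(raw), 30)
		fmt.Printf("%s: allowed=%v err=%v\n", name, ok, err)
	}
}
```

With this shape the public-project, non-member case denies cleanly, so the proxy can return its normal 403 instead of a 502 from a recovered panic; the point of using pointer fields is that nil is the only faithful representation of a JSON null, and a guard at the comparison site is what keeps that nil from being dereferenced.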
piersharding commented on Mar 19, 2021
Thanks @papey - I created #1113 .
Cheers.