[org] Disallow logins with organizational Git Auth #16874


Merged (1 commit, Mar 16, 2023)

Conversation

@AlexTugarev (Member) commented Mar 16, 2023

Description

We need to make sure that login with organizational Git Auth is not permitted. Organizational Git Auth providers are limited to Git operations and API calls only.

Related Issue(s)

Fixes #16873

How to test

  1. Create an org
  2. Create Git Auth for that org (it doesn't need to be a valid Git provider; any random but reachable GitLab host will do)
  3. Try to log in by navigating to /api/login?host=some-gitlab.com
  4. Verify that no redirect to the Git provider is attempted.

Release Notes

NONE

Documentation

Build Options:

  • /werft with-werft
    Run the build with werft instead of GHA
  • leeway-no-cache
  • /werft no-test
    Run Leeway with --dont-test
Publish Options:
  • /werft publish-to-npm
  • /werft publish-to-jb-marketplace
Installer Options:
  • with-ee-license
  • with-dedicated-emulation
  • with-ws-manager-mk2
  • workspace-feature-flags
    Add desired feature flags to the end of the line above, space separated

Preview Environment Options:

  • /werft with-local-preview
    If enabled this will build install/preview
  • /werft with-preview
  • /werft with-large-vm
  • /werft with-gce-vm
    If enabled this will create the environment on GCE infra
  • /werft with-integration-tests=all
    Valid options are all, workspace, webapp, ide, jetbrains, vscode, ssh

@AlexTugarev AlexTugarev requested a review from a team March 16, 2023 07:41
@github-actions github-actions bot added the team: webapp Issue belongs to the WebApp team label Mar 16, 2023
@werft-gitpod-dev-com started the job as gitpod-build-at-org-git.1 because the annotations in the pull request description changed (with .werft/ from main)

"authorize-flow": true,
ap: authProvider.info,
});
res.redirect(this.getSorryUrl(`Login with "${host}" is not permitted.`));
Member


Is there a better call to action we can include? What should the user do when this happens?

Member Author


Great question.
The response here is what's done on bad requests in that area. The legacy sorry page is used as a sink where we're lacking proper rendering on the dashboard.
Why call that a bad request? Those organizational Git Auth providers won't be available on the Login screen; they are not meant to be included there. Here we are guarding against forged requests to the /api/login endpoint parameterized with the host of an organizational Git Auth provider.
Given that one cannot reach this point by navigating any link, I don't think it makes sense to provide any CTA. But that's definitely biased, so if you find anything helpful, let's do that.
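To make the guard discussed in this thread concrete, here is an added TypeScript illustration. It is not Gitpod's code and not part of the thread: a pure function modelling what a login endpoint of the shape /api/login?host=... should decide for a given host parameter. The type and function names (AuthProviderEntry, LoginDecision, findProviderForHost, handleLoginRequest, SAMPLE_PROVIDERS), the sample provider list and the OAuth authorize URL shape are all assumptions made for this example; the denial uses the reviewer's suggested 400 status rather than a sorry-page redirect.

```typescript
// Added illustration, not Gitpod's code. All names below are hypothetical and
// the provider list is constructed sample data for this example.

type AuthProviderEntry = {
  host: string;            // Git host the provider is registered for
  type: "GitHub" | "GitLab" | "Bitbucket";
  organizationId?: string; // present only for organization-scoped Git Auth
};

type LoginDecision =
  | { kind: "redirect"; status: number; location: string }
  | { kind: "rejected"; status: number; message: string };

// Constructed sample data: one instance-wide provider, one org-scoped Git Auth.
const SAMPLE_PROVIDERS: AuthProviderEntry[] = [
  { host: "github.com", type: "GitHub" },
  { host: "gitlab.acme.example", type: "GitLab", organizationId: "org-123" },
];

// Case-insensitive, whitespace-tolerant lookup so that "GitLab.ACME.example "
// cannot slip past the check by differing only in form from the stored host.
function findProviderForHost(
  host: string,
  providers: AuthProviderEntry[],
): AuthProviderEntry | undefined {
  const wanted = host.trim().toLowerCase();
  return providers.find((p) => p.host.toLowerCase() === wanted);
}

// Decide what the login endpoint should do for a given host parameter.
function handleLoginRequest(
  rawHost: string | undefined,
  providers: AuthProviderEntry[],
): LoginDecision {
  if (!rawHost) {
    return { kind: "rejected", status: 400, message: "Missing host parameter." };
  }
  const provider = findProviderForHost(rawHost, providers);
  if (!provider) {
    return { kind: "rejected", status: 400, message: `Unknown host "${rawHost}".` };
  }
  // The guard this PR is about: an org-scoped Git Auth provider is never a
  // login provider, even when a hand-crafted request names its host. Deny
  // before any redirect to the provider is issued.
  if (provider.organizationId !== undefined) {
    return {
      kind: "rejected",
      status: 400,
      message: `Login with "${provider.host}" is not permitted.`,
    };
  }
  // Instance-wide provider: hand off to its OAuth flow. The path and the
  // client id are placeholders, not any real provider's endpoint.
  const location =
    `https://${provider.host}/oauth/authorize?client_id=` +
    encodeURIComponent("CLIENT_ID_PLACEHOLDER");
  return { kind: "redirect", status: 302, location };
}

// Walk the three cases so the block can be run on its own.
function demo(): void {
  for (const host of ["github.com", "gitlab.acme.example", "unknown.example"]) {
    const decision = handleLoginRequest(host, SAMPLE_PROVIDERS);
    const detail = decision.kind === "redirect" ? decision.location : decision.message;
    console.log(`${host} -> ${decision.kind} ${decision.status}: ${detail}`);
  }
}

demo();
```

The point of the structure is that the org-scope check sits before the redirect is constructed, so a forged request for an organizational host never reaches the provider at all; the only observable result is a 400 with a fixed message, which is also easy to alert on in the server's access logs.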

Member


I'm ok with this, given that it's not a case a user can end up in during regular use.

☁️ To better highlight this, we could also just return a 400 (Bad Request). But I think that's more cosmetic.

@geropl (Member) commented Mar 16, 2023

Trying to test this now...

@geropl (Member) commented Mar 16, 2023

Works in the test.

A tad weird:

  • I get redirected to the sorry page, but as I'm not logged in, I get the login page rendered (while the URL stays the sorry URL).
  • What's not so nice is that once I follow the login, I see the error page because we redirect to it after login (although I already moved beyond that error).

But again, this is a weird edge case in the first place. 🧘

@geropl (Member) left a comment

Code LGTM, tested and works ✔️

@roboquat roboquat merged commit b39902f into main Mar 16, 2023
@roboquat roboquat deleted the at/org-git branch March 16, 2023 13:07
@roboquat roboquat added deployed: webapp Meta team change is running in production deployed Change is completely running in production labels Mar 20, 2023
Labels: deployed: webapp (Meta team change is running in production), deployed (Change is completely running in production), release-note-none, size/S, team: webapp (Issue belongs to the WebApp team)
Linked issue (may be closed by merging this pull request): [org] Disallow login with Git Auth providers