Bug: Gokapi crashes if OIDC returns null in groups

[domingo13]

I have setup OIDC authentication with a limit on group membership.

If a user is not in a group the returned value is "null" which crashes Gokapi consistently:

██████  ██████   ██  ██  █████  ██████  ██  ██       ██    ██ ██  ██  ██   ██ ██   ██ ██  ██  ███ ██  ██ █████   ███████ ██████  ██  ██  ██ ██  ██ ██  ██  ██   ██ ██      ██   ██████   ██████  ██  ██ ██  ██ ██  ██                                       

Gokapi v1.9.0 starting Saving new files to local storage Binding webserver to :53842 Webserver can be accessed at https://share.xxx/admin Press CTRL+C to stop Gokapi 2024/07/28 18:08:30 http: panic serving 172.23.0.2:50044: interface conversion: interface {} is nil, not []interface {} goroutine 73 [running]: net/http.(conn).serve.func1() /usr/local/go/src/net/http/server.go:1898 +0xbe panic({0xdaf940?, 0xc0004fd4d0?}) /usr/local/go/src/runtime/panic.go:770 +0x132 github.com/forceu/gokapi/internal/webserver/authentication.extractOauthGroups({0x2cb1d40, 0xc000486640}, {0xc0003c82a6, 0x6}) /compile/internal/webserver/authentication/Authentication.go:174 +0x285 github.com/forceu/gokapi/internal/webserver/authentication.CheckOauthUserAndRedirect({{0xc000533020, 0x24}, {0x0, 0x0}, {0x2cb1d40, 0xc000486640}}, {0x2cb66d8, 0xc0000a0000}) /compile/internal/webserver/authentication/Authentication.go:237 +0xfb github.com/forceu/gokapi/internal/webserver/authentication/oauth.HandlerCallback({0x2cb66d8, 0xc0000a0000}, 0xc0003aa120) /compile/internal/webserver/authentication/oauth/Oauth.go:105 +0x2bd net/http.HandlerFunc.ServeHTTP(0xc00048f1e0?, {0x2cb66d8?, 0xc0000a0000?}, 0x9b17da?) /usr/local/go/src/net/http/server.go:2166 +0x29 net/http.(ServeMux).ServeHTTP(0x46a6d9?, {0x2cb66d8, 0xc0000a0000}, 0xc0003aa120) /usr/local/go/src/net/http/server.go:2683 +0x1ad net/http.serverHandler.ServeHTTP({0xc00062ec30?}, {0x2cb66d8?, 0xc0000a0000?}, 0x6?) /usr/local/go/src/net/http/server.go:3137 +0x8e net/http.(conn).serve(0xc0003c67e0, {0x2cb6f88, 0xc00062e420}) /usr/local/go/src/net/http/server.go:2039 +0x5e8 created by net/http.(Server).Serve in goroutine 28 /usr/local/go/src/net/http/server.go:3285 +0x4b4 Shutting down...

If I use a user with any group membership this doesn't occur, and the right membership gives the user access.

The authentication server is Authelia, the Gokapi config looks like this:

{ "Authentication": { "Method": 1, "SaltAdmin": "xx", "SaltFiles": "xx", "Username": "zz", "Password": "zz", "HeaderKey": "", "OauthProvider": "https://auth.xxx", "OAuthClientId": "gokapi", "OAuthClientSecret": "xxx", "OauthUserScope": "", "OauthGroupScope": "groups", "OAuthRecheckInterval": 12, "HeaderUsers": null, "OAuthGroups": [ "gokapi" ], "OauthUsers": [] }, "Port": ":53842", "ServerUrl": "https://share.xxx/", "RedirectUrl": "https://lnxgeek.org/", "PublicName": "Gokapi", "DataDir": "data", "DatabaseUrl": "redis://redis:6379?prefix=gokapi_", "ConfigVersion": 21, "LengthId": 15, "MaxFileSizeMB": 102400, "MaxMemory": 50, "ChunkSize": 45, "MaxParallelUploads": 4, "Encryption": { "Level": 0, "Cipher": null, "Salt": "", "Checksum": "", "ChecksumSalt": "" }, "UseSsl": false, "PicturesAlwaysLocal": false, "SaveIp": true, "IncludeFilename": true }

[domingo13]

Here is the response from Authelia when it crashes:

{"amr":["pwd","otp","mfa"],"aud":["gokapi"],"auth_time":1722190082,"azp":"gokapi","client_id":"gokapi","groups":null,"iat":1722190088,"iss":"https://auth.xxx","name":"User1","preferred_username":"user1","sub":"316697f5-7f64-4bd9-ac8b-bc84d7df423a"}

[Forceu]

Thank you for the bug report! I will have a look at it tomorrow

[Forceu]

@domingo13 Unfortunately I was unable to reproduce the problem with Authelia. Can you post your (redacted) Authelia configuration as well? Also what version of Gokapi and Authelia are you using? And have you been following this guide? https://gokapi.readthedocs.io/en/stable/examples.html#server-configuration

[domingo13]

Sure :-)

Gokapi v. 1.9.0 Authelia v. 4.38.9

This is the Authelia configuration:

---

theme: auto default_2fa_method: totp default_redirection_url: https://auth.xxx server: address: tcp://0.0.0.0:9091/ log: level: info totp: disable: false algorithm: sha1 digits: 6 period: 30 skew: 1 secret_size: 32 webauthn: disable: false display_name: 'Authelia' timeout: 60s attestation_conveyance_preference: indirect user_verification: preferred authentication_backend: password_reset: disable: false refresh_interval: 5m ldap: implementation: custom timeout: 5s start_tls: false attributes: username: uid display_name: displayName group_name: cn mail: mail additional_users_dn: ou=people users_filter: "(&({username_attribute}={input})(objectClass=person))" additional_groups_dn: ou=groups groups_filter: "(member={dn})" password_policy: standard: enabled: false min_length: 8 max_length: 0 require_uppercase: true require_lowercase: true require_number: true require_special: false access_control: default_policy: two_factor session: name: authelia_session redis: host: redis port: 6379 regulation: max_retries: 3 find_time: 2m ban_time: 5m storage: local: path: /config/db.sqlite3 notifier: disable_startup_check: false

identity_providers: oidc: enable_client_debug_messages: true

cors:
  endpoints:
    - authorization
    - token
    - revocation
    - introspection
    - userinfo
  allowed_origins:
    - https://auth.xxx
  allowed_origins_from_client_redirect_uris: false
clients:

  - client_id: 'xxx'
    client_name: 'Gokapi'
    client_secret: '$argon2xxx'
    public: false
    authorization_policy: 'two_factor'
    redirect_uris:
      - 'https://share.xxx/oauth-callback'
    scopes:
      - 'openid'
      - 'profile'
      - 'email'
      - 'groups'
    userinfo_signed_response_alg: 'none'
    token_endpoint_auth_method: 'client_secret_basic'
    consent_mode: 'auto'
    pre_configured_consent_duration: '1M'

All the secrets are provided by envirionments in the docker-compose file.

I tried to follow the guide as good as I could.

Let me know if you need anything else.

[Forceu]

Okay, I assume the problem is your group filter for LDAP. In the Authelia documentation they use

 additional_groups_dn: 'OU=groups'
    groups_filter: '(&(member={dn})(objectClass=groupOfNames))'
    group_search_mode: 'filter' 

Does that work? At least that would explain why the groups are sent as null instead of an empty array.

[Forceu]

Fixed in 3130917

[domingo13]

It seem to be the way Authelia handles an emtpy object when the ldap search doesn't return anything. I have tried your version of group filter and one which matches lldap (which is the backend) "(&(member={dn})(objectClass=groupOfUniqueNames))" but it ends up the same place.

Looking forward to try out your fix :-)

[Forceu]

Yes, that is indeed a strange behaviour. I don't think it is supposed to be that way, in the end I was able to reproduce it even without LDAP. I might open an issue at their project later on.

If you are using the docker image, you can already try the fix with the tag gokapi:latest-dev

[domingo13]

And it does the trick :-) No more crashing

[Forceu]

Great to hear, thanks! :)