bufferoverflow / verdaccio-gitlab

private npm registry (Verdaccio) using gitlab-ce as authentication and authorization provider
MIT License

Invalid projects URL prevent authentication #74

Open simon-jouet opened 5 years ago

simon-jouet commented 5 years ago

First off, thanks for verdaccio-gitlab it's been great to use!

I just migrated my gitlab from one server to another and moved verdaccio with it. At the same time I upgraded the version of both gitlab and verdaccio but I'm running into some issues now with the authentication.

Looking a bit into it I get this error from verdaccio

[2019-05-10 09:04:20]  info <-- 10.0.1.4 requested 'PUT /-/user/org.couchdb.user:simon-jouet'
[2019-05-10 09:04:20]  error--- [gitlab] user: simon-jouet error querying gitlab: StatusCodeError: 404 - {"error":"404 Not Found"}
[2019-05-10 09:04:20]  http <-- 401, user: null(62.30.156.32 via 10.0.1.4), req: 'PUT /-/user/org.couchdb.user:simon-jouet', error: error authenticating user
[2019-05-10 09:04:20]  http <-- 401, user: null(62.30.156.32 via 10.0.1.4), req: 'PUT /-/user/org.couchdb.user:simon-jouet', error: error authenticating user

and looking into gitlab API logs, I noticed that url called to get the projects is incorrect

10.0.3.4 - - [10/May/2019:09:04:20 +0000] "GET /api/v4/user HTTP/1.1" 200 810 "" "-"
10.0.3.4 - - [10/May/2019:09:04:20 +0000] "GET /api/v4/groups?min_access_level=40 HTTP/1.1" 200 563 "" "-"
10.0.3.4 - - [10/May/2019:09:04:20 +0000] "GET /api/v4/projects?min_access_level=40 HTTP/1.1" 200 39581 "" "-"
10.0.3.4 - - [10/May/2019:09:04:20 +0000] "GET /api/v4/https://<my_gitlab_url>/api/v4/projects?membership=false&min_access_level=40&order_by=created_at&owned=false&page=2&per_page=20&simple=false&sort=desc&starred=false&statistics=false&with_custom_attributes=false&with_issues_enabled=false&with_merge_requests_enabled=false HTTP/1.1" 404 25 "" "-"

In that you can see that the final call is /api/v4 but then the absolute url to the gitlab project is used.

For the time being I reverted to the previous version of verdaccio-gitlab with image: bufferoverflow/verdaccio-gitlab@sha256:1a5c2e910cff98f2ab3c8030c868c8d2013274f0a0edaf83ba6a01270f5900ef and it seems to be working.

dlouzan commented 5 years ago

This is quite a funny effect. Seems to have been introduced by #62 but caused by the Gitlab library itself, not us. One of the changes in that PR was to use the projects API call, but somehow it builds the query to gitlab incorrectly. I wasn't myself able to reproduce the issue.

I checked the changelog of the gitlab library but didn't find anything in this direction.

@bufferoverflow @jstarry What do you think?

dlouzan commented 5 years ago

@simon-jouet No sorry, my mistake, I'm diving deeper into this but I don't think the request comes from verdaccio-gitlab, the correct projects call is just before the funny query. I don't think the query in gitlab is coming from us, and in fact you can see in the logs that verdaccio-gitlab reports a 401 (missing auth).

Are you sure you don't have some extra plugin around querying that?

dlouzan commented 5 years ago

Otherwise this might have to do with the latest changes in verdaccio, or the logs are out of order :-?

dlouzan commented 5 years ago

@simon-jouet Are you by chance using url_prefix in verdaccio with a full url? If so, this might be a regression somehow caused by https://github.com/verdaccio/verdaccio/pull/1299

simon-jouet commented 5 years ago

Thanks @dlouzan, getting back to you on the points you've made

Are you sure you don't have some extra plugin around querying that?

Yeah, no other plugins, just a docker stack for verdaccio-gitlab with verdaccio.yaml, nothing else

  verdaccio:
    image: bufferoverflow/verdaccio-gitlab@sha256:1a5c2e910cff98f2ab3c8030c868c8d2013274f0a0edaf83ba6a01270f5900ef
    configs:
      - source: verdaccio-config
        target: /verdaccio/conf/config.yaml
    networks:
      - default
      - proxy
    volumes:
      - verdaccio:/verdaccio/storage
    deploy:
      placement:
        constraints: [node.labels.gitlab == true]

@simon-jouet Are you by chance using url_prefix in verdaccio with a full url? If so, this might be a regression somehow caused by verdaccio/verdaccio#1299

I'm not, no. I've posted the config below and I think it's a fairly out-of-the-box one

storage: /verdaccio/storage/data

plugins: /verdaccio/plugins

listen:
  - 0.0.0.0:4873

auth:
  gitlab:
    url: http://gitlab
    authCache:
      enabled: true
      ttl: 300
    # publish: $developer

uplinks:
  npmjs:
    url: https://registry.npmjs.org/

packages:
  '@*/*':
    # scoped packages
    access: $authenticated
    publish: $authenticated
    proxy: npmjs
    gitlab: true

  '**':
    access: $authenticated
    publish: $authenticated
    proxy: npmjs
    gitlab: true

# Log level can be changed to info, http etc. for less verbose output
logs:
  - {type: stdout, format: pretty-timestamped, level: debug}

Otherwise this might have to do with the latest changes in verdaccio, or the logs are out of order :-?

I would think it's something to do with the latest changes considering that the exact same config with a rollback in version is working without any problems (using the same version of gitlab)