Closed Miccia94 closed 4 years ago
The latest version of the plugin is trying to link the non-prefixed external-id to the prefixed one:
```
OAuth2: linking claimed identity to 1601
Email *@gmail.com is already assigned to account 1601;
cannot create external ID google-oauth:109031793006731947128 with the same email for account 1601.
```
Unless we drop this restriction in the Gerrit core, see: [1], there seem to be only two workarounds:
[1] https://bugs.chromium.org/p/gerrit/issues/detail?id=9001
Thanks for the feedback Davido,
I will try to compile the plugin without the external id prefix (fastest way, instead of bulk editing the whole NoteDb)
I will try to look into it as well, and add an additional config option to unblock you and other plugin users who migrated to the latest Gerrit releases. This should be a trivial change.
Hello David,
I can confirm that removing GOOGLE_PROVIDER_PREFIX from https://github.com/davido/gerrit-oauth-provider/blob/master/src/main/java/com/googlesource/gerrit/plugins/oauth/GoogleOAuthService.java#L144 allows me to log in
I went with option 2 - changed all accounts in NoteDb.
First, I've added a prefix with simple sed (lost it in bash history). But that was not enough - also needed to change filenames. That is what I've used to rehash file names (rehash.sh):
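```bash
#!/bin/bash
# Reads file names on stdin and renames each note to the SHA-1 of its external ID.
while read -r filename
do
    # External ID stored in the note, e.g. google-oauth:<digits>
    id="$(grep -UEo 'google-oauth:[[:digit:]]+' "${filename}")"
    # NoteDb names the note after the SHA-1 of the external ID
    new_hash=$(echo -n "${id}" | sha1sum | cut -f 1 -d ' ')
    echo "id ${id} renaming ${filename} to ${new_hash}"
    mv "${filename}" "${new_hash}"
done < "/dev/stdin"
```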
And call it with file names to rehash on the stdin:
```bash
grep -Er 'externalId "google-oauth:[[:digit:]]+"' . | cut -d ':' -f 1 | ~/gerrit-upgrade/rehash.sh
```
Although not a full copy-and-run solution - hope it helps (should be easy to modify).
Decided to put together a complete solution since this issue should be relatively widespread (#123, #116 etc.).
Prerequisites:
- NoteDb

How to use:
- clone `All-Users` project and checkout `meta/external-ids`
- Use this script to patch all unprefixed external-ids to have some prefix. Optional arguments - path to All-Users (defaults to current dir) and oauth-prefix (defaults to google).
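```bash
#!/bin/bash
USERS_DIR="${1:-.}"                # path to the All-Users checkout
OAUTH_PREFIX="${2:-google-oauth}"  # prefix to add to the bare numeric IDs
# Notes whose external ID is still an unprefixed number
files="$(grep -Er 'externalId "[[:digit:]]+"' "${USERS_DIR}" | cut -d ':' -f 1)"
while read -r filename
do
    [ -n "${filename}" ] || continue  # nothing matched
    # Add the prefix to the external ID inside the note
    sed -Ei "s/externalId \"([[:digit:]]+)\"/externalId \"${OAUTH_PREFIX}:\1\"/" "${filename}"
    id=$(grep -UEo "${OAUTH_PREFIX}:[[:digit:]]+" "${filename}")
    # The note name is the SHA-1 of the full external ID
    new_hash=$(echo -n "${id}" | sha1sum | cut -f 1 -d ' ')
    mv "${filename}" "${new_hash}"
    echo "patched id: ${id}, renamed ${filename} to ${new_hash}"
done <<< "${files}"
```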
Thanks Jmennius for the script, I extended it somewhat:
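```bash
#!/bin/bash
USERS_DIR="${1:-.}"                # path to the All-Users checkout
OAUTH_PREFIX="${2:-google-oauth}"  # prefix to add to the bare numeric IDs
MATCH="${3:-+}"                    # ERE quantifier for the number of digits
# Notes whose unprefixed numeric ID has the requested length
files="$(grep -Er 'externalId "[[:digit:]]'"${MATCH}"'"' "${USERS_DIR}" | cut -d ':' -f 1)"
while read -r filename
do
    [ -n "${filename}" ] || continue  # nothing matched
    # Add the prefix to the external ID inside the note
    sed -Ei "s/externalId \"([[:digit:]]+)\"/externalId \"${OAUTH_PREFIX}:\1\"/" "${filename}"
    id=$(grep -UEo "${OAUTH_PREFIX}:[[:digit:]]+" "${filename}")
    # The note name is the SHA-1 of the full external ID
    new_hash=$(echo -n "${id}" | sha1sum | cut -f 1 -d ' ')
    # Record the rename in git
    git mv "${filename}" "${new_hash}"
    echo "patched id: ${id}, renamed ${filename} to ${new_hash}"
done <<< "${files}"
```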
This allows running it with a third argument to help separate google and github ID:
```bash
script . google-oauth "{10,}"
script . github-oauth "{,9}"
```
assigns the right prefix to each ID. It also registers the renames with git.
@pgeorgi Glad it helped!
Thanks, @Jmennius, @pgeorgi great contribution.
How about adding this script to the plugin repository itself with documentation? Optionally also to the WIKI of this GH repository? Though note that I do not accept PRs here, but only CLs on the canonical git repository at: googlesource.com.
@pgeorgi Thanks, this was useful. I just noticed that at least in 3.0.1 the migration script would leave files in the root instead of at ${SHA:0:2}/${SHA:2:38}, I updated your script a bit:
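```bash
#!/bin/bash
USERS_DIR="${1:-.}"                # path to the All-Users checkout
OAUTH_PREFIX="${2:-google-oauth}"  # prefix to add to the bare numeric IDs
MATCH="${3:-+}"                    # ERE quantifier for the number of digits
# Notes whose unprefixed numeric ID has the requested length
files="$(grep -Er 'externalId "[[:digit:]]'"${MATCH}"'"' "${USERS_DIR}" | cut -d ':' -f 1)"
while read -r filename
do
    [ -n "${filename}" ] || continue  # nothing matched
    # Add the prefix to the external ID inside the note
    sed -Ei "s/externalId \"([[:digit:]]+)\"/externalId \"${OAUTH_PREFIX}:\1\"/" "${filename}"
    id=$(grep -UEo "${OAUTH_PREFIX}:[[:digit:]]+" "${filename}")
    # The note name is the SHA-1 of the full external ID
    new_hash=$(echo -n "${id}" | sha1sum | cut -f 1 -d ' ')
    # Sharded layout: first two hex digits as directory, remaining 38 as file name
    prefix=${new_hash:0:2}
    remaining=${new_hash:2:38}
    mkdir -p "${prefix}"
    git mv "${filename}" "${prefix}/${remaining}"
    echo "patched id: ${id}, renamed ${filename} to ${prefix}/${remaining}"
done <<< "${files}"
```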
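A consistency check for the checkout after running any of the scripts above and before pushing, as an added example that is not part of the thread or the plugin: it recomputes the SHA-1 of each note's external-ID key and reports notes whose file name does not match it or whose key is still an unprefixed number. The function name `check_external_ids` is hypothetical, and the code assumes each note carries one `[externalId "<key>"]` section header and that `sha1sum` is available, as in the scripts above.

```shell
#!/bin/sh
# Added example (not from the thread): check a meta/external-ids checkout.
# Assumption: each note has one section header of the form [externalId "<key>"]
# and is stored as sha1(<key>), either flat or sharded as ab/cdef...

# Prints one line per problem; returns 0 if the checkout is consistent.
check_external_ids() {
    dir="${1:-.}"; dir="${dir%/}"
    problems=0
    # Every regular file outside .git is a candidate note.
    files="$(find "$dir" -path "$dir/.git" -prune -o -type f -print)"
    while IFS= read -r file; do
        [ -n "$file" ] || continue
        # Key between the quotes of the section header.
        key="$(sed -nE 's/^\[externalId "(.*)"\][[:space:]]*$/\1/p' "$file" | head -n 1)"
        [ -n "$key" ] || continue        # not an external-ID note
        want="$(printf '%s' "$key" | sha1sum | cut -d ' ' -f 1)"
        # Path relative to the checkout, with shard slashes removed.
        rel=${file#"$dir"/}
        have="$(printf '%s' "$rel" | tr -d '/')"
        if [ "$have" != "$want" ]; then
            echo "MISMATCH $file: '$key' should be stored as $want"
            problems=$((problems + 1))
        fi
        case "$key" in
            *[!0-9]*) ;;                 # has a prefix or other non-digits
            *) echo "UNPREFIXED $file: '$key' has no provider prefix"
               problems=$((problems + 1)) ;;
        esac
    done <<EOF
$files
EOF
    [ "$problems" -eq 0 ]
}

# Run against a checkout when a path is given on the command line.
[ "$#" -eq 0 ] || check_external_ids "$1"
```

A non-zero exit status means at least one note would not be found under its expected name or still lacks a provider prefix.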
> Prerequisites:
> - NoteDb
>
> How to use:
> - clone `All-Users` project and checkout `meta/external-ids`
Could you please tell me the exact commands you used? I'm stuck on this step and I wonder if it's due to my weak git level or to permission issues on the All-Users repository.
Have a nice day
Forget about it, I just discovered the global privilege "Access Database" as described here: https://www.gerritcodereview.com/config-accounts.html#external-ids
:)
The problem was fixed in Gerrit: [1].
[1] https://gerrit-review.googlesource.com/c/gerrit/+/238833
Hello Davido,
I'm running Gerrit 2.16.8 fully migrated to NoteDb. I'm still using gerrit-oauth-provider version 2.13.2 and all is fine. I was planning to upgrade the plugin but I'm having problems. Same as issue 123. This is what I have in gerrit.config:
If I try to use the latest version of the plugin, I get this error while authenticating, then a redirect to a forbidden page
Here are the details for the same account retrieved from the API GET /accounts/1601/external.ids
Thanks in advance for help