gitpod-io / gitpod

The developer platform for on-demand cloud development environments to create software faster and more securely.
https://www.gitpod.io
GNU Affero General Public License v3.0

The BlockNewUsers param is no longer being respected by server #12738

Closed mrsimonemms closed 2 years ago

mrsimonemms commented 2 years ago

Bug description

The Installer has a BlockNewUsers block which is passed into the Server's config map. The purpose of this is to offer a measure of security to self-hosted owners who do not wish for their instance to be used by people who are not authorised.

Steps to reproduce

1. In KOTS, enable the user management option and enter your domain (e.g. simonemms.com)


2. Check that this is set

3. Login with your GitHub account, where the primary email is on the domain

This works

4. Get a friend (or a second GitHub account) not on the domain and get them to register

I got @adrienthebo to register who does not have a simonemms.com email address. He was able to login

Workspace affected

All. Using latest 2022.8.0 release in the stable channel

Expected behavior

@adrienthebo should not have been able to register

Example repository

No response

Anything else?

Workaround is to restart the server component:

kubectl rollout restart -n <namespace> deployment/server
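
The expected behaviour described above, as an added example that is not Gitpod's own code: a fail-closed registration check modelled on the `blockNewUsers` shape used in this issue (`enabled` plus a `passlist` of e-mail domains). How Gitpod itself applies this setting is not shown on this page, so the decision logic, the `mayRegister` name, the exact-domain-only matching and the `allowSubdomains` switch are all assumptions of this example. The sample config is constructed from the values pasted later in the thread.

```typescript
// Added example, not Gitpod project code. Models the blockNewUsers
// config shape from the issue: { enabled, passlist }. The passlist is
// treated as a list of e-mail domains; everything else is assumed here.

interface BlockNewUsersConfig {
  enabled: boolean;
  passlist: string[];
}

interface Decision {
  allowed: boolean;
  reason: string;
}

// Normalise a passlist entry: trim, lower-case, drop a leading "@" or ".".
function normaliseDomain(entry: string): string {
  let d = entry.trim().toLowerCase();
  while (d.startsWith("@") || d.startsWith(".")) d = d.slice(1);
  return d;
}

// Extract the domain of an e-mail address, or null if it is malformed.
function emailDomain(email: string | undefined | null): string | null {
  if (!email) return null;
  const at = email.lastIndexOf("@");
  if (at <= 0 || at === email.length - 1) return null;
  return email.slice(at + 1).trim().toLowerCase();
}

// Decide whether a *new* user with this primary e-mail may register.
// Exact match only by default: "simonemms.com" admits neither
// "simonemms.com.evil.example" nor "notsimonemms.com". Setting
// allowSubdomains also admits "dev.simonemms.com".
function mayRegister(
  cfg: BlockNewUsersConfig,
  primaryEmail: string | undefined | null,
  allowSubdomains = false,
): Decision {
  if (!cfg.enabled) {
    return { allowed: true, reason: "blockNewUsers disabled" };
  }
  const passlist = cfg.passlist.map(normaliseDomain).filter((d) => d.length > 0);
  if (passlist.length === 0) {
    // Enabled with nothing passlisted blocks everyone: fail closed rather
    // than silently letting every new account through.
    return { allowed: false, reason: "blockNewUsers enabled with empty passlist" };
  }
  const domain = emailDomain(primaryEmail);
  if (domain === null) {
    return { allowed: false, reason: "no usable primary e-mail on the account" };
  }
  for (const d of passlist) {
    if (domain === d) {
      return { allowed: true, reason: `domain ${d} is on the passlist` };
    }
    if (allowSubdomains && domain.endsWith("." + d)) {
      return { allowed: true, reason: `subdomain of passlisted ${d}` };
    }
  }
  return { allowed: false, reason: `domain ${domain} is not on the passlist` };
}

// Constructed sample config mirroring the values pasted in this issue.
const sampleConfig: BlockNewUsersConfig = {
  enabled: true,
  passlist: ["simonemms.com"],
};

// Usage: mayRegister(sampleConfig, "simon@simonemms.com") allows,
// mayRegister(sampleConfig, "adrien@example.org") blocks.
```

The two deliberate choices worth noting are that an enabled block with an empty passlist denies rather than allows (a misrendered config map should lock people out, not let them in), and that matching is on the whole domain rather than a suffix, so a lookalike domain that merely ends in the passlisted string is rejected.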
gtsiolis commented 2 years ago

Ideally, we could also move this configuration to the admin dashboard instead of relying on KOTS. 💡

mrsimonemms commented 2 years ago

@gtsiolis yes, that's the long-term plan - still need to get the bug fixed though

corneliusludmann commented 2 years ago

Just to be sure: The config value in the installer is set correctly, the value is set in the server's config map correctly, and still, the server does not pick this config up, right?

That means that this can be easily reproduced in an ordinary preview env by adding the config to the installer config or server config map, without the need for the KOTS installation flow, right? (I mean, that could be easier for Team WebApp to reproduce. :thinking:)

geropl commented 2 years ago

thx @corneliusludmann and @MrSimonEmms for highlighting. Scheduled for next week. :calendar:

mrsimonemms commented 2 years ago

@corneliusludmann yes, you're correct - the config is set correctly so it can be deployed anywhere and the bug should still exist. If Team WebApp need a self-hosted instance, I'm sure we can oblige

AlexTugarev commented 2 years ago

@MrSimonEmms, for completeness, could you please paste an example of the blockNewUsers config json. I couldn't find any related changes made in this area in the past 5 months.

mrsimonemms commented 2 years ago

@AlexTugarev the configmap is:

apiVersion: v1
authProviders: []
blockNewUsers:
  enabled: true
  passlist:
  - simonemms.com
certificate:
  kind: secret
  name: https-certificates
containerRegistry:
  inCluster: true
  privateBaseImageAllowList: []
database:
  inCluster: true
disableDefinitelyGp: true
domain: k3s.gitpod.simonemms.com
kind: Full
license:
  kind: secret
  name: gitpod-license
metadata:
  region: local
  shortname: default
objectStorage:
  inCluster: true
  resources:
    requests:
      memory: 2Gi
observability:
  logLevel: info
openVSX:
  url: https://open-vsx.org
repository: eu.gcr.io/gitpod-core-dev/build
workspace:
  maxLifetime: 36h0m0s
  pvc:
    size: 30Gi
    snapshotClass: ""
    storageClass: ""
  resources:
    requests:
      cpu: "1"
      memory: 2Gi
  runtime:
    containerdRuntimeDir: /run/k3s/containerd/io.containerd.runtime.v2.task/k8s.io
    containerdSocket: /run/k3s/containerd/containerd.sock
    fsShiftMethod: fuse

mrsimonemms commented 2 years ago

The server configmap is:

{
  "version": "release-2022.08.0.10",
  "hostUrl": "https://k3s.gitpod.simonemms.com",
  "installationShortname": "default",
  "devBranch": "",
  "insecureNoDomain": false,
  "license": "",
  "licenseFile": "/gitpod/license",
  "definitelyGpDisabled": true,
  "enableLocalApp": true,
  "disableDynamicAuthProviderLogin": false,
  "maxEnvvarPerUserCount": 4048,
  "maxConcurrentPrebuildsPerRef": 10,
  "makeNewUsersAdmin": false,
  "defaultBaseImageRegistryWhitelist": [],
  "runDbDeleter": true,
  "contentServiceAddr": "content-service:8080",
  "imageBuilderAddr": "image-builder-mk3:8080",
  "usageServiceAddr": "usage:9001",
  "vsxRegistryUrl": "https://open-vsx.k3s.gitpod.simonemms.com",
  "chargebeeProviderOptionsFile": "/chargebee/providerOptions",
  "stripeSecretsFile": "/stripe-secret/apikeys",
  "stripeConfigFile": "/stripe-config/config",
  "enablePayment": false,
  "workspaceHeartbeat": {
    "intervalSeconds": 60,
    "timeoutSeconds": 300
  },
  "workspaceDefaults": {
    "workspaceImage": "docker.io/gitpod/workspace-full:latest",
    "previewFeatureFlags": [],
    "defaultFeatureFlags": []
  },
  "session": {
    "maxAgeMs": 259200000,
    "secret": "Important!Really-Change-This-Key!"
  },
  "githubApp": {
    "enabled": false,
    "appId": 0,
    "baseUrl": "",
    "webhookSecret": "",
    "authProviderId": "",
    "certPath": "",
    "marketplaceName": "",
    "logLevel": "",
    "certSecretName": ""
  },
  "workspaceGarbageCollection": {
    "disabled": false,
    "startDate": 0,
    "chunkLimit": 1000,
    "minAgeDays": 14,
    "minAgePrebuildDays": 7,
    "contentRetentionPeriodDays": 21,
    "contentChunkLimit": 1000
  },
  "authProviderConfigFiles": [],
  "incrementalPrebuilds": {
    "repositoryPasslist": [],
    "commitHistory": 100
  },
  "blockNewUsers": {
    "enabled": true,
    "passlist": [
      "simonemms.com"
    ]
  },
  "oauthServer": {
    "enabled": true,
    "jwtSecret": "NaAKDqxf5P1Q5LMeXkPo"
  },
  "rateLimiter": {
    "groups": {
      "inWorkspaceUserAction": {
        "points": 10,
        "durationsSec": 2
      }
    },
    "functions": {
      "closePort": {
        "group": "inWorkspaceUserAction",
        "points": 0
      },
      "controlAdmission": {
        "group": "inWorkspaceUserAction",
        "points": 0
      },
      "openPort": {
        "group": "inWorkspaceUserAction",
        "points": 0
      },
      "shareSnapshot": {
        "group": "inWorkspaceUserAction",
        "points": 0
      }
    }
  },
  "codeSync": {
    "revLimit": 0,
    "contentLimit": 0,
    "resources": null
  },
  "prebuildLimiter": {
    "*": 50
  },
  "workspaceClasses": [
    {
      "id": "default",
      "category": "GENERAL PURPOSE",
      "displayName": "Default",
      "description": "Default workspace class",
      "powerups": 1,
      "isDefault": true,
      "deprecated": false
    }
  ]
}

mrsimonemms commented 2 years ago

Worked through the issue with @AlexTugarev and couldn't reproduce

mrsimonemms commented 2 years ago

I'm going to reopen as need to check that the configmaps are being reloaded correctly by the Installer

lucasvaltl commented 2 years ago

@MrSimonEmms what is the status of this? :)

mrsimonemms commented 2 years ago

@lucasvaltl going to have a look now

mrsimonemms commented 2 years ago

I cannot recreate this, so will close.

If you are experiencing this problem, please give as much detail as you can so we can recreate this issue properly

HuaxingL commented 2 years ago

@MrSimonEmms Hi, Mr. Simon. I'm not sure if this bug has been fixed.

mrsimonemms commented 2 years ago

@HuaxingL please explain

HuaxingL commented 2 years ago

@MrSimonEmms The problem I described still occurs: https://github.com/gitpod-io/gitpod/issues/12757

mrsimonemms commented 2 years ago

What version of Gitpod are you using? Have you restarted the server component?