Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[GitLab] possible fix to #545 : unionize allowed lists in GitLab Oauth #546

Closed
wants to merge 3 commits into from
Closed

[GitLab] possible fix to #545 : unionize allowed lists in GitLab Oauth #546

wants to merge 3 commits into from

Conversation

floriandeboissieu
Copy link

This is a fix issue #545 : it adds the username to the set of allowed_users if it passes the allowed_gitlab_groups or the allowed_projects_ids .

I am not sure it is a good practice to edit the allowed_users set while in an async function, so I let the maintainers of oauthenticator review that solution, but it is working as expected when tested on my side.

@welcome
Copy link

welcome bot commented Nov 5, 2022

Thanks for submitting your first pull request! You are awesome! 🤗

If you haven't done so already, check out Jupyter's Code of Conduct. Also, please make sure you followed the pull request template, as this will help us review your contribution more quickly.
welcome
You can meet the other Jovyans by joining our Discourse forum. There is also a intro thread there where you can stop by and say Hi! 👋

Welcome to the Jupyter community! 🎉

@floriandeboissieu floriandeboissieu changed the title possible fix to #545 : unionize allowed lists in GitLab Oauth [GitLab] possible fix to #545 : unionize allowed lists in GitLab Oauth Nov 5, 2022
@consideRatio consideRatio mentioned this pull request Apr 25, 2023
Merged
1 task
floriandeboissieu and others added 2 commits June 8, 2023 03:22
@floriandeboissieu
Update gitlab.py
0b0af03 
fix case of no_config_specified: let authenticator decide
@pre-commit-ci
[pre-commit.ci] auto fixes from pre-commit.com hooks
d563163 
for more information, see https://pre-commit.ci
minrk
minrk reviewed Jun 8, 2023
View reviewed changes
Copy link
Member

@minrk minrk left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this is the simplest path to a solution, and makes sense to me

oauthenticator/gitlab.py
@@ -179,6 +179,11 @@ async def authenticate(self, handler, data=None):

no_config_specified = not (is_group_specified or is_project_id_specified)

if (is_group_specified and user_in_group) or (
is_project_id_specified and user_in_project
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you add allowed_users to this condition, because we don't want to start populating it if it's empty and unused?

@minrk
Copy link
Member

minrk commented Jun 8, 2023

Cases to check:

  • if user is in blocked_users, they should stay blocked (blocked_users should be more specific than allowed_projects)
  • empty allowed_users is left empty, since once it starts getting filled, it should have everyone in it.

@floriandeboissieu
Copy link
Author

@minrk Thanks for your comments and sorry for the late answer. As you can see the version is several commits late, but I still update this patch as a temporary solution for gitlab users like me until #594 reaches a consensus and a general solution.

Can you add allowed_users to this condition, because we don't want to start populating it if it's empty and unused?

In the proposed patch, I considered that allowed_users was the only "entrypoint" of Authenticator.
The behavior I would expect is that:

  • if the user is a member of allowed_gitlab_groups or allowed_gitlab_projects then it is added to allowed_users (even if allowed_users is empty at the hub startup), because I would not like to have to fill allowed_users in config.py if I wanted to invite only a group or project members.
  • blocked_users takes precedence over allowed_*, in particular over allowed_users. I hope it is done that way in Authenticator (I would have to check).

@minrk
Copy link
Member

minrk commented Jun 14, 2023

The reason I asked for an if allowed_users check is that allowed_users is only non-empty when it's being used. An empty set means allowing all. As soon as it is non-empty, it will start excluding everything not already in the set, so adding one user to an empty set is immediately blocking everyone else. There's no reason to add the name to the empty set, so we can skip it in that case because it's already allowed.

I checked, and blocked_users does indeed take precedence, so no need to worry about that.

@minrk minrk mentioned this pull request Jun 15, 2023
Closed
@consideRatio
Copy link
Member

#594 developed to resolve this as well for all authenticators and is now merged. For GitLab it means that a user part of allowed_users, allowed_gitlab_groups, or allowed_projects_ids will be authorized access.

Thank you @floriandeboissieu for working this, and thanks for writing up a PR description that for example linked to other issues. Your work has helped me develop an understanding of the needs and behaviors for various authenticators in this project!

If you have time to contribute further, feedback on if #594 works out correctly would be great!

@floriandeboissieu
Copy link
Author

@minrk, sorry, I did not find the time to study the cases you were suggesting...
@consideRatio, thanks for notifying me. I'll have a try as soon as possible and tell you.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@minrk minrk minrk left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@floriandeboissieu @minrk @consideRatio