Azure OIDC is broken since Harbor 2.7 if your username has special characters #19356

Closed
Xaseron opened this issue Sep 13, 2023 · 4 comments · Fixed by #19505
Comments

@Xaseron

Xaseron commented Sep 13, 2023

If you are reporting a problem, please make sure the following information is provided:

Expected behavior and actual behavior:
OIDC users with special characters in their username should be able to access repositories after a 2.7 (or later) upgrade.
e.g. username: Werner,M.,SNL_IT_P&P,_4610,DD

Steps to reproduce the problem:
It is possible to recreate this issue with db_auth.

  • Create a new user with the following username Werner,M.,SNL_IT_P&P,_4610,DD
  • Click on Library
  • Nothing happens / HTTP 500 in the browser and a panic in harbor core

Versions:
Please specify the versions of the following systems.

  • harbor version: 2.7.2
  • aks: 1.26.6

Additional context:

  • Harbor config files: Fresh Harbor installation with Helm
  • Log files: You can get them by packaging /var/log/harbor/.
    harbor core log:
2023-09-13T13:39:31Z [DEBUG] [/server/middleware/log/log.go:30]: attach request id ea08ba0c1213e76547b35f37f250da2c to the logger for the request GET /api/v2.0/statistics
2023-09-13T13:39:31Z [DEBUG] [/server/middleware/artifactinfo/artifact_info.go:54]: In artifact info middleware, url: /api/v2.0/statistics
2023-09-13T13:39:31Z [DEBUG] [/server/middleware/security/session.go:47][requestID="ea08ba0c1213e76547b35f37f250da2c"]: a session security context generated for request GET /api/v2.0/statistics
2023-09-13T13:39:31Z [DEBUG] [/server/middleware/log/log.go:30]: attach request id 386fadd9b4c5987f980b8e0f34c82b21 to the logger for the request GET /api/v2.0/projects
2023-09-13T13:39:31Z [DEBUG] [/server/middleware/artifactinfo/artifact_info.go:54]: In artifact info middleware, url: /api/v2.0/projects?page=1&page_size=15
2023-09-13T13:39:31Z [DEBUG] [/server/middleware/security/session.go:47][requestID="386fadd9b4c5987f980b8e0f34c82b21"]: a session security context generated for request GET /api/v2.0/projects
2023-09-13T13:39:31Z [DEBUG] [/server/middleware/log/log.go:30]: attach request id e1dcdd5dd6d6889d0c46476de6d2043a to the logger for the request GET /api/v2.0/export/cve/executions
2023-09-13T13:39:31Z [DEBUG] [/server/middleware/artifactinfo/artifact_info.go:54]: In artifact info middleware, url: /api/v2.0/export/cve/executions
2023-09-13T13:39:31Z [DEBUG] [/server/middleware/security/session.go:47][requestID="e1dcdd5dd6d6889d0c46476de6d2043a"]: a session security context generated for request GET /api/v2.0/export/cve/executions
2023-09-13T13:39:31Z [DEBUG] [/pkg/config/manager.go:140]: failed to get key oidc_groups_claim, error: the configure value is not set, maybe default value not defined before get
2023-09-13T13:39:31Z [DEBUG] [/pkg/config/manager.go:140]: failed to get key oidc_group_filter, error: the configure value is not set, maybe default value not defined before get
2023-09-13T13:39:31Z [DEBUG] [/pkg/config/manager.go:140]: failed to get key oidc_admin_group, error: the configure value is not set, maybe default value not defined before get
2023-09-13T13:39:31Z [DEBUG] [/server/middleware/log/log.go:30]: attach request id 55f19503-918a-42cf-a372-695d7cfceb2c to the logger for the request GET /api/v2.0/ping
2023-09-13T13:39:31Z [DEBUG] [/server/middleware/artifactinfo/artifact_info.go:54]: In artifact info middleware, url: /api/v2.0/ping
2023-09-13T13:39:31Z [DEBUG] [/server/middleware/security/unauthorized.go:28][requestID="55f19503-918a-42cf-a372-695d7cfceb2c"]: an unauthorized security context generated for request GET /api/v2.0/ping
2023-09-13T13:39:31Z [DEBUG] [/server/middleware/log/log.go:30]: attach request id f98c3c9d-0d41-4c5c-bf23-9ccd196c6d0a to the logger for the request GET /api/v2.0/ping
2023-09-13T13:39:31Z [DEBUG] [/server/middleware/artifactinfo/artifact_info.go:54]: In artifact info middleware, url: /api/v2.0/ping
2023-09-13T13:39:31Z [DEBUG] [/server/middleware/security/unauthorized.go:28][requestID="f98c3c9d-0d41-4c5c-bf23-9ccd196c6d0a"]: an unauthorized security context generated for request GET /api/v2.0/ping
2023-09-13T13:39:32Z [DEBUG] [/server/middleware/log/log.go:30]: attach request id 9514c1e1a67938d6dc581620596d19d0 to the logger for the request GET /api/v2.0/projects/1
2023-09-13T13:39:32Z [DEBUG] [/server/middleware/artifactinfo/artifact_info.go:54]: In artifact info middleware, url: /api/v2.0/projects/1
2023-09-13T13:39:32Z [DEBUG] [/server/middleware/security/session.go:47][requestID="9514c1e1a67938d6dc581620596d19d0"]: a session security context generated for request GET /api/v2.0/projects/1
2023/09/13 13:39:32 Model:
2023/09/13 13:39:32 r.r: sub, obj, act
2023/09/13 13:39:32 p.p: sub, obj, act, eft
2023/09/13 13:39:32 e.e: some(where (p_eft == allow)) && !some(where (p_eft == deny))
2023/09/13 13:39:32 m.m: g(r_sub, p_sub) && keyMatch2(r_obj, p_obj) && (r_act == p_act || p_act == '*')
2023/09/13 13:39:32 g.g: _, _
2023/09/13 13:39:32 Policy:
2023/09/13 13:39:32 p: sub, obj, act, eft: [[Werner M. SNL_IT_P&P _4610 DD /project/1 read allow] [Werner M. SNL_IT_P&P _4610 DD /project/1/label read allow] [Werner M. SNL_IT_P&P _4610 DD /project/1/label list allow] [Werner M. SNL_IT_P&P _4610 DD /project/1/repository list allow] [Werner M. SNL_IT_P&P _4610 DD /project/1/repository pull allow] [Werner M. SNL_IT_P&P _4610 DD /project/1/helm-chart read allow] [Werner M. SNL_IT_P&P _4610 DD /project/1/helm-chart list allow] [Werner M. SNL_IT_P&P _4610 DD /project/1/helm-chart-version read allow] [Werner M. SNL_IT_P&P _4610 DD /project/1/helm-chart-version list allow] [Werner M. SNL_IT_P&P _4610 DD /project/1/scan read allow] [Werner M. SNL_IT_P&P _4610 DD /project/1/scanner read allow] [Werner M. SNL_IT_P&P _4610 DD /project/1/tag list allow] [Werner M. SNL_IT_P&P _4610 DD /project/1/artifact read allow] [Werner M. SNL_IT_P&P _4610 DD /project/1/artifact list allow] [Werner M. SNL_IT_P&P _4610 DD /project/1/artifact-addition read allow] [Werner M. SNL_IT_P&P _4610 DD /project/1/accessory list allow]]
2023/09/13 13:39:32 g: _, _: []
2023/09/13 13:39:32 Role links for: g
2023/09/13 13:39:32
2023/09/13 13:39:32.837 [C] [config.go:500]  the request url is  /api/v2.0/projects/1
2023/09/13 13:39:32.837 [C] [config.go:501]  Handler crashed with error Invalid Policy Rule size: expected 4 got 8 pvals: [Werner M. SNL_IT_P&P _4610 DD /project/1 read allow]
2023/09/13 13:39:32.837 [C] [config.go:507]  /usr/local/go/src/runtime/panic.go:884
2023/09/13 13:39:32.838 [C] [config.go:507]  /harbor/src/vendor/github.com/casbin/casbin/enforcer.go:354
2023/09/13 13:39:32.838 [C] [config.go:507]  /harbor/src/pkg/permission/evaluator/rbac/rbac.go:42
2023/09/13 13:39:32.838 [C] [config.go:507]  /harbor/src/pkg/permission/evaluator/namespace/namespace.go:53
2023/09/13 13:39:32.838 [C] [config.go:507]  /harbor/src/pkg/permission/evaluator/evaluator.go:60
2023/09/13 13:39:32.838 [C] [config.go:507]  /harbor/src/common/security/local/context.go:99
2023/09/13 13:39:32.838 [C] [config.go:507]  /harbor/src/server/v2.0/handler/base.go:74
2023/09/13 13:39:32.838 [C] [config.go:507]  /harbor/src/server/v2.0/handler/base.go:103
2023/09/13 13:39:32.838 [C] [config.go:507]  /harbor/src/server/v2.0/handler/base.go:109
2023/09/13 13:39:32.838 [C] [config.go:507]  /harbor/src/server/v2.0/handler/project.go:336
2023/09/13 13:39:32.838 [C] [config.go:507]  /harbor/src/server/v2.0/restapi/configure_harbor.go:2285
2023/09/13 13:39:32.838 [C] [config.go:507]  /harbor/src/server/v2.0/restapi/operations/project/get_project.go:19
2023/09/13 13:39:32.838 [C] [config.go:507]  /harbor/src/server/v2.0/restapi/operations/project/get_project.go:69
2023/09/13 13:39:32.838 [C] [config.go:507]  /harbor/src/server/v2.0/restapi/operations/harbor_api.go:1922
2023/09/13 13:39:32.838 [C] [config.go:507]  /usr/local/go/src/net/http/server.go:2109
2023/09/13 13:39:32.838 [C] [config.go:507]  /harbor/src/vendor/github.com/go-openapi/runtime/middleware/operation.go:28
2023/09/13 13:39:32.838 [C] [config.go:507]  /usr/local/go/src/net/http/server.go:2109
2023/09/13 13:39:32.838 [C] [config.go:507]  /harbor/src/vendor/github.com/go-openapi/runtime/middleware/router.go:77
2023/09/13 13:39:32.838 [C] [config.go:507]  /usr/local/go/src/net/http/server.go:2109
2023/09/13 13:39:32.838 [C] [config.go:507]  /harbor/src/vendor/github.com/go-openapi/runtime/middleware/redoc.go:72
2023/09/13 13:39:32.838 [C] [config.go:507]  /usr/local/go/src/net/http/server.go:2109
2023/09/13 13:39:32.838 [C] [config.go:507]  /harbor/src/vendor/github.com/go-openapi/runtime/middleware/spec.go:46
2023/09/13 13:39:32.838 [C] [config.go:507]  /usr/local/go/src/net/http/server.go:2109
2023/09/13 13:39:32.838 [C] [config.go:507]  /harbor/src/server/middleware/apiversion/api_version.go:29
2023/09/13 13:39:32.838 [C] [config.go:507]  /usr/local/go/src/net/http/server.go:2109
2023/09/13 13:39:32.838 [C] [config.go:507]  /harbor/src/server/router/router.go:92
2023/09/13 13:39:32.838 [C] [config.go:507]  /harbor/src/vendor/github.com/beego/beego/v2/server/web/router.go:1149
2023/09/13 13:39:32.838 [C] [config.go:507]  /harbor/src/vendor/github.com/beego/beego/v2/server/web/filter.go:83
2023/09/13 13:39:32.838 [C] [config.go:507]  /harbor/src/vendor/github.com/beego/beego/v2/server/web/router.go:1002
2023/09/13 13:39:32.838 [C] [config.go:507]  /harbor/src/server/middleware/middleware.go:52
2023/09/13 13:39:32.838 [C] [config.go:507]  /usr/local/go/src/net/http/server.go:2109
2023/09/13 13:39:32.838 [C] [config.go:507]  /harbor/src/server/middleware/security/security.go:75
2023/09/13 13:39:32.838 [C] [config.go:507]  /harbor/src/server/middleware/middleware.go:57
2023/09/13 13:39:32.838 [C] [config.go:507]  /usr/local/go/src/net/http/server.go:2109
2023/09/13 13:39:32.838 [C] [config.go:507]  /harbor/src/server/middleware/security/security.go:62
2023/09/13 13:39:32.838 [C] [config.go:507]  /harbor/src/server/middleware/middleware.go:57
2023/09/13 13:39:32.838 [C] [config.go:507]  /usr/local/go/src/net/http/server.go:2109
2023/09/13 13:39:32.838 [C] [config.go:507]  /harbor/src/server/middleware/artifactinfo/artifact_info.go:61
2023/09/13 13:39:32.838 [C] [config.go:507]  /usr/local/go/src/net/http/server.go:2109
2023/09/13 13:39:32.838 [C] [config.go:507]  /harbor/src/server/middleware/middleware.go:52
2023/09/13 13:39:32.838 [C] [config.go:507]  /usr/local/go/src/net/http/server.go:2109
2023/09/13 13:39:32.838 [C] [config.go:507]  /harbor/src/server/middleware/notification/notification.go:31
2023/09/13 13:39:32.838 [C] [config.go:507]  /harbor/src/server/middleware/middleware.go:57
2023/09/13 13:39:32.838 [C] [config.go:507]  /usr/local/go/src/net/http/server.go:2109
2023/09/13 13:39:32.838 [C] [config.go:507]  /harbor/src/server/middleware/orm/orm.go:54
2023/09/13 13:39:32.838 [C] [config.go:507]  /harbor/src/server/middleware/middleware.go:57
2023/09/13 13:39:32.838 [C] [config.go:507]  /usr/local/go/src/net/http/server.go:2109
2023/09/13 13:39:32.838 [C] [config.go:507]  /harbor/src/server/middleware/csrf/csrf.go:48
2023/09/13 13:39:32.838 [C] [config.go:507]  /usr/local/go/src/net/http/server.go:2109
2023/09/13 13:39:32.838 [C] [config.go:507]  /harbor/src/vendor/github.com/gorilla/csrf/csrf.go:297
2023/09/13 13:39:32.838 [C] [config.go:507]  /harbor/src/server/middleware/csrf/csrf.go:68
2023/09/13 13:39:32.838 [C] [config.go:507]  /harbor/src/server/middleware/middleware.go:57
2023/09/13 13:39:32.838 [C] [config.go:507]  /usr/local/go/src/net/http/server.go:2109
2023/09/13 13:39:32.838 [C] [config.go:507]  /harbor/src/server/middleware/session/session.go:35
2023/09/13 13:39:32.838 [C] [config.go:507]  /usr/local/go/src/net/http/server.go:2109
2023/09/13 13:39:32.838 [C] [config.go:507]  /harbor/src/server/middleware/log/log.go:33
2023/09/13 13:39:32.838 [C] [config.go:507]  /harbor/src/server/middleware/middleware.go:57
2023/09/13 13:39:32.838 [C] [config.go:507]  /usr/local/go/src/net/http/server.go:2109
2023/09/13 13:39:32.838 [C] [config.go:507]  /harbor/src/server/middleware/requestid/requestid.go:43
2023/09/13 13:39:32.838 [C] [config.go:507]  /harbor/src/server/middleware/middleware.go:57
2023/09/13 13:39:32.838 [C] [config.go:507]  /usr/local/go/src/net/http/server.go:2109
2023/09/13 13:39:32.838 [C] [config.go:507]  /harbor/src/server/middleware/metric/metric.go:67
2023/09/13 13:39:32.838 [C] [config.go:507]  /usr/local/go/src/net/http/server.go:2109
2023/09/13 13:39:32.838 [C] [config.go:507]  /harbor/src/server/middleware/trace/trace.go:28
2023/09/13 13:39:32.838 [C] [config.go:507]  /usr/local/go/src/net/http/server.go:2109
2023/09/13 13:39:32.838 [C] [config.go:507]  /harbor/src/server/middleware/mergeslash/mergeslash.go:17
2023/09/13 13:39:32.838 [C] [config.go:507]  /harbor/src/server/middleware/middleware.go:57
2023/09/13 13:39:32.838 [C] [config.go:507]  /usr/local/go/src/net/http/server.go:2109
2023/09/13 13:39:32.838 [C] [config.go:507]  /harbor/src/server/middleware/url/parse.go:22
2023/09/13 13:39:32.838 [C] [config.go:507]  /harbor/src/server/middleware/middleware.go:57
2023/09/13 13:39:32.838 [C] [config.go:507]  /usr/local/go/src/net/http/server.go:2109
2023/09/13 13:39:32.838 [C] [config.go:507]  /usr/local/go/src/net/http/server.go:2947
2023/09/13 13:39:32.838 [C] [config.go:507]  /usr/local/go/src/net/http/server.go:1991
2023/09/13 13:39:32.838 [C] [config.go:507]  /usr/local/go/src/runtime/asm_amd64.s:1594
@stonezdj
Contributor

How does the OIDC username contain the comma character?
There is a check before creating the OIDC user:

if utils.IsContainIllegalChar(username, []string{",", "~", "#", "$", "%"}) {
oc.SendBadRequestError(errors.New("username contains illegal characters"))
return
}

What's your Harbor version?

@Xaseron
Author

Xaseron commented Sep 18, 2023

At the moment 2.7.2, and I just recreated my account in the test environment.
(screenshot attached)

@Xaseron
Author

Xaseron commented Sep 26, 2023

Maybe this is related: https://lists.cncf.io/g/harbor-users/message/345

stonezdj pushed a commit to stonezdj/harbor that referenced this issue Oct 30, 2023
   fixes goharbor#19356

Signed-off-by: stonezdj <daojunz@vmware.com>
stonezdj pushed a commit to stonezdj/harbor that referenced this issue Oct 31, 2023
   Check username when create user by API
   Replace comma with underscore when CreateUser
   Fixes goharbor#19356

Signed-off-by: stonezdj <daojunz@vmware.com>
stonezdj pushed a commit to stonezdj/harbor that referenced this issue Oct 31, 2023
   Check username when creating user by API
   Replace comma with underscore in username for OnboardUser
   Fixes goharbor#19356

Signed-off-by: stonezdj <daojunz@vmware.com>
stonezdj pushed a commit to stonezdj/harbor that referenced this issue Nov 2, 2023
   Check username when creating user by API
   Replace comma with underscore in username for OnboardUser
   Fixes goharbor#19356

Signed-off-by: stonezdj <daojunz@vmware.com>
stonezdj added a commit that referenced this issue Nov 2, 2023
   Check username when creating user by API
   Replace comma with underscore in username for OnboardUser
   Fixes #19356

Signed-off-by: stonezdj <daojunz@vmware.com>
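The panic in the core log above ("Invalid Policy Rule size: expected 4 got 8") and the two-part fix described in the commit messages (reject illegal characters on API user creation, replace commas with underscores when onboarding an OIDC user) can be reproduced end to end without Harbor or casbin. The following is an added example, not Harbor's or casbin's code. It assumes that the policy line is split on commas the way the `pvals` in the log show (the five comma-separated parts of the username plus object, action and effect give the eight values), that only the comma is rewritten by the onboarding fix, and that the illegal-character list is the one quoted in the thread; `BuildPolicyLine`, `ParsePolicyLine`, `CheckRuleSize`, `ContainsIllegalChar` and `SanitizeOnboardUsername` are names chosen here.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Characters rejected by the user-creation check quoted in the thread
// (utils.IsContainIllegalChar with ",", "~", "#", "$", "%").
var illegalChars = []string{",", "~", "#", "$", "%"}

// ErrIllegalUsername mirrors the "username contains illegal characters"
// error returned by the API check.
var ErrIllegalUsername = errors.New("username contains illegal characters")

// ContainsIllegalChar reports whether username contains any of illegalChars.
// This is the check that guards user creation through the API.
func ContainsIllegalChar(username string) bool {
	for _, c := range illegalChars {
		if strings.Contains(username, c) {
			return true
		}
	}
	return false
}

// SanitizeOnboardUsername replaces commas with underscores, as the fix
// commits describe for OnboardUser. Assumption: only the comma is rewritten,
// since the comma is the policy field separator that causes the panic.
func SanitizeOnboardUsername(username string) string {
	return strings.ReplaceAll(username, ",", "_")
}

// BuildPolicyLine lays out a "p" rule as comma-separated fields
// (sub, obj, act, eft). Assumption: this is the same field layout the
// policy loader later splits; Harbor's real adapter is not reproduced here.
func BuildPolicyLine(sub, obj, act, eft string) string {
	return strings.Join([]string{sub, obj, act, eft}, ", ")
}

// ParsePolicyLine splits a policy line on commas and trims whitespace,
// which is what produces the eight values seen in the log.
func ParsePolicyLine(line string) []string {
	parts := strings.Split(line, ",")
	for i := range parts {
		parts[i] = strings.TrimSpace(parts[i])
	}
	return parts
}

// CheckRuleSize returns an error in the shape of the panic message when the
// field count is not the four the model declares (sub, obj, act, eft).
func CheckRuleSize(fields []string) error {
	const expected = 4
	if len(fields) != expected {
		return fmt.Errorf("invalid policy rule size: expected %d got %d pvals: %v",
			expected, len(fields), fields)
	}
	return nil
}

func main() {
	// Constructed input: the username from the issue report.
	raw := "Werner,M.,SNL_IT_P&P,_4610,DD"

	// Before the fix: the subject carries commas into the policy line.
	fields := ParsePolicyLine(BuildPolicyLine(raw, "/project/1", "read", "allow"))
	fmt.Println("unsanitized:", len(fields), "fields, err:", CheckRuleSize(fields))

	// Fix part 1: API user creation rejects the name outright.
	if ContainsIllegalChar(raw) {
		fmt.Println("API create:", ErrIllegalUsername)
	}

	// Fix part 2: OIDC onboarding rewrites the comma, so the rule has 4 fields.
	safe := SanitizeOnboardUsername(raw)
	fields = ParsePolicyLine(BuildPolicyLine(safe, "/project/1", "read", "allow"))
	fmt.Println("sanitized:", safe, "->", len(fields), "fields, err:", CheckRuleSize(fields))
}
```

Note that the sanitized name still contains `&`, which is not in the illegal list and is harmless to the policy split; only the separator character had to go. The open question at the end of the thread (already-onboarded users with commas in their stored username) is not covered by this rewrite, which only runs at onboarding time.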
@Xaseron
Author

Xaseron commented Nov 9, 2023

But this only resolves the problem for new users and not for existing ones, am I right?
