*: improve error handling in ldap outpost, ignore additional errors

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
Jens Langhammer 2022-09-23 22:11:47 +02:00
parent 0cc6a24c90
commit 50819ae0f0
6 changed files with 27 additions and 5 deletions


@ -1,4 +1,5 @@
"""authentik sentry integration""" """authentik sentry integration"""
from asyncio.exceptions import CancelledError
from typing import Any, Optional from typing import Any, Optional
from aioredis.errors import ConnectionClosedError, ReplyError from aioredis.errors import ConnectionClosedError, ReplyError
@ -143,6 +144,8 @@ def before_send(event: dict, hint: dict) -> Optional[dict]:
DockerException, DockerException,
# End-user errors # End-user errors
Http404, Http404,
# AsyncIO
CancelledError,
) )
exc_value = None exc_value = None
if "exc_info" in hint: if "exc_info" in hint:
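Review bot: The added import takes `CancelledError` from `asyncio.exceptions`, a submodule rather than the documented public location; `from asyncio import CancelledError` names the same class via the documented path. The new `# AsyncIO` entry in the ignore tuple would also benefit from a why-comment, e.g. `# AsyncIO: task cancellation, not an application error`, if that is the intent. The body of before_send continues outside the hunk.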


@ -51,7 +51,7 @@ class GroupLDAPSynchronizer(BaseLDAPSynchronizer):
}, },
defaults, defaults,
) )
except (IntegrityError, FieldError, TypeError) as exc: except (IntegrityError, FieldError, TypeError, AttributeError) as exc:
Event.new( Event.new(
EventAction.CONFIGURATION_ERROR, EventAction.CONFIGURATION_ERROR,
message=( message=(
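Review bot: Adding `AttributeError` to the `except` tuple widens it to an error class that usually signals a code defect rather than bad LDAP data, so a bug raised inside `update_or_create_attributes` would now be recorded as a `CONFIGURATION_ERROR` event instead of surfacing as a failure. If one specific case is being handled (presumably a property mapping yielding a value of the wrong shape), a comment naming it, e.g. `# AttributeError: mapping returned an unexpected value type`, would keep the tuple from growing silently. Including `type(exc).__name__` in the event message would let an operator tell the cases apart. The same change and the same concern apply to the `UserLDAPSynchronizer` section that follows. The `try` block and the event message extend outside the hunk.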


@ -45,7 +45,7 @@ class UserLDAPSynchronizer(BaseLDAPSynchronizer):
ak_user, created = self.update_or_create_attributes( ak_user, created = self.update_or_create_attributes(
User, {f"attributes__{LDAP_UNIQUENESS}": uniq}, defaults User, {f"attributes__{LDAP_UNIQUENESS}": uniq}, defaults
) )
except (IntegrityError, FieldError, TypeError) as exc: except (IntegrityError, FieldError, TypeError, AttributeError) as exc:
Event.new( Event.new(
EventAction.CONFIGURATION_ERROR, EventAction.CONFIGURATION_ERROR,
message=( message=(


@ -169,7 +169,11 @@ func (fe *FlowExecutor) getInitialChallenge() (*api.ChallengeTypes, error) {
if err != nil { if err != nil {
return nil, err return nil, err
} }
ch := challenge.GetActualInstance().(challengeInt) i := challenge.GetActualInstance()
if i == nil {
return nil, errors.New("response instance was null")
}
ch := i.(challengeInt)
fe.log.WithField("component", ch.GetComponent()).WithField("type", ch.GetType()).Debug("Got challenge") fe.log.WithField("component", ch.GetComponent()).WithField("type", ch.GetType()).Debug("Got challenge")
gcsp.SetTag("authentik.flow.challenge", string(ch.GetType())) gcsp.SetTag("authentik.flow.challenge", string(ch.GetType()))
gcsp.SetTag("authentik.flow.component", ch.GetComponent()) gcsp.SetTag("authentik.flow.component", ch.GetComponent())
@ -185,7 +189,11 @@ func (fe *FlowExecutor) solveFlowChallenge(challenge *api.ChallengeTypes, depth
// Resole challenge // Resole challenge
scsp := sentry.StartSpan(fe.Context, "authentik.outposts.flow_executor.solve_challenge") scsp := sentry.StartSpan(fe.Context, "authentik.outposts.flow_executor.solve_challenge")
responseReq := fe.api.FlowsApi.FlowsExecutorSolve(scsp.Context(), fe.flowSlug).Query(fe.Params.Encode()) responseReq := fe.api.FlowsApi.FlowsExecutorSolve(scsp.Context(), fe.flowSlug).Query(fe.Params.Encode())
ch := challenge.GetActualInstance().(challengeInt) i := challenge.GetActualInstance()
if i == nil {
return false, errors.New("response request instance was null")
}
ch := i.(challengeInt)
// Check for any validation errors that we might've gotten // Check for any validation errors that we might've gotten
if len(ch.GetResponseErrors()) > 0 { if len(ch.GetResponseErrors()) > 0 {
@ -218,7 +226,11 @@ func (fe *FlowExecutor) solveFlowChallenge(challenge *api.ChallengeTypes, depth
if err != nil { if err != nil {
return false, fmt.Errorf("failed to submit challenge %w", err) return false, fmt.Errorf("failed to submit challenge %w", err)
} }
ch = response.GetActualInstance().(challengeInt) i = response.GetActualInstance()
if i == nil {
return false, errors.New("response instance was null")
}
ch = i.(challengeInt)
fe.log.WithField("component", ch.GetComponent()).WithField("type", ch.GetType()).Debug("Got response") fe.log.WithField("component", ch.GetComponent()).WithField("type", ch.GetType()).Debug("Got response")
scsp.SetTag("authentik.flow.challenge", string(ch.GetType())) scsp.SetTag("authentik.flow.challenge", string(ch.GetType()))
scsp.SetTag("authentik.flow.component", ch.GetComponent()) scsp.SetTag("authentik.flow.component", ch.GetComponent())
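Review bot: The type assertion `i.(challengeInt)` after each new nil check is still the single-value form, so a non-nil instance that does not implement `challengeInt` panics. In an outpost on the authentication path that is an availability risk, not just a crash. The comma-ok form covers both cases in one step, because asserting on a nil interface yields `ok == false`: `ch, ok := challenge.GetActualInstance().(challengeInt)` followed by `if !ok { return nil, errors.New("unexpected challenge instance") }`. This applies to all three hunks in this file: `getInitialChallenge` and both sites in `solveFlowChallenge`, where the return is `false, ...`. Both functions extend beyond the hunks shown.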


@ -11,6 +11,12 @@ func (pi *ProviderInstance) UserEntry(u api.User) *ldap.Entry {
dn := pi.GetUserDN(u.Username) dn := pi.GetUserDN(u.Username)
attrs := utils.AKAttrsToLDAP(u.Attributes) attrs := utils.AKAttrsToLDAP(u.Attributes)
if u.IsActive == nil {
u.IsActive = api.PtrBool(false)
}
if u.Email == nil {
u.Email = api.PtrString("")
}
attrs = utils.EnsureAttributes(attrs, map[string][]string{ attrs = utils.EnsureAttributes(attrs, map[string][]string{
"memberOf": pi.GroupsForUser(u), "memberOf": pi.GroupsForUser(u),
"goauthentik.io/ldap/active": {utils.BoolToString(*u.IsActive)}, "goauthentik.io/ldap/active": {utils.BoolToString(*u.IsActive)},
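Review bot: The two nil guards carry no comment saying why `false` and `""` were chosen, and the choice for `IsActive` is security-relevant: defaulting a missing value to inactive is the fail-closed option and should not be flipped later for convenience. A comment above the guards would record that, e.g. `// Optional API fields may be nil; default to inactive/empty so the dereferences below cannot panic and an unknown state is never reported as active.` Since `u` is received by value, the assignments stay local to this call. Any other pointer fields of `u` dereferenced later in UserEntry are outside the hunk and would need the same guard.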


@ -24,6 +24,7 @@ export async function configureSentry(canDoPpi = false): Promise<Config> {
/instantSearchSDKJSBridgeClearHighlight/gi, /instantSearchSDKJSBridgeClearHighlight/gi,
// Seems to be an issue in Safari and Firefox // Seems to be an issue in Safari and Firefox
/MutationObserver.observe/gi, /MutationObserver.observe/gi,
/NS_ERROR_FAILURE/gi,
], ],
release: `authentik@${VERSION}`, release: `authentik@${VERSION}`,
tunnel: "/api/v3/sentry/", tunnel: "/api/v3/sentry/",
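Review bot: The added pattern `/NS_ERROR_FAILURE/gi` carries the `g` flag, which makes a `RegExp` stateful: `test()` advances `lastIndex` after a match, so a following event with the same text can fail to match and be sent anyway. That only matters if the SDK applies these patterns with `test()`, which is not visible here. `/NS_ERROR_FAILURE/i` avoids the problem. NS_ERROR_FAILURE is also a generic failure code, so a short comment on which failure this entry is meant to silence would help later triage. The neighbouring entries use the same flags, and the array begins outside the hunk.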