This repository has been archived by the owner on Apr 17, 2023. It is now read-only.

500 Internal server error when Duplicate entry #1302

Closed
oleksiilopasov opened this issue Jun 20, 2017 · 8 comments

@oleksiilopasov

Hi,
I've tried these docker-containers https://github.com/openSUSE/docker-containers for my production purposes and found an issue with authentication in versions 2.1 and 2.2 (2.0 seems to be working fine, but I need a version not older than 2.1 for new features).

Service is integrated with LDAP server.

When I log in to the web UI using LDAP credentials, everything works, but if I try to log in using the same email_address, I get a MySQL duplicate error. It's ok - I understand the email_address record must be unique.
BUT...
In versions prior to 2.1 I've got code 401 from ActiveRecord and a page "sign_in" code 200 with a message "Email has already been used":

6/20/2017 10:57:36 AMApp 99 stderr: Started POST "/users/sign_in" for 10.42.190.237 at 2017-06-20 07:57:36 +0000
6/20/2017 10:57:36 AMApp 99 stderr: Processing by Auth::SessionsController#create as HTML
6/20/2017 10:57:36 AMApp 99 stderr:   Parameters: {"utf8"=>"✓", "authenticity_token"=>"gc3jS/t9SpH69cgukWEbYBQbrzPc7g/gy2pGn7k4nXrHAYNUJZ5BjnVSVLoKTnOrwX2NtP3p8VyNoPjRl+Unfg==", "user"=>{"username"=>"<user2>", "password"=>"[FILTERED]"}, "button"=>""}
6/20/2017 10:57:36 AMApp 99 stderr: Completed 401 Unauthorized in 20ms (ActiveRecord: 0.0ms)
6/20/2017 10:57:36 AMApp 99 stderr: Processing by Auth::SessionsController#new as HTML
6/20/2017 10:57:36 AMApp 99 stderr:   Parameters: {"utf8"=>"✓", "authenticity_token"=>"gc3jS/t9SpH69cgukWEbYBQbrzPc7g/gy2pGn7k4nXrHAYNUJZ5BjnVSVLoKTnOrwX2NtP3p8VyNoPjRl+Unfg==", "user"=>{"username"=>"<user2>", "password"=>"[FILTERED]"}, "button"=>""}
6/20/2017 10:57:36 AMApp 99 stderr:   Rendered shared/_notification.html.slim (0.1ms)
6/20/2017 10:57:36 AMApp 99 stderr:   Rendered shared/_notification.html.slim (0.1ms)
6/20/2017 10:57:36 AMApp 99 stderr:   Rendered shared/_notifications.html.slim (0.5ms)
6/20/2017 10:57:36 AMApp 99 stderr:   Rendered devise/sessions/new.html.slim within layouts/authentication (3.1ms)
6/20/2017 10:57:36 AMApp 99 stderr: Completed 200 OK in 85ms (Views: 4.2ms | ActiveRecord: 0.6ms)
6/20/2017 10:57:36 AM10.42.190.237 - - [20/Jun/2017:07:57:35 +0000] "POST /users/sign_in HTTP/1.1" 200 4207 "https://docker-hub-test.example-domain.com/users/sign_in" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.75 Safari/537.36"

In versions 2.1 and 2.2 I've got 500 Internal server error:

6/20/2017 10:52:34 AMApp 116 stdout: Started POST "/users/sign_in" for 10.42.190.237 at 2017-06-20 07:52:34 +0000
6/20/2017 10:52:34 AMApp 116 stdout: Processing by Auth::SessionsController#create as HTML
6/20/2017 10:52:34 AMApp 116 stdout:   Parameters: {"utf8"=>"✓", "authenticity_token"=>"D/YI3rO7YE4OEnS48xk1G+C1n2pjfXyZoz8drJhp3rFJOmjBbVhrUYG16CxoNl3QNdO97UJ6giXl9aPitrRktQ==", "user"=>{"username"=>"<user2>", "password"=>"[FILTERED]"}, "button"=>""}
6/20/2017 10:52:34 AMApp 116 stdout: Mysql2::Error: Duplicate entry '<user2>@example-domain.com' for key 'index_users_on_email': INSERT INTO `users` (`username`, `email`, `encrypted_password`, `created_at`, `updated_at`) VALUES ('<user2>', '<user2>@example-domain.com', '$2a$10$tFOMMP18qEXjBnFPQNiB1uxld50..cgXBZRbHrLp6CiDXL4811CWK', '2017-06-20 07:52:34', '2017-06-20 07:52:34')
6/20/2017 10:52:34 AMApp 116 stdout: Completed 500 Internal Server Error in 173ms (ActiveRecord: 48.9ms)
6/20/2017 10:52:34 AMApp 116 stdout:
6/20/2017 10:52:34 AMApp 116 stdout: ActiveRecord::RecordNotUnique (Mysql2::Error: Duplicate entry '<user2>@example-domain.com' for key 'index_users_on_email': INSERT INTO `users` (`username`, `email`, `encrypted_password`, `created_at`, `updated_at`) VALUES ('<user2>', '<user2>@example-domain.com', '$2a$10$tFOMMP18qEXjBnFPQNiB1uxld50..cgXBZRbHrLp6CiDXL4811CWK', '2017-06-20 07:52:34', '2017-06-20 07:52:34')):
6/20/2017 10:52:34 AMApp 116 stdout:   lib/portus/ldap.rb:171:in `find_or_create_user!'
6/20/2017 10:52:34 AMApp 116 stdout:   lib/portus/ldap.rb:153:in `portus_login!'
6/20/2017 10:52:34 AMApp 116 stdout:   lib/portus/ldap.rb:38:in `authenticate!'
6/20/2017 10:52:34 AMApp 116 stdout:   app/controllers/application_controller.rb:36:in `force_update_profile!'
6/20/2017 10:52:34 AMApp 116 stdout:
6/20/2017 10:52:34 AMApp 116 stdout:
6/20/2017 10:52:34 AM10.42.190.237 - - [20/Jun/2017:07:52:34 +0000] "POST /users/sign_in HTTP/1.1" 500 - "https://docker-hub-test.example-domain/users/sign_in" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.75 Safari/537.36"

Is it a code bug or my loss?
Please help to fix that.

@mssola
Collaborator

mssola commented Jun 21, 2017

> When I log in to the web UI using LDAP credentials, everything works, but if I try to log in using the same email_address, I get a MySQL duplicate error. It's ok - I understand the email_address record must be unique.

I'm getting a bit lost here 😕 Could you go step by step through how you have reproduced this? I've tried the following:

  1. Go to login page and introduce your username and password.
  2. I had to enter the email.
  3. Logged out and went to the login page again.
  4. I entered the same credentials and it worked.

What am I missing?

@oleksiilopasov
Author

OK

  1. Connect your Portus to LDAP.
  2. Create two users with the same email attribute (user1 and user2 have the same email [email protected]).
  3. Log in to Portus as user 1 - this user doesn't exist, so the application will automatically create a new record in the database using attributes received from the LDAP server.
  4. Log in to Portus as user 2 - this user also doesn't exist, so the app will try to create this user in the database, but it will receive a duplicate error from MySQL because of the same values in the 'email' field.

@mssola
Collaborator

mssola commented Jun 22, 2017

@aleksejlopasov just to be sure, could you paste your LDAP config, just in case you are using email guessing or something 😉

@oleksiilopasov
Author

Will it be enough to post my portus_ldap_* env vars? Because in my case everything is configured via env vars.

@mssola
Collaborator

mssola commented Jun 23, 2017

@aleksejlopasov sure. Also note that we have the portus:info rake task, so running the following in your container (with exec command) might be useful as well:

$ portusctl exec rake portus:info

@oleksiilopasov
Author

oleksiilopasov commented Jun 23, 2017

@mssola Here it is, man ;-)

[Mailer config] Host:     docker-hub.************.com
[Mailer config] Protocol: https://
Users to be updated:
None. Doing nothing...

Portus version: 2.2.0
Portus has evaluated the following configuration:
---
email:
  from: [email protected]
  name: Portus
  reply_to: [email protected]
  smtp:
    enabled: false
    address: smtp.example.com
    port: 587
    user_name: [email protected]
    password: "****"
    domain: example.com
gravatar:
  enabled: true
delete:
  enabled: true
ldap:
  enabled: true
  hostname: ipa.************.com
  port: 389
  method: starttls
  base: cn=users,cn=accounts,dc=************,dc=com
  filter: memberOf=cn=portus,cn=groups,cn=accounts,dc=************,dc=com
  uid: uid
  authentication:
    enabled: true
    bind_dn: uid=portus_service,cn=users,cn=accounts,dc=************,dc=com
    password: "****"
  guess_email:
    enabled: true
    attr: mail
first_user_admin:
  enabled: true
signup:
  enabled: true
check_ssl_usage:
  enabled: true
registry:
  jwt_expiration_time:
    value: 5
  catalog_page:
    value: 100
machine_fqdn:
  value: docker-hub.************.com
display_name:
  enabled: false
user_permission:
  change_visibility:
    enabled: true
  manage_team:
    enabled: true
  manage_namespace:
    enabled: true

I think email guessing is not necessary when using LDAP because the email attribute is received from the LDAP server.

mssola added a commit to mssola/Portus that referenced this issue Jun 26, 2017
When creating users on LDAP, make sure that the email won't clash. If
that was to happen, then set the email to nil so the user has to enter
the email manually.

Fixes SUSE#1302

Signed-off-by: Miquel Sabaté Solà <[email protected]>
@mssola
Collaborator

mssola commented Jun 26, 2017

PR #1306 should fix this situation.

@mssola mssola added bug and removed needs info labels Jun 26, 2017
@oleksiilopasov
Author

Thanks, man. You're the best=)

mssola added a commit that referenced this issue Jun 28, 2017
When creating users on LDAP, make sure that the email won't clash. If
that was to happen, then set the email to nil so the user has to enter
the email manually.

Fixes #1302

Signed-off-by: Miquel Sabaté Solà <[email protected]>
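
The behaviour reported in this issue and the approach described in the commit message, shown side by side as an added Ruby example (not Portus's own code and not taken from PR #1306). `UserStore`, `DuplicateEmail`, `provision_unchecked` and `provision_checked` are hypothetical names, and the in-memory store is an assumption standing in for the `users` table and its `index_users_on_email` unique index.

```ruby
# Added example: in-memory stand-in for the `users` table and its unique
# email index. All names are hypothetical; this is not Portus code.
class DuplicateEmail < StandardError; end

class UserStore
  def initialize
    @by_username = {}
  end

  def find(username)
    @by_username[username]
  end

  def email_taken?(email)
    !email.nil? && @by_username.values.any? { |u| u[:email] == email }
  end

  # Like the database index: a second row with the same non-NULL email fails.
  def insert!(username, email)
    raise DuplicateEmail, "Duplicate entry '#{email}'" if email_taken?(email)
    @by_username[username] = { username: username, email: email }
  end
end

# Before: provision straight from the LDAP mail attribute. A second account
# sharing the address raises during sign-in (the 500 reported above).
def provision_unchecked(store, username, ldap_mail)
  store.find(username) || store.insert!(username, ldap_mail)
end

# After: a clashing address is dropped so the user has to enter one manually.
# The rescue covers a concurrent insert between the check and the write.
def provision_checked(store, username, ldap_mail)
  existing = store.find(username)
  return existing if existing

  email = store.email_taken?(ldap_mail) ? nil : ldap_mail
  begin
    store.insert!(username, email)
  rescue DuplicateEmail
    store.insert!(username, nil)
  end
end

if __FILE__ == $PROGRAM_NAME
  store = UserStore.new # constructed sample accounts
  provision_checked(store, "user1", "shared@example.test")
  p provision_checked(store, "user2", "shared@example.test")
end
```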