
Setting User Cap causes SAML user to be blocked during first sign in

Summary

When SAML is appropriately configured on a self-managed GitLab instance, a new user can sign in with their SAML identity and have the account automatically created. If there are no "block auto-created users" settings enabled, the user can directly sign into GitLab on the first attempt.

However, if the "user cap" setting is specified, the user is redirected to the sign-in page and shown a "Blocked Pending Approval" message (screenshot: Blocked Pending Approval banner). This happens even if the user cap is set to, say, 50 and the current number of users is 5.

The problem is that the user is not actually blocked - viewing the admin dashboard shows the user has been created and is active. Also, the user will be signed in if they immediately refresh the page.

Based on my testing and research, I feel that this behaviour may be related to this commit: c312fd3e

Note: The current workaround is to either remove the User Cap setting (not great from a user management perspective) or ask all new users to try signing in again upon seeing that banner.

Steps to reproduce

  1. Set up SAML with GitLab SM.
  2. Sign in with a new user
    • User account is created and the user is signed in without any issues
  3. Change the User Cap setting in the admin dashboard to some arbitrarily high number (say 100)
  4. Sign in with another new user
    • User will be redirected back to the sign-in page with the Blocked Pending Approval warning
    • Simultaneously, in another browser, check the admin dashboard - the user is not blocked and is shown as active
    • Also, if the user refreshes the page, they will be signed in

What is the current bug behavior?

On first sign-in via SAML, the user is redirected to the sign-in page and shown a "Blocked Pending Approval" banner.

What is the expected correct behavior?

The user should be signed in. The user should not be redirected to the sign-in page and should not see the Blocked banner.

Relevant logs and/or screenshots

==> /var/log/gitlab/gitlab-rails/application.log <==
2021-08-19T04:58:55.093Z: User "alvinsaml" (alvinsaml@gitlab.agounder.com) was created

==> /var/log/gitlab/gitlab-rails/application_json.log <==
{"severity":"INFO","time":"2021-08-19T04:58:55.093Z","correlation_id":"01FDECDGDG34EPXBKMNYW4GMVK","message":"User \"alvinsaml\" (alvinsaml@gitlab.agounder.com) was created"}

==> /var/log/gitlab/sidekiq/current <==
{"severity":"INFO","time":"2021-08-19T04:58:55.093Z","class":"SetUserStatusBasedOnUserCapSettingWorker","args":["57"],"retry":3,"queue":"set_user_status_based_on_user_cap_setting","version":0,"jid":"5d9dcf6a49dc73a9505b9bfb","created_at":"2021-08-19T04:58:55.090Z","meta.caller_id":"OmniauthCallbacksController#saml","meta.remote_ip":"222.155.71.33","meta.feature_category":"users","meta.client_id":"ip/222.155.71.33","correlation_id":"01FDECDGDG34EPXBKMNYW4GMVK","idempotency_key":"resque:gitlab:duplicate:set_user_status_based_on_user_cap_setting:190c53be8781f49e24bd5074bd50cffeb0420616b4549d03555b831b67499258","enqueued_at":"2021-08-19T04:58:55.091Z","job_size_bytes":4,"pid":491073,"message":"SetUserStatusBasedOnUserCapSettingWorker JID-5d9dcf6a49dc73a9505b9bfb: start","job_status":"start","scheduling_latency_s":0.001335}

==> /var/log/gitlab/gitlab-rails/application.log <==
2021-08-19T04:58:55.099Z: (SAML) saving user alvinsaml@gitlab.agounder.com from login with admin => false, extern_uid => d59309d7-ad69-418a-9f78-75176fb27248

==> /var/log/gitlab/gitlab-rails/application_json.log <==
{"severity":"INFO","time":"2021-08-19T04:58:55.099Z","correlation_id":"01FDECDGDG34EPXBKMNYW4GMVK","message":"(SAML) saving user alvinsaml@gitlab.agounder.com from login with admin =\u003e false, extern_uid =\u003e d59309d7-ad69-418a-9f78-75176fb27248"}

==> /var/log/gitlab/gitlab-rails/audit_json.log <==
{"severity":"INFO","time":"2021-08-19T04:58:55.105Z","correlation_id":"01FDECDGDG34EPXBKMNYW4GMVK","author_id":57,"author_name":"alvinsaml","entity_id":57,"entity_type":"User","ip_address":"222.155.71.33","with":"saml","target_id":57,"target_type":"User","target_details":"alvinsaml","entity_path":"alvinsaml"}

==> /var/log/gitlab/sidekiq/current <==
{"severity":"INFO","time":"2021-08-19T04:58:55.133Z","class":"ActionMailer::MailDeliveryJob","queue":"mailers","args":["[FILTERED]"],"retry":3,"jid":"8ea4751b58399b5a2739c15b","created_at":"2021-08-19T04:58:55.131Z","meta.caller_id":"SetUserStatusBasedOnUserCapSettingWorker","meta.remote_ip":"222.155.71.33","meta.feature_category":"users","meta.client_id":"ip/222.155.71.33","correlation_id":"01FDECDGDG34EPXBKMNYW4GMVK","idempotency_key":"resque:gitlab:duplicate:mailers:8d7d704f9dee4270ae4b60d2637ead724aee9f3e0052e6d77a75900fd0ce070e","enqueued_at":"2021-08-19T04:58:55.132Z","job_size_bytes":412,"pid":491073,"message":"ActionMailer::MailDeliveryJob JID-8ea4751b58399b5a2739c15b: start","job_status":"start","scheduling_latency_s":0.001204}

==> /var/log/gitlab/gitlab-rails/production.log <==
[ActiveJob] [ActionMailer::MailDeliveryJob] [2da1d55f-5c41-49e7-a8d3-d5268590501d] Performing ActionMailer::MailDeliveryJob (Job ID: 2da1d55f-5c41-49e7-a8d3-d5268590501d) from Sidekiq(mailers) enqueued at 2021-08-19T04:58:55Z with arguments: "DeviseMailer", "user_admin_approval", "deliver_now", {:args=>[#<GlobalID:0x00007efe2a1b10c8 @uri=#<URI::GID gid://gitlab/User/57>>]}
[ActiveJob] Enqueued ActionMailer::MailDeliveryJob (Job ID: 2da1d55f-5c41-49e7-a8d3-d5268590501d) to Sidekiq(mailers) with arguments: "DeviseMailer", "user_admin_approval", "deliver_now", {:args=>[#<GlobalID:0x00007efe2a13fc98 @uri=#<URI::GID gid://gitlab/User/57>>]}

==> /var/log/gitlab/sidekiq/current <==
{"severity":"INFO","time":"2021-08-19T04:58:55.144Z","class":"SetUserStatusBasedOnUserCapSettingWorker","args":["57"],"retry":3,"queue":"set_user_status_based_on_user_cap_setting","version":0,"jid":"5d9dcf6a49dc73a9505b9bfb","created_at":"2021-08-19T04:58:55.090Z","meta.caller_id":"OmniauthCallbacksController#saml","meta.remote_ip":"222.155.71.33","meta.feature_category":"users","meta.client_id":"ip/222.155.71.33","correlation_id":"01FDECDGDG34EPXBKMNYW4GMVK","idempotency_key":"resque:gitlab:duplicate:set_user_status_based_on_user_cap_setting:190c53be8781f49e24bd5074bd50cffeb0420616b4549d03555b831b67499258","enqueued_at":"2021-08-19T04:58:55.091Z","job_size_bytes":4,"pid":491073,"message":"SetUserStatusBasedOnUserCapSettingWorker JID-5d9dcf6a49dc73a9505b9bfb: done: 0.051845 sec","job_status":"done","scheduling_latency_s":0.001335,"redis_calls":4,"redis_duration_s":0.001244,"redis_read_bytes":60,"redis_write_bytes":1686,"redis_queues_calls":3,"redis_queues_duration_s":0.00101,"redis_queues_read_bytes":60,"redis_queues_write_bytes":1595,"redis_shared_state_calls":1,"redis_shared_state_duration_s":0.000234,"redis_shared_state_write_bytes":91,"db_count":11,"db_write_count":3,"db_cached_count":1,"cpu_s":0.030672,"mem_objects":11671,"mem_bytes":816112,"mem_mallocs":2381,"mem_total_bytes":1282952,"duration_s":0.051845,"completed_at":"2021-08-19T04:58:55.144Z","db_duration_s":0.008677}

==> /var/log/gitlab/gitlab-rails/production.log <==
[ActiveJob] [ActionMailer::MailDeliveryJob] [2da1d55f-5c41-49e7-a8d3-d5268590501d]   Rendered layout layouts/mailer/devise.html.haml (Duration: 12.6ms | Allocations: 5536)
[ActiveJob] [ActionMailer::MailDeliveryJob] [2da1d55f-5c41-49e7-a8d3-d5268590501d]   Rendered layout ee/app/views/layouts/mailer/devise.text.erb (Duration: 1.1ms | Allocations: 487)

==> /var/log/gitlab/gitlab-rails/application.log <==
2021-08-19T04:58:55.177Z: "Failed login for blocked user: user=alvinsaml ip=222.155.71.33")

==> /var/log/gitlab/gitlab-rails/application_json.log <==
{"severity":"INFO","time":"2021-08-19T04:58:55.177Z","correlation_id":"01FDECDGDG34EPXBKMNYW4GMVK","message":"\"Failed login for blocked user: user=alvinsaml ip=222.155.71.33\")\n"}

==> /var/log/gitlab/gitlab-rails/production.log <==
Completed 401 Unauthorized in 366ms (ActiveRecord: 127.0ms | Elasticsearch: 0.0ms | Allocations: 117882)
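A defender-side check for the race the logs above show, added here as an example and not code from the issue or from GitLab itself: it groups application_json.log and sidekiq/current events by correlation_id and flags any request in which a user was created, SetUserStatusBasedOnUserCapSettingWorker completed, and the same request still logged "Failed login for blocked user". The sample lines are constructed (trimmed to the fields used, with a second made-up request as a control) and modelled on the lines quoted above.

```python
import json
import re
from collections import defaultdict

# Patterns for the two application_json.log messages quoted in the issue.
CREATED_RE = re.compile(r'User "(?P<user>[^"]+)" \(.*?\) was created')
BLOCKED_RE = re.compile(r'Failed login for blocked user: user=(?P<user>\S+)')
WORKER = "SetUserStatusBasedOnUserCapSettingWorker"

def group_by_correlation_id(lines):
    """Parse JSON log lines and group them by correlation_id;
    non-JSON lines (plain-text logs, file headers) are skipped."""
    groups = defaultdict(list)
    for raw in lines:
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            continue
        if isinstance(event, dict) and event.get("correlation_id"):
            groups[event["correlation_id"]].append(event)
    return groups

def find_user_cap_races(lines):
    """Return {correlation_id: username} for each request that created a user,
    saw the user-cap worker finish, and still rejected that user as blocked."""
    races = {}
    for cid, events in group_by_correlation_id(lines).items():
        created = blocked = None
        worker_done = False
        for event in events:
            message = event.get("message", "")
            if m := CREATED_RE.search(message):
                created = m.group("user")
            if m := BLOCKED_RE.search(message):
                blocked = m.group("user")
            if event.get("class") == WORKER and event.get("job_status") == "done":
                worker_done = True
        if created and worker_done and blocked == created:
            races[cid] = created
    return races

# Constructed sample: field subset of the issue's lines plus one unrelated request.
SAMPLE_LOG = [
    '{"time":"2021-08-19T04:58:55.093Z","correlation_id":"01FDECDGDG34EPXBKMNYW4GMVK","message":"User \\"alvinsaml\\" (alvinsaml@gitlab.agounder.com) was created"}',
    '{"time":"2021-08-19T04:58:55.144Z","class":"SetUserStatusBasedOnUserCapSettingWorker","correlation_id":"01FDECDGDG34EPXBKMNYW4GMVK","job_status":"done"}',
    '{"time":"2021-08-19T04:58:55.177Z","correlation_id":"01FDECDGDG34EPXBKMNYW4GMVK","message":"\\"Failed login for blocked user: user=alvinsaml ip=222.155.71.33\\")\\n"}',
    '{"time":"2021-08-19T05:00:00.000Z","correlation_id":"CONSTRUCTED0000000000000000","message":"User \\"otheruser\\" (otheruser@example.com) was created"}',
]
```

Run it over the concatenated JSON logs from the affected request window; a non-empty result is the race signature, and an empty one means sign-in failures were genuine blocks.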

Output of checks

Results of GitLab environment info

System information
System:		Ubuntu 20.04
Proxy:		no
Current User:	git
Using RVM:	no
Ruby Version:	2.7.2p137
Gem Version:	3.1.4
Bundler Version:2.1.4
Rake Version:	13.0.3
Redis Version:	6.0.14
Git Version:	2.32.0
Sidekiq Version:5.2.9
Go Version:	unknown

GitLab information
Version:	14.1.1-ee
Revision:	f331f932688
Directory:	/opt/gitlab/embedded/service/gitlab-rails
DB Adapter:	PostgreSQL
DB Version:	12.6
URL:		https://gitlab....com
HTTP Clone URL:	https://gitlab....com/some-group/some-project.git
SSH Clone URL:	git@gitlab....com:some-group/some-project.git
Elasticsearch:	no
Geo:		yes
Geo node:	Primary
Using LDAP:	yes
Using Omniauth:	yes
Omniauth Providers: saml, azure_activedirectory_v2

GitLab Shell
Version:	13.19.0
Repository storage paths:
- default: 	/var/opt/gitlab/git-data/repositories
GitLab Shell path:		/opt/gitlab/embedded/service/gitlab-shell
Git:		/opt/gitlab/embedded/bin/git


Results of GitLab application Check


Possible fixes

Edited by Alvin Gounder