Project Quay / PROJQUAY-6740

Quay 3.11 Console should not allow normal sign in when authentication type is OIDC


      Description:

      This is an issue found in Quay 3.11. When Quay is configured to use OIDC authentication, the Quay Console login page should only allow login with OIDC authentication, but Quay allows users to input a username/password to log in. After entering the username/password, the user hits the Quay 500 error page.

      Logging in to Quay hits the 500 error page:

      Quay: quay-operator-bundle-container-v3.11.0-12

      Quay Config.yaml:

      AUTHENTICATION_TYPE: OIDC
      FEATURE_TEAM_SYNCING: true
      FEATURE_NONSUPERUSER_TEAM_SYNCING_SETUP: true
      AZUREID_LOGIN_CONFIG:
        CLIENT_ID: d38adba5-f32e-4342-b57e-bc0e6dcc4fbe
        CLIENT_SECRET: ******
        LOGIN_SCOPES: [ 'openid', 'roles' ]
        PREFERRED_GROUP_CLAIM_NAME: quay311
        OIDC_SERVER: https://login.microsoftonline.com/250926f3-c788-4a52-acfa-e3aac5386ac1/v2.0/
        SERVICE_NAME: AzureAD 

      Quay APP POD logs:

      gunicorn-web stdout | 2024-02-29 04:50:33,340 [239] [ERROR] [gunicorn.error] Error handling request /api/v1/signin
      gunicorn-web stdout | Traceback (most recent call last):
      gunicorn-web stdout |   File "/app/lib/python3.9/site-packages/gunicorn/workers/base_async.py", line 55, in handle
      gunicorn-web stdout |     self.handle_request(listener_name, req, client, addr)
      gunicorn-web stdout |   File "/app/lib/python3.9/site-packages/gunicorn/workers/ggevent.py", line 128, in handle_request
      gunicorn-web stdout |     super().handle_request(listener_name, req, sock, addr)
      gunicorn-web stdout |   File "/app/lib/python3.9/site-packages/gunicorn/workers/base_async.py", line 108, in handle_request
      gunicorn-web stdout |     respiter = self.wsgi(environ, resp.start_response)
      gunicorn-web stdout |   File "/app/lib/python3.9/site-packages/flask/app.py", line 2213, in __call__
      gunicorn-web stdout |     return self.wsgi_app(environ, start_response)
      gunicorn-web stdout |   File "/app/lib/python3.9/site-packages/werkzeug/middleware/proxy_fix.py", line 182, in __call__
      gunicorn-web stdout |     return self.app(environ, start_response)
      gunicorn-web stdout |   File "/app/lib/python3.9/site-packages/flask/app.py", line 2193, in wsgi_app
      gunicorn-web stdout |     response = self.handle_exception(e)
      gunicorn-web stdout |   File "/app/lib/python3.9/site-packages/flask_restful/__init__.py", line 298, in error_router
      gunicorn-web stdout |     return original_handler(e)
      gunicorn-web stdout |   File "/app/lib/python3.9/site-packages/flask/app.py", line 2190, in wsgi_app
      gunicorn-web stdout |     response = self.full_dispatch_request()
      gunicorn-web stdout |   File "/app/lib/python3.9/site-packages/flask/app.py", line 1486, in full_dispatch_request
      gunicorn-web stdout |     rv = self.handle_user_exception(e)
      gunicorn-web stdout |   File "/app/lib/python3.9/site-packages/flask_restful/__init__.py", line 298, in error_router
      gunicorn-web stdout |     return original_handler(e)
      gunicorn-web stdout |   File "/app/lib/python3.9/site-packages/flask/app.py", line 1484, in full_dispatch_request
      gunicorn-web stdout |     rv = self.dispatch_request()
      gunicorn-web stdout |   File "/app/lib/python3.9/site-packages/flask/app.py", line 1469, in dispatch_request
      gunicorn-web stdout |     return self.ensure_sync(self.view_functions[rule.endpoint])(**view_args)
      gunicorn-web stdout |   File "/quay-registry/endpoints/decorators.py", line 285, in wrapper
      gunicorn-web stdout |     return func(*args, **kwargs)
      gunicorn-web stdout |   File "/quay-registry/auth/decorators.py", line 68, in wrapper
      gunicorn-web stdout |     return func(*args, **kwargs)
      gunicorn-web stdout |   File "/quay-registry/util/request.py", line 64, in wrapper
      gunicorn-web stdout |     return decorator(func)(*args, **kwargs)
      gunicorn-web stdout |   File "/app/lib/python3.9/site-packages/flask_restful/utils/cors.py", line 35, in wrapped_function
      gunicorn-web stdout |     resp = make_response(f(*args, **kwargs))
      gunicorn-web stdout |   File "/quay-registry/endpoints/csrf.py", line 71, in wrapper
      gunicorn-web stdout |     resp = func(*args, **kwargs)
      gunicorn-web stdout |   File "/app/lib/python3.9/site-packages/flask_restful/__init__.py", line 489, in wrapper
      gunicorn-web stdout |     resp = resource(*args, **kwargs)
      gunicorn-web stdout |   File "/app/lib/python3.9/site-packages/flask/views.py", line 109, in view
      gunicorn-web stdout |     return current_app.ensure_sync(self.dispatch_request)(**kwargs)
      gunicorn-web stdout |   File "/app/lib/python3.9/site-packages/flask_restful/__init__.py", line 604, in dispatch_request
      gunicorn-web stdout |     resp = meth(*args, **kwargs)
      gunicorn-web stdout |   File "/quay-registry/endpoints/decorators.py", line 189, in wrapper
      gunicorn-web stdout |     return func(*args, **kwargs)
      gunicorn-web stdout |   File "/quay-registry/endpoints/decorators.py", line 164, in wrapper 
      gunicorn-web stdout |     return func(*args, **kwargs)
      gunicorn-web stdout |   File "/quay-registry/endpoints/api/__init__.py", line 573, in wrapped
      gunicorn-web stdout |     return func(self, *args, **kwargs)
      gunicorn-web stdout |   File "/quay-registry/endpoints/api/user.py", line 865, in post
      gunicorn-web stdout |     return conduct_signin(username, password, invite_code=invite_code)
      gunicorn-web stdout |   File "/quay-registry/endpoints/api/user.py", line 700, in conduct_signin
      gunicorn-web stdout |     (found_user, error_message) = authentication.verify_and_link_user(username_or_email, password)
      gunicorn-web stdout |   File "/quay-registry/data/users/__init__.py", line 349, in verify_and_link_user
      gunicorn-web stdout |     (result, err_msg) = self.state.verify_and_link_user(username_or_email, password)
      gunicorn-web stdout |   File "/quay-registry/data/users/federated.py", line 82, in verify_and_link_user
      gunicorn-web stdout |     (credentials, err_msg) = self.verify_credentials(username_or_email, password)
      gunicorn-web stdout | TypeError: cannot unpack non-iterable NoneType object
      gunicorn-web stdout | 2024-02-29 04:50:33,342 [239] [INFO] [gunicorn.access]  - - [29/Feb/2024:04:50:33 +0000] "POST /api/v1/signin HTTP/1.0" 500 0 "-" "-"
      nginx stdout | 10.131.0.28 (-) - - [29/Feb/2024:04:50:33 +0000] "POST /api/v1/signin HTTP/1.1" 500 141 "https://quayregistry-quay-quay-enterprise-2145.apps.quayfipstest-2145.qe.devcluster.openshift.com/repository/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/115.0" (0.005 1907 0.005)
      gunicorn-web stdout | 2024-02-29 04:50:33,608 [240] [DEBUG] [app] Starting request: urn:request:5da4e1c0-59c6-4a03-9541-f74d10f3cd7d (/500) {'X-Forwarded-For': '221.218.181.255, 10.131.0.28'}
      gunicorn-web stdout | 2024-02-29 04:50:33,613 [240] [DEBUG] [app] Ending request: urn:request:5da4e1c0-59c6-4a03-9541-f74d10f3cd7d (/500) {'endpoint': 'web.internal_error_display', 'request_id': 'urn:request:5da4e1c0-59c6-4a03-9541-f74d10f3cd7d', 'remote_addr': '10.131.0.28', 'http_method': 'GET', 'original_url': 'https://quayregistry-quay-quay-enterprise-2145.apps.quayfipstest-2145.qe.devcluster.openshift.com/500', 'path': '/500', 'parameters': {}, 'json_body': None, 'confsha': 'd42b6c8c', 'user-agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/115.0'}
      gunicorn-web stdout | 2024-02-29 04:50:33,613 [240] [INFO] [gunicorn.access] 10.131.0.28 - - [29/Feb/2024:04:50:33 +0000] "GET /500 HTTP/1.0" 200 2629 "https://quayregistry-quay-quay-enterprise-2145.apps.quayfipstest-2145.qe.devcluster.openshift.com/repository/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/115.0"
      nginx stdout | 10.131.0.28 (-) - - [29/Feb/2024:04:50:33 +0000] "GET /500 HTTP/1.1" 200 992 "https://quayregistry-quay-quay-enterprise-2145.apps.quayfipstest-2145.qe.devcluster.openshift.com/repository/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/115.0" (0.006 1662 0.007)

            sdadi@redhat.com Sunanda Dadi
            lzha1981 luffy zhang
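
The last frame of the traceback unpacks the return value of `verify_credentials`, which was `None`, so a password POST to `/api/v1/signin` surfaces as a 500. The sketch below is an added example, not Quay's code: it models that failure and a guard that refuses password sign-in up front when `AUTHENTICATION_TYPE` is `OIDC`. Only `verify_credentials`, `verify_and_link_user` and `AUTHENTICATION_TYPE` come from the report; the class, the sign-in helpers and the status codes are hypothetical.

```python
# Added illustration, not Quay source. The class, signin_* helpers,
# defensive_unpack and the chosen status codes are hypothetical stand-ins.

class OIDCUsersModel:
    """Stand-in for an auth backend that has no password check."""

    def verify_credentials(self, username_or_email, password):
        return None  # assumption: models the None implied by the TypeError

    def verify_and_link_user(self, username_or_email, password):
        # Same tuple unpacking as the last frame in the traceback.
        (credentials, err_msg) = self.verify_credentials(username_or_email, password)
        if credentials is None:
            return (None, err_msg)
        return (credentials, None)


def signin_unguarded(config, users, username, password):
    """Reported behaviour: the password path reaches the OIDC backend."""
    try:
        user, err = users.verify_and_link_user(username, password)
    except TypeError:
        return 500, "Internal Server Error"  # what the client received
    return (200, "ok") if user else (403, err)


def signin_guarded(config, users, username, password):
    """Reject password sign-in before touching the backend when OIDC is set."""
    if config.get("AUTHENTICATION_TYPE") == "OIDC":
        return 403, "Password sign-in is disabled; use the OIDC provider"
    user, err = users.verify_and_link_user(username, password)
    return (200, "ok") if user else (403, err)


def defensive_unpack(result):
    """Treat a missing or malformed result as a failed login, not a crash."""
    if not (isinstance(result, tuple) and len(result) == 2):
        return (None, "Credential verification unavailable for this backend")
    return result


if __name__ == "__main__":
    cfg = {"AUTHENTICATION_TYPE": "OIDC"}  # constructed from the reported config
    print(signin_unguarded(cfg, OIDCUsersModel(), "user", "pw"))
    print(signin_guarded(cfg, OIDCUsersModel(), "user", "pw"))
```

The guard belongs on the server side of the sign-in endpoint; hiding the username/password form in the console alone would leave the endpoint reachable by direct requests.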