GitLab auth: Support custom root CA for https certificates signed in house

[exstral]

Hi,

I'm trying to use the GitLab authentication to authenticate with our own internal gitlab. It requests the auth correctly, I authorize it on GitLab but when it returns to the callback on HackMD gives me a 500 and logs this error:

InternalOAuthError: Failed to obtain access token
    at Strategy.OAuth2Strategy._createOAuthError (/hackmd/node_modules/passport-oauth2/lib/strategy.js:379:17)
    at /hackmd/node_modules/passport-oauth2/lib/strategy.js:166:45
    at /hackmd/node_modules/oauth/lib/oauth2.js:191:18
    at ClientRequest.<anonymous> (/hackmd/node_modules/oauth/lib/oauth2.js:162:5)
    at emitOne (events.js:96:13)
    at ClientRequest.emit (events.js:188:7)
    at TLSSocket.socketErrorListener (_http_client.js:310:9)
    at emitOne (events.js:96:13)
    at TLSSocket.emit (events.js:188:7)
    at emitErrorNT (net.js:1278:8)
    at _combinedTickCallback (internal/process/next_tick.js:74:11)
    at process._tickCallback (internal/process/next_tick.js:98:9)

I am sending the following environment variables to HackMD:

- HMD_URL_ADDPORT=true
- HMD_DB_URL=postgres://hackmd:hackmdpass@postgres:5432/hackmd
- HMD_IMAGE_UPLOAD_TYPE=filesystem
- HMD_ALLOW_ANONYMOUS=false
- HMD_ALLOW_FREEURL=true
- HMD_EMAIL=false
- HMD_GITLAB_BASEURL=https://gitlab.internal/
- HMD_GITLAB_CLIENTID=0da7d9dc0edd9cb9f7 (altered when posting here)
- HMD_GITLAB_CLIENTSECRET=c9a4aed19d16c1b (altered when posting here)

We are running the latest master of HackMD (d6822dd) and latest Gitlab version 8.16.4.

Any ideas on what could be wrong?

[jackycute]

Hi @esbite
If you're using GitLab.com to auth.
It should work without HMD_GITLAB_BASEURL env var.

[jackycute]

Huh, if you're using self-hosted gitlab.
It seems not our application's issue from the logs you've posted.
Did you make good application scope in gitlab?
Maybe you should check gitlab logs?

[exstral]

Hmm. Yes we're using self hosted Gitlab. But Gitlab doesn't give me an error, I get returned correctly to the callback on HackMD with the following URL:
GET http://localhost:3000/auth/gitlab/callback?code=0c592d84f143266d85252fc4385c65c8a9824bcdd1438fc8871366e459e7696d

And then I see the 500 error from HackMD. That code parameter should be the access token, right?

[jackycute]

Yeah, that should work.
Did you check the api or auth scope in gitlab settings of access tokens?

[exstral]

Yes I read your other issue about not supporting only the read_user scope so I checked both. If I only checked the read_user it didn't work with Gitlab giving me an error.

Any other ideas how I can debug this?

[jackycute]

Well, I just tested on my local server to auth via gitlab.com and it worked.

Could you check the connection logs before the OAuth error?
It would be really helpful if you could dig the the request and response logs between them.

I guess it might be some problem when the hackmd request with to code.
hackmd -> request for auth -> gitlab authorized with code back -> hackmd -> request for token and user profile with the given code -> failed.

[exstral]

Ah. Finally figured out what the underlying error was. Of course this is also a certificate problem (Error: unable to verify the first certificate). Because our internal Gitlab is also using a certificate signed by our custom root cert. And when the browser is accessing it to grant the first authorization it works. But when nodejs itself makes the request to get the access token it fails because of certificate error.

How can I supply our custom root cert here, like I did for LDAP? :)

[jackycute]

I think that means you need to use SSL connection.
There will be two ways to achieve that.

1. Build a proxy before hackmd, like nginx or apache and add cert on it.
2. Enable our built-in SSL server option. But it's only available via the config.json for now.
   you will need to need to turn on usessl and set sslcapath (or maybe more) see more here.

[exstral]

Are you saying that I need to put HackMD behind SSL? That seems unnecessary to me.

All I need is for the outgoing OAuth request for https://gitlab.internal/oauth/access_token to be able to verify the certificate we have running on gitlab. Node cannot verify this using the public Root Certificate Authorities that are automatically included with node so it cannot open a https connection. Our certificate can only be verified using our own Root Certificate Authority since we have signed it ourselves, which is common practice in bigger organisations.

I'm new to Node so I'm not sure how to supply a custom root CA for a request, but seems like you would need to use a library like this.
https://www.npmjs.com/package/ssl-root-cas

Because this is a problem in node core, see issue here:
nodejs/node#4175

This issue actually seems to be just about fixed in the absolute latest nodejs release:
nodejs/node#11062

[jackycute]

So maybe you could try on node v7.5.0?

[exstral]

Haha, yeah, I guess I could. But do you yet officially support node 7? I mean the Dockerfile you have is based on 6.9 :)

[jackycute]

Yes we do support node 7, actually our service is running it now.
The dockerfile use node 6 for better stability in LTS.

[jackycute]

Hey @esbite how's going?

[exstral]

Sorry no time to test, we decided we are happy with LDAP auth for now.