*: improve error handling in ldap outpost, ignore additional errors

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

authentik/lib/sentry.py

@@ -1,4 +1,5 @@
 """authentik sentry integration"""
+from asyncio.exceptions import CancelledError
 from typing import Any, Optional
 
 from aioredis.errors import ConnectionClosedError, ReplyError
@@ -143,6 +144,8 @@ def before_send(event: dict, hint: dict) -> Optional[dict]:
         DockerException,
         # End-user errors
         Http404,
+        # AsyncIO
+        CancelledError,
     )
     exc_value = None
     if "exc_info" in hint:

authentik/sources/ldap/sync/groups.py

@@ -51,7 +51,7 @@ class GroupLDAPSynchronizer(BaseLDAPSynchronizer):
                     },
                     defaults,
                 )
-            except (IntegrityError, FieldError, TypeError) as exc:
+            except (IntegrityError, FieldError, TypeError, AttributeError) as exc:
                 Event.new(
                     EventAction.CONFIGURATION_ERROR,
                     message=(

authentik/sources/ldap/sync/users.py

@@ -45,7 +45,7 @@ class UserLDAPSynchronizer(BaseLDAPSynchronizer):
                 ak_user, created = self.update_or_create_attributes(
                     User, {f"attributes__{LDAP_UNIQUENESS}": uniq}, defaults
                 )
-            except (IntegrityError, FieldError, TypeError) as exc:
+            except (IntegrityError, FieldError, TypeError, AttributeError) as exc:
                 Event.new(
                     EventAction.CONFIGURATION_ERROR,
                     message=(

internal/outpost/flow/executor.go

@@ -169,7 +169,11 @@ func (fe *FlowExecutor) getInitialChallenge() (*api.ChallengeTypes, error) {
 	if err != nil {
 		return nil, err
 	}
-	ch := challenge.GetActualInstance().(challengeInt)
+	i := challenge.GetActualInstance()
+	if i == nil {
+		return nil, errors.New("response instance was null")
+	}
+	ch := i.(challengeInt)
 	fe.log.WithField("component", ch.GetComponent()).WithField("type", ch.GetType()).Debug("Got challenge")
 	gcsp.SetTag("authentik.flow.challenge", string(ch.GetType()))
 	gcsp.SetTag("authentik.flow.component", ch.GetComponent())
@@ -185,7 +189,11 @@ func (fe *FlowExecutor) solveFlowChallenge(challenge *api.ChallengeTypes, depth
 	// Resole challenge
 	scsp := sentry.StartSpan(fe.Context, "authentik.outposts.flow_executor.solve_challenge")
 	responseReq := fe.api.FlowsApi.FlowsExecutorSolve(scsp.Context(), fe.flowSlug).Query(fe.Params.Encode())
-	ch := challenge.GetActualInstance().(challengeInt)
+	i := challenge.GetActualInstance()
+	if i == nil {
+		return false, errors.New("response request instance was null")
+	}
+	ch := i.(challengeInt)
 
 	// Check for any validation errors that we might've gotten
 	if len(ch.GetResponseErrors()) > 0 {
@@ -218,7 +226,11 @@ func (fe *FlowExecutor) solveFlowChallenge(challenge *api.ChallengeTypes, depth
 	if err != nil {
 		return false, fmt.Errorf("failed to submit challenge %w", err)
 	}
-	ch = response.GetActualInstance().(challengeInt)
+	i = response.GetActualInstance()
+	if i == nil {
+		return false, errors.New("response instance was null")
+	}
+	ch = i.(challengeInt)
 	fe.log.WithField("component", ch.GetComponent()).WithField("type", ch.GetType()).Debug("Got response")
 	scsp.SetTag("authentik.flow.challenge", string(ch.GetType()))
 	scsp.SetTag("authentik.flow.component", ch.GetComponent())

internal/outpost/ldap/entries.go

@@ -11,6 +11,12 @@ func (pi *ProviderInstance) UserEntry(u api.User) *ldap.Entry {
 	dn := pi.GetUserDN(u.Username)
 	attrs := utils.AKAttrsToLDAP(u.Attributes)
 
+	if u.IsActive == nil {
+		u.IsActive = api.PtrBool(false)
+	}
+	if u.Email == nil {
+		u.Email = api.PtrString("")
+	}
 	attrs = utils.EnsureAttributes(attrs, map[string][]string{
 		"memberOf":                      pi.GroupsForUser(u),
 		"goauthentik.io/ldap/active":    {utils.BoolToString(*u.IsActive)},

web/src/common/sentry.ts

@@ -24,6 +24,7 @@ export async function configureSentry(canDoPpi = false): Promise<Config> {
                 /instantSearchSDKJSBridgeClearHighlight/gi,
                 // Seems to be an issue in Safari and Firefox
                 /MutationObserver.observe/gi,
+                /NS_ERROR_FAILURE/gi,
             ],
             release: `authentik@${VERSION}`,
             tunnel: "/api/v3/sentry/",