SonarQube was authenticating (authn) users just fine through GitLab. Then our GitLab crashed and had to be partially rebuilt (all new users, though the source code itself was fine). Now some Qube users can authn through GitLab while others can’t.
This is from logs/web.log:
2021.02.05 21:32:51 WARN web[AXbfVzZ8NHCHadaOACU8][o.s.s.a.AuthenticationError] Fail to callback authentication with ‘gitlab’ org.apache.ibatis.exceptions.PersistenceException:
Error updating database. Cause: org.postgresql.util.PSQLException: ERROR: duplicate key value violates unique constraint “uniq_external_login”
Detail: Key (external_identity_provider, external_login)=(gitlab, johndoe) already exists.
The error may exist in org.sonar.db.user.UserMapper
The error may involve org.sonar.db.user.UserMapper.update-Inline
The error occurred while setting parameters
SQL: update users set login = ?, name = ?, email = ?, active = ?, scm_accounts = ?, external_id = ?, external_login = ?, external_identity_provider = ?, user_local = ?, onboarded = ?, salt = ?, crypted_password = ?, hash_method = ?, homepage_type = ?, homepage_parameter = ?, last_connection_date = ?, updated_at = ? where uuid = ?
Cause: org.postgresql.util.PSQLException: ERROR: duplicate key value violates unique constraint “uniq_external_login”
Detail: Key (external_identity_provider, external_login)=(gitlab, johndoe) already exists.
at org.apache.ibatis.exceptions.ExceptionFactory.wrapException(ExceptionFactory.java:30)
at org.apache.ibatis.session.defaults.DefaultSqlSession.update(DefaultSqlSession.java:199)
… lots more …
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.base/java.lang.Thread.run(Thread.java:834)
Caused by: org.postgresql.util.PSQLException: ERROR: duplicate key value violates unique constraint “uniq_external_login”
Detail: Key (external_identity_provider, external_login)=(gitlab, johndoe) already exists.
Version information: SonarQube CE Version 8.4.2 (build 36762), GitLab CE 12.4.1
How to duplicate the problem:
- Setup SonarQube to authenticate users through GitLab as normal (ALM integration).
- Prove it works: authenticate SonarQube using the “Log In with GitLab” button.
- Blow away GitLab, or make another one, with the same usernames as step 1. (Re)point SonarQube authentication to the new GitLab (as done in step 1). (In our case, the callback URL was the same, but the almintegration keys (Application ID and Secret) had to change since the GitLab instance was new.)
- Repeat step 2. It will fail with some users, giving the error message shown above (web.log).
Strangeness: I would think that the “duplicate key value” problem would be the same for all users, as all of them had to be recreated in the new GitLab instance. But that is not the case. Clearly the GitLab authn is setup correctly, or no users could get into Qube through GitLab.