Gitlab OAUTH, not all Gitlab groups assigned because Gitlab Link URLs from Response Header are not recognized

Hi,

Can someone help with this issue? We are using the latest 8.9.1 LTS version (Version 8.9.1 (build 44547)).

We have many groups in Gitlab. When logging in via OAUTH/Gitlab, not all groups are found and thus not all assignments to Sonarqube groups are done.
The reason is the case-sensitive evaluation of the response headers in Sonarqube. Currently only “Link” is evaluated:

server/sonar-auth-common/src/main/java/org/sonar/auth/OAuthRestClient.java
...
    String link = response.getHeader("Link");
...

We use HAPROXY which converts all responses to lower case.

According to the documentation this is standard and the workaround (works only for HTTP/1) in the settings should not be used permanently.
The method should be changed to case-insensitive evaluation.

Extract from the HAPROXY documentation:

“When HAProxy receives an HTTP/1 request, its header names are converted to
lower case and manipulated and sent this way to the servers.

There is no standard case for header names because, as stated in RFC7230,
they are case-insensitive. So applications must handle them in a case-
insensitive manner.

… it is possible to transform the lower case header names to a
different format when the request is formatted and sent to the server, …
using the global directives “h1-case-adjust”

This must only be a temporary workaround for the time it takes the client to be
fixed, because clients which require such workarounds might be vulnerable to
content smuggling attacks and must absolutely be fixed.”

Thanks for any help in advance
Cheers

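To make the reported behaviour concrete, here is an added example (not SonarQube's code, and Python rather than the Java shown above) that contrasts a case-sensitive header lookup with the case-insensitive one RFC 7230 requires, parses GitLab-style `Link` pagination headers, and follows `rel="next"` across a constructed three-page fake API served once as GitLab sends it and once with header names lowercased the way HAProxy does. The host `gitlab.example` and the group names are placeholders.

```python
import re

# Placeholder API base (constructed; not a real GitLab instance).
BASE = "https://gitlab.example/api/v4/groups?per_page=100&page="


def _link_value(page, last=3):
    """Build a GitLab-style pagination Link header for one page (constructed)."""
    parts = [f'<{BASE}1>; rel="first"', f'<{BASE}{last}>; rel="last"']
    if page < last:
        parts.insert(0, f'<{BASE}{page + 1}>; rel="next"')
    return ", ".join(parts)


def _page(page, lowercase):
    """One fake API response as (headers, items); lowercase=True mimics HAProxy."""
    headers = [("Content-Type", "application/json"), ("Link", _link_value(page))]
    if lowercase:
        headers = [(name.lower(), value) for name, value in headers]
    items = [f"group-{page}-{i}" for i in range(2)]  # two constructed groups per page
    return headers, items


# The same three pages, served directly and through a lowercasing proxy.
DIRECT_API = {f"{BASE}{p}": _page(p, lowercase=False) for p in (1, 2, 3)}
PROXIED_API = {f"{BASE}{p}": _page(p, lowercase=True) for p in (1, 2, 3)}

# <url> followed by any number of ;param=value pairs, up to the next comma.
_LINK_RE = re.compile(r"<([^>]*)>\s*((?:;\s*[^,;]+)*)")


def get_header_exact(headers, name):
    """Case-sensitive lookup: the behaviour reported in the thread."""
    for header_name, value in headers:
        if header_name == name:
            return value
    return None


def get_header(headers, name):
    """Case-insensitive lookup as RFC 7230 requires; repeated headers are joined."""
    wanted = name.lower()
    values = [value for header_name, value in headers if header_name.lower() == wanted]
    return ", ".join(values) if values else None


def parse_link_header(value):
    """Parse an RFC 8288 Link header into {rel: url}.

    Handles several links in one header and quoted or unquoted rel values;
    a rel holding several space-separated relation types maps each of them.
    """
    links = {}
    if not value:
        return links
    for url, params in _LINK_RE.findall(value):
        for param in params.split(";"):
            key, _, raw = param.strip().partition("=")
            if key.strip().lower() == "rel":
                for rel in raw.strip().strip('"').split():
                    links[rel.lower()] = url
    return links


def next_page_url(headers, case_insensitive=True):
    """Return the rel="next" URL from the response headers, or None on the last page."""
    lookup = get_header if case_insensitive else get_header_exact
    return parse_link_header(lookup(headers, "Link")).get("next")


def fetch_all(fake_api, first_url, case_insensitive=True):
    """Follow rel="next" links until the server stops sending one."""
    items, url = [], first_url
    while url:
        headers, page_items = fake_api[url]
        items.extend(page_items)
        url = next_page_url(headers, case_insensitive)
    return items


if __name__ == "__main__":
    first = BASE + "1"
    print("direct, exact match:   ", len(fetch_all(DIRECT_API, first, case_insensitive=False)))
    print("proxied, exact match:  ", len(fetch_all(PROXIED_API, first, case_insensitive=False)))
    print("proxied, insensitive:  ", len(fetch_all(PROXIED_API, first)))
```

With the exact-match lookup the proxied run stops after page 1 and returns two of the six groups, which is exactly the symptom of missing group assignments described above; with the case-insensitive lookup both runs return all six. The fix belongs in the client, as the HAProxy documentation quoted below also says.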

Hi, welcome to the community forum!

Thanks for taking the time to report this and for the investigation. This change makes sense to me, I created a ticket in our backlog to track the effort.

Many thanks, this will help us a lot. 🙂

Will this fix be part of upcoming 9.x and 8.9LTS?

It might not be part of 9.0, as the release is due in 2 days. But in the 9.X series, yes, most likely.

It’s not scheduled for a backport in 8.9 (Yet, anyway). Our backport policy is quite strict, and we backport only critical bugs. I don’t think this issue qualifies for a backport.

Your easiest option might be to upgrade to 9.X once the issue gets fixed.

Thanks for the info. Actually we wanted to stay on the LTS version. We will check if it is possible to switch to 9.x. In parallel we will test the reconfiguration on the HAPROXY.
