diff options
author | Rémy Coutable <remy@rymai.me> | 2019-02-05 17:13:28 +0000 |
---|---|---|
committer | Rémy Coutable <remy@rymai.me> | 2019-02-05 17:13:28 +0000 |
commit | 8b02d58edeab14cfce9af5fdf8bbd9defe7e0c4b (patch) | |
tree | 21e18d6ea6a5821dd5807882bcb054e948ce6f94 | |
parent | 22caeb58a49a7ed2ccef7e5191e5a8c3f9ff7d10 (diff) | |
parent | 6548e01f18c24ec8703bb85557d7509dbeace013 (diff) | |
download | gitlab-ce-8b02d58edeab14cfce9af5fdf8bbd9defe7e0c4b.tar.gz |
Merge branch 'jej/avoid-csrf-check-on-saml-failure' into 'master'
Skip CSRF check on SAML failure endpoint
Closes #56574
See merge request gitlab-org/gitlab-ce!24509
3 files changed, 29 insertions, 1 deletions
diff --git a/app/controllers/omniauth_callbacks_controller.rb b/app/controllers/omniauth_callbacks_controller.rb index f8e482937d5..97120273d6b 100644 --- a/app/controllers/omniauth_callbacks_controller.rb +++ b/app/controllers/omniauth_callbacks_controller.rb @@ -4,7 +4,7 @@ class OmniauthCallbacksController < Devise::OmniauthCallbacksController include AuthenticatesWithTwoFactor include Devise::Controllers::Rememberable - protect_from_forgery except: [:kerberos, :saml, :cas3], prepend: true + protect_from_forgery except: [:kerberos, :saml, :cas3, :failure], with: :exception, prepend: true def handle_omniauth omniauth_flow(Gitlab::Auth::OAuth) diff --git a/changelogs/unreleased/jej-avoid-csrf-check-on-saml-failure.yml b/changelogs/unreleased/jej-avoid-csrf-check-on-saml-failure.yml new file mode 100644 index 00000000000..18cced2906a --- /dev/null +++ b/changelogs/unreleased/jej-avoid-csrf-check-on-saml-failure.yml @@ -0,0 +1,5 @@ +--- +title: Display SAML failure messages instead of expecting CSRF token +merge_request: 24509 +author: +type: fixed diff --git a/spec/controllers/omniauth_callbacks_controller_spec.rb b/spec/controllers/omniauth_callbacks_controller_spec.rb index 59463462e5a..232a5e2793b 100644 --- a/spec/controllers/omniauth_callbacks_controller_spec.rb +++ b/spec/controllers/omniauth_callbacks_controller_spec.rb @@ -45,6 +45,29 @@ describe OmniauthCallbacksController, type: :controller do end end + context 'when sign in fails' do + include RoutesHelpers + + let(:extern_uid) { 'my-uid' } + let(:provider) { :saml } + + def stub_route_as(path) + allow(@routes).to receive(:generate_extras) { [path, []] } + end + + it 'it calls through to the failure handler' do + request.env['omniauth.error'] = OneLogin::RubySaml::ValidationError.new("Fingerprint mismatch") + request.env['omniauth.error.strategy'] = OmniAuth::Strategies::SAML.new(nil) + stub_route_as('/users/auth/saml/callback') + + ForgeryProtection.with_forgery_protection do + post :failure + end + + expect(flash[:alert]).to match(/Fingerprint mismatch/) + end + end + context 'when a redirect fragment is provided' do let(:provider) { :jwt } let(:extern_uid) { 'my-uid' } |