summaryrefslogtreecommitdiff
path: root/lib/omni_auth
diff options
context:
space:
mode:
authorSebastian Arcila Valenzuela <sarcila@gitlab.com>2019-08-19 15:19:19 +0200
committerSebastian Arcila Valenzuela <sarcila@gitlab.com>2019-09-20 16:53:51 +0200
commit2b94f55325c737c6acc6866799a0188abc180cf3 (patch)
treee11f76b30d23afee90fbb4deeaf29cb6033b3b85 /lib/omni_auth
parent2cacd021284f9396360a4ac9ef99cee5b96e4ef2 (diff)
downloadgitlab-ce-2b94f55325c737c6acc6866799a0188abc180cf3.tar.gz
Validate that SAML requests are originated from gitlab
If the request wasn't initiated by gitlab we shouldn't add the new identity to the user, and instead show that we weren't able to link the identity to the user. This should fix: https://gitlab.com/gitlab-org/gitlab-ce/issues/56509
Diffstat (limited to 'lib/omni_auth')
-rw-r--r--lib/omni_auth/strategies/saml.rb29
1 files changed, 29 insertions, 0 deletions
diff --git a/lib/omni_auth/strategies/saml.rb b/lib/omni_auth/strategies/saml.rb
new file mode 100644
index 00000000000..ebe062f17e0
--- /dev/null
+++ b/lib/omni_auth/strategies/saml.rb
@@ -0,0 +1,29 @@
+# frozen_string_literal: true
+
+module OmniAuth
+ module Strategies
+ class SAML
+ extend ::Gitlab::Utils::Override
+
+ # NOTE: This method duplicates code from omniauth-saml
+ # so that we can access authn_request to store it
+ # See: https://github.com/omniauth/omniauth-saml/issues/172
+ override :request_phase
+ def request_phase
+ authn_request = OneLogin::RubySaml::Authrequest.new
+
+ store_authn_request_id(authn_request)
+
+ with_settings do |settings|
+ redirect(authn_request.create(settings, additional_params_for_authn_request))
+ end
+ end
+
+ private
+
+ def store_authn_request_id(authn_request)
+ Gitlab::Auth::Saml::OriginValidator.new(session).store_origin(authn_request)
+ end
+ end
+ end
+end