author | Sebastian Arcila Valenzuela <sarcila@gitlab.com> | 2019-08-19 15:19:19 +0200 |
---|---|---|
committer | Yorick Peterse <yorick@yorickpeterse.com> | 2019-09-30 14:22:06 +0200 |
commit | 3692e9f8a23386c627942ca2a9edd8c00af7e904 (patch) | |
tree | 0d092bdbdfc954e1a9e2b520291a7244c0cd679e /spec/lib/omni_auth | |
parent | 010e3c5ed41db96f68549e01373a9aacadd995d7 (diff) | |
Validate that SAML requests are originated from gitlab
If the request wasn't initiated by GitLab, we shouldn't add the new
identity to the user; instead, we show that we weren't able to link
the identity to the user.
This should fix: https://gitlab.com/gitlab-org/gitlab-ce/issues/56509
Diffstat (limited to 'spec/lib/omni_auth')
-rw-r--r-- | spec/lib/omni_auth/strategies/saml_spec.rb | 22 |
1 files changed, 22 insertions, 0 deletions
diff --git a/spec/lib/omni_auth/strategies/saml_spec.rb b/spec/lib/omni_auth/strategies/saml_spec.rb
new file mode 100644
index 00000000000..3c59de86d98
--- /dev/null
+++ b/spec/lib/omni_auth/strategies/saml_spec.rb
@@ -0,0 +1,22 @@
+require 'spec_helper'
+
+describe OmniAuth::Strategies::SAML, type: :strategy do
+ let(:idp_sso_target_url) { 'https://login.example.com/idp' }
+ let(:strategy) { [OmniAuth::Strategies::SAML, { idp_sso_target_url: idp_sso_target_url }] }
+
+ describe 'POST /users/auth/saml' do
+ it 'redirects to the provider login page' do
+ post '/users/auth/saml'
+
+ expect(last_response).to redirect_to(/\A#{Regexp.quote(idp_sso_target_url)}/)
+ end
+
+ it 'stores request ID during request phase' do
+ request_id = double
+ allow_any_instance_of(OneLogin::RubySaml::Authrequest).to receive(:uuid).and_return(request_id)
+
+ post '/users/auth/saml'
+ expect(session['last_authn_request_id']).to eq(request_id)
+ end
+ end
+end |
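Review bot: The spec covers only the request-phase half of the check the commit describes — that the AuthnRequest uuid is written to `session['last_authn_request_id']` — and nothing here exercises the callback phase, so a regression in the comparison of the IdP response against that stored id (implemented outside this diffstat, presumably in the strategy itself) would pass this file unnoticed. Consider a second `describe` for the callback phase that posts a response whose InResponseTo does not match the stored id and expects the identity not to be linked, plus one that asserts the stored id is consumed rather than left in the session afterwards. On style, an unnamed `double` gives opaque failure messages; `request_id = double('authn request uuid')` reads better, and `allow_any_instance_of` is discouraged by rspec-mocks in favour of stubbing the specific `Authrequest` instance the strategy builds. The first example's `redirect_to(/\A#{Regexp.quote(idp_sso_target_url)}/)` anchoring is good; keep the `\A` so a redirect to a different host that merely embeds the IdP URL in a query string cannot satisfy it.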