author | Kamil Trzcinski <ayufan@ayufan.eu> | 2015-07-08 15:41:09 +0200 |
---|---|---|
committer | Kamil Trzcinski <ayufan@ayufan.eu> | 2015-07-08 15:41:09 +0200 |
commit | 809c4a10ccd51a7bec3b7bbc22b4f95238a32553 (patch) | |
tree | 776cfb0154cd64dba7e70c7887d4be2571e304b9 /app | |
parent | 65b38e5bc1b575c104a4209501b48dda60a3ca89 (diff) | |
download | gitlab-ci-809c4a10ccd51a7bec3b7bbc22b4f95238a32553.tar.gz |
Don't use return_to, but instead pass state with signed return_to parameter
Diffstat (limited to 'app')
-rw-r--r-- | app/controllers/application_controller.rb | 4 | ||||
-rw-r--r-- | app/controllers/user_sessions_controller.rb | 9 | ||||
-rw-r--r-- | app/helpers/user_sessions_helper.rb | 15 | ||||
-rw-r--r-- | app/views/projects/_public.html.haml | 2 | ||||
-rw-r--r-- | app/views/user_sessions/new.html.haml | 2 |
5 files changed, 19 insertions, 13 deletions
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index 9852736..0d27134 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -1,4 +1,6 @@
 class ApplicationController < ActionController::Base
+  include UserSessionsHelper
+
   rescue_from Network::UnauthorizedError, with: :invalid_token
   before_filter :default_headers
   before_filter :check_config
@@ -39,7 +41,7 @@ class ApplicationController < ActionController::Base
   def authenticate_public_page!
     unless project.public
       unless current_user
-        redirect_to(new_user_sessions_path(return_to: request.fullpath)) and return
+        redirect_to(new_user_sessions_path(state: generate_oauth_state(request.fullpath))) and return
       end

       unless current_user.can_access_project?(project.gitlab_id)
diff --git a/app/controllers/user_sessions_controller.rb b/app/controllers/user_sessions_controller.rb
index e486b24..23e4182 100644
--- a/app/controllers/user_sessions_controller.rb
+++ b/app/controllers/user_sessions_controller.rb
@@ -1,6 +1,4 @@
 class UserSessionsController < ApplicationController
-  include UserSessionsHelper
-
   before_filter :authenticate_user!, except: [:new, :callback, :auth]

   def show
@@ -11,9 +9,14 @@ class UserSessionsController < ApplicationController
   end

   def auth
+    unless is_oauth_state_valid?(params[:state])
+      redirect_to new_user_sessions_path
+      return
+    end
+
     redirect_to client.auth_code.authorize_url({
       redirect_uri: callback_user_sessions_url,
-      state: generate_oauth_state(params[:return_to])
+      state: params[:state]
     })
   end

diff --git a/app/helpers/user_sessions_helper.rb b/app/helpers/user_sessions_helper.rb
index e5853b5..df158c6 100644
--- a/app/helpers/user_sessions_helper.rb
+++ b/app/helpers/user_sessions_helper.rb
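Review bot: The state that `auth` accepts is checked only against the server secret, never against the requesting session, so a state minted for any visitor (the public-projects link mints a fresh one on every render) passes here and, presumably, again in the callback; an attacker can take such a state, run the GitLab authorization themselves, and deliver the resulting code plus that state to `callback_user_sessions_url` in a victim's browser, which is the login CSRF that OAuth `state` exists to prevent. On top of that `is_oauth_state_valid?` returns true for a nil state, so a request with no `state` parameter passes the new guard and `authorize_url` is built with `state: nil`. I would require a state, remember it in the session before redirecting, and have the callback (not part of this diff) compare the returned value with `session[:oauth_state]` before exchanging the code; `root_path` below assumes the app defines a root route. The rest of `UserSessionsController` lies outside the hunk.
```ruby
  def auth
    state = params[:state].presence || generate_oauth_state(root_path)
    unless is_oauth_state_valid?(state)
      redirect_to new_user_sessions_path
      return
    end
    # the callback must compare params[:state] against this before exchanging the code
    session[:oauth_state] = state

    redirect_to client.auth_code.authorize_url({
      redirect_uri: callback_user_sessions_url,
      state: state
    })
  end
```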
@@ -3,17 +3,18 @@ module UserSessionsHelper
     SecureRandom.hex(16)
   end

-  def generate_oauth_secret(salt, return_to)
+  def generate_oauth_hmac(salt, return_to)
     return unless return_to
-    message = GitlabCi::Application.config.secret_key_base + salt + return_to
-    Digest::SHA256.hexdigest message
+    digest = OpenSSL::Digest.new('sha256')
+    key = GitlabCi::Application.config.secret_key_base + salt
+    OpenSSL::HMAC.hexdigest(digest, key, return_to)
   end

   def generate_oauth_state(return_to)
     return unless return_to
     salt = generate_oauth_salt
-    secret = generate_oauth_secret(salt, return_to)
-    "#{salt}:#{secret}:#{return_to}"
+    hmac = generate_oauth_hmac(salt, return_to)
+    "#{salt}:#{hmac}:#{return_to}"
   end

   def get_ouath_state_return_to(state)
@@ -22,8 +23,8 @@ module UserSessionsHelper

   def is_oauth_state_valid?(state)
     return true unless state
-    salt, secret, return_to = state.split(':', 3)
+    salt, hmac, return_to = state.split(':', 3)
     return false unless return_to
-    secret == generate_oauth_secret(salt, return_to)
+    hmac == generate_oauth_hmac(salt, return_to)
   end
 end
diff --git a/app/views/projects/_public.html.haml b/app/views/projects/_public.html.haml
index 11eccbd..9662cc9 100644
--- a/app/views/projects/_public.html.haml
+++ b/app/views/projects/_public.html.haml
@@ -3,7 +3,7 @@
   Public projects

 .bs-callout
-  = link_to new_user_sessions_path(return_to: request.fullpath) do
+  = link_to new_user_sessions_path(state: generate_oauth_state(request.fullpath)) do
     %strong Login with GitLab
   to see your private projects

diff --git a/app/views/user_sessions/new.html.haml b/app/views/user_sessions/new.html.haml
index b457e93..c5be95b 100644
--- a/app/views/user_sessions/new.html.haml
+++ b/app/views/user_sessions/new.html.haml
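Review bot: In `generate_oauth_hmac` the salt, which on the verification path comes straight out of the untrusted `state` parameter, is appended to the HMAC key (`key = ... secret_key_base + salt`) rather than authenticated as part of the message. With a secret prefix this is not forgeable, but letting a caller choose part of the key is an odd construction and keys longer than the hash block size are silently re-hashed; the conventional shape keeps the key fixed and covers both fields: `OpenSSL::HMAC.hexdigest(digest, GitlabCi::Application.config.secret_key_base, "#{salt}:#{return_to}")`. Rails' `ActiveSupport::MessageVerifier.new(secret_key_base)` would also give signed, verifiable tokens without hand-rolled parsing. A one-line comment on the method, `# Authenticates a return_to path so the callback can trust it; salt makes each state unique`, would help the next reader.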
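Review bot: `hmac == generate_oauth_hmac(salt, return_to)` in `is_oauth_state_valid?` compares the attacker-supplied digest with `String#==`, which stops at the first differing byte, so the comparison leaks timing information about the expected HMAC. Since the whole point of the method is to reject forged states, use a constant-time comparison: `ActiveSupport::SecurityUtils.secure_compare(hmac, generate_oauth_hmac(salt, return_to))`, or `Rack::Utils.secure_compare` if the Rails version used here predates `SecurityUtils`. Note also that `state.split(':', 3)` can yield an empty `hmac` for input like `salt::path`; the comparison still fails, but a `return false if hmac.blank?` guard makes the intent explicit.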
@@ -4,5 +4,5 @@
   Make sure you have account on GitLab server
   = link_to GitlabCi.config.gitlab_server.url, GitlabCi.config.gitlab_server.url, no_turbolink
 %hr
-= link_to "Login with GitLab", auth_user_sessions_path(return_to: params[:return_to]), no_turbolink.merge( class: 'btn btn-login btn-success' )
+= link_to "Login with GitLab", auth_user_sessions_path(state: params[:state]), no_turbolink.merge( class: 'btn btn-login btn-success' )

|
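Review bot: The login button forwards `params[:state]` unchanged, so a user who opens the login page directly (no `state` in the URL) gets a link with no state at all, and the `auth` action lets that through because a nil state is treated as valid. Passing the raw parameter is otherwise fine since `auth` verifies the signature before using it, but the view could mint a default so every flow carries one: `auth_user_sessions_path(state: params[:state].presence || generate_oauth_state(root_path))`, assuming a root route exists. Whether the view helper is available here depends on the helper being loaded for this controller, which the diff does not show.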