Merge branch 'jej/group-saml-metadata-disabled' into 'master'

Prevent access to Group SAML metadata/SLO endpoints Closes #5900 See merge request gitlab-org/gitlab-ee!5765

Merge branch 'jej/group-saml-metadata-disabled' into 'master'
Prevent access to Group SAML metadata/SLO endpoints Closes #5900 See merge request gitlab-org/gitlab-ee!5765
2d577d1c · Nick Thomas · 1189ecfc · dab03e73 · 2d577d1c · 2d577d1c
Commit 2d577d1c authored May 22, 2018 by Nick Thomas
Showing with 38 additions and 2 deletions

ee/lib/omni_auth/strategies/group_saml.rb ee/lib/omni_auth/strategies/group_saml.rb +6 -0

ee/spec/lib/omni_auth/strategies/group_saml_spec.rb ee/spec/lib/omni_auth/strategies/group_saml_spec.rb +32 -2

No files found.
--- a/ee/lib/omni_auth/strategies/group_saml.rb
+++ b/ee/lib/omni_auth/strategies/group_saml.rb
@@ -21,6 +21,12 @@ module OmniAuth
        super
      end

+      # Prevent access to SLO and metadata endpoints
+      # These will need addtional work to securely support
+      def other_phase
+        call_app!
+      end
+
      def self.callback?(env)
        env['PATH_INFO'] =~ Gitlab::PathRegex.saml_callback_regex
      end

--- a/ee/spec/lib/omni_auth/strategies/group_saml_spec.rb
+++ b/ee/spec/lib/omni_auth/strategies/group_saml_spec.rb
@@ -60,7 +60,7 @@ describe OmniAuth::Strategies::GroupSaml, type: :strategy do
      end
    end

-    it 'returns 404 when if group is not found' do
+    it 'returns 404 when the group is not found' do
      expect do
        post "/groups/not-a-group/-/saml/callback", SAMLResponse: saml_response
      end.to raise_error(ActionController::RoutingError)
@@ -92,7 +92,7 @@ describe OmniAuth::Strategies::GroupSaml, type: :strategy do
      end.to raise_error(ActionController::RoutingError)
    end

-    it 'returns 404 when if group is not found' do
+    it 'returns 404 when the group is not found' do
      expect do
        post '/users/auth/group_saml', group_path: 'not-a-group'
      end.to raise_error(ActionController::RoutingError)
@@ -104,4 +104,34 @@ describe OmniAuth::Strategies::GroupSaml, type: :strategy do
      end.to raise_error(ActionController::RoutingError)
    end
  end
+
+  describe 'POST /users/auth/group_saml/metadata' do
+    it 'returns 404 when the group is not found' do
+      post '/users/auth/group_saml/metadata', group_path: 'not-a-group'
+
+      expect(last_response).to be_not_found
+    end
+
+    it 'returns 404 to avoid disclosing group existence' do
+      post '/users/auth/group_saml/metadata', group_path: 'my-group'
+
+      expect(last_response).to be_not_found
+    end
+  end
+
+  describe 'POST /users/auth/group_saml/slo' do
+    it 'returns 404 to avoid disclosing group existence' do
+      post '/users/auth/group_saml/slo', group_path: 'my-group'
+
+      expect(last_response).to be_not_found
+    end
+  end
+
+  describe 'POST /users/auth/group_saml/spslo' do
+    it 'returns 404 to avoid disclosing group existence' do
+      post '/users/auth/group_saml/spslo', group_path: 'my-group'
+
+      expect(last_response).to be_not_found
+    end
+  end
 end