better error handling

5a4ade92 · Gabriel Mazetto · 627a9a9c · 5a4ade92 · 5a4ade92 · 5a4ade92
Commit 5a4ade92 authored May 13, 2016 by Gabriel Mazetto
4 changed files
--- a/app/controllers/oauth/geo_auth_controller.rb
+++ b/app/controllers/oauth/geo_auth_controller.rb
@@ -37,7 +37,10 @@ class Oauth::GeoAuthController < ActionController::Base
    oauth = Gitlab::Geo::OauthSession.new(state: params[:state])
    token_string = oauth.extract_logout_token

-    access_token_error('invalid') unless token_string.is_utf8?
+    unless token_string && token_string.is_utf8?
+      access_token_error('invalid')
+    end
+
    access_token = Doorkeeper::AccessToken.by_token(token_string)
    access_token_status = Oauth2::AccessTokenValidationService.validate(access_token)

@@ -48,7 +51,7 @@ class Oauth::GeoAuthController < ActionController::Base
        sign_out current_user
      end
    else
-
+      access_token_error('invalid')
    end

    redirect_to root_path

--- a/app/models/geo_node.rb
+++ b/app/models/geo_node.rb
@@ -69,9 +69,9 @@ class GeoNode < ActiveRecord::Base
    URI.join(uri, "#{uri.path}/", 'oauth/geo/callback').to_s
  end

-  def oauth_logout_url(access_token)
+  def oauth_logout_url(state)
    logout_uri = URI.join(uri, "#{uri.path}/", 'oauth/geo/logout')
-    logout_uri.query = "state=#{access_token}"
+    logout_uri.query = "state=#{state}"
    logout_uri.to_s
  end


--- a/lib/gitlab/geo/oauth_session.rb
+++ b/lib/gitlab/geo/oauth_session.rb
@@ -36,6 +36,8 @@ module Gitlab
        salt, encrypted = state.split(':', 2)
        decipher = logout_token_cipher(salt, :decrypt)
        decipher.update(Base64.urlsafe_decode64(encrypted)) + decipher.final
+      rescue OpenSSL::OpenSSLError
+        return false
      end

      def get_oauth_state_return_to

--- a/spec/lib/gitlab/geo/oauth_session_spec.rb
+++ b/spec/lib/gitlab/geo/oauth_session_spec.rb
@@ -83,6 +83,13 @@ describe Gitlab::Geo::OauthSession do
      expect(subject.extract_logout_token).to be_nil
    end

+    it 'returns false when decryptation fails' do
+      subject.generate_logout_state
+      allow_any_instance_of(OpenSSL::Cipher::AES).to receive(:final) { raise OpenSSL::OpenSSLError }
+      
+      expect(subject.extract_logout_token).to be_falsey
+    end
+
    it 'encrypted access token is recoverable' do
      subject.generate_logout_state