Commit 8b02d58e authored by Rémy Coutable's avatar Rémy Coutable

Merge branch 'jej/avoid-csrf-check-on-saml-failure' into 'master'

Skip CSRF check on SAML failure endpoint

Closes #56574

See merge request gitlab-org/gitlab-ce!24509
parents 22caeb58 6548e01f
...@@ -4,7 +4,7 @@ class OmniauthCallbacksController < Devise::OmniauthCallbacksController ...@@ -4,7 +4,7 @@ class OmniauthCallbacksController < Devise::OmniauthCallbacksController
include AuthenticatesWithTwoFactor include AuthenticatesWithTwoFactor
include Devise::Controllers::Rememberable include Devise::Controllers::Rememberable
protect_from_forgery except: [:kerberos, :saml, :cas3], prepend: true protect_from_forgery except: [:kerberos, :saml, :cas3, :failure], with: :exception, prepend: true
def handle_omniauth def handle_omniauth
omniauth_flow(Gitlab::Auth::OAuth) omniauth_flow(Gitlab::Auth::OAuth)
......
---
title: Display SAML failure messages instead of expecting CSRF token
merge_request: 24509
author:
type: fixed
...@@ -45,6 +45,29 @@ describe OmniauthCallbacksController, type: :controller do ...@@ -45,6 +45,29 @@ describe OmniauthCallbacksController, type: :controller do
end end
end end
context 'when sign in fails' do
include RoutesHelpers
let(:extern_uid) { 'my-uid' }
let(:provider) { :saml }
def stub_route_as(path)
allow(@routes).to receive(:generate_extras) { [path, []] }
end
it 'it calls through to the failure handler' do
request.env['omniauth.error'] = OneLogin::RubySaml::ValidationError.new("Fingerprint mismatch")
request.env['omniauth.error.strategy'] = OmniAuth::Strategies::SAML.new(nil)
stub_route_as('/users/auth/saml/callback')
ForgeryProtection.with_forgery_protection do
post :failure
end
expect(flash[:alert]).to match(/Fingerprint mismatch/)
end
end
context 'when a redirect fragment is provided' do context 'when a redirect fragment is provided' do
let(:provider) { :jwt } let(:provider) { :jwt }
let(:extern_uid) { 'my-uid' } let(:extern_uid) { 'my-uid' }
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment