handle decription failures and make token validation more standard implementation

b3e53024 · Gabriel Mazetto · f6300b21 · b3e53024 · b3e53024 · b3e53024
Commit b3e53024 authored May 18, 2016 by Gabriel Mazetto
3 changed files
--- a/app/controllers/oauth/geo_auth_controller.rb
+++ b/app/controllers/oauth/geo_auth_controller.rb
@@ -15,14 +15,14 @@ class Oauth::GeoAuthController < ActionController::Base
  def callback
    oauth = Gitlab::Geo::OauthSession.new(state: params[:state])
    unless oauth.is_oauth_state_valid?
-      redirect_to new_user_sessions_path
+      redirect_to new_user_session_path
      return
    end

    token = oauth.get_token(params[:code], redirect_uri: oauth_geo_callback_url)
    remote_user = oauth.authenticate_with_gitlab(token)

-    user = User.find(remote_user['id'])
+    user = User.find_by(id: remote_user['id'])

    if user && sign_in(user, bypass: true)
      session[:access_token] = token
@@ -38,17 +38,22 @@ class Oauth::GeoAuthController < ActionController::Base
    token_string = oauth.extract_logout_token

    logout = Oauth2::LogoutTokenValidationService.new(current_user, token_string)
-    if logout.valid?
+    result = logout.validate
+    if result[:status] == :success
      sign_out current_user
+      redirect_to root_path
    else
-      access_token_error(logout.status)
+      access_token_error(result[:error])
    end
-
-    redirect_to root_path
  end

  private

+  def invalid_credentials
+    @error = 'Cannot find user to login. Your account must have been deleted.'
+    render :error, layout: 'errors'
+  end
+
  def undefined_oauth_application
    @error = 'There are no OAuth application defined for this Geo node. Please ask your administrator to visit "Geo Nodes" on admin screen and click on "Repair authentication".'
    render :error, layout: 'errors'

--- a/app/services/oauth2/logout_token_validation_service.rb
+++ b/app/services/oauth2/logout_token_validation_service.rb
 module Oauth2
-  class LogoutTokenValidationService
+  class LogoutTokenValidationService < ::BaseService
    attr_reader :status, :current_user

    def initialize(user, access_token_string)
@@ -10,16 +10,16 @@ module Oauth2
    def validate
      return false unless access_token

-      @status = Oauth2::AccessTokenValidationService.validate(access_token)
+      status = Oauth2::AccessTokenValidationService.validate(access_token)

-      if @status == Oauth2::AccessTokenValidationService::VALID
+      if status == Oauth2::AccessTokenValidationService::VALID
        user = User.find(access_token.resource_owner_id)

        if current_user == user
-          true
+          success
        end
      else
-        false
+        error(status)
      end
    end


--- a/lib/gitlab/geo/oauth_session.rb
+++ b/lib/gitlab/geo/oauth_session.rb
@@ -28,6 +28,8 @@ module Gitlab
        cipher = logout_token_cipher(oauth_salt, :encrypt)
        encrypted = cipher.update(access_token) + cipher.final
        self.state = "#{oauth_salt}:#{Base64.urlsafe_encode64(encrypted)}"
+      rescue OpenSSL::OpenSSLError
+        return false
      end

      def extract_logout_token