Merge branch 'jej/group-saml-skip-forgery-protection' into 'master'

Group SAML skips forgery protection in production See merge request gitlab-org/gitlab-ee!5621

Merge branch 'jej/group-saml-skip-forgery-protection' into 'master'
Group SAML skips forgery protection in production See merge request gitlab-org/gitlab-ee!5621
10fa143f · Douwe Maan · fab1c1bc · d7c88ee1 · 10fa143f · 10fa143f
Commit 10fa143f authored May 10, 2018 by Douwe Maan
4 changed files
--- a/ee/app/controllers/groups/omniauth_callbacks_controller.rb
+++ b/ee/app/controllers/groups/omniauth_callbacks_controller.rb
 class Groups::OmniauthCallbacksController < OmniauthCallbacksController
  extend ::Gitlab::Utils::Override

+  skip_before_filter :verify_authenticity_token, only: :group_saml
+
  def group_saml
    @unauthenticated_group = Group.find_by_full_path(params[:group_id])
    saml_provider = @unauthenticated_group.saml_provider

--- a/ee/changelogs/unreleased/jej-group-saml-skip-forgery-protection.yml
+++ b/ee/changelogs/unreleased/jej-group-saml-skip-forgery-protection.yml
+---
+title: Group SAML skips forgery protection in production
+merge_request: 5621
+author:
+type: fixed
--- a/ee/spec/controllers/groups/omniauth_callbacks_controller_spec.rb
+++ b/ee/spec/controllers/groups/omniauth_callbacks_controller_spec.rb
@@ -2,6 +2,7 @@ require 'spec_helper'

 describe Groups::OmniauthCallbacksController do
  include LoginHelpers
+  include ForgeryProtection

  let(:uid) { 'my-uid' }
  let(:user) { create(:user) }
@@ -56,6 +57,15 @@ describe Groups::OmniauthCallbacksController do
        it 'uses existing linked identity' do
          expect { post provider, group_id: group }.not_to change(linked_accounts, :count)
        end
+
+        it 'skips authenticity token based forgery protection' do
+          with_forgery_protection do
+            post provider, group_id: group
+
+            expect(response).not_to be_client_error
+            expect(response).not_to be_server_error
+          end
+        end
      end

      context 'oauth already linked to another account' do

--- a/spec/support/forgery_protection.rb
+++ b/spec/support/forgery_protection.rb
+module ForgeryProtection
+  def with_forgery_protection
+    ActionController::Base.allow_forgery_protection = true
+    yield
+  ensure
+    ActionController::Base.allow_forgery_protection = false
+  end
+
+  module_function :with_forgery_protection
+end
+
 RSpec.configure do |config|
  config.around(:each, :allow_forgery_protection) do |example|
-    begin
-      ActionController::Base.allow_forgery_protection = true
-
+    ForgeryProtection.with_forgery_protection do
      example.call
-    ensure
-      ActionController::Base.allow_forgery_protection = false
    end
  end
 end