Automatic merge of gitlab-org/gitlab-ce master

1233fa44 · GitLab Bot · 33fc50e1 · 8b02d58e · 1233fa44 · 1233fa44
Commit 1233fa44 authored Feb 05, 2019 by GitLab Bot
3 changed files
--- a/app/controllers/omniauth_callbacks_controller.rb
+++ b/app/controllers/omniauth_callbacks_controller.rb
@@ -4,7 +4,7 @@ class OmniauthCallbacksController < Devise::OmniauthCallbacksController
  include AuthenticatesWithTwoFactor
  include Devise::Controllers::Rememberable

-  protect_from_forgery except: [:kerberos, :saml, :cas3], prepend: true
+  protect_from_forgery except: [:kerberos, :saml, :cas3, :failure], with: :exception, prepend: true

  def handle_omniauth
    omniauth_flow(Gitlab::Auth::OAuth)

--- a/changelogs/unreleased/jej-avoid-csrf-check-on-saml-failure.yml
+++ b/changelogs/unreleased/jej-avoid-csrf-check-on-saml-failure.yml
+---
+title: Display SAML failure messages instead of expecting CSRF token
+merge_request: 24509
+author:
+type: fixed
--- a/spec/controllers/omniauth_callbacks_controller_spec.rb
+++ b/spec/controllers/omniauth_callbacks_controller_spec.rb
@@ -45,6 +45,29 @@ describe OmniauthCallbacksController, type: :controller do
      end
    end

+    context 'when sign in fails' do
+      include RoutesHelpers
+
+      let(:extern_uid) { 'my-uid' }
+      let(:provider) { :saml }
+
+      def stub_route_as(path)
+        allow(@routes).to receive(:generate_extras) { [path, []] }
+      end
+
+      it 'it calls through to the failure handler' do
+        request.env['omniauth.error'] = OneLogin::RubySaml::ValidationError.new("Fingerprint mismatch")
+        request.env['omniauth.error.strategy'] = OmniAuth::Strategies::SAML.new(nil)
+        stub_route_as('/users/auth/saml/callback')
+
+        ForgeryProtection.with_forgery_protection do
+          post :failure
+        end
+
+        expect(flash[:alert]).to match(/Fingerprint mismatch/)
+      end
+    end
+
    context 'when a redirect fragment is provided' do
      let(:provider) { :jwt }
      let(:extern_uid) { 'my-uid' }