Group SAML strips LRM chars from ADFS cert fingerprint

2fec9ba3 · James Edwards-Jones · 63b15013 · 2fec9ba3 · 2fec9ba3 · 2fec9ba3
Commit 2fec9ba3 authored Apr 23, 2018 by James Edwards-Jones
3 changed files
--- a/ee/app/models/saml_provider.rb
+++ b/ee/app/models/saml_provider.rb
@@ -21,6 +21,10 @@ class SamlProvider < ActiveRecord::Base
    NAME_IDENTIFIER_FORMAT
  end
+  def certificate_fingerprint=(value)
+    super(strip_left_to_right_chars(value))
+  end
  def settings
    {
      assertion_consumer_service_url: assertion_consumer_service_url,
@@ -44,4 +48,8 @@ class SamlProvider < ActiveRecord::Base
  def host
    @host ||= Gitlab.config.gitlab.url
  end
+  def strip_left_to_right_chars(input)
+    input&.gsub(/[\u200E]/, '')
+  end
 end
--- a/ee/changelogs/unreleased/jej-strip-lrm-for-adfs.yml
+++ b/ee/changelogs/unreleased/jej-strip-lrm-for-adfs.yml
+---
+title: Per-Group SAML (for GitLab.com) strips LRM chars from ADFS certificate fingerprints
+merge_request: 5466
+author:
+type: fixed
--- a/ee/spec/models/saml_provider_spec.rb
+++ b/ee/spec/models/saml_provider_spec.rb
@@ -29,6 +29,10 @@ describe SamlProvider do
      expect(subject).not_to allow_value(invalid_characters).for(:certificate_fingerprint)
    end
+    it 'strips left-to-right marks from certificate_fingerprint' do
+      expect(subject).to allow_value("\u200E00 00 30 ED C2 85 E0 1D 6B 5E A3 30 10 A7 9A DD 14 2F 50 04‎").for(:certificate_fingerprint)
+    end
    it 'requires group to be top-level' do
      group = create(:group)
      nested_group = create(:group, :nested)