Group SAML skips forgery protection in production

d7c88ee1 · James Edwards-Jones · 61bbab8a · d7c88ee1 · d7c88ee1 · d7c88ee1
Commit d7c88ee1 authored May 08, 2018 by James Edwards-Jones
4 changed files
--- a/ee/app/controllers/groups/omniauth_callbacks_controller.rb
+++ b/ee/app/controllers/groups/omniauth_callbacks_controller.rb
 class Groups::OmniauthCallbacksController < OmniauthCallbacksController
  extend ::Gitlab::Utils::Override

+  skip_before_filter :verify_authenticity_token, only: :group_saml
+
  def group_saml
    @unauthenticated_group = Group.find_by_full_path(params[:group_id])
    saml_provider = @unauthenticated_group.saml_provider

--- a/ee/changelogs/unreleased/jej-group-saml-skip-forgery-protection.yml
+++ b/ee/changelogs/unreleased/jej-group-saml-skip-forgery-protection.yml
+---
+title: Group SAML skips forgery protection in production
+merge_request: 5621
+author:
+type: fixed
--- a/ee/spec/controllers/groups/omniauth_callbacks_controller_spec.rb
+++ b/ee/spec/controllers/groups/omniauth_callbacks_controller_spec.rb
@@ -2,6 +2,7 @@ require 'spec_helper'

 describe Groups::OmniauthCallbacksController do
  include LoginHelpers
+  include ForgeryProtection

  let(:uid) { 'my-uid' }
  let(:user) { create(:user) }
@@ -56,6 +57,15 @@ describe Groups::OmniauthCallbacksController do
        it 'uses existing linked identity' do
          expect { post provider, group_id: group }.not_to change(linked_accounts, :count)
        end
+
+        it 'skips authenticity token based forgery protection' do
+          with_forgery_protection do
+            post provider, group_id: group
+
+            expect(response).not_to be_client_error
+            expect(response).not_to be_server_error
+          end
+        end
      end

      context 'oauth already linked to another account' do

--- a/spec/support/forgery_protection.rb
+++ b/spec/support/forgery_protection.rb
-RSpec.configure do |config|
-  config.around(:each, :allow_forgery_protection) do |example|
-    begin
+module ForgeryProtection
+  def with_forgery_protection
    ActionController::Base.allow_forgery_protection = true
-
-      example.call
+    yield
  ensure
    ActionController::Base.allow_forgery_protection = false
  end
+
+  module_function :with_forgery_protection
+end
+
+RSpec.configure do |config|
+  config.around(:each, :allow_forgery_protection) do |example|
+    ForgeryProtection.with_forgery_protection do
+      example.call
+    end
  end
 end