FIX: Better error when SSO fails due to blank secret (#7946)

* FIX: Better error when SSO fails due to blank secret * Update spec/requests/session_controller_spec.rb Co-Authored-By: Robin Ward <robin.ward@gmail.com>
2019-07-26 17:37:23 +03:00 · 2019-07-26 17:37:23 +03:00 · 525920a979
parent fe7f0982af
commit 525920a979
4 changed files with 23 additions and 1 deletions
--- a/app/controllers/session_controller.rb
+++ b/app/controllers/session_controller.rb
@ -49,7 +49,12 @@ class SessionController < ApplicationController
    payload ||= request.query_string

    if SiteSetting.enable_sso_provider
-      sso = SingleSignOnProvider.parse(payload)
+      begin
+        sso = SingleSignOnProvider.parse(payload)
+      rescue SingleSignOnProvider::BlankSecret
+        render plain: I18n.t("sso.missing_secret"), status: 400
+        return
+      end

      if sso.return_sso_url.blank?
        render plain: "return_sso_url is blank, it must be provided", status: 400
--- a/config/locales/server.en.yml
+++ b/config/locales/server.en.yml
@ -2120,6 +2120,7 @@ en:
    timeout_expired: "Account login timed out, please try logging in again."
    no_email: "No email address was provided. Please contact the site's administrator."
    email_error: "An account could not be registered with the email address <b>%{email}</b>. Please contact the site's administrator."
+    missing_secret: "SSO authentication failed due to missing secret. Contact the site administrators to fix this problem."

  original_poster: "Original Poster"
  most_posts: "Most Posts"
--- a/lib/single_sign_on_provider.rb
+++ b/lib/single_sign_on_provider.rb
@ -3,9 +3,15 @@
 require_dependency 'single_sign_on'

 class SingleSignOnProvider < SingleSignOn
+  class BlankSecret < RuntimeError; end

  def self.parse(payload, sso_secret = nil)
    set_return_sso_url(payload)
+    if sso_secret.blank? && self.sso_secret.blank?
+      host = URI.parse(@return_sso_url).host
+      Rails.logger.warn("SSO failed; website #{host} is not in the `sso_provider_secrets` site settings")
+      raise BlankSecret
+    end

    super
  end
--- a/spec/requests/session_controller_spec.rb
+++ b/spec/requests/session_controller_spec.rb
@ -816,6 +816,16 @@ RSpec.describe SessionController do
        expect(response.status).to eq(500)
      end

+      it "fails with a nice error message if secret is blank" do
+        SiteSetting.sso_provider_secrets = ""
+        sso = SingleSignOnProvider.new
+        sso.nonce = "mynonce"
+        sso.return_sso_url = "http://website.without.secret.com/sso"
+        get "/session/sso_provider", params: Rack::Utils.parse_query(sso.payload("aasdasdasd"))
+        expect(response.status).to eq(400)
+        expect(response.body).to eq(I18n.t("sso.missing_secret"))
+      end
+
      it "successfully redirects user to return_sso_url when the user is logged in" do
        sign_in(@user)