SECURITY: Do not allow authentication with disabled plugin-supplied a… (#6071)

Do not allow authentication with disabled plugin-supplied auth providers
David Taylor 2018-07-09 05:25:58 +01:00 committed by Sam
parent 849b4b5685
commit 6f25421a06
3 changed files with 43 additions and 2 deletions


@ -93,16 +93,19 @@ class Users::OmniauthCallbacksController < ApplicationController
def self.find_authenticator(name)
BUILTIN_AUTH.each do |authenticator|
if authenticator.name == name
raise Discourse::InvalidAccess.new("provider is not enabled") unless SiteSetting.send("enable_#{name}_logins?")
raise Discourse::InvalidAccess.new(I18n.t("provider_not_enabled")) unless SiteSetting.send("enable_#{name}_logins?")
return authenticator
end
end
Discourse.auth_providers.each do |provider|
unless provider.enabled_setting.nil? || SiteSetting.send(provider.enabled_setting)
raise Discourse::InvalidAccess.new(I18n.t("provider_not_enabled"))
end
return provider.authenticator if provider.name == name
end
raise Discourse::InvalidAccess.new("provider is not found")
raise Discourse::InvalidAccess.new(I18n.t("provider_not_found"))
end
protected
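Review bot: The enabled check added at the top of the `Discourse.auth_providers` loop runs before the `provider.name == name` comparison, so a disabled plugin provider that happens to be iterated ahead of the requested one raises `provider_not_enabled` even though the requested provider is enabled; with more than one plugin registered the outcome depends on registration order. Restrict the check to the matching provider: put `next unless provider.name == name` as the first statement of the loop body, keep the `unless ... raise` block, and replace the conditional return with a plain `return provider.authenticator`. The builtin branch is unaffected because its check is already inside the `if authenticator.name == name` arm. The new spec registers only a single provider, so this ordering case is currently untested.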


@ -198,6 +198,8 @@ en:
not_found: "The requested URL or resource could not be found."
invalid_access: "You are not permitted to view the requested resource."
invalid_api_credentials: "You are not permitted to view the requested resource. The API username or key is invalid."
provider_not_enabled: "You are not permitted to view the requested resource. The authentication provider is not enabled."
provider_not_found: "You are not permitted to view the requested resource. The authentication provider does not exist."
read_only_mode_enabled: "The site is in read only mode. Interactions are disabled."
reading_time: "Reading time"


@ -33,6 +33,42 @@ RSpec.describe Users::OmniauthCallbacksController do
expect(Users::OmniauthCallbacksController.find_authenticator("twitter"))
.not_to eq(nil)
end
context "with a plugin-contributed auth provider" do
let :provider do
provider = Plugin::AuthProvider.new
provider.authenticator = Auth::OpenIdAuthenticator.new('ubuntu', 'https://login.ubuntu.com', trusted: true)
provider.enabled_setting = "ubuntu_login_enabled"
provider
end
before do
Discourse.stubs(:auth_providers).returns [provider]
end
it "finds an authenticator when enabled" do
SiteSetting.stubs(:ubuntu_login_enabled).returns(true)
expect(Users::OmniauthCallbacksController.find_authenticator("ubuntu"))
.to be(provider.authenticator)
end
it "fails if an authenticator is disabled" do
SiteSetting.stubs(:ubuntu_login_enabled).returns(false)
expect { Users::OmniauthCallbacksController.find_authenticator("ubuntu") }
.to raise_error(Discourse::InvalidAccess)
end
it "succeeds if an authenticator does not have a site setting" do
provider.enabled_setting = nil
SiteSetting.stubs(:ubuntu_login_enabled).returns(false)
expect(Users::OmniauthCallbacksController.find_authenticator("ubuntu"))
.to be(provider.authenticator)
end
end
end
context 'Google Oauth2' do
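Review bot: The new "with a plugin-contributed auth provider" context only ever stubs `Discourse.auth_providers` with one entry, so nothing checks what `find_authenticator` does when a disabled provider and the requested enabled provider are both registered, which is the situation the enabled check in the controller has to get right. Add an example that registers a second, disabled provider ahead of `provider` and still expects the enabled one to be returned; the second provider below is a constructed fixture built the same way as the existing `let`.

```ruby
it "does not reject an enabled provider because another provider is disabled" do
  other = Plugin::AuthProvider.new
  other.authenticator = Auth::OpenIdAuthenticator.new('other', 'https://other.example.invalid', trusted: true)
  other.enabled_setting = "other_login_enabled"
  Discourse.stubs(:auth_providers).returns [other, provider]
  SiteSetting.stubs(:other_login_enabled).returns(false)
  SiteSetting.stubs(:ubuntu_login_enabled).returns(true)
  expect(Users::OmniauthCallbacksController.find_authenticator("ubuntu"))
    .to be(provider.authenticator)
end
```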