FIX: SSO provider secrets - check wildcard domains last, toggle secrets visibility

2018-10-15 12:57:45 +02:00 · 2018-10-15 12:57:45 +02:00 · c104256991
parent f6eff38c0e
commit c104256991
5 changed files with 7 additions and 4 deletions
--- a/app/assets/javascripts/admin/templates/components/secret-value-list.hbs
+++ b/app/assets/javascripts/admin/templates/components/secret-value-list.hbs
@ -7,7 +7,7 @@
                   icon="times"
                   class="remove-value-btn btn-small"}}
        {{input value=value.key class="value-input" focus-out=(action "changeKey" index)}}
-        {{input value=value.secret class="value-input" focus-out=(action "changeSecret" index) type="password"}}
+        {{input value=value.secret class="value-input" focus-out=(action "changeSecret" index) type=(if isSecret "password" "text")}}
      </div>
    {{/each}}
  </div>
--- a/app/assets/javascripts/admin/templates/components/site-settings/secret-list.hbs
+++ b/app/assets/javascripts/admin/templates/components/site-settings/secret-list.hbs
@ -1,3 +1,3 @@
-{{secret-value-list setting=setting values=value}}
+{{secret-value-list setting=setting values=value isSecret=isSecret}}
 {{setting-validation-message message=validationMessage}}
 <div class='desc'>{{{unbound setting.description}}}</div>
--- a/config/site_settings.yml
+++ b/config/site_settings.yml
@ -345,6 +345,7 @@ login:
    default: ''
    type: list
    list_type: secret
+    secret: true
    placeholder:
      key: "sso_provider.key_placeholder"
      value: "sso_provider.value_placeholder"
--- a/lib/single_sign_on.rb
+++ b/lib/single_sign_on.rb
@ -92,8 +92,10 @@ class SingleSignOn
    provider_secrets = SiteSetting.sso_provider_secrets.split(/[\|,\n]/)
    provider_secrets_hash = Hash[*provider_secrets]
    return_url_host = URI.parse(return_sso_url).host
+    # moves wildcard domains to the end of hash
+    sorted_secrets = provider_secrets_hash.sort_by { |k, _| k }.reverse.to_h

-    secret = provider_secrets_hash.select do |domain, _|
+    secret = sorted_secrets.select do |domain, _|
      WildcardDomainChecker.check_domain(domain, return_url_host)
    end
    secret.present? ? secret.values.first : nil
--- a/spec/requests/session_controller_spec.rb
+++ b/spec/requests/session_controller_spec.rb
@ -589,7 +589,7 @@ RSpec.describe SessionController do
        SiteSetting.enable_sso_provider = true
        SiteSetting.enable_sso = false
        SiteSetting.enable_local_logins = true
-        SiteSetting.sso_provider_secrets = "www.random.site|secretForRandomSite\nsomewhere.over.rainbow|secretForOverRainbow"
+        SiteSetting.sso_provider_secrets = "*|secretforAll\n*.rainbow|wrongSecretForOverRainbow\nwww.random.site|secretForRandomSite\nsomewhere.over.rainbow|secretForOverRainbow"

        @sso = SingleSignOn.new
        @sso.nonce = "mynonce"