From 3692e9f8a23386c627942ca2a9edd8c00af7e904 Mon Sep 17 00:00:00 2001 From: Sebastian Arcila Valenzuela Date: Mon, 19 Aug 2019 15:19:19 +0200 Subject: Validate that SAML requests are originated from gitlab If the request wasn't initiated by gitlab we shouldn't add the new identity to the user, and instead show that we weren't able to link the identity to the user. This should fix: https://gitlab.com/gitlab-org/gitlab-ce/issues/56509 --- app/controllers/omniauth_callbacks_controller.rb | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) (limited to 'app/controllers/omniauth_callbacks_controller.rb') diff --git a/app/controllers/omniauth_callbacks_controller.rb b/app/controllers/omniauth_callbacks_controller.rb index ee2cf47d5cb..755ce3463c4 100644 --- a/app/controllers/omniauth_callbacks_controller.rb +++ b/app/controllers/omniauth_callbacks_controller.rb @@ -40,6 +40,8 @@ class OmniauthCallbacksController < Devise::OmniauthCallbacksController def saml omniauth_flow(Gitlab::Auth::Saml) + rescue Gitlab::Auth::Saml::IdentityLinker::UnverifiedRequest + redirect_unverified_saml_initiation end def omniauth_error @@ -92,8 +94,7 @@ class OmniauthCallbacksController < Devise::OmniauthCallbacksController return render_403 unless link_provider_allowed?(oauth['provider']) log_audit_event(current_user, with: oauth['provider']) - - identity_linker ||= auth_module::IdentityLinker.new(current_user, oauth) + identity_linker ||= auth_module::IdentityLinker.new(current_user, oauth, session) link_identity(identity_linker) @@ -194,6 +195,10 @@ class OmniauthCallbacksController < Devise::OmniauthCallbacksController redirect_to new_user_session_path end + def redirect_unverified_saml_initiation + redirect_to profile_account_path, notice: _('Request to link SAML account must be authorized') + end + def handle_disabled_provider label = Gitlab::Auth::OAuth::Provider.label_for(oauth['provider']) flash[:alert] = _("Signing in using %{label} has been disabled") % { label: label } -- cgit v1.2.3