Whitelist the login fallback by default for SSO

This commit is contained in:
Brendan Abolivier 2020-03-26 18:58:58 +01:00
parent 88bb6c27e1
commit c2ab0b3066
No known key found for this signature in database
GPG Key ID: 1E015C145F1916CD
2 changed files with 28 additions and 2 deletions

View File

@ -39,6 +39,17 @@ class SSOConfig(Config):
self.sso_client_whitelist = sso_config.get("client_whitelist") or [] self.sso_client_whitelist = sso_config.get("client_whitelist") or []
# Attempt to also whitelist the server's login fallback, since that fallback sets
# the redirect URL to itself (so it can process the login token then return
# gracefully to the client). This would make it pointless to ask the user for
# confirmation, since the URL the confirmation page would be showing wouldn't be
# the client's.
# public_baseurl is an optional setting, so we only add the fallback's URL to the
# list if it's provided (because we can't figure out what that URL is otherwise).
if self.public_baseurl:
login_fallback_url = self.public_baseurl + "_matrix/static/client/login"
self.sso_client_whitelist.append(login_fallback_url)
def generate_config_section(self, **kwargs): def generate_config_section(self, **kwargs):
return """\ return """\
# Additional settings to use with single-sign on systems such as SAML2 and CAS. # Additional settings to use with single-sign on systems such as SAML2 and CAS.
@ -54,7 +65,11 @@ class SSOConfig(Config):
# phishing attacks from evil.site. To avoid this, include a slash after the # phishing attacks from evil.site. To avoid this, include a slash after the
# hostname: "https://my.client/". # hostname: "https://my.client/".
# #
# By default, this list is empty. # If public_baseurl is set, then the login fallback page (used by clients
# that don't have full support for SSO) is always included in this list.
#
# By default, this list is empty, except if public_baseurl is set (in which
# case the login fallback page is the only element in the list).
# #
#client_whitelist: #client_whitelist:
# - https://riot.im/develop # - https://riot.im/develop

View File

@ -350,7 +350,18 @@ class CASRedirectConfirmTestCase(unittest.HomeserverTestCase):
def test_cas_redirect_whitelisted(self): def test_cas_redirect_whitelisted(self):
"""Tests that the SSO login flow serves a redirect to a whitelisted url """Tests that the SSO login flow serves a redirect to a whitelisted url
""" """
redirect_url = "https://legit-site.com/" self._test_redirect("https://legit-site.com/")
@override_config(
{
"public_baseurl": "https://example.com"
}
)
def test_cas_redirect_login_fallback(self):
self._test_redirect("https://example.com/_matrix/static/client/login")
def _test_redirect(self, redirect_url):
"""Tests that the SSO login flow serves a redirect for the given redirect URL."""
cas_ticket_url = ( cas_ticket_url = (
"/_matrix/client/r0/login/cas/ticket?redirectUrl=%s&ticket=ticket" "/_matrix/client/r0/login/cas/ticket?redirectUrl=%s&ticket=ticket"
% (urllib.parse.quote(redirect_url)) % (urllib.parse.quote(redirect_url))