From a04ae162014650cb3bc467a508f2a4c4676b67c8 Mon Sep 17 00:00:00 2001 From: Claire Date: Wed, 13 Sep 2023 19:54:04 +0200 Subject: [PATCH] Fix CSP when using `ONE_CLICK_SSO_LOGIN` (#26901) --- .rubocop_todo.yml | 8 ++++---- config/initializers/{omniauth.rb => 3_omniauth.rb} | 4 ++++ config/initializers/content_security_policy.rb | 14 ++++++++------ 3 files changed, 16 insertions(+), 10 deletions(-) rename config/initializers/{omniauth.rb => 3_omniauth.rb} (97%) diff --git a/.rubocop_todo.yml b/.rubocop_todo.yml index 945d7514a..adfd47689 100644 --- a/.rubocop_todo.yml +++ b/.rubocop_todo.yml @@ -37,7 +37,7 @@ Layout/HashAlignment: Layout/LeadingCommentSpace: Exclude: - 'config/application.rb' - - 'config/initializers/omniauth.rb' + - 'config/initializers/3_omniauth.rb' # This cop supports safe autocorrection (--autocorrect). # Configuration parameters: Max, AllowHeredoc, AllowURI, URISchemes, IgnoreCopDirectives, AllowedPatterns. @@ -86,7 +86,7 @@ Lint/UnusedBlockArgument: Lint/UselessAssignment: Exclude: - 'app/services/activitypub/process_status_update_service.rb' - - 'config/initializers/omniauth.rb' + - 'config/initializers/3_omniauth.rb' - 'db/migrate/20190511134027_add_silenced_at_suspended_at_to_accounts.rb' - 'db/post_migrate/20190511152737_remove_suspended_silenced_account_fields.rb' - 'spec/controllers/api/v1/favourites_controller_spec.rb' @@ -573,11 +573,11 @@ Style/FetchEnvVar: - 'config/environments/development.rb' - 'config/environments/production.rb' - 'config/initializers/2_limited_federation_mode.rb' + - 'config/initializers/3_omniauth.rb' - 'config/initializers/blacklists.rb' - 'config/initializers/cache_buster.rb' - 'config/initializers/content_security_policy.rb' - 'config/initializers/devise.rb' - - 'config/initializers/omniauth.rb' - 'config/initializers/paperclip.rb' - 'config/initializers/vapid.rb' - 'lib/mastodon/premailer_webpack_strategy.rb' @@ -811,7 +811,7 @@ Style/StringLiterals: # AllowedMethods: define_method, mail, respond_to Style/SymbolProc: Exclude: - - 'config/initializers/omniauth.rb' + - 'config/initializers/3_omniauth.rb' # This cop supports safe autocorrection (--autocorrect). # Configuration parameters: EnforcedStyle, AllowSafeAssignment. diff --git a/config/initializers/omniauth.rb b/config/initializers/3_omniauth.rb similarity index 97% rename from config/initializers/omniauth.rb rename to config/initializers/3_omniauth.rb index 0f968bd66..7520f09e5 100644 --- a/config/initializers/omniauth.rb +++ b/config/initializers/3_omniauth.rb @@ -1,5 +1,9 @@ # frozen_string_literal: true +# OmniAuth providers need to be initialized before the CSP initializer +# in `config/initializers/content_security_policy.rb`, which sets the +# `form-action` directive based on them. + Rails.application.config.middleware.use OmniAuth::Builder do # Vanilla omniauth strategies end diff --git a/config/initializers/content_security_policy.rb b/config/initializers/content_security_policy.rb index 5b32ee49b..6ce84a6e4 100644 --- a/config/initializers/content_security_policy.rb +++ b/config/initializers/content_security_policy.rb @@ -26,12 +26,14 @@ def sso_host provider = Devise.omniauth_configs[Devise.omniauth_providers[0]] @sso_host ||= begin - # using CAS - provider.cas_url if ENV['CAS_ENABLED'] == 'true' - # using SAML - provider.options[:idp_sso_target_url] if ENV['SAML_ENABLED'] == 'true' - # or using OIDC - ENV['OIDC_AUTH_ENDPOINT'] || (OpenIDConnect::Discovery::Provider::Config.discover!(ENV['OIDC_ISSUER']).authorization_endpoint if ENV['OIDC_ENABLED'] == 'true') + case provider.provider + when :cas + provider.cas_url + when :saml + provider.options[:idp_sso_target_url] + when :openid_connect + provider.options.dig(:client_options, :authorization_endpoint) || OpenIDConnect::Discovery::Provider::Config.discover!(provider.options[:issuer]).authorization_endpoint + end end end