From 9a70cac9debf31e9cc379b6a67d793346c978a76 Mon Sep 17 00:00:00 2001
From: CSDUMMI <31551856+CSDUMMI@users.noreply.github.com>
Date: Tue, 12 Sep 2023 13:04:51 +0200
Subject: [PATCH] Fix #26849 by adding the domain of the current SSO provider to the form-action CSP (#26857)
---
.../concerns/web_app_controller_concern.rb | 2 +-
app/serializers/initial_state_serializer.rb | 2 +-
.../initializers/content_security_policy.rb | 24 ++++++++++++++++++-
3 files changed, 25 insertions(+), 3 deletions(-)

diff --git a/app/controllers/concerns/web_app_controller_concern.rb b/app/controllers/concerns/web_app_controller_concern.rb
index 3a40ea38236..273d7344caa 100644
--- a/app/controllers/concerns/web_app_controller_concern.rb
+++ b/app/controllers/concerns/web_app_controller_concern.rb
@@ -11,7 +11,7 @@ module WebAppControllerConcern
end

def skip_csrf_meta_tags?
-    !(ENV['OMNIAUTH_ONLY'] == 'true' && Devise.omniauth_providers.length == 1) && current_user.nil?
+    !(ENV['ONE_CLICK_SSO_LOGIN'] == 'true' && ENV['OMNIAUTH_ONLY'] == 'true' && Devise.omniauth_providers.length == 1) && current_user.nil?
end

def set_app_body_class
diff --git a/app/serializers/initial_state_serializer.rb b/app/serializers/initial_state_serializer.rb
index 56d45c588e2..b707d6fcb6a 100644
--- a/app/serializers/initial_state_serializer.rb
+++ b/app/serializers/initial_state_serializer.rb
@@ -113,6 +113,6 @@ class InitialStateSerializer < ActiveModel::Serializer
end

def sso_redirect
-    "/auth/auth/#{Devise.omniauth_providers[0]}" if ENV['OMNIAUTH_ONLY'] == 'true' && Devise.omniauth_providers.length == 1
+    "/auth/auth/#{Devise.omniauth_providers[0]}" if ENV['ONE_CLICK_SSO_LOGIN'] == 'true' && ENV['OMNIAUTH_ONLY'] == 'true' && Devise.omniauth_providers.length == 1
end
end
diff --git a/config/initializers/content_security_policy.rb b/config/initializers/content_security_policy.rb
index 59ac3bdea26..5b32ee49b3a 100644
--- a/config/initializers/content_security_policy.rb
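Review bot: The guard `ENV['ONE_CLICK_SSO_LOGIN'] == 'true' && ENV['OMNIAUTH_ONLY'] == 'true' && Devise.omniauth_providers.length == 1` now appears verbatim in `skip_csrf_meta_tags?`, in `InitialStateSerializer#sso_redirect` and in the new `sso_host` in `config/initializers/content_security_policy.rb`, and the three must stay in lock step: this copy omits the CSRF meta tags, the second tells the web client where to redirect, and the third decides which host the CSP `form-action` allows. If one copy drifts (say a further flag is added to only two of them), the client could be sent to the provider while the CSP still blocks the post, or the CSRF meta tags could be dropped on a page that still renders an ordinary login form. A single predicate in one place reachable from the concern, the serializer and the initializer, e.g. `def one_click_sso_login? = ENV['ONE_CLICK_SSO_LOGIN'] == 'true' && ENV['OMNIAUTH_ONLY'] == 'true' && Devise.omniauth_providers.length == 1` (or the plain `def … end` form if endless methods are not used in this codebase), would remove the duplication. `skip_csrf_meta_tags?` is fully visible in this hunk.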
+++ b/config/initializers/content_security_policy.rb
@@ -19,6 +19,22 @@ media_host ||= host_to_url(ENV['AZURE_ALIAS_HOST'])
media_host ||= host_to_url(ENV['S3_HOSTNAME']) if ENV['S3_ENABLED'] == 'true'
media_host ||= assets_host

+def sso_host
+ return unless ENV['ONE_CLICK_SSO_LOGIN'] == 'true'
+ return unless ENV['OMNIAUTH_ONLY'] == 'true'
+ return unless Devise.omniauth_providers.length == 1
+
+ provider = Devise.omniauth_configs[Devise.omniauth_providers[0]]
+ @sso_host ||= begin
+ # using CAS
+ provider.cas_url if ENV['CAS_ENABLED'] == 'true'
+ # using SAML
+ provider.options[:idp_sso_target_url] if ENV['SAML_ENABLED'] == 'true'
+ # or using OIDC
+ ENV['OIDC_AUTH_ENDPOINT'] || (OpenIDConnect::Discovery::Provider::Config.discover!(ENV['OIDC_ISSUER']).authorization_endpoint if ENV['OIDC_ENABLED'] == 'true')
+ end
+end
+
Rails.application.config.content_security_policy do |p|
p.base_uri :none
p.default_src :none
@@ -29,7 +45,13 @@ Rails.application.config.content_security_policy do |p|
p.media_src :self, :https, :data, assets_host
p.frame_src :self, :https
p.manifest_src :self, assets_host
- p.form_action :self
+
+ if sso_host.present?
+ p.form_action :self, sso_host
+ else
+ p.form_action :self
+ end
+
p.child_src :self, :blob, assets_host
p.worker_src :self, :blob, assets_host
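Review bot: The `@sso_host ||= begin … end` block in `sso_host` evaluates to its last expression only, so the CAS value (`provider.cas_url if ENV['CAS_ENABLED'] == 'true'`) and the SAML value (`provider.options[:idp_sso_target_url] if ENV['SAML_ENABLED'] == 'true'`) are computed and then thrown away, and for those deployments the method returns `ENV['OIDC_AUTH_ENDPOINT'] || (… if ENV['OIDC_ENABLED'] == 'true')`, which is nil unless an OIDC override happens to be set, leaving `form_action :self` unchanged for the CAS and SAML cases the commit is meant to fix. Choosing the endpoint with an `if`/`elsif` chain, as below, makes each branch the value that is memoized. Note too that `OpenIDConnect::Discovery::Provider::Config.discover!` is a network call; if the policy block below evaluates `sso_host` at boot, an unreachable issuer raises out of the initializer, so logging and falling back to `:self` may be preferable to a failed boot, and the `ENV['OIDC_AUTH_ENDPOINT']` override already exists to skip the lookup. Finally, a `form-action` source that carries a path matches that path only, so a provider whose endpoint redirects to another path on the same origin would still be blocked; allowing just `scheme://host` (rebuilt via `URI.parse`) is worth weighing against the wider allow-list it implies.
```ruby
def sso_host
  # … unchanged: the three guard clauses …
  provider = Devise.omniauth_configs[Devise.omniauth_providers[0]]
  @sso_host ||= if ENV['CAS_ENABLED'] == 'true'
                  provider.cas_url
                elsif ENV['SAML_ENABLED'] == 'true'
                  provider.options[:idp_sso_target_url]
                else
                  ENV['OIDC_AUTH_ENDPOINT'] || (OpenIDConnect::Discovery::Provider::Config.discover!(ENV['OIDC_ISSUER']).authorization_endpoint if ENV['OIDC_ENABLED'] == 'true')
                end
```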