Always whitelist the login fallback for SSO #7153

merged 5 commits into from
Mar 27, 2020
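--- a/changelog.d/7153.feature
+++ b/changelog.d/7153.feature
@@ -0,0 +1 @@
+Always whitelist the login fallback in the SSO configuration if `public_baseurl` is set.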
6 changes: 5 additions & 1 deletion docs/sample_config.yaml
Expand Up @@ -1392,7 +1392,11 @@ sso:
# phishing attacks from evil.site. To avoid this, include a slash after the
# hostname: "https://my.client/".
#
# By default, this list is empty.
# If public_baseurl is set, then the login fallback page (used by clients
# that don't have full support for SSO) is always included in this list.
#
# By default, this list is empty, except if public_baseurl is set (in which
# case the login fallback page is the only element in the list).
#
#client_whitelist:
# - https://riot.im/develop
17 changes: 16 additions & 1 deletion synapse/config/sso.py
Expand Up @@ -39,6 +39,17 @@ def read_config(self, config, **kwargs):

self.sso_client_whitelist = sso_config.get("client_whitelist") or []

# Attempt to also whitelist the server's login fallback, since that fallback sets
# the redirect URL to itself (so it can process the login token then return
# gracefully to the client). This would make it pointless to ask the user for
# confirmation, since the URL the confirmation page would be showing wouldn't be
# the client's.
# public_baseurl is an optional setting, so we only add the fallback's URL to the
# list if it's provided (because we can't figure out what that URL is otherwise).
if self.public_baseurl:
login_fallback_url = self.public_baseurl + "_matrix/static/client/login"
self.sso_client_whitelist.append(login_fallback_url)

def generate_config_section(self, **kwargs):
return """\
# Additional settings to use with single-sign on systems such as SAML2 and CAS.
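Review bot: The plain concatenation `login_fallback_url = self.public_baseurl + "_matrix/static/client/login"` only produces the fallback's real URL if `public_baseurl` ends with a slash; the new test overrides it with `https://example.com` and expects `https://example.com/_matrix/static/client/login`, so a trailing slash is presumably normalised elsewhere in the server config, but nothing in this hunk states that. If that invariant ever breaks, the entry silently stops matching the fallback and users are sent back to the confirmation page, which is exactly what this change is meant to avoid. Either make the join independent of it, `login_fallback_url = self.public_baseurl.rstrip("/") + "/_matrix/static/client/login"`, or record the assumption above the `if`: `# public_baseurl is normalised to end with "/" by the server config, so a plain concatenation yields the fallback's same-origin URL.` Note also that `.append` mutates the list object returned by `sso_config.get("client_whitelist")` rather than a copy; harmless here, but worth a word since the same parsed config may be read elsewhere.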
Expand All @@ -54,7 +65,11 @@ def generate_config_section(self, **kwargs):
# phishing attacks from evil.site. To avoid this, include a slash after the
# hostname: "https://my.client/".
#
# By default, this list is empty.
# If public_baseurl is set, then the login fallback page (used by clients
# that don't have full support for SSO) is always included in this list.
#
# By default, this list is empty, except if public_baseurl is set (in which
# case the login fallback page is the only element in the list).
#
#client_whitelist:
# - https://riot.im/develop
9 changes: 8 additions & 1 deletion tests/rest/client/v1/test_login.py
Expand Up @@ -350,7 +350,14 @@ def test_cas_redirect_confirm(self):
def test_cas_redirect_whitelisted(self):
"""Tests that the SSO login flow serves a redirect to a whitelisted url
"""
redirect_url = "https://legit-site.com/"
self._test_redirect("https://legit-site.com/")

@override_config({"public_baseurl": "https://example.com"})
def test_cas_redirect_login_fallback(self):
self._test_redirect("https://example.com/_matrix/static/client/login")

def _test_redirect(self, redirect_url):
"""Tests that the SSO login flow serves a redirect for the given redirect URL."""
cas_ticket_url = (
"/_matrix/client/r0/login/cas/ticket?redirectUrl=%s&ticket=ticket"
% (urllib.parse.quote(redirect_url))
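Review bot: `test_cas_redirect_login_fallback` is the only test in this hunk without a docstring, while its siblings `test_cas_redirect_whitelisted` and `_test_redirect` both carry one; add `"""Tests that the SSO login flow serves a redirect to the login fallback page when public_baseurl is set, since that page is whitelisted implicitly."""`. The override sets `public_baseurl` to `https://example.com` without a trailing slash and expects a slash in the redirect URL, so this case implicitly pins the normalisation of `public_baseurl`; a second override with `"https://example.com/"` would pin both spellings at no real cost. `_test_redirect`'s body continues past the end of the hunk.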