Fix CSP when using `ONE_CLICK_SSO_LOGIN` (#26901)
parent
921c6fe654
commit
a04ae16201
|
@ -37,7 +37,7 @@ Layout/HashAlignment:
|
||||||
Layout/LeadingCommentSpace:
|
Layout/LeadingCommentSpace:
|
||||||
Exclude:
|
Exclude:
|
||||||
- 'config/application.rb'
|
- 'config/application.rb'
|
||||||
- 'config/initializers/omniauth.rb'
|
- 'config/initializers/3_omniauth.rb'
|
||||||
|
|
||||||
# This cop supports safe autocorrection (--autocorrect).
|
# This cop supports safe autocorrection (--autocorrect).
|
||||||
# Configuration parameters: Max, AllowHeredoc, AllowURI, URISchemes, IgnoreCopDirectives, AllowedPatterns.
|
# Configuration parameters: Max, AllowHeredoc, AllowURI, URISchemes, IgnoreCopDirectives, AllowedPatterns.
|
||||||
|
@ -86,7 +86,7 @@ Lint/UnusedBlockArgument:
|
||||||
Lint/UselessAssignment:
|
Lint/UselessAssignment:
|
||||||
Exclude:
|
Exclude:
|
||||||
- 'app/services/activitypub/process_status_update_service.rb'
|
- 'app/services/activitypub/process_status_update_service.rb'
|
||||||
- 'config/initializers/omniauth.rb'
|
- 'config/initializers/3_omniauth.rb'
|
||||||
- 'db/migrate/20190511134027_add_silenced_at_suspended_at_to_accounts.rb'
|
- 'db/migrate/20190511134027_add_silenced_at_suspended_at_to_accounts.rb'
|
||||||
- 'db/post_migrate/20190511152737_remove_suspended_silenced_account_fields.rb'
|
- 'db/post_migrate/20190511152737_remove_suspended_silenced_account_fields.rb'
|
||||||
- 'spec/controllers/api/v1/favourites_controller_spec.rb'
|
- 'spec/controllers/api/v1/favourites_controller_spec.rb'
|
||||||
|
@ -573,11 +573,11 @@ Style/FetchEnvVar:
|
||||||
- 'config/environments/development.rb'
|
- 'config/environments/development.rb'
|
||||||
- 'config/environments/production.rb'
|
- 'config/environments/production.rb'
|
||||||
- 'config/initializers/2_limited_federation_mode.rb'
|
- 'config/initializers/2_limited_federation_mode.rb'
|
||||||
|
- 'config/initializers/3_omniauth.rb'
|
||||||
- 'config/initializers/blacklists.rb'
|
- 'config/initializers/blacklists.rb'
|
||||||
- 'config/initializers/cache_buster.rb'
|
- 'config/initializers/cache_buster.rb'
|
||||||
- 'config/initializers/content_security_policy.rb'
|
- 'config/initializers/content_security_policy.rb'
|
||||||
- 'config/initializers/devise.rb'
|
- 'config/initializers/devise.rb'
|
||||||
- 'config/initializers/omniauth.rb'
|
|
||||||
- 'config/initializers/paperclip.rb'
|
- 'config/initializers/paperclip.rb'
|
||||||
- 'config/initializers/vapid.rb'
|
- 'config/initializers/vapid.rb'
|
||||||
- 'lib/mastodon/premailer_webpack_strategy.rb'
|
- 'lib/mastodon/premailer_webpack_strategy.rb'
|
||||||
|
@ -811,7 +811,7 @@ Style/StringLiterals:
|
||||||
# AllowedMethods: define_method, mail, respond_to
|
# AllowedMethods: define_method, mail, respond_to
|
||||||
Style/SymbolProc:
|
Style/SymbolProc:
|
||||||
Exclude:
|
Exclude:
|
||||||
- 'config/initializers/omniauth.rb'
|
- 'config/initializers/3_omniauth.rb'
|
||||||
|
|
||||||
# This cop supports safe autocorrection (--autocorrect).
|
# This cop supports safe autocorrection (--autocorrect).
|
||||||
# Configuration parameters: EnforcedStyle, AllowSafeAssignment.
|
# Configuration parameters: EnforcedStyle, AllowSafeAssignment.
|
||||||
|
|
|
@ -1,5 +1,9 @@
|
||||||
# frozen_string_literal: true
|
# frozen_string_literal: true
|
||||||
|
|
||||||
|
# OmniAuth providers need to be initialized before the CSP initializer
|
||||||
|
# in `config/initializers/content_security_policy.rb`, which sets the
|
||||||
|
# `form-action` directive based on them.
|
||||||
|
|
||||||
Rails.application.config.middleware.use OmniAuth::Builder do
|
Rails.application.config.middleware.use OmniAuth::Builder do
|
||||||
# Vanilla omniauth strategies
|
# Vanilla omniauth strategies
|
||||||
end
|
end
|
|
@ -26,12 +26,14 @@ def sso_host
|
||||||
|
|
||||||
provider = Devise.omniauth_configs[Devise.omniauth_providers[0]]
|
provider = Devise.omniauth_configs[Devise.omniauth_providers[0]]
|
||||||
@sso_host ||= begin
|
@sso_host ||= begin
|
||||||
# using CAS
|
case provider.provider
|
||||||
provider.cas_url if ENV['CAS_ENABLED'] == 'true'
|
when :cas
|
||||||
# using SAML
|
provider.cas_url
|
||||||
provider.options[:idp_sso_target_url] if ENV['SAML_ENABLED'] == 'true'
|
when :saml
|
||||||
# or using OIDC
|
provider.options[:idp_sso_target_url]
|
||||||
ENV['OIDC_AUTH_ENDPOINT'] || (OpenIDConnect::Discovery::Provider::Config.discover!(ENV['OIDC_ISSUER']).authorization_endpoint if ENV['OIDC_ENABLED'] == 'true')
|
when :openid_connect
|
||||||
|
provider.options.dig(:client_options, :authorization_endpoint) || OpenIDConnect::Discovery::Provider::Config.discover!(provider.options[:issuer]).authorization_endpoint
|
||||||
|
end
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
Reference in New Issue