Revert "Merge pull request #7153 from matrix-org/babolivier/sso_whitelist_login_fallback"
This was incorrectly merged to master. This reverts commitpull/7232/head319c41f573
, reversing changes made to229eb81498
.
parent
8d4cbdeaa9
commit
0122ef1037
|
@ -1 +0,0 @@
|
||||||
Always whitelist the login fallback in the SSO configuration if `public_baseurl` is set.
|
|
|
@ -1392,10 +1392,6 @@ sso:
|
||||||
# phishing attacks from evil.site. To avoid this, include a slash after the
|
# phishing attacks from evil.site. To avoid this, include a slash after the
|
||||||
# hostname: "https://my.client/".
|
# hostname: "https://my.client/".
|
||||||
#
|
#
|
||||||
# If public_baseurl is set, then the login fallback page (used by clients
|
|
||||||
# that don't natively support the required login flows) is whitelisted in
|
|
||||||
# addition to any URLs in this list.
|
|
||||||
#
|
|
||||||
# By default, this list is empty.
|
# By default, this list is empty.
|
||||||
#
|
#
|
||||||
#client_whitelist:
|
#client_whitelist:
|
||||||
|
|
|
@ -39,17 +39,6 @@ class SSOConfig(Config):
|
||||||
|
|
||||||
self.sso_client_whitelist = sso_config.get("client_whitelist") or []
|
self.sso_client_whitelist = sso_config.get("client_whitelist") or []
|
||||||
|
|
||||||
# Attempt to also whitelist the server's login fallback, since that fallback sets
|
|
||||||
# the redirect URL to itself (so it can process the login token then return
|
|
||||||
# gracefully to the client). This would make it pointless to ask the user for
|
|
||||||
# confirmation, since the URL the confirmation page would be showing wouldn't be
|
|
||||||
# the client's.
|
|
||||||
# public_baseurl is an optional setting, so we only add the fallback's URL to the
|
|
||||||
# list if it's provided (because we can't figure out what that URL is otherwise).
|
|
||||||
if self.public_baseurl:
|
|
||||||
login_fallback_url = self.public_baseurl + "_matrix/static/client/login"
|
|
||||||
self.sso_client_whitelist.append(login_fallback_url)
|
|
||||||
|
|
||||||
def generate_config_section(self, **kwargs):
|
def generate_config_section(self, **kwargs):
|
||||||
return """\
|
return """\
|
||||||
# Additional settings to use with single-sign on systems such as SAML2 and CAS.
|
# Additional settings to use with single-sign on systems such as SAML2 and CAS.
|
||||||
|
@ -65,10 +54,6 @@ class SSOConfig(Config):
|
||||||
# phishing attacks from evil.site. To avoid this, include a slash after the
|
# phishing attacks from evil.site. To avoid this, include a slash after the
|
||||||
# hostname: "https://my.client/".
|
# hostname: "https://my.client/".
|
||||||
#
|
#
|
||||||
# If public_baseurl is set, then the login fallback page (used by clients
|
|
||||||
# that don't natively support the required login flows) is whitelisted in
|
|
||||||
# addition to any URLs in this list.
|
|
||||||
#
|
|
||||||
# By default, this list is empty.
|
# By default, this list is empty.
|
||||||
#
|
#
|
||||||
#client_whitelist:
|
#client_whitelist:
|
||||||
|
|
|
@ -350,14 +350,7 @@ class CASRedirectConfirmTestCase(unittest.HomeserverTestCase):
|
||||||
def test_cas_redirect_whitelisted(self):
|
def test_cas_redirect_whitelisted(self):
|
||||||
"""Tests that the SSO login flow serves a redirect to a whitelisted url
|
"""Tests that the SSO login flow serves a redirect to a whitelisted url
|
||||||
"""
|
"""
|
||||||
self._test_redirect("https://legit-site.com/")
|
redirect_url = "https://legit-site.com/"
|
||||||
|
|
||||||
@override_config({"public_baseurl": "https://example.com"})
|
|
||||||
def test_cas_redirect_login_fallback(self):
|
|
||||||
self._test_redirect("https://example.com/_matrix/static/client/login")
|
|
||||||
|
|
||||||
def _test_redirect(self, redirect_url):
|
|
||||||
"""Tests that the SSO login flow serves a redirect for the given redirect URL."""
|
|
||||||
cas_ticket_url = (
|
cas_ticket_url = (
|
||||||
"/_matrix/client/r0/login/cas/ticket?redirectUrl=%s&ticket=ticket"
|
"/_matrix/client/r0/login/cas/ticket?redirectUrl=%s&ticket=ticket"
|
||||||
% (urllib.parse.quote(redirect_url))
|
% (urllib.parse.quote(redirect_url))
|
||||||
|
|
Loading…
Reference in New Issue