From a1177700b689868fd0b4e844484b7ab26b7af880 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Oliver=20G=C3=BCnther?=
Date: Thu, 2 Sep 2021 13:52:15 +0200
Subject: [PATCH] Fix and test auth-source-sso case insensitivity

---
 app/controllers/concerns/auth_source_sso.rb | 2 +-
 .../concerns/auth_source_sso_spec.rb | 33 +++++++++++++++++--
 2 files changed, 32 insertions(+), 3 deletions(-)

diff --git a/app/controllers/concerns/auth_source_sso.rb b/app/controllers/concerns/auth_source_sso.rb
index 443bacb223..c3e6afa029 100644
--- a/app/controllers/concerns/auth_source_sso.rb
+++ b/app/controllers/concerns/auth_source_sso.rb
@@ -26,7 +26,7 @@ module AuthSourceSSO
 
   def match_sso_with_logged_user(login, user)
     return if user.nil?
-    return user if user.login == login
+    return user if user.login.casecmp?(login)
 
     Rails.logger.warn { "Header-based auth source SSO user changed from #{user.login} to #{login}. Re-authenticating" }
     ::Users::LogoutService.new(controller: self).call(user)
diff --git a/spec/controllers/concerns/auth_source_sso_spec.rb b/spec/controllers/concerns/auth_source_sso_spec.rb
index a00ab41a03..808a36acf0 100644
--- a/spec/controllers/concerns/auth_source_sso_spec.rb
+++ b/spec/controllers/concerns/auth_source_sso_spec.rb
@@ -44,6 +44,7 @@ describe MyController, type: :controller do
   let!(:auth_source) { DummyAuthSource.create name: "Dummy LDAP" }
   let!(:user) { FactoryBot.create :user, login: login, auth_source_id: auth_source.id, last_login_on: 5.days.ago }
   let(:login) { "h.wurst" }
+  let(:header_login_value) { login }
 
   shared_examples 'should log in the user' do
     it "logs in given user" do
@@ -94,7 +95,7 @@ describe MyController, type: :controller do
     end
 
     separator = secret ? ':' : ''
-    request.headers[header] = "#{login}#{separator}#{secret}"
+    request.headers[header] = "#{header_login_value}#{separator}#{secret}"
   end
 
   describe 'login' do
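Review bot: `user.login.casecmp?(login)` performs Unicode case folding, so besides plain upper/lower variants it also equates fold-equivalent characters (e.g. `\u212A`, the Kelvin sign, folds to `k`); the spec's 'does not match the case' context shows the header-to-user lookup is already case-insensitive, but this hunk does not show which normalization that lookup uses, and the two should be the same function so a header value can never pass this session check while the lookup would have resolved it to a different account. Note also that `casecmp?` returns nil rather than false when `login` is not a String or has an incompatible encoding, which sends such a header value down the warn/logout path — fail-closed, but worth stating. I would annotate the changed line: `# Case-insensitive match (Unicode case folding); keep in step with the normalization used when the SSO header is resolved to a user.` `match_sso_with_logged_user` continues past the end of the hunk, so its return value after the logout is not visible here.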
@@ -117,7 +118,7 @@ describe MyController, type: :controller do
     end
 
     context 'when the header values does not match the case' do
-      let(:login) { 'H.wUrSt' }
+      let(:header_login_value) { 'H.wUrSt' }
 
       it_behaves_like 'should log in the user'
     end
@@ -162,6 +163,34 @@ describe MyController, type: :controller do
       end
     end
 
+    context 'when the logged-in user differs in case' do
+      let(:header_login_value) { 'h.WURST' }
+      let(:session_update_time) { 1.minute.ago }
+      let(:last_login) { 1.minute.ago }
+
+      before do
+        user.update_column(:last_login_on, last_login)
+        session[:user_id] = user.id
+        session[:updated_at] = session_update_time
+        session[:should_be_kept] = true
+      end
+
+      it 'logs in the user' do
+        get :account
+
+        expect(response).not_to be_redirect
+        expect(response).to be_successful
+        expect(session[:user_id]).to eq user.id
+        expect(session[:updated_at]).to be > session_update_time
+
+        # User not is not relogged
+        expect(user.reload.last_login_on).to be_within(1.second).of(last_login)
+
+        # Session values are kept
+        expect(session[:should_be_kept]).to eq true
+      end
+    end
+
     context 'when the logged-in user differs from the header' do
       let(:other_user) { FactoryBot.create :user, login: 'other_user' }
       let(:session_update_time) { 1.minute.ago }
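Review bot: The new example only shows indirectly that the case-variant header did not trigger re-authentication, through `last_login_on` staying within a second of `last_login`; since the behaviour under test is that `Users::LogoutService` is not invoked for a case-only difference, assert that directly, e.g. `expect(::Users::LogoutService).not_to receive(:new)` placed before `get :account`. The comment `# User not is not relogged` has a typo; `# User is not re-authenticated: last_login_on is unchanged` reads better. Since `casecmp?` applies Unicode case folding rather than ASCII case mapping, a sibling example with a fold-equivalent but byte-different login would pin whether that wider equivalence is intended; which normalization the header-to-user lookup itself applies is not visible in this diff.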