From 9dedd9304de28f848f2d659927eed7dc6262ba83 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20Calvi=C3=B1o=20S=C3=A1nchez?=
Date: Tue, 26 Nov 2024 13:32:27 +0100
Subject: [PATCH 1/2] Handle LoginException when authenticating with Apache
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

"handleApacheAuth()" can throw a LoginException when trying to authenticate as a disabled user. This needs to be explicitly handled to redirect to an error page, as otherwise the login page will try to be loaded which, in turn, will try to authenticate again and cause an endless loop.

Signed-off-by: Daniel Calviño Sánchez
---
 appinfo/app.php | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)

diff --git a/appinfo/app.php b/appinfo/app.php
index 60d7698fd..aa17b8935 100644
--- a/appinfo/app.php
+++ b/appinfo/app.php
@@ -4,6 +4,7 @@
 * SPDX-License-Identifier: AGPL-3.0-or-later
 */
 
+use OC\User\LoginException;
 use OCA\User_SAML\GroupBackend;
 use OCA\User_SAML\SAMLSettings;
 use OCA\User_SAML\UserBackend;
@@ -63,7 +64,21 @@
 return;
 }
 
- OC_User::handleApacheAuth();
+ try {
+ OC_User::handleApacheAuth();
+ } catch (LoginException $e) {
+ if ($request->getPathInfo() === '/apps/user_saml/saml/error') {
+ return;
+ }
+ $targetUrl = $urlGenerator->linkToRouteAbsolute(
+ 'user_saml.SAML.genericError',
+ [
+ 'message' => $e->getMessage()
+ ]
+ );
+ header('Location: ' . $targetUrl);
+ exit();
+ }
 }
 
 if ($returnScript === true) {

From 2e9f5bc11acbdfd446564058366993a5c9e9e36b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20Calvi=C3=B1o=20S=C3=A1nchez?=
Date: Tue, 3 Dec 2024 17:55:11 +0100
Subject: [PATCH 2/2] Add integration test for authenticating as a disabled user
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
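Review bot: The new catch block in the second hunk redirects and exits without recording anything server-side, so a rejected SSO login (disabled account, or any other cause of LoginException, since the catch is not narrowed to the disabled-user case the commit message describes) leaves no trace for operators beyond whatever core may have logged before throwing. I would log `$e` through whatever logger app.php already resolves before building `$targetUrl`, and consider whether `$e->getMessage()` is safe to forward verbatim into a URL for every LoginException cause, not only the "user disabled" one. The loop guard compares `getPathInfo()` against the hardcoded string `'/apps/user_saml/saml/error'` while the redirect target comes from the route name `user_saml.SAML.genericError`; if those two ever diverge the guard stops matching and the endless loop returns, so a comment such as `// must stay in sync with the user_saml.SAML.genericError route` is the minimum. `$request` and `$urlGenerator` are assumed to be in scope from code outside the hunk, and the enclosing `if` block starts before it.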
Signed-off-by: Daniel Calviño Sánchez
---
 .../features/EnvironmentVariable.feature | 10 ++++++++++
 .../features/bootstrap/FeatureContext.php | 15 +++++++++++++++
 2 files changed, 25 insertions(+)

diff --git a/tests/integration/features/EnvironmentVariable.feature b/tests/integration/features/EnvironmentVariable.feature
index ceb84f3bf..5e5e3edb9 100644
--- a/tests/integration/features/EnvironmentVariable.feature
+++ b/tests/integration/features/EnvironmentVariable.feature
@@ -27,3 +27,13 @@ Feature: EnvironmentVariable
 And The environment variable "REMOTE_USER" is set to "certainly-not-provisioned-user"
 When I send a GET request to "http://localhost:8080/index.php/login"
 Then I should be redirected to "http://localhost:8080/index.php/apps/user_saml/saml/notProvisioned"
+
+ Scenario: Authenticating using environment variable with SSO as a disabled user on backend
+ Given A local user with uid "provisioned-disabled-user" exists
+ And A local user with uid "provisioned-disabled-user" is disabled
+ And The setting "type" is set to "environment-variable"
+ And The setting "general-require_provisioned_account" is set to "1"
+ And The setting "general-uid_mapping" is set to "REMOTE_USER"
+ And The environment variable "REMOTE_USER" is set to "provisioned-disabled-user"
+ When I send a GET request to "http://localhost:8080/index.php/login"
+ Then I should be redirected to "http://localhost:8080/index.php/apps/user_saml/saml/error"
diff --git a/tests/integration/features/bootstrap/FeatureContext.php b/tests/integration/features/bootstrap/FeatureContext.php
index 7adf12ade..27b847312 100644
--- a/tests/integration/features/bootstrap/FeatureContext.php
+++ b/tests/integration/features/bootstrap/FeatureContext.php
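Review bot: The new scenario only asserts the Location of the first response; it never checks that the disabled user ended up without a session, which is the property that actually matters for a disabled account, so a regression that redirects to the error page but still establishes a session would pass. If FeatureContext has (or can get) a step that requests a logged-in-only page with the same client, add after the last line something like `And I send a GET request to "http://localhost:8080/index.php/apps/files" ... Then I should not be logged in`, naming whatever step already exists for that. It would also be worth a scenario where the disabled user hits the error page URL directly, since the guard in app.php that short-circuits on `/apps/user_saml/saml/error` is the part that prevents the loop and is otherwise untested.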
@@ -493,6 +493,21 @@ public function aLocalUserWithUidExists($uid) {
 );
 }
 
+ /**
+ * @Given A local user with uid :uid is disabled
+ * @param string $uid
+ */
+ public function aLocalUserWithUidIsDisabled($uid) {
+ shell_exec(
+ sprintf(
+ 'OC_PASS=password %s %s user:disable %s',
+ PHP_BINARY,
+ __DIR__ . '/../../../../../../occ',
+ $uid
+ )
+ );
+ }
+
 /**
 * @Then I hack :uid into existence
 */
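Review bot: `$uid` is interpolated into the `shell_exec` command string unescaped in `aLocalUserWithUidIsDisabled`, and the result of `shell_exec` is discarded, so a failed `user:disable` (wrong occ path, user missing) goes unnoticed and the scenario then fails later with a misleading redirect mismatch rather than at the step that broke. Pass `escapeshellarg($uid)` in the sprintf argument list, and capture the output so the step can fail loudly, e.g. `$output = shell_exec(...);` followed by a check that it is a string containing the expected confirmation, or switch to `exec()` and assert the exit code. The sibling `aLocalUserWithUidExists`, whose tail is visible at the top of the hunk, appears to follow the same shell-exec shape and presumably has the same weakness, though only its closing lines are in view. The enclosing FeatureContext class starts and ends outside this hunk.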