Fix CAS redirect url (#6634)

Build the same service URL when requesting the CAS ticket and when calling the proxyValidate URL.
This commit is contained in:
Naugrimm 2020-03-24 12:59:04 +01:00 committed by GitHub
parent 190ab593b7
commit 1fcf9c6f95
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 17 additions and 11 deletions

1
changelog.d/6634.bugfix Normal file
View file

@ -0,0 +1 @@
Fix single-sign on with CAS systems: pass the same service URL when requesting the CAS ticket and when calling the `proxyValidate` URL. Contributed by @Naugrimm.

View file

@ -72,6 +72,14 @@ def login_id_thirdparty_from_phone(identifier):
return {"type": "m.id.thirdparty", "medium": "msisdn", "address": msisdn} return {"type": "m.id.thirdparty", "medium": "msisdn", "address": msisdn}
def build_service_param(cas_service_url, client_redirect_url):
return "%s%s?redirectUrl=%s" % (
cas_service_url,
"/_matrix/client/r0/login/cas/ticket",
urllib.parse.quote(client_redirect_url, safe=""),
)
class LoginRestServlet(RestServlet): class LoginRestServlet(RestServlet):
PATTERNS = client_patterns("/login$", v1=True) PATTERNS = client_patterns("/login$", v1=True)
CAS_TYPE = "m.login.cas" CAS_TYPE = "m.login.cas"
@ -427,18 +435,15 @@ class BaseSSORedirectServlet(RestServlet):
class CasRedirectServlet(BaseSSORedirectServlet): class CasRedirectServlet(BaseSSORedirectServlet):
def __init__(self, hs): def __init__(self, hs):
super(CasRedirectServlet, self).__init__() super(CasRedirectServlet, self).__init__()
self.cas_server_url = hs.config.cas_server_url.encode("ascii") self.cas_server_url = hs.config.cas_server_url
self.cas_service_url = hs.config.cas_service_url.encode("ascii") self.cas_service_url = hs.config.cas_service_url
def get_sso_url(self, client_redirect_url): def get_sso_url(self, client_redirect_url):
client_redirect_url_param = urllib.parse.urlencode( args = urllib.parse.urlencode(
{b"redirectUrl": client_redirect_url} {"service": build_service_param(self.cas_service_url, client_redirect_url)}
).encode("ascii") )
hs_redirect_url = self.cas_service_url + b"/_matrix/client/r0/login/cas/ticket"
service_param = urllib.parse.urlencode( return "%s/login?%s" % (self.cas_server_url, args)
{b"service": b"%s?%s" % (hs_redirect_url, client_redirect_url_param)}
).encode("ascii")
return b"%s/login?%s" % (self.cas_server_url, service_param)
class CasTicketServlet(RestServlet): class CasTicketServlet(RestServlet):
@ -458,7 +463,7 @@ class CasTicketServlet(RestServlet):
uri = self.cas_server_url + "/proxyValidate" uri = self.cas_server_url + "/proxyValidate"
args = { args = {
"ticket": parse_string(request, "ticket", required=True), "ticket": parse_string(request, "ticket", required=True),
"service": self.cas_service_url, "service": build_service_param(self.cas_service_url, client_redirect_url),
} }
try: try:
body = await self._http_client.get_raw(uri, args) body = await self._http_client.get_raw(uri, args)