Merge pull request #9627 from opf/fix/auth-source-sso-case

[38706] Fix and test auth-source-sso case insensitivity
opf · Sep 2, 2021 · b52a2d7 · b52a2d7
2 parents 5c9ff2d + a117770
commit b52a2d7
Show file tree

Hide file tree

Showing 2 changed files with 32 additions and 3 deletions.
diff --git a/app/controllers/concerns/auth_source_sso.rb b/app/controllers/concerns/auth_source_sso.rb
@@ -26,7 +26,7 @@ def find_current_user
 
   def match_sso_with_logged_user(login, user)
     return if user.nil?
-    return user if user.login == login
+    return user if user.login.casecmp?(login)
 
     Rails.logger.warn { "Header-based auth source SSO user changed from #{user.login} to #{login}. Re-authenticating" }
     ::Users::LogoutService.new(controller: self).call(user)

diff --git a/spec/controllers/concerns/auth_source_sso_spec.rb b/spec/controllers/concerns/auth_source_sso_spec.rb
@@ -44,6 +44,7 @@
   let!(:auth_source) { DummyAuthSource.create name: "Dummy LDAP" }
   let!(:user) { FactoryBot.create :user, login: login, auth_source_id: auth_source.id, last_login_on: 5.days.ago }
   let(:login) { "h.wurst" }
+  let(:header_login_value) { login }
 
   shared_examples 'should log in the user' do
     it "logs in given user" do
@@ -94,7 +95,7 @@ def attrs(user)
     end
 
     separator = secret ? ':' : ''
-    request.headers[header] = "#{login}#{separator}#{secret}"
+    request.headers[header] = "#{header_login_value}#{separator}#{secret}"
   end
 
   describe 'login' do
@@ -117,7 +118,7 @@ def attrs(user)
     end
 
     context 'when the header values does not match the case' do
-      let(:login) { 'H.wUrSt' }
+      let(:header_login_value) { 'H.wUrSt' }
 
       it_behaves_like 'should log in the user'
     end
@@ -162,6 +163,34 @@ def attrs(user)
     end
   end
 
+  context 'when the logged-in user differs in case' do
+    let(:header_login_value) { 'h.WURST' }
+    let(:session_update_time) { 1.minute.ago }
+    let(:last_login) { 1.minute.ago }
+
+    before do
+      user.update_column(:last_login_on, last_login)
+      session[:user_id] = user.id
+      session[:updated_at] = session_update_time
+      session[:should_be_kept] = true
+    end
+
+    it 'logs in the user' do
+      get :account
+
+      expect(response).not_to be_redirect
+      expect(response).to be_successful
+      expect(session[:user_id]).to eq user.id
+      expect(session[:updated_at]).to be > session_update_time
+
+      # User not is not relogged
+      expect(user.reload.last_login_on).to be_within(1.second).of(last_login)
+
+      # Session values are kept
+      expect(session[:should_be_kept]).to eq true
+    end
+  end
+
   context 'when the logged-in user differs from the header' do
     let(:other_user) { FactoryBot.create :user, login: 'other_user' }
     let(:session_update_time) { 1.minute.ago }