FIX: Ensure JS script path is correct for subfolder (#57)

The change in 245b70d4 means that the CSP middleware now activates for the `/auth/saml` route. That's good, but it also broke things for subfolder installations because the CSP includes the base_path, while the SAML script path did not. This commit fixes that, and adds an integration spec to ensure the script is included in the script_src directive for regular and subfolder sites.

FIX: Ensure JS script path is correct for subfolder (#57)
The change in 245b70d4 means that the CSP middleware now activates for the `/auth/saml` route. That's good, but it also broke things for subfolder installations because the CSP includes the base_path, while the SAML script path did not. This commit fixes that, and adds an integration spec to ensure the script is included in the script_src directive for regular and subfolder sites.
7792d1eb · David Taylor · GitHub · 21a23caa · 7792d1eb · 7792d1eb
Unverified Commit 7792d1eb authored 3 years ago by David Taylor Committed by GitHub 3 years ago
--- a/lib/discourse_saml/saml_omniauth_strategy.rb
+++ b/lib/discourse_saml/saml_omniauth_strategy.rb
@@ -41,7 +41,7 @@ class ::DiscourseSaml::SamlOmniauthStrategy < OmniAuth::Strategies::SAML
  private

  def render_auto_submitted_form(destination:, params:)
-    submit_script_url = UrlHelper.absolute('/plugins/discourse-saml/javascripts/submit-form-on-load.js', GlobalSetting.cdn_url)
+    submit_script_url = UrlHelper.absolute("#{Discourse.base_path}/plugins/discourse-saml/javascripts/submit-form-on-load.js", GlobalSetting.cdn_url)

    inputs = params.map do |key, value|
      <<~HTML

--- a/spec/integration/saml_post_mode_spec.rb
+++ b/spec/integration/saml_post_mode_spec.rb
@@ -37,6 +37,45 @@ describe "SAML POST-mode functionality", type: :request do
      }
    )

-    expect(response.body).to have_tag("script")
+    html = Nokogiri::HTML5(response.body)
+    script_url = html.at("script").attribute("src").value
+
+    csp = response.headers["content-security-policy"]
+    script_src = csp.split(";").find { |directive| directive.strip.start_with?("script-src") }.split(" ")
+    included_in_csp = script_src.any? { |allowed_src| script_url.start_with?(allowed_src) }
+
+    expect(included_in_csp).to eq(true)
+  end
+
+  it "works for subfolder" do
+    set_subfolder "/forum"
+    SiteSetting.saml_request_method = "POST"
+
+    post "/auth/saml"
+    expect(response.status).to eq(200)
+    expect(response.body).to have_tag(
+      "form",
+      with: {
+        "action" => "https://example.com/samlidp",
+        "method" => "post",
+      }
+    )
+
+    expect(response.body).to have_tag(
+      "form input",
+      with: {
+        "name" => "SAMLRequest",
+        "type" => "hidden",
+      }
+    )
+
+    html = Nokogiri::HTML5(response.body)
+    script_url = html.at("script").attribute("src").value
+
+    csp = response.headers["content-security-policy"]
+    script_src = csp.split(";").find { |directive| directive.strip.start_with?("script-src") }.split(" ")
+    included_in_csp = script_src.any? { |allowed_src| script_url.start_with?(allowed_src) }
+
+    expect(included_in_csp).to eq(true)
  end
 end