From 9a70cac9debf31e9cc379b6a67d793346c978a76 Mon Sep 17 00:00:00 2001
From: CSDUMMI <31551856+CSDUMMI@users.noreply.github.com>
Date: Tue, 12 Sep 2023 13:04:51 +0200
Subject: [PATCH] Fix #26849 by adding the domain of the current SSO provider
 to the form-action CSP (#26857)

---
 .../concerns/web_app_controller_concern.rb    |  2 +-
 app/serializers/initial_state_serializer.rb   |  2 +-
 .../initializers/content_security_policy.rb   | 24 ++++++++++++++++++-
 3 files changed, 25 insertions(+), 3 deletions(-)

diff --git a/app/controllers/concerns/web_app_controller_concern.rb b/app/controllers/concerns/web_app_controller_concern.rb
index 3a40ea3823..273d7344ca 100644
--- a/app/controllers/concerns/web_app_controller_concern.rb
+++ b/app/controllers/concerns/web_app_controller_concern.rb
@@ -11,7 +11,7 @@ module WebAppControllerConcern
   end
 
   def skip_csrf_meta_tags?
-    !(ENV['OMNIAUTH_ONLY'] == 'true' && Devise.omniauth_providers.length == 1) && current_user.nil?
+    !(ENV['ONE_CLICK_SSO_LOGIN'] == 'true' && ENV['OMNIAUTH_ONLY'] == 'true' && Devise.omniauth_providers.length == 1) && current_user.nil?
   end
 
   def set_app_body_class
diff --git a/app/serializers/initial_state_serializer.rb b/app/serializers/initial_state_serializer.rb
index 56d45c588e..b707d6fcb6 100644
--- a/app/serializers/initial_state_serializer.rb
+++ b/app/serializers/initial_state_serializer.rb
@@ -113,6 +113,6 @@ class InitialStateSerializer < ActiveModel::Serializer
   end
 
   def sso_redirect
-    "/auth/auth/#{Devise.omniauth_providers[0]}" if ENV['OMNIAUTH_ONLY'] == 'true' && Devise.omniauth_providers.length == 1
+    "/auth/auth/#{Devise.omniauth_providers[0]}" if ENV['ONE_CLICK_SSO_LOGIN'] == 'true' && ENV['OMNIAUTH_ONLY'] == 'true' && Devise.omniauth_providers.length == 1
   end
 end
diff --git a/config/initializers/content_security_policy.rb b/config/initializers/content_security_policy.rb
index 59ac3bdea2..5b32ee49b3 100644
--- a/config/initializers/content_security_policy.rb
+++ b/config/initializers/content_security_policy.rb
@@ -19,6 +19,22 @@ media_host ||= host_to_url(ENV['AZURE_ALIAS_HOST'])
 media_host ||= host_to_url(ENV['S3_HOSTNAME']) if ENV['S3_ENABLED'] == 'true'
 media_host ||= assets_host
 
+def sso_host
+  return unless ENV['ONE_CLICK_SSO_LOGIN'] == 'true'
+  return unless ENV['OMNIAUTH_ONLY'] == 'true'
+  return unless Devise.omniauth_providers.length == 1
+
+  provider = Devise.omniauth_configs[Devise.omniauth_providers[0]]
+  @sso_host ||= begin
+    # using CAS
+    provider.cas_url if ENV['CAS_ENABLED'] == 'true'
+    # using SAML
+    provider.options[:idp_sso_target_url] if ENV['SAML_ENABLED'] == 'true'
+    # or using OIDC
+    ENV['OIDC_AUTH_ENDPOINT'] || (OpenIDConnect::Discovery::Provider::Config.discover!(ENV['OIDC_ISSUER']).authorization_endpoint if ENV['OIDC_ENABLED'] == 'true')
+  end
+end
+
 Rails.application.config.content_security_policy do |p|
   p.base_uri        :none
   p.default_src     :none
@@ -29,7 +45,13 @@ Rails.application.config.content_security_policy do |p|
   p.media_src       :self, :https, :data, assets_host
   p.frame_src       :self, :https
   p.manifest_src    :self, assets_host
-  p.form_action     :self
+
+  if sso_host.present?
+    p.form_action     :self, sso_host
+  else
+    p.form_action     :self
+  end
+
   p.child_src       :self, :blob, assets_host
   p.worker_src      :self, :blob, assets_host