diff --git a/ee/changelogs/unreleased/oauth-geo-fix.yml b/ee/changelogs/unreleased/oauth-geo-fix.yml
new file mode 100644
index 0000000000000000000000000000000000000000..1f8bf7bb1dd187053dfddc5806bb17b254aa780c
--- /dev/null
+++ b/ee/changelogs/unreleased/oauth-geo-fix.yml
@@ -0,0 +1,5 @@
+---
+title: 'Geo: Fix OAuth authentication with relative URL used on secondary'
+merge_request: 37083
+author:
+type: fixed
diff --git a/ee/lib/gitlab/geo/oauth/session.rb b/ee/lib/gitlab/geo/oauth/session.rb
index f0941a8aa2d5851f7a12012b2da4b0c85e8eacf9..507131fdce2de2897f6fecc17766d335dd1834c0 100644
--- a/ee/lib/gitlab/geo/oauth/session.rb
+++ b/ee/lib/gitlab/geo/oauth/session.rb
@@ -8,11 +8,12 @@ module Gitlab
         include Gitlab::Utils::StrongMemoize
         include GrapePathHelpers::NamedRouteMatcher
 
-        # We don't use oauth_token_path helper because its output depends
+        # We don't use oauth_*_path helpers because their outputs depends
         # on secondary configuration (ex., relative URL) while we really need
         # it for a primary. This is why we're building it ourselves using
-        # primary node configuration and this static URL
+        # primary node configuration and these static URLs
         TOKEN_PATH = '/oauth/token'
+        AUTHORIZATION_PATH = '/oauth/authorize'
 
         def authorize_url(params = {})
           oauth_client.auth_code.authorize_url(params)
@@ -41,7 +42,7 @@ module Gitlab
             oauth_application&.uid,
             oauth_application&.secret,
             site: Gitlab::Geo.primary_node.url,
-            authorize_url: oauth_authorization_path,
+            authorize_url: oauth_authorization_url,
             token_url: token_url
           )
         end
@@ -54,6 +55,10 @@ module Gitlab
         def token_url
           Gitlab::Utils.append_path(Gitlab::Geo.primary_node.internal_url, TOKEN_PATH)
         end
+
+        def oauth_authorization_url Gitlab::Utils.append_path(Gitlab::Geo.primary_node.internal_url, AUTHORIZATION_PATH)
+        end
       end
     end
   end
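Review bot: The rewritten comment above the constants has a grammar slip, `their outputs depends`, and calls the two constants `static URLs` although `TOKEN_PATH` and `AUTHORIZATION_PATH` hold paths that are joined to a node URL further down. I would make the first line `# We don't use the oauth_*_path helpers because their output depends` and the last `# primary node configuration and these static paths.` It would also help to add one sentence saying which primary URL (`url` or `internal_url`) each path is appended to, since that choice is not visible at the constants and is the security-relevant part of building the endpoints by hand. The `Session` class and its enclosing modules start before this hunk.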
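Review bot: `oauth_authorization_url` appends `AUTHORIZATION_PATH` to `Gitlab::Geo.primary_node.internal_url`, while the `oauth_authorization_path` it replaces was a relative path handed to the client alongside `site: Gitlab::Geo.primary_node.url` in the `oauth_client` hunk, so the base host of the authorization endpoint changes as well as its path. The authorization URL is the one the end user's browser is redirected to, whereas `token_url` is fetched by the secondary itself; if a deployment sets a distinct internal URL for node-to-node traffic, the browser may be sent to a host it cannot reach or that is not the public identity users expect to authenticate against. Unless the internal host is intended as the redirect target, the body should be `Gitlab::Utils.append_path(Gitlab::Geo.primary_node.url, AUTHORIZATION_PATH)` with a comment stating why the two endpoints use different base URLs; the existing spec assertion `start_with(primary_node.internal_url)` only distinguishes the two if the fixture sets a distinct internal URL, which is not visible here. The enclosing `Session` class and modules close at the end of this hunk but open outside it.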
diff --git a/ee/spec/lib/gitlab/geo/oauth/session_spec.rb b/ee/spec/lib/gitlab/geo/oauth/session_spec.rb
index 258729346ca6151d70e8c221451ec9a79ccb8754..b49f179b7a165cc13f95189651c84f9fad456a9f 100644
--- a/ee/spec/lib/gitlab/geo/oauth/session_spec.rb
+++ b/ee/spec/lib/gitlab/geo/oauth/session_spec.rb
@@ -19,6 +19,23 @@ RSpec.describe Gitlab::Geo::Oauth::Session, :geo do
     it 'returns a valid url to the primary node' do
       expect(subject.authorize_url).to start_with(primary_node.internal_url)
     end
+
+    context 'secondary is configured with relative URL' do
+      def stub_relative_url(host, script_name)
+        url_options = { host: host, protocol: "http", port: nil, script_name: script_name }
+
+        allow(Rails.application.routes).to receive(:default_url_options).and_return(url_options)
+      end
+
+      it 'does not include secondary relative URL path' do
+        secondary_url = 'http://secondary.host/relative-path/'
+
+        stub_config_setting(url: secondary_url, https: false)
+        stub_relative_url('secondary.host', '/relative-path')
+
+        expect(subject.authorize_url).not_to include('relative-path')
+      end
+    end
   end
 
   describe '#authenticate' do
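Review bot: The new example asserts only `not_to include('relative-path')`, which also passes for a URL on the wrong host or with the wrong path, so it does not pin the behaviour the changelog describes. A positive assertion such as `expect(subject.authorize_url).to start_with(Gitlab::Utils.append_path(primary_node.internal_url, '/oauth/authorize'))` (or an `eq` on `URI.parse(subject.authorize_url).path`) would fail both if the secondary's `script_name` leaked back in and if the host or path were wrong for another reason. The mirror case, a primary configured with a relative URL whose prefix must be kept while the secondary's is dropped, is not covered by either example in this hunk and is the one most likely to regress with hand-built endpoints. The enclosing `describe '#authorize_url'` block starts before the hunk.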