Allow SSO callbacks through maintenance mode

When using other authentication methods, like SSO, LDAP, the path and controllers are slightly different, as they redirect back to a callback handled by Omniauth. This adds the specific routes and controller to the allowlist in the read-only middleware to allow them to go through. Changelog: fixed EE: true

Allow SSO callbacks through maintenance mode
When using other authentication methods, like SSO, LDAP, the path and controllers are slightly different, as they redirect back to a callback handled by Omniauth. This adds the specific routes and controller to the allowlist in the read-only middleware to allow them to go through. Changelog: fixed EE: true
b59f528b · Catalin Irimie · e1d2685e · b59f528b · b59f528b
Commit b59f528b authored Nov 02, 2021 by Catalin Irimie
2 changed files
--- a/ee/lib/ee/gitlab/middleware/read_only/controller.rb
+++ b/ee/lib/ee/gitlab/middleware/read_only/controller.rb
@@ -33,6 +33,11 @@ module EE
            'oauth/tokens' => %w{create}
          }.freeze

+          ALLOWLISTED_SSO_SIGN_IN_CONTROLLERS = [
+            'omniauth_callbacks',
+            'ldap/omniauth_callbacks'
+          ].freeze
+
          private

          override :allowlisted_routes
@@ -115,10 +120,14 @@ module EE
          end

          def sign_in_route?
-            return unless request.post? && request.path.start_with?('/users/sign_in', '/oauth/token',
-              '/users/auth/geo/sign_in')
+            return unless request.post?
+
+            is_regular_sign_in_route = request.path.start_with?('/users/sign_in', '/oauth/token', '/users/auth/geo/sign_in') &&
+                                       ALLOWLISTED_SIGN_IN_ROUTES[route_hash[:controller]]&.include?(route_hash[:action])
+            is_sso_callback_route = request.path.start_with?('/users/auth/') &&
+                                    ALLOWLISTED_SSO_SIGN_IN_CONTROLLERS.include?(route_hash[:controller])

-            ALLOWLISTED_SIGN_IN_ROUTES[route_hash[:controller]]&.include?(route_hash[:action])
+            is_regular_sign_in_route || is_sso_callback_route
          end

          def lfs_locks_route?

--- a/ee/spec/support/shared_examples/lib/gitlab/middleware/maintenance_mode_gitlab_ee_instance_shared_examples.rb
+++ b/ee/spec/support/shared_examples/lib/gitlab/middleware/maintenance_mode_gitlab_ee_instance_shared_examples.rb
@@ -30,10 +30,29 @@ RSpec.shared_examples 'write access for a read-only GitLab (EE) instance in main
  end

  shared_examples_for 'sign in/out and OAuth are allowed' do
+    include LdapHelpers
+    include LoginHelpers
+
+    before do
+      stub_ldap_setting({ enabled: true })
+      Rails.application.reload_routes!
+
+      # SAML draws a custom route, LDAP doesn't, so the reload needs to happen before this
+      # to prevent overwriting the SAML route.
+      stub_omniauth_saml_config(enabled: true, auto_link_saml_user: true, allow_single_sign_on: ['saml'])
+    end
+
+    after(:all) do
+      Rails.application.reload_routes!
+    end
+
    where(:description, :path) do
-      'sign in route'     | '/users/sign_in'
-      'sign out route'    | '/users/sign_out'
-      'oauth token route' | '/oauth/token'
+      'sign in route'       | '/users/sign_in'
+      'sign out route'      | '/users/sign_out'
+      'oauth token route'   | '/oauth/token'
+      'SSO callback route'  | '/users/auth/gitlab/callback'
+      'LDAP callback route' | '/users/auth/ldapmain/callback'
+      'SAML regular route'  | '/users/auth/saml'
    end

    with_them do