SECURITY: Do not allow authentication with disabled plugin-supplied a… (#6071)

Do not allow authentication with disabled plugin-supplied auth providers

app/controllers/users/omniauth_callbacks_controller.rb

@@ -93,16 +93,19 @@ class Users::OmniauthCallbacksController < ApplicationController
   def self.find_authenticator(name)
     BUILTIN_AUTH.each do |authenticator|
       if authenticator.name == name
-        raise Discourse::InvalidAccess.new("provider is not enabled") unless SiteSetting.send("enable_#{name}_logins?")
+        raise Discourse::InvalidAccess.new(I18n.t("provider_not_enabled")) unless SiteSetting.send("enable_#{name}_logins?")
         return authenticator
       end
     end
 
     Discourse.auth_providers.each do |provider|
+      unless provider.enabled_setting.nil? || SiteSetting.send(provider.enabled_setting)
+        raise Discourse::InvalidAccess.new(I18n.t("provider_not_enabled"))
+      end
       return provider.authenticator if provider.name == name
     end
 
-    raise Discourse::InvalidAccess.new("provider is not found")
+    raise Discourse::InvalidAccess.new(I18n.t("provider_not_found"))
   end
 
   protected

config/locales/server.en.yml

@@ -198,6 +198,8 @@ en:
   not_found: "The requested URL or resource could not be found."
   invalid_access: "You are not permitted to view the requested resource."
   invalid_api_credentials: "You are not permitted to view the requested resource. The API username or key is invalid."
+  provider_not_enabled: "You are not permitted to view the requested resource. The authentication provider is not enabled."
+  provider_not_found: "You are not permitted to view the requested resource. The authentication provider does not exist."
   read_only_mode_enabled: "The site is in read only mode. Interactions are disabled."
 
   reading_time: "Reading time"

spec/requests/omniauth_callbacks_controller_spec.rb

@@ -33,6 +33,42 @@ RSpec.describe Users::OmniauthCallbacksController do
       expect(Users::OmniauthCallbacksController.find_authenticator("twitter"))
         .not_to eq(nil)
     end
+
+    context "with a plugin-contributed auth provider" do
+
+      let :provider do
+        provider = Plugin::AuthProvider.new
+        provider.authenticator = Auth::OpenIdAuthenticator.new('ubuntu', 'https://login.ubuntu.com', trusted: true)
+        provider.enabled_setting = "ubuntu_login_enabled"
+        provider
+      end
+
+      before do
+        Discourse.stubs(:auth_providers).returns [provider]
+      end
+
+      it "finds an authenticator when enabled" do
+        SiteSetting.stubs(:ubuntu_login_enabled).returns(true)
+
+        expect(Users::OmniauthCallbacksController.find_authenticator("ubuntu"))
+          .to be(provider.authenticator)
+      end
+
+      it "fails if an authenticator is disabled" do
+        SiteSetting.stubs(:ubuntu_login_enabled).returns(false)
+
+        expect { Users::OmniauthCallbacksController.find_authenticator("ubuntu") }
+          .to raise_error(Discourse::InvalidAccess)
+      end
+
+      it "succeeds if an authenticator does not have a site setting" do
+        provider.enabled_setting = nil
+        SiteSetting.stubs(:ubuntu_login_enabled).returns(false)
+
+        expect(Users::OmniauthCallbacksController.find_authenticator("ubuntu"))
+          .to be(provider.authenticator)
+      end
+    end
   end
 
   context 'Google Oauth2' do