Merge pull request #910 from nextcloud/handle-loginexception-when-aut…

…henticating-with-apache Handle LoginException when authenticating with Apache
nextcloud · Dec 3, 2024 · f59e79c · f59e79c
2 parents 0c174af + 2e9f5bc
commit f59e79c
Show file tree

Hide file tree

Showing 3 changed files with 41 additions and 1 deletion.
diff --git a/appinfo/app.php b/appinfo/app.php
@@ -4,6 +4,7 @@
  * SPDX-License-Identifier: AGPL-3.0-or-later
  */
 
+use OC\User\LoginException;
 use OCA\User_SAML\GroupBackend;
 use OCA\User_SAML\SAMLSettings;
 use OCA\User_SAML\UserBackend;
@@ -63,7 +64,21 @@
 		return;
 	}
 
-	OC_User::handleApacheAuth();
+	try {
+		OC_User::handleApacheAuth();
+	} catch (LoginException $e) {
+		if ($request->getPathInfo() === '/apps/user_saml/saml/error') {
+			return;
+		}
+		$targetUrl = $urlGenerator->linkToRouteAbsolute(
+			'user_saml.SAML.genericError',
+			[
+				'message' => $e->getMessage()
+			]
+		);
+		header('Location: ' . $targetUrl);
+		exit();
+	}
 }
 
 if ($returnScript === true) {

diff --git a/tests/integration/features/EnvironmentVariable.feature b/tests/integration/features/EnvironmentVariable.feature
@@ -27,3 +27,13 @@ Feature: EnvironmentVariable
     And The environment variable "REMOTE_USER" is set to "certainly-not-provisioned-user"
     When I send a GET request to "http://localhost:8080/index.php/login"
     Then I should be redirected to "http://localhost:8080/index.php/apps/user_saml/saml/notProvisioned"
+
+  Scenario: Authenticating using environment variable with SSO as a disabled user on backend
+    Given A local user with uid "provisioned-disabled-user" exists
+    And A local user with uid "provisioned-disabled-user" is disabled
+    And The setting "type" is set to "environment-variable"
+    And The setting "general-require_provisioned_account" is set to "1"
+    And The setting "general-uid_mapping" is set to "REMOTE_USER"
+    And The environment variable "REMOTE_USER" is set to "provisioned-disabled-user"
+    When I send a GET request to "http://localhost:8080/index.php/login"
+    Then I should be redirected to "http://localhost:8080/index.php/apps/user_saml/saml/error"
diff --git a/tests/integration/features/bootstrap/FeatureContext.php b/tests/integration/features/bootstrap/FeatureContext.php
@@ -493,6 +493,21 @@ public function aLocalUserWithUidExists($uid) {
 		);
 	}
 
+	/**
+	 * @Given A local user with uid :uid is disabled
+	 * @param string $uid
+	 */
+	public function aLocalUserWithUidIsDisabled($uid) {
+		shell_exec(
+			sprintf(
+				'OC_PASS=password %s %s user:disable %s',
+				PHP_BINARY,
+				__DIR__ . '/../../../../../../occ',
+				$uid
+			)
+		);
+	}
+
 	/**
 	 * @Then I hack :uid into existence
 	 */