Merge pull request #848 from kmycode/kb-draft-14.1

Release: 14.1

Gemfile.lock

@@ -470,9 +470,9 @@ GEM
     omniauth-rails_csrf_protection (1.0.2)
       actionpack (>= 4.2)
       omniauth (~> 2.0)
-    omniauth-saml (2.1.0)
-      omniauth (~> 2.0)
-      ruby-saml (~> 1.12)
+    omniauth-saml (2.2.1)
+      omniauth (~> 2.1)
+      ruby-saml (~> 1.17)
     omniauth_openid_connect (0.6.1)
       omniauth (>= 1.9, < 3)
       openid_connect (~> 1.1)
@@ -763,7 +763,7 @@ GEM
       rubocop-rspec (~> 3, >= 3.0.1)
     ruby-prof (1.7.0)
     ruby-progressbar (1.13.0)
-    ruby-saml (1.16.0)
+    ruby-saml (1.17.0)
       nokogiri (>= 1.13.10)
       rexml
     ruby-vips (2.2.2)

app/controllers/concerns/web_app_controller_concern.rb

@@ -8,6 +8,16 @@ module WebAppControllerConcern
 
     before_action :redirect_unauthenticated_to_permalinks!
     before_action :set_app_body_class
+
+    content_security_policy do |p|
+      policy = ContentSecurityPolicy.new
+
+      if policy.sso_host.present?
+        p.form_action policy.sso_host
+      else
+        p.form_action :none
+      end
+    end
   end
 
   def skip_csrf_meta_tags?

app/javascript/mastodon/reducers/accounts_map.js

@@ -4,11 +4,10 @@ import { ACCOUNT_LOOKUP_FAIL } from '../actions/accounts';
 import { importAccounts } from '../actions/accounts_typed';
 import { domain } from '../initial_state';
 
-export const normalizeForLookup = str => {
-  str = str.toLowerCase();
-  const trailingIndex = str.indexOf(`@${domain.toLowerCase()}`);
-  return (trailingIndex > 0) ? str.slice(0, trailingIndex) : str;
-};
+const pattern = new RegExp(`@${domain}$`, 'gi');
+
+export const normalizeForLookup = str =>
+  str.toLowerCase().replace(pattern, '');
 
 const initialState = ImmutableMap();
 

app/lib/content_security_policy.rb

@@ -13,6 +13,22 @@ def media_hosts
     [assets_host, cdn_host_value, paperclip_root_url].compact
   end
 
+  def sso_host
+    return unless ENV['ONE_CLICK_SSO_LOGIN'] == 'true' && ENV['OMNIAUTH_ONLY'] == 'true' && Devise.omniauth_providers.length == 1
+
+    provider = Devise.omniauth_configs[Devise.omniauth_providers[0]]
+    @sso_host ||= begin
+      case provider.provider
+      when :cas
+        provider.cas_url
+      when :saml
+        provider.options[:idp_sso_target_url]
+      when :openid_connect
+        provider.options.dig(:client_options, :authorization_endpoint) || OpenIDConnect::Discovery::Provider::Config.discover!(provider.options[:issuer]).authorization_endpoint
+      end
+    end
+  end
+
   private
 
   def url_from_configured_asset_host

config/initializers/content_security_policy.rb

@@ -12,24 +12,6 @@
 assets_host = policy.assets_host
 media_hosts = policy.media_hosts
 
-def sso_host
-  return unless ENV['ONE_CLICK_SSO_LOGIN'] == 'true'
-  return unless ENV['OMNIAUTH_ONLY'] == 'true'
-  return unless Devise.omniauth_providers.length == 1
-
-  provider = Devise.omniauth_configs[Devise.omniauth_providers[0]]
-  @sso_host ||= begin
-    case provider.provider
-    when :cas
-      provider.cas_url
-    when :saml
-      provider.options[:idp_sso_target_url]
-    when :openid_connect
-      provider.options.dig(:client_options, :authorization_endpoint) || OpenIDConnect::Discovery::Provider::Config.discover!(provider.options[:issuer]).authorization_endpoint
-    end
-  end
-end
-
 Rails.application.config.content_security_policy do |p|
   p.base_uri        :none
   p.default_src     :none
@@ -41,10 +23,10 @@ def sso_host
   p.frame_src       :self, :https
   p.manifest_src    :self, assets_host
 
-  if sso_host.present?
-    p.form_action     :self, sso_host
+  if policy.sso_host.present?
+    p.form_action :self, policy.sso_host
   else
-    p.form_action     :self
+    p.form_action :self
   end
 
   p.child_src       :self, :blob, assets_host

docker-compose.yml

@@ -59,7 +59,7 @@ services:
   web:
     # You can uncomment the following line if you want to not use the prebuilt image, for example if you have local code changes
     # build: .
-    image: ghcr.io/mastodon/mastodon:v4.3.0-beta.1
+    image: ghcr.io/mastodon/mastodon:v4.3.0-beta.2
     restart: always
     env_file: .env.production
     command: bundle exec puma -C config/puma.rb
@@ -83,7 +83,7 @@ services:
     # build:
     #   dockerfile: ./streaming/Dockerfile
     #   context: .
-    image: ghcr.io/mastodon/mastodon-streaming:v4.3.0-beta.1
+    image: ghcr.io/mastodon/mastodon-streaming:v4.3.0-beta.2
     restart: always
     env_file: .env.production
     command: node ./streaming/index.js
@@ -101,7 +101,7 @@ services:
 
   sidekiq:
     build: .
-    image: ghcr.io/mastodon/mastodon:v4.3.0-beta.1
+    image: ghcr.io/mastodon/mastodon:v4.3.0-beta.2
     restart: always
     env_file: .env.production
     command: bundle exec sidekiq

lib/mastodon/version.rb

@@ -9,7 +9,7 @@ def kmyblue_major
     end
 
     def kmyblue_minor
-      0
+      1
     end
 
     def kmyblue_flag
@@ -31,7 +31,7 @@ def patch
     end
 
     def default_prerelease
-      'beta.1'
+      'beta.2'
     end
 
     def prerelease

spec/requests/content_security_policy_spec.rb

@@ -26,7 +26,7 @@ def expected_csp_headers
       connect-src 'self' data: blob: https://cb6e6126.ngrok.io #{Rails.configuration.x.streaming_api_base_url}
       default-src 'none'
       font-src 'self' https://cb6e6126.ngrok.io
-      form-action 'self'
+      form-action 'none'
       frame-ancestors 'none'
       frame-src 'self' https:
       img-src 'self' data: blob: https://cb6e6126.ngrok.io