fix(csp): automatically include SAML IDP URL in form-action

This avoids need to manually include it in WEBLATE_CSP_FORM_SRC.
WeblateOrg · Oct 3, 2024 · f0a51f0 · f0a51f0
1 parent 72904fa
commit f0a51f0
Showing 1 changed file with 18 additions and 4 deletions.
diff --git a/weblate/middleware.py b/weblate/middleware.py
@@ -20,6 +20,7 @@
 from django.utils.translation import gettext_lazy
 from social_core.backends.oauth import OAuthAuth
 from social_core.backends.open_id import OpenIdAuth
+from social_core.backends.saml import SAMLAuth
 from social_django.utils import load_strategy
 
 from weblate.auth.models import AuthenticatedHttpRequest, get_auth_backends
@@ -428,14 +429,27 @@ def build_csp_auth(self) -> None:
             else:
                 social_strategy = load_strategy(self.request)
             for backend in get_auth_backends().values():
-                url = ""
+                urls: list[str] = []
+
                 # Handle OpenId redirect flow
                 if issubclass(backend, OpenIdAuth):
-                    url = backend(social_strategy).openid_url()
+                    urls = [backend(social_strategy).openid_url()]
+
                 # Handle OAuth redirect flow
                 if issubclass(backend, OAuthAuth):
-                    url = backend(social_strategy).authorization_url()
-                if url:
+                    urls = [backend(social_strategy).authorization_url()]
+
+                # Handle SAML redirect flow
+                if issubclass(backend, SAMLAuth):
+                    saml_auth = backend(social_strategy)
+                    urls = [
+                        saml_auth.get_idp(idp_name).sso_url
+                        for idp_name in getattr(
+                            settings, "SOCIAL_AUTH_SAML_ENABLED_IDPS", {}
+                        )
+                    ]
+
+                for url in urls:
                     self.add_csp_host(url, "form-action")