Merge branch 'fj-46278-apply-doorkeeper-scope-patch' into 'master'

Fix OAuth application authorization screen to appear with every access

See merge request gitlab-org/gitlab-ce!20216

changelogs/unreleased/fj-46278-apply-doorkeeper-scope-patch.yml

+---
+title: Fix OAuth Application Authorization screen to appear with each access
+merge_request: 20216
+author:
+type: fixed

config/initializers/doorkeeper.rb

@@ -106,3 +106,53 @@ Doorkeeper.configure do
 
   base_controller '::Gitlab::BaseDoorkeeperController'
 end
+
+# Monkey patch to avoid creating new applications if the scope of the
+# app created does not match the complete list of scopes of the configured app.
+# It also prevents the OAuth authorize application window to appear every time.
+
+# Remove after we upgrade the doorkeeper gem from version 4.3.2
+if Doorkeeper.gem_version > Gem::Version.new('4.3.2')
+  raise "Doorkeeper was upgraded, please remove the monkey patch in #{__FILE__}"
+end
+
+module Doorkeeper
+  module AccessTokenMixin
+    module ClassMethods
+      def matching_token_for(application, resource_owner_or_id, scopes)
+        resource_owner_id =
+          if resource_owner_or_id.respond_to?(:to_key)
+            resource_owner_or_id.id
+          else
+            resource_owner_or_id
+          end
+
+        tokens = authorized_tokens_for(application.try(:id), resource_owner_id)
+        tokens.detect do |token|
+          scopes_match?(token.scopes, scopes, application.try(:scopes))
+        end
+      end
+
+      def scopes_match?(token_scopes, param_scopes, app_scopes)
+        return true if token_scopes.empty? && param_scopes.empty?
+
+        (token_scopes.sort == param_scopes.sort) &&
+          Doorkeeper::OAuth::Helpers::ScopeChecker.valid?(
+            param_scopes.to_s,
+            Doorkeeper.configuration.scopes,
+            app_scopes)
+      end
+
+      def authorized_tokens_for(application_id, resource_owner_id)
+        ordered_by(:created_at, :desc)
+          .where(application_id: application_id,
+                 resource_owner_id: resource_owner_id,
+                 revoked_at: nil)
+      end
+
+      def last_authorized_token_for(application_id, resource_owner_id)
+        authorized_tokens_for(application_id, resource_owner_id).first
+      end
+    end
+  end
+end

spec/controllers/oauth/authorizations_controller_spec.rb

@@ -2,19 +2,12 @@ require 'spec_helper'
 
 describe Oauth::AuthorizationsController do
   let(:user) { create(:user) }
-
-  let(:doorkeeper) do
-    Doorkeeper::Application.create(
-      name: "MyApp",
-      redirect_uri: 'http://example.com',
-      scopes: "")
-  end
-
+  let!(:application) { create(:oauth_application, scopes: 'api read_user', redirect_uri: 'http://example.com') }
   let(:params) do
     {
       response_type: "code",
-      client_id: doorkeeper.uid,
-      redirect_uri: doorkeeper.redirect_uri,
+      client_id: application.uid,
+      redirect_uri: application.redirect_uri,
       state: 'state'
     }
   end
@@ -44,7 +37,7 @@ describe Oauth::AuthorizationsController do
       end
 
       it 'deletes session.user_return_to and redirects when skip authorization' do
-        doorkeeper.update(trusted: true)
+        application.update(trusted: true)
         request.session['user_return_to'] = 'http://example.com'
 
         get :new, params
@@ -52,6 +45,25 @@ describe Oauth::AuthorizationsController do
         expect(request.session['user_return_to']).to be_nil
         expect(response).to have_gitlab_http_status(302)
       end
+
+      context 'when there is already an access token for the application' do
+        context 'when the request scope matches any of the created token scopes' do
+          before do
+            scopes = Doorkeeper::OAuth::Scopes.from_string('api')
+
+            allow(Doorkeeper.configuration).to receive(:scopes).and_return(scopes)
+
+            create :oauth_access_token, application: application, resource_owner_id: user.id, scopes: scopes
+          end
+
+          it 'authorizes the request and redirects' do
+            get :new, params
+
+            expect(request.session['user_return_to']).to be_nil
+            expect(response).to have_gitlab_http_status(302)
+          end
+        end
+      end
     end
   end
 end