Commit 786cbfa1 authored by Sean McGivern's avatar Sean McGivern

Merge branch 'fj-46278-apply-doorkeeper-scope-patch' into 'master'

Fix OAuth application authorization screen to appear with every access

See merge request gitlab-org/gitlab-ce!20216
parents 4c09fb32 7a0bb214
---
title: Fix OAuth Application Authorization screen to appear with each access
merge_request: 20216
author:
type: fixed
...@@ -106,3 +106,53 @@ Doorkeeper.configure do ...@@ -106,3 +106,53 @@ Doorkeeper.configure do
base_controller '::Gitlab::BaseDoorkeeperController' base_controller '::Gitlab::BaseDoorkeeperController'
end end
# Monkey patch to avoid creating new applications if the scope of the
# app created does not match the complete list of scopes of the configured app.
# It also prevents the OAuth authorize application window to appear every time.
# Remove after we upgrade the doorkeeper gem from version 4.3.2
if Doorkeeper.gem_version > Gem::Version.new('4.3.2')
raise "Doorkeeper was upgraded, please remove the monkey patch in #{__FILE__}"
end
module Doorkeeper
module AccessTokenMixin
module ClassMethods
def matching_token_for(application, resource_owner_or_id, scopes)
resource_owner_id =
if resource_owner_or_id.respond_to?(:to_key)
resource_owner_or_id.id
else
resource_owner_or_id
end
tokens = authorized_tokens_for(application.try(:id), resource_owner_id)
tokens.detect do |token|
scopes_match?(token.scopes, scopes, application.try(:scopes))
end
end
def scopes_match?(token_scopes, param_scopes, app_scopes)
return true if token_scopes.empty? && param_scopes.empty?
(token_scopes.sort == param_scopes.sort) &&
Doorkeeper::OAuth::Helpers::ScopeChecker.valid?(
param_scopes.to_s,
Doorkeeper.configuration.scopes,
app_scopes)
end
def authorized_tokens_for(application_id, resource_owner_id)
ordered_by(:created_at, :desc)
.where(application_id: application_id,
resource_owner_id: resource_owner_id,
revoked_at: nil)
end
def last_authorized_token_for(application_id, resource_owner_id)
authorized_tokens_for(application_id, resource_owner_id).first
end
end
end
end
...@@ -2,19 +2,12 @@ require 'spec_helper' ...@@ -2,19 +2,12 @@ require 'spec_helper'
describe Oauth::AuthorizationsController do describe Oauth::AuthorizationsController do
let(:user) { create(:user) } let(:user) { create(:user) }
let!(:application) { create(:oauth_application, scopes: 'api read_user', redirect_uri: 'http://example.com') }
let(:doorkeeper) do
Doorkeeper::Application.create(
name: "MyApp",
redirect_uri: 'http://example.com',
scopes: "")
end
let(:params) do let(:params) do
{ {
response_type: "code", response_type: "code",
client_id: doorkeeper.uid, client_id: application.uid,
redirect_uri: doorkeeper.redirect_uri, redirect_uri: application.redirect_uri,
state: 'state' state: 'state'
} }
end end
...@@ -44,7 +37,7 @@ describe Oauth::AuthorizationsController do ...@@ -44,7 +37,7 @@ describe Oauth::AuthorizationsController do
end end
it 'deletes session.user_return_to and redirects when skip authorization' do it 'deletes session.user_return_to and redirects when skip authorization' do
doorkeeper.update(trusted: true) application.update(trusted: true)
request.session['user_return_to'] = 'http://example.com' request.session['user_return_to'] = 'http://example.com'
get :new, params get :new, params
...@@ -52,6 +45,25 @@ describe Oauth::AuthorizationsController do ...@@ -52,6 +45,25 @@ describe Oauth::AuthorizationsController do
expect(request.session['user_return_to']).to be_nil expect(request.session['user_return_to']).to be_nil
expect(response).to have_gitlab_http_status(302) expect(response).to have_gitlab_http_status(302)
end end
context 'when there is already an access token for the application' do
context 'when the request scope matches any of the created token scopes' do
before do
scopes = Doorkeeper::OAuth::Scopes.from_string('api')
allow(Doorkeeper.configuration).to receive(:scopes).and_return(scopes)
create :oauth_access_token, application: application, resource_owner_id: user.id, scopes: scopes
end
it 'authorizes the request and redirects' do
get :new, params
expect(request.session['user_return_to']).to be_nil
expect(response).to have_gitlab_http_status(302)
end
end
end
end end
end end
end end
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment