Merge branch 'security-add-presence-validation-oauth-apps' into 'master'

Add scopes presence validation to OAuth Application creation See merge request gitlab-org/security/gitlab!895

Merge branch 'security-add-presence-validation-oauth-apps' into 'master'
Add scopes presence validation to OAuth Application creation See merge request gitlab-org/security/gitlab!895
8faa5d20 · GitLab Release Tools Bot · d37d469e · fba26a2f · 8faa5d20 · 8faa5d20
Commit 8faa5d20 authored Sep 01, 2020 by GitLab Release Tools Bot
7 changed files
--- a/app/services/applications/create_service.rb
+++ b/app/services/applications/create_service.rb
@@ -11,7 +11,16 @@ module Applications

    # EE would override and use `request` arg
    def execute(request)
-      Doorkeeper::Application.create(params)
+      @application = Doorkeeper::Application.new(params)
+
+      unless params[:scopes].present?
+        @application.errors.add(:base, _("Scopes can't be blank"))
+
+        return @application
+      end
+
+      @application.save
+      @application
    end
  end
 end

--- a/changelogs/unreleased/security-add-presence-validation-oauth-apps.yml
+++ b/changelogs/unreleased/security-add-presence-validation-oauth-apps.yml
+---
+title: Add scope presence validation to OAuth Application creation
+merge_request:
+author:
+type: security
--- a/spec/controllers/admin/applications_controller_spec.rb
+++ b/spec/controllers/admin/applications_controller_spec.rb
@@ -40,7 +40,7 @@ RSpec.describe Admin::ApplicationsController do

  describe 'POST #create' do
    it 'creates the application' do
-      create_params = attributes_for(:application, trusted: true, confidential: false)
+      create_params = attributes_for(:application, trusted: true, confidential: false, scopes: ['api'])

      expect do
        post :create, params: { doorkeeper_application: create_params }
@@ -63,7 +63,7 @@ RSpec.describe Admin::ApplicationsController do

    context 'when the params are for a confidential application' do
      it 'creates a confidential application' do
-        create_params = attributes_for(:application, confidential: true)
+        create_params = attributes_for(:application, confidential: true, scopes: ['read_user'])

        expect do
          post :create, params: { doorkeeper_application: create_params }
@@ -75,6 +75,18 @@ RSpec.describe Admin::ApplicationsController do
        expect(application).to have_attributes(create_params.except(:uid, :owner_type))
      end
    end
+
+    context 'when scopes are not present' do
+      it 'renders the application form on errors' do
+        create_params = attributes_for(:application, trusted: true, confidential: false)
+
+        expect do
+          post :create, params: { doorkeeper_application: create_params }
+        end.not_to change { Doorkeeper::Application.count }
+
+        expect(response).to render_template :new
+      end
+    end
  end

  describe 'PATCH #update' do

--- a/spec/controllers/oauth/applications_controller_spec.rb
+++ b/spec/controllers/oauth/applications_controller_spec.rb
@@ -123,7 +123,8 @@ RSpec.describe Oauth::ApplicationsController do
          invalid_uri_params = {
            doorkeeper_application: {
              name: 'foo',
-              redirect_uri: 'javascript://alert()'
+              redirect_uri: 'javascript://alert()',
+              scopes: ['api']
            }
          }

@@ -133,6 +134,23 @@ RSpec.describe Oauth::ApplicationsController do
        end
      end

+      context 'when scopes are not present' do
+        render_views
+
+        it 'shows an error for blank scopes' do
+          invalid_uri_params = {
+            doorkeeper_application: {
+              name: 'foo',
+              redirect_uri: 'http://example.org'
+            }
+          }
+
+          post :create, params: invalid_uri_params
+
+          expect(response.body).to include 'Scopes can&#39;t be blank'
+        end
+      end
+
      it_behaves_like 'redirects to login page when the user is not signed in'
      it_behaves_like 'redirects to 2fa setup page when the user requires it'
    end
@@ -172,7 +190,8 @@ RSpec.describe Oauth::ApplicationsController do
    {
      doorkeeper_application: {
        name: 'foo',
-        redirect_uri: 'http://example.org'
+        redirect_uri: 'http://example.org',
+        scopes: ['api']
      }
    }
  end

--- a/spec/features/admin/admin_manage_applications_spec.rb
+++ b/spec/features/admin/admin_manage_applications_spec.rb
@@ -7,7 +7,7 @@ RSpec.describe 'admin manage applications' do
    sign_in(create(:admin))
  end

-  it do
+  it 'creates new oauth application' do
    visit admin_applications_path

    click_on 'New application'
@@ -16,6 +16,7 @@ RSpec.describe 'admin manage applications' do
    fill_in :doorkeeper_application_name, with: 'test'
    fill_in :doorkeeper_application_redirect_uri, with: 'https://test.com'
    check :doorkeeper_application_trusted
+    check :doorkeeper_application_scopes_read_user
    click_on 'Submit'
    expect(page).to have_content('Application: test')
    expect(page).to have_content('Application ID')
@@ -43,4 +44,19 @@ RSpec.describe 'admin manage applications' do
    end
    expect(page.find('.oauth-applications')).not_to have_content('test_changed')
  end
+
+  context 'when scopes are blank' do
+    it 'returns an error' do
+      visit admin_applications_path
+
+      click_on 'New application'
+      expect(page).to have_content('New application')
+
+      fill_in :doorkeeper_application_name, with: 'test'
+      fill_in :doorkeeper_application_redirect_uri, with: 'https://test.com'
+      click_on 'Submit'
+
+      expect(page).to have_content("Scopes can't be blank")
+    end
+  end
 end
--- a/spec/features/profiles/user_manages_applications_spec.rb
+++ b/spec/features/profiles/user_manages_applications_spec.rb
@@ -15,6 +15,7 @@ RSpec.describe 'User manages applications' do

    fill_in :doorkeeper_application_name,         with: 'test'
    fill_in :doorkeeper_application_redirect_uri, with: 'https://test.com'
+    check :doorkeeper_application_scopes_read_user
    click_on 'Save application'

    expect(page).to have_content 'Application: test'
@@ -41,4 +42,16 @@ RSpec.describe 'User manages applications' do
    end
    expect(page.find('.oauth-applications')).not_to have_content 'test_changed'
  end
+
+  context 'when scopes are blank' do
+    it 'returns an error' do
+      expect(page).to have_content 'Add new application'
+
+      fill_in :doorkeeper_application_name,         with: 'test'
+      fill_in :doorkeeper_application_redirect_uri, with: 'https://test.com'
+      click_on 'Save application'
+
+      expect(page).to have_content("Scopes can't be blank")
+    end
+  end
 end
--- a/spec/services/applications/create_service_spec.rb
+++ b/spec/services/applications/create_service_spec.rb
@@ -6,9 +6,24 @@ RSpec.describe ::Applications::CreateService do
  include TestRequestHelpers

  let(:user) { create(:user) }
-  let(:params) { attributes_for(:application) }

  subject { described_class.new(user, params) }

-  it { expect { subject.execute(test_request) }.to change { Doorkeeper::Application.count }.by(1) }
+  context 'when scopes are present' do
+    let(:params) { attributes_for(:application, scopes: ['read_user']) }
+
+    it { expect { subject.execute(test_request) }.to change { Doorkeeper::Application.count }.by(1) }
+  end
+
+  context 'when scopes are missing' do
+    let(:params) { attributes_for(:application) }
+
+    it { expect { subject.execute(test_request) }.not_to change { Doorkeeper::Application.count } }
+
+    it 'includes blank scopes error message' do
+      application = subject.execute(test_request)
+
+      expect(application.errors.full_messages).to include "Scopes can't be blank"
+    end
+  end
 end