Commit 8faa5d20 authored by GitLab Release Tools Bot's avatar GitLab Release Tools Bot

Merge branch 'security-add-presence-validation-oauth-apps' into 'master'

Add scopes presence validation to OAuth Application creation

See merge request gitlab-org/security/gitlab!895
parents d37d469e fba26a2f
...@@ -11,7 +11,16 @@ module Applications ...@@ -11,7 +11,16 @@ module Applications
# EE would override and use `request` arg # EE would override and use `request` arg
def execute(request) def execute(request)
Doorkeeper::Application.create(params) @application = Doorkeeper::Application.new(params)
unless params[:scopes].present?
@application.errors.add(:base, _("Scopes can't be blank"))
return @application
end
@application.save
@application
end end
end end
end end
......
---
title: Add scope presence validation to OAuth Application creation
merge_request:
author:
type: security
...@@ -40,7 +40,7 @@ RSpec.describe Admin::ApplicationsController do ...@@ -40,7 +40,7 @@ RSpec.describe Admin::ApplicationsController do
describe 'POST #create' do describe 'POST #create' do
it 'creates the application' do it 'creates the application' do
create_params = attributes_for(:application, trusted: true, confidential: false) create_params = attributes_for(:application, trusted: true, confidential: false, scopes: ['api'])
expect do expect do
post :create, params: { doorkeeper_application: create_params } post :create, params: { doorkeeper_application: create_params }
...@@ -63,7 +63,7 @@ RSpec.describe Admin::ApplicationsController do ...@@ -63,7 +63,7 @@ RSpec.describe Admin::ApplicationsController do
context 'when the params are for a confidential application' do context 'when the params are for a confidential application' do
it 'creates a confidential application' do it 'creates a confidential application' do
create_params = attributes_for(:application, confidential: true) create_params = attributes_for(:application, confidential: true, scopes: ['read_user'])
expect do expect do
post :create, params: { doorkeeper_application: create_params } post :create, params: { doorkeeper_application: create_params }
...@@ -75,6 +75,18 @@ RSpec.describe Admin::ApplicationsController do ...@@ -75,6 +75,18 @@ RSpec.describe Admin::ApplicationsController do
expect(application).to have_attributes(create_params.except(:uid, :owner_type)) expect(application).to have_attributes(create_params.except(:uid, :owner_type))
end end
end end
context 'when scopes are not present' do
it 'renders the application form on errors' do
create_params = attributes_for(:application, trusted: true, confidential: false)
expect do
post :create, params: { doorkeeper_application: create_params }
end.not_to change { Doorkeeper::Application.count }
expect(response).to render_template :new
end
end
end end
describe 'PATCH #update' do describe 'PATCH #update' do
......
...@@ -123,7 +123,8 @@ RSpec.describe Oauth::ApplicationsController do ...@@ -123,7 +123,8 @@ RSpec.describe Oauth::ApplicationsController do
invalid_uri_params = { invalid_uri_params = {
doorkeeper_application: { doorkeeper_application: {
name: 'foo', name: 'foo',
redirect_uri: 'javascript://alert()' redirect_uri: 'javascript://alert()',
scopes: ['api']
} }
} }
...@@ -133,6 +134,23 @@ RSpec.describe Oauth::ApplicationsController do ...@@ -133,6 +134,23 @@ RSpec.describe Oauth::ApplicationsController do
end end
end end
context 'when scopes are not present' do
render_views
it 'shows an error for blank scopes' do
invalid_uri_params = {
doorkeeper_application: {
name: 'foo',
redirect_uri: 'http://example.org'
}
}
post :create, params: invalid_uri_params
expect(response.body).to include 'Scopes can't be blank'
end
end
it_behaves_like 'redirects to login page when the user is not signed in' it_behaves_like 'redirects to login page when the user is not signed in'
it_behaves_like 'redirects to 2fa setup page when the user requires it' it_behaves_like 'redirects to 2fa setup page when the user requires it'
end end
...@@ -172,7 +190,8 @@ RSpec.describe Oauth::ApplicationsController do ...@@ -172,7 +190,8 @@ RSpec.describe Oauth::ApplicationsController do
{ {
doorkeeper_application: { doorkeeper_application: {
name: 'foo', name: 'foo',
redirect_uri: 'http://example.org' redirect_uri: 'http://example.org',
scopes: ['api']
} }
} }
end end
......
...@@ -7,7 +7,7 @@ RSpec.describe 'admin manage applications' do ...@@ -7,7 +7,7 @@ RSpec.describe 'admin manage applications' do
sign_in(create(:admin)) sign_in(create(:admin))
end end
it do it 'creates new oauth application' do
visit admin_applications_path visit admin_applications_path
click_on 'New application' click_on 'New application'
...@@ -16,6 +16,7 @@ RSpec.describe 'admin manage applications' do ...@@ -16,6 +16,7 @@ RSpec.describe 'admin manage applications' do
fill_in :doorkeeper_application_name, with: 'test' fill_in :doorkeeper_application_name, with: 'test'
fill_in :doorkeeper_application_redirect_uri, with: 'https://test.com' fill_in :doorkeeper_application_redirect_uri, with: 'https://test.com'
check :doorkeeper_application_trusted check :doorkeeper_application_trusted
check :doorkeeper_application_scopes_read_user
click_on 'Submit' click_on 'Submit'
expect(page).to have_content('Application: test') expect(page).to have_content('Application: test')
expect(page).to have_content('Application ID') expect(page).to have_content('Application ID')
...@@ -43,4 +44,19 @@ RSpec.describe 'admin manage applications' do ...@@ -43,4 +44,19 @@ RSpec.describe 'admin manage applications' do
end end
expect(page.find('.oauth-applications')).not_to have_content('test_changed') expect(page.find('.oauth-applications')).not_to have_content('test_changed')
end end
context 'when scopes are blank' do
it 'returns an error' do
visit admin_applications_path
click_on 'New application'
expect(page).to have_content('New application')
fill_in :doorkeeper_application_name, with: 'test'
fill_in :doorkeeper_application_redirect_uri, with: 'https://test.com'
click_on 'Submit'
expect(page).to have_content("Scopes can't be blank")
end
end
end end
...@@ -15,6 +15,7 @@ RSpec.describe 'User manages applications' do ...@@ -15,6 +15,7 @@ RSpec.describe 'User manages applications' do
fill_in :doorkeeper_application_name, with: 'test' fill_in :doorkeeper_application_name, with: 'test'
fill_in :doorkeeper_application_redirect_uri, with: 'https://test.com' fill_in :doorkeeper_application_redirect_uri, with: 'https://test.com'
check :doorkeeper_application_scopes_read_user
click_on 'Save application' click_on 'Save application'
expect(page).to have_content 'Application: test' expect(page).to have_content 'Application: test'
...@@ -41,4 +42,16 @@ RSpec.describe 'User manages applications' do ...@@ -41,4 +42,16 @@ RSpec.describe 'User manages applications' do
end end
expect(page.find('.oauth-applications')).not_to have_content 'test_changed' expect(page.find('.oauth-applications')).not_to have_content 'test_changed'
end end
context 'when scopes are blank' do
it 'returns an error' do
expect(page).to have_content 'Add new application'
fill_in :doorkeeper_application_name, with: 'test'
fill_in :doorkeeper_application_redirect_uri, with: 'https://test.com'
click_on 'Save application'
expect(page).to have_content("Scopes can't be blank")
end
end
end end
...@@ -6,9 +6,24 @@ RSpec.describe ::Applications::CreateService do ...@@ -6,9 +6,24 @@ RSpec.describe ::Applications::CreateService do
include TestRequestHelpers include TestRequestHelpers
let(:user) { create(:user) } let(:user) { create(:user) }
let(:params) { attributes_for(:application) }
subject { described_class.new(user, params) } subject { described_class.new(user, params) }
context 'when scopes are present' do
let(:params) { attributes_for(:application, scopes: ['read_user']) }
it { expect { subject.execute(test_request) }.to change { Doorkeeper::Application.count }.by(1) } it { expect { subject.execute(test_request) }.to change { Doorkeeper::Application.count }.by(1) }
end
context 'when scopes are missing' do
let(:params) { attributes_for(:application) }
it { expect { subject.execute(test_request) }.not_to change { Doorkeeper::Application.count } }
it 'includes blank scopes error message' do
application = subject.execute(test_request)
expect(application.errors.full_messages).to include "Scopes can't be blank"
end
end
end end
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment