doorkeeper-sequel 2.0.0 → 2.1.0

data/lib/doorkeeper-sequel/mixins/application_mixin.rb

@@ -1,4 +1,6 @@
-require_relative '../validators/redirect_uri_validator'
+# frozen_string_literal: true
+
+require_relative "../validators/redirect_uri_validator"
 
 module DoorkeeperSequel
   module ApplicationMixin
@@ -7,6 +9,7 @@ module DoorkeeperSequel
     include SequelCompat
     include Doorkeeper::OAuth::Helpers
     include Doorkeeper::Models::Scopes
+    include Doorkeeper::Models::SecretStorable
     include DoorkeeperSequel::RedirectUriValidator
 
     included do
@@ -14,22 +17,24 @@ module DoorkeeperSequel
       plugin :timestamps
       plugin :association_dependencies
 
-      one_to_many :access_grants, class: 'Doorkeeper::AccessGrant'
-      one_to_many :access_tokens, class: 'Doorkeeper::AccessToken'
+      one_to_many :access_grants, class: "Doorkeeper::AccessGrant"
+      one_to_many :access_tokens, class: "Doorkeeper::AccessToken"
 
       add_association_dependencies access_grants: :delete, access_tokens: :delete
 
       set_allowed_columns :name, :redirect_uri, :scopes, :confidential
 
       def before_validation
-        generate_uid
-        generate_secret
+        if new?
+          generate_uid
+          generate_secret
+        end
         super
       end
 
       def validate
         super
-        validates_presence [:name, :secret, :uid]
+        validates_presence %i[name secret uid]
         validates_unique [:uid]
         validates_redirect_uri :redirect_uri
         validates_includes [true, false], :confidential, allow_missing: true
@@ -41,13 +46,20 @@ module DoorkeeperSequel
         end
       end
 
+      # In some cases, Doorkeeper used as a proxy app. In this case database does not have any fields.
+      # Even table may not exists on source database.
+      # Aliasing this method throws NoMethod Error. Due to this we need to explicitly
+      # define confidential? here.
+      def confidential?
+        confidential.present? && !!confidential
+      end
+
       protected
 
       def validate_scopes_match_configured
-        if scopes.present? &&
-           !Doorkeeper::OAuth::Helpers::ScopeChecker.valid?(scopes.to_s, Doorkeeper.configuration.scopes)
-
-          scope = 'sequel.errors.models.doorkeeper/application.attributes.scopes'
+        if scopes.present? && !Doorkeeper::OAuth::Helpers::ScopeChecker.valid?(scope_str: scopes.to_s,
+                                                                               server_scopes: Doorkeeper.configuration.scopes)
+          scope = "sequel.errors.models.doorkeeper/application.attributes.scopes"
           errors.add(:scopes, I18n.t(:not_match_configured, scope: scope))
         end
       end
@@ -62,7 +74,8 @@ module DoorkeeperSequel
         app = by_uid(uid)
         return unless app
         return app if secret.blank? && !app.confidential?
-        return unless app.secret == secret
+        return unless app.secret_matches?(secret)
+
         app
       end
 
@@ -70,33 +83,44 @@ module DoorkeeperSequel
         first(uid: uid.to_s)
       end
 
-      def supports_confidentiality?
-        column_names.include?('confidential')
+      def find_by(params)
+        first(params)
       end
 
       def column_names
         columns.map(&:to_s)
       end
+
+      def secret_strategy
+        ::Doorkeeper.configuration.application_secret_strategy
+      end
+
+      def fallback_secret_strategy
+        ::Doorkeeper.configuration.application_secret_fallback_strategy
+      end
     end
 
-    # Fallback to existing, default behaviour of assuming all apps to be
-    # confidential if the migration hasn't been run
-    def confidential
-      return super if self.class.supports_confidentiality?
+    def secret_matches?(input)
+      # return false if either is nil, since secure_compare depends on strings
+      # but Application secrets MAY be nil depending on confidentiality.
+      return false if input.nil? || secret.nil?
 
-      ActiveSupport::Deprecation.warn 'You are susceptible to security bug ' \
-        'CVE-2018-1000211. Please follow instructions outlined in ' \
-        'Doorkeeper::CVE_2018_1000211_WARNING'
+      # When matching the secret by comparer function, all is well.
+      return true if secret_strategy.secret_matches?(input, secret)
 
-      true
+      # When fallback lookup is enabled, ensure applications
+      # with plain secrets can still be found
+      if fallback_secret_strategy
+        fallback_secret_strategy.secret_matches?(input, secret)
+      else
+        false
+      end
     end
 
-    alias_method :confidential?, :confidential
-
     private
 
     def has_scopes?
-      Doorkeeper::Application.columns.include?('scopes')
+      Doorkeeper::Application.columns.include?("scopes")
     end
 
     def generate_uid
@@ -104,7 +128,10 @@ module DoorkeeperSequel
     end
 
     def generate_secret
-      self.secret = UniqueToken.generate if secret.blank? && new?
+      return unless secret.blank?
+
+      @raw_secret = UniqueToken.generate
+      secret_strategy.store_secret(self, :secret, @raw_secret)
     end
   end
 end

data/lib/doorkeeper-sequel/mixins/concerns/ownership.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module DoorkeeperSequel
   module Ownership
     extend ActiveSupport::Concern

data/lib/doorkeeper-sequel/mixins/concerns/sequel_compat.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module DoorkeeperSequel
   module SequelCompat
     extend ActiveSupport::Concern
@@ -8,9 +10,7 @@ module DoorkeeperSequel
       plugin :active_model
 
       # Sequel 4.47 and higher deprecated #set_allowed_columns
-      if (::Sequel::MAJOR >= 4 && ::Sequel::MINOR >= 47) || ::Sequel::MAJOR >= 5
-        plugin :whitelist_security
-      end
+      plugin :whitelist_security if (::Sequel::MAJOR >= 4 && ::Sequel::MINOR >= 47) || ::Sequel::MAJOR >= 5
 
       self.raise_on_save_failure = false
 
@@ -19,6 +19,8 @@ module DoorkeeperSequel
         save(columns: [column.to_sym], validate: false)
       end
 
+      alias_method :update_column, :update_attribute
+
       def update_attributes(*args)
         update(*args)
       end
@@ -36,7 +38,7 @@ module DoorkeeperSequel
       end
 
       def exists?
-        !self.empty?
+        !empty?
       end
 
       alias_method :exist?, :exists?

data/lib/doorkeeper-sequel/railtie.rb

@@ -1,7 +1,9 @@
+# frozen_string_literal: true
+
 module DoorkeeperSequel
   class Railtie < ::Rails::Railtie
     rake_tasks do
-      load File.expand_path('../tasks/doorkeeper-sequel.rake', __FILE__)
+      load File.expand_path("tasks/doorkeeper-sequel.rake", __dir__)
     end
   end
 end

data/lib/doorkeeper-sequel/tasks/doorkeeper-sequel.rake

@@ -1,26 +1,28 @@
+# frozen_string_literal: true
+
 namespace :doorkeeper_sequel do
   namespace :generate do
-    desc 'Generate main migration file'
+    desc "Generate main migration file"
     task :migration do
       DoorkeeperSequel::MigrationGenerator.start
     end
 
-    desc 'Generate migration file for Application Owner functionality'
+    desc "Generate migration file for Application Owner functionality"
     task :application_owner do
       DoorkeeperSequel::ApplicationOwnerGenerator.start
     end
 
-    desc 'Generate migration file for Previous Refresh Token functionality'
+    desc "Generate migration file for Previous Refresh Token functionality"
     task :previous_refresh_token do
       DoorkeeperSequel::PreviousRefreshTokenGenerator.start
     end
 
-    desc 'Generate migration file for PKCE'
+    desc "Generate migration file for PKCE"
     task :pkce do
       DoorkeeperSequel::PkceGenerator.start
     end
 
-    desc 'Add confidential column to Doorkeeper applications'
+    desc "Add confidential column to Doorkeeper applications"
     task :confidential_applications do
       DoorkeeperSequel::ConfidentialApplicationsGenerator.start
     end

data/lib/doorkeeper-sequel/validators/redirect_uri_validator.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module DoorkeeperSequel
   module RedirectUriValidator
     extend ActiveSupport::Concern
@@ -6,12 +8,18 @@ module DoorkeeperSequel
       def validates_redirect_uri(attribute)
         value = self[attribute]
 
+        # Allow nil? but do not allow empty string
         if value.blank?
-          add_error(attribute, :blank)
+          if Doorkeeper.configuration.allow_blank_redirect_uri?(self)
+            true
+          else
+            add_error(attribute, :blank)
+          end
         else
           value.split.each do |val|
+            next if oob_redirect_uri?(val)
+
             uri = ::URI.parse(val)
-            next if native_redirect_uri?(uri)
             validate_uri(uri, attribute)
           end
         end
@@ -21,6 +29,10 @@ module DoorkeeperSequel
 
       private
 
+      def oob_redirect_uri?(uri)
+        ::Doorkeeper::OAuth::NonStandard::IETF_WG_OAUTH2_OOB_METHODS.include?(uri)
+      end
+
       def native_redirect_uri?(uri)
         native_redirect_uri.present? && uri.to_s == native_redirect_uri.to_s
       end
@@ -33,17 +45,28 @@ module DoorkeeperSequel
       def validate_uri(uri, attribute)
         {
           fragment_present: uri.fragment.present?,
-          relative_uri: uri.scheme.nil? || uri.host.nil?,
           secured_uri: invalid_ssl_uri?(uri),
-          forbidden_uri: forbidden_uri?(uri)
+          forbidden_uri: forbidden_uri?(uri),
+          unspecified_scheme: unspecified_scheme?(uri),
+          relative_uri: relative_uri?(uri),
         }.each do |error, condition|
           add_error(attribute, error) if condition
         end
       end
 
+      def unspecified_scheme?(uri)
+        return true if uri.opaque.present?
+
+        %w[localhost].include?(uri.try(:scheme))
+      end
+
+      def relative_uri?(uri)
+        uri.scheme.nil? && uri.host.nil?
+      end
+
       def invalid_ssl_uri?(uri)
         forces_ssl = Doorkeeper.configuration.force_ssl_in_redirect_uri
-        non_https = uri.try(:scheme) == 'http'
+        non_https = uri.try(:scheme) == "http"
 
         if forces_ssl.respond_to?(:call)
           forces_ssl.call(uri) && non_https
@@ -57,7 +80,7 @@ module DoorkeeperSequel
       end
 
       def add_error(attribute, error)
-        scope = 'sequel.errors.models.doorkeeper/application.attributes.redirect_uri'
+        scope = "sequel.errors.models.doorkeeper/application.attributes.redirect_uri"
         errors.add(attribute, I18n.t(error, scope: scope))
       end
     end

data/lib/doorkeeper-sequel/version.rb

@@ -1,4 +1,6 @@
-require_relative 'gem_version'
+# frozen_string_literal: true
+
+require_relative "gem_version"
 
 module DoorkeeperSequel
   def self.version

data/lib/doorkeeper/orm/sequel.rb

@@ -1,4 +1,6 @@
-require 'doorkeeper/orm/sequel/stale_records_cleaner'
+# frozen_string_literal: true
+
+require "doorkeeper/orm/sequel/stale_records_cleaner"
 
 module Doorkeeper
   module Orm
@@ -9,18 +11,20 @@ module Doorkeeper
         # all the rake tasks (db:create, db:migrate, etc) would be aborted due to error.
         old_value = ::Sequel::Model.require_valid_table
         ::Sequel::Model.require_valid_table = false
+        ::Sequel::Model.strict_param_setting = false
+        ::Sequel::Model.plugin :json_serializer
 
         begin
-          require 'doorkeeper/orm/sequel/access_grant'
-          require 'doorkeeper/orm/sequel/access_token'
-          require 'doorkeeper/orm/sequel/application'
+          require "doorkeeper/orm/sequel/access_grant"
+          require "doorkeeper/orm/sequel/access_token"
+          require "doorkeeper/orm/sequel/application"
         ensure
           ::Sequel::Model.require_valid_table = old_value
         end
       end
 
       def self.initialize_application_owner!
-        require 'doorkeeper-sequel/mixins/concerns/ownership'
+        require "doorkeeper-sequel/mixins/concerns/ownership"
 
         Doorkeeper::Application.send :include, DoorkeeperSequel::Ownership
       end

data/lib/doorkeeper/orm/sequel/access_grant.rb

@@ -1,5 +1,23 @@
+# frozen_string_literal: true
+
 module Doorkeeper
   class AccessGrant < Sequel::Model(:oauth_access_grants)
     include DoorkeeperSequel::AccessGrantMixin
+
+    def plaintext_token
+      if secret_strategy.allows_restoring_secrets?
+        secret_strategy.restore_secret(self, :token)
+      else
+        @raw_token
+      end
+    end
+
+    def uses_pkce?
+      pkce_supported? && code_challenge.present?
+    end
+
+    def pkce_supported?
+      respond_to?(:code_challenge)
+    end
   end
 end

data/lib/doorkeeper/orm/sequel/access_token.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module Doorkeeper
   class AccessToken < Sequel::Model(:oauth_access_tokens)
     include DoorkeeperSequel::AccessTokenMixin

data/lib/doorkeeper/orm/sequel/application.rb

@@ -1,15 +1,38 @@
+# frozen_string_literal: true
+
 module Doorkeeper
   class Application < Sequel::Model(:oauth_applications)
     include DoorkeeperSequel::ApplicationMixin
 
-    one_to_many :authorized_tokens, class: 'Doorkeeper::AccessToken', conditions: { revoked_at: nil }
-    many_to_many :authorized_applications, join_table: :oauth_access_tokens,
-                                           class: self, left_key: :id, right_key: :application_id
+    one_to_many :authorized_tokens,
+                class: "Doorkeeper::AccessToken",
+                conditions: { revoked_at: nil }
+
+    many_to_many :authorized_applications,
+                 join_table: :oauth_access_tokens,
+                 class: self,
+                 left_key: :id,
+                 right_key: :application_id
 
     def redirect_uri=(uris)
       super(uris.is_a?(Array) ? uris.join("\n") : uris)
     end
 
+    def plaintext_secret
+      if secret_strategy.allows_restoring_secrets?
+        secret_strategy.restore_secret(self, :secret)
+      else
+        @raw_secret
+      end
+    end
+
+    def to_json(options = nil)
+      hash = to_hash.dup
+      hash.delete(:secret)
+      hash.merge(secret: plaintext_secret)
+        .to_json(options)
+    end
+
     def self.authorized_for(resource_owner)
       resource_access_tokens = AccessToken.active_for(resource_owner)
       where(id: resource_access_tokens.select_map(:application_id)).all

data/lib/doorkeeper/redirect_uri_validator.rb

@@ -0,0 +1,9 @@
+# frozen_string_literal: true
+
+require "doorkeeper-sequel/validators/redirect_uri_validator"
+
+module Doorkeeper
+  module RedirectUriValidator
+    extend DoorkeeperSequel::RedirectUriValidator
+  end
+end

data/spec/stubs/spec_helper_integration.rb

@@ -1,17 +1,17 @@
-ENV['RAILS_ENV'] ||= 'test'
+ENV["RAILS_ENV"] ||= "test"
 
 DOORKEEPER_ORM = :sequel
 
 $LOAD_PATH.unshift File.dirname(__FILE__)
 
-require 'capybara/rspec'
-require 'dummy/config/environment'
-require 'rspec/rails'
-require 'generator_spec/test_case'
+require "capybara/rspec"
+require "dummy/config/environment"
+require "rspec/rails"
+require "generator_spec/test_case"
 
 # Load JRuby SQLite3 if in that platform
 begin
-  require 'jdbc/sqlite3'
+  require "jdbc/sqlite3"
   Jdbc::SQLite3.load_driver
 rescue LoadError
 end
@@ -22,7 +22,7 @@ Rails.logger.info "====> Ruby version: #{RUBY_VERSION}"
 
 require "support/orm/#{DOORKEEPER_ORM}"
 
-ENGINE_RAILS_ROOT = File.join(File.dirname(__FILE__), '../')
+ENGINE_RAILS_ROOT = File.join(File.dirname(__FILE__), "../")
 
 Dir["#{File.dirname(__FILE__)}/support/{dependencies,helpers,shared}/*.rb"].each { |f| require f }
 
@@ -45,5 +45,5 @@ RSpec.configure do |config|
     DB.transaction(rollback: :always, auto_savepoint: true) { example.run }
   end
 
-  config.order = 'random'
+  config.order = "random"
 end