doorkeeper-sequel 1.4.0 → 1.5.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 5180553fee8bec58a28e43b6c0f7640710f3361a
-  data.tar.gz: 29edb05d561f410d413528b11d0e4ffd98def9e3
+  metadata.gz: 553728671816109cbf8e780da862de70222768b0
+  data.tar.gz: c241ff98bec1bef3de150659beebcc4b73853ad4
 SHA512:
-  metadata.gz: 55f0fb88ffa48a2deadf38515930893f44ba79da1518ae0d9a8f33a4497c19373fe722315a4c58514ac2f7ac6c43312016183cdc9890a72d0d0594433ded4c5b
-  data.tar.gz: 224719b1699ac988ba11841dace04acd0f9dd5cce79bb9f7798dedf5f07951e41693300225580b787214b6047c3a38a96e33286d2c7d00dde47c94757d2cc159
+  metadata.gz: d98ed140d5c131fbfc3d1967199c1a664baf9e6f2d2e398415fe52ad3e316c599f524bf6f058d9bbdd85c3f11cc17544a3eef7f78f41c39a63b86c8bb47c1225
+  data.tar.gz: 9fb3f5c993b40d5ef0a85dfe6ffbbd5b806ed74c5f3adaeb51429c8fbbe0f78a6f01c6de0de7f2633fe88ab00f260d595a1567d41a777547a4f3952924fdacdb

data/.gitmodules

@@ -1,3 +1,4 @@
 [submodule "doorkeeper"]
 	path = doorkeeper
 	url = https://github.com/doorkeeper-gem/doorkeeper.git
+    branch = 4.4.0

data/CHANGELOG.md

@@ -6,6 +6,12 @@ Reverse Chronological Order:
 
 https://github.com/nbulaj/doorkeeper-sequel/compare/1.3.2...master
 
+## `1.5.0` (2018-10-03)
+
+https://github.com/nbulaj/doorkeeper-sequel/compare/1.5.0...1.4.0
+
+* Support Doorkeeper >= 4.2.7 && < 5.0.0
+
 ## `1.4.0` (2018-02-08)
 
 https://github.com/nbulaj/doorkeeper-sequel/compare/1.3.1...1.4.0

data/README.md

@@ -1,7 +1,6 @@
 # Doorkeeper Sequel ORM extension
-[![GitHub release](https://img.shields.io/github/release/nbulaj/doorkeeper-sequel.svg?maxAge=259200)](https://github.com/nbulaj/doorkeeper-sequel/releases)
+[![Gem Version](https://badge.fury.io/rb/doorkeeper-sequel.svg)](https://rubygems.org/gems/doorkeeper-sequel)
 [![Build Status](https://travis-ci.org/nbulaj/doorkeeper-sequel.svg?branch=master)](https://travis-ci.org/nbulaj/doorkeeper-sequel)
-[![Dependency Status](https://gemnasium.com/nbulaj/doorkeeper-sequel.svg)](https://gemnasium.com/nbulaj/doorkeeper-sequel)
 [![Code Climate](https://codeclimate.com/github/nbulaj/doorkeeper-sequel/badges/gpa.svg)](https://codeclimate.com/github/nbulaj/doorkeeper-sequel)
 [![License](http://img.shields.io/badge/license-MIT-brightgreen.svg)](#license)
 
@@ -18,7 +17,8 @@
 To start using the Doorkeeper Sequel ORM, add to your Gemfile:
 
 ``` ruby
-gem 'doorkeeper-sequel', '~> 1.3'
+gem 'doorkeeper', '~> 4.0'
+gem 'doorkeeper-sequel', '~> 1.4'
 ```
 
 Or you can use git `master` branch for the latest gem version:
@@ -41,6 +41,7 @@ Generate migrations:
 rake doorkeeper_sequel:generate:migration
 rake doorkeeper_sequel:generate:application_owner
 rake doorkeeper_sequel:generate:previous_refresh_token
+rake doorkeeper_sequel:generate:confidential_applications # for Doorkeeper >= 4.4
 ```
 
 ## Tests

data/Rakefile

@@ -32,6 +32,7 @@ class ExtensionIntegrator
       FileUtils.cp_r('spec/stubs/support/sequel.rb', 'spec/support/orm/sequel.rb')
       FileUtils.rm('spec/dummy/config/initializers/active_record_belongs_to_required_by_default.rb', force: true)
       FileUtils.rm('spec/dummy/config/initializers/new_framework_defaults.rb', force: true)
+      FileUtils.rm('spec/models/doorkeeper/base_record_spec.rb', force: true)
       # Remove generators specs because we are using our own
       FileUtils.rm(Dir.glob('spec/generators/*.rb'))
     end

data/config/locales/en.yml

@@ -14,3 +14,4 @@ en:
               invalid_uri: 'must be a valid URI.'
               relative_uri: 'must be an absolute URI.'
               secured_uri: 'must be an HTTPS/SSL URI.'
+              forbidden_uri: 'is forbidden by the server.'

data/doorkeeper-sequel.gemspec

@@ -6,7 +6,6 @@ Gem::Specification.new do |gem|
   gem.name        = 'doorkeeper-sequel'
   gem.version     = DoorkeeperSequel.gem_version
   gem.authors     = ['Nikita Bulai']
-  gem.date        = '2018-02-08'
   gem.email       = ['bulajnikita@gmail.com']
   gem.homepage    = 'http://github.com/nbulaj/doorkeeper-sequel'
   gem.summary     = 'Doorkeeper Sequel ORM'
@@ -21,7 +20,7 @@ Gem::Specification.new do |gem|
 
   gem.required_ruby_version = '>= 2.0.0'
 
-  gem.add_runtime_dependency 'doorkeeper', '~> 4.0', '>= 4.0.0'
+  gem.add_runtime_dependency 'doorkeeper', '>= 4.2.6', '< 5.0'
   gem.add_runtime_dependency 'sequel', '>= 4.0.0', '< 6'
   gem.add_runtime_dependency 'sequel_polymorphic', '~> 0.2', '< 1.0'
   gem.add_runtime_dependency 'thor', '>= 0.18', '< 6'

data/lib/doorkeeper-sequel.rb

@@ -1,17 +1,22 @@
 require 'doorkeeper-sequel/version'
 
 if defined?(::Rails)
-  require 'thor/group'
-
-  require 'doorkeeper-sequel/generators/concerns/migration_actions'
-  require 'doorkeeper-sequel/generators/application_owner_generator'
-  require 'doorkeeper-sequel/generators/migration_generator'
-  require 'doorkeeper-sequel/generators/previous_refresh_token_generator'
-
   require 'doorkeeper-sequel/railtie'
 end
 
 require 'doorkeeper'
+require 'thor/group'
+
+require 'doorkeeper-sequel/generators/concerns/migration_actions'
+require 'doorkeeper-sequel/generators/application_owner_generator'
+require 'doorkeeper-sequel/generators/migration_generator'
+require 'doorkeeper-sequel/generators/previous_refresh_token_generator'
+
+require 'doorkeeper-sequel/mixins/concerns/sequel_compat'
+require 'doorkeeper-sequel/mixins/access_token_mixin'
+require 'doorkeeper-sequel/mixins/access_grant_mixin'
+require 'doorkeeper-sequel/mixins/application_mixin'
+
 require 'doorkeeper/orm/sequel'
 
 module DoorkeeperSequel

data/lib/doorkeeper-sequel/gem_version.rb

@@ -5,7 +5,7 @@ module DoorkeeperSequel
 
   module VERSION
     MAJOR = 1
-    MINOR = 4
+    MINOR = 5
     TINY  = 0
 
     STRING = [MAJOR, MINOR, TINY].compact.join('.')

data/lib/doorkeeper-sequel/generators/confidential_applications_generator.rb

@@ -0,0 +1,14 @@
+module DoorkeeperSequel
+  class ConfidentialApplicationsGenerator < ::Thor::Group
+    include ::Thor::Actions
+    include MigrationActions
+
+    source_root File.expand_path('../templates', __FILE__)
+
+    desc 'Add confidential column to Doorkeeper applications.'
+
+    def install
+      create_migration 'add_confidential_to_application_migration'
+    end
+  end
+end

data/lib/doorkeeper-sequel/generators/templates/add_confidential_to_application_migration.rb

@@ -0,0 +1,7 @@
+Sequel.migration do
+  change do
+    alter_table(:oauth_applications) do
+      add_column :confidential, TrueClass, null: false, default: true
+    end
+  end
+end

data/lib/doorkeeper-sequel/generators/templates/create_doorkeeper_tables.rb

@@ -9,6 +9,7 @@ Sequel.migration do
 
       column :scopes, String, size: 255, null: false, default: ''
       column :redirect_uri, String
+      column :confidential, TrueClass, null: false, default: true
 
       column :created_at, DateTime
       column :updated_at, DateTime

data/lib/doorkeeper-sequel/mixins/access_grant_mixin.rb

@@ -0,0 +1,46 @@
+module DoorkeeperSequel
+  module AccessGrantMixin
+    extend ActiveSupport::Concern
+
+    include SequelCompat
+    include Doorkeeper::OAuth::Helpers
+    include Doorkeeper::Models::Expirable
+    include Doorkeeper::Models::Revocable
+    include Doorkeeper::Models::Accessible
+    include Doorkeeper::Models::Scopes
+
+    included do
+      plugin :validation_helpers
+      plugin :timestamps
+
+      many_to_one :application, class: 'Doorkeeper::Application'
+
+      set_allowed_columns :resource_owner_id, :application_id,
+                          :expires_in, :redirect_uri, :scopes
+
+      def before_validation
+        generate_token if new?
+        super
+      end
+
+      def validate
+        super
+        validates_presence [:resource_owner_id, :application_id,
+                            :token, :expires_in, :redirect_uri]
+        validates_unique [:token]
+      end
+    end
+
+    module ClassMethods
+      def by_token(token)
+        first(token: token.to_s)
+      end
+    end
+
+    private
+
+    def generate_token
+      self.token = UniqueToken.generate
+    end
+  end
+end

data/lib/doorkeeper-sequel/mixins/access_token_mixin.rb

@@ -0,0 +1,164 @@
+module DoorkeeperSequel
+  module AccessTokenMixin
+    extend ActiveSupport::Concern
+
+    include SequelCompat
+    include Doorkeeper::OAuth::Helpers
+    include Doorkeeper::Models::Expirable
+    include Doorkeeper::Models::Revocable
+    include Doorkeeper::Models::Accessible
+    include Doorkeeper::Models::Scopes
+
+    included do
+      plugin :validation_helpers
+      plugin :timestamps
+
+      many_to_one :application, class: 'Doorkeeper::Application'
+
+      attr_writer :use_refresh_token
+
+      set_allowed_columns :application_id, :resource_owner_id, :expires_in,
+                          :scopes, :use_refresh_token, :previous_refresh_token
+
+      def before_validation
+        if new?
+          generate_token
+          generate_refresh_token if use_refresh_token?
+        end
+
+        super
+      end
+
+      def validate
+        super
+        validates_presence [:token]
+        validates_unique [:token]
+
+        validates_unique [:refresh_token] if use_refresh_token?
+      end
+
+      def application_id?
+        application_id.present?
+      end
+    end
+
+    module ClassMethods
+      def by_token(token)
+        first(token: token.to_s)
+      end
+
+      def by_refresh_token(refresh_token)
+        first(refresh_token: refresh_token.to_s)
+      end
+
+      def revoke_all_for(application_id, resource_owner, clock = Time)
+        where(application_id: application_id,
+              resource_owner_id: resource_owner.id,
+              revoked_at: nil)
+          .update(revoked_at: clock.now.utc)
+      end
+
+      def matching_token_for(application, resource_owner_or_id, scopes)
+        resource_owner_id = if resource_owner_or_id.respond_to?(:to_key)
+                              resource_owner_or_id.id
+                            else
+                              resource_owner_or_id
+                            end
+        token = last_authorized_token_for(application.try(:id), resource_owner_id)
+        if token && scopes_match?(token.scopes, scopes, application.try(:scopes))
+          token
+        end
+      end
+
+      def scopes_match?(token_scopes, param_scopes, app_scopes)
+        (token_scopes.blank? && param_scopes.blank?) ||
+          Doorkeeper::OAuth::Helpers::ScopeChecker.match?(
+            token_scopes.to_s,
+            param_scopes,
+            app_scopes
+          )
+      end
+
+      def find_or_create_for(application, resource_owner_id, scopes, expires_in, use_refresh_token)
+        if Doorkeeper.configuration.reuse_access_token
+          access_token = matching_token_for(application, resource_owner_id, scopes)
+          return access_token if access_token && !access_token.expired?
+        end
+
+        create!(
+          application_id: application.try(:id),
+          resource_owner_id: resource_owner_id,
+          scopes: scopes.to_s,
+          expires_in: expires_in,
+          use_refresh_token: use_refresh_token
+        )
+      end
+
+      def last_authorized_token_for(application_id, resource_owner_id)
+        where(application_id: application_id,
+              resource_owner_id: resource_owner_id,
+              revoked_at: nil)
+          .send(order_method, created_at_desc)
+          .first
+      end
+    end
+
+    def token_type
+      'Bearer'
+    end
+
+    def use_refresh_token?
+      !!@use_refresh_token
+    end
+
+    def as_json(_options = {})
+      {
+        resource_owner_id: resource_owner_id,
+        scopes: scopes,
+        expires_in_seconds: expires_in_seconds,
+        application: { uid: application.try(:uid) },
+        created_at: created_at.to_i
+      }
+    end
+
+    # It indicates whether the tokens have the same credential
+    def same_credential?(access_token)
+      application_id == access_token.application_id &&
+        resource_owner_id == access_token.resource_owner_id
+    end
+
+    def acceptable?(scopes)
+      accessible? && includes_scope?(*scopes)
+    end
+
+    private
+
+    def generate_refresh_token
+      self[:refresh_token] = UniqueToken.generate
+    end
+
+    def generate_token
+      self[:created_at] ||= Time.now.utc
+
+      generator = token_generator
+      unless generator.respond_to?(:generate)
+        raise Doorkeeper::Errors::UnableToGenerateToken, "#{generator} does not respond to `.generate`."
+      end
+
+      self[:token] = generator.generate(
+        resource_owner_id: resource_owner_id,
+        scopes: scopes,
+        application: application,
+        expires_in: expires_in,
+        created_at: created_at
+      )
+    end
+
+    def token_generator
+      generator_name = Doorkeeper.configuration.access_token_generator
+      generator_name.constantize
+    rescue NameError
+      raise Doorkeeper::Errors::TokenGeneratorNotFound, "#{generator_name} not found"
+    end
+  end
+end

data/lib/doorkeeper-sequel/mixins/application_mixin.rb

@@ -0,0 +1,93 @@
+require_relative '../validators/redirect_uri_validator'
+
+module DoorkeeperSequel
+  module ApplicationMixin
+    extend ActiveSupport::Concern
+
+    include SequelCompat
+    include Doorkeeper::OAuth::Helpers
+    include Doorkeeper::Models::Scopes
+    include DoorkeeperSequel::RedirectUriValidator
+
+    included do
+      plugin :validation_helpers
+      plugin :timestamps
+      plugin :association_dependencies
+
+      one_to_many :access_grants, class: 'Doorkeeper::AccessGrant'
+      one_to_many :access_tokens, class: 'Doorkeeper::AccessToken'
+
+      add_association_dependencies access_grants: :delete, access_tokens: :delete
+
+      set_allowed_columns :name, :redirect_uri, :scopes, :confidential
+
+      def before_validation
+        generate_uid
+        generate_secret
+        super
+      end
+
+      def validate
+        super
+        validates_presence [:name, :secret, :uid]
+        validates_unique [:uid]
+        validates_redirect_uri :redirect_uri
+        validates_includes [true, false], :confidential, allow_missing: true
+
+        if respond_to?(:validate_owner?)
+          validates_presence [:owner_id] if validate_owner?
+        end
+      end
+    end
+
+    module ClassMethods
+      def by_uid_and_secret(uid, secret)
+        app = by_uid(uid)
+        return unless app
+        return app if secret.blank? && !app.confidential?
+        return unless app.secret == secret
+        app
+      end
+
+      def by_uid(uid)
+        first(uid: uid.to_s)
+      end
+
+      def supports_confidentiality?
+        column_names.include?('confidential')
+      end
+
+      def column_names
+        columns.map(&:to_s)
+      end
+    end
+
+    # Fallback to existing, default behaviour of assuming all apps to be
+    # confidential if the migration hasn't been run
+    def confidential
+      return super if self.class.supports_confidentiality?
+
+      ActiveSupport::Deprecation.warn 'You are susceptible to security bug ' \
+        'CVE-2018-1000211. Please follow instructions outlined in ' \
+        'Doorkeeper::CVE_2018_1000211_WARNING'
+
+      true
+    end
+
+    alias_method :confidential?, :confidential
+
+    private
+
+    def has_scopes?
+      Doorkeeper::Application.columns.include?('scopes')
+    end
+
+    def generate_uid
+      self.uid = UniqueToken.generate if uid.blank? && new?
+    end
+
+    def generate_secret
+      self.secret = UniqueToken.generate if secret.blank? && new?
+    end
+  end
+end