doorkeeper 4.2.5 → 4.3.0

data/lib/generators/doorkeeper/templates/initializer.rb

@@ -60,13 +60,15 @@ Doorkeeper.configure do
   # Change the way client credentials are retrieved from the request object.
   # By default it retrieves first from the `HTTP_AUTHORIZATION` header, then
   # falls back to the `:client_id` and `:client_secret` params from the `params` object.
-  # Check out the wiki for more information on customization
+  # Check out https://github.com/doorkeeper-gem/doorkeeper/wiki/Changing-how-clients-are-authenticated
+  # for more information on customization
   # client_credentials :from_basic, :from_params
 
   # Change the way access token is authenticated from the request object.
   # By default it retrieves first from the `HTTP_AUTHORIZATION` header, then
   # falls back to the `:access_token` or `:bearer_token` params from the `params` object.
-  # Check out the wiki for more information on customization
+  # Check out https://github.com/doorkeeper-gem/doorkeeper/wiki/Changing-how-clients-are-authenticated
+  # for more information on customization
   # access_token_methods :from_bearer_authorization, :from_access_token_param, :from_bearer_param
 
   # Change the native redirect uri for client apps
@@ -80,7 +82,21 @@ Doorkeeper.configure do
   # by default in non-development environments). OAuth2 delegates security in
   # communication to the HTTPS protocol so it is wise to keep this enabled.
   #
+  # Callable objects such as proc, lambda, block or any object that responds to
+  # #call can be used in order to allow conditional checks (to allow non-SSL
+  # redirects to localhost for example).
+  #
   # force_ssl_in_redirect_uri !Rails.env.development?
+  #
+  # force_ssl_in_redirect_uri { |uri| uri.host != 'localhost' }
+
+  # Specify what redirect URI's you want to block during creation. Any redirect
+  # URI is whitelisted by default.
+  #
+  # You can use this option in order to forbid URI's with 'javascript' scheme
+  # for example.
+  #
+  # forbid_redirect_uri { |uri| uri.scheme.to_s.downcase == 'javascript' }
 
   # Specify what grant flows are enabled in array of Strings. The valid
   # strings and the flows they enable are:
@@ -98,7 +114,7 @@ Doorkeeper.configure do
   #   http://tools.ietf.org/html/rfc6819#section-4.4.2
   #   http://tools.ietf.org/html/rfc6819#section-4.4.3
   #
-  # grant_flows %w(authorization_code client_credentials)
+  # grant_flows %w[authorization_code client_credentials]
 
   # Under some circumstances you might want to have applications auto-approved,
   # so that the user skips the authorization step.

data/lib/generators/doorkeeper/templates/{migration.rb → migration.rb.erb}

@@ -1,4 +1,4 @@
-class CreateDoorkeeperTables < ActiveRecord::Migration
+class CreateDoorkeeperTables < ActiveRecord::Migration<%= migration_version %>
   def change
     create_table :oauth_applications do |t|
       t.string  :name,         null: false

data/spec/controllers/applications_controller_spec.rb

@@ -19,13 +19,24 @@ module Doorkeeper
           post :create, doorkeeper_application: {
             name: 'Example',
             redirect_uri: 'https://example.com' }
-        end.to_not change { Doorkeeper::Application.count }
+        end.not_to change { Doorkeeper::Application.count }
       end
     end
 
     context 'when admin is authenticated' do
+      render_views
+
       before do
-        allow(Doorkeeper.configuration).to receive(:authenticate_admin).and_return(->(arg) { true })
+        allow(Doorkeeper.configuration).to receive(:authenticate_admin).and_return(->(*) { true })
+      end
+
+      it 'sorts applications by created_at' do
+        first_application = FactoryBot.create(:application)
+        second_application = FactoryBot.create(:application)
+        expect(Doorkeeper::Application).to receive(:ordered_by).and_call_original
+        get :index
+        expect(response.body).to have_selector("tbody tr:first-child#application_#{first_application.id}")
+        expect(response.body).to have_selector("tbody tr:last-child#application_#{second_application.id}")
       end
 
       it 'creates application' do
@@ -38,7 +49,7 @@ module Doorkeeper
       end
 
       it 'does not allow mass assignment of uid or secret' do
-        application = FactoryGirl.create(:application)
+        application = FactoryBot.create(:application)
         put :update, id: application.id, doorkeeper_application: {
           uid: '1A2B3C4D',
           secret: '1A2B3C4D' }
@@ -47,7 +58,7 @@ module Doorkeeper
       end
 
       it 'updates application' do
-        application = FactoryGirl.create(:application)
+        application = FactoryBot.create(:application)
         put :update, id: application.id, doorkeeper_application: {
           name: 'Example',
           redirect_uri: 'https://example.com' }

data/spec/controllers/authorizations_controller_spec.rb

@@ -3,18 +3,33 @@ require 'spec_helper_integration'
 describe Doorkeeper::AuthorizationsController, 'implicit grant flow' do
   include AuthorizationRequestHelper
 
-  def fragments(param)
-    fragment = URI.parse(response.location).fragment
-    Rack::Utils.parse_query(fragment)[param]
+  if Rails::VERSION::MAJOR >= 5
+    class ActionDispatch::TestResponse
+      def query_params
+        @_query_params ||= begin
+          fragment = URI.parse(location).fragment
+          Rack::Utils.parse_query(fragment)
+        end
+      end
+    end
+  else
+    class ActionController::TestResponse
+      def query_params
+        @_query_params ||= begin
+          fragment = URI.parse(location).fragment
+          Rack::Utils.parse_query(fragment)
+        end
+      end
+    end
   end
 
   def translated_error_message(key)
     I18n.translate key, scope: [:doorkeeper, :errors, :messages]
   end
 
-  let(:client)        { FactoryGirl.create :application }
+  let(:client)        { FactoryBot.create :application }
   let(:user)          { User.create!(name: 'Joe', password: 'sekret') }
-  let(:access_token)  { FactoryGirl.build :access_token, resource_owner_id: user.id, application_id: client.id }
+  let(:access_token)  { FactoryBot.build :access_token, resource_owner_id: user.id, application_id: client.id }
 
   before do
     allow(Doorkeeper.configuration).to receive(:grant_flows).and_return(["implicit"])
@@ -35,15 +50,15 @@ describe Doorkeeper::AuthorizationsController, 'implicit grant flow' do
     end
 
     it 'includes access token in fragment' do
-      expect(fragments('access_token')).to eq(Doorkeeper::AccessToken.first.token)
+      expect(response.query_params['access_token']).to eq(Doorkeeper::AccessToken.first.token)
     end
 
     it 'includes token type in fragment' do
-      expect(fragments('token_type')).to eq('bearer')
+      expect(response.query_params['token_type']).to eq('bearer')
     end
 
     it 'includes token expiration in fragment' do
-      expect(fragments('expires_in').to_i).to eq(2.hours.to_i)
+      expect(response.query_params['expires_in'].to_i).to eq(2.hours.to_i)
     end
 
     it 'issues the token for the current client' do
@@ -70,15 +85,15 @@ describe Doorkeeper::AuthorizationsController, 'implicit grant flow' do
     end
 
     it 'does not include access token in fragment' do
-      expect(fragments('access_token')).to be_nil
+      expect(response.query_params['access_token']).to be_nil
     end
 
     it 'includes error in fragment' do
-      expect(fragments('error')).to eq('invalid_scope')
+      expect(response.query_params['error']).to eq('invalid_scope')
     end
 
     it 'includes error description in fragment' do
-      expect(fragments('error_description')).to eq(translated_error_message(:invalid_scope))
+      expect(response.query_params['error_description']).to eq(translated_error_message(:invalid_scope))
     end
 
     it 'does not issue any access token' do
@@ -95,7 +110,7 @@ describe Doorkeeper::AuthorizationsController, 'implicit grant flow' do
     end
 
     it 'returns the existing access token in a fragment' do
-      expect(fragments('access_token')).to eq(access_token.token)
+      expect(response.query_params['access_token']).to eq(access_token.token)
     end
 
     it 'does not creates a new access token' do
@@ -129,7 +144,7 @@ describe Doorkeeper::AuthorizationsController, 'implicit grant flow' do
   describe 'GET #new code request with native url and skip_authorization true' do
     before do
       allow(Doorkeeper.configuration).to receive(:grant_flows).
-        and_return(%w(authorization_code))
+        and_return(%w[authorization_code])
       allow(Doorkeeper.configuration).to receive(:skip_authorization).and_return(proc do
         true
       end)
@@ -139,7 +154,7 @@ describe Doorkeeper::AuthorizationsController, 'implicit grant flow' do
 
     it 'should redirect immediately' do
       expect(response).to be_redirect
-      expect(response.location).to match(/oauth\/authorize\//)
+      expect(response.location).to match(/oauth\/authorize\/native\?code=#{Doorkeeper::AccessGrant.first.token}/)
     end
 
     it 'should issue a grant' do
@@ -169,11 +184,11 @@ describe Doorkeeper::AuthorizationsController, 'implicit grant flow' do
     end
 
     it 'includes token type in fragment' do
-      expect(fragments('token_type')).to eq('bearer')
+      expect(response.query_params['token_type']).to eq('bearer')
     end
 
     it 'includes token expiration in fragment' do
-      expect(fragments('expires_in').to_i).to eq(2.hours.to_i)
+      expect(response.query_params['expires_in'].to_i).to eq(2.hours.to_i)
     end
 
     it 'issues the token for the current client' do

data/spec/controllers/protected_resources_controller_spec.rb

@@ -9,11 +9,9 @@ module ControllerActions
     render plain: 'show'
   end
 
-  def doorkeeper_unauthorized_render_options(*)
-  end
+  def doorkeeper_unauthorized_render_options(*); end
 
-  def doorkeeper_forbidden_render_options(*)
-  end
+  def doorkeeper_forbidden_render_options(*); end
 end
 
 describe 'doorkeeper authorize filter' do
@@ -74,12 +72,12 @@ describe 'doorkeeper authorize filter' do
     context 'with valid token', token: :valid do
       it 'allows into index action' do
         get :index, access_token: token_string
-        expect(response).to be_success
+        expect(response).to be_successful
       end
 
       it 'allows into show action' do
         get :show, id: '4', access_token: token_string
-        expect(response).to be_success
+        expect(response).to be_successful
       end
     end
 
@@ -109,15 +107,16 @@ describe 'doorkeeper authorize filter' do
 
     it 'allows if the token has particular scopes' do
       token = double(Doorkeeper::AccessToken,
-                     accessible?: true, scopes: %w(write public),
+                     accessible?: true, scopes: %w[write public],
                      previous_refresh_token: "",
                      revoke_previous_refresh_token!: true)
       expect(token).to receive(:acceptable?).with([:write]).and_return(true)
       expect(
         Doorkeeper::AccessToken
       ).to receive(:by_token).with(token_string).and_return(token)
+
       get :index, access_token: token_string
-      expect(response).to be_success
+      expect(response).to be_successful
     end
 
     it 'does not allow if the token does not include given scope' do
@@ -129,6 +128,7 @@ describe 'doorkeeper authorize filter' do
         Doorkeeper::AccessToken
       ).to receive(:by_token).with(token_string).and_return(token)
       expect(token).to receive(:acceptable?).with([:write]).and_return(false)
+
       get :index, access_token: token_string
       expect(response.status).to eq 403
       expect(response.header).to_not include('WWW-Authenticate')
@@ -146,14 +146,17 @@ describe 'doorkeeper authorize filter' do
       before do
         module ControllerActions
           remove_method :doorkeeper_unauthorized_render_options
+
           def doorkeeper_unauthorized_render_options(error: nil)
             { json: ActiveSupport::JSON.encode(error_message: error.description) }
           end
         end
       end
+
       after do
         module ControllerActions
           remove_method :doorkeeper_unauthorized_render_options
+
           def doorkeeper_unauthorized_render_options(error: nil)
           end
         end
@@ -164,9 +167,9 @@ describe 'doorkeeper authorize filter' do
         expect(response.status).to eq 401
         expect(response.content_type).to eq('application/json')
         expect(response.header['WWW-Authenticate']).to match(/^Bearer/)
-        parsed_body = JSON.parse(response.body)
-        expect(parsed_body).not_to be_nil
-        expect(parsed_body['error_message']).to match('token is invalid')
+
+        expect(json_response).not_to be_nil
+        expect(json_response['error_message']).to match('token is invalid')
       end
     end
 
@@ -174,16 +177,18 @@ describe 'doorkeeper authorize filter' do
       before do
         module ControllerActions
           remove_method :doorkeeper_unauthorized_render_options
-          def doorkeeper_unauthorized_render_options(error: nil)
+
+          def doorkeeper_unauthorized_render_options(**)
             { plain: 'Unauthorized' }
           end
         end
       end
+
       after do
         module ControllerActions
           remove_method :doorkeeper_unauthorized_render_options
-          def doorkeeper_unauthorized_render_options(error: nil)
-          end
+
+          def doorkeeper_unauthorized_render_options(error: nil); end
         end
       end
 
@@ -206,8 +211,8 @@ describe 'doorkeeper authorize filter' do
     after do
       module ControllerActions
         remove_method :doorkeeper_forbidden_render_options
-        def doorkeeper_forbidden_render_options(*)
-        end
+
+        def doorkeeper_forbidden_render_options(*); end
       end
     end
 
@@ -223,12 +228,14 @@ describe 'doorkeeper authorize filter' do
              expired?: false, previous_refresh_token: "",
              revoke_previous_refresh_token!: true)
     end
+
     let(:token_string) { '1A2DUWE' }
 
     context 'with a JSON custom render' do
       before do
         module ControllerActions
           remove_method :doorkeeper_forbidden_render_options
+
           def doorkeeper_forbidden_render_options(*)
             { json: { error_message: 'Forbidden' } }
           end
@@ -240,9 +247,9 @@ describe 'doorkeeper authorize filter' do
         expect(response.header).to_not include('WWW-Authenticate')
         expect(response.content_type).to eq('application/json')
         expect(response.status).to eq 403
-        parsed_body = JSON.parse(response.body)
-        expect(parsed_body).not_to be_nil
-        expect(parsed_body['error_message']).to match('Forbidden')
+
+        expect(json_response).not_to be_nil
+        expect(json_response['error_message']).to match('Forbidden')
       end
     end
 
@@ -267,6 +274,7 @@ describe 'doorkeeper authorize filter' do
       before do
         module ControllerActions
           remove_method :doorkeeper_forbidden_render_options
+
           def doorkeeper_forbidden_render_options(*)
             { plain: 'Forbidden' }
           end
@@ -285,6 +293,7 @@ describe 'doorkeeper authorize filter' do
       before do
         module ControllerActions
           remove_method :doorkeeper_forbidden_render_options
+
           def doorkeeper_forbidden_render_options(*)
             { respond_not_found_when_forbidden: true, plain: 'Not Found' }
           end

data/spec/controllers/token_info_controller_spec.rb

@@ -1,26 +1,23 @@
 require 'spec_helper_integration'
 
 describe Doorkeeper::TokenInfoController do
-  describe 'when requesting tokeninfo with valid token' do
-    let(:doorkeeper_token) { FactoryGirl.create(:access_token) }
+  describe 'when requesting token info with valid token' do
+    let(:doorkeeper_token) { FactoryBot.create(:access_token) }
 
     before(:each) do
       allow(controller).to receive(:doorkeeper_token) { doorkeeper_token }
     end
 
-    def do_get
-      get :show
-    end
-
     describe 'successful request' do
-
       it 'responds with tokeninfo' do
-        do_get
+        get :show
+
         expect(response.body).to eq(doorkeeper_token.to_json)
       end
 
       it 'responds with a 200 status' do
-        do_get
+        get :show
+
         expect(response.status).to eq 200
       end
     end
@@ -29,8 +26,10 @@ describe Doorkeeper::TokenInfoController do
       before(:each) do
         allow(controller).to receive(:doorkeeper_token).and_return(nil)
       end
+
       it 'responds with 401 when doorkeeper_token is not valid' do
-        do_get
+        get :show
+
         expect(response.status).to eq 401
         expect(response.headers['WWW-Authenticate']).to match(/^Bearer/)
       end
@@ -38,14 +37,19 @@ describe Doorkeeper::TokenInfoController do
       it 'responds with 401 when doorkeeper_token is invalid, expired or revoked' do
         allow(controller).to receive(:doorkeeper_token).and_return(doorkeeper_token)
         allow(doorkeeper_token).to receive(:accessible?).and_return(false)
-        do_get
+
+        get :show
+
         expect(response.status).to eq 401
         expect(response.headers['WWW-Authenticate']).to match(/^Bearer/)
       end
 
       it 'responds body message for error' do
-        do_get
-        expect(response.body).to eq(Doorkeeper::OAuth::ErrorResponse.new(name: :invalid_request, status: :unauthorized).body.to_json)
+        get :show
+
+        expect(response.body).to eq(
+          Doorkeeper::OAuth::ErrorResponse.new(name: :invalid_request, status: :unauthorized).body.to_json
+        )
       end
     end
   end

data/spec/controllers/tokens_controller_spec.rb

@@ -2,9 +2,7 @@ require 'spec_helper_integration'
 
 describe Doorkeeper::TokensController do
   describe 'when authorization has succeeded' do
-    let :token do
-      double(:token, authorize: true)
-    end
+    let(:token) { double(:token, authorize: true) }
 
     before do
       allow(controller).to receive(:token) { token }
@@ -57,7 +55,7 @@ describe Doorkeeper::TokensController do
       }
       expect(response.status).to eq 401
       expect(response.headers['WWW-Authenticate']).to match(/Bearer/)
-      expect(JSON.load(response.body)).to eq expected_response_body
+      expect(JSON.parse(response.body)).to eq expected_response_body
     end
   end
 
@@ -85,4 +83,140 @@ describe Doorkeeper::TokensController do
       post :create
     end
   end
+
+  describe 'when requested token introspection' do
+    context 'authorized using Bearer token' do
+      let(:client) { FactoryBot.create(:application) }
+      let(:access_token) { FactoryBot.create(:access_token, application: client) }
+
+      it 'responds with full token introspection' do
+        request.headers['Authorization'] = "Bearer #{access_token.token}"
+
+        post :introspect, token: access_token.token
+
+        should_have_json 'active', true
+        expect(json_response).to include('client_id', 'token_type', 'exp', 'iat')
+      end
+    end
+
+    context 'authorized using Client Authentication' do
+      let(:client) { FactoryBot.create(:application) }
+      let(:access_token) { FactoryBot.create(:access_token, application: client) }
+
+      it 'responds with full token introspection' do
+        request.headers['Authorization'] = basic_auth_header_for_client(client)
+
+        post :introspect, token: access_token.token
+
+        should_have_json 'active', true
+        expect(json_response).to include('client_id', 'token_type', 'exp', 'iat')
+        should_have_json 'client_id', client.uid
+      end
+    end
+
+    context 'public access token' do
+      let(:client) { FactoryBot.create(:application) }
+      let(:access_token) { FactoryBot.create(:access_token, application: nil) }
+
+      it 'responds with full token introspection' do
+        request.headers['Authorization'] = basic_auth_header_for_client(client)
+
+        post :introspect, token: access_token.token
+
+        should_have_json 'active', true
+        expect(json_response).to include('client_id', 'token_type', 'exp', 'iat')
+        should_have_json 'client_id', nil
+      end
+    end
+
+    context 'token was issued to a different client than is making this request' do
+      let(:client) { FactoryBot.create(:application) }
+      let(:different_client) { FactoryBot.create(:application) }
+      let(:access_token) { FactoryBot.create(:access_token, application: client) }
+
+      it 'responds with only active state' do
+        request.headers['Authorization'] = basic_auth_header_for_client(different_client)
+
+        post :introspect, token: access_token.token
+
+        expect(response).to be_successful
+
+        should_have_json 'active', false
+        expect(json_response).not_to include('client_id', 'token_type', 'exp', 'iat')
+      end
+    end
+
+    context 'using invalid credentials to authorize' do
+      let(:client) { double(uid: '123123', secret: '666999') }
+      let(:access_token) { FactoryBot.create(:access_token) }
+
+      it 'responds with invalid_client error' do
+        request.headers['Authorization'] = basic_auth_header_for_client(client)
+
+        post :introspect, token: access_token.token
+
+        expect(response).not_to be_successful
+        response_status_should_be 401
+
+        should_not_have_json 'active'
+        should_have_json 'error', 'invalid_client'
+      end
+    end
+
+    context 'using wrong token value' do
+      let(:client) { FactoryBot.create(:application) }
+      let(:access_token) { FactoryBot.create(:access_token, application: client) }
+
+      it 'responds with only active state' do
+        request.headers['Authorization'] = basic_auth_header_for_client(client)
+
+        post :introspect, token: SecureRandom.hex(16)
+
+        should_have_json 'active', false
+        expect(json_response).not_to include('client_id', 'token_type', 'exp', 'iat')
+      end
+    end
+
+    context 'when requested Access Token expired' do
+      let(:client) { FactoryBot.create(:application) }
+      let(:access_token) { FactoryBot.create(:access_token, application: client, created_at: 1.year.ago) }
+
+      it 'responds with only active state' do
+        request.headers['Authorization'] = basic_auth_header_for_client(client)
+
+        post :introspect, token: access_token.token
+
+        should_have_json 'active', false
+        expect(json_response).not_to include('client_id', 'token_type', 'exp', 'iat')
+      end
+    end
+
+    context 'when requested Access Token revoked' do
+      let(:client) { FactoryBot.create(:application) }
+      let(:access_token) { FactoryBot.create(:access_token, application: client, revoked_at: 1.year.ago) }
+
+      it 'responds with only active state' do
+        request.headers['Authorization'] = basic_auth_header_for_client(client)
+
+        post :introspect, token: access_token.token
+
+        should_have_json 'active', false
+        expect(json_response).not_to include('client_id', 'token_type', 'exp', 'iat')
+      end
+    end
+
+    context 'unauthorized (no bearer token or client credentials)' do
+      let(:access_token) { FactoryBot.create(:access_token) }
+
+      it 'responds with invalid_request error' do
+        post :introspect, token: access_token.token
+
+        expect(response).not_to be_successful
+        response_status_should_be 401
+
+        should_not_have_json 'active'
+        should_have_json 'error', 'invalid_request'
+      end
+    end
+  end
 end

data/spec/dummy/config/initializers/doorkeeper.rb

@@ -82,7 +82,7 @@ Doorkeeper.configure do
   #   http://tools.ietf.org/html/rfc6819#section-4.4.2
   #   http://tools.ietf.org/html/rfc6819#section-4.4.3
   #
-  # grant_flows %w(authorization_code client_credentials)
+  # grant_flows %w[authorization_code client_credentials]
 
   # Under some circumstances you might want to have applications auto-approved,
   # so that the user skips the authorization step.

data/spec/dummy/config/initializers/{active_record_belongs_to_required_by_default.rb → new_framework_defaults.rb}

@@ -1,6 +1,6 @@
 # Require `belongs_to` associations by default. This is a new Rails 5.0
 # default, so it is introduced as a configuration option to ensure that apps
 # made on earlier versions of Rails are not affected when upgrading.
-if Rails.version.to_i >= 5
+if Rails::VERSION::MAJOR >= 5
   Rails.application.config.active_record.belongs_to_required_by_default = true
 end

data/spec/dummy/config/initializers/secret_token.rb

@@ -5,5 +5,4 @@
 # Make sure the secret is at least 30 characters and all random,
 # no regular words or you'll be exposed to dictionary attacks.
 Dummy::Application.config.secret_key_base =
-  Dummy::Application.config.secret_token =
   'c00157b5a1bb6181792f0f4a8a080485de7bab9987e6cf159dc74c4f0573345c1bfa713b5d756e1491fc0b098567e8a619e2f8d268eda86a20a720d05d633780'

data/spec/factories.rb

@@ -1,4 +1,4 @@
-FactoryGirl.define do
+FactoryBot.define do
   factory :access_grant, class: Doorkeeper::AccessGrant do
     sequence(:resource_owner_id) { |n| n }
     application

data/spec/generators/application_owner_generator_spec.rb

@@ -10,13 +10,32 @@ describe 'Doorkeeper::ApplicationOwnerGenerator' do
   describe 'after running the generator' do
     before :each do
       prepare_destination
-      FileUtils.mkdir(::File.expand_path('config', Pathname(destination_root)))
-      FileUtils.copy_file(::File.expand_path('../templates/routes.rb', __FILE__), ::File.expand_path('config/routes.rb', Pathname.new(destination_root)))
-      run_generator
     end
 
-    it 'creates a migration' do
-      assert_migration 'db/migrate/add_owner_to_application.rb'
+    context 'pre Rails 5.0.0' do
+      it 'creates a migration with no version specifier' do
+        stub_const("ActiveRecord::VERSION::MAJOR", 4)
+        stub_const("ActiveRecord::VERSION::MINOR", 2)
+
+        run_generator
+
+        assert_migration 'db/migrate/add_owner_to_application.rb' do |migration|
+          assert migration.include?("ActiveRecord::Migration\n")
+        end
+      end
+    end
+
+    context 'post Rails 5.0.0' do
+      it 'creates a migration with a version specifier' do
+        stub_const("ActiveRecord::VERSION::MAJOR", 5)
+        stub_const("ActiveRecord::VERSION::MINOR", 0)
+
+        run_generator
+
+        assert_migration 'db/migrate/add_owner_to_application.rb' do |migration|
+          assert migration.include?("ActiveRecord::Migration[5.0]\n")
+        end
+      end
     end
   end
 end