doorkeeper 4.4.0 → 5.6.6

data/lib/doorkeeper/request.rb

@@ -1,46 +1,73 @@
-require 'doorkeeper/request/authorization_code'
-require 'doorkeeper/request/client_credentials'
-require 'doorkeeper/request/code'
-require 'doorkeeper/request/password'
-require 'doorkeeper/request/refresh_token'
-require 'doorkeeper/request/token'
+# frozen_string_literal: true
 
 module Doorkeeper
   module Request
-    module_function
+    class << self
+      def authorization_strategy(response_type)
+        grant_flow = authorization_flows.detect do |flow|
+          flow.matches_response_type?(response_type)
+        end
 
-    def authorization_strategy(response_type)
-      get_strategy response_type, authorization_response_types
-    rescue NameError
-      raise Errors::InvalidAuthorizationStrategy
-    end
+        if grant_flow
+          grant_flow.response_type_strategy
+        else
+          # [NOTE]: this will be removed in a newer versions of Doorkeeper.
+          # For retro-compatibility only
+          build_fallback_strategy_class(response_type)
+        end
+      end
 
-    def token_strategy(grant_type)
-      get_strategy grant_type, token_grant_types
-    rescue NameError
-      raise Errors::InvalidTokenStrategy
-    end
+      def token_strategy(grant_type)
+        raise Errors::MissingRequiredParameter, :grant_type if grant_type.blank?
 
-    def get_strategy(grant_or_request_type, available)
-      fail Errors::MissingRequestStrategy unless grant_or_request_type.present?
-      fail NameError unless available.include?(grant_or_request_type.to_s)
-      strategy_class(grant_or_request_type)
-    end
+        grant_flow = token_flows.detect do |flow|
+          flow.matches_grant_type?(grant_type)
+        end
 
-    def authorization_response_types
-      Doorkeeper.configuration.authorization_response_types
-    end
-    private_class_method :authorization_response_types
+        if grant_flow
+          grant_flow.grant_type_strategy
+        else
+          # [NOTE]: this will be removed in a newer versions of Doorkeeper.
+          # For retro-compatibility only
+          raise Errors::InvalidTokenStrategy unless available.include?(grant_type.to_s)
 
-    def token_grant_types
-      Doorkeeper.configuration.token_grant_types
-    end
-    private_class_method :token_grant_types
+          strategy_class = build_fallback_strategy_class(grant_type)
+          raise Errors::InvalidTokenStrategy unless strategy_class
+
+          strategy_class
+        end
+      end
+
+      private
+
+      def authorization_flows
+        Doorkeeper.configuration.authorization_response_flows
+      end
+
+      def token_flows
+        Doorkeeper.configuration.token_grant_flows
+      end
+
+      # [NOTE]: this will be removed in a newer versions of Doorkeeper.
+      # For retro-compatibility only
+      def available
+        Doorkeeper.config.deprecated_token_grant_types_resolver
+      end
+
+      def build_fallback_strategy_class(grant_or_request_type)
+        strategy_class_name = grant_or_request_type.to_s.tr(" ", "_").camelize
+        fallback_strategy = "Doorkeeper::Request::#{strategy_class_name}".constantize
+
+        ::Kernel.warn <<~WARNING
+          [DOORKEEPER] #{fallback_strategy} found using fallback, it must be
+          registered using `Doorkeeper::GrantFlow.register(grant_flow_name, **options)`.
+          This functionality will be removed in a newer versions of Doorkeeper.
+        WARNING
 
-    def strategy_class(grant_or_request_type)
-      strategy_class_name = grant_or_request_type.to_s.tr(' ', '_').camelize
-      "Doorkeeper::Request::#{strategy_class_name}".constantize
+        fallback_strategy
+      rescue NameError
+        raise Errors::InvalidTokenStrategy
+      end
     end
-    private_class_method :strategy_class
   end
 end

data/lib/doorkeeper/secret_storing/base.rb

@@ -0,0 +1,64 @@
+# frozen_string_literal: true
+
+module Doorkeeper
+  module SecretStoring
+    ##
+    # Base class for secret storing, including common helpers
+    class Base
+      ##
+      # Return the value to be stored by the database
+      # used for looking up a database value.
+      # @param plain_secret The plain secret input / generated
+      def self.transform_secret(_plain_secret)
+        raise NotImplementedError
+      end
+
+      ##
+      # Transform and store the given secret attribute => value
+      # pair used for safely storing the attribute
+      # @param resource The model instance being modified
+      # @param attribute The secret attribute
+      # @param plain_secret The plain secret input / generated
+      def self.store_secret(resource, attribute, plain_secret)
+        transformed_value = transform_secret(plain_secret)
+        resource.public_send(:"#{attribute}=", transformed_value)
+
+        transformed_value
+      end
+
+      ##
+      # Return the restored value from the database
+      # @param resource The resource instance to act on
+      # @param attribute The secret attribute to restore
+      # as retrieved from the database.
+      def self.restore_secret(_resource, _attribute)
+        raise NotImplementedError
+      end
+
+      ##
+      # Determines whether this strategy supports restoring
+      # secrets from the database. This allows detecting users
+      # trying to use a non-restorable strategy with +reuse_access_tokens+.
+      def self.allows_restoring_secrets?
+        false
+      end
+
+      ##
+      # Determines what secrets this strategy is applicable for
+      def self.validate_for(model)
+        valid = %i[token application]
+        return true if valid.include?(model.to_sym)
+
+        raise ArgumentError, "'#{name}' can not be used for #{model}."
+      end
+
+      ##
+      # Securely compare the given +input+ value with a +stored+ value
+      # processed by +transform_secret+.
+      def self.secret_matches?(input, stored)
+        transformed_input = transform_secret(input)
+        ActiveSupport::SecurityUtils.secure_compare transformed_input, stored
+      end
+    end
+  end
+end

data/lib/doorkeeper/secret_storing/bcrypt.rb

@@ -0,0 +1,60 @@
+# frozen_string_literal: true
+
+module Doorkeeper
+  module SecretStoring
+    ##
+    # Plain text secret storing, which is the default
+    # but also provides fallback lookup if
+    # other secret storing mechanisms are enabled.
+    class BCrypt < Base
+      ##
+      # Return the value to be stored by the database
+      # @param plain_secret The plain secret input / generated
+      def self.transform_secret(plain_secret)
+        ::BCrypt::Password.create(plain_secret.to_s)
+      end
+
+      ##
+      # Securely compare the given +input+ value with a +stored+ value
+      # processed by +transform_secret+.
+      def self.secret_matches?(input, stored)
+        ::BCrypt::Password.new(stored.to_s) == input.to_s
+      rescue ::BCrypt::Errors::InvalidHash
+        false
+      end
+
+      ##
+      # Determines whether this strategy supports restoring
+      # secrets from the database. This allows detecting users
+      # trying to use a non-restorable strategy with +reuse_access_tokens+.
+      def self.allows_restoring_secrets?
+        false
+      end
+
+      ##
+      # Determines what secrets this strategy is applicable for
+      def self.validate_for(model)
+        unless model.to_sym == :application
+          raise ArgumentError,
+                "'#{name}' can only be used for storing application secrets."
+        end
+
+        unless bcrypt_present?
+          raise ArgumentError,
+                "'#{name}' requires the 'bcrypt' gem being loaded."
+        end
+
+        true
+      end
+
+      ##
+      # Test if we can require the BCrypt gem
+      def self.bcrypt_present?
+        require "bcrypt"
+        true
+      rescue LoadError
+        false
+      end
+    end
+  end
+end

data/lib/doorkeeper/secret_storing/plain.rb

@@ -0,0 +1,33 @@
+# frozen_string_literal: true
+
+module Doorkeeper
+  module SecretStoring
+    ##
+    # Plain text secret storing, which is the default
+    # but also provides fallback lookup if
+    # other secret storing mechanisms are enabled.
+    class Plain < Base
+      ##
+      # Return the value to be stored by the database
+      # @param plain_secret The plain secret input / generated
+      def self.transform_secret(plain_secret)
+        plain_secret
+      end
+
+      ##
+      # Return the restored value from the database
+      # @param resource The resource instance to act on
+      # @param attribute The secret attribute to restore
+      # as retrieved from the database.
+      def self.restore_secret(resource, attribute)
+        resource.public_send(attribute)
+      end
+
+      ##
+      # Plain values obviously allow restoring
+      def self.allows_restoring_secrets?
+        true
+      end
+    end
+  end
+end

data/lib/doorkeeper/secret_storing/sha256_hash.rb

@@ -0,0 +1,26 @@
+# frozen_string_literal: true
+
+module Doorkeeper
+  module SecretStoring
+    ##
+    # Plain text secret storing, which is the default
+    # but also provides fallback lookup if
+    # other secret storing mechanisms are enabled.
+    class Sha256Hash < Base
+      ##
+      # Return the value to be stored by the database
+      # @param plain_secret The plain secret input / generated
+      def self.transform_secret(plain_secret)
+        ::Digest::SHA256.hexdigest plain_secret
+      end
+
+      ##
+      # Determines whether this strategy supports restoring
+      # secrets from the database. This allows detecting users
+      # trying to use a non-restorable strategy with +reuse_access_tokens+.
+      def self.allows_restoring_secrets?
+        false
+      end
+    end
+  end
+end

data/lib/doorkeeper/server.rb

@@ -1,19 +1,21 @@
+# frozen_string_literal: true
+
 module Doorkeeper
   class Server
-    attr_accessor :context
+    attr_reader :context
 
-    def initialize(context = nil)
+    def initialize(context)
       @context = context
     end
 
     def authorization_request(strategy)
-      klass = Request.authorization_strategy strategy
-      klass.new self
+      klass = Request.authorization_strategy(strategy)
+      klass.new(self)
     end
 
     def token_request(strategy)
-      klass = Request.token_strategy strategy
-      klass.new self
+      klass = Request.token_strategy(strategy)
+      klass.new(self)
     end
 
     # TODO: context should be the request
@@ -25,10 +27,6 @@ module Doorkeeper
       @client ||= OAuth::Client.authenticate(credentials)
     end
 
-    def client_via_uid
-      @client_via_uid ||= OAuth::Client.find(parameters[:client_id])
-    end
-
     def current_resource_owner
       context.send :current_resource_owner
     end
@@ -39,7 +37,7 @@ module Doorkeeper
     end
 
     def credentials
-      methods = Doorkeeper.configuration.client_credentials_methods
+      methods = Doorkeeper.config.client_credentials_methods
       @credentials ||= OAuth::Client::Credentials.from_request(context.request, *methods)
     end
   end

data/lib/doorkeeper/stale_records_cleaner.rb

@@ -0,0 +1,24 @@
+# frozen_string_literal: true
+
+module Doorkeeper
+  class StaleRecordsCleaner
+    CLEANER_CLASS = "StaleRecordsCleaner"
+
+    def self.for(base_scope)
+      orm_adapter = "doorkeeper/orm/#{configured_orm}".classify
+
+      orm_cleaner = "#{orm_adapter}::#{CLEANER_CLASS}".constantize
+      orm_cleaner.new(base_scope)
+    rescue NameError
+      raise Doorkeeper::Errors::NoOrmCleaner, "'#{configured_orm}' ORM has no cleaner!"
+    end
+
+    def self.new(base_scope)
+      self.for(base_scope)
+    end
+
+    def self.configured_orm
+      Doorkeeper.config.orm
+    end
+  end
+end

data/lib/doorkeeper/validations.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module Doorkeeper
   module Validations
     extend ActiveSupport::Concern

data/lib/doorkeeper/version.rb

@@ -1,36 +1,14 @@
-module Doorkeeper
-  CVE_2018_1000211_WARNING = <<-HEREDOC.freeze
-
-
-  WARNING: This is a security release that addresses token revocation not working for public apps (CVE-2018-1000211)
-
-  There is no breaking change in this release, however to take advantage of the security fix you must:
-
-    1. Run `rails generate doorkeeper:add_client_confidentiality` for the migration
-    2. Review your OAuth apps and determine which ones exclusively use public grant flows (eg implicit)
-    3. Update their `confidential` column to `false` for those public apps
-
-  This is a backported security release.
-
-  For more information:
-
-    * https://github.com/doorkeeper-gem/doorkeeper/pull/1119
-    * https://github.com/doorkeeper-gem/doorkeeper/issues/891
-
-
-HEREDOC
-
-  def self.gem_version
-    Gem::Version.new VERSION::STRING
-  end
+# frozen_string_literal: true
 
+module Doorkeeper
   module VERSION
     # Semantic versioning
-    MAJOR = 4
-    MINOR = 4
-    TINY = 0
+    MAJOR = 5
+    MINOR = 6
+    TINY = 6
+    PRE = nil
 
     # Full version number
-    STRING = [MAJOR, MINOR, TINY].compact.join('.')
+    STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
   end
 end

data/lib/doorkeeper.rb

@@ -1,75 +1,190 @@
-require 'doorkeeper/version'
-require 'doorkeeper/engine'
-require 'doorkeeper/config'
-
-require 'doorkeeper/errors'
-require 'doorkeeper/server'
-require 'doorkeeper/request'
-require 'doorkeeper/validations'
-
-require 'doorkeeper/oauth/authorization/code'
-require 'doorkeeper/oauth/authorization/token'
-require 'doorkeeper/oauth/authorization/uri_builder'
-require 'doorkeeper/oauth/helpers/scope_checker'
-require 'doorkeeper/oauth/helpers/uri_checker'
-require 'doorkeeper/oauth/helpers/unique_token'
-
-require 'doorkeeper/oauth/scopes'
-require 'doorkeeper/oauth/error'
-require 'doorkeeper/oauth/base_response'
-require 'doorkeeper/oauth/code_response'
-require 'doorkeeper/oauth/token_response'
-require 'doorkeeper/oauth/error_response'
-require 'doorkeeper/oauth/pre_authorization'
-require 'doorkeeper/oauth/base_request'
-require 'doorkeeper/oauth/authorization_code_request'
-require 'doorkeeper/oauth/refresh_token_request'
-require 'doorkeeper/oauth/password_access_token_request'
-require 'doorkeeper/oauth/client_credentials_request'
-require 'doorkeeper/oauth/code_request'
-require 'doorkeeper/oauth/token_request'
-require 'doorkeeper/oauth/client'
-require 'doorkeeper/oauth/token'
-require 'doorkeeper/oauth/token_introspection'
-require 'doorkeeper/oauth/invalid_token_response'
-require 'doorkeeper/oauth/forbidden_token_response'
-
-require 'doorkeeper/models/concerns/orderable'
-require 'doorkeeper/models/concerns/scopes'
-require 'doorkeeper/models/concerns/expirable'
-require 'doorkeeper/models/concerns/revocable'
-require 'doorkeeper/models/concerns/accessible'
-
-require 'doorkeeper/models/access_grant_mixin'
-require 'doorkeeper/models/access_token_mixin'
-require 'doorkeeper/models/application_mixin'
-
-require 'doorkeeper/helpers/controller'
-
-require 'doorkeeper/rails/routes'
-require 'doorkeeper/rails/helpers'
-
-require 'doorkeeper/orm/active_record'
-
-require 'active_support/deprecation'
+# frozen_string_literal: true
 
+require "doorkeeper/config"
+require "doorkeeper/engine"
+
+# Main Doorkeeper namespace.
+#
 module Doorkeeper
-  def self.configured?
-    ActiveSupport::Deprecation.warn "Method `Doorkeeper#configured?` has been deprecated without replacement."
-    @config.present?
+  autoload :Errors, "doorkeeper/errors"
+  autoload :GrantFlow, "doorkeeper/grant_flow"
+  autoload :OAuth, "doorkeeper/oauth"
+  autoload :Rake, "doorkeeper/rake"
+  autoload :Request, "doorkeeper/request"
+  autoload :Server, "doorkeeper/server"
+  autoload :StaleRecordsCleaner, "doorkeeper/stale_records_cleaner"
+  autoload :Validations, "doorkeeper/validations"
+  autoload :VERSION, "doorkeeper/version"
+
+  autoload :AccessGrantMixin, "doorkeeper/models/access_grant_mixin"
+  autoload :AccessTokenMixin, "doorkeeper/models/access_token_mixin"
+  autoload :ApplicationMixin, "doorkeeper/models/application_mixin"
+
+  module Helpers
+    autoload :Controller, "doorkeeper/helpers/controller"
+  end
+
+  module Request
+    autoload :Strategy, "doorkeeper/request/strategy"
+    autoload :AuthorizationCode, "doorkeeper/request/authorization_code"
+    autoload :ClientCredentials, "doorkeeper/request/client_credentials"
+    autoload :Code, "doorkeeper/request/code"
+    autoload :Password, "doorkeeper/request/password"
+    autoload :RefreshToken, "doorkeeper/request/refresh_token"
+    autoload :Token, "doorkeeper/request/token"
+  end
+
+  module OAuth
+    autoload :BaseRequest, "doorkeeper/oauth/base_request"
+    autoload :AuthorizationCodeRequest, "doorkeeper/oauth/authorization_code_request"
+    autoload :BaseResponse, "doorkeeper/oauth/base_response"
+    autoload :CodeResponse, "doorkeeper/oauth/code_response"
+    autoload :Client, "doorkeeper/oauth/client"
+    autoload :ClientCredentialsRequest, "doorkeeper/oauth/client_credentials_request"
+    autoload :CodeRequest, "doorkeeper/oauth/code_request"
+    autoload :ErrorResponse, "doorkeeper/oauth/error_response"
+    autoload :Error, "doorkeeper/oauth/error"
+    autoload :InvalidTokenResponse, "doorkeeper/oauth/invalid_token_response"
+    autoload :InvalidRequestResponse, "doorkeeper/oauth/invalid_request_response"
+    autoload :ForbiddenTokenResponse, "doorkeeper/oauth/forbidden_token_response"
+    autoload :NonStandard, "doorkeeper/oauth/nonstandard"
+    autoload :PasswordAccessTokenRequest, "doorkeeper/oauth/password_access_token_request"
+    autoload :PreAuthorization, "doorkeeper/oauth/pre_authorization"
+    autoload :RefreshTokenRequest, "doorkeeper/oauth/refresh_token_request"
+    autoload :Scopes, "doorkeeper/oauth/scopes"
+    autoload :Token, "doorkeeper/oauth/token"
+    autoload :TokenIntrospection, "doorkeeper/oauth/token_introspection"
+    autoload :TokenRequest, "doorkeeper/oauth/token_request"
+    autoload :TokenResponse, "doorkeeper/oauth/token_response"
+
+    module Authorization
+      autoload :Code, "doorkeeper/oauth/authorization/code"
+      autoload :Context, "doorkeeper/oauth/authorization/context"
+      autoload :Token, "doorkeeper/oauth/authorization/token"
+      autoload :URIBuilder, "doorkeeper/oauth/authorization/uri_builder"
+    end
+
+    class Client
+      autoload :Credentials, "doorkeeper/oauth/client/credentials"
+    end
+
+    module ClientCredentials
+      autoload :Validator, "doorkeeper/oauth/client_credentials/validator"
+      autoload :Creator, "doorkeeper/oauth/client_credentials/creator"
+      autoload :Issuer, "doorkeeper/oauth/client_credentials/issuer"
+    end
+
+    module Helpers
+      autoload :ScopeChecker, "doorkeeper/oauth/helpers/scope_checker"
+      autoload :URIChecker, "doorkeeper/oauth/helpers/uri_checker"
+      autoload :UniqueToken, "doorkeeper/oauth/helpers/unique_token"
+    end
+
+    module Hooks
+      autoload :Context, "doorkeeper/oauth/hooks/context"
+    end
+  end
+
+  module Models
+    autoload :Accessible, "doorkeeper/models/concerns/accessible"
+    autoload :Expirable, "doorkeeper/models/concerns/expirable"
+    autoload :ExpirationTimeSqlMath, "doorkeeper/models/concerns/expiration_time_sql_math"
+    autoload :Orderable, "doorkeeper/models/concerns/orderable"
+    autoload :PolymorphicResourceOwner, "doorkeeper/models/concerns/polymorphic_resource_owner"
+    autoload :Scopes, "doorkeeper/models/concerns/scopes"
+    autoload :Reusable, "doorkeeper/models/concerns/reusable"
+    autoload :ResourceOwnerable, "doorkeeper/models/concerns/resource_ownerable"
+    autoload :Revocable, "doorkeeper/models/concerns/revocable"
+    autoload :SecretStorable, "doorkeeper/models/concerns/secret_storable"
+  end
+
+  module Orm
+    autoload :ActiveRecord, "doorkeeper/orm/active_record"
   end
 
-  def self.database_installed?
-    ActiveSupport::Deprecation.warn "Method `Doorkeeper#database_installed?` has been deprecated without replacement."
-    [AccessToken, AccessGrant, Application].all?(&:table_exists?)
+  module Rails
+    autoload :Helpers, "doorkeeper/rails/helpers"
+    autoload :Routes, "doorkeeper/rails/routes"
   end
 
-  def self.installed?
-    ActiveSupport::Deprecation.warn "Method `Doorkeeper#installed?` has been deprecated without replacement."
-    configured? && database_installed?
+  module SecretStoring
+    autoload :Base, "doorkeeper/secret_storing/base"
+    autoload :Plain, "doorkeeper/secret_storing/plain"
+    autoload :Sha256Hash, "doorkeeper/secret_storing/sha256_hash"
+    autoload :BCrypt, "doorkeeper/secret_storing/bcrypt"
   end
 
-  def self.authenticate(request, methods = Doorkeeper.configuration.access_token_methods)
-    OAuth::Token.authenticate(request, *methods)
+  class << self
+    attr_reader :orm_adapter
+
+    def configure(&block)
+      @config = Config::Builder.new(&block).build
+      setup
+      @config
+    end
+
+    # @return [Doorkeeper::Config] configuration instance
+    #
+    def configuration
+      @config || configure
+    end
+
+    def configured?
+      !@config.nil?
+    end
+
+    alias config configuration
+
+    def setup
+      setup_orm_adapter
+
+      # Deprecated, will be removed soon
+      unless configuration.orm == :active_record
+        setup_orm_models
+        setup_application_owner
+      end
+    end
+
+    def setup_orm_adapter
+      @orm_adapter = "doorkeeper/orm/#{configuration.orm}".classify.constantize
+    rescue NameError => e
+      raise e, "ORM adapter not found (#{configuration.orm})", <<-ERROR_MSG.strip_heredoc
+        [DOORKEEPER] ORM adapter not found (#{configuration.orm}), or there was an error
+        trying to load it.
+
+        You probably need to add the related gem for this adapter to work with
+        doorkeeper.
+      ERROR_MSG
+    end
+
+    def run_orm_hooks
+      config.clear_cache!
+
+      if @orm_adapter.respond_to?(:run_hooks)
+        @orm_adapter.run_hooks
+      else
+        ::Kernel.warn <<~MSG.strip_heredoc
+          [DOORKEEPER] ORM "#{configuration.orm}" should move all it's setup logic under `#run_hooks` method for
+          the #{@orm_adapter.name}. Later versions of Doorkeeper will no longer support `setup_orm_models` and
+          `setup_application_owner` API.
+        MSG
+      end
+    end
+
+    def setup_orm_models
+      @orm_adapter.initialize_models!
+    end
+
+    def setup_application_owner
+      @orm_adapter.initialize_application_owner!
+    end
+
+    def authenticate(request, methods = Doorkeeper.config.access_token_methods)
+      OAuth::Token.authenticate(request, *methods)
+    end
+
+    def gem_version
+      ::Gem::Version.new(::Doorkeeper::VERSION::STRING)
+    end
   end
 end