doorkeeper 5.0.3 → 5.1.0.rc1

data/spec/lib/config_spec.rb

@@ -141,6 +141,22 @@ describe Doorkeeper, 'configuration' do
     end
   end
 
+  describe 'scopes_by_grant_type' do
+    it 'is {} by default' do
+      expect(subject.scopes_by_grant_type).to eq({})
+    end
+
+    it 'has hash value' do
+      hash = {}
+      Doorkeeper.configure do
+        orm DOORKEEPER_ORM
+        scopes_by_grant_type hash
+      end
+
+      expect(subject.scopes_by_grant_type).to eq(hash)
+    end
+  end
+
   describe 'use_refresh_token' do
     it 'is false by default' do
       expect(subject.refresh_token_enabled?).to eq(false)
@@ -525,4 +541,72 @@ describe Doorkeeper, 'configuration' do
       expect(subject.handle_auth_errors).to eq(:raise)
     end
   end
+
+  describe 'hash_application_secrets' do
+    it 'is disabled by default' do
+      expect(subject.hash_application_secrets?).to eq(false)
+      expect(::Doorkeeper::Application.perform_secret_hashing?).to eq(false)
+    end
+
+    context 'when provided' do
+      before do
+        Doorkeeper.configure do
+          reuse_access_token
+          hash_application_secrets
+        end
+      end
+
+      it 'will enable hashing for applications' do
+        expect(subject.reuse_access_token).to eq(true)
+        expect(subject.hash_application_secrets?).to eq(true)
+
+        expect(::Doorkeeper::Application.perform_secret_hashing?).to eq(true)
+      end
+    end
+  end
+
+  describe 'hash_token_secrets' do
+    it 'is disabled by default' do
+      expect(subject.hash_token_secrets?).to eq(false)
+      expect(::Doorkeeper::AccessToken.perform_secret_hashing?).to eq(false)
+      expect(::Doorkeeper::AccessGrant.perform_secret_hashing?).to eq(false)
+    end
+
+    context 'when provided' do
+      include_context 'with token hashing enabled'
+
+      it 'will enable hashing for AccessToken and AccessGrant' do
+        expect(subject.hash_token_secrets?).to eq(true)
+        expect(::Doorkeeper::AccessToken.perform_secret_hashing?).to eq(true)
+        expect(::Doorkeeper::AccessGrant.perform_secret_hashing?).to eq(true)
+      end
+    end
+  end
+
+  describe 'fallback_to_plain_secrets' do
+    it 'is disabled by default' do
+      expect(subject.fallback_to_plain_secrets?).to eq(false)
+    end
+
+    context 'when provided' do
+      include_context 'with token hashing and fallback lookup enabled'
+
+      it 'will enable fallbacks' do
+        expect(subject.fallback_to_plain_secrets?).to eq(true)
+      end
+    end
+  end
+
+  describe 'hash_token_secrets together with reuse_access_token' do
+    it 'will disable reuse_access_token' do
+      expect(Rails.logger).to receive(:warn).with(/reuse_access_token will be disabled/)
+
+      Doorkeeper.configure do
+        reuse_access_token
+        hash_token_secrets
+      end
+
+      expect(subject.reuse_access_token).to eq(false)
+    end
+  end
 end

data/spec/lib/models/hashable_spec.rb

@@ -0,0 +1,183 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe 'Hashable' do
+  let(:clazz) do
+    Class.new do
+      include Doorkeeper::Models::Hashable
+
+      def self.find_by(*)
+        raise 'stub this'
+      end
+
+      def update_column(*)
+        raise 'stub this'
+      end
+
+      def token
+        raise 'stub this'
+      end
+    end
+  end
+
+  describe :hashed_or_plain_token do
+    let(:enabled_hashing?) { false }
+    subject { clazz.send(:hashed_or_plain_token, 'input') }
+
+    before do
+      allow(clazz).to receive(:perform_secret_hashing?)
+        .and_return enabled_hashing?
+    end
+
+    context 'when no hash function set' do
+      it 'returns the plain input' do
+        expect(subject).to eq 'input'
+      end
+
+      context 'when hashing enabled' do
+        let(:enabled_hashing?) { true }
+
+        it 'uses the default function' do
+          expect(clazz)
+            .to receive(:default_hash_function)
+            .with('input')
+            .and_call_original
+
+          expect(subject).not_to eq 'input'
+        end
+      end
+    end
+
+    context 'when hash_function defined' do
+      let(:hash_function) { ->(input) { input + '-hashed' } }
+
+      before do
+        clazz.secret_hash_function = hash_function
+      end
+
+      it 'returns the plain input' do
+        expect(clazz).not_to receive(:default_hash_function)
+        expect(subject).to eq 'input'
+      end
+
+      context 'when hashing enabled' do
+        let(:enabled_hashing?) { true }
+
+        it 'uses that function' do
+          expect(hash_function)
+            .to receive(:call)
+            .with('input')
+            .and_call_original
+
+          expect(subject).to eq 'input-hashed'
+        end
+      end
+    end
+  end
+
+  describe :secret_matches? do
+    context 'when comparer undefined' do
+      it 'uses a default compare' do
+        expect(clazz).to receive(:default_comparer).with('a', 'a').and_return true
+        expect(clazz.secret_matches?('a', 'a')).to be_truthy
+      end
+    end
+
+    context 'when comparer defined' do
+      let(:comparer) do
+        ->(*) { false }
+      end
+
+      before do
+        clazz.secret_comparer = comparer
+      end
+
+      it 'uses that comparer' do
+        expect(comparer).to receive(:call).with('a', 'a').and_call_original
+        expect(clazz.secret_matches?('a', 'a')).to be_falsey
+      end
+    end
+  end
+
+  describe :find_by_fallback_token do
+    let(:old_token) { instance_double(clazz, token: 'input') }
+    subject { clazz.send(:find_by_fallback_token, :token, 'input') }
+
+    it 'does not call find_by when not configured' do
+      expect(clazz).not_to receive(:find_by)
+      expect(subject).to eq(nil)
+    end
+
+    context 'when fallback configured' do
+      include_context 'with token hashing and fallback lookup enabled'
+      let(:hashed_token) { hashed_or_plain_token_func.call('input') }
+
+      it 'upgrades the plain token if no hashed exists' do
+        expect(clazz).to receive(:find_by).with(token: 'input').and_return(old_token)
+        expect(old_token).to receive(:update_column).with(:token, hashed_token)
+
+        expect(subject).to eq(old_token)
+      end
+    end
+  end
+
+  describe :find_by_plaintext_token do
+    let(:plain_token) { 'asdf' }
+    let(:subject) { clazz.send(:find_by_plaintext_token, :token, plain_token) }
+    let(:hashing_enabled?) { false }
+
+    before do
+      allow(clazz).to receive(:perform_secret_hashing?).and_return(hashing_enabled?)
+    end
+
+    context 'when not configured' do
+      it 'always finds with the plain value even when nil' do
+        expect(clazz).to receive(:find_by).with(token: plain_token).once.and_return(nil)
+        expect(subject).to eq(nil)
+      end
+    end
+
+    context 'when hashing configured' do
+      let(:hashing_enabled?) { true }
+      let(:hashed_token) { clazz.send(:default_hash_function, plain_token) }
+
+      it 'calls find_by only on the hashed value if it returns' do
+        expect(clazz).not_to receive(:find_by).with(token: plain_token)
+        expect(clazz).to receive(:find_by).with(token: hashed_token).and_return(:result)
+
+        expect(subject).to eq(:result)
+      end
+
+      it 'does not fall back to plain token' do
+        expect(clazz).not_to receive(:find_by).with(token: plain_token)
+        expect(clazz).to receive(:find_by).with(token: hashed_token).and_return(nil)
+
+        expect(subject).to eq(nil)
+      end
+
+      context 'when fallback configured' do
+        let(:old_token) { instance_double(clazz, token: plain_token) }
+        let(:hashed_token) { hashed_or_plain_token_func.call(plain_token) }
+
+        include_context 'with token hashing and fallback lookup enabled'
+
+        it 'does not fallback if found by hashed token' do
+          expect(clazz).to receive(:find_by).with(token: hashed_token).and_return old_token
+          expect(clazz).not_to receive(:find_by).with(token: plain_token)
+          expect(clazz).not_to receive(:upgrade_fallback_value)
+
+          expect(subject).to eq(old_token)
+        end
+
+        it 'also searches for the plain token if no hashed exists' do
+          expect(clazz).to receive(:find_by).with(token: hashed_token).and_return nil
+          expect(clazz).to receive(:find_by).with(token: plain_token).and_return(old_token)
+          expect(old_token).to receive(:update_column).with(:token, hashed_token)
+
+          expect(subject).to eq(old_token)
+        end
+      end
+    end
+  end
+end

data/spec/lib/oauth/base_request_spec.rb

@@ -4,13 +4,13 @@ module Doorkeeper::OAuth
   describe BaseRequest do
     let(:access_token) do
       double :access_token,
-             token:              "some-token",
-             expires_in:         "3600",
-             expires_in_seconds: "300",
-             scopes_string:      "two scopes",
-             refresh_token:      "some-refresh-token",
-             token_type:         "bearer",
-             created_at:         0
+             plaintext_token:         "some-token",
+             expires_in:              "3600",
+             expires_in_seconds:      "300",
+             scopes_string:           "two scopes",
+             plaintext_refresh_token: "some-refresh-token",
+             token_type:              "bearer",
+             created_at:              0
     end
 
     let(:client) { double :client, id: '1' }

data/spec/lib/oauth/client_credentials/validation_spec.rb

@@ -21,6 +21,7 @@ class Doorkeeper::OAuth::ClientCredentialsRequest
     context 'with scopes' do
       it 'is invalid when scopes are not included in the server' do
         server_scopes = Doorkeeper::OAuth::Scopes.from_string 'email'
+        allow(request).to receive(:grant_type).and_return(Doorkeeper::OAuth::CLIENT_CREDENTIALS)
         allow(server).to receive(:scopes).and_return(server_scopes)
         allow(request).to receive(:scopes).and_return(
           Doorkeeper::OAuth::Scopes.from_string('invalid')
@@ -34,6 +35,7 @@ class Doorkeeper::OAuth::ClientCredentialsRequest
           server_scopes = Doorkeeper::OAuth::Scopes.from_string 'email app'
           allow(application).to receive(:scopes).and_return(application_scopes)
           allow(server).to receive(:scopes).and_return(server_scopes)
+          allow(request).to receive(:grant_type).and_return(Doorkeeper::OAuth::CLIENT_CREDENTIALS)
           allow(request).to receive(:scopes).and_return(application_scopes)
           expect(subject).to be_valid
         end
@@ -42,6 +44,7 @@ class Doorkeeper::OAuth::ClientCredentialsRequest
           application_scopes = Doorkeeper::OAuth::Scopes.from_string 'app'
           server_scopes = Doorkeeper::OAuth::Scopes.from_string 'email app'
           allow(application).to receive(:scopes).and_return(application_scopes)
+          allow(request).to receive(:grant_type).and_return(Doorkeeper::OAuth::CLIENT_CREDENTIALS)
           allow(server).to receive(:scopes).and_return(server_scopes)
           allow(request).to receive(:scopes).and_return(
             Doorkeeper::OAuth::Scopes.from_string('email')

data/spec/lib/oauth/helpers/scope_checker_spec.rb

@@ -6,31 +6,31 @@ module Doorkeeper::OAuth::Helpers
 
     it 'is valid if scope is present' do
       server_scopes.add :scope
-      expect(ScopeChecker.valid?('scope', server_scopes)).to be_truthy
+      expect(ScopeChecker.valid?(scope_str: 'scope', server_scopes: server_scopes)).to be_truthy
     end
 
     it 'is invalid if includes tabs space' do
-      expect(ScopeChecker.valid?("\tsomething", server_scopes)).to be_falsey
+      expect(ScopeChecker.valid?(scope_str: "\tsomething", server_scopes: server_scopes)).to be_falsey
     end
 
     it 'is invalid if scope is not present' do
-      expect(ScopeChecker.valid?(nil, server_scopes)).to be_falsey
+      expect(ScopeChecker.valid?(scope_str: nil, server_scopes: server_scopes)).to be_falsey
     end
 
     it 'is invalid if scope is blank' do
-      expect(ScopeChecker.valid?(' ', server_scopes)).to be_falsey
+      expect(ScopeChecker.valid?(scope_str: ' ', server_scopes: server_scopes)).to be_falsey
     end
 
     it 'is invalid if includes return space' do
-      expect(ScopeChecker.valid?("scope\r", server_scopes)).to be_falsey
+      expect(ScopeChecker.valid?(scope_str: "scope\r", server_scopes: server_scopes)).to be_falsey
     end
 
     it 'is invalid if includes new lines' do
-      expect(ScopeChecker.valid?("scope\nanother", server_scopes)).to be_falsey
+      expect(ScopeChecker.valid?(scope_str: "scope\nanother", server_scopes: server_scopes)).to be_falsey
     end
 
     it 'is invalid if any scope is not included in server scopes' do
-      expect(ScopeChecker.valid?('scope another', server_scopes)).to be_falsey
+      expect(ScopeChecker.valid?(scope_str: 'scope another', server_scopes: server_scopes)).to be_falsey
     end
 
     context 'with application_scopes' do
@@ -42,19 +42,54 @@ module Doorkeeper::OAuth::Helpers
       end
 
       it 'is valid if scope is included in the application scope list' do
-        expect(ScopeChecker.valid?(
-                 'app123',
-                 server_scopes,
-                 application_scopes
-               )).to be_truthy
+        expect(ScopeChecker.valid?(scope_str: 'app123',
+                                   server_scopes: server_scopes,
+                                   app_scopes: application_scopes)).to be_truthy
       end
 
       it 'is invalid if any scope is not included in the application' do
-        expect(ScopeChecker.valid?(
-                 'svr',
-                 server_scopes,
-                 application_scopes
-               )).to be_falsey
+        expect(ScopeChecker.valid?(scope_str: 'svr',
+                                   server_scopes: server_scopes,
+                                   app_scopes: application_scopes)).to be_falsey
+      end
+    end
+
+    context 'with grant_type' do
+      let(:server_scopes) do
+        Doorkeeper::OAuth::Scopes.from_string 'scope1 scope2'
+      end
+
+      context 'with scopes_by_grant_type not configured for grant_type' do
+        it 'is valid if the scope is in server scopes' do
+          expect(ScopeChecker.valid?(scope_str: 'scope1',
+                                     server_scopes: server_scopes,
+                                     grant_type: Doorkeeper::OAuth::PASSWORD)).to be_truthy
+        end
+
+        it 'is invalid if the scope is not in server scopes' do
+          expect(ScopeChecker.valid?(scope_str: 'unknown',
+                                     server_scopes: server_scopes,
+                                     grant_type: Doorkeeper::OAuth::PASSWORD)).to be_falsey
+        end
+      end
+
+      context 'when scopes_by_grant_type configured for grant_type' do
+        before do
+          allow(Doorkeeper.configuration).to receive(:scopes_by_grant_type).
+            and_return(password: [:scope1])
+        end
+
+        it 'is valid if the scope is permitted for grant_type' do
+          expect(ScopeChecker.valid?(scope_str: 'scope1',
+                                     server_scopes: server_scopes,
+                                     grant_type: Doorkeeper::OAuth::PASSWORD)).to be_truthy
+        end
+
+        it 'is invalid if the scope is permitted for grant_type' do
+          expect(ScopeChecker.valid?(scope_str: 'scope2',
+                                     server_scopes: server_scopes,
+                                     grant_type: Doorkeeper::OAuth::PASSWORD)).to be_falsey
+        end
       end
     end
   end

data/spec/lib/oauth/helpers/uri_checker_spec.rb

@@ -61,18 +61,36 @@ module Doorkeeper::OAuth::Helpers
         expect(URIChecker.matches?(uri, client_uri)).to be_truthy
       end
 
-      it 'doesn\'t allow non-matching domains through' do
+      it "doesn't allow non-matching domains through" do
         uri = 'http://app.abc/?query=hello'
         client_uri = 'http://app.co'
         expect(URIChecker.matches?(uri, client_uri)).to be_falsey
       end
 
-      it 'doesn\'t allow non-matching domains that don\'t start at the beginning' do
+      it "doesn't allow non-matching domains that don't start at the beginning" do
         uri = 'http://app.co/?query=hello'
         client_uri = 'http://example.com?app.co=test'
         expect(URIChecker.matches?(uri, client_uri)).to be_falsey
       end
 
+      context 'loopback IP redirect URIs' do
+        it 'ignores port for same URIs' do
+          uri = 'http://127.0.0.1:5555/auth/callback'
+          client_uri = 'http://127.0.0.1:48599/auth/callback'
+          expect(URIChecker.matches?(uri, client_uri)).to be_truthy
+
+          uri = 'http://[::1]:5555/auth/callback'
+          client_uri = 'http://[::1]:5555/auth/callback'
+          expect(URIChecker.matches?(uri, client_uri)).to be_truthy
+        end
+
+        it "doesn't ignore port for URIs with different queries" do
+          uri = 'http://127.0.0.1:5555/auth/callback'
+          client_uri = 'http://127.0.0.1:48599/auth/callback2'
+          expect(URIChecker.matches?(uri, client_uri)).to be_falsey
+        end
+      end
+
       context "client registered query params" do
         it "doesn't allow query being absent" do
           uri = 'http://app.co'