doorkeeper 5.1.0.rc1 → 5.1.0.rc2

data/spec/routing/custom_controller_routes_spec.rb

@@ -2,6 +2,10 @@ require 'spec_helper'
 
 describe 'Custom controller for routes' do
   before :all do
+    Doorkeeper.configure do
+      orm DOORKEEPER_ORM
+    end
+
     Rails.application.routes.disable_clear_and_finalize = true
 
     Rails.application.routes.draw do

data/spec/support/shared/hashing_shared_context.rb

@@ -1,7 +1,10 @@
 # frozen_string_literal: true
 
 shared_context 'with token hashing enabled' do
-  let(:hashed_or_plain_token_func) { Doorkeeper::AccessToken.method(:hashed_or_plain_token) }
+  let(:hashed_or_plain_token_func) do
+    Doorkeeper::SecretStoring::Sha256Hash.method(:transform_secret)
+  end
+
   before do
     Doorkeeper.configure do
       hash_token_secrets
@@ -10,17 +13,21 @@ shared_context 'with token hashing enabled' do
 end
 
 shared_context 'with token hashing and fallback lookup enabled' do
-  let(:hashed_or_plain_token_func) { Doorkeeper::AccessToken.method(:hashed_or_plain_token) }
+  let(:hashed_or_plain_token_func) do
+    Doorkeeper::SecretStoring::Sha256Hash.method(:transform_secret)
+  end
+
   before do
     Doorkeeper.configure do
-      hash_token_secrets
-      fallback_to_plain_secrets
+      hash_token_secrets fallback: :plain
     end
   end
 end
 
 shared_context 'with application hashing enabled' do
-  let(:hashed_or_plain_token_func) { Doorkeeper::Application.method(:hashed_or_plain_token) }
+  let(:hashed_or_plain_token_func) do
+    Doorkeeper::SecretStoring::Sha256Hash.method(:transform_secret)
+  end
   before do
     Doorkeeper.configure do
       hash_application_secrets

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: doorkeeper
 version: !ruby/object:Gem::Version
-  version: 5.1.0.rc1
+  version: 5.1.0.rc2
 platform: ruby
 authors:
 - Felipe Elias Philipp
@@ -11,7 +11,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2019-01-17 00:00:00.000000000 Z
+date: 2019-03-22 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: railties
@@ -28,21 +28,21 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '4.2'
 - !ruby/object:Gem::Dependency
-  name: capybara
+  name: appraisal
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '2.18'
+        version: '0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '2.18'
+        version: '0'
 - !ruby/object:Gem::Dependency
-  name: coveralls
+  name: capybara
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
@@ -56,33 +56,33 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
-  name: danger
+  name: coveralls
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '5.0'
+        version: '0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '5.0'
+        version: '0'
 - !ruby/object:Gem::Dependency
-  name: grape
+  name: danger
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '5.0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '5.0'
 - !ruby/object:Gem::Dependency
   name: database_cleaner
   requirement: !ruby/object:Gem::Requirement
@@ -125,6 +125,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: 0.9.3
+- !ruby/object:Gem::Dependency
+  name: grape
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
@@ -212,6 +226,7 @@ files:
 - gemfiles/rails_5_0.gemfile
 - gemfiles/rails_5_1.gemfile
 - gemfiles/rails_5_2.gemfile
+- gemfiles/rails_6_0.gemfile
 - gemfiles/rails_master.gemfile
 - lib/doorkeeper.rb
 - lib/doorkeeper/config.rb
@@ -225,11 +240,12 @@ files:
 - lib/doorkeeper/models/application_mixin.rb
 - lib/doorkeeper/models/concerns/accessible.rb
 - lib/doorkeeper/models/concerns/expirable.rb
-- lib/doorkeeper/models/concerns/hashable.rb
 - lib/doorkeeper/models/concerns/orderable.rb
 - lib/doorkeeper/models/concerns/ownership.rb
+- lib/doorkeeper/models/concerns/reusable.rb
 - lib/doorkeeper/models/concerns/revocable.rb
 - lib/doorkeeper/models/concerns/scopes.rb
+- lib/doorkeeper/models/concerns/secret_storable.rb
 - lib/doorkeeper/oauth.rb
 - lib/doorkeeper/oauth/authorization/code.rb
 - lib/doorkeeper/oauth/authorization/context.rb
@@ -281,6 +297,10 @@ files:
 - lib/doorkeeper/request/refresh_token.rb
 - lib/doorkeeper/request/strategy.rb
 - lib/doorkeeper/request/token.rb
+- lib/doorkeeper/secret_storing/base.rb
+- lib/doorkeeper/secret_storing/bcrypt.rb
+- lib/doorkeeper/secret_storing/plain.rb
+- lib/doorkeeper/secret_storing/sha256_hash.rb
 - lib/doorkeeper/server.rb
 - lib/doorkeeper/stale_records_cleaner.rb
 - lib/doorkeeper/validations.rb
@@ -360,9 +380,10 @@ files:
 - spec/lib/config_spec.rb
 - spec/lib/doorkeeper_spec.rb
 - spec/lib/models/expirable_spec.rb
-- spec/lib/models/hashable_spec.rb
+- spec/lib/models/reusable_spec.rb
 - spec/lib/models/revocable_spec.rb
 - spec/lib/models/scopes_spec.rb
+- spec/lib/models/secret_storable_spec.rb
 - spec/lib/oauth/authorization/uri_builder_spec.rb
 - spec/lib/oauth/authorization_code_request_spec.rb
 - spec/lib/oauth/base_request_spec.rb
@@ -391,6 +412,10 @@ files:
 - spec/lib/oauth/token_response_spec.rb
 - spec/lib/oauth/token_spec.rb
 - spec/lib/request/strategy_spec.rb
+- spec/lib/secret_storing/base_spec.rb
+- spec/lib/secret_storing/bcrypt_spec.rb
+- spec/lib/secret_storing/plain_spec.rb
+- spec/lib/secret_storing/sha256_hash_spec.rb
 - spec/lib/server_spec.rb
 - spec/lib/stale_records_cleaner_spec.rb
 - spec/models/doorkeeper/access_grant_spec.rb
@@ -518,9 +543,10 @@ test_files:
 - spec/lib/config_spec.rb
 - spec/lib/doorkeeper_spec.rb
 - spec/lib/models/expirable_spec.rb
-- spec/lib/models/hashable_spec.rb
+- spec/lib/models/reusable_spec.rb
 - spec/lib/models/revocable_spec.rb
 - spec/lib/models/scopes_spec.rb
+- spec/lib/models/secret_storable_spec.rb
 - spec/lib/oauth/authorization/uri_builder_spec.rb
 - spec/lib/oauth/authorization_code_request_spec.rb
 - spec/lib/oauth/base_request_spec.rb
@@ -549,6 +575,10 @@ test_files:
 - spec/lib/oauth/token_response_spec.rb
 - spec/lib/oauth/token_spec.rb
 - spec/lib/request/strategy_spec.rb
+- spec/lib/secret_storing/base_spec.rb
+- spec/lib/secret_storing/bcrypt_spec.rb
+- spec/lib/secret_storing/plain_spec.rb
+- spec/lib/secret_storing/sha256_hash_spec.rb
 - spec/lib/server_spec.rb
 - spec/lib/stale_records_cleaner_spec.rb
 - spec/models/doorkeeper/access_grant_spec.rb

data/lib/doorkeeper/models/concerns/hashable.rb

@@ -1,137 +0,0 @@
-# frozen_string_literal: true
-
-module Doorkeeper
-  module Models
-    ##
-    # Hashable finder to provide lookups for input plaintext values which are
-    # mapped to their hashes before lookup.
-    module Hashable
-      extend ActiveSupport::Concern
-
-      delegate :perform_secret_hashing?,
-               :hashed_or_plain_token,
-               to: :class
-
-      # :nodoc
-      module ClassMethods
-        # Allow to override the hashing method by the including module
-        attr_accessor :secret_hash_function, :secret_comparer
-
-        # Compare the given plaintext with the secret
-        #
-        # @param input [String]
-        #   The plain input to compare.
-        #
-        # @param secret [String]
-        #   The secret value to compare with.
-        #
-        # @return [Boolean]
-        #   If hashing is enabled: Whether the secret equals hashed input
-        #   If hashing is disabled: Whether input matches secret
-        #
-        def secret_matches?(input, secret)
-          unless perform_secret_hashing?
-            return ActiveSupport::SecurityUtils.secure_compare input, secret
-          end
-
-          (secret_comparer || method(:default_comparer))
-            .call(input, secret)
-        end
-
-        # Returns an instance of the Doorkeeper::AccessToken with
-        # specific token value.
-        #
-        # @param attr [Symbol]
-        #   The token attribute we're looking with.
-        #
-        # @param token [#to_s]
-        #   token value (any object that responds to `#to_s`)
-        #
-        # @return [Doorkeeper::AccessToken, nil] AccessToken object or nil
-        #   if there is no record with such token
-        #
-        def find_by_plaintext_token(attr, token)
-          token = token.to_s
-
-          find_by(attr => hashed_or_plain_token(token)) ||
-            find_by_fallback_token(attr, token)
-        end
-
-        # Allow looking up previously plain tokens as a fallback
-        # IFF respective options are enabled
-        #
-        # @param attr [Symbol]
-        #   The token attribute we're looking with.
-        #
-        # @param token [#to_s]
-        #   token value (any object that responds to `#to_s`)
-        #
-        # @return [Doorkeeper::AccessToken, nil] AccessToken object or nil
-        #   if there is no record with such token
-        #
-        def find_by_fallback_token(attr, token)
-          return nil unless perform_secret_hashing?
-          return nil unless Doorkeeper.configuration.fallback_to_plain_secrets?
-
-          find_by(attr => token).tap do |fallback|
-            upgrade_fallback_value fallback, attr
-          end
-        end
-
-        # Hash the given input token
-        #
-        # @param plain_token [String]
-        #   The plain text token to hash.
-        #
-        # @return [String]
-        #   IFF secret hashing enabled, the hashed token,
-        #   otherwise returns the plain token.
-        def hashed_or_plain_token(plain_token)
-          if perform_secret_hashing?
-            (secret_hash_function || method(:default_hash_function))
-              .call plain_token
-          else
-            plain_token
-          end
-        end
-
-        # Allow implementations in ORMs to replace a plain
-        # value falling back to to avoid it remaining as plain text.
-        #
-        # @param instance
-        #   An instance of this model with a plain value token.
-        #
-        # @param attr
-        #   The token attribute to upgrade
-        #
-        def upgrade_fallback_value(instance, attr)
-          plain_token = instance.public_send attr
-          instance.update_column(attr, hashed_or_plain_token(plain_token))
-        end
-
-        # Including classes can override this function to
-        # disable or enable secret hashing dynamically
-        def perform_secret_hashing?
-          true
-        end
-
-        # Return a default hashing function to be used when including
-        # module or user does not specify what to use
-        # @param plain_token [String]
-        #   The plain text token to hash.
-        #
-        # @return [String] Hashed plain text token
-        #
-        def default_hash_function(plain_token)
-          ::Digest::SHA256.hexdigest plain_token
-        end
-
-        # Return a default comparer for the given hash function
-        def default_comparer(plain, secret)
-          hashed = hashed_or_plain_token(plain)
-          ActiveSupport::SecurityUtils.secure_compare hashed, secret
-        end
-      end
-    end
-  end
-end

data/spec/lib/models/hashable_spec.rb

@@ -1,183 +0,0 @@
-# frozen_string_literal: true
-
-require 'spec_helper'
-
-describe 'Hashable' do
-  let(:clazz) do
-    Class.new do
-      include Doorkeeper::Models::Hashable
-
-      def self.find_by(*)
-        raise 'stub this'
-      end
-
-      def update_column(*)
-        raise 'stub this'
-      end
-
-      def token
-        raise 'stub this'
-      end
-    end
-  end
-
-  describe :hashed_or_plain_token do
-    let(:enabled_hashing?) { false }
-    subject { clazz.send(:hashed_or_plain_token, 'input') }
-
-    before do
-      allow(clazz).to receive(:perform_secret_hashing?)
-        .and_return enabled_hashing?
-    end
-
-    context 'when no hash function set' do
-      it 'returns the plain input' do
-        expect(subject).to eq 'input'
-      end
-
-      context 'when hashing enabled' do
-        let(:enabled_hashing?) { true }
-
-        it 'uses the default function' do
-          expect(clazz)
-            .to receive(:default_hash_function)
-            .with('input')
-            .and_call_original
-
-          expect(subject).not_to eq 'input'
-        end
-      end
-    end
-
-    context 'when hash_function defined' do
-      let(:hash_function) { ->(input) { input + '-hashed' } }
-
-      before do
-        clazz.secret_hash_function = hash_function
-      end
-
-      it 'returns the plain input' do
-        expect(clazz).not_to receive(:default_hash_function)
-        expect(subject).to eq 'input'
-      end
-
-      context 'when hashing enabled' do
-        let(:enabled_hashing?) { true }
-
-        it 'uses that function' do
-          expect(hash_function)
-            .to receive(:call)
-            .with('input')
-            .and_call_original
-
-          expect(subject).to eq 'input-hashed'
-        end
-      end
-    end
-  end
-
-  describe :secret_matches? do
-    context 'when comparer undefined' do
-      it 'uses a default compare' do
-        expect(clazz).to receive(:default_comparer).with('a', 'a').and_return true
-        expect(clazz.secret_matches?('a', 'a')).to be_truthy
-      end
-    end
-
-    context 'when comparer defined' do
-      let(:comparer) do
-        ->(*) { false }
-      end
-
-      before do
-        clazz.secret_comparer = comparer
-      end
-
-      it 'uses that comparer' do
-        expect(comparer).to receive(:call).with('a', 'a').and_call_original
-        expect(clazz.secret_matches?('a', 'a')).to be_falsey
-      end
-    end
-  end
-
-  describe :find_by_fallback_token do
-    let(:old_token) { instance_double(clazz, token: 'input') }
-    subject { clazz.send(:find_by_fallback_token, :token, 'input') }
-
-    it 'does not call find_by when not configured' do
-      expect(clazz).not_to receive(:find_by)
-      expect(subject).to eq(nil)
-    end
-
-    context 'when fallback configured' do
-      include_context 'with token hashing and fallback lookup enabled'
-      let(:hashed_token) { hashed_or_plain_token_func.call('input') }
-
-      it 'upgrades the plain token if no hashed exists' do
-        expect(clazz).to receive(:find_by).with(token: 'input').and_return(old_token)
-        expect(old_token).to receive(:update_column).with(:token, hashed_token)
-
-        expect(subject).to eq(old_token)
-      end
-    end
-  end
-
-  describe :find_by_plaintext_token do
-    let(:plain_token) { 'asdf' }
-    let(:subject) { clazz.send(:find_by_plaintext_token, :token, plain_token) }
-    let(:hashing_enabled?) { false }
-
-    before do
-      allow(clazz).to receive(:perform_secret_hashing?).and_return(hashing_enabled?)
-    end
-
-    context 'when not configured' do
-      it 'always finds with the plain value even when nil' do
-        expect(clazz).to receive(:find_by).with(token: plain_token).once.and_return(nil)
-        expect(subject).to eq(nil)
-      end
-    end
-
-    context 'when hashing configured' do
-      let(:hashing_enabled?) { true }
-      let(:hashed_token) { clazz.send(:default_hash_function, plain_token) }
-
-      it 'calls find_by only on the hashed value if it returns' do
-        expect(clazz).not_to receive(:find_by).with(token: plain_token)
-        expect(clazz).to receive(:find_by).with(token: hashed_token).and_return(:result)
-
-        expect(subject).to eq(:result)
-      end
-
-      it 'does not fall back to plain token' do
-        expect(clazz).not_to receive(:find_by).with(token: plain_token)
-        expect(clazz).to receive(:find_by).with(token: hashed_token).and_return(nil)
-
-        expect(subject).to eq(nil)
-      end
-
-      context 'when fallback configured' do
-        let(:old_token) { instance_double(clazz, token: plain_token) }
-        let(:hashed_token) { hashed_or_plain_token_func.call(plain_token) }
-
-        include_context 'with token hashing and fallback lookup enabled'
-
-        it 'does not fallback if found by hashed token' do
-          expect(clazz).to receive(:find_by).with(token: hashed_token).and_return old_token
-          expect(clazz).not_to receive(:find_by).with(token: plain_token)
-          expect(clazz).not_to receive(:upgrade_fallback_value)
-
-          expect(subject).to eq(old_token)
-        end
-
-        it 'also searches for the plain token if no hashed exists' do
-          expect(clazz).to receive(:find_by).with(token: hashed_token).and_return nil
-          expect(clazz).to receive(:find_by).with(token: plain_token).and_return(old_token)
-          expect(old_token).to receive(:update_column).with(:token, hashed_token)
-
-          expect(subject).to eq(old_token)
-        end
-      end
-    end
-  end
-end