Merge branch 'id-bump-doorkeeper-5-3' into 'master'

Bump doorkeeper to 5.3.0 See merge request gitlab-org/gitlab!40929

Merge branch 'id-bump-doorkeeper-5-3' into 'master'
Bump doorkeeper to 5.3.0 See merge request gitlab-org/gitlab!40929
9d57d68f · Rémy Coutable · 58e6326a · 3145a9d9 · 9d57d68f · 9d57d68f
Commit 9d57d68f authored Sep 02, 2020 by Rémy Coutable
11 changed files
--- a/Gemfile
+++ b/Gemfile
@@ -26,8 +26,8 @@ gem 'marginalia', '~> 1.9.0'

 # Authentication libraries
 gem 'devise', '~> 4.6'
-gem 'doorkeeper', '~> 5.1.1'
-gem 'doorkeeper-openid_connect', '~> 1.6.3'
+gem 'doorkeeper', '~> 5.3.0'
+gem 'doorkeeper-openid_connect', '~> 1.7.4'
 gem 'omniauth', '~> 1.8'
 gem 'omniauth-auth0', '~> 2.0.0'
 gem 'omniauth-azure-oauth2', '~> 0.0.9'

--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -254,11 +254,11 @@ GEM
    docile (1.3.2)
    domain_name (0.5.20180417)
      unf (>= 0.0.5, < 1.0.0)
-    doorkeeper (5.1.1)
+    doorkeeper (5.3.3)
      railties (>= 5)
-    doorkeeper-openid_connect (1.6.3)
-      doorkeeper (>= 5.0, < 5.2)
-      json-jwt (~> 1.6)
+    doorkeeper-openid_connect (1.7.4)
+      doorkeeper (>= 5.2, < 5.5)
+      json-jwt (>= 1.11.0)
    dry-configurable (0.11.5)
      concurrent-ruby (~> 1.0)
      dry-core (~> 0.4, >= 0.4.7)
@@ -1265,8 +1265,8 @@ DEPENDENCIES
  diff_match_patch (~> 0.1.0)
  diffy (~> 3.3)
  discordrb-webhooks-blackst0ne (~> 3.3)
-  doorkeeper (~> 5.1.1)
-  doorkeeper-openid_connect (~> 1.6.3)
+  doorkeeper (~> 5.3.0)
+  doorkeeper-openid_connect (~> 1.7.4)
  ed25519 (~> 1.2)
  elasticsearch-api (~> 6.8)
  elasticsearch-model (~> 6.1)

--- a/app/controllers/oauth/jira/authorizations_controller.rb
+++ b/app/controllers/oauth/jira/authorizations_controller.rb
@@ -14,6 +14,7 @@ class Oauth::Jira::AuthorizationsController < ApplicationController

    redirect_to oauth_authorization_path(client_id: params['client_id'],
                                         response_type: 'code',
+                                         scope: params['scope'],
                                         redirect_uri: oauth_jira_callback_url)
  end


--- a/app/views/admin/applications/_form.html.haml
+++ b/app/views/admin/applications/_form.html.haml
@@ -16,11 +16,6 @@
      = doorkeeper_errors_for application, :redirect_uri
      %span.form-text.text-muted
        Use one line per URI
-      - if Doorkeeper.configuration.native_redirect_uri
-        %span.form-text.text-muted
-          Use
-          %code= Doorkeeper.configuration.native_redirect_uri
-          for local tests

  = content_tag :div, class: 'form-group row' do
    .col-sm-2.col-form-label.pt-0

--- a/app/views/doorkeeper/applications/_form.html.haml
+++ b/app/views/doorkeeper/applications/_form.html.haml
@@ -11,9 +11,6 @@

    %span.form-text.text-muted
      = _('Use one line per URI')
-    - if Doorkeeper.configuration.native_redirect_uri
-      %span.form-text.text-muted
-        = html_escape(_('Use %{native_redirect_uri} for local tests')) % { native_redirect_uri: tag.code(Doorkeeper.configuration.native_redirect_uri) }

  .form-group.form-check
    = f.check_box :confidential, class: 'form-check-input'

--- a/changelogs/unreleased/id-bump-doorkeeper-5-3.yml
+++ b/changelogs/unreleased/id-bump-doorkeeper-5-3.yml
+---
+title: Bump doorkeeper to 5.3.0
+merge_request: 40929
+author:
+type: changed
--- a/config/initializers/doorkeeper.rb
+++ b/config/initializers/doorkeeper.rb
@@ -79,13 +79,6 @@ Doorkeeper.configure do
  # Check out the wiki for more information on customization
  access_token_methods :from_access_token_param, :from_bearer_authorization, :from_bearer_param

-  # Change the native redirect uri for client apps
-  # When clients register with the following redirect uri, they won't be redirected to any server and the authorization code will be displayed within the provider
-  # The value can be any string. Use nil to disable this feature. When disabled, clients must provide a valid URL
-  # (Similar behaviour: https://developers.google.com/accounts/docs/OAuth2InstalledApp#choosingredirecturi)
-  #
-  native_redirect_uri nil # 'urn:ietf:wg:oauth:2.0:oob'
-
  # Specify what grant flows are enabled in array of Strings. The valid
  # strings and the flows they enable are:
  #

--- a/config/locales/doorkeeper.en.yml
+++ b/config/locales/doorkeeper.en.yml
@@ -30,7 +30,6 @@ en:
    errors:
      messages:
        # Common error messages
-        invalid_request: 'The request is missing a required parameter, includes an unsupported parameter value, or is otherwise malformed.'
        invalid_redirect_uri: 'The redirect URI included is not valid.'
        unauthorized_client: 'The client is not authorized to perform this request using this method.'
        access_denied: 'The resource owner or authorization server denied the request.'
@@ -54,6 +53,12 @@ en:
        # Password Access token errors
        invalid_resource_owner: 'The provided resource owner credentials are not valid, or resource owner cannot be found'

+        invalid_request:
+          unknown: 'The request is missing a required parameter, includes an unsupported parameter value, or is otherwise malformed.'
+          missing_param: 'Missing required parameter: %{value}.'
+          not_support_pkce: 'Invalid code_verifier parameter. Server does not support pkce.'
+          request_not_authorized: 'Request need to be authorized. Required parameter for authorizing request is missing or invalid.'
+
        invalid_token:
          revoked: "The access token was revoked"
          expired: "The access token expired"

--- a/lib/api/applications.rb
+++ b/lib/api/applications.rb
@@ -6,6 +6,15 @@ module API
    before { authenticated_as_admin! }

    resource :applications do
+      helpers do
+        def validate_redirect_uri(value)
+          uri = ::URI.parse(value)
+          !uri.is_a?(URI::HTTP) || uri.host
+        rescue URI::InvalidURIError
+          false
+        end
+      end
+
      desc 'Create a new application' do
        detail 'This feature was introduced in GitLab 10.5'
        success Entities::ApplicationWithSecret
@@ -19,6 +28,13 @@ module API
          desc: 'Application will be used where the client secret is confidential'
      end
      post do
+        # Validate that host in uri is specified
+        # Please remove it when https://github.com/doorkeeper-gem/doorkeeper/pull/1440 is merged
+        # and the doorkeeper gem version is bumped
+        unless validate_redirect_uri(declared_params[:redirect_uri])
+          render_api_error!({ redirect_uri: ["must be an absolute URI."] }, :bad_request)
+        end
+
        application = Doorkeeper::Application.new(declared_params)

        if application.save

--- a/lib/mattermost/session.rb
+++ b/lib/mattermost/session.rb
@@ -52,7 +52,7 @@ module Mattermost
    # Next methods are needed for Doorkeeper
    def pre_auth
      @pre_auth ||= Doorkeeper::OAuth::PreAuthorization.new(
-        Doorkeeper.configuration, server.client_via_uid, params)
+        Doorkeeper.configuration, params)
    end

    def authorization

--- a/locale/gitlab.pot
+++ b/locale/gitlab.pot
@@ -26892,9 +26892,6 @@ msgstr ""
 msgid "Use %{code_start}::%{code_end} to create a %{link_start}scoped label set%{link_end} (eg. %{code_start}priority::1%{code_end})"
 msgstr ""

-msgid "Use %{native_redirect_uri} for local tests"
-msgstr ""
-
 msgid "Use Service Desk to connect with your users (e.g. to offer customer support) through email right inside GitLab"
 msgstr ""