Skip oAuth authorization for trusted applications

c1fa5e6d · Oswaldo Ferreira · Robert Speicher · bcd31001 · c1fa5e6d · c1fa5e6d
Commit c1fa5e6d authored Jul 17, 2017 by Oswaldo Ferreira Committed by Robert Speicher Jul 27, 2017
12 changed files
--- a/app/controllers/admin/applications_controller.rb
+++ b/app/controllers/admin/applications_controller.rb
@@ -50,6 +50,20 @@ class Admin::ApplicationsController < Admin::ApplicationController

  # Only allow a trusted parameter "white list" through.
  def application_params
-    params[:doorkeeper_application].permit(:name, :redirect_uri, :scopes)
+    params.require(:doorkeeper_application).permit(application_params_ce << application_params_ee)
+  end
+
+  def application_params_ce
+    %i[
+      name
+      redirect_uri
+      scopes
+    ]
+  end
+
+  def application_params_ee
+    %i[
+      trusted
+    ]
  end
 end
--- a/app/views/admin/applications/_form.html.haml
+++ b/app/views/admin/applications/_form.html.haml
@@ -6,6 +6,7 @@
    .col-sm-10
      = f.text_field :name, class: 'form-control'
      = doorkeeper_errors_for application, :name
+
  = content_tag :div, class: 'form-group' do
    = f.label :redirect_uri, class: 'col-sm-2 control-label'
    .col-sm-10
@@ -19,6 +20,13 @@
          %code= Doorkeeper.configuration.native_redirect_uri
          for local tests

+  = content_tag :div, class: 'form-group' do
+    = f.label :trusted, class: 'col-sm-2 control-label'
+    .col-sm-10
+      = f.check_box :trusted
+      %span.help-block
+        Trusted applications are automatically authorized on GitLab oAuth flow.
+
  .form-group
    = f.label :scopes, class: 'col-sm-2 control-label'
    .col-sm-10

--- a/app/views/admin/applications/index.html.haml
+++ b/app/views/admin/applications/index.html.haml
@@ -11,6 +11,7 @@
      %th Name
      %th Callback URL
      %th Clients
+      %th Trusted
      %th
      %th
  %tbody.oauth-applications
@@ -19,5 +20,6 @@
        %td= link_to application.name, admin_application_path(application)
        %td= application.redirect_uri
        %td= application.access_tokens.map(&:resource_owner_id).uniq.count
+        %td= application.trusted? ? 'Y': 'N'
        %td= link_to 'Edit', edit_admin_application_path(application), class: 'btn btn-link'
        %td= render 'delete_form', application: application
--- a/app/views/admin/applications/show.html.haml
+++ b/app/views/admin/applications/show.html.haml
@@ -23,6 +23,12 @@
          %div
            %span.monospace= uri

+    %tr
+      %td
+        Trusted
+      %td
+        = @application.trusted? ? 'Y' : 'N'
+
    = render "shared/tokens/scopes_list", token: @application

 .form-actions

--- a/changelogs/unreleased-ee/skip-oauth-authorization-for-trusted-applications.yml
+++ b/changelogs/unreleased-ee/skip-oauth-authorization-for-trusted-applications.yml
+---
+title: Skip oAuth authorization for trusted applications
+merge_request:
+author:
--- a/config/initializers/doorkeeper.rb
+++ b/config/initializers/doorkeeper.rb
@@ -92,9 +92,9 @@ Doorkeeper.configure do
  # Under some circumstances you might want to have applications auto-approved,
  # so that the user skips the authorization step.
  # For example if dealing with trusted a application.
-  # skip_authorization do |resource_owner, client|
-  #   client.superapp? or resource_owner.admin?
-  # end
+  skip_authorization do |resource_owner, client|
+    client.application.trusted?
+  end

  # WWW-Authenticate Realm (default "Doorkeeper").
  # realm "Doorkeeper"

--- a/db/migrate/20170717200542_add_trusted_column_to_oauth_applications.rb
+++ b/db/migrate/20170717200542_add_trusted_column_to_oauth_applications.rb
+class AddTrustedColumnToOauthApplications < ActiveRecord::Migration
+  include Gitlab::Database::MigrationHelpers
+
+  DOWNTIME = false
+
+  disable_ddl_transaction!
+
+  def up
+    add_column_with_default(:oauth_applications, :trusted, :boolean, default: false)
+  end
+
+  def down
+    remove_column(:oauth_applications, :trusted)
+  end
+end
--- a/db/schema.rb
+++ b/db/schema.rb
@@ -1209,6 +1209,7 @@ ActiveRecord::Schema.define(version: 20170719182937) do
    t.datetime "updated_at"
    t.integer "owner_id"
    t.string "owner_type"
+    t.boolean "trusted", default: false, null: false
  end

  add_index "oauth_applications", ["owner_id", "owner_type"], name: "index_oauth_applications_on_owner_id_and_owner_type", using: :btree

--- a/doc/integration/oauth_provider.md
+++ b/doc/integration/oauth_provider.md
@@ -63,6 +63,9 @@ it from the admin area.

 ![OAuth admin_applications](img/oauth_provider_admin_application.png)

+You're also able to mark an application as _trusted_ when creating it through the admin area. By doing that,
+the user authorization step is automatically skipped for this application.
+
 ---

 ## Authorized applications

--- a/spec/controllers/admin/applications_controller_spec.rb
+++ b/spec/controllers/admin/applications_controller_spec.rb
@@ -28,13 +28,16 @@ describe Admin::ApplicationsController do

  describe 'POST #create' do
    it 'creates the application' do
+      create_params = attributes_for(:application, trusted: true)
+
      expect do
-        post :create, doorkeeper_application: attributes_for(:application)
+        post :create, doorkeeper_application: create_params
      end.to change { Doorkeeper::Application.count }.by(1)

      application = Doorkeeper::Application.last

      expect(response).to redirect_to(admin_application_path(application))
+      expect(application).to have_attributes(create_params.except(:uid, :owner_type))
    end

    it 'renders the application form on errors' do
@@ -49,10 +52,12 @@ describe Admin::ApplicationsController do

  describe 'PATCH #update' do
    it 'updates the application' do
-      patch :update, id: application.id, doorkeeper_application: { redirect_uri: 'http://example.com/' }
+      patch :update, id: application.id, doorkeeper_application: { redirect_uri: 'http://example.com/', trusted: true }
+
+      application.reload

      expect(response).to redirect_to(admin_application_path(application))
-      expect(application.reload.redirect_uri).to eq 'http://example.com/'
+      expect(application).to have_attributes(redirect_uri: 'http://example.com/', trusted: true)
    end

    it 'renders the application form on errors' do

--- a/spec/controllers/oauth/authorizations_controller_spec.rb
+++ b/spec/controllers/oauth/authorizations_controller_spec.rb
@@ -34,6 +34,22 @@ describe Oauth::AuthorizationsController do
    end

    context 'with valid params' do
+      context 'when trusted application' do
+        before do
+          doorkeeper.update(trusted: true)
+        end
+
+        it 'deletes session.user_return_to and redirects' do
+          request.session['user_return_to'] = 'http://example.com'
+          allow(controller).to receive(:skip_authorization?).and_return(true)
+
+          get :new, params
+
+          expect(request.session['user_return_to']).to be_nil
+          expect(response).to have_http_status(302)
+        end
+      end
+
      it 'returns 200 code and renders view' do
        get :new, params


--- a/spec/features/admin/admin_manage_applications_spec.rb
+++ b/spec/features/admin/admin_manage_applications_spec.rb
@@ -13,19 +13,24 @@ RSpec.describe 'admin manage applications' do

    fill_in :doorkeeper_application_name, with: 'test'
    fill_in :doorkeeper_application_redirect_uri, with: 'https://test.com'
+    check :doorkeeper_application_trusted
    click_on 'Submit'
    expect(page).to have_content('Application: test')
    expect(page).to have_content('Application Id')
    expect(page).to have_content('Secret')
+    expect(page).to have_content('Trusted Y')

    click_on 'Edit'
    expect(page).to have_content('Edit application')

    fill_in :doorkeeper_application_name, with: 'test_changed'
+    uncheck :doorkeeper_application_trusted
+
    click_on 'Submit'
    expect(page).to have_content('test_changed')
    expect(page).to have_content('Application Id')
    expect(page).to have_content('Secret')
+    expect(page).to have_content('Trusted N')

    visit admin_applications_path
    page.within '.oauth-applications' do