Add scopes presence validation on OAuth Application creation

- Update OAuth Applications controllers to disallow empty scopes application creation

Add scopes presence validation on OAuth Application creation
- Update OAuth Applications controllers to disallow empty scopes application creation
fba26a2f · George Koltsov · Drew Blessing · 28fb38c7 · fba26a2f · fba26a2f
Commit fba26a2f authored Aug 28, 2020 by George Koltsov Committed by Drew Blessing Sep 01, 2020
7 changed files
--- a/app/services/applications/create_service.rb
+++ b/app/services/applications/create_service.rb
@@ -11,7 +11,16 @@ module Applications
    # EE would override and use `request` arg
    def execute(request)
-      Doorkeeper::Application.create(params)
+      @application = Doorkeeper::Application.new(params)
+      unless params[:scopes].present?
+        @application.errors.add(:base, _("Scopes can't be blank"))
+        return @application
+      end
+      @application.save
+      @application
    end
  end
 end

--- a/changelogs/unreleased/security-add-presence-validation-oauth-apps.yml
+++ b/changelogs/unreleased/security-add-presence-validation-oauth-apps.yml
+---
+title: Add scope presence validation to OAuth Application creation
+merge_request:
+author:
+type: security
--- a/spec/controllers/admin/applications_controller_spec.rb
+++ b/spec/controllers/admin/applications_controller_spec.rb
@@ -40,7 +40,7 @@ RSpec.describe Admin::ApplicationsController do
  describe 'POST #create' do
    it 'creates the application' do
-      create_params = attributes_for(:application, trusted: true, confidential: false)
+      create_params = attributes_for(:application, trusted: true, confidential: false, scopes: ['api'])
      expect do
        post :create, params: { doorkeeper_application: create_params }
@@ -63,7 +63,7 @@ RSpec.describe Admin::ApplicationsController do
    context 'when the params are for a confidential application' do
      it 'creates a confidential application' do
-        create_params = attributes_for(:application, confidential: true)
+        create_params = attributes_for(:application, confidential: true, scopes: ['read_user'])
        expect do
          post :create, params: { doorkeeper_application: create_params }
@@ -75,6 +75,18 @@ RSpec.describe Admin::ApplicationsController do
        expect(application).to have_attributes(create_params.except(:uid, :owner_type))
      end
    end
+    context 'when scopes are not present' do
+      it 'renders the application form on errors' do
+        create_params = attributes_for(:application, trusted: true, confidential: false)
+        expect do
+          post :create, params: { doorkeeper_application: create_params }
+        end.not_to change { Doorkeeper::Application.count }
+        expect(response).to render_template :new
+      end
+    end
  end
  describe 'PATCH #update' do

--- a/spec/controllers/oauth/applications_controller_spec.rb
+++ b/spec/controllers/oauth/applications_controller_spec.rb
@@ -123,7 +123,8 @@ RSpec.describe Oauth::ApplicationsController do
          invalid_uri_params = {
            doorkeeper_application: {
              name: 'foo',
-              redirect_uri: 'javascript://alert()'
+              redirect_uri: 'javascript://alert()',
+              scopes: ['api']
            }
          }
@@ -133,6 +134,23 @@ RSpec.describe Oauth::ApplicationsController do
        end
      end
+      context 'when scopes are not present' do
+        render_views
+        it 'shows an error for blank scopes' do
+          invalid_uri_params = {
+            doorkeeper_application: {
+              name: 'foo',
+              redirect_uri: 'http://example.org'
+            }
+          }
+          post :create, params: invalid_uri_params
+          expect(response.body).to include 'Scopes can&#39;t be blank'
+        end
+      end
      it_behaves_like 'redirects to login page when the user is not signed in'
      it_behaves_like 'redirects to 2fa setup page when the user requires it'
    end
@@ -172,7 +190,8 @@ RSpec.describe Oauth::ApplicationsController do
    {
      doorkeeper_application: {
        name: 'foo',
-        redirect_uri: 'http://example.org'
+        redirect_uri: 'http://example.org',
+        scopes: ['api']
      }
    }
  end

--- a/spec/features/admin/admin_manage_applications_spec.rb
+++ b/spec/features/admin/admin_manage_applications_spec.rb
@@ -7,7 +7,7 @@ RSpec.describe 'admin manage applications' do
    sign_in(create(:admin))
  end
-  it do
+  it 'creates new oauth application' do
    visit admin_applications_path
    click_on 'New application'
@@ -16,6 +16,7 @@ RSpec.describe 'admin manage applications' do
    fill_in :doorkeeper_application_name, with: 'test'
    fill_in :doorkeeper_application_redirect_uri, with: 'https://test.com'
    check :doorkeeper_application_trusted
+    check :doorkeeper_application_scopes_read_user
    click_on 'Submit'
    expect(page).to have_content('Application: test')
    expect(page).to have_content('Application ID')
@@ -43,4 +44,19 @@ RSpec.describe 'admin manage applications' do
    end
    expect(page.find('.oauth-applications')).not_to have_content('test_changed')
  end
+  context 'when scopes are blank' do
+    it 'returns an error' do
+      visit admin_applications_path
+      click_on 'New application'
+      expect(page).to have_content('New application')
+      fill_in :doorkeeper_application_name, with: 'test'
+      fill_in :doorkeeper_application_redirect_uri, with: 'https://test.com'
+      click_on 'Submit'
+      expect(page).to have_content("Scopes can't be blank")
+    end
+  end
 end
--- a/spec/features/profiles/user_manages_applications_spec.rb
+++ b/spec/features/profiles/user_manages_applications_spec.rb
@@ -15,6 +15,7 @@ RSpec.describe 'User manages applications' do
    fill_in :doorkeeper_application_name,         with: 'test'
    fill_in :doorkeeper_application_redirect_uri, with: 'https://test.com'
+    check :doorkeeper_application_scopes_read_user
    click_on 'Save application'
    expect(page).to have_content 'Application: test'
@@ -41,4 +42,16 @@ RSpec.describe 'User manages applications' do
    end
    expect(page.find('.oauth-applications')).not_to have_content 'test_changed'
  end
+  context 'when scopes are blank' do
+    it 'returns an error' do
+      expect(page).to have_content 'Add new application'
+      fill_in :doorkeeper_application_name,         with: 'test'
+      fill_in :doorkeeper_application_redirect_uri, with: 'https://test.com'
+      click_on 'Save application'
+      expect(page).to have_content("Scopes can't be blank")
+    end
+  end
 end
--- a/spec/services/applications/create_service_spec.rb
+++ b/spec/services/applications/create_service_spec.rb
@@ -6,9 +6,24 @@ RSpec.describe ::Applications::CreateService do
  include TestRequestHelpers
  let(:user) { create(:user) }
-  let(:params) { attributes_for(:application) }
  subject { described_class.new(user, params) }
+  context 'when scopes are present' do
+    let(:params) { attributes_for(:application, scopes: ['read_user']) }
    it { expect { subject.execute(test_request) }.to change { Doorkeeper::Application.count }.by(1) }
+  end
+  context 'when scopes are missing' do
+    let(:params) { attributes_for(:application) }
+    it { expect { subject.execute(test_request) }.not_to change { Doorkeeper::Application.count } }
+    it 'includes blank scopes error message' do
+      application = subject.execute(test_request)
+      expect(application.errors.full_messages).to include "Scopes can't be blank"
+    end
+  end
 end