Add latest changes from gitlab-org/security/gitlab@13-0-stable-ee

app/controllers/oauth/authorizations_controller.rb

@@ -4,6 +4,8 @@ class Oauth::AuthorizationsController < Doorkeeper::AuthorizationsController
   include Gitlab::Experimentation::ControllerConcern
   include InitializesCurrentUserMode
 
+  before_action :verify_confirmed_email!, only: [:new]
+
   layout 'profile'
 
   # Overridden from Doorkeeper::AuthorizationsController to
@@ -21,4 +23,13 @@ class Oauth::AuthorizationsController < Doorkeeper::AuthorizationsController
       render "doorkeeper/authorizations/error"
     end
   end
+
+  private
+
+  def verify_confirmed_email!
+    return if current_user&.confirmed?
+
+    pre_auth.error = :unconfirmed_email
+    render "doorkeeper/authorizations/error"
+  end
 end

changelogs/unreleased/security-dblessing-oauth-email-verification.yml

+---
+title: Require confirmed email address for GitLab OAuth authentication
+merge_request:
+author:
+type: security

config/locales/doorkeeper.en.yml

@@ -36,6 +36,7 @@ en:
         access_denied: 'The resource owner or authorization server denied the request.'
         invalid_scope: 'The requested scope is invalid, unknown, or malformed.'
         server_error: 'The authorization server encountered an unexpected condition which prevented it from fulfilling the request.'
+        unconfirmed_email: 'Verify the email address in your account profile before you sign in.'
         temporarily_unavailable: 'The authorization server is currently unable to handle the request due to a temporary overloading or maintenance of the server.'
 
         #configuration error messages

spec/controllers/oauth/authorizations_controller_spec.rb

@@ -3,7 +3,6 @@
 require 'spec_helper'
 
 describe Oauth::AuthorizationsController do
-  let(:user) { create(:user) }
   let!(:application) { create(:oauth_application, scopes: 'api read_user', redirect_uri: 'http://example.com') }
   let(:params) do
     {
@@ -19,6 +18,9 @@ describe Oauth::AuthorizationsController do
   end
 
   describe 'GET #new' do
+    context 'when the user is confirmed' do
+      let(:user) { create(:user) }
+
       context 'without valid params' do
         it 'returns 200 code and renders error view' do
           get :new
@@ -68,4 +70,16 @@ describe Oauth::AuthorizationsController do
         end
       end
     end
+
+    context 'when the user is unconfirmed' do
+      let(:user) { create(:user, confirmed_at: nil) }
+
+      it 'returns 200 and renders error view' do
+        get :new, params: params
+
+        expect(response).to have_gitlab_http_status(:ok)
+        expect(response).to render_template('doorkeeper/authorizations/error')
+      end
+    end
+  end
 end

spec/features/oauth_provider_authorize_spec.rb

+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe 'OAuth Provider' do
+  describe 'Standard OAuth Authorization' do
+    let(:application) { create(:oauth_application, scopes: 'read_user') }
+
+    before do
+      sign_in(user)
+
+      visit oauth_authorization_path(client_id: application.uid,
+                                     redirect_uri: application.redirect_uri.split.first,
+                                     response_type: 'code',
+                                     state: 'my_state',
+                                     scope: 'read_user')
+    end
+
+    it_behaves_like 'Secure OAuth Authorizations'
+  end
+end

spec/support/shared_examples/features/secure_oauth_authorizations_shared_examples.rb

+# frozen_string_literal: true
+
+RSpec.shared_examples 'Secure OAuth Authorizations' do
+  context 'when user is confirmed' do
+    let(:user) { create(:user) }
+
+    it 'asks the user to authorize the application' do
+      expect(page).to have_text "Authorize #{application.name} to use your account?"
+    end
+  end
+
+  context 'when user is unconfirmed' do
+    let(:user) { create(:user, confirmed_at: nil) }
+
+    it 'displays an error' do
+      expect(page).to have_text I18n.t('doorkeeper.errors.messages.unconfirmed_email')
+    end
+  end
+end