Commit d40003af authored by GitLab Bot's avatar GitLab Bot

Add latest changes from gitlab-org/security/gitlab@13-3-stable-ee

parent a986819a
......@@ -11,7 +11,16 @@ module Applications
# EE would override and use `request` arg
def execute(request)
Doorkeeper::Application.create(params)
@application = Doorkeeper::Application.new(params)
unless params[:scopes].present?
@application.errors.add(:base, _("Scopes can't be blank"))
return @application
end
@application.save
@application
end
end
end
......
---
title: Add scope presence validation to OAuth Application creation
merge_request:
author:
type: security
......@@ -40,7 +40,7 @@ RSpec.describe Admin::ApplicationsController do
describe 'POST #create' do
it 'creates the application' do
create_params = attributes_for(:application, trusted: true, confidential: false)
create_params = attributes_for(:application, trusted: true, confidential: false, scopes: ['api'])
expect do
post :create, params: { doorkeeper_application: create_params }
......@@ -63,7 +63,7 @@ RSpec.describe Admin::ApplicationsController do
context 'when the params are for a confidential application' do
it 'creates a confidential application' do
create_params = attributes_for(:application, confidential: true)
create_params = attributes_for(:application, confidential: true, scopes: ['read_user'])
expect do
post :create, params: { doorkeeper_application: create_params }
......@@ -75,6 +75,18 @@ RSpec.describe Admin::ApplicationsController do
expect(application).to have_attributes(create_params.except(:uid, :owner_type))
end
end
context 'when scopes are not present' do
it 'renders the application form on errors' do
create_params = attributes_for(:application, trusted: true, confidential: false)
expect do
post :create, params: { doorkeeper_application: create_params }
end.not_to change { Doorkeeper::Application.count }
expect(response).to render_template :new
end
end
end
describe 'PATCH #update' do
......
......@@ -123,7 +123,8 @@ RSpec.describe Oauth::ApplicationsController do
invalid_uri_params = {
doorkeeper_application: {
name: 'foo',
redirect_uri: 'javascript://alert()'
redirect_uri: 'javascript://alert()',
scopes: ['api']
}
}
......@@ -133,6 +134,23 @@ RSpec.describe Oauth::ApplicationsController do
end
end
context 'when scopes are not present' do
render_views
it 'shows an error for blank scopes' do
invalid_uri_params = {
doorkeeper_application: {
name: 'foo',
redirect_uri: 'http://example.org'
}
}
post :create, params: invalid_uri_params
expect(response.body).to include 'Scopes can't be blank'
end
end
it_behaves_like 'redirects to login page when the user is not signed in'
it_behaves_like 'redirects to 2fa setup page when the user requires it'
end
......@@ -172,7 +190,8 @@ RSpec.describe Oauth::ApplicationsController do
{
doorkeeper_application: {
name: 'foo',
redirect_uri: 'http://example.org'
redirect_uri: 'http://example.org',
scopes: ['api']
}
}
end
......
......@@ -7,7 +7,7 @@ RSpec.describe 'admin manage applications' do
sign_in(create(:admin))
end
it do
it 'creates new oauth application' do
visit admin_applications_path
click_on 'New application'
......@@ -16,6 +16,7 @@ RSpec.describe 'admin manage applications' do
fill_in :doorkeeper_application_name, with: 'test'
fill_in :doorkeeper_application_redirect_uri, with: 'https://test.com'
check :doorkeeper_application_trusted
check :doorkeeper_application_scopes_read_user
click_on 'Submit'
expect(page).to have_content('Application: test')
expect(page).to have_content('Application ID')
......@@ -43,4 +44,19 @@ RSpec.describe 'admin manage applications' do
end
expect(page.find('.oauth-applications')).not_to have_content('test_changed')
end
context 'when scopes are blank' do
it 'returns an error' do
visit admin_applications_path
click_on 'New application'
expect(page).to have_content('New application')
fill_in :doorkeeper_application_name, with: 'test'
fill_in :doorkeeper_application_redirect_uri, with: 'https://test.com'
click_on 'Submit'
expect(page).to have_content("Scopes can't be blank")
end
end
end
......@@ -15,6 +15,7 @@ RSpec.describe 'User manages applications' do
fill_in :doorkeeper_application_name, with: 'test'
fill_in :doorkeeper_application_redirect_uri, with: 'https://test.com'
check :doorkeeper_application_scopes_read_user
click_on 'Save application'
expect(page).to have_content 'Application: test'
......@@ -41,4 +42,16 @@ RSpec.describe 'User manages applications' do
end
expect(page.find('.oauth-applications')).not_to have_content 'test_changed'
end
context 'when scopes are blank' do
it 'returns an error' do
expect(page).to have_content 'Add new application'
fill_in :doorkeeper_application_name, with: 'test'
fill_in :doorkeeper_application_redirect_uri, with: 'https://test.com'
click_on 'Save application'
expect(page).to have_content("Scopes can't be blank")
end
end
end
......@@ -6,9 +6,24 @@ RSpec.describe ::Applications::CreateService do
include TestRequestHelpers
let(:user) { create(:user) }
let(:params) { attributes_for(:application) }
subject { described_class.new(user, params) }
it { expect { subject.execute(test_request) }.to change { Doorkeeper::Application.count }.by(1) }
context 'when scopes are present' do
let(:params) { attributes_for(:application, scopes: ['read_user']) }
it { expect { subject.execute(test_request) }.to change { Doorkeeper::Application.count }.by(1) }
end
context 'when scopes are missing' do
let(:params) { attributes_for(:application) }
it { expect { subject.execute(test_request) }.not_to change { Doorkeeper::Application.count } }
it 'includes blank scopes error message' do
application = subject.execute(test_request)
expect(application.errors.full_messages).to include "Scopes can't be blank"
end
end
end
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment