Project: 李少辉-开发者 / gitlab-foss (GitCode mirror)

Commit f7fd30fc
Authored May 26, 2020 by GitLab Bot
Add latest changes from gitlab-org/security/gitlab@12-10-stable-ee
Parent: e80b54a5

Showing 6 changed files with 103 additions and 32 deletions (+103 -32)
app/controllers/oauth/authorizations_controller.rb (+11 -0)
changelogs/unreleased/security-dblessing-oauth-email-verification.yml (+5 -0)
config/locales/doorkeeper.en.yml (+1 -0)
spec/controllers/oauth/authorizations_controller_spec.rb (+46 -32)
spec/features/oauth_provider_authorize_spec.rb (+21 -0)
spec/support/shared_examples/features/secure_oauth_authorizations_shared_examples.rb (+19 -0)
app/controllers/oauth/authorizations_controller.rb
View file @ f7fd30fc
@@ -4,6 +4,8 @@ class Oauth::AuthorizationsController < Doorkeeper::AuthorizationsController
include
Gitlab
::
Experimentation
::
ControllerConcern
include
InitializesCurrentUserMode
before_action
:verify_confirmed_email!
,
only:
[
:new
]
layout
'profile'
# Overridden from Doorkeeper::AuthorizationsController to
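Review bot: the before_action added in this hunk is restricted with `only: [:new]`, so the confirmed-email check guards the consent page but not the `create` action that the parent class Doorkeeper::AuthorizationsController (named in the hunk header) also defines and which is the action that actually issues the authorization code. A user with an unconfirmed address who already has the request parameters can POST to create and skip the check. Suggest `before_action :verify_confirmed_email!, only: [:new, :create]` (and consider `destroy` as well), plus a controller example covering POST #create for an unconfirmed user.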
@@ -21,4 +23,13 @@ class Oauth::AuthorizationsController < Doorkeeper::AuthorizationsController
render
"doorkeeper/authorizations/error"
end
end
private
def
verify_confirmed_email!
return
if
current_user
&
.
confirmed?
pre_auth
.
error
=
:unconfirmed_email
render
"doorkeeper/authorizations/error"
end
end
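Review bot: `return if current_user&.confirmed?` in verify_confirmed_email! treats a nil current_user exactly like an unconfirmed one and renders the unconfirmed_email error page instead of sending the visitor to sign in. That is only correct because the parent's resource-owner authentication before_action runs first; a one-line comment stating that ordering assumption would help the next reader. The error view is rendered with the default 200 status, which matches the existing error branch visible above in this hunk, so no change needed there.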
changelogs/unreleased/security-dblessing-oauth-email-verification.yml
0 → 100644
View file @ f7fd30fc
---
title
:
Require confirmed email address for GitLab OAuth authentication
merge_request
:
author
:
type
:
security
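Review bot: `merge_request:` and `author:` are left blank in this changelog entry; if the merge request number for the fix is known it should be filled in so the entry links back to the review. Separately, the title says "OAuth authentication" while the code change gates the authorization (consent) step of the flow; "Require confirmed email address for GitLab OAuth authorization" would describe the change more precisely.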
config/locales/doorkeeper.en.yml
View file @ f7fd30fc
@@ -36,6 +36,7 @@ en:
access_denied
:
'
The
resource
owner
or
authorization
server
denied
the
request.'
invalid_scope
:
'
The
requested
scope
is
invalid,
unknown,
or
malformed.'
server_error
:
'
The
authorization
server
encountered
an
unexpected
condition
which
prevented
it
from
fulfilling
the
request.'
unconfirmed_email
:
'
Verify
the
email
address
in
your
account
profile
before
you
sign
in.'
temporarily_unavailable
:
'
The
authorization
server
is
currently
unable
to
handle
the
request
due
to
a
temporary
overloading
or
maintenance
of
the
server.'
#configuration error messages
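Review bot: the new unconfirmed_email message tells the user to verify their address "before you sign in", but this error is only reachable after the resource owner has already signed in and is being asked to authorize an application, so the instruction does not match the state the user is in. Suggest wording such as 'Verify the email address in your account profile before authorizing applications.' so the text points at the action that is actually blocked.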
spec/controllers/oauth/authorizations_controller_spec.rb
View file @ f7fd30fc
@@ -3,7 +3,6 @@
require
'spec_helper'
describe
Oauth
::
AuthorizationsController
do
let
(
:user
)
{
create
(
:user
)
}
let!
(
:application
)
{
create
(
:oauth_application
,
scopes:
'api read_user'
,
redirect_uri:
'http://example.com'
)
}
let
(
:params
)
do
{
@@ -19,53 +18,68 @@ describe Oauth::AuthorizationsController do
end
describe
'GET #new'
do
context
'without valid params'
do
it
'returns 200 code and renders error view'
do
get
:new
context
'when the user is confirmed'
do
let
(
:user
)
{
create
(
:user
)
}
expect
(
response
).
to
have_gitlab_http_status
(
:ok
)
expect
(
response
).
to
render_template
(
'doorkeeper/authorizations/error'
)
context
'without valid params'
do
it
'returns 200 code and renders error view'
do
get
:new
expect
(
response
).
to
have_gitlab_http_status
(
:ok
)
expect
(
response
).
to
render_template
(
'doorkeeper/authorizations/error'
)
end
end
end
context
'with valid params'
do
render_views
context
'with valid params'
do
render_views
it
'returns 200 code and renders view'
do
get
:new
,
params:
params
it
'returns 200 code and renders view'
do
get
:new
,
params:
params
expect
(
response
).
to
have_gitlab_http_status
(
:ok
)
expect
(
response
).
to
render_template
(
'doorkeeper/authorizations/new'
)
end
expect
(
response
).
to
have_gitlab_http_status
(
:ok
)
expect
(
response
).
to
render_template
(
'doorkeeper/authorizations/new'
)
end
it
'deletes session.user_return_to and redirects when skip authorization'
do
application
.
update
(
trusted:
true
)
request
.
session
[
'user_return_to'
]
=
'http://example.com'
it
'deletes session.user_return_to and redirects when skip authorization'
do
application
.
update
(
trusted:
true
)
request
.
session
[
'user_return_to'
]
=
'http://example.com'
get
:new
,
params:
params
get
:new
,
params:
params
expect
(
request
.
session
[
'user_return_to'
]).
to
be_nil
expect
(
response
).
to
have_gitlab_http_status
(
:found
)
end
expect
(
request
.
session
[
'user_return_to'
]).
to
be_nil
expect
(
response
).
to
have_gitlab_http_status
(
:found
)
end
context
'when there is already an access token for the application'
do
context
'when the request scope matches any of the created token scopes'
do
before
do
scopes
=
Doorkeeper
::
OAuth
::
Scopes
.
from_string
(
'api'
)
context
'when there is already an access token for the application'
do
context
'when the request scope matches any of the created token scopes'
do
before
do
scopes
=
Doorkeeper
::
OAuth
::
Scopes
.
from_string
(
'api'
)
allow
(
Doorkeeper
.
configuration
).
to
receive
(
:scopes
).
and_return
(
scopes
)
allow
(
Doorkeeper
.
configuration
).
to
receive
(
:scopes
).
and_return
(
scopes
)
create
:oauth_access_token
,
application:
application
,
resource_owner_id:
user
.
id
,
scopes:
scopes
end
create
:oauth_access_token
,
application:
application
,
resource_owner_id:
user
.
id
,
scopes:
scopes
end
it
'authorizes the request and redirects'
do
get
:new
,
params:
params
it
'authorizes the request and redirects'
do
get
:new
,
params:
params
expect
(
request
.
session
[
'user_return_to'
]).
to
be_nil
expect
(
response
).
to
have_gitlab_http_status
(
:found
)
expect
(
request
.
session
[
'user_return_to'
]).
to
be_nil
expect
(
response
).
to
have_gitlab_http_status
(
:found
)
end
end
end
end
end
context
'when the user is unconfirmed'
do
let
(
:user
)
{
create
(
:user
,
confirmed_at:
nil
)
}
it
'returns 200 and renders error view'
do
get
:new
,
params:
params
expect
(
response
).
to
have_gitlab_http_status
(
:ok
)
expect
(
response
).
to
render_template
(
'doorkeeper/authorizations/error'
)
end
end
end
end
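Review bot: the new 'when the user is unconfirmed' context at the end of this hunk exercises only GET #new with valid params; there is no example for POST #create, so this spec would not catch the controller's before_action omitting the action that issues the code. Add a sibling example in the unconfirmed context that posts to :create with the same params and asserts that the error view is rendered and the response is not a redirect, and consider a second example with an unconfirmed user and no params to confirm the email check takes precedence over the generic parameter error.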
spec/features/oauth_provider_authorize_spec.rb
0 → 100644
View file @ f7fd30fc
# frozen_string_literal: true
require
'spec_helper'
describe
'OAuth Provider'
do
describe
'Standard OAuth Authorization'
do
let
(
:application
)
{
create
(
:oauth_application
,
scopes:
'read_user'
)
}
before
do
sign_in
(
user
)
visit
oauth_authorization_path
(
client_id:
application
.
uid
,
redirect_uri:
application
.
redirect_uri
.
split
.
first
,
response_type:
'code'
,
state:
'my_state'
,
scope:
'read_user'
)
end
it_behaves_like
'Secure OAuth Authorizations'
end
end
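Review bot: `sign_in(user)` in the before block references `user`, which this file never defines; it only resolves because each context inside the 'Secure OAuth Authorizations' shared examples declares its own `let(:user)`. That coupling is invisible at the call site, so either add a comment here stating that the shared examples supply `user` (and rely on this file's `application`), or define a default `let(:user) { create(:user) }` here that the shared contexts override, so that anyone reusing `it_behaves_like 'Secure OAuth Authorizations'` elsewhere knows what the host spec must provide.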
spec/support/shared_examples/features/secure_oauth_authorizations_shared_examples.rb
0 → 100644
View file @ f7fd30fc
# frozen_string_literal: true
RSpec
.
shared_examples
'Secure OAuth Authorizations'
do
context
'when user is confirmed'
do
let
(
:user
)
{
create
(
:user
)
}
it
'asks the user to authorize the application'
do
expect
(
page
).
to
have_text
"Authorize
#{
application
.
name
}
to use your account?"
end
end
context
'when user is unconfirmed'
do
let
(
:user
)
{
create
(
:user
,
confirmed_at:
nil
)
}
it
'displays an error'
do
expect
(
page
).
to
have_text
I18n
.
t
(
'doorkeeper.errors.messages.unconfirmed_email'
)
end
end
end
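Review bot: in the 'when user is unconfirmed' example, asserting only that the error text is present does not prove the consent form is absent; a page that rendered both the error and the authorize prompt would still pass. Add `expect(page).not_to have_text "Authorize #{application.name} to use your account?"` next to the existing assertion so the example fails if the authorization form leaks through for an unconfirmed user.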