Doorkeeper.configure do
  # ORM backing the OAuth tables.
  # Currently supported options are :active_record, :mongoid2, :mongoid3, :mongo_mapper
  orm :active_record

  # Resolves the signed-in resource owner for the authorization endpoint.
  # Returning a user lets the flow continue; returning nil (after sending the
  # browser to the login page) stops it. The return path stored here comes from
  # request.fullpath, i.e. the request itself, not from a user-supplied parameter.
  resource_owner_authenticator do
    next current_user if current_user

    # Bring the user back to the authorization request once they have logged in
    session[:user_return_to] = request.fullpath
    redirect_to(new_user_session_url)
    nil
  end

  # Resource Owner Password Credentials grant: a username/password pair is
  # exchanged for a token. Accounts with two-factor authentication enabled are
  # refused (nil), so a password alone cannot mint a token for them.
  resource_owner_from_credentials do |_routes|
    user = Gitlab::Auth.find_with_user_password(params[:username], params[:password])
    user.try(:two_factor_enabled?) ? nil : user
  end

  # If you want to restrict access to the web interface for adding oauth authorized applications, you need to declare the block below.
  # admin_authenticator do
  #   # Put your admin authentication logic here.
  #   # Example implementation:
  #   Admin.find_by_id(session[:admin_id]) || redirect_to(new_admin_session_url)
  # end

  # Authorization Code expiration time (default 10 minutes).
  # authorization_code_expires_in 10.minutes

  # Access token expiration time (default 2 hours).
  # Expiration is disabled here (nil): an access token stays valid until it is
  # explicitly revoked, so revocation is the only way to retire one.
  access_token_expires_in nil

  # Reuse access token for the same resource owner within an application (disabled by default)
  # Rationale: https://github.com/doorkeeper-gem/doorkeeper/issues/383
  # Together with non-expiring tokens this hands the same token back on repeated
  # authorizations; the matching_token_for patch at the bottom of this file is
  # presumably what decides whether an existing token qualifies for reuse.
  reuse_access_token

  # Issue access tokens with refresh token (disabled by default)
  use_refresh_token

  # Forces the usage of the HTTPS protocol in non-native redirect uris (enabled
  # by default in non-development environments). OAuth2 delegates security in
  # communication to the HTTPS protocol so it is wise to keep this enabled.
  #
  # Disabled here, so plain-http redirect URIs are accepted when an application
  # is registered; the only scheme restriction left is forbid_redirect_uri below.
  force_ssl_in_redirect_uri false

  # Redirect URIs to reject during Application creation (any URI is accepted by
  # default). Script-capable schemes are refused. The comparison is
  # case-insensitive; a URI without a scheme yields "" and is therefore not
  # blocked by this check.
  blocked_redirect_schemes = %w[data vbscript javascript].freeze
  forbid_redirect_uri { |uri| blocked_redirect_schemes.include?(uri.scheme.to_s.downcase) }

  # Provide support for an owner to be assigned to each registered application (disabled by default)
  # Optional parameter confirmation: true (default false) if you want to enforce ownership of
  # a registered application
  # Note: you must also run the rails g doorkeeper:application_owner generator to provide the necessary support
  enable_application_owner confirmation: false

  # Access token scopes for this provider; see
  # https://github.com/doorkeeper-gem/doorkeeper/wiki/Using-Scopes
  default_scopes(*Gitlab::Auth::DEFAULT_SCOPES)
  optional_scopes(*Gitlab::Auth.optional_scopes)

  # Change the way client credentials are retrieved from the request object.
  # By default it retrieves first from the `HTTP_AUTHORIZATION` header, then
  # falls back to the `:client_id` and `:client_secret` params from the `params` object.
  # Check out the wiki for more information on customization
  # client_credentials :from_basic, :from_params

  # Where the access token is read from on each request, tried in the order
  # listed: the access_token param, the bearer Authorization header, then the
  # bearer_token param. A token passed as a param travels in the URL and can
  # land in logs and referrers, which the header form avoids.
  access_token_methods :from_access_token_param, :from_bearer_authorization, :from_bearer_param

  # Change the native redirect uri for client apps
  # When clients register with the following redirect uri, they won't be redirected to any server and the authorization code will be displayed within the provider
  # The value can be any string. Use nil to disable this feature. When disabled, clients must provide a valid URL
  # (Similar behaviour: https://developers.google.com/accounts/docs/OAuth2InstalledApp#choosingredirecturi)
  #
  native_redirect_uri nil # 'urn:ietf:wg:oauth:2.0:oob'

  # Grant flows enabled for this provider, as an array of Strings:
  #
  #   "authorization_code" => Authorization Code Grant Flow
  #   "implicit"           => Implicit Grant Flow
  #   "password"           => Resource Owner Password Credentials Grant Flow
  #   "client_credentials" => Client Credentials Grant Flow
  #
  # The implicit and password grants are both enabled here; current OAuth 2.0
  # security guidance discourages them, so they are worth revisiting once
  # clients no longer depend on them.
  grant_flows %w[authorization_code implicit password client_credentials]

  # Skip the consent screen only for applications flagged as trusted; every
  # other client still has to be approved by the resource owner.
  skip_authorization do |_resource_owner, client|
    client.application.trusted?
  end

  # WWW-Authenticate Realm (default "Doorkeeper").
  # realm "Doorkeeper"

  # Allow dynamic query parameters (disabled by default)
  # Some applications require dynamic query parameters on their request_uri
  # set to true if you want this to be allowed
  # wildcard_redirect_uri false

  base_controller '::Gitlab::BaseDoorkeeperController'
end

# Monkey patch to avoid creating new applications if the scope of the
# app created does not match the complete list of scopes of the configured app.
# It also prevents the OAuth authorize-application window from appearing every time.

# Remove after we upgrade the doorkeeper gem from version 4.3.2
# The patch below is pinned to doorkeeper 4.3.2: fail loudly on any newer gem so
# the patch is re-evaluated (and dropped) instead of silently carried along.
raise "Doorkeeper was upgraded, please remove the monkey patch in #{__FILE__}" if Doorkeeper.gem_version > Gem::Version.new('4.3.2')

module Doorkeeper
  module AccessTokenMixin
    module ClassMethods
      # Finds an existing, unrevoked token for +application+ and the given
      # resource owner whose scopes are exactly the requested +scopes+.
      # An exact scope match is required so that reusing a token can never hand
      # back more (or different) scopes than the ones just requested.
      #
      # @param application [#id, #scopes, nil] the client application
      # @param resource_owner_or_id [#to_key, Object] a resource owner model or its id
      # @param scopes [#sort, #empty?, #to_s] scopes requested in this authorization
      # @return [Object, nil] the most recently created matching token, or nil
      def matching_token_for(application, resource_owner_or_id, scopes)
        owner_id =
          if resource_owner_or_id.respond_to?(:to_key)
            resource_owner_or_id.id
          else
            resource_owner_or_id
          end
        candidates = authorized_tokens_for(application.try(:id), owner_id)

        candidates.detect { |token| scopes_match?(token.scopes, scopes, application.try(:scopes)) }
      end

      # True when +token_scopes+ and +param_scopes+ hold the same scopes
      # (order-insensitive) and the requested scopes are valid against the
      # server's configured scopes and, when given, the application's own
      # scopes. Two empty scope lists match without consulting the ScopeChecker.
      #
      # @param token_scopes [#sort, #empty?] scopes stored on the candidate token
      # @param param_scopes [#sort, #empty?, #to_s] scopes requested now
      # @param app_scopes [Object, nil] the application's scopes, if any
      # @return [Boolean]
      def scopes_match?(token_scopes, param_scopes, app_scopes)
        return true if token_scopes.empty? && param_scopes.empty?
        return false unless token_scopes.sort == param_scopes.sort

        Doorkeeper::OAuth::Helpers::ScopeChecker.valid?(
          param_scopes.to_s,
          Doorkeeper.configuration.scopes,
          app_scopes
        )
      end

      # Unrevoked tokens for the application/owner pair, newest first.
      #
      # @return [Object] a relation of tokens ordered by created_at descending
      def authorized_tokens_for(application_id, resource_owner_id)
        conditions = {
          application_id: application_id,
          resource_owner_id: resource_owner_id,
          revoked_at: nil
        }
        ordered_by(:created_at, :desc).where(conditions)
      end

      # Newest unrevoked token for the application/owner pair, or nil.
      def last_authorized_token_for(application_id, resource_owner_id)
        authorized_tokens_for(application_id, resource_owner_id).first
      end
    end
  end
end