no setting requirement for additional grant scopes

- the logic introduced with this PR will be applied by default, even though it introduces breaking changes if anyone relied on the previous behavior regarding personal access tokens or full access for OAuth2 third parties.
2025-02-02 15:09:33 -05:00 · 2024-10-10 17:05:19 +02:00 · 2024-10-10 17:05:19 +02:00 · 33da8f1e71
commit 33da8f1e71
parent 4885397d18
5 changed files with 24 additions and 32 deletions
--- a/modules/setting/oauth2.go
+++ b/modules/setting/oauth2.go
@ -90,25 +90,23 @@ func parseScopes(sec ConfigSection, name string) []string {
 }

 var OAuth2 = struct {
-	Enabled                     bool
-	AccessTokenExpirationTime   int64
-	RefreshTokenExpirationTime  int64
-	InvalidateRefreshTokens     bool
-	JWTSigningAlgorithm         string `ini:"JWT_SIGNING_ALGORITHM"`
-	JWTSigningPrivateKeyFile    string `ini:"JWT_SIGNING_PRIVATE_KEY_FILE"`
-	MaxTokenLength              int
-	DefaultApplications         []string
-	EnableAdditionalGrantScopes bool
+	Enabled                    bool
+	AccessTokenExpirationTime  int64
+	RefreshTokenExpirationTime int64
+	InvalidateRefreshTokens    bool
+	JWTSigningAlgorithm        string `ini:"JWT_SIGNING_ALGORITHM"`
+	JWTSigningPrivateKeyFile   string `ini:"JWT_SIGNING_PRIVATE_KEY_FILE"`
+	MaxTokenLength             int
+	DefaultApplications        []string
 }{
-	Enabled:                     true,
-	AccessTokenExpirationTime:   3600,
-	RefreshTokenExpirationTime:  730,
-	InvalidateRefreshTokens:     false,
-	JWTSigningAlgorithm:         "RS256",
-	JWTSigningPrivateKeyFile:    "jwt/private.pem",
-	MaxTokenLength:              math.MaxInt16,
-	DefaultApplications:         []string{"git-credential-oauth", "git-credential-manager", "tea"},
-	EnableAdditionalGrantScopes: false,
+	Enabled:                    true,
+	AccessTokenExpirationTime:  3600,
+	RefreshTokenExpirationTime: 730,
+	InvalidateRefreshTokens:    false,
+	JWTSigningAlgorithm:        "RS256",
+	JWTSigningPrivateKeyFile:   "jwt/private.pem",
+	MaxTokenLength:             math.MaxInt16,
+	DefaultApplications:        []string{"git-credential-oauth", "git-credential-manager", "tea"},
 }

 func loadOAuth2From(rootCfg ConfigProvider) {
--- a/routers/web/user/setting/applications.go
+++ b/routers/web/user/setting/applications.go
@ -113,6 +113,5 @@ func loadApplicationsData(ctx *context.Context) {
 			ctx.ServerError("GetOAuth2GrantsByUserID", err)
 			return
 		}
-		ctx.Data["EnableAdditionalGrantScopes"] = setting.OAuth2.EnableAdditionalGrantScopes
 	}
 }
--- a/services/oauth2_provider/access_token.go
+++ b/services/oauth2_provider/access_token.go
@ -228,14 +228,10 @@ func GetOAuthGroupsForUser(ctx context.Context, user *user_model.User, onlyPubli

 	var groups []string
 	for _, org := range orgs {
-		// process additional scopes only if enabled in settings
-		// this could be removed once additional scopes get accepted
-		if setting.OAuth2.EnableAdditionalGrantScopes {
-			if onlyPublicGroups {
-				if public, err := org_model.IsPublicMembership(ctx, org.ID, user.ID); err == nil {
-					if !public || !org.Visibility.IsPublic() {
-						continue
-					}
+		if onlyPublicGroups {
+			if public, err := org_model.IsPublicMembership(ctx, org.ID, user.ID); err == nil {
+				if !public || !org.Visibility.IsPublic() {
+					continue
 				}
 			}
 		}
--- a/services/oauth2_provider/additional_scopes_test.go
+++ b/services/oauth2_provider/additional_scopes_test.go
@ -10,7 +10,6 @@ import (
 )

 func TestGrantAdditionalScopes(t *testing.T) {
-	setting.OAuth2.EnableAdditionalGrantScopes = true
 	tests := []struct {
 		grantScopes    string
 		expectedScopes string
--- a/tests/integration/oauth_test.go
+++ b/tests/integration/oauth_test.go
@ -515,7 +515,7 @@ func TestOAuth_GrantScopesReadUserFailRepos(t *testing.T) {
 	err := db.Insert(db.DefaultContext, grant)
 	require.NoError(t, err)

-	assert.Contains(t, grant.Scope, "openid profile email read:user")
+	assert.ElementsMatch(t, []string{"openid", "profile", "email", "read:user"}, strings.Split(grant.Scope, " "))

 	ctx := loginUserWithPasswordRemember(t, user.Name, "password", true)

@ -596,7 +596,7 @@ func TestOAuth_GrantScopesReadRepositoryFailOrganization(t *testing.T) {
 	err := db.Insert(db.DefaultContext, grant)
 	require.NoError(t, err)

-	assert.Contains(t, grant.Scope, "openid profile email read:user read:repository")
+	assert.ElementsMatch(t, []string{"openid", "profile", "email", "read:user", "read:repository"}, strings.Split(grant.Scope, " "))

 	ctx := loginUserWithPasswordRemember(t, user.Name, "password", true)

@ -790,7 +790,7 @@ func TestOAuth_GrantScopesClaimGroupsAll(t *testing.T) {
 	}
 }

-func TestOAuth_GrantScopesEnabledClaimGroups(t *testing.T) {
+func TestOAuth_GrantScopesClaimGroupsPublicOnly(t *testing.T) {
 	defer tests.PrepareTestEnv(t)()

 	user := unittest.AssertExistsAndLoadBean(t, &user_model.User{Name: "user2"})
@ -819,7 +819,7 @@ func TestOAuth_GrantScopesEnabledClaimGroups(t *testing.T) {
 	err := db.Insert(db.DefaultContext, grant)
 	require.NoError(t, err)

-	assert.Contains(t, grant.Scope, "openid profile email groups")
+	assert.ElementsMatch(t, []string{"openid", "profile", "email", "groups"}, strings.Split(grant.Scope, " "))

 	ctx := loginUserWithPasswordRemember(t, user.Name, "password", true)