As a OAuth consumer I want to get a refresh token during OAuth2 Registration

refresh token is now returned in oath registration

Fixes PLAT-1218

Test Plan:
Create a dev_key that has an invalid redirect_ur, this makes it easier
to subvert the oauth process later.

attempt to authorize your new key with a user. I used something like
blackmesa.canvas.dev/login/oauth2/auth?client_id=30000000000001&response_type=code&redirect_uri=http://blackmesa.dev/redirect&state=YYY

Sign in and authorize. You should be redirected to something similar to
http://blackmesa.dev/redirect?code=1c8d2ff5498eb879db9737d494a4bbd64810c84cf7e1776d1f4cebdb9699244c6209add4838d02f0d67b969a599cee589fecbeef5f84ababb1ef6e4cb9099b68&state=YYY

Take the code out of the url. open up
[postman](<https://chrome.google.com/webstore/detail/postman/fhbjgbiflinjbdggehcddcbncdddomop?hl=en)
create a new post request with the following params
    code: #{code}
    client_id: #{your dev key's client id}
    client_secret: #{your dev key's client secret}

make sure the response includes a refresh_token property. A postman
request that can be imported [can be found
here](https://gist.github.com/defektive/f1cced73b08e5f6a2925)

 ________
< Thanks >
 --------
        \   ^__^
         \  (oo)\_______
            (__)\       )\/\
                ||----w |
                ||     ||

Change-Id: I8a8a8450825309232c903251231dec8c5d4e7463
Reviewed-on: https://gerrit.instructure.com/63256
Tested-by: Jenkins
Reviewed-by: Nathan Mills <nathanm@instructure.com>
QA-Review: August Thornton <august@instructure.com>
Product-Review: Brad Horrocks <bhorrocks@instructure.com>

Author: Brad Horrocks

app/models/access_token.rb

@@ -1,5 +1,6 @@
 class AccessToken < ActiveRecord::Base
   attr_reader :full_token
+  attr_reader :plaintext_refresh_token
   belongs_to :developer_key
   belongs_to :user
   has_one :account, through: :developer_key
@@ -24,6 +25,7 @@ class AccessToken < ActiveRecord::Base
   ALLOWED_SCOPES = ["#{OAUTH2_SCOPE_NAMESPACE}userinfo"]
 
   before_create :generate_token
+  before_create :generate_refresh_token
 
   def self.authenticate(token_string)
     # hash the user supplied token with all of our known keys
@@ -95,6 +97,27 @@ def generate_token(overwrite=false)
     end
   end
 
+  def refresh_token=(new_token)
+    self.crypted_refresh_token = AccessToken.hashed_token(new_token)
+    @plaintext_refresh_token = new_token
+  end
+
+  def generate_refresh_token(overwrite=false)
+    if overwrite || !self.crypted_refresh_token
+      self.refresh_token = CanvasSlug.generate(nil, TOKEN_SIZE)
+    end
+  end
+
+  def regenerate_refresh_token=(val)
+    if val == '1' && !protected_token?
+      generate_refresh_token(true)
+    end
+  end
+
+  def clear_plaintext_refresh_token!
+    @plaintext_refresh_token = nil
+  end
+
   def protected_token?
     developer_key != DeveloperKey.default
   end

db/migrate/20150910191348_add_refresh_token_to_access_tokens.rb

@@ -0,0 +1,12 @@
+class AddRefreshTokenToAccessTokens < ActiveRecord::Migration
+  tag :predeploy
+
+  def self.up
+    add_column :access_tokens, :crypted_refresh_token, :string
+    add_index :access_tokens, [:crypted_refresh_token], :unique => true
+  end
+
+  def self.down
+    remove_column :access_tokens, :crypted_refresh_token
+  end
+end

lib/canvas/oauth/token.rb

@@ -57,6 +57,7 @@ def create_access_token_if_needed(replace_tokens = false)
         @access_token = user.access_tokens.create!({:developer_key => key, :remember_access => remember_access?, :scopes => scopes, :purpose => purpose, expires_at: expiration_date})
 
         @access_token.clear_full_token! if @access_token.scoped_to?(['userinfo'])
+        @access_token.clear_plaintext_refresh_token! if @access_token.scoped_to?(['userinfo'])
       end
     end
 
@@ -76,6 +77,7 @@ def self.find_reusable_access_token(user, key, scopes, purpose)
     def as_json(_options={})
       json = {
         'access_token' => access_token.full_token,
+        'refresh_token' => access_token.plaintext_refresh_token,
         'user' => user.as_json(:only => [:id, :name], :include_root => false)
       }
       json['expires_in'] = access_token.expires_at.utc.to_time.to_i - Time.now.utc.to_i if access_token.expires_at

spec/controllers/oauth2_provider_controller_spec.rb

@@ -133,7 +133,7 @@
       Canvas.stubs(:redis => redis)
       get :token, :client_id => key.id, :client_secret => key.api_key, :code => valid_code
       expect(response).to be_success
-      expect(JSON.parse(response.body).keys.sort).to match_array(['access_token', 'user', 'expires_in'])
+      expect(JSON.parse(response.body).keys.sort).to eq ['access_token',  'expires_in', 'refresh_token', 'user']
     end
 
     it 'deletes existing tokens for the same key when replace_tokens=1' do

spec/lib/canvas/oauth/token_spec.rb

@@ -157,7 +157,7 @@ def stub_out_cache(client_id = nil, scopes = nil)
       end
 
       it 'does not put anything else into the json' do
-        expect(json.keys.sort).to match_array(['access_token', 'user', 'expires_in'])
+        expect(json.keys.sort).to eq ['access_token', 'expires_in', 'refresh_token', 'user']
       end
 
     end