Merge tag 'v1.3.1' into apply_1-3-1

fastruby · Nov 21, 2023 · f1fe13e · f1fe13e
2 parents 1baa4a6 + 95dff4f
commit f1fe13e
Show file tree

Hide file tree

Showing 18 changed files with 174 additions and 36 deletions.
diff --git a/.github/workflows/brakeman-analysis.yml b/.github/workflows/brakeman-analysis.yml
@@ -0,0 +1,44 @@
+# This workflow integrates Brakeman with GitHub's Code Scanning feature
+# Brakeman is a static analysis security vulnerability scanner for Ruby on Rails applications
+
+name: Brakeman Scan
+
+# This section configures the trigger for the workflow. Feel free to customize depending on your convention
+on:
+  push:
+    branches: [ "master", "main" ]
+  pull_request:
+    branches: [ "master", "main" ]
+
+jobs:
+  brakeman-scan:
+    name: Brakeman Scan
+    runs-on: ubuntu-latest
+    steps:
+    # Checkout the repository to the GitHub Actions runner
+    - name: Checkout
+      uses: actions/checkout@v2
+
+    # Customize the ruby version depending on your needs
+    - name: Setup Ruby
+      uses: actions/setup-ruby@v1
+      with:
+        ruby-version: '2.7'
+
+    - name: Setup Brakeman
+      env:
+        BRAKEMAN_VERSION: '4.10' # SARIF support is provided in Brakeman version 4.10+
+      run: |
+        gem install brakeman --version $BRAKEMAN_VERSION
+
+    # Execute Brakeman CLI and generate a SARIF output with the security issues identified during the analysis
+    - name: Scan
+      continue-on-error: true
+      run: |
+        brakeman -f sarif -o output.sarif.json .
+
+    # Upload the SARIF file generated in the previous step
+    - name: Upload SARIF
+      uses: github/codeql-action/upload-sarif@v1
+      with:
+        sarif_file: output.sarif.json
diff --git a/.github/workflows/rubocop-analysis.yml b/.github/workflows/rubocop-analysis.yml
@@ -0,0 +1,39 @@
+name: "Rubocop"
+
+on: push
+
+jobs:
+  rubocop:
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v2
+
+    # If running on a self-hosted runner, check it meets the requirements
+    # listed at https://github.com/ruby/setup-ruby#using-self-hosted-runners
+    - name: Set up Ruby
+      uses: ruby/setup-ruby@v1
+      with:
+        ruby-version: 2.6
+
+    # This step is not necessary if you add the gem to your Gemfile
+    - name: Install Code Scanning integration
+      run: bundle add code-scanning-rubocop --version 0.3.0 --skip-install
+
+    - name: Install dependencies
+      run: bundle install
+
+    - name: Rubocop run
+      run: |
+        bash -c "
+          bundle exec rubocop --require code_scanning --format CodeScanning::SarifFormatter -o rubocop.sarif
+          [[ $? -ne 2 ]]
+        "
+
+    - name: Upload Sarif output
+      uses: github/codeql-action/upload-sarif@v1
+      with:
+        sarif_file: rubocop.sarif
diff --git a/.ruby-version b/.ruby-version
@@ -1 +1 @@
-2.6.5
+2.7.2
diff --git a/.travis.yml b/.travis.yml
@@ -2,6 +2,7 @@ language: ruby
 rvm:
   - 2.5.1
   - 2.6.0
+  - 2.7.2
 gemfile:
   - Gemfile
 script: time ./script/travis.sh

diff --git a/Gemfile b/Gemfile
@@ -36,4 +36,6 @@ group :test do
   gem 'selenium-webdriver'
   gem 'chromedriver-helper'
   gem 'launchy'
+
+  gem "nokogiri", ">= 1.10.8"
 end
diff --git a/Gemfile.lock b/Gemfile.lock
@@ -52,8 +52,9 @@ GIT
 PATH
   remote: .
   specs:
-    devise_masquerade (1.2.0)
+    devise_masquerade (1.3.1)
       devise (>= 4.7.0)
+      globalid (>= 0.3.6)
       railties (>= 5.2.0)
 
 GEM
@@ -97,7 +98,7 @@ GEM
     archive-zip (0.12.0)
       io-like (~> 0.3.0)
     backports (3.15.0)
-    bcrypt (3.1.13)
+    bcrypt (3.1.16)
     bson (1.12.5)
     bson_ext (1.12.5)
       bson (~> 1.12.5)
@@ -141,7 +142,7 @@ GEM
     cucumber-tag_expressions (1.1.1)
     cucumber-wire (0.0.1)
     database_cleaner (1.0.1)
-    devise (4.7.1)
+    devise (4.7.3)
       bcrypt (~> 3.0)
       orm_adapter (~> 0.1)
       railties (>= 4.1.0)
@@ -200,13 +201,14 @@ GEM
       mime-types-data (~> 3.2015)
     mime-types-data (3.2019.1009)
     mini_mime (1.0.2)
-    mini_portile2 (2.4.0)
+    mini_portile2 (2.5.0)
     minitest (5.12.2)
     multi_json (1.14.1)
     multi_test (0.1.2)
     nenv (0.3.0)
-    nokogiri (1.10.5)
-      mini_portile2 (~> 2.4.0)
+    nokogiri (1.11.1)
+      mini_portile2 (~> 2.5.0)
+      racc (~> 1.4)
     notiffany (0.1.3)
       nenv (~> 0.1)
       shellany (~> 0.0)
@@ -219,7 +221,8 @@ GEM
       byebug (~> 11.0)
       pry (~> 0.10)
     public_suffix (4.0.1)
-    rack (2.0.8)
+    racc (1.5.2)
+    rack (2.2.3)
     rack-test (1.1.0)
       rack (>= 1.0, < 3)
     rails-dom-testing (2.0.3)
@@ -238,7 +241,7 @@ GEM
     rb-inotify (0.10.0)
       ffi (~> 1.0)
     regexp_parser (1.6.0)
-    responders (3.0.0)
+    responders (3.0.1)
       actionpack (>= 5.0)
       railties (>= 5.0)
     rubyzip (2.0.0)
@@ -259,8 +262,8 @@ GEM
     thread_safe (0.3.6)
     tzinfo (1.2.5)
       thread_safe (~> 0.1)
-    warden (1.2.8)
-      rack (>= 2.0.6)
+    warden (1.2.9)
+      rack (>= 2.0.9)
     xpath (3.2.0)
       nokogiri (~> 1.8)
     zeitwerk (2.2.0)
@@ -285,6 +288,7 @@ DEPENDENCIES
   guard-cucumber
   guard-rspec (~> 4.7)
   launchy
+  nokogiri (>= 1.10.8)
   pry
   pry-byebug
   rb-fsevent
@@ -300,4 +304,4 @@ DEPENDENCIES
   test-unit
 
 BUNDLED WITH
-   2.0.2
+   2.1.4
diff --git a/app/controllers/devise/masquerades_controller.rb b/app/controllers/devise/masquerades_controller.rb
@@ -28,15 +28,9 @@ def show
   end
 
   def back
-    user_id = session[session_key]
+    self.resource = find_owner_resource
 
-    resource = if user_id.present?
-      masquerading_resource_class.to_adapter.find_first(:id => user_id)
-    else
-      send(:"current_#{masquerading_resource_name}")
-    end
-
-    if masquerading_resource_class != masqueraded_resource_class
+    if resource.class != masqueraded_resource_class
       sign_out(send("current_#{masqueraded_resource_name}"))
     end
 
@@ -60,6 +54,10 @@ def find_resource
     GlobalID::Locator.locate_signed params[Devise.masquerade_param], for: 'masquerade'
   end
 
+  def find_owner_resource
+    GlobalID::Locator.locate_signed(Rails.cache.read(session_key), for: 'masquerade')
+  end
+
   def go_back(user, path:)
     if Devise.masquerade_routes_back
       redirect_back(fallback_location: path)
@@ -123,15 +121,20 @@ def after_back_masquerade_path_for(resource)
   end
 
   def save_masquerade_owner_session
+    resource_gid = send("current_#{masquerading_resource_name}").to_sgid(
+      expires_in: Devise.masquerade_expires_in, for: 'masquerade')
+    # skip sharing owner id via session
+    Rails.cache.write(session_key, resource_gid, expires_in: Devise.masquerade_expires_in)
+
     unless session.key?(session_key)
-      session[session_key] = send("current_#{masquerading_resource_name}").id
       session[session_key_masquerading_resource_class] = masquerading_resource_class.name
       session[session_key_masqueraded_resource_class] = masqueraded_resource_class.name
     end
   end
 
   def cleanup_masquerade_owner_session
-    session.delete(session_key)
+    Rails.cache.delete(session_key)
+
     session.delete(session_key_masqueraded_resource_class)
     session.delete(session_key_masquerading_resource_class)
   end

diff --git a/features/step_definitions/url_helpers_steps.rb b/features/step_definitions/url_helpers_steps.rb
@@ -0,0 +1,11 @@
+Then("I should see maquerade url") do
+  page.html.should include('href="/users/masquerade?masquerade=')
+end
+
+When("I am on the users page with extra params") do
+  visit '/extra_params'
+end
+
+Then("I should see maquerade url with extra params") do
+  page.html.should include('href="/users/masquerade?key1=value1&amp;masquerade=')
+end
diff --git a/features/url_helpers.feature b/features/url_helpers.feature
@@ -0,0 +1,14 @@
+Feature: Use masquerade path to generate routes on page
+  In order to have the way to render masquerade path
+  As an user
+  I want to be able to see the url and use it
+
+  Scenario: Use masquerade path helper
+    Given I logged in
+    And I have a user for masquerade
+
+    When I am on the users page
+      Then I should see maquerade url
+
+    When I am on the users page with extra params
+      Then I should see maquerade url with extra params
diff --git a/lib/devise_masquerade/controllers/helpers.rb b/lib/devise_masquerade/controllers/helpers.rb
@@ -38,12 +38,12 @@ def masquerade_#{name}!
           end
 
           def #{name}_masquerade?
-            session[:"devise_masquerade_#{name}"].present?
+            ::Rails.cache.exist?(:"devise_masquerade_#{name}").present?
           end
 
           def #{name}_masquerade_owner
             return nil unless send(:#{name}_masquerade?)
-            ::#{class_name}.to_adapter.find_first(id: session[:"devise_masquerade_#{name}"])
+            GlobalID::Locator.locate_signed(Rails.cache.read(:"devise_masquerade_#{name}"), for: 'masquerade')
           end
 
           private

diff --git a/lib/devise_masquerade/controllers/url_helpers.rb b/lib/devise_masquerade/controllers/url_helpers.rb
@@ -7,12 +7,12 @@ module UrlHelpers
       def masquerade_path(resource, *args)
         scope = Devise::Mapping.find_scope!(resource)
 
-        opts = args.first || {}
+        opts = args.shift || {}
         opts.merge!(masqueraded_resource_class: resource.class.name)
 
         opts.merge!(Devise.masquerade_param => resource.masquerade_key)
 
-        send("#{scope}_masquerade_path", resource, opts, *args)
+        send("#{scope}_masquerade_index_path", opts, *args)
       end
 
       def back_masquerade_path(resource, *args)

diff --git a/lib/devise_masquerade/routes.rb b/lib/devise_masquerade/routes.rb
@@ -3,11 +3,12 @@ module Routes
 
     def devise_masquerade(mapping, controllers)
       resources :masquerade,
-        only: :show,
         path: mapping.path_names[:masquerade],
-        controller: controllers[:masquerades] do
+        controller: controllers[:masquerades],
+        only: [] do
 
         collection do
+          get :show
           get :back
         end
       end

diff --git a/lib/devise_masquerade/version.rb b/lib/devise_masquerade/version.rb
@@ -1,3 +1,3 @@
 module DeviseMasquerade
-  VERSION = '1.2.0'.freeze
+  VERSION = '1.3.1'.freeze
 end
diff --git a/spec/controllers/devise/masquerades_controller_spec.rb b/spec/controllers/devise/masquerades_controller_spec.rb
@@ -14,7 +14,7 @@
           get :show, params: { id: mask.to_param, masqueraded_resource_class: mask.class.name, masquerade: mask.masquerade_key }
         end
 
-        it { expect(session.keys).to include('devise_masquerade_student') }
+        it { expect(Rails.cache.read('devise_masquerade_student')).to be }
 
         it 'should have warden keys defined' do
           expect(session["warden.user.student.key"].first.first).to eq(mask.id)
@@ -30,7 +30,7 @@
           get :show, params: { id: mask.to_param, masquerade: mask.masquerade_key }
         end
 
-        it { expect(session.keys).to include('devise_masquerade_user') }
+        it { expect(Rails.cache.read('devise_masquerade_user')).to be }
         it { expect(session["warden.user.user.key"].first.first).to eq(mask.id) }
         it { should redirect_to('/') }
 
@@ -39,7 +39,7 @@
 
           it { should redirect_to(masquerade_page) }
           it { expect(current_user.reload).to eq(@user) }
-          it { expect(session.keys).not_to include('devise_masquerade_user') }
+          it { expect(Rails.cache.read('devise_masquerade_user')).not_to be }
         end
       end
 
@@ -74,13 +74,19 @@
         end # context
 
         context 'and back' do
-          before { get :back }
+          before do
+            get :show, params: { id: mask.to_param, masquerade: mask.masquerade_key }
+
+            get :back
+          end
 
           it { should redirect_to(masquerade_page) }
         end # context
 
         context 'and back fallback if http_referer not present' do
           before do
+            get :show, params: { id: mask.to_param, masquerade: mask.masquerade_key }
+
             @request.env['HTTP_REFERER'] = 'previous_location'
             get :back
           end

diff --git a/spec/controllers/masquerades_tests_controller_spec.rb b/spec/controllers/masquerades_tests_controller_spec.rb
@@ -16,7 +16,7 @@
     before { get :show, params: { id: mask.to_param, masquerade: mask.masquerade_key } }
 
     it { expect(response.status).to eq(403) }
-    it { expect(session.keys).not_to include('devise_masquerade_user') }
+    it { expect(Rails.cache.read('devise_masquerade_user')).not_to be }
     it { expect(session['warden.user.user.key'].first.first).not_to eq(mask.id) }
   end
 
@@ -35,7 +35,7 @@
     end
 
     it { expect(response.status).to eq(302) }
-    it { expect(session.keys).to include('devise_masquerade_user') }
+    it { expect(Rails.cache.read('devise_masquerade_user')).to be }
     it { expect(session['warden.user.user.key'].first.first).to eq(mask.id) }
   end
 end
diff --git a/spec/dummy/app/controllers/dashboard_controller.rb b/spec/dummy/app/controllers/dashboard_controller.rb
@@ -4,5 +4,9 @@ class DashboardController < ApplicationController
   def index
     @users = User.where("users.id != ?", current_user.id).all
   end
+
+  def extra_params
+    @users = User.where("users.id != ?", current_user.id).all
+  end
 end
-Original file line number
+Diff line change
@@ Expand Up / @@ -2,6 +2,7 @@ language: ruby @@
     rvm:
       - 2.5.1
       - 2.6.0
+      - 2.7.2
     gemfile:
       - Gemfile
     script: time ./script/travis.sh
@@ Expand Down @@