Merge pull request #3 from oauth-xx/rails-5-2

Rails 5.2

Author: pboling

.gitignore

@@ -18,3 +18,8 @@ test/dummy/tmp
 test/dummy/.sass-cache
 tmp
 vendor/ruby
+
+# Ignore uploaded files in development, if ever there are any from ActiveStorage
+/storage/*
+
+/public/assets

Gemfile.lock

@@ -1,65 +1,71 @@
 PATH
   remote: .
   specs:
-    masq (0.3.4)
+    masq2 (1.0.0.pre.beta.1)
       erb
       i18n_data
-      rails (~> 5.1.0)
+      rails (>= 5.2.8.1)
       rails-controller-testing
-      ruby-openid
+      ruby-openid2 (~> 3.1)
       ruby-yadis
+      version_gem (~> 1.1, >= 1.1.6)
       yubikey
 
 GEM
   remote: https://rubygems.org/
   specs:
-    actioncable (5.1.7)
-      actionpack (= 5.1.7)
+    actioncable (5.2.8.1)
+      actionpack (= 5.2.8.1)
       nio4r (~> 2.0)
-      websocket-driver (~> 0.6.1)
-    actionmailer (5.1.7)
-      actionpack (= 5.1.7)
-      actionview (= 5.1.7)
-      activejob (= 5.1.7)
+      websocket-driver (>= 0.6.1)
+    actionmailer (5.2.8.1)
+      actionpack (= 5.2.8.1)
+      actionview (= 5.2.8.1)
+      activejob (= 5.2.8.1)
       mail (~> 2.5, >= 2.5.4)
       rails-dom-testing (~> 2.0)
-    actionpack (5.1.7)
-      actionview (= 5.1.7)
-      activesupport (= 5.1.7)
-      rack (~> 2.0)
+    actionpack (5.2.8.1)
+      actionview (= 5.2.8.1)
+      activesupport (= 5.2.8.1)
+      rack (~> 2.0, >= 2.0.8)
       rack-test (>= 0.6.3)
       rails-dom-testing (~> 2.0)
       rails-html-sanitizer (~> 1.0, >= 1.0.2)
-    actionview (5.1.7)
-      activesupport (= 5.1.7)
+    actionview (5.2.8.1)
+      activesupport (= 5.2.8.1)
       builder (~> 3.1)
       erubi (~> 1.4)
       rails-dom-testing (~> 2.0)
       rails-html-sanitizer (~> 1.0, >= 1.0.3)
-    activejob (5.1.7)
-      activesupport (= 5.1.7)
+    activejob (5.2.8.1)
+      activesupport (= 5.2.8.1)
       globalid (>= 0.3.6)
-    activemodel (5.1.7)
-      activesupport (= 5.1.7)
-    activerecord (5.1.7)
-      activemodel (= 5.1.7)
-      activesupport (= 5.1.7)
-      arel (~> 8.0)
-    activesupport (5.1.7)
+    activemodel (5.2.8.1)
+      activesupport (= 5.2.8.1)
+    activerecord (5.2.8.1)
+      activemodel (= 5.2.8.1)
+      activesupport (= 5.2.8.1)
+      arel (>= 9.0)
+    activestorage (5.2.8.1)
+      actionpack (= 5.2.8.1)
+      activerecord (= 5.2.8.1)
+      marcel (~> 1.0.0)
+    activesupport (5.2.8.1)
       concurrent-ruby (~> 1.0, >= 1.0.2)
       i18n (>= 0.7, < 2)
       minitest (~> 5.1)
       tzinfo (~> 1.1)
-    arel (8.0.0)
+    arel (9.0.0)
+    base64 (0.2.0)
     builder (3.3.0)
     byebug (11.1.3)
     cgi (0.4.1)
     concurrent-ruby (1.3.4)
     crass (1.0.6)
-    date (3.4.0)
+    date (3.4.1)
     erb (4.0.4)
       cgi (>= 0.3.3)
-    erubi (1.13.0)
+    erubi (1.13.1)
     globalid (1.1.0)
       activesupport (>= 5.0)
     guard-compat (1.2.1)
@@ -70,22 +76,23 @@ GEM
       concurrent-ruby (~> 1.0)
     i18n_data (0.17.1)
       simple_po_parser (~> 1.1)
-    loofah (2.23.1)
+    loofah (2.24.0)
       crass (~> 1.0.2)
       nokogiri (>= 1.12.0)
     mail (2.8.1)
       mini_mime (>= 0.1.1)
       net-imap
       net-pop
       net-smtp
+    marcel (1.0.4)
     method_source (1.1.0)
     mini_mime (1.1.5)
-    mini_portile2 (2.8.7)
-    minitest (5.25.1)
-    mocha (2.5.0)
+    mini_portile2 (2.8.8)
+    minitest (5.25.4)
+    mocha (2.7.1)
       ruby2_keywords (>= 0.0.5)
     mysql2 (0.5.6)
-    net-imap (0.4.17)
+    net-imap (0.4.18)
       date
       net-protocol
     net-pop (0.1.2)
@@ -95,24 +102,26 @@ GEM
     net-smtp (0.5.0)
       net-protocol
     nio4r (2.7.4)
-    nokogiri (1.15.6-arm64-darwin)
+    nokogiri (1.15.7-arm64-darwin)
       racc (~> 1.4)
     pg (1.5.9)
+    power_assert (2.0.5)
     racc (1.8.1)
     rack (2.2.10)
-    rack-test (2.1.0)
+    rack-test (2.2.0)
       rack (>= 1.3)
-    rails (5.1.7)
-      actioncable (= 5.1.7)
-      actionmailer (= 5.1.7)
-      actionpack (= 5.1.7)
-      actionview (= 5.1.7)
-      activejob (= 5.1.7)
-      activemodel (= 5.1.7)
-      activerecord (= 5.1.7)
-      activesupport (= 5.1.7)
+    rails (5.2.8.1)
+      actioncable (= 5.2.8.1)
+      actionmailer (= 5.2.8.1)
+      actionpack (= 5.2.8.1)
+      actionview (= 5.2.8.1)
+      activejob (= 5.2.8.1)
+      activemodel (= 5.2.8.1)
+      activerecord (= 5.2.8.1)
+      activestorage (= 5.2.8.1)
+      activesupport (= 5.2.8.1)
       bundler (>= 1.3.0)
-      railties (= 5.1.7)
+      railties (= 5.2.8.1)
       sprockets-rails (>= 2.0.0)
     rails-controller-testing (1.0.5)
       actionpack (>= 5.0.1.rc1)
@@ -122,37 +131,42 @@ GEM
       activesupport (>= 5.0.0)
       minitest
       nokogiri (>= 1.6)
-    rails-html-sanitizer (1.6.0)
+    rails-html-sanitizer (1.6.2)
       loofah (~> 2.21)
-      nokogiri (~> 1.14)
-    railties (5.1.7)
-      actionpack (= 5.1.7)
-      activesupport (= 5.1.7)
+      nokogiri (>= 1.15.7, != 1.16.7, != 1.16.6, != 1.16.5, != 1.16.4, != 1.16.3, != 1.16.2, != 1.16.1, != 1.16.0.rc1, != 1.16.0)
+    railties (5.2.8.1)
+      actionpack (= 5.2.8.1)
+      activesupport (= 5.2.8.1)
       method_source
       rake (>= 0.8.7)
-      thor (>= 0.18.1, < 2.0)
+      thor (>= 0.19.0, < 2.0)
     rake (13.2.1)
     rb-fsevent (0.11.2)
-    ruby-openid (2.9.2)
+    ruby-openid2 (3.1.0)
+      version_gem (~> 1.1, >= 1.1.4)
     ruby-yadis (0.3.4)
     ruby2_keywords (0.0.5)
     ruby_gntp (0.3.4)
     simple_po_parser (1.1.6)
     sprockets (4.2.1)
       concurrent-ruby (~> 1.0)
       rack (>= 2.2.4, < 4)
-    sprockets-rails (3.2.2)
-      actionpack (>= 4.0)
-      activesupport (>= 4.0)
+    sprockets-rails (3.4.2)
+      actionpack (>= 5.2)
+      activesupport (>= 5.2)
       sprockets (>= 3.0.0)
     sqlite3 (1.7.3)
       mini_portile2 (~> 2.8.0)
+    test-unit (3.6.7)
+      power_assert
     thor (1.3.2)
     thread_safe (0.3.6)
-    timeout (0.4.2)
+    timeout (0.4.3)
     tzinfo (1.2.11)
       thread_safe (~> 0.1)
-    websocket-driver (0.6.5)
+    version_gem (1.1.6)
+    websocket-driver (0.7.7)
+      base64
       websocket-extensions (>= 0.1.0)
     websocket-extensions (0.1.5)
     yubikey (1.4.1)
@@ -163,7 +177,7 @@ PLATFORMS
 DEPENDENCIES
   byebug
   guard-minitest
-  masq!
+  masq2!
   minitest
   mocha
   mysql2
@@ -172,6 +186,7 @@ DEPENDENCIES
   rb-fsevent
   ruby_gntp
   sqlite3
+  test-unit (~> 3.0)
 
 BUNDLED WITH
    2.4.22

README.md

@@ -59,14 +59,62 @@ client-server communication (like requesting simple registration data).
 ### Introduction
 
 `masq2` adds ORACLE database support, as well as support for 
-Rails 5.1, 5.2, 6.0, 6.1, 7.0, 7.1, 7.2, 8.0,
+Rails 5.2, 6.0, 6.1, 7.0, 7.1, 7.2, 8.0,
 which `masq` never had. 
 
 The main functionality is in the server controller, which is the endpoint for incoming
 OpenID requests. The server controller is supposed to only interact with relying parties
 a.k.a. consumer websites. It includes the OpenidServerSystem module, which provides some
 handy methods to access and answer OpenID requests.
 
+#### v1 Release Breaking Change 
+
+\[📒Also Rails 5.2+ / Serialization / Psych Caveats\]
+
+v1 release has a breaking change from the ancient masq v0.3.4 release.
+Continue reading if you think it may impact you.
+
+Rails 5.2.8.1 is a security patch release to fix CVE-2022-32224.
+See: https://discuss.rubyonrails.org/t/cve-2022-32224-possible-rce-escalation-bug-with-serialized-columns-in-active-record/81017
+
+The patch (Rails v5.2.8.1) causes an error with `masq` v0.3.4
+(... actually it doesn't work at all on Rails v5, but some forks have been fixed):
+
+```
+Psych::DisallowedClass: Tried to load unspecified class: ActiveSupport::HashWithIndifferentAccess
+```
+
+when serializing a Hash the way we had done in previous versions `app/models/masq/open_id_request.rb`:
+```ruby
+serialize :parameters, Hash
+```
+
+so we instead switch to serializing as JSON:
+```ruby
+serialize :parameters, JSON
+```
+
+If an implementation needs to continue using the serialized Hash,
+you will need to override the definition by reopening the model, and adding:
+
+```ruby
+serialize :parameters, Hash
+```
+
+In addition, one of the following is also needed.
+
+1. Simple, but insecure fix, which reverts to previous unpatched behavior is:
+
+      ```ruby
+      Rails.application.config.active_record.use_yaml_unsafe_load = true
+      ```
+
+2. More complex, and a bit less insecure fix, is to explicitly list the allowed classes to serialize:
+
+      ```ruby
+      Rails.application.config.active_record.yaml_column_permitted_classes = [Symbol, Date, Time, HashWithIndifferentAccess]
+      ```
+
 ### Testing
 
 You can run the tests with Rake:

app/models/masq/open_id_request.rb

@@ -5,7 +5,7 @@ class OpenIdRequest < ActiveRecord::Base
     before_validation :make_token, :on => :create
 
     #attr_accessible :parameters
-    serialize :parameters, Hash
+    serialize :parameters, JSON
 
     def parameters
       self[:parameters]

lib/masq.rb

@@ -1,6 +1,21 @@
-require "masq/engine"
-require "masq/authenticated_system"
-require "masq/openid_server_system"
-require "masq/active_record_openid_store/association"
-require "masq/active_record_openid_store/nonce"
-require "masq/active_record_openid_store/openid_ar_store"
+# external gems
+require "version_gem"
+
+# this library's version
+require_relative "masq/version"
+
+require_relative "masq/engine"
+require_relative "masq/authenticated_system"
+require_relative "masq/openid_server_system"
+require_relative "masq/active_record_openid_store/association"
+require_relative "masq/active_record_openid_store/nonce"
+require_relative "masq/active_record_openid_store/openid_ar_store"
+
+module Masq
+  # Namespace for this library
+end
+
+# Ensure version is configured before loading the rest of the library
+Masq::Version.class_eval do
+  extend VersionGem::Basic
+end

lib/masq/version.rb

@@ -1,3 +1,5 @@
 module Masq
-  VERSION = "0.3.4"
+  module Version
+    VERSION = "1.0.0-beta.1"
+  end
 end

masq.gemspec

@@ -1,25 +1,28 @@
-$:.push File.expand_path("../lib", __FILE__)
-
-# Maintain your gem's version:
-require "masq/version"
+# Get the GEMFILE_VERSION without *require* "my_gem/version", for code coverage accuracy
+# See: https://github.com/simplecov-ruby/simplecov/issues/557#issuecomment-2630782358
+# Kernel.load because load is overloaded in RubyGems during gemspec evaluation
+Kernel.load("lib/masq/version.rb")
+gem_version = Masq::Version::VERSION
+Masq::Version.send(:remove_const, :VERSION)
 
 # Describe your gem and declare its dependencies:
 Gem::Specification.new do |s|
   s.name        = "masq2"
-  s.version     = Masq::VERSION
+  s.version     = gem_version
   s.authors     = ["Peter Boling", "Dennis Reimann", "Bardoe Besselaar","Nikita Vasiliev"]
   s.email       = ["[email protected]"]
   s.homepage    = "https://github.com/oauth-xx/masq2"
-  s.summary     = "Mountable Rails engine that provides OpenID server/identity provider functionality"
-  s.description = "Masq2 supports the current OpenID specifications (OpenID 2.0) and supports SReg, AX (fetch and store requests) and PAPE as well as some custom additions like multi-factor authentication using a yubikey"
+  s.summary     = "Mountable Rails engine that provides OpenID 2.0 server/identity provider functionality"
+  s.description = "Masq2 supports OpenID 2.0 and supports SReg, AX (fetch and store requests) and PAPE as well as some custom additions like multi-factor authentication using a yubikey"
 
   s.files = Dir["{app,config,db,lib}/**/*"] + ["MIT-LICENSE", "Rakefile", "README.md"]
   s.test_files = Dir["test/**/*"]
 
-  s.add_dependency "rails", "~> 5.1.0"
+  s.add_dependency "version_gem", "~> 1.1", ">= 1.1.6"
+  s.add_dependency "rails", ">= 5.2.8.1"
   s.add_dependency "erb"
   s.add_dependency "rails-controller-testing"
-  s.add_dependency "ruby-openid"
+  s.add_dependency "ruby-openid2", "~> 3.1"
   s.add_dependency "ruby-yadis"
   s.add_dependency "yubikey"
   s.add_dependency "i18n_data"