hubssolib 3.8.0 → 3.8.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 32438e5c41d655367f4bb0e8385b9d972645f2649871a09ab7b09dc5d617fe9e
-  data.tar.gz: a999f01f88325690644675acc1b06b33b7b275374e980c6c3f2fa346c3875d93
+  metadata.gz: 5fea64186dc1f80987fb5b531c46ac8eb9fff78878520b38e392a91dad8de7a9
+  data.tar.gz: 2ebe2f6599cbd9bf9dbfbaa6ebbbb81e99fe6f4922c5f8c19e250e380222c3c9
 SHA512:
-  metadata.gz: 881e57fa9c2e42ed8465b2faabf98cabdacf2dcea5df20d3c617836e50ff74d2255bbe1b8c11ca39b0bb3d57f2927e229ca1a390de11d0fcff9b8e4b32851ae6
-  data.tar.gz: 15aa2e97054fe9a8a86e45d901bdfa36bff0d0a6473ba88d279ec0bf622ce8413e6bc1a7b0427bac1f0e2bc0c2b994d9a3550d48897a8efec7cf2acf0c74abfa
+  metadata.gz: 44b066f10c3615a752b258d85ccf5316358c33af6589c9702ab6b2ae8036f6e7eda9f99ab2a2707dc9acce9e9377ce5e73f28c3533eaec7c7312ac5e6e828fe3
+  data.tar.gz: 1f7ae4d9e29916eb3d14e3c057b61f95192be76954270fd8570dd596a5552495561df2bddd1f16f887ac613bbcd3292fd75228f4bbddf87faeda698c2a866067

data/CHANGELOG.md

@@ -1,3 +1,8 @@
+## 3.8.1, 09-Apr-2025
+
+* It's been too long since I worked with DRb! Important fix for "live" (undumpable) vs copied objects which could lead to session enumeration problems in clients. Now, sessions enumerated by user ID are copies as is user data returned by HubSsoLib::Core#hubssolib_enumerate_users.
+* Other data is still live, since there's a fair amount of write-back that expects to be updating objects held by the DRb server itself. This will all get replaced by database storage in HubSsoLib 4, so I'm not going to address the weaknesses present wherein a session might be expired or deleted "under the feet" of a client. The Hub gem's own write-based operations are all on a "current" session, so that could only vanish if an admin independently elected to destroy all user sessions via the Hub Rails app front-end. The implication is that the other user was probably up to no good, and I don't really mind if they just seem to be suddenly logged out, or see a 500 error due to a _very_ inconveniently-timed page fetch.
+
 ## 3.8.0, 03-Apr-2025
 
 * Adds helper `HubSsoLib::Core#hubssolib_flash_markup` to compliment `HubSsoLib::Core#hubssolib_flash_data` and help make Flash presentation simpler and more consistent across integrated applications.

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    hubssolib (3.8.0)
+    hubssolib (3.8.1)
       base64 (~> 0.2)
       drb (~> 2.2)
 
@@ -178,7 +178,7 @@ GEM
     rake (13.2.1)
     rdoc (6.13.1)
       psych (>= 4.0.0)
-    reline (0.6.0)
+    reline (0.6.1)
       io-console (~> 0.5)
     rspec (3.13.0)
       rspec-core (~> 3.13.0)

data/hubssolib.gemspec

@@ -4,7 +4,7 @@ spec = Gem::Specification.new do |s|
   s.platform = Gem::Platform::RUBY
   s.name     = 'hubssolib'
 
-  s.version  = '3.8.0'
+  s.version  = '3.8.1'
   s.author   = 'Andrew Hodgkinson and others'
   s.email    = 'ahodgkin@rowing.org.uk'
   s.homepage = 'http://pond.org.uk/'

data/lib/hub_sso_lib.rb

@@ -366,17 +366,16 @@ module HubSsoLib
   #          26-Feb-2025 (ADH): Add 'trusted' concept.                  #
   #######################################################################
 
+  # This *must not* be 'undumped', since it gets passed from clients back to
+  # the persistent DRb server process. A client thread may disappear and be
+  # recreated by the web server at any time; if the user object is undumpable,
+  # then the DRb server has to *call back to the client* (in DRb, clients are
+  # also servers...!) to find out about the object. Trouble is, if the client
+  # thread has been recreated, the server will be trying to access to stale
+  # objects that only exist if the garbage collector hasn't got to them yet.
+  #
   class User
 
-    # This *must not* be 'undumped', since it gets passed from clients
-    # back to the persistent DRb server process. A client thread may
-    # disappear and be recreated by the web server at any time; if the
-    # user object is undumpable, then the DRb server has to *call back
-    # to the client* (in DRb, clients are also servers...!) to find out
-    # about the object. Trouble is, if the client thread has been
-    # recreated, the server will be trying to access to stale objects
-    # that only exist if the garbage collector hasn't got to them yet.
-
     attr_accessor :user_salt
     attr_accessor :user_roles
     attr_accessor :user_updated_at
@@ -397,8 +396,8 @@ module HubSsoLib
   end # User class
 
   #######################################################################
-  # Class:   Session                                                    #
-  #          (C) Hipposoft 2006                                         #
+  # Class:   Session family                                             #
+  #          (C) Hipposoft 2006-2025                                    #
   #                                                                     #
   # Purpose: Session support object, used to store session metadata in  #
   #          an insecure cross-application cookie.                      #
@@ -406,37 +405,67 @@ module HubSsoLib
   # Author:  A.D.Hodgkinson                                             #
   #                                                                     #
   # History: 22-Oct-2006 (ADH): Created.                                #
+  #          09-Apr-2025 (ADH): Dumpable/undumpable variants created.   #
   #######################################################################
 
-  class Session
-
-    # Unlike a User, this *is* undumpable since it only gets passed from
-    # server to client. The server's always here to service requests
-    # from the client and used sessions are never garbage collected
-    # since the DRb server's front object, a SessionFactory, keeps them
-    # in a hash held within an instance variable.
-
-    include DRb::DRbUndumped
-
-    attr_accessor :session_last_used
-    attr_reader   :session_return_to # DEPRECATED
-    attr_accessor :session_flash
-    attr_accessor :session_user
-    attr_accessor :session_rotated_key
-
-    def initialize
-      @session_last_used   = Time.now.utc
-      @session_return_to   = nil
-      @session_flash       = {}
-      @session_user        = HubSsoLib::User.new
-      @session_rotated_key = nil
+  # A dumpable base class that can be used for undumpable proxies, where a
+  # change made in an object passed to a client is reflected on the server
+  # where the object actually lives; or for dumpable clones of sessions sent
+  # as read-only copies to clients which won't disppear due to server side
+  # deletion from key rotation, expiry or admin-driven deletion.
+  #
+  class SessionBase
+
+    ATTRIBUTES = %i{
+      session_last_used
+      session_flash
+      session_user
+      session_rotated_key
+    }
+
+    ATTRIBUTES.each { | attr | attr_accessor(attr) }
+    attr_reader :session_return_to # DEPRECATED
+
+    def initialize(copying_session: nil)
+      if copying_session.nil?
+        self.session_last_used   = Time.now.utc
+        self.session_flash       = {}
+        self.session_user        = HubSsoLib::User.new
+        self.session_rotated_key = nil
+      else
+        ATTRIBUTES.each do | attr |
+          self.send("#{attr}=", copying_session.send(attr))
+        end
+      end
 
     rescue => e
       Sentry.capture_exception(e) if defined?(Sentry) && Sentry.respond_to?(:capture_exception)
       raise
     end
+
+  end # SessionBase class
+
+  # Unlike a User, this *is* undumpable since it only gets passed from server
+  # to client. The server's always here to service requests from the client and
+  # used sessions are never garbage collected since the DRb server's front
+  # object, a SessionFactory, keeps them in a hash held within an instance
+  # variable.
+  #
+  # A recognised weakness here is that a session might disappear from under the
+  # feet of an accessing application, due to key rotation or explicit deletion.
+  #
+  class Session < SessionBase
+    include DRb::DRbUndumped
   end # Session class
 
+  # No special conditions - this is just a dumpable session. You should usually
+  # create it based on an undumpable, 'live' session thus:
+  #
+  #   SessionCopy.new(copying_session: undumpable_session)
+  #
+  class SessionCopy < SessionBase
+  end # SessionCopy class
+
   #######################################################################
   # Class:   SessionFactory                                             #
   #          (C) Hipposoft 2006                                         #
@@ -611,6 +640,16 @@ module HubSsoLib
     # given session key. No key rotation occurs. Returns +nil+ if no entry is
     # found for that key.
     #
+    # This returns a *LIVE OBJECT* owned by the DRb server. Writes made to this
+    # object will affect the live session state. However, the session might be
+    # invalidated at any time by actions such as key rotation, expiration or
+    # explicit user deletion. Attempts to read or write properties would then
+    # lead to exceptions such as:
+    #
+    #   "424" is not id value (RangeError)
+    #
+    # ...where 424 is the internal object ID of meaning only to the DRb system.
+    #
     def retrieve_session_by_key(key)
       HUB_MUTEX.synchronize { @hub_sessions[key] }
     end
@@ -622,15 +661,24 @@ module HubSsoLib
     # values yielding HubSsoLib::Session instances as values is returned.
     #
     # The array is ordered by least-recently-active first to most-recent last.
+    # Returned data is a copy of internal session information and should be
+    # considered read-only; changes made will have no effect outside your own
+    # application.
     #
     # IN THE CURRENT IMPLEMENTATION THIS JUST SEQUENTIALLY SCANS ALL ACTIVE
     # SESSIONS IN THE HASH and must therefore lock on mutex for the duration.
     #
     def retrieve_sessions_by_user_id(user_id)
       HUB_MUTEX.synchronize do
-        @hub_sessions.select do | key, session |
-          session&.session_user&.user_id == user_id
+        collection = {}
+
+        @hub_sessions.each do | key, session |
+          if session&.session_user&.user_id == user_id
+            collection[key] = SessionCopy.new(copying_session: session)
+          end
         end
+
+        collection
       end
     end
 
@@ -647,6 +695,8 @@ module HubSsoLib
         @hub_sessions.delete(key)
       end
 
+      return nil
+
     rescue => e
       Sentry.capture_exception(e) if defined?(Sentry) && Sentry.respond_to?(:capture_exception)
       raise
@@ -672,6 +722,8 @@ module HubSsoLib
         end
       end
 
+      return nil
+
     rescue => e
       Sentry.capture_exception(e) if defined?(Sentry) && Sentry.respond_to?(:capture_exception)
       raise
@@ -696,6 +748,8 @@ module HubSsoLib
         end
       end
 
+      return nil
+
     rescue => e
       Sentry.capture_exception(e) if defined?(Sentry) && Sentry.respond_to?(:capture_exception)
       raise
@@ -738,6 +792,8 @@ module HubSsoLib
         puts "Session factory: ...Destroyed #{destroyed} session(s)"
       end
 
+      return nil
+
     rescue => e
       Sentry.capture_exception(e) if defined?(Sentry) && Sentry.respond_to?(:capture_exception)
       raise
@@ -1251,8 +1307,8 @@ module HubSsoLib
 
       unless hub_session_info[:keys].nil? # (keyset too large, enumeration prohibited)
         hub_session_info[:keys].each do | key |
-          session = hubssolib_factory().retrieve_session_by_key(key)
-          hub_users << session.session_user unless session&.session_user&.user_id.nil?
+          session_user = hubssolib_factory().retrieve_session_by_key(key)&.session_user
+          hub_users << session_user unless session_user&.user_id.nil?
         end
       end
 

metadata

@@ -1,13 +1,13 @@
 --- !ruby/object:Gem::Specification
 name: hubssolib
 version: !ruby/object:Gem::Version
-  version: 3.8.0
+  version: 3.8.1
 platform: ruby
 authors:
 - Andrew Hodgkinson and others
 bindir: bin
 cert_chain: []
-date: 2025-04-04 00:00:00.000000000 Z
+date: 2025-04-09 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: drb
@@ -138,6 +138,7 @@ files:
 - Gemfile
 - Gemfile.lock
 - README.md
+- hubssolib-3.7.0.gem
 - hubssolib.gemspec
 - lib/hub_sso_lib.rb
 homepage: http://pond.org.uk/