Call Devise RegistrationsController block

When a Devise user calls create with a block, that block was swallowed by the block we use to perform our resource information extraction for registration events. Ensure the original block is called. We call it after our analysis in the event we should block for some reason, thus protecting the additional user code in their block. JIRA: - [SCRS-704](https://datadoghq.atlassian.net/browse/SCRS-704) - [APPSEC-12115](https://datadoghq.atlassian.net/browse/APPSEC-12115) - [APPSEC-12770](https://datadoghq.atlassian.net/browse/APPSEC-12770)
DataDog · Nov 28, 2023 · 176c642 · 176c642
1 parent dfacb69
commit 176c642
Show file tree

Hide file tree

Showing 2 changed files with 127 additions and 0 deletions.
diff --git a/lib/datadog/appsec/contrib/devise/patcher/registration_controller_patch.rb b/lib/datadog/appsec/contrib/devise/patcher/registration_controller_patch.rb
@@ -42,6 +42,8 @@ def create
                     **event_information.to_h
                   )
                 end
+
+                yield resource if block_given?
               end
             end
           end

diff --git a/spec/datadog/appsec/contrib/devise/patcher/registration_controller_patch_spec.rb b/spec/datadog/appsec/contrib/devise/patcher/registration_controller_patch_spec.rb
@@ -66,6 +66,17 @@ def try(value)
       expect(Datadog::AppSec::Contrib::Devise::Tracking).to_not receive(:track_signup)
       expect(controller.create).to eq(true)
     end
+
+    context 'and a block is given' do
+      let(:canary) { proc { |resource| } }
+      let(:block) { proc { |resource| canary.call(resource) } }
+
+      it 'do not tracks event' do
+        expect(Datadog::AppSec::Contrib::Devise::Tracking).to_not receive(:track_signup)
+        expect(canary).to receive(:call).with(resource)
+        expect(controller.create(&block)).to eq(true)
+      end
+    end
   end
 
   context 'Automated user tracking is disabled' do
@@ -77,6 +88,17 @@ def try(value)
       expect(Datadog::AppSec::Contrib::Devise::Tracking).to_not receive(:track_signup)
       expect(controller.create).to eq(true)
     end
+
+    context 'and a block is given' do
+      let(:canary) { proc { |resource| } }
+      let(:block) { proc { |resource| canary.call(resource) } }
+
+      it 'do not tracks event' do
+        expect(Datadog::AppSec::Contrib::Devise::Tracking).to_not receive(:track_signup)
+        expect(canary).to receive(:call).with(resource)
+        expect(controller.create(&block)).to eq(true)
+      end
+    end
   end
 
   context 'AppSec scope is nil ' do
@@ -89,6 +111,17 @@ def try(value)
       expect(Datadog::AppSec::Contrib::Devise::Tracking).to_not receive(:track_signup)
       expect(controller.create).to eq(true)
     end
+
+    context 'and a block is given' do
+      let(:canary) { proc { |resource| } }
+      let(:block) { proc { |resource| canary.call(resource) } }
+
+      it 'do not tracks event' do
+        expect(Datadog::AppSec::Contrib::Devise::Tracking).to_not receive(:track_signup)
+        expect(canary).to receive(:call).with(resource)
+        expect(controller.create(&block)).to eq(true)
+      end
+    end
   end
 
   context 'with persisted resource' do
@@ -99,6 +132,41 @@ def try(value)
     context 'with resource ID' do
       let(:resource) { persited_resource }
 
+      context 'and a block is given' do
+        let(:canary) { proc { |resource| } }
+        let(:block) { proc { |resource| canary.call(resource) } }
+
+        context 'safe mode' do
+          let(:mode) { 'safe' }
+
+          it 'tracks event' do
+            expect(Datadog::AppSec::Contrib::Devise::Tracking).to receive(:track_signup).with(
+              appsec_scope.trace,
+              appsec_scope.service_entry_span,
+              user_id: resource.id,
+              **{}
+            )
+            expect(canary).to receive(:call).with(resource)
+            expect(controller.create(&block)).to eq(true)
+          end
+        end
+
+        context 'extended mode' do
+          let(:mode) { 'extended' }
+
+          it 'tracks event' do
+            expect(Datadog::AppSec::Contrib::Devise::Tracking).to receive(:track_signup).with(
+              appsec_scope.trace,
+              appsec_scope.service_entry_span,
+              user_id: resource.id,
+              **{ email: 'hello@gmail.com', username: 'John' }
+            )
+            expect(canary).to receive(:call).with(resource)
+            expect(controller.create(&block)).to eq(true)
+          end
+        end
+      end
+
       context 'safe mode' do
         let(:mode) { 'safe' }
 
@@ -131,6 +199,41 @@ def try(value)
     context 'without resource ID' do
       let(:resource) { mock_resource.new(nil, 'hello@gmail.com', 'John', true) }
 
+      context 'and a block is given' do
+        let(:canary) { proc { |resource| } }
+        let(:block) { proc { |resource| canary.call(resource) } }
+
+        context 'safe mode' do
+          let(:mode) { 'safe' }
+
+          it 'tracks event' do
+            expect(Datadog::AppSec::Contrib::Devise::Tracking).to receive(:track_signup).with(
+              appsec_scope.trace,
+              appsec_scope.service_entry_span,
+              user_id: nil,
+              **{}
+            )
+            expect(canary).to receive(:call).with(resource)
+            expect(controller.create(&block)).to eq(true)
+          end
+        end
+
+        context 'extended mode' do
+          let(:mode) { 'extended' }
+
+          it 'tracks event' do
+            expect(Datadog::AppSec::Contrib::Devise::Tracking).to receive(:track_signup).with(
+              appsec_scope.trace,
+              appsec_scope.service_entry_span,
+              user_id: nil,
+              **{ email: 'hello@gmail.com', username: 'John' }
+            )
+            expect(canary).to receive(:call).with(resource)
+            expect(controller.create(&block)).to eq(true)
+          end
+        end
+      end
+
       context 'safe mode' do
         let(:mode) { 'safe' }
 
@@ -174,6 +277,17 @@ def try(value)
         expect(Datadog::AppSec::Contrib::Devise::Tracking).to_not receive(:track_signup)
         expect(controller.create).to eq(true)
       end
+
+      context 'and a block is given' do
+        let(:canary) { proc { |resource| } }
+        let(:block) { proc { |resource| canary.call(resource) } }
+
+        it 'do not tracks event' do
+          expect(Datadog::AppSec::Contrib::Devise::Tracking).to_not receive(:track_signup)
+          expect(canary).to receive(:call).with(resource)
+          expect(controller.create(&block)).to eq(true)
+        end
+      end
     end
 
     context 'extended mode' do
@@ -183,6 +297,17 @@ def try(value)
         expect(Datadog::AppSec::Contrib::Devise::Tracking).to_not receive(:track_signup)
         expect(controller.create).to eq(true)
       end
+
+      context 'and a block is given' do
+        let(:canary) { proc { |resource| } }
+        let(:block) { proc { |resource| canary.call(resource) } }
+
+        it 'do not tracks event' do
+          expect(Datadog::AppSec::Contrib::Devise::Tracking).to_not receive(:track_signup)
+          expect(canary).to receive(:call).with(resource)
+          expect(controller.create(&block)).to eq(true)
+        end
+      end
     end
   end
 end
-Original file line number
+Diff line change
@@ Expand Up / @@ -42,6 +42,8 @@ def create @@
                         **event_information.to_h
                       )
                     end
+                    yield resource if block_given?
                   end
                 end
               end
@@ Expand Down @@