Fixes #32881 - expose previous app record through safemode

app/models/application_record.rb

@@ -9,10 +9,16 @@ class ApplicationRecord < ActiveRecord::Base
     name_desc = @meta[:name_desc] || "Name of the #{@meta[:friendly_name] || @meta[:class_scope]}#{meta_example}"
     property :name, String, desc: name_desc
     property :present?, one_of: [true, false], desc: 'Object presence (always true)'
+    property :previous_revision, ApplicationRecord, desc: "Previous revision of the record as tracked in the audit, returns the same object if there is no previous revision"
   end
 
-  class Jail < Safemode::Jail
-    allow :id, :name, :present?
+  class Jail < ::Safemode::Jail
+    allow :id, :name, :present?, :previous_revision
+  end
+
+  # Overriden by audited for some models
+  def previous_revision
+    raise "Class #{self.class.name} is not audited"
   end
 
   self.abstract_class = true

app/models/concerns/audit_associations.rb

@@ -8,6 +8,10 @@ def audited_attributes
       super.merge(associated_attributes)
     end
 
+    def previous_revision
+      revision(:previous)
+    end
+
     protected
 
     # Prevent associations from being set when looking at revisions since

app/models/domain.rb

@@ -56,7 +56,7 @@ class Domain < ApplicationRecord
     prop_group :basic_model_props, ApplicationRecord, meta: { example: 'example.com' }
     property :fullname, String, desc: 'User name for this domain, e.g. "Primary domain for our company"'
   end
-  class Jail < Safemode::Jail
+  class Jail < ApplicationRecord::Jail
     allow :id, :name, :fullname
   end
 

app/models/host/managed.rb

@@ -161,7 +161,7 @@ def build_hooks
     property :created_at, 'ActiveSupport::TimeWithZone', desc: 'The time when the host was created'
     property :comment, String, desc: 'Returns comment/description of this host'
   end
-  class Jail < ::Safemode::Jail
+  class Jail < ApplicationRecord::Jail
     allow :id, :name, :created_at, :diskLayout, :puppetmaster, :puppet_server, :puppet_ca_server, :operatingsystem, :os, :ptable, :hostgroup,
       :url_for_boot, :hostgroup, :compute_resource, :domain, :ip, :ip6, :mac, :shortname, :architecture,
       :model, :certname, :capabilities, :provider, :subnet, :subnet6, :token, :location, :organization, :provision_method,

app/models/host_status/status.rb

@@ -16,7 +16,7 @@ def self.presenter
       ::HostStatusPresenter.new(self)
     end
 
-    class Jail < ::Safemode::Jail
+    class Jail < ApplicationRecord::Jail
       allow :host, :to_global, :to_label, :status, :name, :relevant?
       allow_class_method :status_name, :humanized_name
     end

app/models/hostgroup.rb

@@ -107,7 +107,7 @@ class Hostgroup < ApplicationRecord
     property :pxe_loader, String, desc: 'Returns boot loader to be applied on each host within this host group'
     property :title, String, desc: 'Returns full title of this host group, e.g. Base/CentOS 7'
   end
-  class Jail < Safemode::Jail
+  class Jail < ApplicationRecord::Jail
     allow :id, :name, :diskLayout, :puppetmaster, :puppet_server, :operatingsystem, :architecture,
       :ptable, :url_for_boot, :params, :puppet_proxy, :puppet_ca_server,
       :os, :arch, :domain, :subnet, :subnet6, :hosts, :realm,

app/models/nic/base.rb

@@ -116,7 +116,7 @@ class Base < ApplicationRecord
       property :bmc?, one_of: [true, false], desc: 'Returns true if the type of the interface is BMC, false otherwise'
       property :link, one_of: [true, false], desc: 'Returns true if the interface is up, false otherwise'
     end
-    class Jail < ::Safemode::Jail
+    class Jail < ApplicationRecord::Jail
       allow :id, :subnet, :subnet6, :virtual?, :physical?, :mac, :ip, :ip6, :identifier, :attached_to,
         :link, :tag, :domain, :vlanid, :mtu, :bond_options, :attached_devices, :mode,
         :attached_devices_identifiers, :primary, :provision, :alias?, :inheriting_mac,

app/models/operatingsystem.rb

@@ -90,7 +90,7 @@ class Operatingsystem < ApplicationRecord
     property :pxe_type, String, desc: 'PXE type of the operating system, e.g. kickstart'
     property :password_hash, String, desc: 'Encrypted hash of the operating system password'
   end
-  class Jail < Safemode::Jail
+  class Jail < ApplicationRecord::Jail
     allow :id, :name, :major, :minor, :family, :to_s, :==, :release, :release_name, :kernel, :initrd, :pxe_type, :boot_files_uri, :password_hash, :mediumpath
   end
 

app/models/ptable.rb

@@ -64,7 +64,7 @@ def base_class
     sections only: %w[all additional]
     prop_group :basic_model_props, ApplicationRecord, meta: { friendly_name: 'partition table', example: 'Kickstart default' }
   end
-  class Jail < Safemode::Jail
+  class Jail < ApplicationRecord::Jail
     allow :id, :name
   end
 

app/models/realm.rb

@@ -39,7 +39,7 @@ class Realm < ApplicationRecord
     prop_group :basic_model_props, ApplicationRecord, meta: { example: 'EXAMPLE.COM' }
     property :realm_type, String, desc: 'Realm type, e.g. FreeIPA or Active Directory'
   end
-  class Jail < ::Safemode::Jail
+  class Jail < ApplicationRecord::Jail
     allow :id, :name, :realm_type
   end
 end

app/models/smart_proxy.rb

@@ -206,7 +206,7 @@ def get_features
     property :httpboot_https_port, Integer, desc: 'Returns proxy port for HTTPS boot'
     property :httpboot_https_port!, Integer, desc: 'Same as httpboot_https_port, but raises Foreman::Exception if no port is set'
   end
-  class Jail < ::Safemode::Jail
+  class Jail < ApplicationRecord::Jail
     allow :id, :name, :hostname, :httpboot_http_port, :httpboot_https_port, :httpboot_http_port!, :httpboot_https_port!, :url
   end
 end

app/models/ssh_key.rb

@@ -48,7 +48,7 @@ class SshKey < ApplicationRecord
     property :comment, String, desc: 'Returns a key comment. The comment is usually a user identifier',
                                example: '@ssh-key.comment # => forman@foreman.example.com'
   end
-  class Jail < ::Safemode::Jail
+  class Jail < ApplicationRecord::Jail
     allow :id, :name, :user, :key, :to_export, :fingerprint, :length, :ssh_key, :type, :comment
   end
 

app/models/subnet.rb

@@ -155,7 +155,7 @@ def model_name
     property :to_label, String, desc: 'Returns the the subnet label which is a combination of name and the network address'
     property :vlanid, Integer, desc: 'Returns the VLAN ID for of this subnet'
   end
-  class Jail < ::Safemode::Jail
+  class Jail < ApplicationRecord::Jail
     allow :id, :name, :network, :mask, :cidr, :title, :to_label, :gateway, :dns_primary, :dns_secondary, :dns_servers,
       :vlanid, :mtu, :nic_delay, :boot_mode, :nil?, :has_vlanid?, :dhcp_boot_mode?, :description, :present?,
       :dhcp, :dhcp?, :tftp, :tftp?, :dns, :dns?, :httpboot, :httpboot?, :template, :template?, :ipam, :ipam?

app/models/template.rb

@@ -29,7 +29,7 @@ class Template < ApplicationRecord
     sections only: %w[all additional]
     prop_group :basic_model_props, ApplicationRecord
   end
-  class Jail < Safemode::Jail
+  class Jail < ApplicationRecord::Jail
     allow :id, :name
   end
 

app/models/token.rb

@@ -4,7 +4,7 @@ class Token < ApplicationRecord
 
   validates :value, :host_id, :presence => true
 
-  class Jail < ::Safemode::Jail
+  class Jail < ApplicationRecord::Jail
     allow :id, :host, :value, :expires, :nil?, :present?
   end
 

app/models/user.rb

@@ -161,7 +161,7 @@ def as_json(options = {})
     property :last_login_on, 'ActiveSupport::TimeWithZone', desc: 'Returns the user last login time, in UTC time zone'
     property :disabled, one_of: [true, false], desc: 'Returns true if the user account is disabled, false otherwise'
   end
-  class Jail < ::Safemode::Jail
+  class Jail < ApplicationRecord::Jail
     allow :id, :login, :ssh_keys, :ssh_authorized_keys, :description, :firstname, :lastname, :mail, :last_login_on, :disabled
   end
 

app/models/usergroup.rb

@@ -43,7 +43,7 @@ class Usergroup < ApplicationRecord
 
   accepts_nested_attributes_for :external_usergroups, :reject_if => ->(a) { a[:name].blank? }, :allow_destroy => true
 
-  class Jail < ::Safemode::Jail
+  class Jail < ApplicationRecord::Jail
     allow :id, :ssh_keys, :all_users, :ssh_authorized_keys
   end
 

app/registries/foreman/plugin.rb

@@ -639,6 +639,20 @@ def extend_observable_events(events)
       (@observable_events << events).flatten!.uniq!
     end
 
+    def extend_allowed_instance_methods_for_jail(jail_class, *methods)
+      raise "Jail not defined for #{jail_class}" unless jail_class.const_defined?(:Jail)
+      methods.each do |method|
+        Object.const_get("#{jail_class}::Jail").allow_instance_method method.to_sym
+      end
+    end
+
+    def extend_allowed_class_methods_for_jail(jail_class, *methods)
+      raise "Jail not defined for #{jail_class}" unless jail_class.const_defined?(:Jail)
+      methods.each do |method|
+        Object.const_get("#{jail_class}::Jail").allow_class_method method.to_sym
+      end
+    end
+
     delegate :subscribe, to: ActiveSupport::Notifications
 
     private

app/services/medium_providers/provider.rb

@@ -13,7 +13,7 @@ def self.friendly_name
       name
     end
 
-    class Jail < Safemode::Jail
+    class Jail < ::Safemode::Jail
       allow :medium_uri, :unique_id, :errors
     end
 

test/unit/foreman/renderer/safe_mode_renderer_test.rb

@@ -24,4 +24,15 @@ def renderer
 
     assert_include exception.message, 'parse error on value ")"'
   end
+
+  test "application record allowed methods" do
+    assert ::ApplicationRecord::Jail.allowed? :name
+    assert ::ApplicationRecord::Jail.allowed? :present?
+  end
+
+  test "application record child allowed methods" do
+    assert ::Domain::Jail.allowed? :name
+    assert ::Domain::Jail.allowed? :fullname
+    assert ::Domain::Jail.allowed? :present?
+  end
 end