Extract SIGN_COUNT_LIMIT constant in WebauthnCredential class (#30636)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>

Gemfile.lock

@@ -498,6 +498,10 @@ GEM
       opentelemetry-semantic_conventions
     opentelemetry-helpers-sql-obfuscation (0.1.0)
       opentelemetry-common (~> 0.20)
+    opentelemetry-instrumentation-action_mailer (0.1.0)
+      opentelemetry-api (~> 1.0)
+      opentelemetry-instrumentation-active_support (~> 0.1)
+      opentelemetry-instrumentation-base (~> 0.22.1)
     opentelemetry-instrumentation-action_pack (0.9.0)
       opentelemetry-api (~> 1.0)
       opentelemetry-instrumentation-base (~> 0.22.1)
@@ -551,8 +555,9 @@ GEM
       opentelemetry-api (~> 1.0)
       opentelemetry-common (~> 0.20.0)
       opentelemetry-instrumentation-base (~> 0.22.1)
-    opentelemetry-instrumentation-rails (0.30.1)
+    opentelemetry-instrumentation-rails (0.30.2)
       opentelemetry-api (~> 1.0)
+      opentelemetry-instrumentation-action_mailer (~> 0.1.0)
       opentelemetry-instrumentation-action_pack (~> 0.9.0)
       opentelemetry-instrumentation-action_view (~> 0.7.0)
       opentelemetry-instrumentation-active_job (~> 0.7.0)

app/controllers/admin/domain_blocks_controller.rb

@@ -4,6 +4,18 @@ module Admin
   class DomainBlocksController < BaseController
     before_action :set_domain_block, only: [:destroy, :edit, :update]
 
+    PERMITTED_PARAMS = %i(
+      domain
+      obfuscate
+      private_comment
+      public_comment
+      reject_media
+      reject_reports
+      severity
+    ).freeze
+
+    PERMITTED_UPDATE_PARAMS = PERMITTED_PARAMS.without(:domain).freeze
+
     def batch
       authorize :domain_block, :create?
       @form = Form::DomainBlockBatch.new(form_domain_block_batch_params.merge(current_account: current_account, action: action_from_button))
@@ -88,11 +100,17 @@ module Admin
     end
 
     def update_params
-      params.require(:domain_block).permit(:severity, :reject_media, :reject_reports, :private_comment, :public_comment, :obfuscate)
+      params
+        .require(:domain_block)
+        .slice(*PERMITTED_UPDATE_PARAMS)
+        .permit(*PERMITTED_UPDATE_PARAMS)
     end
 
     def resource_params
-      params.require(:domain_block).permit(:domain, :severity, :reject_media, :reject_reports, :private_comment, :public_comment, :obfuscate)
+      params
+        .require(:domain_block)
+        .slice(*PERMITTED_PARAMS)
+        .permit(*PERMITTED_PARAMS)
     end
 
     def form_domain_block_batch_params

app/controllers/api/v1/admin/tags_controller.rb

@@ -13,6 +13,13 @@ class Api::V1::Admin::TagsController < Api::BaseController
 
   LIMIT = 100
 
+  PERMITTED_PARAMS = %i(
+    display_name
+    listable
+    trendable
+    usable
+  ).freeze
+
   def index
     authorize :tag, :index?
     render json: @tags, each_serializer: REST::Admin::TagSerializer
@@ -40,7 +47,9 @@ class Api::V1::Admin::TagsController < Api::BaseController
   end
 
   def tag_params
-    params.permit(:display_name, :trendable, :usable, :listable)
+    params
+      .slice(*PERMITTED_PARAMS)
+      .permit(*PERMITTED_PARAMS)
   end
 
   def next_path

app/javascript/styles/mastodon/forms.scss

@@ -613,9 +613,10 @@ code {
       font-family: inherit;
       pointer-events: none;
       cursor: default;
-      max-width: 140px;
+      max-width: 50%;
       white-space: nowrap;
       overflow: hidden;
+      text-overflow: ellipsis;
 
       &::after {
         content: '';

app/lib/access_grant_extension.rb

@@ -0,0 +1,10 @@
+# frozen_string_literal: true
+
+module AccessGrantExtension
+  extend ActiveSupport::Concern
+
+  included do
+    scope :expired, -> { where.not(expires_in: nil).where('created_at + MAKE_INTERVAL(secs => expires_in) < NOW()') }
+    scope :revoked, -> { where.not(revoked_at: nil).where(revoked_at: ...Time.now.utc) }
+  end
+end

app/lib/access_token_extension.rb

@@ -9,6 +9,10 @@ module AccessTokenExtension
     has_many :web_push_subscriptions, class_name: 'Web::PushSubscription', inverse_of: :access_token
 
     after_commit :push_to_streaming_api
+
+    scope :expired, -> { where.not(expires_in: nil).where('created_at + MAKE_INTERVAL(secs => expires_in) < NOW()') }
+    scope :not_revoked, -> { where(revoked_at: nil) }
+    scope :revoked, -> { where.not(revoked_at: nil).where(revoked_at: ...Time.now.utc) }
   end
 
   def revoke(clock = Time)

app/lib/vacuum/access_tokens_vacuum.rb

@@ -9,12 +9,12 @@ class Vacuum::AccessTokensVacuum
   private
 
   def vacuum_revoked_access_tokens!
-    Doorkeeper::AccessToken.where.not(expires_in: nil).where('created_at + make_interval(secs => expires_in) < NOW()').in_batches.delete_all
-    Doorkeeper::AccessToken.where.not(revoked_at: nil).where('revoked_at < NOW()').in_batches.delete_all
+    Doorkeeper::AccessToken.expired.in_batches.delete_all
+    Doorkeeper::AccessToken.revoked.in_batches.delete_all
   end
 
   def vacuum_revoked_access_grants!
-    Doorkeeper::AccessGrant.where.not(expires_in: nil).where('created_at + make_interval(secs => expires_in) < NOW()').in_batches.delete_all
-    Doorkeeper::AccessGrant.where.not(revoked_at: nil).where('revoked_at < NOW()').in_batches.delete_all
+    Doorkeeper::AccessGrant.expired.in_batches.delete_all
+    Doorkeeper::AccessGrant.revoked.in_batches.delete_all
   end
 end

app/models/web/push_subscription.rb

@@ -75,7 +75,7 @@ class Web::PushSubscription < ApplicationRecord
 
   class << self
     def unsubscribe_for(application_id, resource_owner)
-      access_token_ids = Doorkeeper::AccessToken.where(application_id: application_id, resource_owner_id: resource_owner.id, revoked_at: nil).pluck(:id)
+      access_token_ids = Doorkeeper::AccessToken.where(application_id: application_id, resource_owner_id: resource_owner.id).not_revoked.pluck(:id)
       where(access_token_id: access_token_ids).delete_all
     end
   end

app/models/webauthn_credential.rb

@@ -15,9 +15,11 @@
 #
 
 class WebauthnCredential < ApplicationRecord
+  SIGN_COUNT_LIMIT = (2**63)
+
   validates :external_id, :public_key, :nickname, :sign_count, presence: true
   validates :external_id, uniqueness: true
   validates :nickname, uniqueness: { scope: :user_id }
   validates :sign_count,
-            numericality: { only_integer: true, greater_than_or_equal_to: 0, less_than_or_equal_to: (2**63) - 1 }
+            numericality: { only_integer: true, greater_than_or_equal_to: 0, less_than_or_equal_to: SIGN_COUNT_LIMIT - 1 }
 end

app/views/redirects/show.html.haml

@@ -1,3 +1,7 @@
+- content_for :header_tags do
+  %meta{ name: 'robots', content: 'noindex, noarchive' }/
+  %link{ rel: 'canonical', href: @redirect_path }
+
 .redirect
   .redirect__logo
     = link_to render_logo, root_path

config/application.rb

@@ -115,6 +115,7 @@ module Mastodon
       Doorkeeper::AuthorizationsController.layout 'modal'
       Doorkeeper::AuthorizedApplicationsController.layout 'admin'
       Doorkeeper::Application.include ApplicationExtension
+      Doorkeeper::AccessGrant.include AccessGrantExtension
       Doorkeeper::AccessToken.include AccessTokenExtension
       Devise::FailureApp.include AbstractController::Callbacks
       Devise::FailureApp.include Localized

lib/paperclip/color_extractor.rb

@@ -122,26 +122,28 @@ module Paperclip
 
       colors['out_array'].zip(colors['x_array'], colors['y_array']).map do |v, x, y|
         rgb_from_xyv(histogram, x, y, v)
-      end.reverse
+      end.flatten.reverse.uniq
     end
 
     # rubocop:disable Naming/MethodParameterName
     def rgb_from_xyv(image, x, y, v)
       pixel = image.getpoint(x, y)
 
-      # Unfortunately, we only have the first 2 dimensions, so try to
-      # guess the third one by looking up the value
+      # As we only have the first 2 dimensions for this maximum, we
+      # can't distinguish with different maxima with the same `r` and `g`
+      # values but different `b` values.
+      #
+      # Therefore, we return an array of maxima, which is always non-empty,
+      # but may contain multiple colors with the same values.
 
-      # NOTE: this means that if multiple bins with the same `r` and `g`
-      # components have the same number of occurrences, we will always return
-      # the one with the lowest `b` value. This means that in case of a tie,
-      # we will return the same color twice and skip the ones it tied with.
-      z = pixel.find_index(v)
+      pixel.filter_map.with_index do |pv, z|
+        next if pv != v
 
-      r = (x + 0.5) * 256 / BINS
-      g = (y + 0.5) * 256 / BINS
-      b = (z + 0.5) * 256 / BINS
-      ColorDiff::Color::RGB.new(r, g, b)
+        r = (x + 0.5) * 256 / BINS
+        g = (y + 0.5) * 256 / BINS
+        b = (z + 0.5) * 256 / BINS
+        ColorDiff::Color::RGB.new(r, g, b)
+      end
     end
 
     def w3c_contrast(color1, color2)

spec/models/account_domain_block_spec.rb

@@ -3,22 +3,30 @@
 require 'rails_helper'
 
 RSpec.describe AccountDomainBlock do
+  let(:account) { Fabricate(:account) }
+
   it 'removes blocking cache after creation' do
-    account = Fabricate(:account)
     Rails.cache.write("exclude_domains_for:#{account.id}", 'a.domain.already.blocked')
 
-    described_class.create!(account: account, domain: 'a.domain.blocked.later')
-
-    expect(Rails.cache.exist?("exclude_domains_for:#{account.id}")).to be false
+    expect { block_domain_for_account('a.domain.blocked.later') }
+      .to change { account_has_exclude_domains_cache? }.to(false)
   end
 
   it 'removes blocking cache after destruction' do
-    account = Fabricate(:account)
-    block = described_class.create!(account: account, domain: 'domain')
+    block = block_domain_for_account('domain')
     Rails.cache.write("exclude_domains_for:#{account.id}", 'domain')
 
-    block.destroy!
+    expect { block.destroy! }
+      .to change { account_has_exclude_domains_cache? }.to(false)
+  end
 
-    expect(Rails.cache.exist?("exclude_domains_for:#{account.id}")).to be false
+  private
+
+  def block_domain_for_account(domain)
+    Fabricate(:account_domain_block, account: account, domain: domain)
+  end
+
+  def account_has_exclude_domains_cache?
+    Rails.cache.exist?("exclude_domains_for:#{account.id}")
   end
 end

spec/models/webauthn_credential_spec.rb

@@ -71,8 +71,8 @@ RSpec.describe WebauthnCredential do
       expect(webauthn_credential).to model_have_error_on_field(:sign_count)
     end
 
-    it 'is invalid if sign_count is greater 2**63 - 1' do
-      webauthn_credential = Fabricate.build(:webauthn_credential, sign_count: 2**63)
+    it 'is invalid if sign_count is greater than the limit' do
+      webauthn_credential = Fabricate.build(:webauthn_credential, sign_count: (described_class::SIGN_COUNT_LIMIT * 2))
 
       webauthn_credential.valid?