pass in user id for just in time user impersonation override

cryptomail · cryptomail · commit 46d2dc2e4b28 · 2025-10-11T23:31:01.000-07:00
diff --git a/.ruby-version b/.ruby-version
@@ -1 +1 @@
-3.1.7
+3.4.7
diff --git a/Gemfile.lock b/Gemfile.lock
@@ -2,6 +2,7 @@ PATH
   remote: .
   specs:
     zendesk_api (3.1.1)
+      base64
       faraday (> 2.0.0)
       faraday-multipart
       hashie (>= 3.5.2)
diff --git a/lib/zendesk_api/client.rb b/lib/zendesk_api/client.rb
@@ -9,6 +9,7 @@
 require 'zendesk_api/middleware/request/raise_rate_limited'
 require 'zendesk_api/middleware/request/upload'
 require 'zendesk_api/middleware/request/encode_json'
+require 'zendesk_api/middleware/request/api_token_impersonate'
 require 'zendesk_api/middleware/request/url_based_access_token'
 require 'zendesk_api/middleware/response/callback'
 require 'zendesk_api/middleware/response/deflate'
@@ -104,6 +105,24 @@ def initialize
       add_warning_callback
     end
 
+    # token impersonation for the scope of the block
+    # @param [String] username The username (email) of the user to impersonate
+    # @yield The block to run while impersonating the user
+    # @example
+    #   client.api_token_impersonate("otheruser@yourcompany.com") do
+    #    client.tickets.create(:subject => "Help!")
+    #   end
+    #
+    #   # creates a ticket on behalf of otheruser
+    # @return
+    # yielded value
+    def api_token_impersonate(username)
+      Thread.current[:local_username] = username
+      yield
+    ensure
+      Thread.current[:local_username] = nil
+    end
+
     # Creates a connection if there is none, otherwise returns the existing connection.
     #
     # @return [Faraday::Connection] Faraday connection for the client
@@ -180,6 +199,7 @@ def build_connection
         end
 
         builder.adapter(*adapter, &config.adapter_proc)
+        builder.use ZendeskAPI::Middleware::Request::ApiTokenImpersonate
       end
     end
 
diff --git a/lib/zendesk_api/middleware/request/api_token_impersonate.rb b/lib/zendesk_api/middleware/request/api_token_impersonate.rb
@@ -0,0 +1,28 @@
+require 'base64'
+module ZendeskAPI
+  # @private
+  module Middleware
+    # @private
+    module Request
+      # ApiTokenImpersonate
+      # If Thread.current[:local_username] is set, it will modify the Authorization header
+      # to impersonate that user using the API token from the current Authorization header.
+      class ApiTokenImpersonate < Faraday::Middleware
+        def call(env)
+          if Thread.current[:local_username] && env[:request_headers][:authorization] =~ /^Basic /
+            current_u_p_encoded = env[:request_headers][:authorization].split(/\s+/)[1]
+            current_u_p = Base64.urlsafe_decode64(current_u_p_encoded)
+            unless current_u_p.include?("/token:")
+              raise ZendeskAPI::Error, "You must use an API token to impersonate a user."
+            end
+
+            parts = current_u_p.split(":")
+            next_u_p = "#{Thread.current[:local_username]}/token:#{parts[1]}"
+            env[:request_headers][:authorization] = "Basic #{Base64.urlsafe_encode64(next_u_p)}"
+          end
+          @app.call(env)
+        end
+      end
+    end
+  end
+end
diff --git a/zendesk_api.gemspec b/zendesk_api.gemspec
@@ -33,4 +33,5 @@ Gem::Specification.new do |s|
   s.add_dependency "inflection"
   s.add_dependency "multipart-post", "~> 2.0"
   s.add_dependency "mini_mime"
+  s.add_dependency "base64"
 end
