atomic_tenant 1.2.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 1fb823e9a69ae301f4c54a2fdd0212a1ab1a722d8a29693eb19ab368bfe20426
+  data.tar.gz: 5dfc41443847da7d515de0aea9303d44cacac5ba424fbc9e2837335221c90a59
+SHA512:
+  metadata.gz: 178f0e154893bed333c5d1a308b6598c795b5516b9884083fc4303e57949cc623725a282bf7c7d6a01ae1bb334eb9d73bdc1e8fc5ad5986cb015f377eb0bfd11
+  data.tar.gz: de989225aac86e31b254e23c514bf1714bae793f319e63f48bcb140b3eb1e233e591c481d7b03e4c20325ac66153c147df9243ec0ddfb87051a2b816f1cd6f2c

data/MIT-LICENSE

@@ -0,0 +1,20 @@
+Copyright 2022 Nick Benoit
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,38 @@
+# AtomicTenant
+This gem handles figuring out which tenant is being used and adds that information .
+
+## Installation
+Add this line to your application's Gemfile:
+
+```ruby
+gem "atomic_tenant"
+```
+
+And then execute:
+```bash
+$ bundle
+```
+
+Or install it yourself as:
+```bash
+$ gem install atomic_tenant
+```
+
+Then install the migrations:
+./bin/rails atomic_tenant:install:migrations
+
+## Usage
+Create a new initializer:
+```
+  config/initializers/atomic_tenant.rb
+```
+
+With the following content:
+```
+  AtomicTenant.jwt_secret = Rails.application.secrets.auth0_client_secret
+  AtomicTenant.jwt_aud = Rails.application.secrets.auth0_client_id
+  AtomicTenant.admin_subdomain = "admin".freeze
+```
+
+## License
+The gem is available as open source under the terms of the [MIT License](https://opensource.org/licenses/MIT).

data/Rakefile

@@ -0,0 +1,8 @@
+require 'bundler/setup'
+
+APP_RAKEFILE = File.expand_path('test/dummy/Rakefile', __dir__)
+load 'rails/tasks/engine.rake'
+
+load 'rails/tasks/statistics.rake'
+
+require 'bundler/gem_tasks'

data/app/models/atomic_tenant/application_record.rb

@@ -0,0 +1,5 @@
+module AtomicTenant
+  class ApplicationRecord < ActiveRecord::Base
+    self.abstract_class = true
+  end
+end

data/app/models/atomic_tenant/lti_deployment.rb

@@ -0,0 +1,4 @@
+module AtomicTenant
+  class LtiDeployment < ApplicationRecord
+  end
+end

data/app/models/atomic_tenant/pinned_client_id.rb

@@ -0,0 +1,4 @@
+module AtomicTenant
+  class PinnedClientId < ApplicationRecord
+  end
+end

data/app/models/atomic_tenant/pinned_platform_guid.rb

@@ -0,0 +1,4 @@
+module AtomicTenant
+  class PinnedPlatformGuid < ApplicationRecord
+  end
+end

data/config/routes.rb

@@ -0,0 +1,2 @@
+AtomicTenant::Engine.routes.draw do
+end

data/db/migrate/20220816154357_create_atomic_tenant_lti_deployments.rb

@@ -0,0 +1,13 @@
+class CreateAtomicTenantLtiDeployments < ActiveRecord::Migration[7.0]
+  def change
+    create_table :atomic_tenant_lti_deployments do |t|
+      t.string :iss, null: false
+      t.string :deployment_id, null: false
+      t.bigint :application_instance_id, null: false
+      t.timestamps
+    end
+
+
+    add_index :atomic_tenant_lti_deployments, [:iss, :deployment_id], unique: true
+  end
+end

data/db/migrate/20220816174344_create_atomic_tenant_pinned_platform_guids.rb

@@ -0,0 +1,16 @@
+
+class CreateAtomicTenantPinnedPlatformGuids < ActiveRecord::Migration[7.0]
+  def change
+    create_table :atomic_tenant_pinned_platform_guids do |t|
+      t.string :iss, null: false
+      t.string :platform_guid, null: false
+      t.bigint :application_id, null: false
+
+      t.bigint :application_instance_id, null: false
+
+      t.timestamps
+    end
+
+    add_index :atomic_tenant_pinned_platform_guids, [:iss, :platform_guid, :application_id], unique: true, name: 'index_pinned_platform_guids'
+  end
+end

data/db/migrate/20220816223258_create_atomic_tenant_pinned_client_ids.rb

@@ -0,0 +1,16 @@
+class CreateAtomicTenantPinnedClientIds < ActiveRecord::Migration[7.0]
+  def change
+    create_table :atomic_tenant_pinned_client_ids do |t|
+      t.string :iss, null: false
+      t.string :client_id, null: false
+
+      t.bigint :application_instance_id, null: false
+
+      t.timestamps
+    end
+
+    add_index :atomic_tenant_pinned_client_ids, [:iss, :client_id], unique: true
+  end
+end
+
+

data/lib/atomic_tenant/canvas_content_migration.rb

@@ -0,0 +1,24 @@
+module AtomicTenant
+  module CanvasContentMigration
+    class InvalidTokenError < StandardError; end
+
+    ALGORITHM = "HS256".freeze
+    HEADER = 1
+
+    # Decode Canvas content migration JWT
+    # https://canvas.instructure.com/doc/api/file.tools_xml.html#content-migrations-support
+
+    def self.decode(token,  algorithm = ALGORITHM)
+      unverified = JWT.decode(token, nil, false)
+      kid = unverified[HEADER]["kid"]
+      app_instance = ApplicationInstance.find_by!(lti_key: kid)
+      decoded_token = JWT.decode(
+        token,
+        app_instance.lti_secret,
+        true,
+        { algorithm: algorithm },
+      )
+      [decoded_token, app_instance]
+    end
+  end
+end

data/lib/atomic_tenant/current_application_instance_middleware.rb

@@ -0,0 +1,101 @@
+require_relative 'jwt_token'
+require_relative 'canvas_content_migration'
+require_relative 'exceptions'
+module AtomicTenant
+  class CurrentApplicationInstanceMiddleware
+    include JwtToken
+
+    def initialize(app)
+      @app = app
+    end
+
+    def call(env)
+      begin
+        request = Rack::Request.new(env)
+
+        if env['atomic.validated.oauth_consumer_key'].present?
+          oauth_consumer_key = env['atomic.validated.oauth_consumer_key']
+          if ai = ApplicationInstance.find_by(lti_key: oauth_consumer_key)
+            env['atomic.validated.application_instance_id'] = ai.id
+          end
+        elsif env['atomic.validated.id_token'].present?
+
+          custom_strategies = AtomicTenant.custom_strategies || []
+          default_strategies = [
+            AtomicTenant::DeploymentManager::PlatformGuidStrategy.new,
+            AtomicTenant::DeploymentManager::ClientIdStrategy.new
+          ]
+
+          deployment_manager = AtomicTenant::DeploymentManager::DeploymentManager.new(custom_strategies.concat(default_strategies))
+          decoded_token = env['atomic.validated.decoded_id_token']
+          iss = env['atomic.validated.decoded_id_token']['iss']
+          deployment_id = env['atomic.validated.decoded_id_token'][AtomicLti::Definitions::DEPLOYMENT_ID]
+
+          if deployment = AtomicTenant::LtiDeployment.find_by(iss: iss, deployment_id: deployment_id)
+            env['atomic.validated.application_instance_id'] = deployment.application_instance_id
+          else
+            deployment = deployment_manager.link_deployment_id(decoded_id_token: decoded_token)
+             env['atomic.validated.application_instance_id'] = deployment.application_instance_id
+          end
+        elsif env.dig("oauth_state", "application_instance_id").present?
+          env['atomic.validated.application_instance_id'] = env["oauth_state"]["application_instance_id"]
+        elsif is_admin?(request)
+          admin_app_key = AtomicTenant.admin_subdomain
+          admin_app = Application.find_by(key: admin_app_key)
+
+          raise Exceptions::NoAdminApp if admin_app.nil?
+          app_instances = admin_app.application_instances
+
+          raise Exceptions::NonUniqueAdminApp if app_instances.count > 1
+          raise Exceptions::NoAdminApp if app_instances.empty?
+
+          if instance = app_instances.first
+            env['atomic.validated.application_instance_id'] = instance.id
+          end
+        elsif canvas_migration_hook?(request)
+          _token, app_instance = AtomicTenant::CanvasContentMigration.decode(encoded_token(request))
+          env['atomic.validated.application_instance_id'] = app_instance.id
+        elsif encoded_token(request).present?
+          token = encoded_token(request)
+          # TODO: decoded token should be put on request
+          decoded_token = AtomicTenant::JwtToken.decode(token)
+          if decoded_token.present? && decoded_token.first.present?
+            if app_instance_id = decoded_token.first['application_instance_id']
+              env['atomic.validated.application_instance_id'] = app_instance_id
+            end
+          end
+
+        end
+
+      rescue StandardError => e
+        Rails.logger.error("Error in current app instance middleware: #{e}, #{e.backtrace}")
+      end
+
+      @app.call(env)
+    end
+
+    def is_admin?(request)
+      return true if request.path == "/readiness"
+
+      host = request.host_with_port
+      subdomain = host&.split(".")&.first
+
+      return false if subdomain.nil?
+
+      subdomain == AtomicTenant.admin_subdomain
+    end
+
+    def canvas_migration_hook?(request)
+      return true if request.path.match?(%r{^/api/ims_(import|export)})
+    end
+
+    def encoded_token(req)
+      return req.params['jwt'] if req.params['jwt']
+
+      # TODO: verify HTTP_AUTORIZAITON is the same as "Authorization"
+      if header = req.get_header('HTTP_AUTHORIZATION') # || req.headers[:authorization]
+        header.split(' ').last
+      end
+    end
+  end
+end

data/lib/atomic_tenant/deployment_manager/client_id_strategy.rb

@@ -0,0 +1,22 @@
+require 'uri'
+
+module AtomicTenant
+  module DeploymentManager
+      class ClientIdStrategy < DeploymentManagerStrategy
+        def name
+          'ClientIdStrategy'
+        end
+
+        def call(decoded_id_token:)
+          client_id = AtomicLti::Lti.client_id(decoded_id_token)
+          iss = decoded_id_token["iss"]
+
+          if (pinned = AtomicTenant::PinnedClientId.find_by(iss: iss, client_id: client_id))
+            DeploymentStrategyResult.new(application_instance_id: pinned.application_instance_id)
+          else
+            DeploymentStrategyResult.new()
+          end
+        end
+      end
+  end
+end

data/lib/atomic_tenant/deployment_manager/deployment_manager.rb

@@ -0,0 +1,72 @@
+module AtomicTenant
+
+  module DeploymentManager
+      class DeploymentStrategyResult
+        attr_accessor :application_instance_id
+        attr_accessor :details
+
+        def initialize(application_instance_id: nil, details: nil)
+          @application_instance_id = application_instance_id
+          @details = details
+        end
+
+      end
+
+      class DeploymentManagerStrategy
+        def name; end
+        def call(decoded_id_token:); end
+      end
+
+
+
+    # Associate deployment
+    class DeploymentManager
+
+        def initialize(strageties)
+            @strageties = strageties || []
+        end
+
+        def link_deployment_id(decoded_id_token:)
+          deployment_id = decoded_id_token[AtomicLti::Definitions::DEPLOYMENT_ID]
+          iss = decoded_id_token["iss"]
+
+          results = @strageties.flat_map do |strategy|
+            begin
+              [{name: strategy.name, result: strategy.call(decoded_id_token: decoded_id_token)}]
+            rescue StandardError => e
+               Rails.logger.error("Error in lti deployment linking strategy: #{strategy.name}, #{e}")
+              []
+            end
+          end
+
+          Rails.logger.debug("Linking Results: #{results}")
+
+          matched = results.filter { |r| r[:result].application_instance_id.present? }
+
+          to_link = if matched.size == 1
+                      matched.first[:result]
+                    elsif matched.size > 1
+                      matched.first[:result]
+                      Rails.logger.info("Colliding strategies, Linking iss / deployment id: #{iss} / #{deployment_id} to application instance: #{to_link.application_instance_id}, all results: #{results}")
+
+                    else
+                      raise AtomicTenant::Exceptions::UnableToLinkDeploymentError
+                    end
+
+          Rails.logger.info("Linking iss / deployment id: #{iss} / #{deployment_id} to application instance: #{to_link.application_instance_id}")
+
+          associate_deployment(iss: iss, deployment_id: deployment_id,application_instance_id: to_link.application_instance_id)
+        end
+
+        private
+
+        def associate_deployment(iss:, deployment_id:, application_instance_id:)
+          AtomicTenant::LtiDeployment.create!(
+            iss: iss,
+            deployment_id: deployment_id,
+            application_instance_id: application_instance_id
+          )
+        end
+    end
+  end
+end

data/lib/atomic_tenant/deployment_manager/deployment_manager_strategy.rb

@@ -0,0 +1,20 @@
+module AtomicTenant
+
+  module DeploymentManager
+      class DeploymentStrategyResult
+        attr_accessor :application_instance_id
+        attr_accessor :details
+
+        def initialize(application_instance_id: nil, details: nil)
+          @application_instance_id = application_instance_id
+          @details = details
+        end
+
+      end
+
+      class DeploymentManagerStrategy
+        def name; end
+        def call(id_token:); end
+      end
+  end
+end

data/lib/atomic_tenant/deployment_manager/platform_guid_strategy.rb

@@ -0,0 +1,37 @@
+require 'uri'
+
+module AtomicTenant
+  module DeploymentManager
+      class PlatformGuidStrategy < DeploymentManagerStrategy
+          def name
+            "PlatformGuidStrategy"
+          end
+
+          # return DeploymentStrategyResult
+          def call(decoded_id_token:)
+            iss = decoded_id_token["iss"]
+            platform_guid = decoded_id_token.dig(AtomicLti::Definitions::TOOL_PLATFORM_CLAIM, "guid")
+            target_link_uri = decoded_id_token[AtomicLti::Definitions::TARGET_LINK_URI_CLAIM]
+
+
+            return DeploymentStrategyResult.new() if !platform_guid.present? || !target_link_uri.present?
+
+
+            uri = URI.parse(target_link_uri)
+            application_key = uri.host&.split('.')&.first
+
+            return DeploymentStrategyResult.new() if !application_key.present?
+
+            app = Application.find_by(key: application_key)
+
+            return DeploymentStrategyResult.new() if !app.present?
+
+            if(pinned = AtomicTenant::PinnedPlatformGuid.find_by(iss: iss, platform_guid: platform_guid, application_id: app.id))
+              DeploymentStrategyResult.new(application_instance_id: pinned.application_instance_id)
+            else
+              DeploymentStrategyResult.new()
+            end
+          end
+      end
+  end
+end

data/lib/atomic_tenant/engine.rb

@@ -0,0 +1,5 @@
+module AtomicTenant
+  class Engine < ::Rails::Engine
+    isolate_namespace AtomicTenant
+  end
+end

data/lib/atomic_tenant/exceptions.rb

@@ -0,0 +1,11 @@
+
+module AtomicTenant
+  module Exceptions
+
+    class UnableToLinkDeploymentError < StandardError
+    end
+
+    class NonUniqueAdminApp < StandardError; end
+    class NoAdminApp < StandardError; end
+  end
+end

data/lib/atomic_tenant/jwt_token.rb

@@ -0,0 +1,59 @@
+module AtomicTenant
+  module JwtToken
+    class InvalidTokenError < StandardError; end
+ 
+    ALGORITHM = "HS512".freeze
+
+    def self.decode(token,  algorithm = ALGORITHM)
+      decoded_token = JWT.decode(
+        token,
+        AtomicTenant.jwt_secret,
+        true,
+        { algorithm: algorithm },
+      )
+      raise InvalidTokenError if AtomicTenant.jwt_aud != decoded_token[0]["aud"]
+
+      decoded_token
+    end
+
+    def self.valid?(token, algorithm = ALGORITHM)
+      decode(token, algorithm)
+    end
+
+    def decoded_jwt_token(req)
+      token = valid?(encoded_token(req))
+      raise InvalidTokenError, 'Unable to decode jwt token' if token.blank?
+      raise InvalidTokenError, 'Invalid token payload' if token.empty?
+
+      token[0]
+    end
+
+    def validate_token_with_secret(aud, secret, req = request)
+      token = decoded_jwt_token(req, secret)
+      raise InvalidTokenError if aud != token['aud']
+    rescue JWT::DecodeError, InvalidTokenError => e
+      Rails.logger.error "JWT Error occured: #{e.inspect}"
+      render json: { error: 'Unauthorized: Invalid token.' }, status: :unauthorized
+    end
+
+    def encoded_token!(req)
+      return req.params[:jwt] if req.params[:jwt]
+
+      header = req.headers['Authorization'] || req.headers[:authorization]
+      raise InvalidTokenError, 'No authorization header found' if header.nil?
+
+      token = header.split(' ').last
+      raise InvalidTokenError, 'Invalid authorization header string' if token.nil?
+
+      token
+    end
+
+    def encoded_token(req)
+      return req.params[:jwt] if req.params[:jwt]
+
+      if header = req.headers['Authorization'] || req.headers[:authorization]
+        header.split(' ').last
+      end
+    end
+  end
+end

data/lib/atomic_tenant/version.rb

@@ -0,0 +1,3 @@
+module AtomicTenant
+  VERSION = '1.2.0'
+end

data/lib/atomic_tenant.rb

@@ -0,0 +1,21 @@
+require 'atomic_tenant/version'
+require 'atomic_tenant/deployment_manager/deployment_manager'
+require 'atomic_tenant/deployment_manager/platform_guid_strategy'
+require 'atomic_tenant/deployment_manager/client_id_strategy'
+require 'atomic_tenant/deployment_manager/deployment_manager_strategy'
+require 'atomic_tenant/engine'
+require 'atomic_tenant/current_application_instance_middleware'
+
+module AtomicTenant
+  mattr_accessor :custom_strategies
+
+  mattr_accessor :jwt_secret
+  mattr_accessor :jwt_aud
+
+  mattr_accessor :admin_subdomain
+
+
+  def self.get_application_instance(iss:, deployment_id:)
+    AtomicTenant::LtiDeployment.find_by(iss: iss, deployment_id: deployment_id)
+  end
+end

data/lib/tasks/atomic_tenant_tasks.rake

@@ -0,0 +1,4 @@
+# desc "Explaining what the task does"
+# task :atomic_tenant do
+#   # Task goes here
+# end

metadata

@@ -0,0 +1,94 @@
+--- !ruby/object:Gem::Specification
+name: atomic_tenant
+version: !ruby/object:Gem::Version
+  version: 1.2.0
+platform: ruby
+authors:
+- Nick Benoit
+autorequire:
+bindir: bin
+cert_chain: []
+date: 2023-08-16 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: atomic_lti
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.3'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.3'
+- !ruby/object:Gem::Dependency
+  name: rails
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '7.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '7.0'
+description: Description of AtomicTenant.
+email:
+- nick.benoit@atomicjolt.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- MIT-LICENSE
+- README.md
+- Rakefile
+- app/models/atomic_tenant/application_record.rb
+- app/models/atomic_tenant/lti_deployment.rb
+- app/models/atomic_tenant/pinned_client_id.rb
+- app/models/atomic_tenant/pinned_platform_guid.rb
+- config/routes.rb
+- db/migrate/20220816154357_create_atomic_tenant_lti_deployments.rb
+- db/migrate/20220816174344_create_atomic_tenant_pinned_platform_guids.rb
+- db/migrate/20220816223258_create_atomic_tenant_pinned_client_ids.rb
+- lib/atomic_tenant.rb
+- lib/atomic_tenant/canvas_content_migration.rb
+- lib/atomic_tenant/current_application_instance_middleware.rb
+- lib/atomic_tenant/deployment_manager/client_id_strategy.rb
+- lib/atomic_tenant/deployment_manager/deployment_manager.rb
+- lib/atomic_tenant/deployment_manager/deployment_manager_strategy.rb
+- lib/atomic_tenant/deployment_manager/platform_guid_strategy.rb
+- lib/atomic_tenant/engine.rb
+- lib/atomic_tenant/exceptions.rb
+- lib/atomic_tenant/jwt_token.rb
+- lib/atomic_tenant/version.rb
+- lib/tasks/atomic_tenant_tasks.rake
+homepage: https://example.com
+licenses:
+- MIT
+metadata: {}
+post_install_message:
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.4.15
+signing_key:
+specification_version: 4
+summary: Summary of AtomicTenant.
+test_files: []