coalescing_panda 4.7.0 → 5.0.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 943b18616d0a5e87a50358017ce3faf8e27fb7ff
-  data.tar.gz: 10539ffb27a3ae9709b58e9f08b3e1bd57e4f295
+  metadata.gz: 4946cde6027861484869379aa63fb8c0016d413d
+  data.tar.gz: 40794a3d7beab2e690e38da0d0433b0195ab2c60
 SHA512:
-  metadata.gz: 5a2df63567b03a1b07d05efa93676139f470b1cc625cdd2887ccd38df80f0f08f0b04eb0cf676ae7ad2cb7b515477f069c9bdb748810ebede82f6a14203227b6
-  data.tar.gz: 414e8d88d43b97ed4564d6ca67bc60e4c38b0638e01fc8f4a316a26b586009ce4f7136080a07319948f9835456c7642db675ee2c70e21f74fb96b909dcd1f990
+  metadata.gz: 0672ab922b73f33f81534f586e918f8c82dec08c14f30e56d1f97d62c0597416529f8f96baab489bf3d9c6c7a114563ff513ae3fa7afd47a15f9faddac2e5695
+  data.tar.gz: 99afede25863235a5db2dfaf59e2ef7d64bf7361243fead2ddb5dce5e0b01db9b73c74c039e65c01afd21956caf0f07abda7ac106ecf9a37b8e782c7113d1667

data/app/controllers/coalescing_panda/oauth2_controller.rb

@@ -7,6 +7,8 @@ module CoalescingPanda
     end
 
     def redirect
+      use_secure_headers_override(:allow_inline_scripts)
+
       if !params[:error] && retrieve_oauth_state
         lti_account = LtiAccount.find_by_key(@oauth_state.data[:key])
         client_id = lti_account.oauth2_client_id

data/app/models/coalescing_panda/persistent_session.rb

@@ -0,0 +1,38 @@
+module CoalescingPanda
+  class PersistentSession < ActiveRecord::Base
+    serialize :data, Hash
+    belongs_to :coalescing_panda_lti_account, :class_name => 'CoalescingPanda::LtiAccount'
+    validates :coalescing_panda_lti_account_id, presence: true
+
+    after_initialize do
+      self.session_key ||= SecureRandom.urlsafe_base64(60)
+    end
+
+    def self.create_from_launch(launch_params, account_id)
+      session = PersistentSession.new(coalescing_panda_lti_account_id: account_id)
+      session.data[:launch_params] = launch_params.to_unsafe_h.with_indifferent_access
+      session.data[:roles] = launch_params['roles'].split(',').map { |role|
+        case role.downcase.strip
+        when 'admin'
+          :admin
+        when 'urn:lti:instrole:ims/lis/administrator'
+          :admin
+        when 'learner'
+          :student
+        when 'instructor'
+          :teacher
+        when 'urn:lti:role:ims/lis/teachingassistant'
+          :ta
+        when 'contentdeveloper'
+          :designer
+        when 'urn:lti:instrole:ims/lis/observer'
+          :observer
+        else
+          :none
+        end
+      }.uniq
+      session.save!
+      session
+    end
+  end
+end

data/db/migrate/20200528224505_create_coalescing_panda_persistent_session.rb

@@ -0,0 +1,13 @@
+class CreateCoalescingPandaPersistentSession < ActiveRecord::Migration
+  def change
+    create_table :coalescing_panda_persistent_sessions do |t|
+      t.string :session_key
+      t.text :data
+      t.integer :coalescing_panda_lti_account_id
+
+      t.timestamps null: false
+    end
+    add_index :coalescing_panda_persistent_sessions, :session_key, unique: true
+    add_index :coalescing_panda_persistent_sessions, :coalescing_panda_lti_account_id, name: 'index_persistent_session_on_lti_account_id'
+  end
+end

data/lib/coalescing_panda/controller_helpers.rb

@@ -2,6 +2,33 @@ require 'browser'
 
 module CoalescingPanda
   module ControllerHelpers
+    def current_session
+      @current_session ||= CoalescingPanda::PersistentSession.find_by(session_key: session_key) if session_key
+      @current_session ||= CoalescingPanda::PersistentSession.create_from_launch(params, current_lti_account.id)
+      @current_session
+    end
+
+    def current_lti_account
+      @account ||= CoalescingPanda::LtiAccount.find_by!(key: organization_key) if organization_key
+      @account ||= CoalescingPanda::LtiAccount.find_by(id: organization_id) if organization_id
+      @account
+    end
+
+    def current_session_data
+      current_session.data
+    end
+
+    def encrypted_session_key
+      msg_encryptor.encrypt_and_sign(current_session.session_key)
+    end
+
+    def save_session
+      current_session.try(:save)
+    end
+
+    def session_changed?
+      current_session.changed? && current_session.changes[:data].present?
+    end
 
     def canvas_oauth2(*roles)
       return if have_session?
@@ -100,18 +127,19 @@ module CoalescingPanda
 
     def lti_authorize!(*roles)
       authorized = false
-      if @lti_account = params['oauth_consumer_key'] && LtiAccount.find_by_key(params['oauth_consumer_key'])
+      if (@lti_account = params['oauth_consumer_key'] && LtiAccount.find_by_key(params['oauth_consumer_key']))
         sanitized_params = sanitize_params
         authenticator = IMS::LTI::Services::MessageAuthenticator.new(request.original_url, sanitized_params, @lti_account.secret)
         authorized = authenticator.valid_signature?
       end
-      logger.info 'not authorized on tp valid request' if !authorized
+      logger.info 'not authorized on tp valid request' unless authorized
       authorized = authorized && (roles.count == 0 || (roles & lti_roles).count > 0)
-      logger.info 'not authorized on roles' if !authorized
+      logger.info 'not authorized on roles' unless authorized
       authorized = authorized && @lti_account.validate_nonce(params['oauth_nonce'], DateTime.strptime(params['oauth_timestamp'], '%s'))
-      logger.info 'not authorized on nonce' if !authorized
+      logger.info 'not authorized on nonce' unless authorized
       render :text => 'Invalid Credentials, please contact your Administrator.', :status => :unauthorized unless authorized
-      authorized = authorized && check_for_iframes_problem if authorized
+      # create session on first launch
+      current_session
       authorized
     end
 
@@ -136,26 +164,7 @@ module CoalescingPanda
     end
 
     def lti_roles
-      @lti_roles ||= params['roles'].split(',').map { |role|
-        case role.downcase.strip
-          when 'admin'
-            :admin
-          when 'urn:lti:instrole:ims/lis/administrator'
-            :admin
-          when 'learner'
-            :student
-          when 'instructor'
-            :teacher
-          when 'urn:lti:role:ims/lis/teachingassistant'
-            :ta
-          when 'contentdeveloper'
-            :designer
-          when 'urn:lti:instrole:ims/lis/observer'
-            :observer
-          else
-            :none
-        end
-      }.uniq
+      @lti_roles ||= current_session_data[:roles]
     end
 
     def canvas_environment
@@ -168,38 +177,68 @@ module CoalescingPanda
     end
 
     def session_check
-      logger.warn 'session_check is deprecated. Functionality moved to canvas_oauth2.'
+      logger.warn 'session_check is deprecated. Functionality moved to lti_authorize.'
     end
 
-    def check_for_iframes_problem
-      if cookies_need_iframe_fix?
-        fix_iframe_cookies
-        return false
-      end
+    private
+
+    def msg_encryptor
+      @crypt ||= ActiveSupport::MessageEncryptor.new(Rails.application.secrets.secret_key_base[0..31])
+    end
+
+    def organization_key
+      params[:oauth_consumer_key] || (current_session_data[:launch_params][:oauth_consumer_key] if @current_session)
+    end
+
+    def organization_id
+      params[:organization_id] || (current_session_data[:launch_params][:organization_id] if @current_session)
+    end
 
-      # For safari we may have been launched temporarily full-screen by canvas.  This allows us to set the session cookie.
-      # In this case, we should make sure the session cookie is fixed and redirect back to canvas to properly launch the embedded LTI.
-      if params[:platform_redirect_url]
-        session[:safari_cookie_fixed] = true
-        redirect_to params[:platform_redirect_url]
-        return false
+    def session_key
+      if params[:encrypted_session_key]
+        return msg_encryptor.decrypt_and_verify(params[:encrypted_session_key])
       end
-      true
+      params[:session_key] || session_key_header
     end
 
-    def cookies_need_iframe_fix?
-      @browser ||= Browser.new(request.user_agent)
-      @browser.safari? && !request.referrer&.include?('sessionless_launch') && !session[:safari_cookie_fixed]  && !params[:platform_redirect_url]
+    def session_key_header
+      if (match = request.headers['Authorization'].try(:match, /crypted_token=(.+)/))
+        msg_encryptor.decrypt_and_verify(match[1])
+      elsif (match = request.headers['Authorization'].try(:match, /token=(.+)/))
+        match[1]
+      end
     end
 
-    def fix_iframe_cookies
-      if params[:safari_cookie_fix].present?
-        session[:safari_cookie_fixed] = true
-        redirect_to params[:return_to]
+    # Redirect with the session key intact. In production,
+    # handle this by encrypting the session key.  That way if the
+    # url is logged anywhere, it will all be encrypted data.   In dev,
+    # just put it in the URL. Putting it in the URL
+    # is insecure, but is fine in development.
+    # Keeping it in the URL in development means that it plays
+    # nicely with webpack-dev-server live reloading (otherwise
+    # you get an access error every time it tries to live reload).
+
+    def redirect_with_session_to(path, id_or_resource = nil, redirect_params = {})
+      if Rails.env.development? || Rails.env.test?
+        redirect_development_mode(path, id_or_resource, redirect_params)
       else
-        render 'coalescing_panda/lti/iframe_cookie_fix', layout: false
+        redirect_production_mode(path, id_or_resource, redirect_params)
       end
     end
 
+    def redirect_development_mode(path, id_or_resource = nil, redirect_params)
+      redirect_to send(path, id_or_resource, {
+          session_key: current_session.session_key,
+          organization_id: current_lti_account.id
+      }.merge(redirect_params))
+    end
+
+    def redirect_production_mode(path, id_or_resource = nil, redirect_params)
+      redirect_to send(path, id_or_resource, {
+          encrypted_session_key: encrypted_session_key,
+          organization_id: current_lti_account.id
+      }.merge(redirect_params))
+    end
+
   end
 end

data/lib/coalescing_panda/engine.rb

@@ -50,6 +50,9 @@ module CoalescingPanda
         # https://github.com/MiniProfiler/rack-mini-profiler/issues/327
         # DON'T ENABLE THIS FOR PRODUCTION!
         script_src << "'unsafe-eval'"
+      elsif CoalescingPanda.lti_options.has_key?(:allow_unsafe_eval) && CoalescingPanda.lti_options[:allow_unsafe_eval] == true
+        # For when code is returned from server and injected into dom.  Need to have unsafe-eval or it won't work.
+        script_src << "'unsafe-eval'"
       end
 
       SecureHeaders::Configuration.default do |config|
@@ -80,6 +83,10 @@ module CoalescingPanda
       SecureHeaders::Configuration.override(:safari_override) do |config|
         config.cookies = SecureHeaders::OPT_OUT
       end
+
+      SecureHeaders::Configuration.override(:allow_inline_scripts) do |config|
+        config.csp[:script_src] << "'unsafe-inline'"
+      end
     end
 
   end

data/lib/coalescing_panda/version.rb

@@ -1,3 +1,3 @@
 module CoalescingPanda
-  VERSION = '4.7.0'
+  VERSION = '5.0.1'
 end

data/spec/dummy/db/schema.rb

@@ -173,6 +173,17 @@ ActiveRecord::Schema.define(version: 20160830183155) do
 
   add_index "coalescing_panda_oauth_states", ["state_key"], name: "index_coalescing_panda_oauth_states_on_state_key", unique: true
 
+  create_table "coalescing_panda_persistent_sessions", force: :cascade do |t|
+    t.string   "session_key"
+    t.text     "data"
+    t.integer  "coalescing_panda_lti_account_id"
+    t.datetime "created_at",                      null: false
+    t.datetime "updated_at",                      null: false
+  end
+
+  add_index "coalescing_panda_persistent_sessions", ["coalescing_panda_lti_account_id"], name: "index_persistent_session_on_lti_account_id", using: :btree
+  add_index "coalescing_panda_persistent_sessions", ["session_key"], name: "index_coalescing_panda_persistent_sessions_on_session_key", unique: true, using: :btree
+
   create_table "coalescing_panda_sections", force: :cascade do |t|
     t.integer  "coalescing_panda_course_id", null: false
     t.string   "name"

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: coalescing_panda
 version: !ruby/object:Gem::Version
-  version: 4.7.0
+  version: 5.0.1
 platform: ruby
 authors:
 - Nathan Mills
@@ -10,7 +10,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-03-24 00:00:00.000000000 Z
+date: 2020-07-22 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rails
@@ -416,6 +416,7 @@ files:
 - app/models/coalescing_panda/workers/course_miner.rb
 - app/models/coalescing_panda/lti_nonce.rb
 - app/models/coalescing_panda/course.rb
+- app/models/coalescing_panda/persistent_session.rb
 - app/models/coalescing_panda/lti_account.rb
 - app/models/coalescing_panda/user.rb
 - app/models/coalescing_panda/group_category.rb
@@ -463,6 +464,7 @@ files:
 - db/migrate/20141120153135_create_coalescing_panda_enrollments.rb
 - db/migrate/20150107205405_create_coalescing_panda_groups.rb
 - db/migrate/20141119225721_create_coalescing_panda_courses.rb
+- db/migrate/20200528224505_create_coalescing_panda_persistent_session.rb
 - db/migrate/20141124160857_create_delayed_jobs.rb
 - db/migrate/20131119165343_create_coalescing_panda_lti_nonces.rb
 - db/migrate/20150106180131_add_published_to_assignments.rb