coalescing_panda 5.0.2 → 5.0.8
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/app/controllers/coalescing_panda/canvas_batches_controller.rb +2 -2
- data/app/controllers/coalescing_panda/lti_controller.rb +1 -1
- data/app/helpers/coalescing_panda/canvas_batches_helper.rb +1 -1
- data/app/models/coalescing_panda/json_with_indifferent_access.rb +13 -0
- data/app/models/coalescing_panda/persistent_session.rb +2 -1
- data/app/views/coalescing_panda/canvas_batches/_canvas_batch_flash.html.haml +3 -3
- data/db/migrate/20131114150001_create_coalescing_panda_canvas_api_auths.rb +1 -1
- data/db/migrate/20131118211442_create_coalescing_panda_lti_accounts.rb +1 -1
- data/db/migrate/20131119165343_create_coalescing_panda_lti_nonces.rb +1 -1
- data/db/migrate/20140904223159_create_coalescing_panda_sessions.rb +1 -1
- data/db/migrate/20141119225319_create_coalescing_panda_terms.rb +1 -1
- data/db/migrate/20141119225721_create_coalescing_panda_courses.rb +1 -1
- data/db/migrate/20141120151432_create_coalescing_panda_sections.rb +1 -1
- data/db/migrate/20141120151940_create_coalescing_panda_assignments.rb +1 -1
- data/db/migrate/20141120152458_create_coalescing_panda_users.rb +1 -1
- data/db/migrate/20141120152546_create_coalescing_panda_submissions.rb +1 -1
- data/db/migrate/20141120153135_create_coalescing_panda_enrollments.rb +1 -1
- data/db/migrate/20141121174846_create_coalescing_panda_canvas_batches.rb +1 -1
- data/db/migrate/20141124160857_create_delayed_jobs.rb +1 -1
- data/db/migrate/20141208221740_add_submission_types_to_assignments.rb +1 -1
- data/db/migrate/20150106175418_add_group_category_id_to_assignment.rb +1 -1
- data/db/migrate/20150106180131_add_published_to_assignments.rb +1 -1
- data/db/migrate/20150107205405_create_coalescing_panda_groups.rb +1 -1
- data/db/migrate/20150107205413_create_coalescing_panda_group_memberships.rb +1 -1
- data/db/migrate/20150210180516_add_context_to_canvas_batch.rb +1 -1
- data/db/migrate/20150506183335_create_coalescing_panda_assignment_groups.rb +1 -1
- data/db/migrate/20150506192717_add_assignment_group_id_to_assignments.rb +1 -1
- data/db/migrate/20150526144713_add_account_to_canvas_batches.rb +1 -1
- data/db/migrate/20150602205257_add_option_to_canvas_batches.rb +1 -1
- data/db/migrate/20150708192717_add_group_moderator_to_group_memberships.rb +1 -1
- data/db/migrate/20150709192717_add_leader_id_to_groups.rb +1 -1
- data/db/migrate/20150714205405_create_coalescing_panda_group_categories.rb +1 -1
- data/db/migrate/20150811140030_add_fields_to_users.rb +1 -1
- data/db/migrate/20151209155923_add_refresh_settings_to_canvas_api_auth.rb +1 -1
- data/db/migrate/20160830183155_create_coalescing_panda_oauth_states.rb +1 -1
- data/db/migrate/20200528224505_create_coalescing_panda_persistent_session.rb +1 -1
- data/lib/coalescing_panda/controller_helpers.rb +40 -23
- data/lib/coalescing_panda/engine.rb +8 -42
- data/lib/coalescing_panda/misc_helper.rb +13 -0
- data/lib/coalescing_panda/secure_headers.rb +84 -0
- data/lib/coalescing_panda/version.rb +1 -1
- metadata +17 -8
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: b00520a9558a0dbd2699d97b5f1163721dff23d0042be51b2df5cc220675a0a1
|
|
4
|
+
data.tar.gz: 7adaf679f268ebcd2e5695994d3b5b498eda1ee3078e3be617b5a47e24a04244
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 630ea590d568f2fc1839ed5b456eec95a8ab0fa43b8139a7c9c32d5c08eddbb557fbe6cd71b65a88b71e5d72ec61098252033772f18e863368f4475bc807ac96
|
|
7
|
+
data.tar.gz: 18622f8b4c058ca1d8d66626d7b5186083114dba571f5d0a2b7c3d12b75abea934a6b02b2e29612541674ac704c018da58c126bbf3ea58dcd06d66f7994c4878
|
|
@@ -12,13 +12,13 @@ module CoalescingPanda
|
|
|
12
12
|
@batch.status = 'Queued'
|
|
13
13
|
@batch.save
|
|
14
14
|
worker = CoalescingPanda::Workers::CourseMiner.new(@batch.context, @batch.options)
|
|
15
|
-
|
|
15
|
+
current_session_data[:canvas_batch_id] = worker.batch.id
|
|
16
16
|
worker.start(true)
|
|
17
17
|
redirect_to :back
|
|
18
18
|
end
|
|
19
19
|
|
|
20
20
|
def clear_batch_session
|
|
21
|
-
|
|
21
|
+
current_session_data[:canvas_batch_id] = nil
|
|
22
22
|
render nothing: true
|
|
23
23
|
end
|
|
24
24
|
end
|
|
@@ -17,7 +17,7 @@ module CoalescingPanda
|
|
|
17
17
|
lti_nav[:account][:text] = params[:account_navigation_label] if params[:account_navigation_label].present?
|
|
18
18
|
platform = 'canvas.instructure.com'
|
|
19
19
|
host = "#{request.scheme}://#{request.host_with_port}"
|
|
20
|
-
tc = IMS::LTI::
|
|
20
|
+
tc = IMS::LTI::ToolConfig.new(:title => lti_options[:title], :launch_url => ("#{host}#{lti_options[:launch_route]}") || 'ABC')
|
|
21
21
|
tc.set_ext_param(platform, :domain, request.host)
|
|
22
22
|
tc.set_ext_param(platform, :privacy_level, 'public')
|
|
23
23
|
tc.set_custom_param(:custom_canvas_role, '$Canvas.membership.roles')
|
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
module CoalescingPanda
|
|
2
2
|
module CanvasBatchesHelper
|
|
3
3
|
def current_batch
|
|
4
|
-
@current_batch ||= CoalescingPanda::CanvasBatch.find_by_id(
|
|
4
|
+
@current_batch ||= CoalescingPanda::CanvasBatch.find_by_id(current_session_data[:canvas_batch_id])
|
|
5
5
|
end
|
|
6
6
|
end
|
|
7
7
|
end
|
|
@@ -0,0 +1,13 @@
|
|
|
1
|
+
module CoalescingPanda
|
|
2
|
+
class JSONWithIndifferentAccess
|
|
3
|
+
def self.load(str)
|
|
4
|
+
return nil unless str.present?
|
|
5
|
+
parsed = JSON.parse(str)
|
|
6
|
+
parsed.is_a?(Hash) ? HashWithIndifferentAccess.new(parsed) : parsed
|
|
7
|
+
end
|
|
8
|
+
|
|
9
|
+
def self.dump(obj)
|
|
10
|
+
JSON.dump(obj)
|
|
11
|
+
end
|
|
12
|
+
end
|
|
13
|
+
end
|
|
@@ -1,10 +1,11 @@
|
|
|
1
1
|
module CoalescingPanda
|
|
2
2
|
class PersistentSession < ActiveRecord::Base
|
|
3
|
-
serialize :data,
|
|
3
|
+
serialize :data, JSONWithIndifferentAccess
|
|
4
4
|
belongs_to :coalescing_panda_lti_account, :class_name => 'CoalescingPanda::LtiAccount'
|
|
5
5
|
validates :coalescing_panda_lti_account_id, presence: true
|
|
6
6
|
|
|
7
7
|
after_initialize do
|
|
8
|
+
self.data ||= {}
|
|
8
9
|
self.session_key ||= SecureRandom.urlsafe_base64(60)
|
|
9
10
|
end
|
|
10
11
|
|
|
@@ -1,4 +1,4 @@
|
|
|
1
1
|
- if current_batch.present?
|
|
2
|
-
- path = CoalescingPanda::Engine.routes.url_helpers.canvas_batch_path(current_batch)
|
|
3
|
-
- clear_path = CoalescingPanda::Engine.routes.url_helpers.clear_batch_session_path
|
|
4
|
-
#batch-progress{data: {batch: current_batch.try(:to_json), url: path, clear_path: clear_path} }
|
|
2
|
+
- path = CoalescingPanda::Engine.routes.url_helpers.canvas_batch_path(current_batch) + "?encrypted_session_key=#{encrypted_session_key}"
|
|
3
|
+
- clear_path = CoalescingPanda::Engine.routes.url_helpers.clear_batch_session_path + "?encrypted_session_key=#{encrypted_session_key}"
|
|
4
|
+
#batch-progress{data: {batch: current_batch.try(:to_json), url: path, clear_path: clear_path} }
|
|
@@ -1,4 +1,4 @@
|
|
|
1
|
-
class CreateDelayedJobs <
|
|
1
|
+
class CreateDelayedJobs < CoalescingPanda::MiscHelper::MigrationClass
|
|
2
2
|
def self.up
|
|
3
3
|
create_table :delayed_jobs, :force => true do |table|
|
|
4
4
|
table.integer :priority, :default => 0, :null => false # Allows some jobs to jump to the front of the queue
|
|
@@ -1,4 +1,4 @@
|
|
|
1
|
-
class AddGroupCategoryIdToAssignment <
|
|
1
|
+
class AddGroupCategoryIdToAssignment < CoalescingPanda::MiscHelper::MigrationClass
|
|
2
2
|
def change
|
|
3
3
|
add_column :coalescing_panda_assignments, :group_category_id, :integer
|
|
4
4
|
add_column :coalescing_panda_assignments, :grade_group_students_individually, :boolean
|
|
@@ -1,4 +1,4 @@
|
|
|
1
|
-
class AddContextToCanvasBatch <
|
|
1
|
+
class AddContextToCanvasBatch < CoalescingPanda::MiscHelper::MigrationClass
|
|
2
2
|
def change
|
|
3
3
|
add_column :coalescing_panda_canvas_batches, :context_id, :integer
|
|
4
4
|
add_column :coalescing_panda_canvas_batches, :context_type, :string
|
|
@@ -1,4 +1,4 @@
|
|
|
1
|
-
class CreateCoalescingPandaAssignmentGroups <
|
|
1
|
+
class CreateCoalescingPandaAssignmentGroups < CoalescingPanda::MiscHelper::MigrationClass
|
|
2
2
|
def change
|
|
3
3
|
create_table :coalescing_panda_assignment_groups do |t|
|
|
4
4
|
t.belongs_to :coalescing_panda_course, null: false
|
|
@@ -1,4 +1,4 @@
|
|
|
1
|
-
class AddLeaderIdToGroups <
|
|
1
|
+
class AddLeaderIdToGroups < CoalescingPanda::MiscHelper::MigrationClass
|
|
2
2
|
def change
|
|
3
3
|
add_column :coalescing_panda_groups, :leader_id, :integer
|
|
4
4
|
add_foreign_key :coalescing_panda_groups, :coalescing_panda_users, column: :leader_id, primary_key: "id"
|
|
@@ -1,4 +1,4 @@
|
|
|
1
|
-
class CreateCoalescingPandaGroupCategories <
|
|
1
|
+
class CreateCoalescingPandaGroupCategories < CoalescingPanda::MiscHelper::MigrationClass
|
|
2
2
|
def change
|
|
3
3
|
create_table :coalescing_panda_group_categories do |t|
|
|
4
4
|
t.belongs_to :context, polymorphic: true
|
|
@@ -1,4 +1,4 @@
|
|
|
1
|
-
class AddRefreshSettingsToCanvasApiAuth <
|
|
1
|
+
class AddRefreshSettingsToCanvasApiAuth < CoalescingPanda::MiscHelper::MigrationClass
|
|
2
2
|
def change
|
|
3
3
|
add_column :coalescing_panda_canvas_api_auths, :refresh_token, :string
|
|
4
4
|
add_column :coalescing_panda_canvas_api_auths, :expires_at, :datetime
|
|
@@ -2,15 +2,32 @@ require 'browser'
|
|
|
2
2
|
|
|
3
3
|
module CoalescingPanda
|
|
4
4
|
module ControllerHelpers
|
|
5
|
+
extend ActiveSupport::Concern
|
|
6
|
+
|
|
7
|
+
included do
|
|
8
|
+
alias_method :rails_session, :session
|
|
9
|
+
|
|
10
|
+
helper_method :encrypted_session_key, :current_session_data, :current_session
|
|
11
|
+
append_after_action :save_session, if: -> { @current_session && session_changed? }
|
|
12
|
+
end
|
|
13
|
+
|
|
14
|
+
class_methods do
|
|
15
|
+
def use_native_sessions
|
|
16
|
+
after_action do
|
|
17
|
+
rails_session['persistent_session_key'] = current_session.session_key if @current_session.present?
|
|
18
|
+
end
|
|
19
|
+
end
|
|
20
|
+
end
|
|
21
|
+
|
|
5
22
|
def current_session
|
|
6
|
-
@current_session ||= CoalescingPanda::PersistentSession.find_by(session_key: session_key) if session_key
|
|
7
|
-
@current_session ||= CoalescingPanda::PersistentSession.create_from_launch(params, current_lti_account.id)
|
|
23
|
+
@current_session ||= (CoalescingPanda::PersistentSession.find_by(session_key: session_key) if session_key)
|
|
24
|
+
@current_session ||= (CoalescingPanda::PersistentSession.create_from_launch(params, current_lti_account.id) if current_lti_account.present?)
|
|
8
25
|
@current_session
|
|
9
26
|
end
|
|
10
27
|
|
|
11
28
|
def current_lti_account
|
|
12
|
-
@account ||= CoalescingPanda::LtiAccount.find_by!(key: organization_key) if organization_key
|
|
13
|
-
@account ||= CoalescingPanda::LtiAccount.find_by(id: organization_id) if organization_id
|
|
29
|
+
@account ||= (CoalescingPanda::LtiAccount.find_by!(key: organization_key) if organization_key)
|
|
30
|
+
@account ||= (CoalescingPanda::LtiAccount.find_by(id: organization_id) if organization_id)
|
|
14
31
|
@account
|
|
15
32
|
end
|
|
16
33
|
|
|
@@ -83,42 +100,42 @@ module CoalescingPanda
|
|
|
83
100
|
end
|
|
84
101
|
|
|
85
102
|
def check_refresh_token
|
|
86
|
-
return unless
|
|
87
|
-
uri = BearcatUri.new(
|
|
88
|
-
api_auth = CanvasApiAuth.find_by(user_id:
|
|
89
|
-
@lti_account = LtiAccount.find_by(key:
|
|
103
|
+
return unless current_session_data['uri'] && current_session_data['user_id'] && current_session_data['oauth_consumer_key']
|
|
104
|
+
uri = BearcatUri.new(current_session_data['uri'])
|
|
105
|
+
api_auth = CanvasApiAuth.find_by(user_id: current_session_data['user_id'], api_domain: uri.api_domain)
|
|
106
|
+
@lti_account = LtiAccount.find_by(key: current_session_data['oauth_consumer_key'])
|
|
90
107
|
return if @lti_account.nil? || api_auth.nil? # Not all tools use oauth
|
|
91
108
|
|
|
92
109
|
refresh_token(uri, api_auth) if api_auth.expired?
|
|
93
110
|
rescue Footrest::HttpError::BadRequest
|
|
94
|
-
render_oauth2_page uri,
|
|
111
|
+
render_oauth2_page uri, current_session_data['user_id']
|
|
95
112
|
end
|
|
96
113
|
|
|
97
114
|
def set_session(launch_presentation_return_url)
|
|
98
|
-
|
|
99
|
-
|
|
100
|
-
|
|
101
|
-
|
|
102
|
-
|
|
115
|
+
current_session_data['user_id'] = params['user_id']
|
|
116
|
+
current_session_data['uri'] = launch_presentation_return_url
|
|
117
|
+
current_session_data['lis_person_sourcedid'] = params['lis_person_sourcedid']
|
|
118
|
+
current_session_data['oauth_consumer_key'] = params['oauth_consumer_key']
|
|
119
|
+
current_session_data['custom_canvas_account_id'] = params['custom_canvas_account_id']
|
|
103
120
|
end
|
|
104
121
|
|
|
105
122
|
def have_session?
|
|
106
|
-
if params['tool_consumer_instance_guid'] &&
|
|
123
|
+
if params['tool_consumer_instance_guid'] && current_session_data['user_id'] != params['user_id']
|
|
107
124
|
reset_session
|
|
108
125
|
logger.info("resetting session params")
|
|
109
|
-
|
|
126
|
+
current_session_data['user_id'] = params['user_id']
|
|
110
127
|
end
|
|
111
128
|
|
|
112
|
-
if (
|
|
113
|
-
uri = BearcatUri.new(
|
|
114
|
-
api_auth = CanvasApiAuth.find_by('user_id = ? and api_domain = ?',
|
|
129
|
+
if (current_session_data['user_id'] && current_session_data['uri'])
|
|
130
|
+
uri = BearcatUri.new(current_session_data['uri'])
|
|
131
|
+
api_auth = CanvasApiAuth.find_by('user_id = ? and api_domain = ?', current_session_data['user_id'], uri.api_domain)
|
|
115
132
|
if api_auth && !api_auth.expired?
|
|
116
133
|
@client = Bearcat::Client.new(token: api_auth.api_token, prefix: uri.prefix)
|
|
117
134
|
@client.user_profile 'self'
|
|
118
135
|
end
|
|
119
136
|
end
|
|
120
137
|
|
|
121
|
-
@lti_account = LtiAccount.find_by_key(
|
|
138
|
+
@lti_account = LtiAccount.find_by_key(current_session_data['oauth_consumer_key']) if current_session_data['oauth_consumer_key']
|
|
122
139
|
|
|
123
140
|
!!@client
|
|
124
141
|
rescue Footrest::HttpError::Unauthorized
|
|
@@ -129,8 +146,8 @@ module CoalescingPanda
|
|
|
129
146
|
authorized = false
|
|
130
147
|
if (@lti_account = params['oauth_consumer_key'] && LtiAccount.find_by_key(params['oauth_consumer_key']))
|
|
131
148
|
sanitized_params = sanitize_params
|
|
132
|
-
|
|
133
|
-
authorized =
|
|
149
|
+
@tp = IMS::LTI::ToolProvider.new(@lti_account.key, @lti_account.secret, sanitized_params)
|
|
150
|
+
authorized = @tp.valid_request?(request)
|
|
134
151
|
end
|
|
135
152
|
logger.info 'not authorized on tp valid request' unless authorized
|
|
136
153
|
authorized = authorized && (roles.count == 0 || (roles & lti_roles).count > 0)
|
|
@@ -198,7 +215,7 @@ module CoalescingPanda
|
|
|
198
215
|
if params[:encrypted_session_key]
|
|
199
216
|
return msg_encryptor.decrypt_and_verify(params[:encrypted_session_key])
|
|
200
217
|
end
|
|
201
|
-
params[:session_key] || session_key_header
|
|
218
|
+
params[:session_key] || session_key_header || rails_session['persistent_session_key']
|
|
202
219
|
end
|
|
203
220
|
|
|
204
221
|
def session_key_header
|
|
@@ -1,4 +1,5 @@
|
|
|
1
1
|
require 'secure_headers'
|
|
2
|
+
require_relative './secure_headers'
|
|
2
3
|
|
|
3
4
|
module CoalescingPanda
|
|
4
5
|
class Engine < ::Rails::Engine
|
|
@@ -42,56 +43,21 @@ module CoalescingPanda
|
|
|
42
43
|
end
|
|
43
44
|
|
|
44
45
|
initializer :secure_headers do |app|
|
|
45
|
-
|
|
46
|
-
|
|
47
|
-
|
|
48
|
-
if Rails.env.development?
|
|
49
|
-
# Allow webpack-dev-server to work
|
|
50
|
-
connect_src << "http://localhost:3035"
|
|
51
|
-
connect_src << "ws://localhost:3035"
|
|
52
|
-
|
|
53
|
-
# Allow stuff like rack-mini-profiler to work in development:
|
|
54
|
-
# https://github.com/MiniProfiler/rack-mini-profiler/issues/327
|
|
55
|
-
# DON'T ENABLE THIS FOR PRODUCTION!
|
|
56
|
-
script_src << "'unsafe-eval'"
|
|
57
|
-
elsif CoalescingPanda.lti_options.has_key?(:allow_unsafe_eval) && CoalescingPanda.lti_options[:allow_unsafe_eval] == true
|
|
58
|
-
# For when code is returned from server and injected into dom. Need to have unsafe-eval or it won't work.
|
|
59
|
-
script_src << "'unsafe-eval'"
|
|
60
|
-
end
|
|
61
|
-
|
|
62
|
-
SecureHeaders::Configuration.default do |config|
|
|
63
|
-
# The default cookie headers aren't compatible with PandaPal cookies currently
|
|
64
|
-
config.cookies = { samesite: { none: true } }
|
|
65
|
-
|
|
66
|
-
if Rails.env.production?
|
|
67
|
-
config.cookies[:secure] = true
|
|
46
|
+
begin
|
|
47
|
+
::SecureHeaders::Configuration.default do |config|
|
|
48
|
+
CoalescingPanda::SecureHeaders.apply_defaults(config)
|
|
68
49
|
end
|
|
69
|
-
|
|
70
|
-
#
|
|
71
|
-
config.x_frame_options = "ALLOWALL"
|
|
72
|
-
|
|
73
|
-
config.x_content_type_options = "nosniff"
|
|
74
|
-
config.x_xss_protection = "1; mode=block"
|
|
75
|
-
config.referrer_policy = %w(origin-when-cross-origin strict-origin-when-cross-origin)
|
|
76
|
-
|
|
77
|
-
config.csp = {
|
|
78
|
-
default_src: %w('self'),
|
|
79
|
-
script_src: script_src,
|
|
80
|
-
# Certain CSS-in-JS libraries inline the CSS, so we need to use unsafe-inline for them
|
|
81
|
-
style_src: %w('self' 'unsafe-inline' blob: https://fonts.googleapis.com),
|
|
82
|
-
font_src: %w('self' data: https://fonts.gstatic.com),
|
|
83
|
-
connect_src: connect_src,
|
|
84
|
-
}
|
|
50
|
+
rescue ::SecureHeaders::Configuration::AlreadyConfiguredError
|
|
51
|
+
# The App already applied settings
|
|
85
52
|
end
|
|
86
53
|
|
|
87
|
-
SecureHeaders::Configuration.override(:safari_override) do |config|
|
|
54
|
+
::SecureHeaders::Configuration.override(:safari_override) do |config|
|
|
88
55
|
config.cookies = SecureHeaders::OPT_OUT
|
|
89
56
|
end
|
|
90
57
|
|
|
91
|
-
SecureHeaders::Configuration.override(:allow_inline_scripts) do |config|
|
|
58
|
+
::SecureHeaders::Configuration.override(:allow_inline_scripts) do |config|
|
|
92
59
|
config.csp[:script_src] << "'unsafe-inline'"
|
|
93
60
|
end
|
|
94
61
|
end
|
|
95
|
-
|
|
96
62
|
end
|
|
97
63
|
end
|
|
@@ -0,0 +1,13 @@
|
|
|
1
|
+
module CoalescingPanda
|
|
2
|
+
module MiscHelper
|
|
3
|
+
MigrationClass = Rails.version < '5.0' ? ActiveRecord::Migration : ActiveRecord::Migration[4.2]
|
|
4
|
+
|
|
5
|
+
def self.to_boolean(v)
|
|
6
|
+
if Rails.version < '5.0'
|
|
7
|
+
ActiveRecord::Type::Boolean.new.type_cast_from_user("0")
|
|
8
|
+
else
|
|
9
|
+
ActiveRecord::Type::Boolean.new.deserialize('0')
|
|
10
|
+
end
|
|
11
|
+
end
|
|
12
|
+
end
|
|
13
|
+
end
|
|
@@ -0,0 +1,84 @@
|
|
|
1
|
+
module CoalescingPanda
|
|
2
|
+
module SecureHeaders
|
|
3
|
+
def self.apply_defaults(config)
|
|
4
|
+
@config = config
|
|
5
|
+
# The default cookie headers aren't compatable with CoalescingPanda cookies currenntly
|
|
6
|
+
config.cookies = { samesite: { none: true } }
|
|
7
|
+
|
|
8
|
+
if Rails.env.production?
|
|
9
|
+
config.cookies[:secure] = true
|
|
10
|
+
end
|
|
11
|
+
|
|
12
|
+
# Need to allow LTI iframes
|
|
13
|
+
config.x_frame_options = "ALLOWALL"
|
|
14
|
+
|
|
15
|
+
config.x_content_type_options = "nosniff"
|
|
16
|
+
config.x_xss_protection = "1; mode=block"
|
|
17
|
+
config.referrer_policy = %w(origin-when-cross-origin strict-origin-when-cross-origin)
|
|
18
|
+
|
|
19
|
+
config.csp ||= {}
|
|
20
|
+
|
|
21
|
+
csp_entry(:default_src, %w['self'])
|
|
22
|
+
csp_entry(:connect_src, %w['self'])
|
|
23
|
+
csp_entry(:script_src, %w['self'])
|
|
24
|
+
|
|
25
|
+
if Rails.env.development?
|
|
26
|
+
# Allow webpack-dev-server to work
|
|
27
|
+
csp_entry(:connect_src, "http://localhost:3035")
|
|
28
|
+
csp_entry(:connect_src, "ws://localhost:3035")
|
|
29
|
+
|
|
30
|
+
# Allow stuff like rack-mini-profiler to work in development:
|
|
31
|
+
# https://github.com/MiniProfiler/rack-mini-profiler/issues/327
|
|
32
|
+
# DON'T ENABLE THIS FOR PRODUCTION!
|
|
33
|
+
csp_entry(:script_src, "'unsafe-eval'")
|
|
34
|
+
|
|
35
|
+
# Detect and permit Scout APM in Dev
|
|
36
|
+
if MiscHelper.to_boolean(ENV['SCOUT_DEV_TRACE'])
|
|
37
|
+
csp_entry(:default_src, 'https://scoutapm.com')
|
|
38
|
+
csp_entry(:default_src, 'https://apm.scoutapp.com')
|
|
39
|
+
|
|
40
|
+
csp_entry(:script_src, "'unsafe-inline'")
|
|
41
|
+
csp_entry(:script_src, 'https://scoutapm.com')
|
|
42
|
+
csp_entry(:script_src, 'https://apm.scoutapp.com')
|
|
43
|
+
|
|
44
|
+
csp_entry(:connect_src, 'https://apm.scoutapp.com')
|
|
45
|
+
|
|
46
|
+
csp_entry(:style_src, 'https://scoutapm.com')
|
|
47
|
+
csp_entry(:style_src, 'https://apm.scoutapp.com')
|
|
48
|
+
end
|
|
49
|
+
end
|
|
50
|
+
|
|
51
|
+
if CoalescingPanda.lti_options.has_key?(:allow_unsafe_eval) && CoalescingPanda.lti_options[:allow_unsafe_eval] == true
|
|
52
|
+
# For when code is returned from server and injected into dom. Need to have unsafe-eval or it won't work.
|
|
53
|
+
csp_entry(:script_src, "'unsafe-eval'")
|
|
54
|
+
end
|
|
55
|
+
|
|
56
|
+
# Detect and permit Sentry
|
|
57
|
+
if defined?(Raven) && Raven.configuration.server.present?
|
|
58
|
+
csp_entry(:connect_src, Raven.configuration.server)
|
|
59
|
+
|
|
60
|
+
# Report CSP Violations to Sentry
|
|
61
|
+
unless config.csp[:report_uri].present?
|
|
62
|
+
cfg = Raven.configuration
|
|
63
|
+
config.csp[:report_uri] = ["#{cfg.scheme}://#{cfg.host}/api/#{cfg.project_id}/security/?sentry_key=#{cfg.public_key}"] unless config.csp[:report_uri].present?
|
|
64
|
+
end
|
|
65
|
+
end
|
|
66
|
+
|
|
67
|
+
# Certain CSS-in-JS libraries inline the CSS, so we need to use unsafe-inline for them
|
|
68
|
+
csp_entry(:style_src, %w('self' 'unsafe-inline' blob: https://fonts.googleapis.com))
|
|
69
|
+
csp_entry(:font_src, %w('self' data: https://fonts.gstatic.com))
|
|
70
|
+
|
|
71
|
+
@config = nil
|
|
72
|
+
|
|
73
|
+
config
|
|
74
|
+
end
|
|
75
|
+
|
|
76
|
+
private
|
|
77
|
+
|
|
78
|
+
def self.csp_entry(key, *values)
|
|
79
|
+
values = values.flatten
|
|
80
|
+
@config.csp[key] ||= []
|
|
81
|
+
@config.csp[key] |= values
|
|
82
|
+
end
|
|
83
|
+
end
|
|
84
|
+
end
|
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: coalescing_panda
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 5.0.
|
|
4
|
+
version: 5.0.8
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Nathan Mills
|
|
@@ -10,20 +10,20 @@ authors:
|
|
|
10
10
|
autorequire:
|
|
11
11
|
bindir: bin
|
|
12
12
|
cert_chain: []
|
|
13
|
-
date: 2020-
|
|
13
|
+
date: 2020-08-26 00:00:00.000000000 Z
|
|
14
14
|
dependencies:
|
|
15
15
|
- !ruby/object:Gem::Dependency
|
|
16
16
|
name: rails
|
|
17
17
|
requirement: !ruby/object:Gem::Requirement
|
|
18
18
|
requirements:
|
|
19
|
-
- - "
|
|
19
|
+
- - ">="
|
|
20
20
|
- !ruby/object:Gem::Version
|
|
21
21
|
version: 4.2.1
|
|
22
22
|
type: :runtime
|
|
23
23
|
prerelease: false
|
|
24
24
|
version_requirements: !ruby/object:Gem::Requirement
|
|
25
25
|
requirements:
|
|
26
|
-
- - "
|
|
26
|
+
- - ">="
|
|
27
27
|
- !ruby/object:Gem::Version
|
|
28
28
|
version: 4.2.1
|
|
29
29
|
- !ruby/object:Gem::Dependency
|
|
@@ -72,16 +72,22 @@ dependencies:
|
|
|
72
72
|
name: ims-lti
|
|
73
73
|
requirement: !ruby/object:Gem::Requirement
|
|
74
74
|
requirements:
|
|
75
|
-
- - "
|
|
75
|
+
- - "~>"
|
|
76
|
+
- !ruby/object:Gem::Version
|
|
77
|
+
version: 1.2.0
|
|
78
|
+
- - "<"
|
|
76
79
|
- !ruby/object:Gem::Version
|
|
77
|
-
version: 2.
|
|
80
|
+
version: '2.0'
|
|
78
81
|
type: :runtime
|
|
79
82
|
prerelease: false
|
|
80
83
|
version_requirements: !ruby/object:Gem::Requirement
|
|
81
84
|
requirements:
|
|
82
|
-
- - "
|
|
85
|
+
- - "~>"
|
|
86
|
+
- !ruby/object:Gem::Version
|
|
87
|
+
version: 1.2.0
|
|
88
|
+
- - "<"
|
|
83
89
|
- !ruby/object:Gem::Version
|
|
84
|
-
version: 2.
|
|
90
|
+
version: '2.0'
|
|
85
91
|
- !ruby/object:Gem::Dependency
|
|
86
92
|
name: haml-rails
|
|
87
93
|
requirement: !ruby/object:Gem::Requirement
|
|
@@ -423,6 +429,7 @@ files:
|
|
|
423
429
|
- app/models/coalescing_panda/group.rb
|
|
424
430
|
- app/models/coalescing_panda/group_category.rb
|
|
425
431
|
- app/models/coalescing_panda/group_membership.rb
|
|
432
|
+
- app/models/coalescing_panda/json_with_indifferent_access.rb
|
|
426
433
|
- app/models/coalescing_panda/lti_account.rb
|
|
427
434
|
- app/models/coalescing_panda/lti_nonce.rb
|
|
428
435
|
- app/models/coalescing_panda/oauth_state.rb
|
|
@@ -480,7 +487,9 @@ files:
|
|
|
480
487
|
- lib/coalescing_panda/bearcat_uri.rb
|
|
481
488
|
- lib/coalescing_panda/controller_helpers.rb
|
|
482
489
|
- lib/coalescing_panda/engine.rb
|
|
490
|
+
- lib/coalescing_panda/misc_helper.rb
|
|
483
491
|
- lib/coalescing_panda/route_helpers.rb
|
|
492
|
+
- lib/coalescing_panda/secure_headers.rb
|
|
484
493
|
- lib/coalescing_panda/version.rb
|
|
485
494
|
- lib/tasks/coalescing_panda_tasks.rake
|
|
486
495
|
- spec/controllers/coalescing_panda/canvas_batches_controller_spec.rb
|