coalescing_panda 5.0.8 → 5.1.3.beta.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA256:
-  metadata.gz: b00520a9558a0dbd2699d97b5f1163721dff23d0042be51b2df5cc220675a0a1
-  data.tar.gz: 7adaf679f268ebcd2e5695994d3b5b498eda1ee3078e3be617b5a47e24a04244
+SHA1:
+  metadata.gz: 10a09324435306113beac47c8dd609b16e4ebebc
+  data.tar.gz: 02ac6211e0eee50fe9447d0f2bd38df991c1fe90
 SHA512:
-  metadata.gz: 630ea590d568f2fc1839ed5b456eec95a8ab0fa43b8139a7c9c32d5c08eddbb557fbe6cd71b65a88b71e5d72ec61098252033772f18e863368f4475bc807ac96
-  data.tar.gz: 18622f8b4c058ca1d8d66626d7b5186083114dba571f5d0a2b7c3d12b75abea934a6b02b2e29612541674ac704c018da58c126bbf3ea58dcd06d66f7994c4878
+  metadata.gz: 206827a41c33c311d4b38a8bf4c1ce6d44bd85b79b4565e46fa7163c491ab93fe395e2fd0b5f23edf55c0d92a3f039980594ee6ee6faae14a640530d783dbca8
+  data.tar.gz: c4c6edff8dcebfd76f7af24efa6478b39b58fe8c67f73db6481fb97a2bc9fe70d2e03dbb52586c85e2e4eacbfdebb19d6d4182f89611cea5ddb36cd92ef2f237

data/app/controllers/coalescing_panda/oauth2_controller.rb

@@ -34,7 +34,7 @@ module CoalescingPanda
     private
 
     def oauth2_protocol
-      ENV['OAUTH_PROTOCOL'] || 'https'
+      ENV['OAUTH_PROTOCOL'] || (Rails.env.development? ? 'http' : 'https')
     end
 
     def retrieve_oauth_state

data/lib/coalescing_panda/controller_helpers.rb

@@ -1,51 +1,17 @@
 require 'browser'
+require_relative 'session_replacement'
 
 module CoalescingPanda
   module ControllerHelpers
     extend ActiveSupport::Concern
-
-    included do
-      alias_method :rails_session, :session
-
-      helper_method :encrypted_session_key, :current_session_data, :current_session
-      append_after_action :save_session, if: -> { @current_session && session_changed? }
-    end
-
-    class_methods do
-      def use_native_sessions
-        after_action do
-          rails_session['persistent_session_key'] = current_session.session_key if @current_session.present?
-        end
-      end
-    end
-
-    def current_session
-      @current_session ||= (CoalescingPanda::PersistentSession.find_by(session_key: session_key) if session_key)
-      @current_session ||= (CoalescingPanda::PersistentSession.create_from_launch(params, current_lti_account.id) if current_lti_account.present?)
-      @current_session
-    end
+    include SessionReplacement
 
     def current_lti_account
       @account ||= (CoalescingPanda::LtiAccount.find_by!(key: organization_key) if organization_key)
       @account ||= (CoalescingPanda::LtiAccount.find_by(id: organization_id) if organization_id)
       @account
     end
-
-    def current_session_data
-      current_session.data
-    end
-
-    def encrypted_session_key
-      msg_encryptor.encrypt_and_sign(current_session.session_key)
-    end
-
-    def save_session
-      current_session.try(:save)
-    end
-
-    def session_changed?
-      current_session.changed? && current_session.changes[:data].present?
-    end
+    def current_organization; current_lti_account; end
 
     def canvas_oauth2(*roles)
       return if have_session?
@@ -81,9 +47,7 @@ module CoalescingPanda
       client = Bearcat::Client.new(prefix: uri.prefix)
       state = SecureRandom.hex(32)
       OauthState.create! state_key: state, data: { key: params['oauth_consumer_key'], user_id: user_id, api_domain: uri.api_domain }
-      redirect_path = coalescing_panda.oauth2_redirect_path
-      redirect_url = [coalescing_panda_url, redirect_path.sub(/^\/lti/, '')].join
-      @canvas_url = client.auth_redirect_url(client_id, redirect_url, { state: state })
+      @canvas_url = client.auth_redirect_url(client_id, resolve_coalescing_panda_url(:oauth2_redirect_url), { state: state })
 
       #delete the added params so the original oauth sig still works
       @lti_params = params.to_hash
@@ -94,7 +58,7 @@ module CoalescingPanda
 
     def refresh_token(uri, api_auth)
       refresh_client = Bearcat::Client.new(prefix: uri.prefix)
-      refresh_body = refresh_client.retrieve_token(@lti_account.oauth2_client_id, coalescing_panda.oauth2_redirect_url,
+      refresh_body = refresh_client.retrieve_token(@lti_account.oauth2_client_id, resolve_coalescing_panda_url(:oauth2_redirect_url),
         @lti_account.oauth2_client_key, api_auth.refresh_token, 'refresh_token')
       api_auth.update({ api_token: refresh_body['access_token'], expires_at: (Time.now + refresh_body['expires_in']) })
     end
@@ -193,14 +157,21 @@ module CoalescingPanda
       end
     end
 
-    def session_check
-      logger.warn 'session_check is deprecated. Functionality moved to lti_authorize.'
+    def valid_session?
+      return false unless current_session(create_missing: false)&.persisted?
+      true
+    rescue SessionNonceMismatch
+      false
     end
 
     private
 
-    def msg_encryptor
-      @crypt ||= ActiveSupport::MessageEncryptor.new(Rails.application.secrets.secret_key_base[0..31])
+    def find_or_create_session(key:)
+      if key == :create
+        CoalescingPanda::PersistentSession.create_from_launch(params, current_lti_account.id) if current_lti_account.present?
+      else
+        CoalescingPanda::PersistentSession.find_by(session_key: key)
+      end
     end
 
     def organization_key
@@ -211,51 +182,16 @@ module CoalescingPanda
       params[:organization_id] || (current_session_data[:launch_params][:organization_id] if @current_session)
     end
 
-    def session_key
-      if params[:encrypted_session_key]
-        return msg_encryptor.decrypt_and_verify(params[:encrypted_session_key])
-      end
-      params[:session_key] || session_key_header || rails_session['persistent_session_key']
+    # This is necessitated by a bug in Rails Engines where it isn't resolving the URL correctly
+    # when using coalescing_panda.xyz_url (The Engine Prefix is not included)
+    # I believe https://github.com/rails/rails/issues/34452 is the same issue
+    def resolve_coalescing_panda_url(key)
+      key = key.to_s[0...-4] if key.to_s.ends_with?('_url')
+      resolved_path = coalescing_panda.send(:"#{key}_path")
+      cpurl = coalescing_panda_url
+      cppath = URI.parse(cpurl).path
+      resolved_path = cppath + resolved_path unless resolved_path.starts_with?(cppath)
+      URI.join(cpurl, resolved_path)
     end
-
-    def session_key_header
-      if (match = request.headers['Authorization'].try(:match, /crypted_token=(.+)/))
-        msg_encryptor.decrypt_and_verify(match[1])
-      elsif (match = request.headers['Authorization'].try(:match, /token=(.+)/))
-        match[1]
-      end
-    end
-
-    # Redirect with the session key intact. In production,
-    # handle this by encrypting the session key.  That way if the
-    # url is logged anywhere, it will all be encrypted data.   In dev,
-    # just put it in the URL. Putting it in the URL
-    # is insecure, but is fine in development.
-    # Keeping it in the URL in development means that it plays
-    # nicely with webpack-dev-server live reloading (otherwise
-    # you get an access error every time it tries to live reload).
-
-    def redirect_with_session_to(path, id_or_resource = nil, redirect_params = {})
-      if Rails.env.development? || Rails.env.test?
-        redirect_development_mode(path, id_or_resource, redirect_params)
-      else
-        redirect_production_mode(path, id_or_resource, redirect_params)
-      end
-    end
-
-    def redirect_development_mode(path, id_or_resource = nil, redirect_params)
-      redirect_to send(path, id_or_resource, {
-          session_key: current_session.session_key,
-          organization_id: current_lti_account.id
-      }.merge(redirect_params))
-    end
-
-    def redirect_production_mode(path, id_or_resource = nil, redirect_params)
-      redirect_to send(path, id_or_resource, {
-          encrypted_session_key: encrypted_session_key,
-          organization_id: current_lti_account.id
-      }.merge(redirect_params))
-    end
-
   end
 end

data/lib/coalescing_panda/misc_helper.rb

@@ -4,9 +4,9 @@ module CoalescingPanda
 
     def self.to_boolean(v)
       if Rails.version < '5.0'
-        ActiveRecord::Type::Boolean.new.type_cast_from_user("0")
+        ActiveRecord::Type::Boolean.new.type_cast_from_user(v)
       else
-        ActiveRecord::Type::Boolean.new.deserialize('0')
+        ActiveRecord::Type::Boolean.new.deserialize(v)
       end
     end
   end

data/lib/coalescing_panda/secure_headers.rb

@@ -48,11 +48,6 @@ module CoalescingPanda
         end
       end
 
-      if CoalescingPanda.lti_options.has_key?(:allow_unsafe_eval) && CoalescingPanda.lti_options[:allow_unsafe_eval] == true
-        # For when code is returned from server and injected into dom.  Need to have unsafe-eval or it won't work.
-        csp_entry(:script_src, "'unsafe-eval'")
-      end
-
       # Detect and permit Sentry
       if defined?(Raven) && Raven.configuration.server.present?
         csp_entry(:connect_src, Raven.configuration.server)

data/lib/coalescing_panda/session_replacement.rb

@@ -0,0 +1,193 @@
+module CoalescingPanda
+  class SessionNonceMismatch < StandardError; end
+
+  module SessionReplacement
+    extend ActiveSupport::Concern
+
+    included do
+      helper_method :link_nonce, :current_session, :current_session_data
+      helper_method :link_with_session_to, :url_with_session, :session_url_for
+
+      prepend_around_action :monkeypatch_flash
+      prepend_around_action :auto_save_session
+    end
+
+    class_methods do
+      def link_nonce_type(value = :not_given)
+        if value == :not_given
+          @link_nonce_type || superclass.try(:link_nonce_type) || :nonce
+        else
+          @link_nonce_type = value
+        end
+      end
+    end
+
+    def save_session
+      current_session.try(:save)
+    end
+
+    def current_session(create_missing: true)
+      return @current_session if @current_session.present?
+
+      if params[:session_token]
+        payload = JSON.parse(session_cryptor.decrypt_and_verify(params[:session_token])).with_indifferent_access
+        matched_session = find_or_create_session(key: payload[:session_key])
+        session_expiration_period_minutes = CoalescingPanda.lti_options[:session_expiration_period_minutes] || 15
+        session_expiration_period_minutes = session_expiration_period_minutes.to_i
+        puts "XXXXX"
+        puts session_expiration_period_minutes
+        puts session_expiration_period_minutes.minutes.ago
+        if matched_session.present?
+          if payload[:token_type] == 'nonce' && matched_session.data[:link_nonce] == payload[:nonce]
+            @current_session = matched_session
+            @current_session.data[:link_nonce] = nil
+          elsif payload[:token_type] == 'fixed_ip' && matched_session.data[:remote_ip] == request.remote_ip &&
+            DateTime.parse(matched_session.data[:last_ip_token_requested]) > session_expiration_period_minutes.minutes.ago
+            @current_session = matched_session
+          elsif payload[:token_type] == 'expiring' && DateTime.parse(matched_session.data[:last_token_requested]) > session_expiration_period_minutes.minutes.ago
+            @current_session = matched_session
+          end
+        end
+        raise SessionNonceMismatch, "Session Not Found" unless @current_session.present?
+      elsif (session_key = params[:session_key] || session_key_header || flash[:session_key] || session[:session_key]).present?
+        @current_session = find_or_create_session(key: session_key)
+      end
+
+      @current_session ||= find_or_create_session(key: :create) if create_missing
+
+      @current_session
+    end
+
+    def current_session_data
+      current_session.data
+    end
+
+    def session_changed?
+      current_session.changed? && current_session.changes[:data].present?
+    end
+
+    def forbid_access_if_lacking_session
+      render plain: 'You should do an LTI Tool Launch.', status: :unauthorized unless valid_session?
+    end
+
+    def verify_authenticity_token
+      # No need to check CSRF when no cookies were sent. This fixes CSRF failures in Browsers
+      # that restrict Cookie setting within an IFrame.
+      return unless request.cookies.keys.length > 0
+      super
+    end
+
+    # Redirect with the session key intact. In production,
+    # handle this by adding a one-time use encrypted token to the URL.
+    # Keeping it in the URL in development means that it plays
+    # nicely with webpack-dev-server live reloading (otherwise
+    # you get an access error everytime it tries to live reload).
+
+    def redirect_with_session_to(*args)
+      redirect_to url_with_session(*args)
+    end
+
+    def link_with_session_to(*args)
+      helpers.link_to url_with_session(*args)
+    end
+
+    def session_url_for(*args)
+      url_for(build_session_url_params(*args))
+    end
+
+    def url_with_session(location, *args, route_context: self, **kwargs)
+      route_context.send(location, *build_session_url_params(*args, **kwargs))
+    end
+
+    def link_nonce(type: link_nonce_type)
+      type = instance_exec(&type) if type.is_a?(Proc)
+      type = type.to_s
+
+      @cached_link_nonces ||= {}
+      @cached_link_nonces[type] ||= begin
+        payload = {
+          token_type: type,
+          session_key: current_session.session_key,
+          organization_id: current_organization.id,
+        }
+
+        if type == 'nonce'
+          current_session_data[:link_nonce] = SecureRandom.hex
+          payload.merge!(nonce: current_session_data[:link_nonce])
+        elsif type == 'fixed_ip'
+          current_session_data[:remote_ip] ||= request.remote_ip
+          current_session_data[:last_ip_token_requested] = DateTime.now.iso8601
+        elsif type == 'expiring'
+          current_session_data[:last_token_requested] = DateTime.now.iso8601
+        else
+          raise StandardError, "Unsupported link_nonce_type: '#{type}'"
+        end
+
+        session_cryptor.encrypt_and_sign(payload.to_json)
+      end
+    end
+
+    def link_nonce_type
+      self.class.link_nonce_type
+    end
+
+    private
+
+    def session_cryptor
+      secret_key_base = Rails.application.try(:secret_key_base) || Rails.application.secrets.secret_key_base
+      @session_cryptor ||= ActiveSupport::MessageEncryptor.new(secret_key_base[0..31])
+    end
+
+    def session_key_header
+      if match = request.headers['Authorization'].try(:match, /token=(.+)/)
+        match[1]
+      end
+    end
+
+    def build_session_url_params(*args, nonce_type: link_nonce_type, **kwargs)
+      if args[-1].is_a?(Hash)
+        args[-1] = args[-1].dup
+      else
+        args.push({})
+      end
+
+      if Rails.env.development?
+        args[-1].merge!(
+          session_key: current_session.session_key,
+          organization_id: current_organization.id,
+        )
+      else
+        args[-1].merge!(
+          session_token: link_nonce(type: nonce_type),
+          organization_id: current_organization.id,
+        )
+      end
+
+      args[-1].merge!(kwargs)
+      args
+    end
+
+    def auto_save_session
+      yield if block_given?
+      save_session if @current_session && session_changed?
+    end
+
+    def monkeypatch_flash
+      if valid_session? && (value = current_session_data['flashes']).present?
+        flashes = value["flashes"]
+        if discard = value["discard"]
+          flashes.except!(*discard)
+        end
+        flash.replace(flashes)
+        flash.discard()
+      end
+
+      yield
+
+      if @current_session.present?
+        current_session_data['flashes'] = flash.to_session_value
+        flash.discard()
+      end
+    end
+  end
+end

data/lib/coalescing_panda/version.rb

@@ -1,3 +1,3 @@
 module CoalescingPanda
-  VERSION = '5.0.8'
+  VERSION = '5.1.3.beta.1'
 end

data/spec/controllers/coalescing_panda/oauth2_controller_spec.rb

@@ -11,7 +11,7 @@ describe CoalescingPanda::Oauth2Controller, :type => :controller do
       Bearcat::Client.any_instance.stub(retrieve_token: { 'access_token' => 'token', 'refresh_token' => 'token', 'expires_in' => 3600 })
       session[:state] = 'test'
       CoalescingPanda::OauthState.create!(state_key: session[:state], data: { key: account.key, user_id: user.id, api_domain: 'foo.com' })
-      get :redirect, {user_id: user.id, api_domain: 'foo.com', code: 'bar', key: account.key, state: 'test'}
+      get :redirect, params: {user_id: user.id, api_domain: 'foo.com', code: 'bar', key: account.key, state: 'test'}
       auth = CoalescingPanda::CanvasApiAuth.find_by_user_id_and_api_domain(user.id, 'foo.com')
       auth.should_not == nil
       expect(auth.api_token).to eql 'token'
@@ -20,7 +20,7 @@ describe CoalescingPanda::Oauth2Controller, :type => :controller do
     end
 
     it "doesn't create a token in the db" do
-      get :redirect, {error: 'your face'}
+      get :redirect, params: {error: 'your face'}
       CoalescingPanda::CanvasApiAuth.all.count.should == 0
     end
   end

data/spec/models/coalescing_panda/canvas_api_auth_spec.rb

@@ -1,10 +1,10 @@
 require 'spec_helper'
 
-describe CoalescingPanda::CanvasApiAuth do
+describe CoalescingPanda::CanvasApiAuth, type: :model do
 
   it { should validate_uniqueness_of(:user_id).scoped_to(:api_domain)}
   it { should validate_presence_of(:user_id)}
-  it {should validate_presence_of(:api_domain)}
+  it { should validate_presence_of(:api_domain)}
 
   describe '#expired?' do
     let(:auth) { FactoryGirl.create :canvas_api_auth }

data/spec/spec_helper.rb

@@ -24,6 +24,13 @@ SimpleCov.start
 
 ActiveRecord::Migration.check_pending! if defined?(ActiveRecord::Migration)
 
+Shoulda::Matchers.configure do |config|
+  config.integrate do |with|
+    with.test_framework :rspec
+    with.library :rails
+  end
+end
+
 # This file was generated by the `rails generate rspec:install` command. Conventionally, all
 # specs live under a `spec` directory, which RSpec adds to the `$LOAD_PATH`.
 # The generated `.rspec` file contains `--require spec_helper` which will cause this

metadata

@@ -1,16 +1,16 @@
 --- !ruby/object:Gem::Specification
 name: coalescing_panda
 version: !ruby/object:Gem::Version
-  version: 5.0.8
+  version: 5.1.3.beta.1
 platform: ruby
 authors:
 - Nathan Mills
 - Cody Tanner
 - Jake Sorce
-autorequire: 
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2020-08-26 00:00:00.000000000 Z
+date: 2020-10-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rails
@@ -396,7 +396,7 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
-description: 
+description:
 email:
 - nathanm@instructure.com
 - ctanner@instructure.com
@@ -490,6 +490,7 @@ files:
 - lib/coalescing_panda/misc_helper.rb
 - lib/coalescing_panda/route_helpers.rb
 - lib/coalescing_panda/secure_headers.rb
+- lib/coalescing_panda/session_replacement.rb
 - lib/coalescing_panda/version.rb
 - lib/tasks/coalescing_panda_tasks.rake
 - spec/controllers/coalescing_panda/canvas_batches_controller_spec.rb
@@ -562,7 +563,7 @@ files:
 homepage: http://www.instructure.com
 licenses: []
 metadata: {}
-post_install_message: 
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -573,12 +574,13 @@ required_ruby_version: !ruby/object:Gem::Requirement
       version: '0'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
-  - - ">="
+  - - ">"
     - !ruby/object:Gem::Version
-      version: '0'
+      version: 1.3.1
 requirements: []
-rubygems_version: 3.1.2
-signing_key: 
+rubyforge_project:
+rubygems_version: 2.6.14.4
+signing_key:
 specification_version: 4
 summary: Canvas LTI and OAUTH2 mountable engine
 test_files: