RubyGems - coalescing_panda - Versions diffs - 5.1.12 → 5.2.0 - Mend

coalescing_panda 5.1.12 → 5.2.0

Files changed (7) hide show

checksums.yaml +4 -4
data/app/controllers/coalescing_panda/oauth2_controller.rb +3 -11
data/app/views/coalescing_panda/oauth2/oauth2.html.haml +3 -1
data/lib/coalescing_panda/bearcat_uri.rb +20 -18
data/lib/coalescing_panda/controller_helpers.rb +97 -79
data/lib/coalescing_panda/version.rb +1 -1
metadata +2 -2

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 45ffb1d5dba84eb776180589d036732efebe48d87472dfd8fbf620b7f38c1747
-  data.tar.gz: 3f558eb4cb87853533369fa838bd92546060f5f6235c17655ee5c1908314d7f1
+  metadata.gz: 11cc21d4b7941edd42fc5a17f198a55766a46fed5ea37281389f91f71703636e
+  data.tar.gz: e4c4173587ad7feabf2478c98816b958cf153360da52b034656caf2e6a2a3d33
 SHA512:
-  metadata.gz: ca3c23e381fedb64619951fd7ca1687c3f4aa77ba3395f59e62ebea73a6a5b8703f912afece5d5069b2c94de1daed3e2d998d3e3ffcec28f0ed448f8d01556e1
-  data.tar.gz: 0d04904eec7b603682610cd92d9b482b11e9295f66e319c963d27182edca19db81c2fcdfc19cc7baa732fa3f09a7b05059e50705832f094bececac857c29164b
+  metadata.gz: 8bd652d61d8e4968e1b8289c44d8be96c6602c5f60c8e2ef0cc17789d57b67a1b8dfb88fd746c2655d99b0c8c954225853a7883531f4d565d759b2836eea4f5f
+  data.tar.gz: 23178183610e5449d6bf5c41d90f02b83f6f71b5f5c2a4c4ff2d7f2028c9063d5873795dc2f7015c86857a401bf1da4c5de38c6d5461a8993b2ac2f443d04639

data/app/controllers/coalescing_panda/oauth2_controller.rb CHANGED Viewed

@@ -15,10 +15,12 @@ module CoalescingPanda
         client_key = lti_account.oauth2_client_key
         user_id = @oauth_state.data[:user_id]
         api_domain = @oauth_state.data[:api_domain]
+        prefix = @oauth_state.data[:api_url]
         @oauth_state.destroy
-        prefix = [oauth2_protocol, '://', api_domain].join
         Rails.logger.info "Creating Bearcat client for auth token retrieval pointed to: #{prefix}"
         client = Bearcat::Client.new(prefix: prefix)
         token_body = client.retrieve_token(client_id, coalescing_panda.oauth2_redirect_url, client_key, params['code'])
         auth = CanvasApiAuth.where('user_id = ? and api_domain = ?', user_id, api_domain).first_or_initialize
         auth.api_token = token_body['access_token']
@@ -30,20 +32,10 @@ module CoalescingPanda
       end
     end
     private
-    def oauth2_protocol
-      ENV['OAUTH_PROTOCOL'] || (Rails.env.development? ? 'http' : 'https')
-    end
     def retrieve_oauth_state
       @oauth_state ||= params[:state].present? && OauthState.find_by(state_key: params[:state])
     end
-    def valid_state_token
-      return false unless params['state'].present? && session['state'].present?
-      params['state'] == session['state']
-    end
   end
 end

data/app/views/coalescing_panda/oauth2/oauth2.html.haml CHANGED Viewed

@@ -3,7 +3,9 @@
   %h2 Canvas Authentication Required
   %button.btn-canvas#oauth_btn Authenticate
-%form{id: 'lti_form', action: "#{request.original_url}", method: 'post'}
+%form{id: 'lti_form', action: "#{request.original_url}", method: request.method}
+  - unless @lti_params.include?(:session_token) || @lti_params.include?(:session_key)
+    %input{:type =>"hidden", :value=>link_nonce, :name=>"session_token"}
   - @lti_params.each do |k,v|
     %input{:type =>"hidden", :value=>"#{v}", :name=>"#{k}"}

data/lib/coalescing_panda/bearcat_uri.rb CHANGED Viewed

@@ -1,24 +1,26 @@
-class CoalescingPanda::BearcatUri
-  attr_accessor :uri
+module CoalescingPanda
+  class BearcatUri
+    attr_accessor :uri
-  def initialize(uri)
-    Rails.logger.info "Parsing Bearcat URI: #{uri}"
-    @uri = URI.parse(uri)
-  end
+    def initialize(uri)
+      Rails.logger.info "Parsing Bearcat URI: #{uri}"
+      @uri = URI.parse(uri)
+    end
-  def api_domain
-    if Rails.env.test? or Rails.env.development?
-      uri.port.present? ? URI.encode("#{uri.host}:#{uri.port.to_s}") : uri.host
-    else
-      uri.host
+    def api_domain
+      if Rails.env.test? or Rails.env.development?
+        uri.port.present? ? URI.encode("#{uri.host}:#{uri.port.to_s}") : uri.host
+      else
+        uri.host
+      end
     end
-  end
-  def scheme
-    [uri.scheme, '://'].join
-  end
+    def scheme
+      [uri.scheme, '://'].join
+    end
-  def prefix
-    [scheme, api_domain].join
+    def prefix
+      [scheme, api_domain].join
+    end
   end
-end
+end

data/lib/coalescing_panda/controller_helpers.rb CHANGED Viewed

@@ -1,5 +1,6 @@
 require 'browser'
 require_relative 'session_replacement'
+require_relative 'bearcat_uri'
 module CoalescingPanda
   module ControllerHelpers
@@ -14,96 +15,77 @@ module CoalescingPanda
     def current_organization; current_lti_account; end
     def canvas_oauth2(*roles)
-      return if have_session?
-      if lti_authorize!(*roles)
-        user_id = params['user_id']
-        launch_presentation_return_url = @lti_account.settings[:launch_presentation_return_url] || params['launch_presentation_return_url']
-        launch_presentation_return_url = [CoalescingPanda::BearcatUri.new(request.env["HTTP_REFERER"]).prefix, launch_presentation_return_url].join unless launch_presentation_return_url.include?('http')
-        uri = CoalescingPanda::BearcatUri.new(launch_presentation_return_url)
-        set_session(launch_presentation_return_url)
-        api_auth = CanvasApiAuth.find_by('user_id = ? and api_domain = ?', user_id, uri.api_domain)
-        if api_auth
-          begin
-            refresh_token(uri, api_auth) if api_auth.expired?
-            @client = Bearcat::Client.new(token: api_auth.api_token, prefix: uri.prefix)
-            @client.user_profile 'self'
-          rescue Footrest::HttpError::BadRequest, Footrest::HttpError::Unauthorized
-            # If we can't retrieve our own user profile, or the token refresh fails, something is awry on the canvas end
-            # and we'll need to go through the oauth flow again
-            render_oauth2_page uri, user_id
-          end
-        else
-          render_oauth2_page uri, user_id
-        end
+      unless valid_session?
+        lti_authorize!(*roles)
+        current_session_data['user_id'] = params['user_id']
+        current_session_data['lis_person_sourcedid'] = params['lis_person_sourcedid']
+        current_session_data['oauth_consumer_key'] = params['oauth_consumer_key']
+        current_session_data['custom_canvas_account_id'] = params['custom_canvas_account_id']
       end
+      @lti_account = LtiAccount.find_by_key(current_session_data['oauth_consumer_key']) if current_session_data['oauth_consumer_key']
+      require_user_api_client
     end
-    def render_oauth2_page(uri, user_id)
-      @lti_account = params['oauth_consumer_key'] && LtiAccount.find_by_key(params['oauth_consumer_key'])
-      return unless @lti_account
+    def render_oauth2_page
+      client_id = current_lti_account.oauth2_client_id
+      client = Bearcat::Client.new(prefix: canvas_api_uri)
-      client_id = @lti_account.oauth2_client_id
-      client = Bearcat::Client.new(prefix: uri.prefix)
       state = SecureRandom.hex(32)
-      OauthState.create! state_key: state, data: { key: params['oauth_consumer_key'], user_id: user_id, api_domain: uri.api_domain }
+      OauthState.create! state_key: state, data: {
+        key: current_session_data.dig(:launch_params, :oauth_consumer_key),
+        user_id: current_session_data.dig(:launch_params, :user_id),
+        api_domain: URI.parse(canvas_api_uri).host,
+        api_url: canvas_api_uri,
+      }
       @canvas_url = client.auth_redirect_url(client_id, resolve_coalescing_panda_url(:oauth2_redirect_url), { state: state })
-      #delete the added params so the original oauth sig still works
       @lti_params = params.to_unsafe_h
       @lti_params.delete('action')
       @lti_params.delete('controller')
       render 'coalescing_panda/oauth2/oauth2', layout: 'coalescing_panda/application'
     end
-    def refresh_token(uri, api_auth)
-      refresh_client = Bearcat::Client.new(prefix: uri.prefix)
-      refresh_body = refresh_client.retrieve_token(@lti_account.oauth2_client_id, resolve_coalescing_panda_url(:oauth2_redirect_url),
-        @lti_account.oauth2_client_key, api_auth.refresh_token, 'refresh_token')
+    def refresh_token(api_auth)
+      refresh_client = Bearcat::Client.new(prefix: canvas_api_uri)
+      refresh_body = refresh_client.retrieve_token(
+        current_lti_account.oauth2_client_id,
+        resolve_coalescing_panda_url(:oauth2_redirect_url),
+        current_lti_account.oauth2_client_key,
+        api_auth.refresh_token,
+        'refresh_token'
+      )
       api_auth.update({ api_token: refresh_body['access_token'], expires_at: (Time.now + refresh_body['expires_in']) })
     end
-    def check_refresh_token
-      return unless current_session_data['uri'] && current_session_data['user_id'] && current_session_data['oauth_consumer_key']
-      uri = CoalescingPanda::BearcatUri.new(current_session_data['uri'])
-      api_auth = CanvasApiAuth.find_by(user_id: current_session_data['user_id'], api_domain: uri.api_domain)
-      @lti_account = LtiAccount.find_by(key: current_session_data['oauth_consumer_key'])
-      return if @lti_account.nil? || api_auth.nil? # Not all tools use oauth
-      refresh_token(uri, api_auth) if api_auth.expired?
-    rescue Footrest::HttpError::BadRequest
-      render_oauth2_page uri, current_session_data['user_id']
-    end
-    def set_session(launch_presentation_return_url)
-      current_session_data['user_id'] = params['user_id']
-      current_session_data['uri'] = launch_presentation_return_url
-      current_session_data['lis_person_sourcedid'] = params['lis_person_sourcedid']
-      current_session_data['oauth_consumer_key'] = params['oauth_consumer_key']
-      current_session_data['custom_canvas_account_id'] = params['custom_canvas_account_id']
-    end
-    def have_session?
-      if params['tool_consumer_instance_guid'] && current_session_data['user_id'] != params['user_id']
-        reset_session
-        logger.info("resetting session params")
-        current_session_data['user_id'] = params['user_id']
+    def require_user_api_client
+      if user_api_client.nil?
+        render_oauth2_page
       end
+    end
-      if (current_session_data['user_id'] && current_session_data['uri'])
-        uri = CoalescingPanda::BearcatUri.new(current_session_data['uri'])
-        api_auth = CanvasApiAuth.find_by('user_id = ? and api_domain = ?', current_session_data['user_id'], uri.api_domain)
-        if api_auth && !api_auth.expired?
-          @client = Bearcat::Client.new(token: api_auth.api_token, prefix: uri.prefix)
-          @client.user_profile 'self'
+    def user_api_client
+      @user_api_client ||= begin
+        user_id = current_session_data.dig(:launch_params, :user_id)
+        puri = URI.parse(canvas_api_uri)
+        api_auth = CanvasApiAuth.find_by('user_id = ? and api_domain = ?', user_id, puri.host)
+        if api_auth
+          begin
+            refresh_token(api_auth) if api_auth.expired?
+            client = Bearcat::Client.new(token: api_auth.api_token, prefix: canvas_api_uri)
+            client.user_profile('self')
+            client
+          rescue Footrest::HttpError::BadRequest, Footrest::HttpError::Unauthorized
+            # If we can't retrieve our own user profile, or the token refresh fails, something is awry on the canvas end
+            # and we'll need to go through the oauth flow again
+            nil
+          end
         end
       end
-      @lti_account = LtiAccount.find_by_key(current_session_data['oauth_consumer_key']) if current_session_data['oauth_consumer_key']
-      !!@client
-    rescue Footrest::HttpError::Unauthorized
-      false
     end
     def validate_launch!
@@ -111,23 +93,43 @@ module CoalescingPanda
     end
     def lti_authorize!(*roles)
+      if valid_session? # This means that we are returning from an OAuth dance.
+        # Set the params as they were at launch to avoid any bait-and-switch attack vulnerabilities in the App's launch controller
+        params.merge!(current_session_data[:launch_params])
+        return true
+      end
       authorized = false
       if (@lti_account = params['oauth_consumer_key'] && LtiAccount.find_by_key(params['oauth_consumer_key']))
         sanitized_params = sanitize_params
         @tp = IMS::LTI::ToolProvider.new(@lti_account.key, @lti_account.secret, sanitized_params)
         authorized = @tp.valid_request?(request)
       end
       logger.info 'not authorized on tp valid request' unless authorized
-      authorized = authorized && (roles.count == 0 || (roles & lti_roles).count > 0)
-      logger.info 'not authorized on roles' unless authorized
-      authorized = authorized && @lti_account.validate_nonce(params['oauth_nonce'], DateTime.strptime(params['oauth_timestamp'], '%s'))
-      logger.info 'not authorized on nonce' unless authorized
+      if authorized && !(authorized = (roles.count == 0 || (roles & lti_roles).count > 0))
+        logger.info 'not authorized on roles'
+      end
+      if authorized && !(authorized = @lti_account.validate_nonce(params['oauth_nonce'], DateTime.strptime(params['oauth_timestamp'], '%s')))
+        logger.info 'not authorized on nonce'
+      end
       render :text => 'Invalid Credentials, please contact your Administrator.', :status => :unauthorized unless authorized
       # create session on first launch
       current_session
       authorized
     end
+    def valid_session?
+      return false unless current_session(create_missing: false)&.persisted?
+      true
+    rescue SessionNonceMismatch
+      false
+    end
     # code for method taken from panda_pal v 4.0.8
     # used for safari workaround
     def sanitize_params
@@ -161,11 +163,27 @@ module CoalescingPanda
       end
     end
-    def valid_session?
-      return false unless current_session(create_missing: false)&.persisted?
-      true
-    rescue SessionNonceMismatch
-      false
+    def canvas_api_uri
+      @canvas_api_uri ||= begin
+        launch_params = current_session_data[:launch_params] || {}
+        uri = 'canvas.instructure.com'
+        if launch_params[:custom_canvas_api_domain].present?
+          uri = launch_params[:custom_canvas_api_domain]
+        else
+          uri = current_lti_account.settings[:launch_presentation_return_url] || launch_params[:launch_presentation_return_url]
+          unless uri.include?('://')
+            referrer = URI.parse(request.env["HTTP_REFERER"])
+            referrer.path = ''
+            uri = [referrer.to_s, uri].join
+          end
+        end
+        uri = ((Rails.env.test? or Rails.env.development?) ? 'http' : 'https') + '://' + uri unless uri.include?('://')
+        uri = URI.parse(uri)
+        uri.path = ''
+        uri.to_s
+      end
     end
     private

data/lib/coalescing_panda/version.rb CHANGED Viewed

@@ -1,3 +1,3 @@
 module CoalescingPanda
-  VERSION = '5.1.12'
+  VERSION = '5.2.0'
 end

metadata CHANGED Viewed

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: coalescing_panda
 version: !ruby/object:Gem::Version
-  version: 5.1.12
+  version: 5.2.0
 platform: ruby
 authors:
 - Nathan Mills
@@ -10,7 +10,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2021-09-03 00:00:00.000000000 Z
+date: 2021-11-22 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rails