RubyGems - coalescing_panda - Versions diffs - 5.1.12 → 5.2.0 - Mend

coalescing_panda 5.1.12 → 5.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

checksums.yaml +4 -4
data/app/controllers/coalescing_panda/oauth2_controller.rb +3 -11
data/app/views/coalescing_panda/oauth2/oauth2.html.haml +3 -1
data/lib/coalescing_panda/bearcat_uri.rb +20 -18
data/lib/coalescing_panda/controller_helpers.rb +97 -79
data/lib/coalescing_panda/version.rb +1 -1
metadata +2 -2

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 45ffb1d5dba84eb776180589d036732efebe48d87472dfd8fbf620b7f38c1747
-  data.tar.gz: 3f558eb4cb87853533369fa838bd92546060f5f6235c17655ee5c1908314d7f1
+  metadata.gz: 11cc21d4b7941edd42fc5a17f198a55766a46fed5ea37281389f91f71703636e
+  data.tar.gz: e4c4173587ad7feabf2478c98816b958cf153360da52b034656caf2e6a2a3d33
 SHA512:
-  metadata.gz: ca3c23e381fedb64619951fd7ca1687c3f4aa77ba3395f59e62ebea73a6a5b8703f912afece5d5069b2c94de1daed3e2d998d3e3ffcec28f0ed448f8d01556e1
-  data.tar.gz: 0d04904eec7b603682610cd92d9b482b11e9295f66e319c963d27182edca19db81c2fcdfc19cc7baa732fa3f09a7b05059e50705832f094bececac857c29164b
+  metadata.gz: 8bd652d61d8e4968e1b8289c44d8be96c6602c5f60c8e2ef0cc17789d57b67a1b8dfb88fd746c2655d99b0c8c954225853a7883531f4d565d759b2836eea4f5f
+  data.tar.gz: 23178183610e5449d6bf5c41d90f02b83f6f71b5f5c2a4c4ff2d7f2028c9063d5873795dc2f7015c86857a401bf1da4c5de38c6d5461a8993b2ac2f443d04639

data/app/controllers/coalescing_panda/oauth2_controller.rb CHANGED Viewed

@@ -15,10 +15,12 @@ module CoalescingPanda
         client_key = lti_account.oauth2_client_key
         user_id = @oauth_state.data[:user_id]
         api_domain = @oauth_state.data[:api_domain]
+        prefix = @oauth_state.data[:api_url]
         @oauth_state.destroy
-        prefix = [oauth2_protocol, '://', api_domain].join
         Rails.logger.info "Creating Bearcat client for auth token retrieval pointed to: #{prefix}"
         client = Bearcat::Client.new(prefix: prefix)
         token_body = client.retrieve_token(client_id, coalescing_panda.oauth2_redirect_url, client_key, params['code'])
         auth = CanvasApiAuth.where('user_id = ? and api_domain = ?', user_id, api_domain).first_or_initialize
         auth.api_token = token_body['access_token']
@@ -30,20 +32,10 @@ module CoalescingPanda
       end
     end
     private
-    def oauth2_protocol
-      ENV['OAUTH_PROTOCOL'] || (Rails.env.development? ? 'http' : 'https')
-    end
     def retrieve_oauth_state
       @oauth_state ||= params[:state].present? && OauthState.find_by(state_key: params[:state])
     end
-    def valid_state_token
-      return false unless params['state'].present? && session['state'].present?
-      params['state'] == session['state']
-    end
   end
 end

data/app/views/coalescing_panda/oauth2/oauth2.html.haml CHANGED Viewed

@@ -3,7 +3,9 @@
   %h2 Canvas Authentication Required
   %button.btn-canvas#oauth_btn Authenticate
-%form{id: 'lti_form', action: "#{request.original_url}", method: 'post'}
+%form{id: 'lti_form', action: "#{request.original_url}", method: request.method}
+  - unless @lti_params.include?(:session_token) || @lti_params.include?(:session_key)
+    %input{:type =>"hidden", :value=>link_nonce, :name=>"session_token"}
   - @lti_params.each do |k,v|
     %input{:type =>"hidden", :value=>"#{v}", :name=>"#{k}"}

data/lib/coalescing_panda/bearcat_uri.rb CHANGED Viewed

@@ -1,24 +1,26 @@
-class CoalescingPanda::BearcatUri
-  attr_accessor :uri
+module CoalescingPanda
+  class BearcatUri
+    attr_accessor :uri
-  def initialize(uri)
-    Rails.logger.info "Parsing Bearcat URI: #{uri}"
-    @uri = URI.parse(uri)
-  end
+    def initialize(uri)
+      Rails.logger.info "Parsing Bearcat URI: #{uri}"
+      @uri = URI.parse(uri)
+    end
-  def api_domain
-    if Rails.env.test? or Rails.env.development?
-      uri.port.present? ? URI.encode("#{uri.host}:#{uri.port.to_s}") : uri.host
-    else
-      uri.host
+    def api_domain
+      if Rails.env.test? or Rails.env.development?
+        uri.port.present? ? URI.encode("#{uri.host}:#{uri.port.to_s}") : uri.host
+      else
+        uri.host
+      end
     end
-  end
-  def scheme
-    [uri.scheme, '://'].join
-  end
+    def scheme
+      [uri.scheme, '://'].join
+    end
-  def prefix
-    [scheme, api_domain].join
+    def prefix
+      [scheme, api_domain].join
+    end
   end
-end
+end

data/lib/coalescing_panda/controller_helpers.rb CHANGED Viewed

@@ -1,5 +1,6 @@
 require 'browser'
 require_relative 'session_replacement'
+require_relative 'bearcat_uri'
 module CoalescingPanda
   module ControllerHelpers
@@ -14,96 +15,77 @@ module CoalescingPanda
     def current_organization; current_lti_account; end
     def canvas_oauth2(*roles)
-      return if have_session?
-      if lti_authorize!(*roles)
-        user_id = params['user_id']
-        launch_presentation_return_url = @lti_account.settings[:launch_presentation_return_url] || params['launch_presentation_return_url']
-        launch_presentation_return_url = [CoalescingPanda::BearcatUri.new(request.env["HTTP_REFERER"]).prefix, launch_presentation_return_url].join unless launch_presentation_return_url.include?('http')
-        uri = CoalescingPanda::BearcatUri.new(launch_presentation_return_url)
-        set_session(launch_presentation_return_url)
-        api_auth = CanvasApiAuth.find_by('user_id = ? and api_domain = ?', user_id, uri.api_domain)
-        if api_auth
-          begin
-            refresh_token(uri, api_auth) if api_auth.expired?
-            @client = Bearcat::Client.new(token: api_auth.api_token, prefix: uri.prefix)
-            @client.user_profile 'self'
-          rescue Footrest::HttpError::BadRequest, Footrest::HttpError::Unauthorized
-            # If we can't retrieve our own user profile, or the token refresh fails, something is awry on the canvas end
-            # and we'll need to go through the oauth flow again
-            render_oauth2_page uri, user_id
-          end
-        else
-          render_oauth2_page uri, user_id
-        end
+      unless valid_session?
+        lti_authorize!(*roles)
+        current_session_data['user_id'] = params['user_id']
+        current_session_data['lis_person_sourcedid'] = params['lis_person_sourcedid']
+        current_session_data['oauth_consumer_key'] = params['oauth_consumer_key']
+        current_session_data['custom_canvas_account_id'] = params['custom_canvas_account_id']
       end
+      @lti_account = LtiAccount.find_by_key(current_session_data['oauth_consumer_key']) if current_session_data['oauth_consumer_key']
+      require_user_api_client
     end
-    def render_oauth2_page(uri, user_id)
-      @lti_account = params['oauth_consumer_key'] && LtiAccount.find_by_key(params['oauth_consumer_key'])
-      return unless @lti_account
+    def render_oauth2_page
+      client_id = current_lti_account.oauth2_client_id
+      client = Bearcat::Client.new(prefix: canvas_api_uri)
-      client_id = @lti_account.oauth2_client_id
-      client = Bearcat::Client.new(prefix: uri.prefix)
       state = SecureRandom.hex(32)
-      OauthState.create! state_key: state, data: { key: params['oauth_consumer_key'], user_id: user_id, api_domain: uri.api_domain }
+      OauthState.create! state_key: state, data: {
+        key: current_session_data.dig(:launch_params, :oauth_consumer_key),
+        user_id: current_session_data.dig(:launch_params, :user_id),
+        api_domain: URI.parse(canvas_api_uri).host,
+        api_url: canvas_api_uri,
+      }
       @canvas_url = client.auth_redirect_url(client_id, resolve_coalescing_panda_url(:oauth2_redirect_url), { state: state })
-      #delete the added params so the original oauth sig still works
       @lti_params = params.to_unsafe_h
       @lti_params.delete('action')
       @lti_params.delete('controller')
       render 'coalescing_panda/oauth2/oauth2', layout: 'coalescing_panda/application'
     end
-    def refresh_token(uri, api_auth)
-      refresh_client = Bearcat::Client.new(prefix: uri.prefix)
-      refresh_body = refresh_client.retrieve_token(@lti_account.oauth2_client_id, resolve_coalescing_panda_url(:oauth2_redirect_url),
-        @lti_account.oauth2_client_key, api_auth.refresh_token, 'refresh_token')
+    def refresh_token(api_auth)
+      refresh_client = Bearcat::Client.new(prefix: canvas_api_uri)
+      refresh_body = refresh_client.retrieve_token(
+        current_lti_account.oauth2_client_id,
+        resolve_coalescing_panda_url(:oauth2_redirect_url),
+        current_lti_account.oauth2_client_key,
+        api_auth.refresh_token,
+        'refresh_token'
+      )
       api_auth.update({ api_token: refresh_body['access_token'], expires_at: (Time.now + refresh_body['expires_in']) })
     end
-    def check_refresh_token
-      return unless current_session_data['uri'] && current_session_data['user_id'] && current_session_data['oauth_consumer_key']
-      uri = CoalescingPanda::BearcatUri.new(current_session_data['uri'])
-      api_auth = CanvasApiAuth.find_by(user_id: current_session_data['user_id'], api_domain: uri.api_domain)
-      @lti_account = LtiAccount.find_by(key: current_session_data['oauth_consumer_key'])
-      return if @lti_account.nil? || api_auth.nil? # Not all tools use oauth
-      refresh_token(uri, api_auth) if api_auth.expired?
-    rescue Footrest::HttpError::BadRequest
-      render_oauth2_page uri, current_session_data['user_id']
-    end
-    def set_session(launch_presentation_return_url)
-      current_session_data['user_id'] = params['user_id']
-      current_session_data['uri'] = launch_presentation_return_url
-      current_session_data['lis_person_sourcedid'] = params['lis_person_sourcedid']
-      current_session_data['oauth_consumer_key'] = params['oauth_consumer_key']
-      current_session_data['custom_canvas_account_id'] = params['custom_canvas_account_id']
-    end
-    def have_session?
-      if params['tool_consumer_instance_guid'] && current_session_data['user_id'] != params['user_id']
-        reset_session
-        logger.info("resetting session params")
-        current_session_data['user_id'] = params['user_id']
+    def require_user_api_client
+      if user_api_client.nil?
+        render_oauth2_page
       end
+    end
-      if (current_session_data['user_id'] && current_session_data['uri'])
-        uri = CoalescingPanda::BearcatUri.new(current_session_data['uri'])
-        api_auth = CanvasApiAuth.find_by('user_id = ? and api_domain = ?', current_session_data['user_id'], uri.api_domain)
-        if api_auth && !api_auth.expired?
-          @client = Bearcat::Client.new(token: api_auth.api_token, prefix: uri.prefix)
-          @client.user_profile 'self'
+    def user_api_client
+      @user_api_client ||= begin
+        user_id = current_session_data.dig(:launch_params, :user_id)
+        puri = URI.parse(canvas_api_uri)
+        api_auth = CanvasApiAuth.find_by('user_id = ? and api_domain = ?', user_id, puri.host)
+        if api_auth
+          begin
+            refresh_token(api_auth) if api_auth.expired?
+            client = Bearcat::Client.new(token: api_auth.api_token, prefix: canvas_api_uri)
+            client.user_profile('self')
+            client
+          rescue Footrest::HttpError::BadRequest, Footrest::HttpError::Unauthorized
+            # If we can't retrieve our own user profile, or the token refresh fails, something is awry on the canvas end
+            # and we'll need to go through the oauth flow again
+            nil
+          end
         end
       end
-      @lti_account = LtiAccount.find_by_key(current_session_data['oauth_consumer_key']) if current_session_data['oauth_consumer_key']
-      !!@client
-    rescue Footrest::HttpError::Unauthorized
-      false
     end
     def validate_launch!
@@ -111,23 +93,43 @@ module CoalescingPanda
     end
     def lti_authorize!(*roles)
+      if valid_session? # This means that we are returning from an OAuth dance.
+        # Set the params as they were at launch to avoid any bait-and-switch attack vulnerabilities in the App's launch controller
+        params.merge!(current_session_data[:launch_params])
+        return true
+      end
       authorized = false
       if (@lti_account = params['oauth_consumer_key'] && LtiAccount.find_by_key(params['oauth_consumer_key']))
         sanitized_params = sanitize_params
         @tp = IMS::LTI::ToolProvider.new(@lti_account.key, @lti_account.secret, sanitized_params)
         authorized = @tp.valid_request?(request)
       end
       logger.info 'not authorized on tp valid request' unless authorized
-      authorized = authorized && (roles.count == 0 || (roles & lti_roles).count > 0)
-      logger.info 'not authorized on roles' unless authorized
-      authorized = authorized && @lti_account.validate_nonce(params['oauth_nonce'], DateTime.strptime(params['oauth_timestamp'], '%s'))
-      logger.info 'not authorized on nonce' unless authorized
+      if authorized && !(authorized = (roles.count == 0 || (roles & lti_roles).count > 0))
+        logger.info 'not authorized on roles'
+      end
+      if authorized && !(authorized = @lti_account.validate_nonce(params['oauth_nonce'], DateTime.strptime(params['oauth_timestamp'], '%s')))
+        logger.info 'not authorized on nonce'
+      end
       render :text => 'Invalid Credentials, please contact your Administrator.', :status => :unauthorized unless authorized
       # create session on first launch
       current_session
       authorized
     end
+    def valid_session?
+      return false unless current_session(create_missing: false)&.persisted?
+      true
+    rescue SessionNonceMismatch
+      false
+    end
     # code for method taken from panda_pal v 4.0.8
     # used for safari workaround
     def sanitize_params
@@ -161,11 +163,27 @@ module CoalescingPanda
       end
     end
-    def valid_session?
-      return false unless current_session(create_missing: false)&.persisted?
-      true
-    rescue SessionNonceMismatch
-      false
+    def canvas_api_uri
+      @canvas_api_uri ||= begin
+        launch_params = current_session_data[:launch_params] || {}
+        uri = 'canvas.instructure.com'
+        if launch_params[:custom_canvas_api_domain].present?
+          uri = launch_params[:custom_canvas_api_domain]
+        else
+          uri = current_lti_account.settings[:launch_presentation_return_url] || launch_params[:launch_presentation_return_url]
+          unless uri.include?('://')
+            referrer = URI.parse(request.env["HTTP_REFERER"])
+            referrer.path = ''
+            uri = [referrer.to_s, uri].join
+          end
+        end
+        uri = ((Rails.env.test? or Rails.env.development?) ? 'http' : 'https') + '://' + uri unless uri.include?('://')
+        uri = URI.parse(uri)
+        uri.path = ''
+        uri.to_s
+      end
     end
     private

data/lib/coalescing_panda/version.rb CHANGED Viewed

@@ -1,3 +1,3 @@
 module CoalescingPanda
-  VERSION = '5.1.12'
+  VERSION = '5.2.0'
 end

metadata CHANGED Viewed

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: coalescing_panda
 version: !ruby/object:Gem::Version
-  version: 5.1.12
+  version: 5.2.0
 platform: ruby
 authors:
 - Nathan Mills
@@ -10,7 +10,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2021-09-03 00:00:00.000000000 Z
+date: 2021-11-22 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rails