coalescing_panda 1.1.21.1 → 1.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA256:
-  metadata.gz: 32540f0bb85313eba7c4fd929b7bf55e7eaf9530877403972269f55abe92921a
-  data.tar.gz: 7780ee6b54a92fc11d95cc2c7c25c294a6bed3d7954c1754f6ec8180a4761e44
+SHA1:
+  metadata.gz: 829bbfc42e1c72b89558457db1a751e63cae9ad6
+  data.tar.gz: c045205fcd8fa84ec952e683cf8591f395ae31b8
 SHA512:
-  metadata.gz: f72e05c8581d3caf3541718516b4a20e72c6cb78af4c9b822982805e6da1dab9f7f7ce17ce5179eaa703898452d65d338685b3f8bf890f6c42ed67eca2f5725c
-  data.tar.gz: b8079a6c869505f33092f442fc33c3865d515e8d781252fbc35a7fa033d9351a2650a3a558db56debaf18b6c6d1fa930c9713054e6ae168887a754ae6f6cbc1b
+  metadata.gz: ae89c71cbbabc5adedc5ef81a630d260eb9df0955f271d07dce2477459a28a28c7385a40899e8362a19652e9fcf333390bb9585414fd628c2e4efad5c2a8707d
+  data.tar.gz: 97b7a7708254b674cf679c33731b524837f1205f359a5ec7ff80033835c69e043c1fd43b339c3e2410b9878c8c1ae7e78033f434f2d7253dbb968f075839aeee

data/app/controllers/coalescing_panda/oauth2_controller.rb

@@ -13,13 +13,17 @@ module CoalescingPanda
         client_key = lti_account.oauth2_client_key
         user_id = params[:user_id]
         api_domain = params[:api_domain]
-        client = Bearcat::Client.new(prefix: oauth2_protocol+'://'+api_domain)
-        token = client.retrieve_token(client_id, coalescing_panda.oauth2_redirect_url, client_key, params['code'])
-        CanvasApiAuth.where('user_id = ? and api_domain = ?', user_id, api_domain).first_or_create do |auth|
-          auth.api_token = token
-          auth.user_id = user_id
-          auth.api_domain = api_domain
-        end
+        prefix = [oauth2_protocol, '://', api_domain].join
+        Rails.logger.info "Creating Bearcat client for auth token retrieval pointed to: #{prefix}"
+        client = Bearcat::Client.new(prefix: prefix)
+        token_body = client.retrieve_token(client_id, coalescing_panda.oauth2_redirect_url, client_key, params['code'])
+        auth = CanvasApiAuth.where('user_id = ? and api_domain = ?', user_id, api_domain).first_or_initialize
+        auth.api_token = token_body['access_token']
+        auth.refresh_token = token_body['refresh_token']
+        auth.expires_at = Time.now + token_body['expires_in'] if token_body['expires_in']
+        auth.user_id = user_id
+        auth.api_domain = api_domain
+        auth.save!
       end
     end
 

data/app/models/coalescing_panda/canvas_api_auth.rb

@@ -3,7 +3,9 @@ module CoalescingPanda
     validates :user_id, :api_domain, presence: true
     validates :user_id, uniqueness: {scope: :api_domain}
 
-    attr_accessible :user_id, :api_domain
+    def expired?
+      expires_at && expires_at < Time.now
+    end
   end
 
 end

data/app/models/coalescing_panda/lti_account.rb

@@ -6,7 +6,6 @@ module CoalescingPanda
              :foreign_key => :coalescing_panda_lti_account_id,
              :class_name => 'CoalescingPanda::LtiNonce'
 
-    attr_accessible :name, :key, :secret, :oauth2_client_id, :oauth2_client_key, :settings
     serialize :settings
 
     def validate_nonce(nonce, timestamp)

data/db/migrate/20151209155923_add_refresh_settings_to_canvas_api_auth.rb

@@ -0,0 +1,6 @@
+class AddRefreshSettingsToCanvasApiAuth < ActiveRecord::Migration
+  def change
+    add_column :coalescing_panda_canvas_api_auths, :refresh_token, :string
+    add_column :coalescing_panda_canvas_api_auths, :expires_at, :datetime
+  end
+end

data/lib/coalescing_panda/bearcat_uri.rb

@@ -0,0 +1,24 @@
+class CoalescingPanda::BearcatUri
+  attr_accessor :uri
+
+  def initialize(uri)
+    Rails.logger.info "Parsing Bearcat URI: #{uri}"
+    @uri = URI.parse(uri)
+  end
+
+  def api_domain
+    if Rails.env.test? or Rails.env.development?
+      uri.port.present? ? URI.encode("#{uri.host}:#{uri.port.to_s}") : uri.host
+    else
+      uri.host
+    end
+  end
+
+  def scheme
+    [uri.scheme, '://'].join
+  end
+
+  def prefix
+    [scheme, api_domain].join
+  end
+end

data/lib/coalescing_panda/controller_helpers.rb

@@ -1,5 +1,3 @@
-require 'browser'
-
 module CoalescingPanda
   module ControllerHelpers
     require 'useragent'
@@ -9,91 +7,111 @@ module CoalescingPanda
       if lti_authorize!(*roles)
         user_id = params['user_id']
         launch_presentation_return_url = @lti_account.settings[:launch_presentation_return_url] || params['launch_presentation_return_url']
-        uri = URI.parse(launch_presentation_return_url)
-        api_domain = uri.host
-        api_domain = "#{api_domain}:#{uri.port.to_s}" if uri.port
-        scheme = uri.scheme + '://'
-        @lti_params = params.to_hash
-        session['user_id'] = user_id
-        session['uri'] = launch_presentation_return_url
-        session['lis_person_sourcedid'] = params['lis_person_sourcedid']
-        session['oauth_consumer_key'] = params['oauth_consumer_key']
-        session['custom_canvas_account_id'] = params['custom_canvas_account_id']
-
-        if token = CanvasApiAuth.where('user_id = ? and api_domain = ?', user_id, api_domain).pluck(:api_token).first
-          @client = Bearcat::Client.new(token: token, prefix: scheme+api_domain)
-        elsif @lti_account = params['oauth_consumer_key'] && LtiAccount.find_by_key(params['oauth_consumer_key'])
-          client_id = @lti_account.oauth2_client_id
-          client = Bearcat::Client.new(prefix: scheme+api_domain)
-          session['state'] = SecureRandom.hex(32)
-          @canvas_url = client.auth_redirect_url(client_id,
-                                                 coalescing_panda.oauth2_redirect_url({key: params['oauth_consumer_key'],
-                                                                                       user_id: user_id, api_domain: api_domain, state: session['state']}))
-          #delete the added params so the original oauth sig still works
-          @lti_params.delete('action')
-          @lti_params.delete('controller')
-          render 'coalescing_panda/oauth2/oauth2'
+        launch_presentation_return_url = [BearcatUri.new(request.env["HTTP_REFERER"]).prefix, launch_presentation_return_url].join unless launch_presentation_return_url.include?('http')
+        uri = BearcatUri.new(launch_presentation_return_url)
+        set_session(launch_presentation_return_url)
+
+        api_auth = CanvasApiAuth.find_by('user_id = ? and api_domain = ?', user_id, uri.api_domain)
+        if api_auth
+          begin
+            refresh_token(uri, api_auth) if api_auth.expired?
+            @client = Bearcat::Client.new(token: api_auth.api_token, prefix: uri.prefix)
+            @client.user_profile 'self'
+          rescue Footrest::HttpError::BadRequest, Footrest::HttpError::Unauthorized
+            # If we can't retrieve our own user profile, or the token refresh fails, something is awry on the canvas end
+            # and we'll need to go through the oauth flow again
+            render_oauth2_page uri, user_id
+          end
+        else
+          render_oauth2_page uri, user_id
         end
       end
     end
 
+    def render_oauth2_page(uri, user_id)
+      @lti_account = params['oauth_consumer_key'] && LtiAccount.find_by_key(params['oauth_consumer_key'])
+      return unless @lti_account
+
+      client_id = @lti_account.oauth2_client_id
+      client = Bearcat::Client.new(prefix: uri.prefix)
+      session['state'] = SecureRandom.hex(32)
+      redirect_path = coalescing_panda.oauth2_redirect_path({key: params['oauth_consumer_key'], user_id: user_id, api_domain: uri.api_domain, state: session['state']})
+      redirect_url = [coalescing_panda_url, redirect_path.sub(/^\/lti/, '')].join
+      @canvas_url = client.auth_redirect_url(client_id, redirect_url)
+
+      #delete the added params so the original oauth sig still works
+      @lti_params = params.to_hash
+      @lti_params.delete('action')
+      @lti_params.delete('controller')
+      render 'coalescing_panda/oauth2/oauth2', layout: 'coalescing_panda/application'
+    end
+
+    def refresh_token(uri, api_auth)
+      refresh_client = Bearcat::Client.new(prefix: uri.prefix)
+      refresh_body = refresh_client.retrieve_token(@lti_account.oauth2_client_id, coalescing_panda.oauth2_redirect_url,
+        @lti_account.oauth2_client_key, api_auth.refresh_token, 'refresh_token')
+      api_auth.update({ api_token: refresh_body['access_token'], expires_at: (Time.now + refresh_body['expires_in']) })
+    end
+
+    def check_refresh_token
+      uri = BearcatUri.new(session['uri'])
+      api_auth = CanvasApiAuth.find_by(user_id: session['user_id'], api_domain: uri.api_domain)
+      @lti_account = LtiAccount.find_by(key: session['oauth_consumer_key'])
+      return if @lti_account.nil? || api_auth.nil? # Not all tools use oauth
+
+      refresh_token(uri, api_auth) if api_auth.expired?
+    rescue Footrest::HttpError::BadRequest
+      render_oauth2_page uri, session['user_id']
+    end
+
+    def set_session(launch_presentation_return_url)
+      session['user_id'] = params['user_id']
+      session['uri'] = launch_presentation_return_url
+      session['lis_person_sourcedid'] = params['lis_person_sourcedid']
+      session['oauth_consumer_key'] = params['oauth_consumer_key']
+      session['custom_canvas_account_id'] = params['custom_canvas_account_id']
+    end
+
     def have_session?
-      if params['oauth_consumer_key'] && session['user_id'] != params['user_id']
+      if params['tool_consumer_instance_guid'] && session['user_id'] != params['user_id']
         reset_session
         logger.info("resetting session params")
         session['user_id'] = params['user_id']
       end
 
       if (session['user_id'] && session['uri'])
-        uri = URI.parse(session['uri'])
-        api_domain = uri.host
-        api_domain = "#{api_domain}:#{uri.port.to_s}" if uri.port
-        scheme = uri.scheme + '://'
-        token = CanvasApiAuth.where('user_id = ? and api_domain = ?', session['user_id'], api_domain).pluck(:api_token).first
-        @client = Bearcat::Client.new(token: token, prefix: scheme+api_domain) if token
+        uri = BearcatUri.new(session['uri'])
+        api_auth = CanvasApiAuth.find_by('user_id = ? and api_domain = ?', session['user_id'], uri.api_domain)
+        if api_auth && !api_auth.expired?
+          @client = Bearcat::Client.new(token: api_auth.api_token, prefix: uri.prefix)
+          @client.user_profile 'self'
+        end
       end
 
       @lti_account = LtiAccount.find_by_key(session['oauth_consumer_key']) if session['oauth_consumer_key']
 
       !!@client
+    rescue Footrest::HttpError::Unauthorized
+      false
     end
 
     def lti_authorize!(*roles)
       authorized = false
-      use_secure_headers_override(:safari_override) if browser.safari?
       if @lti_account = params['oauth_consumer_key'] && LtiAccount.find_by_key(params['oauth_consumer_key'])
-        sanitized_params = sanitize_params
-        authenticator = IMS::LTI::Services::MessageAuthenticator.new(request.original_url, sanitized_params, @lti_account.secret)
-        authorized = authenticator.valid_signature?
         @tp = IMS::LTI::ToolProvider.new(@lti_account.key, @lti_account.secret, params)
-        authorized = authorized && @tp.valid_request?(request)
+        authorized = @tp.valid_request?(request)
       end
       logger.info 'not authorized on tp valid request' if !authorized
       authorized = authorized && (roles.count == 0 || (roles & lti_roles).count > 0)
       logger.info 'not authorized on roles' if !authorized
       authorized = authorized && @lti_account.validate_nonce(params['oauth_nonce'], DateTime.strptime(params['oauth_timestamp'], '%s'))
       logger.info 'not authorized on nonce' if !authorized
-      if !authorized
-        render :text => 'Invalid Credentials, please contact your Administrator.', :status => :unauthorized
-      end
-      authorized = authorized && check_for_iframes_problem if authorized
+      render :text => 'Invalid Credentials, please contact your Administrator.', :status => :unauthorized unless authorized
       authorized
     end
 
-    # code for method taken from panda_pal v 4.0.8
-    # used for safari workaround
-    def sanitize_params
-      sanitized_params = request.request_parameters
-      # These params come over with a safari-workaround launch.  The authenticator doesn't like them, so clean them out.
-      safe_unexpected_params = ["full_win_launch_requested", "platform_redirect_url"]
-      safe_unexpected_params.each do |p|
-        sanitized_params.delete(p)
-      end
-      sanitized_params
-    end
-
     def lti_editor_button_response(return_type, return_params)
-      valid_return_types = [:image_url, :iframe, :url]
+      valid_return_types = [:image_url, :iframe, :url, :lti_launch_url]
       raise "invalid editor button return type #{return_type}" unless valid_return_types.include?(return_type)
       return_params[:return_type] = return_type.to_s
       return_url = "#{params['launch_presentation_return_url']}?#{return_params.to_query}"
@@ -133,35 +151,19 @@ module CoalescingPanda
     end
 
     def session_check
-            logger.warn 'session_check is deprecated. Functionality moved to canvas_oauth2.'
-    end
-
-    def check_for_iframes_problem
-      if cookies_need_iframe_fix?
-        fix_iframe_cookies
-        return false
-      end
-      # For safari we may have been launched temporarily full-screen by canvas.  This allows us to set the session cookie.
-      # In this case, we should make sure the session cookie is fixed and redirect back to canvas to properly launch the embedded LTI.
-      if params[:platform_redirect_url]
-        session[:safari_cookie_fixed] = true
-        redirect_to params[:platform_redirect_url]
-        return false
-      end
-      true
-    end
-    def cookies_need_iframe_fix?
-      @browser ||= Browser.new(request.user_agent)
-      @browser.safari? && !request.referrer.include?('sessionless_launch') && !session[:safari_cookie_fixed]  && !params[:platform_redirect_url]
-    end
-    def fix_iframe_cookies
-      if params[:safari_cookie_fix].present?
-        session[:safari_cookie_fixed] = true
-        redirect_to params[:return_to]
-      else
-        use_secure_headers_override(:safari_override)
-        render 'coalescing_panda/lti/iframe_cookie_fix', layout: false
+      user_agent = UserAgent.parse(request.user_agent) # Uses useragent gem!
+      if user_agent.browser == 'Safari' && !request.referrer.include?('sessionless_launch') # we apply the fix..
+        return if session[:safari_cookie_fixed] # it is already fixed.. continue
+        if params[:safari_cookie_fix].present? # we should be top window and able to set cookies.. so fix the issue :)
+          session[:safari_cookie_fixed] = true
+          redirect_to params[:return_to]
+        else
+          # Redirect the top frame to your server..
+          query = params.to_query
+          render :text => "<script>var referrer = document.referrer; top.window.location='?safari_cookie_fix=true&return_to='.concat(encodeURI(referrer));</script>"
+        end
       end
     end
+
   end
 end

data/lib/coalescing_panda/engine.rb

@@ -1,7 +1,3 @@
-# frozen_string_literal: true
-
-require 'secure_headers'
-
 module CoalescingPanda
   class Engine < ::Rails::Engine
     config.autoload_once_paths += Dir["#{config.root}/lib/**/"]
@@ -9,80 +5,30 @@ module CoalescingPanda
 
     initializer :append_migrations do |app|
       unless app.root.to_s.match root.to_s
-        config.paths['db/migrate'].expanded.each do |expanded_path|
-          app.config.paths['db/migrate'] << expanded_path
+        config.paths["db/migrate"].expanded.each do |expanded_path|
+          app.config.paths["db/migrate"] << expanded_path
         end
       end
     end
 
-    initializer 'coalescing_panda.app_controller' do |_app|
+    initializer 'coalescing_panda.app_controller' do |app|
       OAUTH_10_SUPPORT = true
       ActiveSupport.on_load(:action_controller) do
         include CoalescingPanda::ControllerHelpers
       end
     end
 
-    initializer 'cloaescing_panda.route_helper' do |_route|
-      ActionDispatch::Routing::Mapper.include CoalescingPanda::RouteHelpers
+    initializer 'cloaescing_panda.route_helper' do |route|
+      ActionDispatch::Routing::Mapper.send :include, CoalescingPanda::RouteHelpers
     end
 
-    initializer 'coalescing_panda.route_options', after: :disable_dependency_loading do |_app|
+    initializer 'coalescing_panda.route_options', :after => :disable_dependency_loading do |app|
       ActiveSupport.on_load(:action_controller) do
-        # force the routes to load
+        #force the routes to load
         Rails.application.reload_routes!
-        CoalescingPanda.propagate_lti_navigation
+        CoalescingPanda::propagate_lti_navigation
       end
     end
 
-    initializer :secure_headers do |_app|
-      connect_src = %w[self]
-      script_src = %w[self]
-      if Rails.env.development?
-        # Allow webpack-dev-server to work
-        connect_src << 'http://localhost:3035'
-        connect_src << 'ws://localhost:3035'
-        # Allow stuff like rack-mini-profiler to work in development:
-        # https://github.com/MiniProfiler/rack-mini-profiler/issues/327
-        # DON'T ENABLE THIS FOR PRODUCTION!
-        script_src << "'unsafe-eval'"
-      end
-      begin
-        SecureHeaders::Configuration.default do |config|
-          # The default cookie headers aren't compatable with PandaPal cookies currenntly
-          config.cookies = { samesite: { none: true } }
-          # Need to allow LTI iframes
-          config.x_frame_options = 'ALLOWALL'
-          config.x_content_type_options = 'nosniff'
-          config.x_xss_protection = '1; mode=block'
-          config.referrer_policy = %w[origin-when-cross-origin strict-origin-when-cross-origin]
-          config.csp = {
-            default_src: %w[self],
-            script_src: script_src,
-            # Certain CSS-in-JS libraries inline the CSS, so we need to use unsafe-inline for them
-            style_src: %w[self unsafe-inline blob: https://fonts.googleapis.com],
-            font_src: %w[self data: https://fonts.gstatic.com],
-            connect_src: connect_src
-          }
-        end
-      rescue AlreadyConfiguredError
-        Rails.logger.warn 'Could not set default secure headers configuration when there is one already, continuing with previously defined configuration'
-      end
-      SecureHeaders::Configuration.override(:safari_override) do |config|
-        config.cookies = SecureHeaders::OPT_OUT
-        # Need to allow LTI iframes
-        config.x_frame_options = 'ALLOWALL'
-        config.x_content_type_options = 'nosniff'
-        config.x_xss_protection = '1; mode=block'
-        config.referrer_policy = %w[origin-when-cross-origin strict-origin-when-cross-origin]
-        config.csp = {
-          default_src: %w[self],
-          script_src: script_src,
-          # Certain CSS-in-JS libraries inline the CSS, so we need to use unsafe-inline for them
-          style_src: %w[self unsafe-inline blob: https://fonts.googleapis.com],
-          font_src: %w[self data: https://fonts.gstatic.com],
-          connect_src: connect_src
-        }
-      end
-    end
   end
 end

data/lib/coalescing_panda/version.rb

@@ -1,3 +1,3 @@
 module CoalescingPanda
-  VERSION = '1.1.21.1'
+  VERSION = '1.2.0'
 end

data/spec/controllers/coalescing_panda/lti_controller_spec.rb

@@ -1,6 +1,6 @@
 require 'spec_helper'
 
-describe CoalescingPanda::LtiController do
+describe CoalescingPanda::LtiController, type: :controller do
   routes { CoalescingPanda::Engine.routes }
 
   describe '#lti_config' do
@@ -41,4 +41,4 @@ describe CoalescingPanda::LtiController do
   end
 
 
-end
+end

data/spec/controllers/coalescing_panda/oauth2_controller_spec.rb

@@ -1,15 +1,20 @@
 require 'spec_helper'
 
-describe CoalescingPanda::Oauth2Controller do
+describe CoalescingPanda::Oauth2Controller, type: :controller do
   routes { CoalescingPanda::Engine.routes }
+  let(:account) { FactoryGirl.create(:account, settings: {base_url: 'foo.com'}) }
 
   describe "#redirect" do
     it 'creates a token in the db' do
       ENV['OAUTH_PROTOCOL'] = 'http'
-      Bearcat::Client.any_instance.stub(retrieve_token: 'foobar')
-      get :redirect, {user_id: 1, api_domain:'foo.com', code:'bar'}
+      Bearcat::Client.any_instance.stub(retrieve_token: { 'access_token' => 'token', 'refresh_token' => 'token', 'expires_in' => 3600 })
+      session[:state] = 'test'
+      get :redirect, {user_id: 1, api_domain: 'foo.com', code: 'bar', key: account.key, state: 'test'}
       auth = CoalescingPanda::CanvasApiAuth.find_by_user_id_and_api_domain(1, 'foo.com')
       auth.should_not == nil
+      expect(auth.api_token).to eql 'token'
+      expect(auth.refresh_token).to eql 'token'
+      expect(auth.expires_at).to be > 50.minutes.from_now
     end
 
     it "doesn't create a token in the db" do
@@ -19,4 +24,4 @@ describe CoalescingPanda::Oauth2Controller do
 
   end
 
-end
+end