dce_lti 0.2.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 537eafe1ddf43015784d36ac3d0b75b29636d274
+  data.tar.gz: b1b6c42e830086952c486bb6ef33030b2e1bd9b4
+SHA512:
+  metadata.gz: 3507c09883950f002947a628e0fec151c6b046633575d739d3318c9dd67931ac32fd74a143027bce9d4c56f30d97bb1b9cf56268d0d78fddefe9a60bad03a1c3
+  data.tar.gz: 30f1ae5dbd4e394ba1f9eb3f31104a161666585fbb4998ff59193b17dc56c5e96348689650701bf1484975ec4dfcd3f8296b50a00923d0818892f159d45e33a9

data/MIT-LICENSE

@@ -0,0 +1,20 @@
+Copyright 2014 YOURNAME
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,154 @@
+# DceLti - LTI Authentication for Rails apps
+
+The DceLti engine simplifies integrating LTI authentication for Rails apps via
+the [IMS::LTI gem](https://github.com/instructure/ims-lti).
+
+## Prerequisites
+
+* A postgres database
+* Rails > 4.1.x
+
+## Getting started
+
+Add this engine to your gemfile:
+
+    gem 'dce_lti'
+
+Install it and run migrations:
+
+    bundle
+    rake dce_lti:install
+    rake db:migrate
+
+Mount the engine in 'config/routes.rb'
+
+    mount DceLti::Engine => "/lti"
+
+Once mounted, you can use the engine-provided methods `authenticate_via_lti`
+and `current_user`. Use `authenticate_via_lti` as a `before_filter` to ensure
+you have a valid LTI-provided user in `current_user`, thusly:
+
+    class VideosController < ApplicationController
+      before_filter :authenticate_via_lti
+
+      def show
+         @post = current_user.posts.where(id: params[:id])
+      end
+    end
+
+## Configuration
+
+The generated config looks something like (commented defaults omitted):
+
+    DceLti::Engine.setup do |lti|
+      lti.consumer_secret = (ENV['LTI_CONSUMER_SECRET'] || 'consumer_secret')
+      lti.consumer_key = (ENV['LTI_CONSUMER_KEY'] || 'consumer_key')
+      lti.tool_config_extensions = ->(controller, tool_config) do
+        tool_config.extend ::IMS::LTI::Extensions::Canvas::ToolConfig
+        tool_config.canvas_domain!(controller.request.host)
+        tool_config.canvas_privacy_public!
+      end
+    end
+
+### Basic attributes
+
+Most basic attributes are configured via ENV. See the generated
+`config/initializers/dce_lti_config.rb` file.
+
+### X-Frame Options
+
+We install a config file that removes `X-Frame-Options` by default to allow
+your application to be embedded in an `iframe`. Feel free to edit this file if
+you'd like to lock down `iframe` policies.
+
+### Consumer key and secret configuration
+
+If you're building an LTI app that will only ever provide a tool to one
+consumer, then getting the key and secret from ENV is OK. However, in all
+likelihood you'll want your tool to work for any approved consumer and will
+need something more flexible.
+
+With that in mind, `consumer_key` and `consumer_secret` can be lambdas and
+receive the `launch_params` as sent by the consumer. These launch parameters
+include the `consumer_key` and other attributes to help you identify a consumer
+uniquely - most likely `context_id` or `tool_consumer_instance_guid`. Example:
+
+    DceLti::Engine.setup do |lti|
+      lti.consumer_secret = ->(launch_params) {
+        Consumer.find_by(context_id: launch_params[:context_id]).consumer_secret
+      }
+      lti.consumer_key = ->(launch_params) {
+        Consumer.find_by(context_id: launch_params[:context_id]).consumer_key
+      }
+    }
+
+### Customizing the Tool Provider XML configuration
+
+The tool config instance (provided by
+[IMS::LTI::ToolConfig](https://github.com/instructure/ims-lti/blob/master/lib/ims/lti/tool_config.rb))
+can be configured directly via the `tool_config_extensions` lambda. This allows
+you to set LMS-specific config extensions. A common example for the Canvas LMS
+is created by default in the generated configs.
+
+The `tool_config_extensions` lambda runs before the xml is generated and gets
+two parameters:
+
+* controller - An instance of DceLti::ConfigsController
+* tool_config - An instance of IMS::LTI::ToolConfig
+
+See
+[IMS::LTI::Extensions::Canvas::ToolConfig](https://github.com/instructure/ims-lti/blob/master/lib/ims/lti/extensions/canvas.rb)
+and other classes/modules under the IMS::LTI::Extensions hierarchy for further
+options.
+
+## Notes
+
+The `DceLti` provided controllers inherit from `ApplicationController` as
+defined in your application.
+
+### Consumer context info
+
+For successful launches, the controller `session` hash will contain:
+
+* `:context_id`
+* `:context_label`
+* `:context_title`
+* `:resource_link_id`
+* `:resource_link_title`
+* `:tool_consumer_instance_guid`
+
+These values come from the LTI values posted by the consumer.
+
+### After a successful launch
+
+By default, a successful launch will redirect to your application's
+`root_path`. This is configured via `redirect_after_successful_auth` which is
+evaluated in engine controller context. This method should have access to
+`current_user`, rails route helpers and other controller-specific context.
+
+### Invalid LTI Sessions
+
+If an LTI session cannot be validated, `dce_lti/sessions/invalid` will be
+rendered. You can customize this output by creating a file named
+`app/views/dce_lti/sessions/invalid.html.erb`, per the default engine view
+resolution behavior.
+
+### Nonce cleanup
+
+You can clean up lti-related
+[nonces](http://en.wikipedia.org/wiki/Cryptographic_nonce) via the
+engine-provided `dce_lti:clean_nonces` rake task, which'll remove nonces older
+than 6 hours. You should probably run this in a cron job every hour or so. You
+can also just invoke `DceLti::Nonce.clean` on your own.
+
+## Contributors
+
+* Dan Collis-Puro - @djcp
+
+## License
+
+This project is licensed under the same terms as Rails itself.
+
+## Copyright
+
+2014 President and Fellows of Harvard College

data/Rakefile

@@ -0,0 +1,19 @@
+begin
+  require 'bundler/setup'
+rescue LoadError
+  puts 'You must `gem install bundler` and `bundle install` to run rake tasks'
+end
+
+APP_RAKEFILE = File.expand_path("../spec/dummy/Rakefile", __FILE__)
+load 'rails/tasks/engine.rake'
+
+Bundler::GemHelper.install_tasks
+
+require 'rspec/core'
+require 'rspec/core/rake_task'
+desc "Run all specs in spec directory (excluding plugin specs)"
+
+RSpec::Core::RakeTask.new(:spec => 'app:db:test:prepare')
+
+task(:default).clear
+task default: [:spec]

data/app/assets/javascripts/dce_lti/application.js

@@ -0,0 +1,13 @@
+// This is a manifest file that'll be compiled into application.js, which will include all the files
+// listed below.
+//
+// Any JavaScript/Coffee file within this directory, lib/assets/javascripts, vendor/assets/javascripts,
+// or vendor/assets/javascripts of plugins, if any, can be referenced here using a relative path.
+//
+// It's not advisable to add code directly here, but if you do, it'll appear at the bottom of the
+// compiled file.
+//
+// Read Sprockets README (https://github.com/sstephenson/sprockets#sprockets-directives) for details
+// about supported directives.
+//
+//= require_tree .

data/app/assets/stylesheets/dce_lti/application.css

@@ -0,0 +1,15 @@
+/*
+ * This is a manifest file that'll be compiled into application.css, which will include all the files
+ * listed below.
+ *
+ * Any CSS and SCSS file within this directory, lib/assets/stylesheets, vendor/assets/stylesheets,
+ * or vendor/assets/stylesheets of plugins, if any, can be referenced here using a relative path.
+ *
+ * You're free to add application-wide styles to this file and they'll appear at the bottom of the
+ * compiled file so the styles you add here take precedence over styles defined in any styles
+ * defined in the other CSS/SCSS files in this directory. It is generally better to create a new
+ * file per style scope.
+ *
+ *= require_tree .
+ *= require_self
+ */

data/app/concerns/dce_lti/session_helpers.rb

@@ -0,0 +1,55 @@
+module DceLti
+  module SessionHelpers
+    ATTRIBUTES_TO_EXTRACT_FOR_SESSION = %i|
+context_id
+context_label
+context_title
+resource_link_id
+resource_link_title
+tool_consumer_instance_guid
+    |
+
+    def valid_lti_request?(request)
+      tool_provider.valid_request?(request) &&
+        Nonce.valid?(tool_provider.oauth_nonce) &&
+        TimestampValidator.valid?(tool_provider.oauth_timestamp)
+    end
+
+    def launch_params
+      params.reject{ |k,v| ['controller','action'].include? k }
+    end
+
+    def consumer_key
+      find_from_config(:consumer_key)
+    end
+
+    def consumer_secret
+      find_from_config(:consumer_secret)
+    end
+
+    def find_from_config(attribute)
+      value = Engine.config.send(attribute)
+      if value.respond_to?(:call)
+        value.call(launch_params)
+      else
+        value
+      end
+    end
+
+    def redirect_after_successful_auth
+      Engine.config.redirect_after_successful_auth.call
+    end
+
+    def tool_provider
+      @tool_provider ||= IMS::LTI::ToolProvider.new(
+        consumer_key, consumer_secret, launch_params
+      )
+    end
+
+    def captured_attributes_from(tool_provider)
+      ATTRIBUTES_TO_EXTRACT_FOR_SESSION.inject({}) do |attributes, att|
+        attributes.merge(att => tool_provider.send(att))
+      end
+    end
+  end
+end

data/app/controllers/dce_lti/application_controller.rb

@@ -0,0 +1,5 @@
+module DceLti
+  class ApplicationController < ActionController::Base
+    protect_from_forgery with: :exception
+  end
+end

data/app/controllers/dce_lti/configs_controller.rb

@@ -0,0 +1,26 @@
+module DceLti
+  class ConfigsController < ApplicationController
+    skip_before_filter :authenticate_via_lti
+    respond_to :xml
+
+    def index
+      tool_config = ::IMS::LTI::ToolConfig.new(
+        launch_url: sessions_url,
+        title: engine_config.provider_title,
+        description: engine_config.provider_description,
+      )
+
+      if engine_config.respond_to?(:tool_config_extensions)
+        engine_config.tool_config_extensions.call(self, tool_config)
+      end
+
+      respond_with tool_config
+    end
+
+    private
+
+    def engine_config
+      DceLti::Engine.config
+    end
+  end
+end

data/app/controllers/dce_lti/sessions_controller.rb

@@ -0,0 +1,20 @@
+require 'oauth/request_proxy/rack_request'
+
+module DceLti
+  class SessionsController < ApplicationController
+    include SessionHelpers
+
+    skip_before_filter :verify_authenticity_token, :authenticate_via_lti
+
+    def create
+      if valid_lti_request?(request)
+        user = UserInitializer.find_from(tool_provider)
+        session[:current_user_id] = user.id
+        session.merge!(captured_attributes_from(tool_provider))
+        redirect_to redirect_after_successful_auth
+      else
+        render :invalid
+      end
+    end
+  end
+end

data/app/helpers/dce_lti/application_helper.rb

@@ -0,0 +1,4 @@
+module DceLti
+  module ApplicationHelper
+  end
+end

data/app/models/dce_lti/nonce.rb

@@ -0,0 +1,17 @@
+module DceLti
+  class Nonce < ActiveRecord::Base
+    def self.clean
+      delete_all(['created_at < ?', Time.now - 6.hours])
+    end
+
+    def self.valid?(nonce)
+      begin
+        self.create!(nonce: nonce)
+        true
+      rescue => e
+        Rails.logger.warn(%Q|Creating nonce failed: "#{nonce}"|)
+        false
+      end
+    end
+  end
+end

data/app/models/dce_lti/user.rb

@@ -0,0 +1,16 @@
+module DceLti
+  class User < ActiveRecord::Base
+    validates :lti_user_id,
+      uniqueness: true,
+      length: { maximum: 255 },
+      presence: true
+
+    def roles=(roles)
+      super roles.map{|role| role.downcase}
+    end
+
+    def has_role?(role)
+      roles.include?(role.to_s.downcase)
+    end
+  end
+end

data/app/services/dce_lti/timestamp_validator.rb

@@ -0,0 +1,7 @@
+module DceLti
+  class TimestampValidator
+    def self.valid?(timestamp)
+      Time.at(timestamp.to_i) >= (Time.now - 3.hours)
+    end
+  end
+end

data/app/services/dce_lti/user_initializer.rb

@@ -0,0 +1,22 @@
+module DceLti
+  class UserInitializer
+    TOOL_PROVIDER_ATTRIBUTES = %i|
+    roles
+    lis_person_contact_email_primary
+    lis_person_name_family
+    lis_person_name_full
+    lis_person_name_given
+    lis_person_sourcedid
+    user_image
+    |
+
+    def self.find_from(tool_provider)
+      User.find_or_create_by(lti_user_id: tool_provider.user_id).tap do |user|
+        TOOL_PROVIDER_ATTRIBUTES.each do |attribute|
+          user.send("#{attribute}=", tool_provider.send(attribute))
+        end
+        user.save
+      end
+    end
+  end
+end

data/app/views/dce_lti/sessions/invalid.html.erb

@@ -0,0 +1,4 @@
+<h2>Invalid Session</h2>
+
+<p>Oops. We can't determine if you're supposed to be here or not. Please log
+out and try again.</p>

data/app/views/layouts/dce_lti/application.html.erb

@@ -0,0 +1,14 @@
+<!DOCTYPE html>
+<html>
+<head>
+  <title>DceLti</title>
+  <%= stylesheet_link_tag    "dce_lti/application", media: "all" %>
+  <%= javascript_include_tag "dce_lti/application" %>
+  <%= csrf_meta_tags %>
+</head>
+<body>
+
+<%= yield %>
+
+</body>
+</html>

data/config/routes.rb

@@ -0,0 +1,9 @@
+DceLti::Engine.routes.draw do
+  resources :sessions, only: [:create] do
+    collection do
+      get :invalid
+    end
+  end
+
+  resources :configs, only: [:index]
+end

data/db/migrate/20141003180140_create_dce_lti_users.rb

@@ -0,0 +1,16 @@
+class CreateDceLtiUsers < ActiveRecord::Migration
+  def change
+    create_table :dce_lti_users do |t|
+      t.string :lti_user_id, nil: false
+      t.string :lis_person_contact_email_primary, size: 1.kilobyte
+      t.string :lis_person_name_family, size: 1.kilobyte
+      t.string :lis_person_name_full, size: 1.kilobyte
+      t.string :lis_person_name_given, size: 1.kilobyte
+      t.string :lis_person_sourcedid, size: 1.kilobyte
+      t.string :user_image, size: 1.kilobyte
+      t.string :roles, array: true, default: []
+
+      t.timestamps
+    end
+  end
+end

data/db/migrate/20141008172001_create_dce_lti_nonces.rb

@@ -0,0 +1,10 @@
+class CreateDceLtiNonces < ActiveRecord::Migration
+  def change
+    create_table :dce_lti_nonces do |t|
+      t.string :nonce, nil: false
+      t.timestamps
+    end
+
+    add_index :dce_lti_nonces, :nonce, unique: true
+  end
+end

data/lib/dce_lti/controller_methods.rb

@@ -0,0 +1,18 @@
+module DceLti
+  module ControllerMethods
+    def authenticate_via_lti
+      if ! current_user
+        redirect_to Engine.routes.url_helpers.invalid_sessions_path
+      end
+    end
+
+    def current_user
+      @current_user ||=
+        if ENV['FAKE_USER_ID']
+          User.find_by(id: ENV['FAKE_USER_ID'])
+        else
+          User.find_by(id: session[:current_user_id])
+        end
+    end
+  end
+end

data/lib/dce_lti/engine.rb

@@ -0,0 +1,30 @@
+require 'ims/lti'
+require 'pg'
+
+module DceLti
+  class Engine < ::Rails::Engine
+    def self.setup
+      config.provider_title = (ENV['LTI_PROVIDER_TITLE'] || 'DCE LTI Provider')
+      config.provider_description = (ENV['LTI_PROVIDER_DESCRIPTION'] || 'A description of this')
+
+      config.redirect_after_successful_auth = -> do
+        Rails.application.routes.url_helpers.root_path
+      end
+      config.tool_config_extensions = ->(*) {}
+      yield config
+    end
+
+    initializer 'dce_lti.load_helpers' do
+      ActionController::Base.send :include, ControllerMethods
+    end
+
+    isolate_namespace DceLti
+
+    config.generators do |g|
+      g.test_framework :rspec, :fixture => false
+      g.fixture_replacement :factory_girl, :dir => 'spec/factories'
+      g.assets false
+      g.helper false
+    end
+  end
+end

data/lib/dce_lti/version.rb

@@ -0,0 +1,3 @@
+module DceLti
+  VERSION = "0.2.0"
+end

data/lib/dce_lti.rb

@@ -0,0 +1,5 @@
+require "dce_lti/engine"
+require 'dce_lti/controller_methods'
+
+module DceLti
+end

data/lib/tasks/dce_lti_tasks.rake

@@ -0,0 +1,34 @@
+namespace :dce_lti do
+
+  def install_file(config_file)
+    if ! File.exists?(config_file)
+      puts %Q|Copied configuration #{config_file} from dce_lti|
+      FileUtils.copy("#{DceLti::Engine.root}/spec/dummy/#{config_file}", config_file)
+    end
+  end
+
+  desc "Install the DceLti engine into your application"
+  task :install do
+    install_file 'config/initializers/dce_lti_config.rb'
+    install_file 'config/initializers/x_frame_options.rb'
+
+    Rake::Task["dce_lti:install:migrations"].invoke
+
+    puts %Q|
+Base migrations and config files have been installed, please see above.
+
+Be sure to mount this engine in your config/routes.rb file, thusly:
+
+    mount DceLti::Engine => "/lti"
+
+Please see the README for more information about configuration and what this
+engine provides.
+
+    |
+  end
+
+  desc 'Clean up old nonces'
+  task clean_nonces: :environment do
+    DceLti::Nonce.clean
+  end
+end

data/spec/controllers/dce_lti/configs_controller_spec.rb

@@ -0,0 +1,71 @@
+module DceLti
+  describe ConfigsController do
+    include ConfigurationHelpers
+
+    context '#index' do
+      it 'uses IMS::LTI::ToolConfig to construct the tool config' do
+        configurer_double = create_configurer_double
+
+        get :index, { format: :xml, use_route: :dce_lti }
+
+        expect(configurer_double).to have_received(:to_xml)
+      end
+
+      it 'renders XML' do
+        create_configurer_double
+
+        get :index, {format: :xml, use_route: :dce_lti }
+
+        expect(response.content_type).to eq 'application/xml'
+      end
+
+      it 'defaults launch_url to sessions_url' do
+        sessions_url = 'foobar'
+        allow(controller).to receive(:sessions_url).and_return(sessions_url)
+        create_configurer_double
+
+        get :index, {format: :xml, use_route: :dce_lti }
+
+        expect(IMS::LTI::ToolConfig).to have_received(:new).with(
+          hash_including(launch_url: sessions_url)
+        )
+        expect(controller).to have_received(:sessions_url)
+      end
+
+      it 'evaluates custom lambdas with controller context correctly' do
+        tool_config_extensions = ->(controller, tool_config) {
+          tool_config.extend ::IMS::LTI::Extensions::Canvas::ToolConfig
+          tool_config.canvas_domain!(controller.request.host)
+        }
+        with_overridden_lti_config_of({tool_config_extensions: tool_config_extensions}) do
+          get :index, { format: :xml, use_route: :dce_lti }
+          expect(response.body).to include 'test.host'
+        end
+      end
+
+      it 'passes in the correct variables' do
+        with_overridden_lti_config_of({}) do |lti_config|
+          create_configurer_double
+          get :index, { format: :xml, use_route: :dce_lti }
+
+          expect(IMS::LTI::ToolConfig).to have_received(:new).with(
+            hash_including(
+              title: lti_config.provider_title,
+              description: lti_config.provider_description,
+            )
+          )
+        end
+      end
+    end
+
+    def create_configurer_double
+      double(
+        'IMS::LTI::ToolConfig',
+        to_xml: '<xml></xml>',
+        set_ext_param: '',
+      ).tap do |configurer_double|
+        allow(IMS::LTI::ToolConfig).to receive(:new).and_return(configurer_double)
+      end
+    end
+  end
+end