panda_pal 5.0.0.beta.3 → 5.2.1

data/lib/panda_pal/engine.rb

@@ -38,52 +38,21 @@ module PandaPal
     initializer 'panda_pal.route_options' do |app|
       ActiveSupport.on_load(:action_controller) do
         Rails.application.reload_routes!
-        PandaPal::propagate_lti_navigation
+        PandaPal::validate_pandapal_config!
       end
     end
 
     initializer :secure_headers do |app|
-      connect_src = %w('self')
-      script_src = %w('self')
-
-      if Rails.env.development?
-        # Allow webpack-dev-server to work
-        connect_src << "http://localhost:3035"
-        connect_src << "ws://localhost:3035"
-
-        # Allow stuff like rack-mini-profiler to work in development:
-        # https://github.com/MiniProfiler/rack-mini-profiler/issues/327
-        # DON'T ENABLE THIS FOR PRODUCTION!
-        script_src << "'unsafe-eval'"
-      end
-
-      SecureHeaders::Configuration.default do |config|
-        # The default cookie headers aren't compatable with PandaPal cookies currenntly
-        config.cookies = { samesite: { none: true } }
-
-        if Rails.env.production?
-          config.cookies[:secure] = true
+      begin
+        ::SecureHeaders::Configuration.default do |config|
+          PandaPal::SecureHeaders.apply_defaults(config)
         end
-
-        # Need to allow LTI iframes
-        config.x_frame_options = "ALLOWALL"
-
-        config.x_content_type_options = "nosniff"
-        config.x_xss_protection = "1; mode=block"
-        config.referrer_policy = %w(origin-when-cross-origin strict-origin-when-cross-origin)
-
-        config.csp = {
-          default_src: %w('self'),
-          script_src: script_src,
-          # Certain CSS-in-JS libraries inline the CSS, so we need to use unsafe-inline for them
-          style_src: %w('self' 'unsafe-inline' blob: https://fonts.googleapis.com),
-          font_src: %w('self' data: https://fonts.gstatic.com),
-          connect_src: connect_src,
-        }
+      rescue ::SecureHeaders::Configuration::AlreadyConfiguredError
+        # The App already applied settings
       end
 
-      SecureHeaders::Configuration.override(:safari_override) do |config|
-        config.cookies = SecureHeaders::OPT_OUT
+      ::SecureHeaders::Configuration.override(:safari_override) do |config|
+        config.cookies = ::SecureHeaders::OPT_OUT
       end
     end
   end

data/lib/panda_pal/helpers.rb

@@ -1,4 +1,5 @@
 module PandaPal::Helpers
   require_relative 'helpers/controller_helper'
   require_relative 'helpers/route_helper'
+  require_relative 'helpers/secure_headers'
 end

data/lib/panda_pal/helpers/controller_helper.rb

@@ -1,13 +1,40 @@
 require 'browser'
 
 module PandaPal::Helpers::ControllerHelper
+  extend ActiveSupport::Concern
+
+  class SessionNotFound < StandardError; end
+
+  included do
+    helper_method :link_nonce, :current_session
+
+    after_action :auto_save_session
+  end
+
   def save_session
     current_session.try(:save)
   end
 
   def current_session
-    @current_session ||= PandaPal::Session.find_by(session_key: session_key) if session_key
-    @current_session ||= PandaPal::Session.new(panda_pal_organization_id: current_organization.id)
+    return @current_session if @current_session.present?
+
+    if params[:session_token]
+      payload = JSON.parse(panda_pal_cryptor.decrypt_and_verify(params[:session_token])).with_indifferent_access
+      matched_session = PandaPal::Session.find_by(session_key: payload[:session_key])
+
+      if matched_session.present? && matched_session.data[:link_nonce] == params[:session_token]
+        @current_session = matched_session
+        @current_session.data[:link_nonce] = nil
+      end
+    elsif (session_key = params[:session_key] || session_key_header || flash[:session_key] || session[:session_key]).present?
+      @current_session = PandaPal::Session.find_by(session_key: session_key) if session_key.present?
+    else
+      @current_session = PandaPal::Session.new(panda_pal_organization_id: current_organization.id)
+    end
+
+    raise SessionNotFound, "Session Not Found" unless @current_session.present?
+
+    @current_session
   end
 
   def current_organization
@@ -16,17 +43,41 @@ module PandaPal::Helpers::ControllerHelper
     @organization ||= PandaPal::Organization.find_by_name(Apartment::Tenant.current)
   end
 
+  def current_lti_platform
+    return @current_lti_platform if @current_lti_platform.present?
+    # TODO: (Future) This could be expanded more to take better advantage of the LTI 1.3 Multi-Tenancy model.
+    if (canvas_url = current_organization&.settings&.dig(:canvas, :base_url)).present?
+      @current_lti_platform ||= PandaPal::Platform::Canvas.new(canvas_url)
+    end
+    @current_lti_platform ||= PandaPal::Platform::Canvas.new('http://localhost:3000') if Rails.env.development?
+    @current_lti_platform ||= PandaPal::Platform::CANVAS
+    @current_lti_platform
+  end
+
   def current_session_data
     current_session.data
   end
 
+  def lti_launch_params
+    current_session_data[:launch_params]
+  end
+
   def session_changed?
     current_session.changed? && current_session.changes[:data].present?
   end
 
   def validate_launch!
-    authorized = false
     safari_override
+
+    if params[:id_token].present?
+      validate_v1p3_launch
+    elsif params[:oauth_consumer_key].present?
+      validate_v1p0_launch
+    end
+  end
+
+  def validate_v1p0_launch
+    authorized = false
     if @organization = params['oauth_consumer_key'] && PandaPal::Organization.find_by_key(params['oauth_consumer_key'])
       sanitized_params = request.request_parameters
       # These params come over with a safari-workaround launch.  The authenticator doesn't like them, so clean them out.
@@ -37,32 +88,42 @@ module PandaPal::Helpers::ControllerHelper
       authenticator = IMS::LTI::Services::MessageAuthenticator.new(request.original_url, sanitized_params, @organization.secret)
       authorized = authenticator.valid_signature?
     end
-    # short-circuit if we know the user is not authorized.
+
     if !authorized
       render plain: 'Invalid Credentials, please contact your Administrator.', :status => :unauthorized unless authorized
-      return authorized
-    end
-    if require_persistent_session
-      if cookies_need_iframe_fix?(false)
-        fix_iframe_cookies
-        return false
-      end
-      # For safari we may have been launched temporarily full-screen by canvas.  This allows us to set the session cookie.
-      # In this case, we should make sure the session cookie is fixed and redirect back to canvas to properly launch the embedded LTI.
-      if params[:platform_redirect_url]
-        session[:safari_cookie_fixed] = true
-        redirect_to params[:platform_redirect_url]
-        return false
-      end
     end
-    return authorized
+
+    authorized
   end
 
-  def require_persistent_session
-    if PandaPal.lti_options.has_key?(:require_persistent_session) && PandaPal.lti_options[:require_persistent_session] == true
-      return true
-    end
-    return false
+  def validate_v1p3_launch
+    decoded_jwt = JSON::JWT.decode(params.require(:id_token), :skip_verification)
+    raise JSON::JWT::VerificationFailed, 'error decoding id_token' if decoded_jwt.blank?
+
+    client_id = decoded_jwt['aud']
+    @organization = PandaPal::Organization.find_by!(key: 'PandaPal') # client_id)
+    raise JSON::JWT::VerificationFailed, 'Unrecognized Organization' unless @organization.present?
+
+    decoded_jwt.verify!(current_lti_platform.public_jwks)
+
+    params[:session_key] = params[:state]
+    raise JSON::JWT::VerificationFailed, 'State is invalid' unless current_session_data[:lti_oauth_nonce] == decoded_jwt['nonce']
+
+    jwt_verifier = PandaPal::LtiJwtValidator.new(decoded_jwt, client_id)
+    raise JSON::JWT::VerificationFailed, jwt_verifier.errors unless jwt_verifier.valid?
+
+    @decoded_lti_jwt = decoded_jwt
+  rescue JSON::JWT::VerificationFailed => e
+    payload = Array(e.message)
+
+    render json: {
+      message: [
+        { errors: payload },
+        { id_token: params.require(:id_token) },
+      ],
+    }, status: :unauthorized
+
+    false
   end
 
   def switch_tenant(organization = current_organization, &block)
@@ -74,38 +135,18 @@ module PandaPal::Helpers::ControllerHelper
     end
   end
 
-  # Browsers that prevent 3rd party cookies by default (Safari and IE) run into problems
-  # with CSRF handling because the Rails session cookie isn't set. To fix this, we
-  # redirect the current page to the LTI using JavaScript, which will set the cookie,
-  # and then immediately redirect back to Canvas.
-  def fix_iframe_cookies
-    if params[:safari_cookie_authorized].present?
-      session[:safari_cookie_authorized] = true
-      redirect_to params[:return_to]
-    elsif (session[:safari_cookie_fixed] && !params[:safari_cookie_authorized])
-      render 'panda_pal/lti/iframe_cookie_authorize', layout: false
-    else
-      render 'panda_pal/lti/iframe_cookie_fix', layout: false
-    end
-  end
-
-  def cookies_need_iframe_fix?(check_authorized=true)
-    if check_authorized
-      return browser.safari? && !request.referrer&.include?('sessionless_launch') && !(session[:safari_cookie_fixed] && session[:safari_cookie_authorized]) && !params[:platform_redirect_url]
-    else
-      return browser.safari? && !request.referrer&.include?('sessionless_launch') && !session[:safari_cookie_fixed] && !params[:platform_redirect_url]
-    end
-  end
-
   def forbid_access_if_lacking_session
-    if require_persistent_session && cookies_need_iframe_fix?(true)
-      fix_iframe_cookies
-    else
-      render plain: 'You should do an LTI Tool Launch.', status: :unauthorized unless valid_session?
-    end
+    render plain: 'You should do an LTI Tool Launch.', status: :unauthorized unless valid_session?
     safari_override
   end
 
+  def verify_authenticity_token
+    # No need to check CSRF when no cookies were sent. This fixes CSRF failures in Browsers
+    # that restrict Cookie setting within an IFrame.
+    return unless request.cookies.keys.length > 0
+    super
+  end
+
   def valid_session?
     [
       current_session.persisted?,
@@ -119,59 +160,65 @@ module PandaPal::Helpers::ControllerHelper
     use_secure_headers_override(:safari_override) if browser.safari?
   end
 
+  # Redirect with the session key intact. In production,
+  # handle this by adding a one-time use encrypted token to the URL.
+  # Keeping it in the URL in development means that it plays
+  # nicely with webpack-dev-server live reloading (otherwise
+  # you get an access error everytime it tries to live reload).
+
+  def redirect_with_session_to(location, params = {}, route_context: self)
+    if Rails.env.development?
+      redirect_to route_context.send(location, {
+        session_key: current_session.session_key,
+        organization_id: current_organization.id,
+      }.merge(params))
+    else
+      redirect_to route_context.send(location, {
+        session_token: link_nonce,
+        organization_id: current_organization.id,
+      }.merge(params))
+    end
+  end
+
+  def link_nonce
+    @link_nonce ||= begin
+      current_session_data[:link_nonce] = SecureRandom.hex
+
+      payload = {
+        session_key: current_session.session_key,
+        organization_id: current_organization.id,
+        nonce: current_session_data[:link_nonce],
+      }
+
+      panda_pal_cryptor.encrypt_and_sign(payload.to_json)
+    end
+  end
+
   private
+
   def organization_key
-    params[:oauth_consumer_key] || session[:organization_key]
+    org_key ||= params[:oauth_consumer_key]
+    org_key ||= "#{params[:client_id]}/#{params[:deployment_id]}" if params[:client_id].present?
+    org_key ||= session[:organization_key]
+    org_key
   end
 
   def organization_id
     params[:organization_id]
   end
 
-  def session_key
-    if params[:encrypted_session_key]
-      crypt = ActiveSupport::MessageEncryptor.new(Rails.application.secret_key_base[0..31])
-      return crypt.decrypt_and_verify(params[:encrypted_session_key])
-    end
-    params[:session_key] || session_key_header || flash[:session_key] || session[:session_key]
-  end
-
   def session_key_header
     if match = request.headers['Authorization'].try(:match, /token=(.+)/)
       match[1]
     end
   end
 
-  # Redirect with the session key intact. In production,
-  # handle this by encrypting the session key.  That way if the
-  # url is logged anywhere, it will all be encrypted data.   In dev,
-  # just put it in the URL. Putting it in the URL
-  # is insecure, but is fine in development.
-  # Keeping it in the URL in development means that it plays
-  # nicely with webpack-dev-server live reloading (otherwise
-  # you get an access error everytime it tries to live reload).
-
-  def redirect_with_session_to(location, params = {})
-    if Rails.env.development?
-      redirect_development_mode(location, params)
-    else
-      redirect_production_mode(location, params)
-    end
-  end
-
-  def redirect_development_mode(location, params)
-    redirect_to send(location, {
-      session_key: current_session.session_key,
-      organization_id: current_organization.id
-    }.merge(params))
+  def panda_pal_cryptor
+    @panda_pal_cryptor ||= ActiveSupport::MessageEncryptor.new(Rails.application.secret_key_base[0..31])
   end
 
-  def redirect_production_mode(location, params)
-    crypt = ActiveSupport::MessageEncryptor.new(Rails.application.secret_key_base[0..31])
-    encrypted_data = crypt.encrypt_and_sign(current_session.session_key)
-    redirect_to send(location, {
-      encrypted_session_key: encrypted_data,
-      organization_id: current_organization.id
-    }.merge(params))
+  def auto_save_session
+    yield if block_given?
+    save_session if @current_session && session_changed?
   end
 end

data/lib/panda_pal/helpers/route_helper.rb

@@ -1,17 +1,17 @@
 module PandaPal::Helpers::RouteHelper
-  def lti_nav(nav, *rest, &block)
+  def lti_nav(options, *rest, &block)
     base_path = Rails.application.routes.named_routes[:panda_pal].path.spec
     raise LtiNavigationInUse.new('PandaPal must be mounted before defining lti_nav routes') if base_path.blank?
-    options = nav
+
     nav, to = options.first
     options[:to] = to
     options.delete nav
-    lti_options = options.delete(:lti_options) || {}
     path = "#{base_path}/#{nav.to_s}"
-    lti_options[:url] = path.split('/').reject(&:empty?).join('_')
-    post path, options, &block
-    get path, options, &block
-    PandaPal::register_navigation(nav)
-    PandaPal::lti_navigation(nav, lti_options)
+
+    lti_options = options.delete(:lti_options) || {}
+    lti_options[:route_helper_key] = path.split('/').reject(&:empty?).join('_')
+    post(path, options.dup, &block)
+    get(path, options.dup, &block)
+    PandaPal::stage_navigation(nav, lti_options)
   end
 end

data/lib/panda_pal/helpers/secure_headers.rb

@@ -0,0 +1,79 @@
+module PandaPal
+  module SecureHeaders
+    def self.apply_defaults(config)
+      @config = config
+      # The default cookie headers aren't compatable with PandaPal cookies currenntly
+      config.cookies = { samesite: { none: true } }
+
+      if Rails.env.production?
+        config.cookies[:secure] = true
+      end
+
+      # Need to allow LTI iframes
+      config.x_frame_options = "ALLOWALL"
+
+      config.x_content_type_options = "nosniff"
+      config.x_xss_protection = "1; mode=block"
+      config.referrer_policy = %w(origin-when-cross-origin strict-origin-when-cross-origin)
+
+      config.csp ||= {}
+
+      csp_entry(:default_src, %w['self'])
+      csp_entry(:connect_src, %w['self'])
+      csp_entry(:script_src, %w['self'])
+
+      if Rails.env.development?
+        # Allow webpack-dev-server to work
+        csp_entry(:connect_src, "http://localhost:3035")
+        csp_entry(:connect_src, "ws://localhost:3035")
+
+        # Allow stuff like rack-mini-profiler to work in development:
+        # https://github.com/MiniProfiler/rack-mini-profiler/issues/327
+        # DON'T ENABLE THIS FOR PRODUCTION!
+        csp_entry(:script_src, "'unsafe-eval'")
+
+        # Detect and permit Scout APM in Dev
+        if MiscHelper.to_boolean(ENV['SCOUT_DEV_TRACE'])
+          csp_entry(:default_src, 'https://scoutapm.com')
+          csp_entry(:default_src, 'https://apm.scoutapp.com')
+
+          csp_entry(:script_src, "'unsafe-inline'")
+          csp_entry(:script_src, 'https://scoutapm.com')
+          csp_entry(:script_src, 'https://apm.scoutapp.com')
+
+          csp_entry(:connect_src, 'https://apm.scoutapp.com')
+
+          csp_entry(:style_src, 'https://scoutapm.com')
+          csp_entry(:style_src, 'https://apm.scoutapp.com')
+        end
+      end
+
+      # Detect and permit Sentry
+      if defined?(Raven) && Raven.configuration.server.present?
+        csp_entry(:connect_src, Raven.configuration.server)
+
+        # Report CSP Violations to Sentry
+        unless config.csp[:report_uri].present?
+          cfg = Raven.configuration
+          config.csp[:report_uri] = ["#{cfg.scheme}://#{cfg.host}/api/#{cfg.project_id}/security/?sentry_key=#{cfg.public_key}"] unless config.csp[:report_uri].present?
+        end
+      end
+
+      # Certain CSS-in-JS libraries inline the CSS, so we need to use unsafe-inline for them
+      csp_entry(:style_src, %w('self' 'unsafe-inline' blob: https://fonts.googleapis.com))
+      csp_entry(:font_src, %w('self' data: https://fonts.gstatic.com))
+
+      @config = nil
+
+      config
+    end
+
+    private
+
+    def self.csp_entry(key, *values)
+      values = values.flatten
+      @config.csp[key] ||= []
+      @config.csp[key] |= values
+    end
+  end
+end