panda_pal 5.0.0 → 5.2.3

data/app/controllers/panda_pal/lti_v1_p3_controller.rb

@@ -0,0 +1,98 @@
+require_dependency "panda_pal/application_controller"
+
+module PandaPal
+  class LtiV1P3Controller < ApplicationController
+    skip_before_action :verify_authenticity_token
+
+    before_action :validate_launch!, only: [:resource_link_request]
+    around_action :switch_tenant, only: [:resource_link_request]
+
+    def login
+      current_session_data[:lti_oauth_nonce] = SecureRandom.uuid
+
+      @form_action = current_lti_platform.authentication_redirect_url
+      @method = :post
+      @form_data = {
+        scope: 'openid',
+        response_type: 'id_token',
+        response_mode: 'form_post',
+        prompt: 'none',
+        redirect_uri: params[:target_link_uri] || v1p3_resource_link_request_url,
+        client_id: params.require(:client_id),
+        login_hint: params.require(:login_hint),
+        lti_message_hint: params.require(:lti_message_hint),
+        state: current_session.session_key,
+        nonce: current_session_data[:lti_oauth_nonce]
+      }
+    end
+
+    def resource_link_request
+      # Redirect to correct region/env?
+      if params[:launch_type]
+        current_session_data.merge!({
+          lti_version: 'v1p3',
+          lti_launch_placement: params[:launch_type],
+          launch_params: @decoded_lti_jwt,
+        })
+
+        redirect_with_session_to(:"#{LaunchUrlHelpers.launch_route(params[:launch_type])}_url", route_context: main_app)
+      end
+    end
+
+    def tool_config
+      if PandaPal.lti_environments.empty?
+        render plain: 'Domains must be set in lti_environments'
+        return
+      end
+
+      platform = PandaPal.lti_options.delete(:platform) || 'canvas.instructure.com'
+      request_url = "#{request.scheme}://#{request.host_with_port}"
+      parsed_request_url = URI.parse(request_url)
+
+      mapped_placements = PandaPal.lti_paths.map do |k, opts|
+        opts = opts.dup
+        opts.delete(:route_helper_key)
+        opts.merge!({
+          placement: k,
+          target_link_uri: LaunchUrlHelpers.absolute_launch_url(k.to_sym, host: parsed_request_url, launch_handler: v1p3_resource_link_request_path),
+        })
+        opts
+      end
+
+      config_json = {
+        title: PandaPal.lti_options[:title],
+        scopes: [],
+        public_jwk_url: v1p3_public_jwks_url,
+        description: PandaPal.lti_options[:description] || 'PandaPal LTI',
+        target_link_uri: v1p3_resource_link_request_url, #app_url(:resource_link_request, request),
+        oidc_initiation_url: v1p3_oidc_login_url,
+        extensions: [{
+          platform: platform,
+          privacy_level: "public",
+          settings: {
+            placements: mapped_placements,
+            environments: PandaPal.lti_environments,
+          },
+        }],
+        custom_fields: PandaPal.lti_custom_params, # PandaPal.lti_options[:custom_fields],
+      }
+
+      render json: config_json
+    end
+
+    def public_jwks
+      render json: {
+        keys: [JWT::JWK.new(PandaPal.lti_private_key).export]
+      }
+    end
+
+    private
+
+    def auth_redirect_query
+      return unless params[:target_link_uri]&.include? 'platform_redirect_url='
+
+      platform_redirect_url = Rack::Utils.parse_query(URI(params[:target_link_uri]).query)&.dig('platform_redirect_url')
+      "?platform_redirect_url=#{platform_redirect_url}"
+    end
+  end
+end

data/app/lib/lti_xml/base_platform.rb

@@ -76,7 +76,7 @@ module LtiXml
 
     def add_lti_nav
       PandaPal.lti_paths.each do |k, v|
-        @tc.set_ext_param(platform, k.to_sym, ext_params(v))
+        @tc.set_ext_param(platform, k.to_sym, ext_params(v, k))
       end
     end
 
@@ -84,9 +84,9 @@ module LtiXml
       @tc.set_ext_param(platform, :environments, PandaPal.lti_environments)
     end
 
-    def ext_params(options)
-      url = options.delete(:url)
-      options[:url] = [parsed_request_url.to_s, main_app.send([url, '_url'].join, only_path: true)].join
+    def ext_params(options, k)
+      options.delete(:route_helper_key)
+      options[:url] = PandaPal::LaunchUrlHelpers.absolute_launch_url(k.to_sym, host: parsed_request_url, launch_handler: nil)
       options
     end
   end

data/app/lib/panda_pal/launch_url_helpers.rb

@@ -0,0 +1,69 @@
+module PandaPal
+  module LaunchUrlHelpers
+    def self.absolute_launch_url(launch_type, host:, launch_handler: nil)
+      opts = PandaPal.lti_paths[launch_type]
+      final_url = launch_url(opts, launch_type: launch_type)
+
+      is_direct = opts[:route_helper_key].present? || !launch_handler.present?
+
+      if is_direct
+        return final_url if URI.parse(final_url).absolute?
+        return [host.to_s, final_url].join
+      else
+        launch_handler = resolve_route(launch_handler) if launch_handler.is_a?(Symbol)
+        return add_url_params([host.to_s, launch_handler].join, {
+          launch_type: launch_type,
+        })
+      end
+    end
+
+    def self.launch_url(opts, launch_type: nil)
+      url = launch_route(opts, launch_type: launch_type)
+      url = resolve_url_symbol(url) if url.is_a?(Symbol)
+      url
+    end
+
+    def self.launch_route(opts, launch_type: nil)
+      if opts.is_a?(Symbol) || opts.is_a?(String)
+        launch_type = opts.to_sym
+        opts = PandaPal.lti_paths[launch_type]
+      end
+
+      if opts[:route_helper_key]
+        opts[:route_helper_key].to_sym
+      else
+        opts[:url] ||= launch_type
+        opts[:url]
+      end
+    end
+
+    def self.resolve_url_symbol(sym, **opts)
+      sym = :"#{sym}_url" unless sym.to_s.ends_with?('_url')
+      opts[:only_path] = true unless opts.key?(:only_path)
+      resolve_route(:"MainApp/#{sym}", **opts)
+    end
+
+    def self.add_url_params(url, params)
+      uri = URI(url)
+      decoded_params = URI.decode_www_form(uri.query || "")
+      params.each do |k, v|
+        decoded_params << [k, v]
+      end
+      uri.query = URI.encode_www_form(decoded_params)
+      uri.to_s
+    end
+
+    private
+
+    def self.resolve_route(key, *arguments, engine: 'PandaPal', **kwargs)
+      return key if key.is_a?(String)
+
+      key_bits = key.to_s.split('/')
+      key_bits.prepend(engine) if key_bits.count == 1
+      key_bits[0] = key_bits[0].classify
+
+      engine = key_bits[0] == 'MainApp' ? Rails.application : (key_bits[0].constantize)::Engine
+      engine.routes.url_helpers.send(key_bits[1], *arguments, **kwargs)
+    end
+  end
+end

data/app/lib/panda_pal/lti_jwt_validator.rb

@@ -0,0 +1,88 @@
+module PandaPal
+  class LtiJwtValidator
+    attr_reader :errors
+
+    def initialize(jwt, client_id)
+      @jwt = jwt
+      @client_id = client_id
+      @errors = []
+    end
+
+    def valid?
+      verify_audience(@jwt)
+      verify_sub(@jwt)
+      verify_nonce(@jwt)
+      verify_issued_at(@jwt)
+      verify_expiration(@jwt)
+      errors.empty?
+    end
+
+    private
+
+    def verify_audience(jwt)
+      aud = jwt[:aud]
+      aud_array = [*aud]
+      errors << 'Audience must be a string or Array of strings.' unless aud_array.all? { |a| a.is_a? String }
+      if jwt.key? :azp
+        verify_azp(aud, jwt[:azp])
+      else
+        errors << 'Audience not found' unless public_key_matches_one_of_client_ids(aud)
+      end
+    end
+
+    def verify_azp(aud, azp)
+      errors << 'Audience does not contain/match Authorized Party' unless azp_in_aud(aud, azp)
+      errors << 'Audience does not match Platform client_id' unless public_key_matches_one_of_client_ids(aud)
+    end
+
+    def verify_sub(jwt)
+      errors << 'Subject not present' if jwt[:sub].blank?
+    end
+
+    def verify_issued_at(jwt)
+      lower_bound = issued_at_lower_bound
+      errors << "Issued at of #{jwt[:iat]} not between #{lower_bound.to_i} and #{Time.zone.now.to_i}" unless Time.zone.at(
+        jwt[:iat]
+      ).between?(
+        lower_bound, Time.zone.now
+      )
+    end
+
+    def verify_expiration(jwt)
+      now = Time.zone.now
+      errors << "Expiration time of #{jwt[:exp]} before #{now.to_i}" unless Time.zone.at(jwt[:exp]) > Time.zone.now
+    end
+
+    def verify_nonce(jwt)
+      unless jwt[:nonce].present?
+        errors << 'Nonce not present'
+        return
+      end
+
+      return unless defined?(Redis) && Redis.current
+
+      cache_key = "nonces/#{jwt[:nonce]}"
+      if Redis.current.get(cache_key)
+        errors << 'Nonce has been used already'
+      else
+        Redis.current.set(cache_key, Time.zone.now.to_i, ex: 5.minutes)
+      end
+    end
+
+    def azp_in_aud(aud, azp)
+      if aud.is_a? Array
+        aud.include? azp
+      else
+        aud == azp
+      end
+    end
+
+    def issued_at_lower_bound
+      ENV.key?('issued_at_minutes_ago') ? ENV['issued_at_minutes_ago'].minutes.ago : 10.minutes.ago
+    end
+
+    def public_key_matches_one_of_client_ids(aud)
+      (Array(aud) & Array(@client_id)).any?
+    end
+  end
+end

data/app/lib/panda_pal/misc_helper.rb

@@ -0,0 +1,13 @@
+module PandaPal
+  module MiscHelper
+    MigrationClass = Rails.version < '5.0' ? ActiveRecord::Migration : ActiveRecord::Migration[4.2]
+
+    def self.to_boolean(v)
+      if Rails.version < '5.0'
+        ActiveRecord::Type::Boolean.new.type_cast_from_user("0")
+      else
+        ActiveRecord::Type::Boolean.new.deserialize('0')
+      end
+    end
+  end
+end

data/app/models/panda_pal/organization.rb

@@ -1,24 +1,33 @@
 module PandaPal
+  module OrganizationConcerns; end
 
   class Organization < ActiveRecord::Base
-    attribute :settings
+    include OrganizationConcerns::SettingsValidation
+    include OrganizationConcerns::TaskScheduling if defined?(Sidekiq.schedule)
+
+    serialize :settings, Hash
     attr_encrypted :settings, marshal: true, key: :encryption_key
     before_save {|a| a.settings = a.settings} # this is a hacky work-around to a bug where attr_encrypted is not saving settings in place
+
     validates :key, uniqueness: { case_sensitive: false }, presence: true
     validates :secret, presence: true
     validates :name, uniqueness: { case_sensitive: false }, presence: true, format: { with: /\A[a-z0-9_]+\z/i }
     validates :canvas_account_id, presence: true
     validates :salesforce_id, presence: true, uniqueness: true
-    validate :validate_settings
+
     after_create :create_schema
     after_commit :destroy_schema, on: :destroy
 
+    if defined?(scheduled_task)
+      scheduled_task '0 0 3 * * *', :clean_old_sessions do
+        PandaPal::Session.where(panda_pal_organization: self).where('updated_at < ?', 1.week.ago).delete_all
+      end
+    end
+
     before_validation on: [:update] do
       errors.add(:name, 'should not be changed after creation') if name_changed?
     end
 
-    serialize :settings, Hash
-
     def encryption_key
       # production environment might not have loaded secret_key_base yet.
       # In that case, just read it from env.
@@ -29,6 +38,14 @@ module PandaPal
       end
     end
 
+    def switch_tenant(&block)
+      if block_given?
+        Apartment::Tenant.switch(name, &block)
+      else
+        Apartment::Tenant.switch!(name)
+      end
+    end
+
     private
 
     def create_schema
@@ -38,48 +55,5 @@ module PandaPal
     def destroy_schema
       Apartment::Tenant.drop name
     end
-
-    def validate_settings
-      record = self
-      if PandaPal.lti_options && PandaPal.lti_options[:settings_structure]
-        validate_level(record, PandaPal.lti_options[:settings_structure], record.settings, [])
-      end
-    end
-    def validate_level(record, expectation, reality, previous_keys)
-      # Verify that the data elements at this level conform to requirements.
-      if expectation
-        expectation.each do |key, value|
-          is_required = expectation[key].try(:delete, :is_required)
-          data_type = expectation[key].try(:delete, :data_type)
-          value = reality.is_a?(Hash) ? reality.dig(key) : reality
-
-          if is_required && !value
-            record.errors[:settings] << "PandaPal::Organization.settings requires key [:#{previous_keys.push(key).join("][:")}].  It was not found."
-          end
-          if data_type && value
-            if value.class.to_s != data_type
-              record.errors[:settings] << "PandaPal::Organization.settings expected key [:#{previous_keys.push(key).join("][:")}] to be #{data_type} but it was instead #{value.class}."
-            end
-          end
-        end
-      end
-      # Verify that anything that is in the real settings has an expectation.
-      if reality
-        if reality.is_a? Hash
-          reality.each do |key, value|
-            was_expected = expectation.has_key?(key)
-            if !was_expected
-              record.errors[:settings] << "PandaPal::Organization.settings had unexpected key: #{key}.  If settings have expanded please update your lti_options accordingly."
-            end
-          end
-        end
-      end
-      # Recursively check out any children settings as well.
-      if expectation
-        expectation.each do |key, value|
-          validate_level(record, expectation[key], (reality.is_a?(Hash) ? reality.dig(key) : nil), previous_keys.deep_dup.push(key))
-        end
-      end
-    end
   end
 end

data/app/models/panda_pal/organization_concerns/settings_validation.rb

@@ -0,0 +1,127 @@
+module PandaPal
+  module OrganizationConcerns
+    module SettingsValidation
+      extend ActiveSupport::Concern
+
+      included do
+        validate :validate_settings
+      end
+
+      class_methods do
+        def settings_structure
+          if PandaPal.lti_options&.[](:settings_structure).present?
+            normalize_settings_structure(PandaPal.lti_options[:settings_structure])
+          else
+            {
+              type: Hash,
+              allow_additional: true,
+              properties: {},
+            }
+          end
+        end
+
+        def normalize_settings_structure(struc)
+          return {} unless struc.present?
+          return struc if struc[:properties] || struc[:type] || struc.key?(:required)
+
+          struc = struc.dup
+          nstruc = {}
+
+          nstruc[:type] = struc.delete(:data_type) if struc.key?(:data_type)
+          nstruc[:required] = struc.delete(:is_required) if struc.key?(:is_required)
+          nstruc[:properties] = struc.map { |k, sub| [k, normalize_settings_structure(sub)] }.to_h if struc.present?
+
+          nstruc
+        end
+      end
+
+      def settings_structure
+        self.class.settings_structure
+      end
+
+      def validate_settings
+        validate_settings_level(settings || {}, settings_structure).each do |err|
+          errors[:settings] << err
+        end
+      end
+
+      private
+
+      def validate_settings_level(settings, spec, path: [], errors: [])
+        human_path = "[:#{path.join('][:')}]"
+
+        if settings.nil?
+          errors << "Entry #{human_path} is required" if spec[:required]
+          return errors
+        end
+
+        if spec[:type]
+          norm_types = Array(spec[:type]).map do |t|
+            if [:bool, :boolean, 'Bool', 'Boolean'].include?(t)
+              'Boolean'
+            elsif t.is_a?(String)
+              t.constantize
+            else
+              t
+            end
+          end
+
+          any_match = norm_types.any? do |t|
+            if t == 'Boolean'
+              settings == true || settings == false
+            else
+              settings.is_a?(t)
+            end
+          end
+
+          unless any_match
+            errors << "Expected #{human_path} to be a #{spec[:type]}. Was a #{settings.class.to_s}"
+            return errors
+          end
+        end
+
+        if spec[:validate].present?
+          val_errors = []
+          if spec[:validate].is_a?(Symbol)
+            proc_result = send(spec[:validate], settings, spec, path: path, errors: val_errors)
+          elsif spec[:validate].is_a?(String)
+            split_val = spec[:validate].split?('.')
+            split_val << 'validate_settings' if split_val.count == 1
+            resolved_module = split_val[0].constantize
+            proc_result = resolved_module.send(split_val[1].to_sym, settings, spec, path: path, errors: val_errors)
+          elsif spec[:validate].is_a?(Proc)
+            proc_result = instance_exec(settings, spec, path: path, errors: val_errors, &spec[:validate])
+          end
+          val_errors << proc_result unless val_errors.present? || proc_result == val_errors
+          val_errors = val_errors.flatten.uniq.compact.map do |ve|
+            ve.gsub('<path>', human_path)
+          end
+          errors.concat(val_errors)
+        end
+
+        if settings.is_a?(Hash)
+          if spec[:properties] != nil
+            spec[:properties].each do |key, pspec|
+              validate_settings_level(settings[key], pspec, path: [*path, key], errors: errors)
+            end
+          end
+
+          if spec[:properties] != nil || spec[:allow_additional] != nil
+            extra_keys = settings.keys - (spec[:properties]&.keys || [])
+            if extra_keys.present?
+              if spec[:allow_additional].is_a?(Hash)
+                extra_keys.each do |key|
+                  validate_settings_level(settings[key], spec[:allow_additional], path: [*path, key], errors: errors)
+                end
+              elsif !spec[:allow_additional]
+                errors << "Did not expect #{human_path} to contain [#{extra_keys.join(', ')}]"
+              end
+            end
+          end
+        end
+
+        errors
+      end
+    end
+  end
+end