panda_pal 5.1.0 → 5.2.0

data/app/lib/lti_xml/base_platform.rb

@@ -76,7 +76,7 @@ module LtiXml
 
     def add_lti_nav
       PandaPal.lti_paths.each do |k, v|
-        @tc.set_ext_param(platform, k.to_sym, ext_params(v))
+        @tc.set_ext_param(platform, k.to_sym, ext_params(v, k))
       end
     end
 
@@ -84,9 +84,9 @@ module LtiXml
       @tc.set_ext_param(platform, :environments, PandaPal.lti_environments)
     end
 
-    def ext_params(options)
-      url = options.delete(:url)
-      options[:url] = [parsed_request_url.to_s, main_app.send([url, '_url'].join, only_path: true)].join
+    def ext_params(options, k)
+      options.delete(:route_helper_key)
+      options[:url] = PandaPal::LaunchUrlHelpers.absolute_launch_url(k.to_sym, host: parsed_request_url, launch_handler: nil)
       options
     end
   end

data/app/lib/panda_pal/launch_url_helpers.rb

@@ -0,0 +1,69 @@
+module PandaPal
+  module LaunchUrlHelpers
+    def self.absolute_launch_url(launch_type, host:, launch_handler: nil)
+      opts = PandaPal.lti_paths[launch_type]
+      final_url = launch_url(opts, launch_type: launch_type)
+
+      is_direct = opts[:route_helper_key].present? || !launch_handler.present?
+
+      if is_direct
+        return final_url if URI.parse(final_url).absolute?
+        return [host.to_s, final_url].join
+      else
+        launch_handler = resolve_route(launch_handler) if launch_handler.is_a?(Symbol)
+        return add_url_params([host.to_s, launch_handler].join, {
+          launch_type: launch_type,
+        })
+      end
+    end
+
+    def self.launch_url(opts, launch_type: nil)
+      url = launch_route(opts, launch_type: launch_type)
+      url = resolve_url_symbol(url) if url.is_a?(Symbol)
+      url
+    end
+
+    def self.launch_route(opts, launch_type: nil)
+      if opts.is_a?(Symbol) || opts.is_a?(String)
+        launch_type = opts.to_sym
+        opts = PandaPal.lti_paths[launch_type]
+      end
+
+      if opts[:route_helper_key]
+        opts[:route_helper_key].to_sym
+      else
+        opts[:url] ||= launch_type
+        opts[:url]
+      end
+    end
+
+    def self.resolve_url_symbol(sym, **opts)
+      sym = :"#{sym}_url" unless sym.to_s.ends_with?('_url')
+      opts[:only_path] = true unless opts.key?(:only_path)
+      resolve_route(:"MainApp/#{sym}", **opts)
+    end
+
+    def self.add_url_params(url, params)
+      uri = URI(url)
+      decoded_params = URI.decode_www_form(uri.query || "")
+      params.each do |k, v|
+        decoded_params << [k, v]
+      end
+      uri.query = URI.encode_www_form(decoded_params)
+      uri.to_s
+    end
+
+    private
+
+    def self.resolve_route(key, *arguments, engine: 'PandaPal', **kwargs)
+      return key if key.is_a?(String)
+
+      key_bits = key.to_s.split('/')
+      key_bits.prepend(engine) if key_bits.count == 1
+      key_bits[0] = key_bits[0].classify
+
+      engine = key_bits[0] == 'MainApp' ? Rails.application : (key_bits[0].constantize)::Engine
+      engine.routes.url_helpers.send(key_bits[1], *arguments, **kwargs)
+    end
+  end
+end

data/app/lib/panda_pal/lti_jwt_validator.rb

@@ -0,0 +1,88 @@
+module PandaPal
+  class LtiJwtValidator
+    attr_reader :errors
+
+    def initialize(jwt, client_id)
+      @jwt = jwt
+      @client_id = client_id
+      @errors = []
+    end
+
+    def valid?
+      verify_audience(@jwt)
+      verify_sub(@jwt)
+      verify_nonce(@jwt)
+      verify_issued_at(@jwt)
+      verify_expiration(@jwt)
+      errors.empty?
+    end
+
+    private
+
+    def verify_audience(jwt)
+      aud = jwt[:aud]
+      aud_array = [*aud]
+      errors << 'Audience must be a string or Array of strings.' unless aud_array.all? { |a| a.is_a? String }
+      if jwt.key? :azp
+        verify_azp(aud, jwt[:azp])
+      else
+        errors << 'Audience not found' unless public_key_matches_one_of_client_ids(aud)
+      end
+    end
+
+    def verify_azp(aud, azp)
+      errors << 'Audience does not contain/match Authorized Party' unless azp_in_aud(aud, azp)
+      errors << 'Audience does not match Platform client_id' unless public_key_matches_one_of_client_ids(aud)
+    end
+
+    def verify_sub(jwt)
+      errors << 'Subject not present' if jwt[:sub].blank?
+    end
+
+    def verify_issued_at(jwt)
+      lower_bound = issued_at_lower_bound
+      errors << "Issued at of #{jwt[:iat]} not between #{lower_bound.to_i} and #{Time.zone.now.to_i}" unless Time.zone.at(
+        jwt[:iat]
+      ).between?(
+        lower_bound, Time.zone.now
+      )
+    end
+
+    def verify_expiration(jwt)
+      now = Time.zone.now
+      errors << "Expiration time of #{jwt[:exp]} before #{now.to_i}" unless Time.zone.at(jwt[:exp]) > Time.zone.now
+    end
+
+    def verify_nonce(jwt)
+      unless jwt[:nonce].present?
+        errors << 'Nonce not present'
+        return
+      end
+
+      return unless defined?(Redis) && Redis.current
+
+      cache_key = "nonces/#{jwt[:nonce]}"
+      if Redis.current.get(cache_key)
+        errors << 'Nonce has been used already'
+      else
+        Redis.current.set(cache_key, Time.zone.now.to_i, ex: 5.minutes)
+      end
+    end
+
+    def azp_in_aud(aud, azp)
+      if aud.is_a? Array
+        aud.include? azp
+      else
+        aud == azp
+      end
+    end
+
+    def issued_at_lower_bound
+      ENV.key?('issued_at_minutes_ago') ? ENV['issued_at_minutes_ago'].minutes.ago : 10.minutes.ago
+    end
+
+    def public_key_matches_one_of_client_ids(aud)
+      (Array(aud) & Array(@client_id)).any?
+    end
+  end
+end

data/app/lib/panda_pal/misc_helper.rb

@@ -0,0 +1,11 @@
+module PandaPal
+  module MiscHelper
+    def self.to_boolean(v)
+      if Rails.version < '5.0'
+        ActiveRecord::Type::Boolean.new.type_cast_from_user("0")
+      else
+        ActiveRecord::Type::Boolean.new.deserialize('0')
+      end
+    end
+  end
+end

data/app/models/panda_pal/organization.rb

@@ -1,5 +1,3 @@
-Dir[File.dirname(__FILE__) + "/organization/*.rb"].each { |file| require file }
-
 module PandaPal
   module OrganizationConcerns; end
 
@@ -7,7 +5,6 @@ module PandaPal
     include OrganizationConcerns::SettingsValidation
     include OrganizationConcerns::TaskScheduling if defined?(Sidekiq.schedule)
 
-    attribute :settings
     serialize :settings, Hash
     attr_encrypted :settings, marshal: true, key: :encryption_key
     before_save {|a| a.settings = a.settings} # this is a hacky work-around to a bug where attr_encrypted is not saving settings in place
@@ -21,6 +18,12 @@ module PandaPal
     after_create :create_schema
     after_commit :destroy_schema, on: :destroy
 
+    if defined?(scheduled_task)
+      scheduled_task '0 0 3 * * *', :clean_old_sessions do
+        PandaPal::Session.where(panda_pal_organization: self).where('updated_at < ?', 1.week.ago).delete_all
+      end
+    end
+
     before_validation on: [:update] do
       errors.add(:name, 'should not be changed after creation') if name_changed?
     end

data/app/models/panda_pal/{organization → organization_concerns}/settings_validation.rb

@@ -52,15 +52,31 @@ module PandaPal
 
         if settings.nil?
           errors << "Entry #{human_path} is required" if spec[:required]
-          return
+          return errors
         end
 
         if spec[:type]
-          resolved_type = spec[:type]
-          resolved_type = resolved_type.constantize if resolved_type.is_a?(String)
-          unless settings.is_a?(resolved_type)
+          norm_types = Array(spec[:type]).map do |t|
+            if [:bool, :boolean, 'Bool', 'Boolean'].include?(t)
+              'Boolean'
+            elsif t.is_a?(String)
+              t.constantize
+            else
+              t
+            end
+          end
+
+          any_match = norm_types.any? do |t|
+            if t == 'Boolean'
+              settings == true || settings == false
+            else
+              settings.is_a?(t)
+            end
+          end
+
+          unless any_match
             errors << "Expected #{human_path} to be a #{spec[:type]}. Was a #{settings.class.to_s}"
-            return
+            return errors
           end
         end
 

data/app/models/panda_pal/{organization → organization_concerns}/task_scheduling.rb

@@ -36,9 +36,36 @@ module PandaPal
               type: 'Hash',
               required: false,
               properties: _schedule_descriptors.keys.reduce({}) do |hash, k|
+                desc = _schedule_descriptors[k]
+
                 hash.tap do |hash|
+                  kl = ' ' * (k.to_s.length - 4)
                   hash[k.to_sym] = hash[k.to_s] = {
                     required: false,
+                    description: <<~MARKDOWN,
+                      Override schedule for '#{k.to_s}' task.
+
+                      **Default**: #{desc[:schedule].is_a?(String) ? desc[:schedule] : '<Computed>'}
+
+                      Set to `false` to disable or supply a Cron string:
+                      ```yaml
+                      #{k.to_s}: 0 0 0 * * * America/Denver
+                      ##{kl}     │ │ │ │ │ │ └── Timezone (Optional)
+                      ##{kl}     │ │ │ │ │ └── Day of Week
+                      ##{kl}     │ │ │ │ └── Month
+                      ##{kl}     │ │ │ └── Day of Month
+                      ##{kl}     │ │ └── Hour
+                      ##{kl}     │ └── Minute
+                      ##{kl}     └── Second (Optional)
+                      ````
+                    MARKDOWN
+                    json_schema: {
+                      oneOf: [
+                        { type: 'string', pattern: '^((((\d+,)+\d+|(\d+(\/|-)\d+)|\d+|\*) ?){5,6})(\w+\/\w+)?$' },
+                        { enum: [false] },
+                      ],
+                      default: desc[:schedule].is_a?(String) ? desc[:schedule] : '0 0 3 * * * America/Denver',
+                    },
                     validate: ->(value, *args, errors:, **kwargs) {
                       begin
                         Rufus::Scheduler.parse(value) if value
@@ -66,6 +93,11 @@ module PandaPal
           }
         end
 
+        def remove_scheduled_task(name_or_method)
+          dval = _schedule_descriptors.delete(name_or_method.to_s)
+          Rails.logger.warn("No task with key '#{name_or_method}' to delete!") unless dval.present?
+        end
+
         def sync_schedules
           # Ensure deleted Orgs are removed
           existing_orgs = pluck(:name)

data/app/models/panda_pal/platform.rb

@@ -0,0 +1,40 @@
+module PandaPal
+  class Platform
+    def public_jwks
+      response = HTTParty.get(jwks_url)
+      return nil unless response.success?
+
+      JSON::JWK::Set.new(JSON.parse(response.body))
+    rescue
+      nil
+    end
+  end
+
+  class Platform::Canvas < Platform
+    attr_accessor :base_url
+
+    def initialize(base_url)
+      @base_url = base_url
+    end
+
+    def host
+      base_url
+    end
+
+    def jwks_url
+      "#{base_url}/api/lti/security/jwks"
+    end
+
+    def authentication_redirect_url
+      "#{base_url}/api/lti/authorize_redirect"
+    end
+
+    def grant_url
+      "#{base_url}/login/oauth2/token"
+    end
+  end
+
+  class Platform
+    CANVAS = Platform::Canvas.new('https://canvas.instructure.com')
+  end
+end

data/app/views/panda_pal/lti_v1_p3/login.html.erb

@@ -0,0 +1 @@
+<%= render "panda_pal/partials/auto_submit_form" %>

data/app/views/panda_pal/partials/_auto_submit_form.html.erb

@@ -0,0 +1,9 @@
+<%= form_tag(@form_action, method: @method, id: 'redirect-form') do %>
+  <% @form_data.each do |k, v| %>
+    <%= hidden_field_tag(k, v) %>
+  <% end %>
+<% end %>
+
+<script type="text/javascript" nonce="<%= content_security_policy_script_nonce %>">
+  document.getElementById('redirect-form').submit();
+</script>

data/config/dev_lti_key.key

@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEAt+Za2scYD223YjVvAeuxpYvBjTf4yp2Y3udPFllG85zIVH/K
+XKsP4QVP9de/fh4FzouZPOfXMDY1KmWSlMK9jNYUm2rh0zp7+X/F6cnc5QMCzbqV
+MNnfALI4kvGM8yNPLbMJx4nA47T7T9TmlMJUZQxtyvC8zxBMv8Mv4Ae0arXevpI1
+Vcm/3Huz6dAJPRjTnL2CBsXrmNzf51OJU5r27HYFE4367g9njix1lGOcQqVDVjnT
+uXFTlidfUa2Bp2v5owzZU7Fe9jSQmeAQpqQ/XdYzWQNEJPrz8ESz5jP3brJ4q5Y5
+FaK9l8DHILqomGWhttYQ6IMCfdpLb4D4B2gcLQIDAQABAoIBAAuaXislmrAGhSaO
+JoXhgCDo03p8iJcIIIgX4haP5XkjcERcl8EHDgZtlmD1juB/NnCUwENmgV5KXUpi
+hEAclWcYbs5rjPoN25qfZDZfBS/x47BlUFp3tKlPlWA4G2OP28QPYtOTLndviNe9
+oBrMtBR4F0lRrSgHaEBFKXUiJ1EAMycKcXab63HA7Fp9HArLAu0NM0VWCsJBmxB/
+BprW4LtYRG7iJl9kfsHyAzOaAV5H1zLqhfA2YvEI2XADrILQtpPwZpmNKq/5L5On
+RlGy1WcBgxj8cqWdqir1PxVN/xDKVnUT9Mrf+SHn7xzgDL2uXvhD1Qt/5iLeVlvN
+nQTNJyECgYEA681T7A0oj9/FuqLwE1gxm+RUczv+EyXcNvHCUkpFSaiyEyqdQB9f
+EpHgeg7pXmlRmUwNkT3ZAH7O0uv3CVR6b8j9N7XmYbmcuRU2A6loeiBB/HkOOt21
+hxiC+tXD/K7c5BfRkThL6ca213xqztbqxxj/C8qGnWVaLc7SLPlJZfUCgYEAx6bp
+7tRGq8Q5xkyKvSDUSln9MI/iZjSysd44rTtj8Vo9LfQsBi5JbWm0+UEtaZoabeC1
+xaAp/ZETLe4oGu7CJxBreSE+UE/a6zc5MIcJblP+8RIiAYkf67iHNwSbiqSBvPqj
+S0HFxUZqw1NigmqsptHrPtvuTUZI8Hx3hKMgwlkCgYAa8RrlnZtE1QyChptnmmwQ
+o8YCZJhjF7BRls3dGR9RizTNe9D7wpnaRVCgoZOIdgAcw9PJBIgGxnZbIxrWthBH
+NW+5Lc9k2xBNFV9Wi8SkL4tajXpSv4I+LU7J2iLKfDBA33fSX9xMmafKdyy89VFd
+7j01264Fzc6/7SGWgeUhAQKBgDKGSgMXkz7arKhDLIUKLs8WEN3eO7QTt/kNPJiS
+RAuLA5qChTWXNxvKOXMujFiCGBggWr/FdXrm4MypzVpre5S5Mgl4YTWfz83grsda
+FQfnl8fYB+UNl5dmnklNEDO4x+BUKUjdPzhaRqBhlLdeWYzp6LeCnr7Nf53kUbau
+NZcZAoGBAJcYyWegsQCEVMY/ck42uNmZ00DmK1XSAU7hYulBo8iD3OqvXZ7Etppw
+SaRhSTCoTsLBWlqGccNDGoXH/r2/jJAFb8hUjGa2Z5dKP9byWMONEQEh6g8wzL/w
+XRthIsgdIE58a+cJGwHh/raUQwvD72S1C/epQSYcLe3TdUumtZm/
+-----END RSA PRIVATE KEY-----

data/config/routes.rb

@@ -1,4 +1,14 @@
 PandaPal::Engine.routes.draw do
-  get '/config' => 'lti#tool_config'
-  get '/launch' => 'lti#launch'
+  get '/config' => 'lti_v1_p0#tool_config' # Legacy Support
+
+  scope '/v1p0', as: 'v1p0' do
+    get '/config' => 'lti_v1_p0#tool_config'
+  end
+
+  scope '/v1p3', as: 'v1p3' do
+    get '/config' => 'lti_v1_p3#tool_config'
+    post '/oidc_login' => 'lti_v1_p3#login'
+    post '/resource_link_request' => 'lti_v1_p3#resource_link_request'
+    get '/public_jwks' => 'lti_v1_p3#public_jwks'
+  end
 end

data/db/migrate/20160412205931_create_panda_pal_organizations.rb

@@ -1,4 +1,4 @@
-class CreatePandaPalOrganizations < ActiveRecord::Migration[5.1]
+class CreatePandaPalOrganizations < ActiveRecord::Migration
   def change
     create_table :panda_pal_organizations do |t|
       t.string :name

data/db/migrate/20160413135653_create_panda_pal_sessions.rb

@@ -1,4 +1,4 @@
-class CreatePandaPalSessions < ActiveRecord::Migration[5.1]
+class CreatePandaPalSessions < ActiveRecord::Migration
   def change
     create_table :panda_pal_sessions do |t|
       t.string :session_key

data/db/migrate/20160425130344_add_panda_pal_organization_to_session.rb

@@ -1,4 +1,4 @@
-class AddPandaPalOrganizationToSession < ActiveRecord::Migration[5.1]
+class AddPandaPalOrganizationToSession < ActiveRecord::Migration
   def change
     add_column :panda_pal_sessions, :panda_pal_organization_id, :integer
     add_index :panda_pal_sessions, :panda_pal_organization_id

data/db/migrate/20170106165533_add_salesforce_id_to_organizations.rb

@@ -1,4 +1,4 @@
-class AddSalesforceIdToOrganizations < ActiveRecord::Migration[5.1]
+class AddSalesforceIdToOrganizations < ActiveRecord::Migration
   def change
     add_column :panda_pal_organizations, :salesforce_id, :string, unique: true
   end

data/db/migrate/20171205183457_encrypt_organization_settings.rb

@@ -1,4 +1,4 @@
-class EncryptOrganizationSettings < ActiveRecord::Migration[5.1]
+class EncryptOrganizationSettings < ActiveRecord::Migration
   def up
     # don't rerun this if it was already run before we renamed the migration.
     existing_versions = execute ("SELECT * from schema_migrations where version = '30171205183457'")

data/db/migrate/20171205194657_remove_old_organization_settings.rb

@@ -1,4 +1,4 @@
-class RemoveOldOrganizationSettings < ActiveRecord::Migration[5.1]
+class RemoveOldOrganizationSettings < ActiveRecord::Migration
   def current_tenant
     @current_tenant ||= PandaPal::Organization.find_by_name(Apartment::Tenant.current)
   end
@@ -10,14 +10,16 @@ class RemoveOldOrganizationSettings < ActiveRecord::Migration[5.1]
       execute "DELETE from schema_migrations where version = '30171205194657'"
       return
     end
+
     # migrations run for public and local tenants.  However, PandaPal::Organization
     # is going to always go to public tenant.  So don't do this active record
     # stuff unless we are on the public tenant.
-    if current_tenant == 'public'
+    if Apartment::Tenant.current == 'public'
       #PandaPal::Organization.connection.schema_cache.clear!
       #PandaPal::Organization.reset_column_information
       PandaPal::Organization.find_each do |o|
         # Would like to just be able to do this:
+        # PandaPal::Organization.reset_column_information
         # o.settings = YAML.load(o.old_settings)
         # o.save!
         # but for some reason that is always making the settings null.  Instead we will encrypt the settings manually.
@@ -26,14 +28,17 @@ class RemoveOldOrganizationSettings < ActiveRecord::Migration[5.1]
         key = o.encryption_key
         encrypted_settings = PandaPal::Organization.encrypt_settings(YAML.load(o.old_settings), iv: iv, key: key)
         o.update_columns(encrypted_settings_iv: [iv].pack("m"), encrypted_settings: encrypted_settings)
+        o = PandaPal::Organization.find_by!(name: o.name)
+        raise "Failed to migrate PandaPal Settings" if o.settings != YAML.load(o.old_settings)
       end
     end
+
     remove_column :panda_pal_organizations, :old_settings
   end
 
   def down
     add_column :panda_pal_organizations, :old_settings, :text
-    if current_tenant == 'public'
+    if Apartment::Tenant.current == 'public'
       PandaPal::Organization.find_each do |o|
         o.old_settings = o.settings.to_yaml
         o.save