panda_pal 5.14.0.beta7 → 5.15.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 762a0d4a45e1c9e5c94e9a67303b9adfd7f437742d3b000b5216cda9f901ae0e
-  data.tar.gz: fc798c502cfc2218ef88f8286c05c9434e7e8b5a6835a2d643619b11e1ba8c21
+  metadata.gz: dcf0b49dce1c842893ddd32353c984df374c0355fcc3508f15fe430bd04d93df
+  data.tar.gz: af35bc87c1179a41aaf836282863806e58d7af534c6a6cc8523e7fe8e47b088a
 SHA512:
-  metadata.gz: 3b2d5f5342348f0e99dfbb8382c00e396e5f1c82f8d22721b5e0f725b65d0c3877c27b17b6a74ef292619840a05ff284de0f37161290a2ce08199cb87a31d997
-  data.tar.gz: 1883e69179dc592d45b243e944934df02e298315fd7e5806b17a406da4557f9b9c7ffc5de7cb4559d7b687f97e09154fbd95de220a9f482fec37fd1b7def7fed
+  metadata.gz: caaf1b79881bb2e3fc0670bba8c9148e808243ba569a143a5c940bbace0e5458732e4236a2b1c0c92b61f7820040118243a32547d35c74fcf2f6155e308a668a
+  data.tar.gz: d4c2901a2ec51d3c40b06cc3d727a3af346e93f8a7239f7d8b1d0e906fd5d7ac1c3e41b3b256d45091aad19898eeea0efe89a9491336125169ed5dd8e591119a

data/app/models/panda_pal/session.rb

@@ -1,5 +1,7 @@
 module PandaPal
   class Session < PandaPalRecord
+    class SessionNonceMismatch < StandardError; end
+
     belongs_to :panda_pal_organization, class_name: 'PandaPal::Organization', optional: true
 
     after_initialize do
@@ -9,6 +11,129 @@ module PandaPal
 
     delegate :dig, to: :data
 
+    def self.for_request(request, params = request.params, enforce_tenant: true)
+      return request.instance_variable_get(:@panda_pal_session) if request.instance_variable_defined?(:@panda_pal_session)
+
+      panda_token = extract_panda_token(request, params)
+      request.instance_variable_set(:@panda_pal_session, for_panda_token(panda_token, request: request, enforce_tenant: enforce_tenant))
+    end
+
+    def self.for_panda_token(panda_token, request: nil, validate: true, enforce_tenant: true)
+      return nil unless panda_token.present?
+
+      # <B64({ v: TOKEN FORMAT, o: ORG ID, s: SESSION ID, typ: TYPE, exp?: EXPIRE, usig?: URL SIGNATURE, nnc?: NONCE })>.<HMAC(<B64HEADER>) | KEY>
+      # TYPE = KEY | T-URI | T-IP | T-NONCE | T-EXP
+
+      found_session = nil
+
+      header, sig = panda_token.split('.')
+      decoded_header = JSON.parse(Base64.urlsafe_decode64(header))
+
+      org_id = decoded_header['o'].to_i
+      session_id = decoded_header['s']
+      type = decoded_header['typ']
+
+      tenant = "public"
+
+      if org_id > 0
+        org = PandaPal::Organization.find(org_id)
+        tenant = org.tenant_name
+      end
+
+      Apartment::Tenant.switch!(tenant) if enforce_tenant == :switch
+
+      if enforce_tenant && Apartment::Tenant.current != tenant
+        raise SessionNonceMismatch, "Session Not Found"
+      end
+
+      Apartment::Tenant.switch(tenant) do
+        if type == 'KEY'
+          found_session = PandaPal::Session.find_by(session_secret: sig)
+          return found_session unless validate
+
+          raise SessionNonceMismatch, "Session Not Found" unless found_session.present?
+          raise SessionNonceMismatch, "Session Not Found" if session_id && found_session.id != session_id
+        else
+          session_record = PandaPal::Session.find_by(id: session_id)
+          return session_record unless validate
+
+          raise SessionNonceMismatch, "Session Not Found" unless session_record.present?
+
+          # Validate the header against the signature
+          raise SessionNonceMismatch, "Invalid Signature" unless session_record.validate_signature(header, sig)
+
+          # Check expiration
+          if (expr = decoded_header['exp']).present?
+            raise SessionNonceMismatch, "Expired" unless expr > DateTime.now.iso8601
+          end
+
+          if type == "T-URI" || type == "T-URL"
+            # Signed URLs only support GET requests
+            raise SessionNonceMismatch, "Invalid Method" unless request.method.to_s.upcase == "GET"
+
+            # Verify the signature against the request URL
+            # The usig doesn't _need_ to be signed (since it's part of the payload that is already signed),
+            #   but this was an easy way to make the value a constant length. Any basic hashing function could solve this,
+            #   but the HMAC implementation was already available.
+            to_sign = format_url_for_signing(request.url)
+            raise SessionNonceMismatch, "Invalid Signature" unless session_record.validate_signature(to_sign, decoded_header['usig'])
+
+            # TODO Support single-use tokens via Redis?
+
+            found_session = session_record
+          elsif type == "T-NONCE"
+            raise SessionNonceMismatch, "Invalid Nonce" unless session_record.data[:link_nonce] == decoded_header['nnc']
+            found_session = session_record
+            found_session.data[:link_nonce] = nil
+          elsif type == "T-IP"
+            raise SessionNonceMismatch, "Invalid IP" unless decoded_header["ip"] == request.remote_ip
+            found_session = session_record
+          elsif type == "T-EXP"
+            # Expiration itself is checked above, but enforce that an expiration is set
+            raise SessionNonceMismatch, "Invalid Expiration" unless decoded_header["exp"].present?
+            found_session = session_record
+          else
+            raise SessionNonceMismatch, "Invalid Panda Token Type"
+          end
+        end
+      end
+
+      raise SessionNonceMismatch, "Session Not Found" unless found_session.present?
+
+      found_session
+    end
+
+    def self.extract_panda_token(request, params = request.params)
+      headers = request.respond_to?(:headers) ? request.headers : request.env
+      token = headers['HTTP_X_PANDA_TOKEN'] || headers['X-Panda-Token']
+
+      token ||= begin
+        if (auth_header = headers['HTTP_AUTHORIZATION'] || headers['Authorization']).present?
+          match = auth_header.match(/Bearer panda:(.+)/)
+          match ||= auth_header.match(/token=(.+)/) # Legacy Support
+          token = match[1] if match && match[1].include?('.')
+        end
+      end
+
+      token ||= params["panda_token"]
+      token ||= params["session_token"] if params["session_token"]&.include?('.') # Legacy Support
+      token ||= params["session_key"] if params["session_key"]&.include?('.') # Legacy Support
+
+      token.presence
+    end
+
+    def self.format_url_for_signing(uri)
+      uri = URI.parse(uri) if uri.is_a?(String)
+
+      query = Rack::Utils.parse_query(uri.query)
+      query.delete("panda_token")
+      query.delete("session_key")
+      query.delete("session_token")
+      uri.query = Rack::Utils.build_query(query)
+
+      "#{uri.path}?#{uri.query}"
+    end
+
     def session_key
       # <B64({ v: TOKEN FORMAT, o: ORG ID, s: SESSION ID, typ: "KEY" })>.<SESSION SECRET>
       payload = {
@@ -26,10 +151,11 @@ module PandaPal
     end
 
     def sign_value(data)
-      OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('sha256'), signing_key, data)
+      OpenSSL::HMAC.base64digest(OpenSSL::Digest.new('sha256'), signing_key, data)
     end
 
     def validate_signature(data, signature)
+      # TODO Constant time
       signature == sign_value(data)
     end
 
@@ -106,11 +232,13 @@ module PandaPal
       val
     end
 
+    # Retrieve the User's Role Labels in the Launch Context
     def canvas_role_labels
       labels = get_lti_cust_param('custom_canvas_role')
       labels.is_a?(String) ? labels.split(',') : []
     end
 
+    # Retrieve the User's Role Labels in the specified Account, defaulting to the Root Account
     def canvas_account_role_labels(account = 'self')
       account = 'self' if account.to_s == "root"
       account = account.canvas_id if account.respond_to?(:canvas_id)

data/config/initializers/apartment.rb

@@ -181,7 +181,7 @@ module Apartment
             #   to effectively disable this patch for that model.
             if (adapter = Thread.current[:apartment_adapter]) && adapter.is_a?(Apartment::Adapters::PostgresMultiDBSchemaAdapter) && !adapter.is_excluded_model?(self)
               shard, schema = Apartment::Tenant.split_tenant(adapter.current)
-              return "apt:#{shard}" unless shard == "default"
+              return "#{shard}" unless shard == "default"
             end
 
             pre_apartment_current_shard
@@ -220,18 +220,19 @@ Apartment.configure do |config|
 end
 
 Rails.application.config.middleware.use Apartment::Elevators::Generic, lambda { |request|
-  if match = request.path.match(/\/(?:orgs?|organizations?)\/(\d+)/)
-    PandaPal::Organization.find_by(id: match[1]).try(:tenant_name)
-  elsif match = request.path.match(/\/(?:orgs?|organizations?|o)\/(\w+)/)
-    PandaPal::Organization.find_by(name: match[1]).try(:tenant_name)
-  elsif (panda_token = PandaPal::Helpers::SessionReplacement.extract_panda_token(request)).present?
-    header, sig = panda_token.split('.')
-    # This is just switching the tenant. Auth should be performed elsewhere (eg via `forbid_access_if_lacking_session`/`valid_session?`).
-    decoded_header = JSON.parse(Base64.urlsafe_decode64(header))
-    PandaPal::Organization.find_by(id: decoded_header['o']).try(:tenant_name)
-  elsif request.path.start_with?('/rails/active_storage/blobs/')
-    PandaPal::Organization.find_by(id: request.params['organization_id']).try(:tenant_name)
-  end
+  tenant = if match = request.path.match(/\/(?:orgs?|organizations?)\/(\d+)/)
+      PandaPal::Organization.find_by(id: match[1]).try(:tenant_name)
+    elsif match = request.path.match(/\/(?:orgs?|organizations?|o)\/(\w+)/)
+      PandaPal::Organization.find_by(name: match[1]).try(:tenant_name)
+    elsif (panda_token = PandaPal::Session.extract_panda_token(request)).present?
+      header, sig = panda_token.split('.')
+      # This is just switching the tenant. Auth should be performed elsewhere (eg via `forbid_access_if_lacking_session`/`valid_session?`).
+      decoded_header = JSON.parse(Base64.urlsafe_decode64(header))
+      PandaPal::Organization.find_by(id: decoded_header['o']).try(:tenant_name)
+    elsif request.path.start_with?('/rails/active_storage/blobs/')
+      PandaPal::Organization.find_by(id: request.params['organization_id']).try(:tenant_name)
+    end
+  tenant || 'public'
 }
 
 module PandaPal::Plugins::ApartmentCache

data/lib/panda_pal/helpers/controller_helper.rb

@@ -142,7 +142,7 @@ module PandaPal::Helpers
       return false unless current_panda_session.panda_pal_organization_id == current_organization.id
       return false unless Apartment::Tenant.current == current_organization.tenant_name
       true
-    rescue SessionNonceMismatch
+    rescue PandaPal::Session::SessionNonceMismatch
       false
     end
 

data/lib/panda_pal/helpers/session_replacement.rb

@@ -1,6 +1,4 @@
 module PandaPal::Helpers
-  class SessionNonceMismatch < StandardError; end
-
   module SessionReplacement
     extend ActiveSupport::Concern
 
@@ -43,64 +41,8 @@ module PandaPal::Helpers
     def current_panda_session
       return @current_session if defined?(@current_session)
 
-      if (panda_token = SessionReplacement.extract_panda_token(request, params)).present?
-        # <B64({ v: TOKEN FORMAT, o: ORG ID, s: SESSION ID, typ: TYPE, exp?: EXPIRE, usig?: URL SIGNATURE, nnc?: NONCE })>.<HMAC(<B64HEADER>) | KEY>
-        # TYPE = KEY | T-URI | T-IP | T-NONCE | T-EXP
-
-        header, sig = panda_token.split('.')
-        decoded_header = JSON.parse(Base64.urlsafe_decode64(header))
-
-        org_id = decoded_header['o'].to_i
-        session_id = decoded_header['s']
-        type = decoded_header['typ']
-
-        # raise SessionNonceMismatch, "Session Not Found" unless org_id < 1 || org_id == current_organization.id
-
-        if type == 'KEY'
-          @current_session = PandaPal::Session.find_by(session_secret: sig)
-          raise SessionNonceMismatch, "Session Not Found" unless @current_session.present?
-          raise SessionNonceMismatch, "Session Not Found" if session_id && @current_session.id != session_id
-        else
-          session_record = PandaPal::Session.find_by(id: session_id)
-          raise SessionNonceMismatch, "Session Not Found" unless session_record.present?
-
-          # Validate the header against the signature
-          raise SessionNonceMismatch, "Invalid Signature" unless session_record.validate_signature(header, sig)
-
-          # Check expiration
-          if (expr = decoded_header['exp']).present?
-            raise SessionNonceMismatch, "Expired" unless expr > DateTime.now.iso8601
-          end
-
-          if type == "T-URI"
-            # Signed URLs only support GET requests
-            raise SessionNonceMismatch, "Invalid Method" unless request.method == :get
-
-            # Verify the signature against the request URL
-            # The usig doesn't _need_ to be signed (since it's part of the payload that is already signed),
-            #   but this was an easy way to make the value a constant length. Any basic hashing function could solve this,
-            #   but the HMAC implementation was already available.
-            resigned = generate_signed_url(session_record.signing_key, request.url)
-            raise SessionNonceMismatch, "Invalid Signature" unless resigned == decoded_header['usig']
-
-            # TODO Support single-use tokens via Redis?
-
-            @current_session = session_record
-          elsif type == "T-NONCE"
-            raise SessionNonceMismatch, "Invalid Nonce" unless session_record.data[:link_nonce] == decoded_header['nnc']
-            @current_session = session_record
-            @current_session.data[:link_nonce] = nil
-          elsif type == "T-IP"
-            raise SessionNonceMismatch, "Invalid IP" unless decoded_header["ip"] == request.remote_ip
-            @current_session = session_record
-          elsif type == "T-EXP"
-            # Expiration itself is checked above, but enforce that an expiration is set
-            raise SessionNonceMismatch, "Invalid Expiration" unless decoded_header["exp"].present?
-            @current_session = session_record
-          end
-        end
-
-        raise SessionNonceMismatch, "Session Not Found" unless @current_session.present?
+      if (panda_token = PandaPal::Session.extract_panda_token(request, params)).present?
+        @current_session = PandaPal::Session.for_panda_token(panda_token, request: request)
 
       elsif (session_key = params[:session_key] || session_key_header || flash[:session_key] || session[:session_key]).present?
         # Legacy-format session_keys
@@ -189,9 +131,10 @@ module PandaPal::Helpers
 
       if type == 'url'
         raise StandardError, "URL is required" unless url.present?
+        to_sign = PandaPal::Session.format_url_for_signing(url)
         payload.merge!(
           typ: 'T-URI',
-          usig: generate_signed_url(current_session.signing_key, url.to_s),
+          usig: current_session.sign_value(to_sign),
         )
       else
         @cached_link_nonces ||= {}
@@ -237,22 +180,9 @@ module PandaPal::Helpers
       15
     end
 
+    # @deprecated
     def self.extract_panda_token(request, params = request.params)
-      headers = request.respond_to?(:headers) ? request.headers : request.env
-      token = headers['HTTP_X_PANDA_TOKEN'] || headers['X-Panda-Token']
-
-      token ||= begin
-        if (auth_header = headers['HTTP_AUTHORIZATION'] || headers['Authorization']).present?
-          match = auth_header.match(/Bearer panda:(.+)/)
-          match ||= auth_header.match(/token=(.+)/) # Legacy Support
-          token = match[1] if match && match[1].include?('.')
-        end
-      end
-
-      token ||= params["panda_token"]
-      token ||= params["session_token"] if params["session_token"]&.include?('.') # Legacy Support
-      token ||= params["session_key"] if params["session_key"]&.include?('.') # Legacy Support
-      token.presence
+      PandaPal::Session.extract_panda_token(request, params)
     end
 
     private
@@ -262,6 +192,7 @@ module PandaPal::Helpers
       @session_cryptor ||= ActiveSupport::MessageEncryptor.new(secret_key_base[0..31])
     end
 
+    # @deprecated
     def session_key_header
       if match = request.headers['Authorization'].try(:match, /token=(.+)/)
         match[1]
@@ -273,19 +204,6 @@ module PandaPal::Helpers
       save_session if @current_session && session_changed?
     end
 
-    def generate_signed_url(key, uri)
-      uri = URI.parse(uri) if uri.is_a?(String)
-      signable = "#{uri.path}?#{uri.query}"
-      OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('sha256'), key, signable)
-    end
-
-    def validate_url_signature(key, uri, signature)
-      uri = URI.parse(uri) if uri.is_a?(String)
-      signable = uri.path + '?' + uri.query
-      signable.gsub!(/[&?](session_key|session_token|panda_token)=.*?(&.*)?$/, "")
-      signature == OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('sha256'), key, signable)
-    end
-
     def monkeypatch_flash
       if valid_session? && (value = current_session['flashes']).present?
         flashes = value["flashes"]

data/lib/panda_pal/version.rb

@@ -1,3 +1,3 @@
 module PandaPal
-  VERSION = "5.14.0.beta7"
+  VERSION = "5.15.0"
 end

metadata

@@ -1,14 +1,13 @@
 --- !ruby/object:Gem::Specification
 name: panda_pal
 version: !ruby/object:Gem::Version
-  version: 5.14.0.beta7
+  version: 5.15.0
 platform: ruby
 authors:
 - Instructure CustomDev
-autorequire:
 bindir: bin
 cert_chain: []
-date: 2025-04-24 00:00:00.000000000 Z
+date: 1980-01-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rails
@@ -282,7 +281,6 @@ dependencies:
     - - '='
       - !ruby/object:Gem::Version
         version: 2.7.1
-description:
 email:
 - pseng@instructure.com
 executables: []
@@ -400,7 +398,6 @@ homepage: http://instructure.com
 licenses:
 - MIT
 metadata: {}
-post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -415,8 +412,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.5.16
-signing_key:
+rubygems_version: 3.6.9
 specification_version: 4
 summary: LTI mountable engine
 test_files:
@@ -433,6 +429,7 @@ test_files:
 - spec/dummy/app/controllers/application_controller.rb
 - spec/dummy/app/helpers/application_helper.rb
 - spec/dummy/app/views/layouts/application.html.erb
+- spec/dummy/config.ru
 - spec/dummy/config/application.rb
 - spec/dummy/config/boot.rb
 - spec/dummy/config/database.yml
@@ -450,7 +447,6 @@ test_files:
 - spec/dummy/config/locales/en.yml
 - spec/dummy/config/routes.rb
 - spec/dummy/config/secrets.yml
-- spec/dummy/config.ru
 - spec/dummy/db/schema.rb
 - spec/dummy/db/test2_schema.rb
 - spec/dummy/public/404.html