RubyGems - panda_pal - Versions diffs - 5.2.1 → 5.3.0 - Mend

panda_pal 5.2.1 → 5.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (15) hide show

checksums.yaml +5 -5
data/README.md +5 -1
data/config/initializers/apartment.rb +59 -11
data/lib/panda_pal/helpers/controller_helper.rb +102 -186
data/lib/panda_pal/helpers/session_replacement.rb +185 -0
data/lib/panda_pal/version.rb +1 -1
metadata +5 -15
data/db/618eef7c0380ba654ad16f867a919e72.sqlite3 +0 -0
data/db/9ff93d4f7e0e9dc80a43f68997caf4a1.sqlite3 +0 -0
data/db/a3fda4044a7215bc2c9eb01a4b9e517a.sqlite3 +0 -0
data/db/daa0e6378a5ec76fcce83b7070dad219.sqlite3 +0 -0
data/spec/dummy/db/development.sqlite3 +0 -0
data/spec/dummy/db/test.sqlite3 +0 -0
data/spec/dummy/log/development.log +0 -15058
data/spec/dummy/log/test.log +0 -0

checksums.yaml CHANGED

@@ -1,7 +1,7 @@
 ---
-SHA256:
-  metadata.gz: 88fe8cce75e1f511b08e025ca0f00ab9cb224e9ab9c91f4a6f36fbbef6031f26
-  data.tar.gz: 9b23a25becc266908e081985943a9b51a5b856b7b52c8c948e007ad638ce90a9
+SHA1:
+  metadata.gz: 42ed3ad8440c5f79c6ccbd20908ffc3e3458b342
+  data.tar.gz: 421fcb272ca0fb0d7c01b191ab4d47da9789d1c4
 SHA512:
-  metadata.gz: 5b82a6629e5d87d9420263eff1a57c477c9e1786fd91312354d8de41c0eba1e83968e4bf954691cb17eb09e6e5fc1f73284f08c76574ec459329ec5c5093d9c2
-  data.tar.gz: 86c997d27d7de28fd3be87bd9343c06ec5cfbf35a1559b2f131f068315b883449b58049b23ccba31e99524a32cef3132ff12ac50777a098821c17bbbe445a2e6
+  metadata.gz: 7a32296d2975f108022334ec1f32b23a461ee7e37966c639680779198a1941b683ef6bc02fe020a61d8ffa683132f7dc05199d43d8fb2c50ed877082a6129b66
+  data.tar.gz: 8d9f225f68a4b3b4d632f48a3975eab2a61ad61575c9278e06e1f21f41b7df6950750f8b429da47ab45c3e0d8aaf032e32da7b98b01c3a0d1151e049971b5857

data/README.md CHANGED

@@ -369,7 +369,11 @@ You will want to watch out for a few scenarios:
 3) If you use `link_to` and navigate in your LTI (apps that are not single page)
    make sure you include the `link_nonce` like so:
     ```ruby
-      link_to "Link Name", somewhere_else_path(session_token: link_nonce)
+      link_to "Link Name", somewhere_else_path(arg, session_token: link_nonce)
+    ```
+    NB: As of PandaPal 5.2.6, you can instead use
+    ```ruby
+      link_to "Name", url_with_session(:somewhere_else_path, arg, kwarg: 1)
     ```
 ### Previous Safari Instructions

data/config/initializers/apartment.rb CHANGED

@@ -1,7 +1,8 @@
 require 'apartment/elevators/generic'
 Apartment.configure do |config|
-  config.excluded_models = ['PandaPal::Organization', 'PandaPal::Session']
+  config.excluded_models ||= []
+  config.excluded_models |= ['PandaPal::Organization', 'PandaPal::Session']
   config.tenant_names = lambda {
     PandaPal::Organization.pluck(:name)
@@ -14,6 +15,21 @@ Rails.application.config.middleware.use Apartment::Elevators::Generic, lambda {
   end
 }
+module PandaPal::Plugins::ApartmentCache
+  private
+  if Rails.version >= '5.0'
+    def normalize_key(key, options)
+      "tenant:#{Apartment::Tenant.current}/#{super}"
+    end
+  else
+    def namespaced_key(*args)
+      "tenant:#{Apartment::Tenant.current}/#{super}"
+    end
+  end
+end
+ActiveSupport::Cache::Store.send(:prepend, PandaPal::Plugins::ApartmentCache)
 if defined?(ActionCable)
   module ActionCable
     module Channel
@@ -38,7 +54,7 @@ if defined?(ActionCable)
     end
   end
-  module ActionCableApartment
+  module PandaPal::Plugins::ActionCableApartment
     module Connection
       def tenant=(name)
         @tenant = name
@@ -56,18 +72,50 @@ if defined?(ActionCable)
     end
   end
-  ActionCable::Connection::Base.prepend(ActionCableApartment::Connection)
+  ActionCable::Connection::Base.prepend(PandaPal::Plugins::ActionCableApartment::Connection)
 end
-module ApartmentCache
-  private
+if defined?(Delayed)
+  module PandaPal::Plugins
+    class ApartmentDelayedJobsPlugin < ::Delayed::Plugin
+      callbacks do |lifecycle|
+        lifecycle.around(:enqueue) do |job, *args, &block|
+          current_tenant = Apartment::Tenant.current
-  def normalize_key(key, options)
-    "tenant:#{Apartment::Tenant.current}/#{super}"
-  end
+          #make sure enqueue on public tenant unless we are testing since delayed job is set to run immediately
+          Apartment::Tenant.switch!('public') unless Rails.env.test?
+          job.tenant = current_tenant
+          begin
+            block.call(job, *args)
+          rescue Exception => e
+            Rails.logger.error("Error enqueing job #{job.to_s} - #{e.backtrace}")
+          ensure
+            #switch back to prev tenant
+            Apartment::Tenant.switch!(current_tenant)
+          end
+        end
+        lifecycle.before(:perform) do |worker, *args, &block|
+          tenant = args.first.tenant
+          Apartment::Tenant.switch!(tenant) if tenant.present?
+          Rails.logger.debug("Running job with tenant #{Apartment::Tenant.current}")
+        end
+        lifecycle.around(:invoke_job) do |job, *args, &block|
+          begin
+            block.call(job, *args)
+          ensure
+            Apartment::Tenant.switch!('public')
+            Rails.logger.debug("Resetting Tenant back to: #{Apartment::Tenant.current}")
+          end
+        end
-  def namespaced_key(*args)
-    normalize_key(*args)
+        lifecycle.after(:failure) do |job, *args|
+          Rails.logger.error("Job failed on tenant: #{Apartment::Tenant.current}")
+        end
+      end
+    end
   end
+  Delayed::Worker.plugins << PandaPal::Plugins::ApartmentDelayedJobsPlugin
 end
-ActiveSupport::Cache::Store.send :prepend, ApartmentCache

data/lib/panda_pal/helpers/controller_helper.rb CHANGED

@@ -1,224 +1,140 @@
 require 'browser'
+require_relative 'session_replacement'
-module PandaPal::Helpers::ControllerHelper
-  extend ActiveSupport::Concern
+module PandaPal::Helpers
+  module ControllerHelper
+    extend ActiveSupport::Concern
+    include SessionReplacement
-  class SessionNotFound < StandardError; end
-  included do
-    helper_method :link_nonce, :current_session
-    after_action :auto_save_session
-  end
-  def save_session
-    current_session.try(:save)
-  end
-  def current_session
-    return @current_session if @current_session.present?
-    if params[:session_token]
-      payload = JSON.parse(panda_pal_cryptor.decrypt_and_verify(params[:session_token])).with_indifferent_access
-      matched_session = PandaPal::Session.find_by(session_key: payload[:session_key])
+    def current_organization
+      @organization ||= PandaPal::Organization.find_by!(key: organization_key) if organization_key
+      @organization ||= PandaPal::Organization.find_by(id: organization_id) if organization_id
+      @organization ||= PandaPal::Organization.find_by_name(Apartment::Tenant.current)
+    end
-      if matched_session.present? && matched_session.data[:link_nonce] == params[:session_token]
-        @current_session = matched_session
-        @current_session.data[:link_nonce] = nil
+    def current_lti_platform
+      return @current_lti_platform if @current_lti_platform.present?
+      # TODO: (Future) This could be expanded more to take better advantage of the LTI 1.3 Multi-Tenancy model.
+      if (canvas_url = current_organization&.settings&.dig(:canvas, :base_url)).present?
+        @current_lti_platform ||= PandaPal::Platform::Canvas.new(canvas_url)
       end
-    elsif (session_key = params[:session_key] || session_key_header || flash[:session_key] || session[:session_key]).present?
-      @current_session = PandaPal::Session.find_by(session_key: session_key) if session_key.present?
-    else
-      @current_session = PandaPal::Session.new(panda_pal_organization_id: current_organization.id)
+      @current_lti_platform ||= PandaPal::Platform::Canvas.new('http://localhost:3000') if Rails.env.development?
+      @current_lti_platform ||= PandaPal::Platform::CANVAS
+      @current_lti_platform
     end
-    raise SessionNotFound, "Session Not Found" unless @current_session.present?
-    @current_session
-  end
-  def current_organization
-    @organization ||= PandaPal::Organization.find_by!(key: organization_key) if organization_key
-    @organization ||= PandaPal::Organization.find_by(id: organization_id) if organization_id
-    @organization ||= PandaPal::Organization.find_by_name(Apartment::Tenant.current)
-  end
-  def current_lti_platform
-    return @current_lti_platform if @current_lti_platform.present?
-    # TODO: (Future) This could be expanded more to take better advantage of the LTI 1.3 Multi-Tenancy model.
-    if (canvas_url = current_organization&.settings&.dig(:canvas, :base_url)).present?
-      @current_lti_platform ||= PandaPal::Platform::Canvas.new(canvas_url)
+    def lti_launch_params
+      current_session_data[:launch_params]
     end
-    @current_lti_platform ||= PandaPal::Platform::Canvas.new('http://localhost:3000') if Rails.env.development?
-    @current_lti_platform ||= PandaPal::Platform::CANVAS
-    @current_lti_platform
-  end
-  def current_session_data
-    current_session.data
-  end
-  def lti_launch_params
-    current_session_data[:launch_params]
-  end
-  def session_changed?
-    current_session.changed? && current_session.changes[:data].present?
-  end
-  def validate_launch!
-    safari_override
+    def validate_launch!
+      safari_override
-    if params[:id_token].present?
-      validate_v1p3_launch
-    elsif params[:oauth_consumer_key].present?
-      validate_v1p0_launch
-    end
-  end
-  def validate_v1p0_launch
-    authorized = false
-    if @organization = params['oauth_consumer_key'] && PandaPal::Organization.find_by_key(params['oauth_consumer_key'])
-      sanitized_params = request.request_parameters
-      # These params come over with a safari-workaround launch.  The authenticator doesn't like them, so clean them out.
-      safe_unexpected_params = ["full_win_launch_requested", "platform_redirect_url", "dummy_param"]
-      safe_unexpected_params.each do |p|
-        sanitized_params.delete(p)
+      if params[:id_token].present?
+        validate_v1p3_launch
+      elsif params[:oauth_consumer_key].present?
+        validate_v1p0_launch
       end
-      authenticator = IMS::LTI::Services::MessageAuthenticator.new(request.original_url, sanitized_params, @organization.secret)
-      authorized = authenticator.valid_signature?
     end
-    if !authorized
-      render plain: 'Invalid Credentials, please contact your Administrator.', :status => :unauthorized unless authorized
-    end
-    authorized
-  end
+    def validate_v1p0_launch
+      authorized = false
+      if @organization = params['oauth_consumer_key'] && PandaPal::Organization.find_by_key(params['oauth_consumer_key'])
+        sanitized_params = request.request_parameters
+        # These params come over with a safari-workaround launch.  The authenticator doesn't like them, so clean them out.
+        safe_unexpected_params = ["full_win_launch_requested", "platform_redirect_url", "dummy_param"]
+        safe_unexpected_params.each do |p|
+          sanitized_params.delete(p)
+        end
+        authenticator = IMS::LTI::Services::MessageAuthenticator.new(request.original_url, sanitized_params, @organization.secret)
+        authorized = authenticator.valid_signature?
+      end
-  def validate_v1p3_launch
-    decoded_jwt = JSON::JWT.decode(params.require(:id_token), :skip_verification)
-    raise JSON::JWT::VerificationFailed, 'error decoding id_token' if decoded_jwt.blank?
+      if !authorized
+        render plain: 'Invalid Credentials, please contact your Administrator.', :status => :unauthorized unless authorized
+      end
-    client_id = decoded_jwt['aud']
-    @organization = PandaPal::Organization.find_by!(key: 'PandaPal') # client_id)
-    raise JSON::JWT::VerificationFailed, 'Unrecognized Organization' unless @organization.present?
+      authorized
+    end
-    decoded_jwt.verify!(current_lti_platform.public_jwks)
+    def validate_v1p3_launch
+      decoded_jwt = JSON::JWT.decode(params.require(:id_token), :skip_verification)
+      raise JSON::JWT::VerificationFailed, 'error decoding id_token' if decoded_jwt.blank?
-    params[:session_key] = params[:state]
-    raise JSON::JWT::VerificationFailed, 'State is invalid' unless current_session_data[:lti_oauth_nonce] == decoded_jwt['nonce']
+      client_id = decoded_jwt['aud']
+      @organization = PandaPal::Organization.find_by!(key: 'PandaPal') # client_id)
+      raise JSON::JWT::VerificationFailed, 'Unrecognized Organization' unless @organization.present?
-    jwt_verifier = PandaPal::LtiJwtValidator.new(decoded_jwt, client_id)
-    raise JSON::JWT::VerificationFailed, jwt_verifier.errors unless jwt_verifier.valid?
+      decoded_jwt.verify!(current_lti_platform.public_jwks)
-    @decoded_lti_jwt = decoded_jwt
-  rescue JSON::JWT::VerificationFailed => e
-    payload = Array(e.message)
+      params[:session_key] = params[:state]
+      raise JSON::JWT::VerificationFailed, 'State is invalid' unless current_session_data[:lti_oauth_nonce] == decoded_jwt['nonce']
-    render json: {
-      message: [
-        { errors: payload },
-        { id_token: params.require(:id_token) },
-      ],
-    }, status: :unauthorized
+      jwt_verifier = PandaPal::LtiJwtValidator.new(decoded_jwt, client_id)
+      raise JSON::JWT::VerificationFailed, jwt_verifier.errors unless jwt_verifier.valid?
-    false
-  end
+      @decoded_lti_jwt = decoded_jwt
+    rescue JSON::JWT::VerificationFailed => e
+      payload = Array(e.message)
-  def switch_tenant(organization = current_organization, &block)
-    return unless organization
-    raise 'This method should be called in an around_action callback' unless block_given?
+      render json: {
+        message: [
+          { errors: payload },
+          { id_token: params.require(:id_token) },
+        ],
+      }, status: :unauthorized
-    Apartment::Tenant.switch(organization.name) do
-      yield
+      false
     end
-  end
-  def forbid_access_if_lacking_session
-    render plain: 'You should do an LTI Tool Launch.', status: :unauthorized unless valid_session?
-    safari_override
-  end
+    def switch_tenant(organization = current_organization, &block)
+      return unless organization
+      raise 'This method should be called in an around_action callback' unless block_given?
-  def verify_authenticity_token
-    # No need to check CSRF when no cookies were sent. This fixes CSRF failures in Browsers
-    # that restrict Cookie setting within an IFrame.
-    return unless request.cookies.keys.length > 0
-    super
-  end
-  def valid_session?
-    [
-      current_session.persisted?,
-      current_organization,
-      current_session.panda_pal_organization_id == current_organization.id,
-      Apartment::Tenant.current == current_organization.name
-    ].all?
-  end
-  def safari_override
-    use_secure_headers_override(:safari_override) if browser.safari?
-  end
-  # Redirect with the session key intact. In production,
-  # handle this by adding a one-time use encrypted token to the URL.
-  # Keeping it in the URL in development means that it plays
-  # nicely with webpack-dev-server live reloading (otherwise
-  # you get an access error everytime it tries to live reload).
-  def redirect_with_session_to(location, params = {}, route_context: self)
-    if Rails.env.development?
-      redirect_to route_context.send(location, {
-        session_key: current_session.session_key,
-        organization_id: current_organization.id,
-      }.merge(params))
-    else
-      redirect_to route_context.send(location, {
-        session_token: link_nonce,
-        organization_id: current_organization.id,
-      }.merge(params))
+      Apartment::Tenant.switch(organization.name) do
+        yield
+      end
     end
-  end
-  def link_nonce
-    @link_nonce ||= begin
-      current_session_data[:link_nonce] = SecureRandom.hex
-      payload = {
-        session_key: current_session.session_key,
-        organization_id: current_organization.id,
-        nonce: current_session_data[:link_nonce],
-      }
+    def forbid_access_if_lacking_session
+      super
+      safari_override
+    end
-      panda_pal_cryptor.encrypt_and_sign(payload.to_json)
+    def valid_session?
+      [
+        current_session&.persisted?,
+        current_organization,
+        current_session&.panda_pal_organization_id == current_organization.id,
+        Apartment::Tenant.current == current_organization.name
+      ].all?
+    rescue SessionNonceMismatch
+      false
     end
-  end
-  private
+    def safari_override
+      use_secure_headers_override(:safari_override) if browser.safari?
+    end
-  def organization_key
-    org_key ||= params[:oauth_consumer_key]
-    org_key ||= "#{params[:client_id]}/#{params[:deployment_id]}" if params[:client_id].present?
-    org_key ||= session[:organization_key]
-    org_key
-  end
+    private
-  def organization_id
-    params[:organization_id]
-  end
-  def session_key_header
-    if match = request.headers['Authorization'].try(:match, /token=(.+)/)
-      match[1]
+    def find_or_create_session(key:)
+      if key == :create
+        PandaPal::Session.new(panda_pal_organization_id: current_organization.id)
+      else
+        PandaPal::Session.find_by(session_key: key)
+      end
     end
-  end
-  def panda_pal_cryptor
-    @panda_pal_cryptor ||= ActiveSupport::MessageEncryptor.new(Rails.application.secret_key_base[0..31])
-  end
+    def organization_key
+      org_key ||= params[:oauth_consumer_key]
+      org_key ||= "#{params[:client_id]}/#{params[:deployment_id]}" if params[:client_id].present?
+      org_key ||= session[:organization_key]
+      org_key
+    end
-  def auto_save_session
-    yield if block_given?
-    save_session if @current_session && session_changed?
+    def organization_id
+      params[:organization_id]
+    end
   end
 end