RubyGems - panda_pal - Versions diffs - 5.2.1 → 5.3.0 - Mend

panda_pal 5.2.1 → 5.3.0

Files changed (15) hide show

checksums.yaml +5 -5
data/README.md +5 -1
data/config/initializers/apartment.rb +59 -11
data/lib/panda_pal/helpers/controller_helper.rb +102 -186
data/lib/panda_pal/helpers/session_replacement.rb +185 -0
data/lib/panda_pal/version.rb +1 -1
metadata +5 -15
data/db/618eef7c0380ba654ad16f867a919e72.sqlite3 +0 -0
data/db/9ff93d4f7e0e9dc80a43f68997caf4a1.sqlite3 +0 -0
data/db/a3fda4044a7215bc2c9eb01a4b9e517a.sqlite3 +0 -0
data/db/daa0e6378a5ec76fcce83b7070dad219.sqlite3 +0 -0
data/spec/dummy/db/development.sqlite3 +0 -0
data/spec/dummy/db/test.sqlite3 +0 -0
data/spec/dummy/log/development.log +0 -15058
data/spec/dummy/log/test.log +0 -0

checksums.yaml CHANGED

@@ -1,7 +1,7 @@
 ---
-SHA256:
-  metadata.gz: 88fe8cce75e1f511b08e025ca0f00ab9cb224e9ab9c91f4a6f36fbbef6031f26
-  data.tar.gz: 9b23a25becc266908e081985943a9b51a5b856b7b52c8c948e007ad638ce90a9
+SHA1:
+  metadata.gz: 42ed3ad8440c5f79c6ccbd20908ffc3e3458b342
+  data.tar.gz: 421fcb272ca0fb0d7c01b191ab4d47da9789d1c4
 SHA512:
-  metadata.gz: 5b82a6629e5d87d9420263eff1a57c477c9e1786fd91312354d8de41c0eba1e83968e4bf954691cb17eb09e6e5fc1f73284f08c76574ec459329ec5c5093d9c2
-  data.tar.gz: 86c997d27d7de28fd3be87bd9343c06ec5cfbf35a1559b2f131f068315b883449b58049b23ccba31e99524a32cef3132ff12ac50777a098821c17bbbe445a2e6
+  metadata.gz: 7a32296d2975f108022334ec1f32b23a461ee7e37966c639680779198a1941b683ef6bc02fe020a61d8ffa683132f7dc05199d43d8fb2c50ed877082a6129b66
+  data.tar.gz: 8d9f225f68a4b3b4d632f48a3975eab2a61ad61575c9278e06e1f21f41b7df6950750f8b429da47ab45c3e0d8aaf032e32da7b98b01c3a0d1151e049971b5857

data/README.md CHANGED

@@ -369,7 +369,11 @@ You will want to watch out for a few scenarios:
 3) If you use `link_to` and navigate in your LTI (apps that are not single page)
    make sure you include the `link_nonce` like so:
     ```ruby
-      link_to "Link Name", somewhere_else_path(session_token: link_nonce)
+      link_to "Link Name", somewhere_else_path(arg, session_token: link_nonce)
+    ```
+    NB: As of PandaPal 5.2.6, you can instead use
+    ```ruby
+      link_to "Name", url_with_session(:somewhere_else_path, arg, kwarg: 1)
     ```
 ### Previous Safari Instructions

data/config/initializers/apartment.rb CHANGED

@@ -1,7 +1,8 @@
 require 'apartment/elevators/generic'
 Apartment.configure do |config|
-  config.excluded_models = ['PandaPal::Organization', 'PandaPal::Session']
+  config.excluded_models ||= []
+  config.excluded_models |= ['PandaPal::Organization', 'PandaPal::Session']
   config.tenant_names = lambda {
     PandaPal::Organization.pluck(:name)
@@ -14,6 +15,21 @@ Rails.application.config.middleware.use Apartment::Elevators::Generic, lambda {
   end
 }
+module PandaPal::Plugins::ApartmentCache
+  private
+  if Rails.version >= '5.0'
+    def normalize_key(key, options)
+      "tenant:#{Apartment::Tenant.current}/#{super}"
+    end
+  else
+    def namespaced_key(*args)
+      "tenant:#{Apartment::Tenant.current}/#{super}"
+    end
+  end
+end
+ActiveSupport::Cache::Store.send(:prepend, PandaPal::Plugins::ApartmentCache)
 if defined?(ActionCable)
   module ActionCable
     module Channel
@@ -38,7 +54,7 @@ if defined?(ActionCable)
     end
   end
-  module ActionCableApartment
+  module PandaPal::Plugins::ActionCableApartment
     module Connection
       def tenant=(name)
         @tenant = name
@@ -56,18 +72,50 @@ if defined?(ActionCable)
     end
   end
-  ActionCable::Connection::Base.prepend(ActionCableApartment::Connection)
+  ActionCable::Connection::Base.prepend(PandaPal::Plugins::ActionCableApartment::Connection)
 end
-module ApartmentCache
-  private
+if defined?(Delayed)
+  module PandaPal::Plugins
+    class ApartmentDelayedJobsPlugin < ::Delayed::Plugin
+      callbacks do |lifecycle|
+        lifecycle.around(:enqueue) do |job, *args, &block|
+          current_tenant = Apartment::Tenant.current
-  def normalize_key(key, options)
-    "tenant:#{Apartment::Tenant.current}/#{super}"
-  end
+          #make sure enqueue on public tenant unless we are testing since delayed job is set to run immediately
+          Apartment::Tenant.switch!('public') unless Rails.env.test?
+          job.tenant = current_tenant
+          begin
+            block.call(job, *args)
+          rescue Exception => e
+            Rails.logger.error("Error enqueing job #{job.to_s} - #{e.backtrace}")
+          ensure
+            #switch back to prev tenant
+            Apartment::Tenant.switch!(current_tenant)
+          end
+        end
+        lifecycle.before(:perform) do |worker, *args, &block|
+          tenant = args.first.tenant
+          Apartment::Tenant.switch!(tenant) if tenant.present?
+          Rails.logger.debug("Running job with tenant #{Apartment::Tenant.current}")
+        end
+        lifecycle.around(:invoke_job) do |job, *args, &block|
+          begin
+            block.call(job, *args)
+          ensure
+            Apartment::Tenant.switch!('public')
+            Rails.logger.debug("Resetting Tenant back to: #{Apartment::Tenant.current}")
+          end
+        end
-  def namespaced_key(*args)
-    normalize_key(*args)
+        lifecycle.after(:failure) do |job, *args|
+          Rails.logger.error("Job failed on tenant: #{Apartment::Tenant.current}")
+        end
+      end
+    end
   end
+  Delayed::Worker.plugins << PandaPal::Plugins::ApartmentDelayedJobsPlugin
 end
-ActiveSupport::Cache::Store.send :prepend, ApartmentCache

data/lib/panda_pal/helpers/controller_helper.rb CHANGED

@@ -1,224 +1,140 @@
 require 'browser'
+require_relative 'session_replacement'
-module PandaPal::Helpers::ControllerHelper
-  extend ActiveSupport::Concern
+module PandaPal::Helpers
+  module ControllerHelper
+    extend ActiveSupport::Concern
+    include SessionReplacement
-  class SessionNotFound < StandardError; end
-  included do
-    helper_method :link_nonce, :current_session
-    after_action :auto_save_session
-  end
-  def save_session
-    current_session.try(:save)
-  end
-  def current_session
-    return @current_session if @current_session.present?
-    if params[:session_token]
-      payload = JSON.parse(panda_pal_cryptor.decrypt_and_verify(params[:session_token])).with_indifferent_access
-      matched_session = PandaPal::Session.find_by(session_key: payload[:session_key])
+    def current_organization
+      @organization ||= PandaPal::Organization.find_by!(key: organization_key) if organization_key
+      @organization ||= PandaPal::Organization.find_by(id: organization_id) if organization_id
+      @organization ||= PandaPal::Organization.find_by_name(Apartment::Tenant.current)
+    end
-      if matched_session.present? && matched_session.data[:link_nonce] == params[:session_token]
-        @current_session = matched_session
-        @current_session.data[:link_nonce] = nil
+    def current_lti_platform
+      return @current_lti_platform if @current_lti_platform.present?
+      # TODO: (Future) This could be expanded more to take better advantage of the LTI 1.3 Multi-Tenancy model.
+      if (canvas_url = current_organization&.settings&.dig(:canvas, :base_url)).present?
+        @current_lti_platform ||= PandaPal::Platform::Canvas.new(canvas_url)
       end
-    elsif (session_key = params[:session_key] || session_key_header || flash[:session_key] || session[:session_key]).present?
-      @current_session = PandaPal::Session.find_by(session_key: session_key) if session_key.present?
-    else
-      @current_session = PandaPal::Session.new(panda_pal_organization_id: current_organization.id)
+      @current_lti_platform ||= PandaPal::Platform::Canvas.new('http://localhost:3000') if Rails.env.development?
+      @current_lti_platform ||= PandaPal::Platform::CANVAS
+      @current_lti_platform
     end
-    raise SessionNotFound, "Session Not Found" unless @current_session.present?
-    @current_session
-  end
-  def current_organization
-    @organization ||= PandaPal::Organization.find_by!(key: organization_key) if organization_key
-    @organization ||= PandaPal::Organization.find_by(id: organization_id) if organization_id
-    @organization ||= PandaPal::Organization.find_by_name(Apartment::Tenant.current)
-  end
-  def current_lti_platform
-    return @current_lti_platform if @current_lti_platform.present?
-    # TODO: (Future) This could be expanded more to take better advantage of the LTI 1.3 Multi-Tenancy model.
-    if (canvas_url = current_organization&.settings&.dig(:canvas, :base_url)).present?
-      @current_lti_platform ||= PandaPal::Platform::Canvas.new(canvas_url)
+    def lti_launch_params
+      current_session_data[:launch_params]
     end
-    @current_lti_platform ||= PandaPal::Platform::Canvas.new('http://localhost:3000') if Rails.env.development?
-    @current_lti_platform ||= PandaPal::Platform::CANVAS
-    @current_lti_platform
-  end
-  def current_session_data
-    current_session.data
-  end
-  def lti_launch_params
-    current_session_data[:launch_params]
-  end
-  def session_changed?
-    current_session.changed? && current_session.changes[:data].present?
-  end
-  def validate_launch!
-    safari_override
+    def validate_launch!
+      safari_override
-    if params[:id_token].present?
-      validate_v1p3_launch
-    elsif params[:oauth_consumer_key].present?
-      validate_v1p0_launch
-    end
-  end
-  def validate_v1p0_launch
-    authorized = false
-    if @organization = params['oauth_consumer_key'] && PandaPal::Organization.find_by_key(params['oauth_consumer_key'])
-      sanitized_params = request.request_parameters
-      # These params come over with a safari-workaround launch.  The authenticator doesn't like them, so clean them out.
-      safe_unexpected_params = ["full_win_launch_requested", "platform_redirect_url", "dummy_param"]
-      safe_unexpected_params.each do |p|
-        sanitized_params.delete(p)
+      if params[:id_token].present?
+        validate_v1p3_launch
+      elsif params[:oauth_consumer_key].present?
+        validate_v1p0_launch
       end
-      authenticator = IMS::LTI::Services::MessageAuthenticator.new(request.original_url, sanitized_params, @organization.secret)
-      authorized = authenticator.valid_signature?
     end
-    if !authorized
-      render plain: 'Invalid Credentials, please contact your Administrator.', :status => :unauthorized unless authorized
-    end
-    authorized
-  end
+    def validate_v1p0_launch
+      authorized = false
+      if @organization = params['oauth_consumer_key'] && PandaPal::Organization.find_by_key(params['oauth_consumer_key'])
+        sanitized_params = request.request_parameters
+        # These params come over with a safari-workaround launch.  The authenticator doesn't like them, so clean them out.
+        safe_unexpected_params = ["full_win_launch_requested", "platform_redirect_url", "dummy_param"]
+        safe_unexpected_params.each do |p|
+          sanitized_params.delete(p)
+        end
+        authenticator = IMS::LTI::Services::MessageAuthenticator.new(request.original_url, sanitized_params, @organization.secret)
+        authorized = authenticator.valid_signature?
+      end
-  def validate_v1p3_launch
-    decoded_jwt = JSON::JWT.decode(params.require(:id_token), :skip_verification)
-    raise JSON::JWT::VerificationFailed, 'error decoding id_token' if decoded_jwt.blank?
+      if !authorized
+        render plain: 'Invalid Credentials, please contact your Administrator.', :status => :unauthorized unless authorized
+      end
-    client_id = decoded_jwt['aud']
-    @organization = PandaPal::Organization.find_by!(key: 'PandaPal') # client_id)
-    raise JSON::JWT::VerificationFailed, 'Unrecognized Organization' unless @organization.present?
+      authorized
+    end
-    decoded_jwt.verify!(current_lti_platform.public_jwks)
+    def validate_v1p3_launch
+      decoded_jwt = JSON::JWT.decode(params.require(:id_token), :skip_verification)
+      raise JSON::JWT::VerificationFailed, 'error decoding id_token' if decoded_jwt.blank?
-    params[:session_key] = params[:state]
-    raise JSON::JWT::VerificationFailed, 'State is invalid' unless current_session_data[:lti_oauth_nonce] == decoded_jwt['nonce']
+      client_id = decoded_jwt['aud']
+      @organization = PandaPal::Organization.find_by!(key: 'PandaPal') # client_id)
+      raise JSON::JWT::VerificationFailed, 'Unrecognized Organization' unless @organization.present?
-    jwt_verifier = PandaPal::LtiJwtValidator.new(decoded_jwt, client_id)
-    raise JSON::JWT::VerificationFailed, jwt_verifier.errors unless jwt_verifier.valid?
+      decoded_jwt.verify!(current_lti_platform.public_jwks)
-    @decoded_lti_jwt = decoded_jwt
-  rescue JSON::JWT::VerificationFailed => e
-    payload = Array(e.message)
+      params[:session_key] = params[:state]
+      raise JSON::JWT::VerificationFailed, 'State is invalid' unless current_session_data[:lti_oauth_nonce] == decoded_jwt['nonce']
-    render json: {
-      message: [
-        { errors: payload },
-        { id_token: params.require(:id_token) },
-      ],
-    }, status: :unauthorized
+      jwt_verifier = PandaPal::LtiJwtValidator.new(decoded_jwt, client_id)
+      raise JSON::JWT::VerificationFailed, jwt_verifier.errors unless jwt_verifier.valid?
-    false
-  end
+      @decoded_lti_jwt = decoded_jwt
+    rescue JSON::JWT::VerificationFailed => e
+      payload = Array(e.message)
-  def switch_tenant(organization = current_organization, &block)
-    return unless organization
-    raise 'This method should be called in an around_action callback' unless block_given?
+      render json: {
+        message: [
+          { errors: payload },
+          { id_token: params.require(:id_token) },
+        ],
+      }, status: :unauthorized
-    Apartment::Tenant.switch(organization.name) do
-      yield
+      false
     end
-  end
-  def forbid_access_if_lacking_session
-    render plain: 'You should do an LTI Tool Launch.', status: :unauthorized unless valid_session?
-    safari_override
-  end
+    def switch_tenant(organization = current_organization, &block)
+      return unless organization
+      raise 'This method should be called in an around_action callback' unless block_given?
-  def verify_authenticity_token
-    # No need to check CSRF when no cookies were sent. This fixes CSRF failures in Browsers
-    # that restrict Cookie setting within an IFrame.
-    return unless request.cookies.keys.length > 0
-    super
-  end
-  def valid_session?
-    [
-      current_session.persisted?,
-      current_organization,
-      current_session.panda_pal_organization_id == current_organization.id,
-      Apartment::Tenant.current == current_organization.name
-    ].all?
-  end
-  def safari_override
-    use_secure_headers_override(:safari_override) if browser.safari?
-  end
-  # Redirect with the session key intact. In production,
-  # handle this by adding a one-time use encrypted token to the URL.
-  # Keeping it in the URL in development means that it plays
-  # nicely with webpack-dev-server live reloading (otherwise
-  # you get an access error everytime it tries to live reload).
-  def redirect_with_session_to(location, params = {}, route_context: self)
-    if Rails.env.development?
-      redirect_to route_context.send(location, {
-        session_key: current_session.session_key,
-        organization_id: current_organization.id,
-      }.merge(params))
-    else
-      redirect_to route_context.send(location, {
-        session_token: link_nonce,
-        organization_id: current_organization.id,
-      }.merge(params))
+      Apartment::Tenant.switch(organization.name) do
+        yield
+      end
     end
-  end
-  def link_nonce
-    @link_nonce ||= begin
-      current_session_data[:link_nonce] = SecureRandom.hex
-      payload = {
-        session_key: current_session.session_key,
-        organization_id: current_organization.id,
-        nonce: current_session_data[:link_nonce],
-      }
+    def forbid_access_if_lacking_session
+      super
+      safari_override
+    end
-      panda_pal_cryptor.encrypt_and_sign(payload.to_json)
+    def valid_session?
+      [
+        current_session&.persisted?,
+        current_organization,
+        current_session&.panda_pal_organization_id == current_organization.id,
+        Apartment::Tenant.current == current_organization.name
+      ].all?
+    rescue SessionNonceMismatch
+      false
     end
-  end
-  private
+    def safari_override
+      use_secure_headers_override(:safari_override) if browser.safari?
+    end
-  def organization_key
-    org_key ||= params[:oauth_consumer_key]
-    org_key ||= "#{params[:client_id]}/#{params[:deployment_id]}" if params[:client_id].present?
-    org_key ||= session[:organization_key]
-    org_key
-  end
+    private
-  def organization_id
-    params[:organization_id]
-  end
-  def session_key_header
-    if match = request.headers['Authorization'].try(:match, /token=(.+)/)
-      match[1]
+    def find_or_create_session(key:)
+      if key == :create
+        PandaPal::Session.new(panda_pal_organization_id: current_organization.id)
+      else
+        PandaPal::Session.find_by(session_key: key)
+      end
     end
-  end
-  def panda_pal_cryptor
-    @panda_pal_cryptor ||= ActiveSupport::MessageEncryptor.new(Rails.application.secret_key_base[0..31])
-  end
+    def organization_key
+      org_key ||= params[:oauth_consumer_key]
+      org_key ||= "#{params[:client_id]}/#{params[:deployment_id]}" if params[:client_id].present?
+      org_key ||= session[:organization_key]
+      org_key
+    end
-  def auto_save_session
-    yield if block_given?
-    save_session if @current_session && session_changed?
+    def organization_id
+      params[:organization_id]
+    end
   end
 end