panda_pal 5.2.2 → 5.3.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA256:
-  metadata.gz: c1f192b2da218022d237ff08164acd4376fc14867a40a72809050bd951fc8334
-  data.tar.gz: 347dd911d927eeb2326bda476bb32f5de889fe278186a6f88dd49772ce27a4a3
+SHA1:
+  metadata.gz: 58d85faabac6cdf22825470f81fed8395597e998
+  data.tar.gz: b8a1cbcca9ee21e75ebbc6ef639838211f68271b
 SHA512:
-  metadata.gz: 645ae35f8ea0c1a8b300aae27412ac5d39429bc791e62b6831c4c04c47df80e81a45c5327079b4e202c62e20f084dca346a3bc9306370fdeaface121137d31b0
-  data.tar.gz: 0cbf19b4b88fdc839c4598ac213681f6b86ef26809dcbf75b5cb238e848ad4919846affbabb204b326de79e881ca9f1cec0a5e400a3a792905f045f13924af77
+  metadata.gz: d33dbc91baaae98777f01f373e2aa88d7a260d9765e0d924f2dffbddbc8af427e84b0f83ed99d4d9219569dc8fbea4235fca5e74ee091ee4e02ef0fd0b6c1008
+  data.tar.gz: a95ca21355c9fb8b0ceb4b9ca50d8b2d7cf9d3b366207991a7a650a3634834a663c2ba102688315765aac1ab5b0cd18aebb8f75e1220f16c3304e7dc2208a7b8

data/README.md

@@ -369,7 +369,11 @@ You will want to watch out for a few scenarios:
 3) If you use `link_to` and navigate in your LTI (apps that are not single page)
    make sure you include the `link_nonce` like so: 
     ```ruby
-      link_to "Link Name", somewhere_else_path(session_token: link_nonce)
+      link_to "Link Name", somewhere_else_path(arg, session_token: link_nonce)
+    ```
+    NB: As of PandaPal 5.2.6, you can instead use
+    ```ruby
+      link_to "Name", url_with_session(:somewhere_else_path, arg, kwarg: 1)
     ```
 
 ### Previous Safari Instructions

data/app/lib/panda_pal/misc_helper.rb

@@ -4,9 +4,9 @@ module PandaPal
 
     def self.to_boolean(v)
       if Rails.version < '5.0'
-        ActiveRecord::Type::Boolean.new.type_cast_from_user("0")
+        ActiveRecord::Type::Boolean.new.type_cast_from_user(v)
       else
-        ActiveRecord::Type::Boolean.new.deserialize('0')
+        ActiveRecord::Type::Boolean.new.deserialize(v)
       end
     end
   end

data/config/initializers/apartment.rb

@@ -1,7 +1,8 @@
 require 'apartment/elevators/generic'
 
 Apartment.configure do |config|
-  config.excluded_models = ['PandaPal::Organization', 'PandaPal::Session']
+  config.excluded_models ||= []
+  config.excluded_models |= ['PandaPal::Organization', 'PandaPal::Session']
 
   config.tenant_names = lambda {
     PandaPal::Organization.pluck(:name)
@@ -14,6 +15,21 @@ Rails.application.config.middleware.use Apartment::Elevators::Generic, lambda {
   end
 }
 
+module PandaPal::Plugins::ApartmentCache
+  private
+
+  if Rails.version >= '5.0'
+    def normalize_key(key, options)
+      "tenant:#{Apartment::Tenant.current}/#{super}"
+    end
+  else
+    def namespaced_key(*args)
+      "tenant:#{Apartment::Tenant.current}/#{super}"
+    end
+  end
+end
+ActiveSupport::Cache::Store.send(:prepend, PandaPal::Plugins::ApartmentCache)
+
 if defined?(ActionCable)
   module ActionCable
     module Channel
@@ -38,7 +54,7 @@ if defined?(ActionCable)
     end
   end
 
-  module ActionCableApartment
+  module PandaPal::Plugins::ActionCableApartment
     module Connection
       def tenant=(name)
         @tenant = name
@@ -56,18 +72,50 @@ if defined?(ActionCable)
     end
   end
 
-  ActionCable::Connection::Base.prepend(ActionCableApartment::Connection)
+  ActionCable::Connection::Base.prepend(PandaPal::Plugins::ActionCableApartment::Connection)
 end
 
-module ApartmentCache
-  private
+if defined?(Delayed)
+  module PandaPal::Plugins
+    class ApartmentDelayedJobsPlugin < ::Delayed::Plugin
+      callbacks do |lifecycle|
+        lifecycle.around(:enqueue) do |job, *args, &block|
+          current_tenant = Apartment::Tenant.current
 
-  def normalize_key(key, options)
-    "tenant:#{Apartment::Tenant.current}/#{super}"
-  end
+          #make sure enqueue on public tenant unless we are testing since delayed job is set to run immediately
+          Apartment::Tenant.switch!('public') unless Rails.env.test?
+          job.tenant = current_tenant
+          begin
+            block.call(job, *args)
+          rescue Exception => e
+            Rails.logger.error("Error enqueing job #{job.to_s} - #{e.backtrace}")
+          ensure
+            #switch back to prev tenant
+            Apartment::Tenant.switch!(current_tenant)
+          end
+        end
+
+        lifecycle.before(:perform) do |worker, *args, &block|
+          tenant = args.first.tenant
+          Apartment::Tenant.switch!(tenant) if tenant.present?
+          Rails.logger.debug("Running job with tenant #{Apartment::Tenant.current}")
+        end
+
+        lifecycle.around(:invoke_job) do |job, *args, &block|
+          begin
+            block.call(job, *args)
+          ensure
+            Apartment::Tenant.switch!('public')
+            Rails.logger.debug("Resetting Tenant back to: #{Apartment::Tenant.current}")
+          end
+        end
 
-  def namespaced_key(*args)
-    normalize_key(*args)
+        lifecycle.after(:failure) do |job, *args|
+          Rails.logger.error("Job failed on tenant: #{Apartment::Tenant.current}")
+        end
+      end
+    end
   end
+
+  Delayed::Worker.plugins << PandaPal::Plugins::ApartmentDelayedJobsPlugin
 end
-ActiveSupport::Cache::Store.send :prepend, ApartmentCache

data/lib/panda_pal/helpers/controller_helper.rb

@@ -1,225 +1,139 @@
 require 'browser'
+require_relative 'session_replacement'
 
-module PandaPal::Helpers::ControllerHelper
-  extend ActiveSupport::Concern
+module PandaPal::Helpers
+  module ControllerHelper
+    extend ActiveSupport::Concern
+    include SessionReplacement
 
-  class SessionNotFound < StandardError; end
-
-  included do
-    helper_method :link_nonce, :current_session
-
-    after_action :auto_save_session
-  end
-
-  def save_session
-    current_session.try(:save)
-  end
-
-  def current_session
-    return @current_session if @current_session.present?
-
-    if params[:session_token]
-      payload = JSON.parse(panda_pal_cryptor.decrypt_and_verify(params[:session_token])).with_indifferent_access
-      matched_session = PandaPal::Session.find_by(session_key: payload[:session_key])
+    def current_organization
+      @organization ||= PandaPal::Organization.find_by!(key: organization_key) if organization_key
+      @organization ||= PandaPal::Organization.find_by(id: organization_id) if organization_id
+      @organization ||= PandaPal::Organization.find_by_name(Apartment::Tenant.current)
+    end
 
-      if matched_session.present? && matched_session.data[:link_nonce] == params[:session_token]
-        @current_session = matched_session
-        @current_session.data[:link_nonce] = nil
+    def current_lti_platform
+      return @current_lti_platform if @current_lti_platform.present?
+      # TODO: (Future) This could be expanded more to take better advantage of the LTI 1.3 Multi-Tenancy model.
+      if (canvas_url = current_organization&.settings&.dig(:canvas, :base_url)).present?
+        @current_lti_platform ||= PandaPal::Platform::Canvas.new(canvas_url)
       end
-    elsif (session_key = params[:session_key] || session_key_header || flash[:session_key] || session[:session_key]).present?
-      @current_session = PandaPal::Session.find_by(session_key: session_key) if session_key.present?
-    else
-      @current_session = PandaPal::Session.new(panda_pal_organization_id: current_organization.id)
+      @current_lti_platform ||= PandaPal::Platform::Canvas.new('http://localhost:3000') if Rails.env.development?
+      @current_lti_platform ||= PandaPal::Platform::CANVAS
+      @current_lti_platform
     end
 
-    raise SessionNotFound, "Session Not Found" unless @current_session.present?
-
-    @current_session
-  end
-
-  def current_organization
-    @organization ||= PandaPal::Organization.find_by!(key: organization_key) if organization_key
-    @organization ||= PandaPal::Organization.find_by(id: organization_id) if organization_id
-    @organization ||= PandaPal::Organization.find_by_name(Apartment::Tenant.current)
-  end
-
-  def current_lti_platform
-    return @current_lti_platform if @current_lti_platform.present?
-    # TODO: (Future) This could be expanded more to take better advantage of the LTI 1.3 Multi-Tenancy model.
-    if (canvas_url = current_organization&.settings&.dig(:canvas, :base_url)).present?
-      @current_lti_platform ||= PandaPal::Platform::Canvas.new(canvas_url)
+    def lti_launch_params
+      current_session_data[:launch_params]
     end
-    @current_lti_platform ||= PandaPal::Platform::Canvas.new('http://localhost:3000') if Rails.env.development?
-    @current_lti_platform ||= PandaPal::Platform::CANVAS
-    @current_lti_platform
-  end
-
-  def current_session_data
-    current_session.data
-  end
-
-  def lti_launch_params
-    current_session_data[:launch_params]
-  end
-
-  def session_changed?
-    current_session.changed? && current_session.changes[:data].present?
-  end
 
-  def validate_launch!
-    safari_override
+    def validate_launch!
+      safari_override
 
-    if params[:id_token].present?
-      validate_v1p3_launch
-    elsif params[:oauth_consumer_key].present?
-      validate_v1p0_launch
-    end
-  end
-
-  def validate_v1p0_launch
-    authorized = false
-    if @organization = params['oauth_consumer_key'] && PandaPal::Organization.find_by_key(params['oauth_consumer_key'])
-      sanitized_params = request.request_parameters
-      # These params come over with a safari-workaround launch.  The authenticator doesn't like them, so clean them out.
-      safe_unexpected_params = ["full_win_launch_requested", "platform_redirect_url", "dummy_param"]
-      safe_unexpected_params.each do |p|
-        sanitized_params.delete(p)
+      if params[:id_token].present?
+        validate_v1p3_launch
+      elsif params[:oauth_consumer_key].present?
+        validate_v1p0_launch
       end
-      authenticator = IMS::LTI::Services::MessageAuthenticator.new(request.original_url, sanitized_params, @organization.secret)
-      authorized = authenticator.valid_signature?
     end
 
-    if !authorized
-      render plain: 'Invalid Credentials, please contact your Administrator.', :status => :unauthorized unless authorized
-    end
-
-    authorized
-  end
+    def validate_v1p0_launch
+      authorized = false
+      if @organization = params['oauth_consumer_key'] && PandaPal::Organization.find_by_key(params['oauth_consumer_key'])
+        sanitized_params = request.request_parameters
+        # These params come over with a safari-workaround launch.  The authenticator doesn't like them, so clean them out.
+        safe_unexpected_params = ["full_win_launch_requested", "platform_redirect_url", "dummy_param"]
+        safe_unexpected_params.each do |p|
+          sanitized_params.delete(p)
+        end
+        authenticator = IMS::LTI::Services::MessageAuthenticator.new(request.original_url, sanitized_params, @organization.secret)
+        authorized = authenticator.valid_signature?
+      end
 
-  def validate_v1p3_launch
-    decoded_jwt = JSON::JWT.decode(params.require(:id_token), :skip_verification)
-    raise JSON::JWT::VerificationFailed, 'error decoding id_token' if decoded_jwt.blank?
+      if !authorized
+        render plain: 'Invalid Credentials, please contact your Administrator.', :status => :unauthorized unless authorized
+      end
 
-    client_id = decoded_jwt['aud']
-    @organization = PandaPal::Organization.find_by!(key: 'PandaPal') # client_id)
-    raise JSON::JWT::VerificationFailed, 'Unrecognized Organization' unless @organization.present?
+      authorized
+    end
 
-    decoded_jwt.verify!(current_lti_platform.public_jwks)
+    def validate_v1p3_launch
+      decoded_jwt = JSON::JWT.decode(params.require(:id_token), :skip_verification)
+      raise JSON::JWT::VerificationFailed, 'error decoding id_token' if decoded_jwt.blank?
 
-    params[:session_key] = params[:state]
-    raise JSON::JWT::VerificationFailed, 'State is invalid' unless current_session_data[:lti_oauth_nonce] == decoded_jwt['nonce']
+      client_id = decoded_jwt['aud']
+      @organization = PandaPal::Organization.find_by!(key: 'PandaPal') # client_id)
+      raise JSON::JWT::VerificationFailed, 'Unrecognized Organization' unless @organization.present?
 
-    jwt_verifier = PandaPal::LtiJwtValidator.new(decoded_jwt, client_id)
-    raise JSON::JWT::VerificationFailed, jwt_verifier.errors unless jwt_verifier.valid?
+      decoded_jwt.verify!(current_lti_platform.public_jwks)
 
-    @decoded_lti_jwt = decoded_jwt
-  rescue JSON::JWT::VerificationFailed => e
-    payload = Array(e.message)
+      params[:session_key] = params[:state]
+      raise JSON::JWT::VerificationFailed, 'State is invalid' unless current_session_data[:lti_oauth_nonce] == decoded_jwt['nonce']
 
-    render json: {
-      message: [
-        { errors: payload },
-        { id_token: params.require(:id_token) },
-      ],
-    }, status: :unauthorized
+      jwt_verifier = PandaPal::LtiJwtValidator.new(decoded_jwt, client_id)
+      raise JSON::JWT::VerificationFailed, jwt_verifier.errors unless jwt_verifier.valid?
 
-    false
-  end
+      @decoded_lti_jwt = decoded_jwt
+    rescue JSON::JWT::VerificationFailed => e
+      payload = Array(e.message)
 
-  def switch_tenant(organization = current_organization, &block)
-    return unless organization
-    raise 'This method should be called in an around_action callback' unless block_given?
+      render json: {
+        message: [
+          { errors: payload },
+          { id_token: params.require(:id_token) },
+        ],
+      }, status: :unauthorized
 
-    Apartment::Tenant.switch(organization.name) do
-      yield
+      false
     end
-  end
 
-  def forbid_access_if_lacking_session
-    render plain: 'You should do an LTI Tool Launch.', status: :unauthorized unless valid_session?
-    safari_override
-  end
+    def switch_tenant(organization = current_organization, &block)
+      return unless organization
+      raise 'This method should be called in an around_action callback' unless block_given?
 
-  def verify_authenticity_token
-    # No need to check CSRF when no cookies were sent. This fixes CSRF failures in Browsers
-    # that restrict Cookie setting within an IFrame.
-    return unless request.cookies.keys.length > 0
-    super
-  end
-
-  def valid_session?
-    [
-      current_session.persisted?,
-      current_organization,
-      current_session.panda_pal_organization_id == current_organization.id,
-      Apartment::Tenant.current == current_organization.name
-    ].all?
-  end
-
-  def safari_override
-    use_secure_headers_override(:safari_override) if browser.safari?
-  end
-
-  # Redirect with the session key intact. In production,
-  # handle this by adding a one-time use encrypted token to the URL.
-  # Keeping it in the URL in development means that it plays
-  # nicely with webpack-dev-server live reloading (otherwise
-  # you get an access error everytime it tries to live reload).
-
-  def redirect_with_session_to(location, params = {}, route_context: self, **rest)
-    params.merge!(rest)
-    if Rails.env.development?
-      redirect_to route_context.send(location, {
-        session_key: current_session.session_key,
-        organization_id: current_organization.id,
-      }.merge(params))
-    else
-      redirect_to route_context.send(location, {
-        session_token: link_nonce,
-        organization_id: current_organization.id,
-      }.merge(params))
+      Apartment::Tenant.switch(organization.name) do
+        yield
+      end
     end
-  end
-
-  def link_nonce
-    @link_nonce ||= begin
-      current_session_data[:link_nonce] = SecureRandom.hex
 
-      payload = {
-        session_key: current_session.session_key,
-        organization_id: current_organization.id,
-        nonce: current_session_data[:link_nonce],
-      }
+    def forbid_access_if_lacking_session
+      super
+      safari_override
+    end
 
-      panda_pal_cryptor.encrypt_and_sign(payload.to_json)
+    def valid_session?
+      return false unless current_session(create_missing: false)&.persisted?
+      return false unless current_organization
+      return false unless current_session.panda_pal_organization_id == current_organization.id
+      return false unless Apartment::Tenant.current == current_organization.name
+      true
+    rescue SessionNonceMismatch
+      false
     end
-  end
 
-  private
+    def safari_override
+      use_secure_headers_override(:safari_override) if browser.safari?
+    end
 
-  def organization_key
-    org_key ||= params[:oauth_consumer_key]
-    org_key ||= "#{params[:client_id]}/#{params[:deployment_id]}" if params[:client_id].present?
-    org_key ||= session[:organization_key]
-    org_key
-  end
+    private
 
-  def organization_id
-    params[:organization_id]
-  end
-
-  def session_key_header
-    if match = request.headers['Authorization'].try(:match, /token=(.+)/)
-      match[1]
+    def find_or_create_session(key:)
+      if key == :create
+        PandaPal::Session.new(panda_pal_organization_id: current_organization.id)
+      else
+        PandaPal::Session.find_by(session_key: key)
+      end
     end
-  end
 
-  def panda_pal_cryptor
-    @panda_pal_cryptor ||= ActiveSupport::MessageEncryptor.new(Rails.application.secret_key_base[0..31])
-  end
+    def organization_key
+      org_key ||= params[:oauth_consumer_key]
+      org_key ||= "#{params[:client_id]}/#{params[:deployment_id]}" if params[:client_id].present?
+      org_key ||= session[:organization_key]
+      org_key
+    end
 
-  def auto_save_session
-    yield if block_given?
-    save_session if @current_session && session_changed?
+    def organization_id
+      params[:organization_id]
+    end
   end
 end