RubyGems - panda_pal - Versions diffs - 5.3.6.beta2 → 5.3.10 - Mend

panda_pal 5.3.6.beta2 → 5.3.10

Files changed (15) hide show

checksums.yaml +4 -4
data/README.md +15 -2
data/app/controllers/panda_pal/lti_v1_p0_controller.rb +1 -1
data/app/controllers/panda_pal/lti_v1_p3_controller.rb +8 -4
data/app/lib/lti_xml/base_platform.rb +7 -2
data/app/lib/panda_pal/launch_url_helpers.rb +15 -8
data/app/models/panda_pal/organization_concerns/settings_validation.rb +14 -0
data/config/initializers/apartment.rb +3 -1
data/config/routes.rb +1 -0
data/lib/panda_pal.rb +1 -0
data/lib/panda_pal/helpers/controller_helper.rb +5 -1
data/lib/panda_pal/helpers/route_helper.rb +6 -0
data/lib/panda_pal/version.rb +1 -1
data/panda_pal.gemspec +1 -0
metadata +18 -4

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 1797969aa547664019c9091a2286fc7ed2958e749c392094db1818e3f2826984
-  data.tar.gz: 53049f9345f939d99f7083dbf49cd3a96f15f3282252a1b4a518aa16d589632d
+  metadata.gz: 42e9ffbf3704935100156e28b5d3f2490fba75a5974b352f0092c14bb8b87ffb
+  data.tar.gz: 5d511a85fe356dfe659ecaacfc7023315f649947ff483c6969e253802549e825
 SHA512:
-  metadata.gz: 5088fcf2d122b23da5a2f82ac3054d64fe6974c6c984d9c3726db910bb101b67816b92b8a4b43b47e818fbb85f3bd02a9487d0ca2fd322daeea7cc475bf67b41
-  data.tar.gz: 16d8ee8931f7911a00486f7c5fe0774a4cc80bc942b3477458df0e3bcb0dcc274f519789f10fb1b6e6c4d28419ef45649460c2c09104b95b81cf96c6478fe1bc
+  metadata.gz: a4d2a7242e203c4c86866ff7efb3ba211c2b3b7f41463b776785371e06997470fdee569ed4e4ba0025a7eef6198bb067e1fdf71fc8b7c9307bf26c1d343de7db
+  data.tar.gz: 7c3f0facf0767b7afea02ad0368bf6a0d79c8522109289e463a95719cd7f3762a34b5ad641499ff96871815f2db1ec76f192dd6221936d3af2586399a402bf1f

data/README.md CHANGED Viewed

@@ -26,7 +26,8 @@ LTI 1.3 has some additional configuration steps required to setup an LTI:
 1. If you're running Canvas locally, make sure the `config/redis.yml` and `config/dynamic_settings.yml` files exist in Canvas.
 2. In prod, you'll need to generate a RSA Private Key for the LTI to use. You can set the `LTI_PRIVATE_KEY` ENV variable, or manually set `PandaPal.lti_private_key = OpenSSL::PKey::RSA.new(key)`.
-3. Your PandaPal::Organization's `key` should be `CLIENT_ID/DEPLOYMENT_ID` (which can be found in Canvas). If a Deployment ID is not given, the key should just be `CLIENT_ID/`.
+3. Make sure you have Redis installed and linked correctly
+4. Your PandaPal::Organization's `key` should be `CLIENT_ID/DEPLOYMENT_ID` (which can be found in Canvas). If a Deployment ID is not given, the key should just be `CLIENT_ID`.
 ### Launch URL property
 LTI Spec: `The launch_url contains the URL to which the LTI Launch is to be sent.   The secure_launch_url is the URL to use if secure http is required.  One of either the launch_url or the secure_launch_url must be specified.`
@@ -92,10 +93,22 @@ The following routes should be added to the routes.rb file of the implementing L
 ```ruby
 # config/routes.rb
 mount PandaPal::Engine, at: '/lti'
-lti_nav account_navigation: 'accounts#launch' # Use lti_nav to provide a custom Launch implementation, otherwise use the url: param of stage_navigation to let PandaPal handle launch.
 root to: 'panda_pal/lti#launch'
+# Add Launch Endpoints:
+lti_nav account_navigation: 'accounts#launch', auto_launch: false # (LTI <1.3 Default)
+# -- OR --
+scope '/organizations/:organization_id' do
+  lti_nav account_navigation: 'accounts#launch_landing', auto_launch: true # (LTI 1.3 Default)
+  lti_nav account_navigation: 'accounts#launch_landing' # Automatically sets auto_launch to true because :organization_id is part of the path
+  # ...
+end
 ```
+`auto_launch`: Setting to `true` will tell PandaPal to handle all of the launch details and session creation, and then pass off to
+the defined action. Setting it to `false` indicates that the defined action handles launch validation and setup itself (this has been the legacy approach).
+Because `auto_launch: false` is most similar to the previous behavior, it is the default for LTI 1.0/1.1 LTIs. For LTI 1.3 LTIs, `auto_launch: true` is the default. If not specified and `:organization_id` is detected in the Route Path, `auto_launch` will be set to `true`
 ## Implementating data segregation
 This engine uses Apartment to keep data segregated between installations of the implementing LTI tool.
 By default, it does this by inspecting the path of the request, and matching URLs containing `orgs` or `organizations`,

data/app/controllers/panda_pal/lti_v1_p0_controller.rb CHANGED Viewed

@@ -2,7 +2,7 @@ require_dependency "panda_pal/application_controller"
 module PandaPal
   class LtiV1P0Controller < ApplicationController
-    skip_forgery_protection
+    skip_before_action :verify_authenticity_token
     def launch
       current_session_data.merge!({

data/app/controllers/panda_pal/lti_v1_p3_controller.rb CHANGED Viewed

@@ -2,7 +2,7 @@ require_dependency "panda_pal/application_controller"
 module PandaPal
   class LtiV1P3Controller < ApplicationController
-    skip_forgery_protection
+    skip_before_action :verify_authenticity_token
     before_action :validate_launch!, only: [:resource_link_request]
     around_action :switch_tenant, only: [:resource_link_request]
@@ -55,11 +55,15 @@ module PandaPal
       parsed_request_url = URI.parse(request_url)
       mapped_placements = PandaPal.lti_paths.map do |k, opts|
-        opts = opts.dup
-        opts.delete(:route_helper_key)
+        opts = LaunchUrlHelpers.normalize_lti_launch_desc(opts)
         opts.merge!({
           placement: k,
-          target_link_uri: LaunchUrlHelpers.absolute_launch_url(k.to_sym, host: parsed_request_url, launch_handler: v1p3_resource_link_request_path),
+          target_link_uri: LaunchUrlHelpers.absolute_launch_url(
+            k.to_sym,
+            host: parsed_request_url,
+            launch_handler: v1p3_resource_link_request_path,
+            default_auto_launch: true
+          ),
         })
         opts
       end

data/app/lib/lti_xml/base_platform.rb CHANGED Viewed

@@ -85,8 +85,13 @@ module LtiXml
     end
     def ext_params(options, k)
-      options.delete(:route_helper_key)
-      options[:url] = PandaPal::LaunchUrlHelpers.absolute_launch_url(k.to_sym, host: parsed_request_url, launch_handler: nil)
+      options = PandaPal::LaunchUrlHelpers.normalize_lti_launch_desc(options)
+      options[:url] = PandaPal::LaunchUrlHelpers.absolute_launch_url(
+        k.to_sym,
+        host: parsed_request_url,
+        launch_handler: :v1p0_launch_path,
+        default_auto_launch: false
+      )
       options
     end
   end

data/app/lib/panda_pal/launch_url_helpers.rb CHANGED Viewed

@@ -1,22 +1,29 @@
 module PandaPal
   module LaunchUrlHelpers
-    def self.absolute_launch_url(launch_type, host:, launch_handler: nil)
+    def self.absolute_launch_url(launch_type, host:, launch_handler: nil, default_auto_launch: false)
       opts = PandaPal.lti_paths[launch_type]
-      final_url = launch_url(opts, launch_type: launch_type)
+      auto_launch = opts[:auto_launch] != nil ? opts[:auto_launch] : default_auto_launch
+      auto_launch = auto_launch && launch_handler.present?
-      is_direct = opts[:route_helper_key].present? || !launch_handler.present?
-      if is_direct
-        return final_url if URI.parse(final_url).absolute?
-        return [host.to_s, final_url].join
-      else
+      if auto_launch
         launch_handler = resolve_route(launch_handler) if launch_handler.is_a?(Symbol)
         return add_url_params([host.to_s, launch_handler].join, {
           launch_type: launch_type,
         })
+      else
+        final_url = launch_url(opts, launch_type: launch_type)
+        return final_url if URI.parse(final_url).absolute?
+        return [host.to_s, final_url].join
       end
     end
+    def self.normalize_lti_launch_desc(opts)
+      opts = opts.dup
+      opts.delete(:route_helper_key)
+      opts.delete(:auto_launch)
+      opts
+    end
     def self.launch_url(opts, launch_type: nil)
       url = launch_route(opts, launch_type: launch_type)
       url = resolve_url_symbol(url) if url.is_a?(Symbol)

data/app/models/panda_pal/organization_concerns/settings_validation.rb CHANGED Viewed

@@ -99,6 +99,20 @@ module PandaPal
           errors.concat(val_errors)
         end
+        if settings.is_a?(Array)
+          if spec[:length].is_a?(Range)
+            errors << "#{human_path} should contain #{spec[:length]} items" unless spec[:length].include?(settings.count)
+          elsif spec[:length].is_a?(Numeric)
+            errors << "#{human_path} should contain exactly #{spec[:length]} items" unless spec[:length] == settings.count
+          end
+          if spec[:item] != nil
+            settings.each_with_index do |value, i|
+              validate_settings_level(settings[i], spec[:item], path: [*path, i], errors: errors)
+            end
+          end
+        end
         if settings.is_a?(Hash)
           if spec[:properties] != nil
             spec[:properties].each do |key, pspec|

data/config/initializers/apartment.rb CHANGED Viewed

@@ -10,7 +10,9 @@ Apartment.configure do |config|
 end
 Rails.application.config.middleware.use Apartment::Elevators::Generic, lambda { |request|
-  if match = request.path.match(/\/(?:orgs|organizations)\/(\d+)/)
+  if request.path.starts_with?('/rails/active_storage/blobs/')
+    PandaPal::Organization.find_by(id: request.params['organization_id']).try(:name)
+  elsif match = request.path.match(/\/(?:orgs?|organizations?)\/(\d+)/)
     PandaPal::Organization.find_by(id: match[1]).try(:name)
   end
 }

data/config/routes.rb CHANGED Viewed

@@ -3,6 +3,7 @@ PandaPal::Engine.routes.draw do
   scope '/v1p0', as: 'v1p0' do
     get '/config' => 'lti_v1_p0#tool_config'
+    post '/launch' => 'lti_v1_p0#launch'
   end
   scope '/v1p3', as: 'v1p3' do

data/lib/panda_pal.rb CHANGED Viewed

@@ -81,6 +81,7 @@ module PandaPal
   def self.validate_lti_navigation(errors = [])
     @@lti_navigation.each do |k, v|
+      next if v[:route_helper_key]
       errors << "lti navigation '#{k}' does not have a Route!" unless (LaunchUrlHelpers.launch_url(k) rescue nil)
     end
     errors

data/lib/panda_pal/helpers/controller_helper.rb CHANGED Viewed

@@ -39,7 +39,11 @@ module PandaPal::Helpers
     def validate_v1p0_launch
       authorized = false
-      if @organization = params['oauth_consumer_key'] && PandaPal::Organization.find_by_key(params['oauth_consumer_key'])
+      # We should verify the timestamp is recent (within 5 minutes).  The approved timestamp is part of the signature,
+      # so we don't need to worry about malicious users messing with it.  We should deny requests that come too long
+      # after the approved timestamp.
+      good_timestamp = params['oauth_timestamp'] && params['oauth_timestamp'].to_i > Time.now.to_i - 300
+      if @organization = good_timestamp && params['oauth_consumer_key'] && PandaPal::Organization.find_by_key(params['oauth_consumer_key'])
         sanitized_params = request.request_parameters
         # These params come over with a safari-workaround launch.  The authenticator doesn't like them, so clean them out.
         safe_unexpected_params = ["full_win_launch_requested", "platform_redirect_url", "dummy_param"]

data/lib/panda_pal/helpers/route_helper.rb CHANGED Viewed

@@ -9,6 +9,12 @@ module PandaPal::Helpers::RouteHelper
     path = "#{base_path}/#{nav.to_s}"
     lti_options = options.delete(:lti_options) || {}
+    lti_options[:auto_launch] = options.delete(:auto_launch)
+    if lti_options[:auto_launch].nil?
+      lti_options[:auto_launch] = (@scope[:path] || '').include?(':organization_id')
+    end
     lti_options[:route_helper_key] = path.split('/').reject(&:empty?).join('_')
     post(path, options.dup, &block)
     get(path, options.dup, &block)

data/lib/panda_pal/version.rb CHANGED Viewed

@@ -1,3 +1,3 @@
 module PandaPal
-  VERSION = "5.3.6.beta2"
+  VERSION = "5.3.10"
 end

data/panda_pal.gemspec CHANGED Viewed

@@ -23,6 +23,7 @@ Gem::Specification.new do |s|
   s.add_dependency 'attr_encrypted', '~> 3.0.0'
   s.add_dependency 'secure_headers', '~> 6.1'
   s.add_dependency 'json-jwt'
+  s.add_dependency 'httparty'
   s.add_development_dependency 'sidekiq'
   s.add_development_dependency 'sidekiq-scheduler'

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: panda_pal
 version: !ruby/object:Gem::Version
-  version: 5.3.6.beta2
+  version: 5.3.10
 platform: ruby
 authors:
 - Instructure ProServe
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2020-12-18 00:00:00.000000000 Z
+date: 2021-02-05 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rails
@@ -128,6 +128,20 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: httparty
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: sidekiq
   requirement: !ruby/object:Gem::Requirement
@@ -298,9 +312,9 @@ required_ruby_version: !ruby/object:Gem::Requirement
       version: '0'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
-  - - ">"
+  - - ">="
     - !ruby/object:Gem::Version
-      version: 1.3.1
+      version: '0'
 requirements: []
 rubygems_version: 3.0.3
 signing_key: