panda_pal 5.3.6 → 5.3.12

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 6ee53aa3e0e7559100812856e27a35fac95ee52f140a2aeaf49a01ffc4655b01
-  data.tar.gz: 7fb1e3c0d998c130a0b88bb3c1183b7ab5c8073955622cb3bc3ad1a4ce530382
+  metadata.gz: 776a9f59c8500e45d110c3e672e8ec97a891e186687473f33d4561ea74f31902
+  data.tar.gz: b308adfeea7b3b5c15b2a023edd9a0e5eec8a0a768e1fc58c0ecc2c40891cbd0
 SHA512:
-  metadata.gz: 49caebe41e7c49a619f01dad189a7f5f655aa8e2b432afeda3af84758600e436bcdaddf78c45dba6f175f2532c2410e6857b6b3d7bd5ba4e700d81f435931ef9
-  data.tar.gz: 7b1c9f46b63601c074aa6c696eefce05b5d3ba548e197d51feb9aa58f3f354b5e1e4b413d8f1f7a7eb21933f44f7949a87044b127c63b4e4e3bd8134f8a2dfe6
+  metadata.gz: 81b794f8cb355eb4c1f2b3497062cf513e240349212a5b607edfcbe7e47074010cb3ef2fdb9da3025e492ed9c8f75b306270adefb59cc73919469f08a21ad664
+  data.tar.gz: a840a2ad126d6b06f54ec8786b964de3e1095f6f9243d0dcf8b3a18d694f1fa05994127969756678639aacf16849ed7c8528744fd01c7bcf89660c05c891aada

data/README.md

@@ -93,10 +93,22 @@ The following routes should be added to the routes.rb file of the implementing L
 ```ruby
 # config/routes.rb
 mount PandaPal::Engine, at: '/lti'
-lti_nav account_navigation: 'accounts#launch' # Use lti_nav to provide a custom Launch implementation, otherwise use the url: param of stage_navigation to let PandaPal handle launch.
 root to: 'panda_pal/lti#launch'
+
+# Add Launch Endpoints:
+lti_nav account_navigation: 'accounts#launch', auto_launch: false # (LTI <1.3 Default)
+# -- OR --
+scope '/organizations/:organization_id' do
+  lti_nav account_navigation: 'accounts#launch_landing', auto_launch: true # (LTI 1.3 Default)
+  lti_nav account_navigation: 'accounts#launch_landing' # Automatically sets auto_launch to true because :organization_id is part of the path
+  # ...
+end
 ```
 
+`auto_launch`: Setting to `true` will tell PandaPal to handle all of the launch details and session creation, and then pass off to
+the defined action. Setting it to `false` indicates that the defined action handles launch validation and setup itself (this has been the legacy approach).
+Because `auto_launch: false` is most similar to the previous behavior, it is the default for LTI 1.0/1.1 LTIs. For LTI 1.3 LTIs, `auto_launch: true` is the default. If not specified and `:organization_id` is detected in the Route Path, `auto_launch` will be set to `true`
+
 ## Implementating data segregation
 This engine uses Apartment to keep data segregated between installations of the implementing LTI tool.
 By default, it does this by inspecting the path of the request, and matching URLs containing `orgs` or `organizations`,

data/app/controllers/panda_pal/lti_v1_p0_controller.rb

@@ -2,7 +2,7 @@ require_dependency "panda_pal/application_controller"
 
 module PandaPal
   class LtiV1P0Controller < ApplicationController
-    skip_forgery_protection
+    skip_before_action :verify_authenticity_token
 
     def launch
       current_session_data.merge!({

data/app/controllers/panda_pal/lti_v1_p3_controller.rb

@@ -2,7 +2,7 @@ require_dependency "panda_pal/application_controller"
 
 module PandaPal
   class LtiV1P3Controller < ApplicationController
-    skip_forgery_protection
+    skip_before_action :verify_authenticity_token
     before_action :validate_launch!, only: [:resource_link_request]
     around_action :switch_tenant, only: [:resource_link_request]
 
@@ -58,7 +58,12 @@ module PandaPal
         opts = LaunchUrlHelpers.normalize_lti_launch_desc(opts)
         opts.merge!({
           placement: k,
-          target_link_uri: LaunchUrlHelpers.absolute_launch_url(k.to_sym, host: parsed_request_url, launch_handler: v1p3_resource_link_request_path),
+          target_link_uri: LaunchUrlHelpers.absolute_launch_url(
+            k.to_sym,
+            host: parsed_request_url,
+            launch_handler: v1p3_resource_link_request_path,
+            default_auto_launch: true
+          ),
         })
         opts
       end

data/app/lib/lti_xml/base_platform.rb

@@ -85,8 +85,13 @@ module LtiXml
     end
 
     def ext_params(options, k)
-      options = LaunchUrlHelpers.normalize_lti_launch_desc(options)
-      options[:url] = PandaPal::LaunchUrlHelpers.absolute_launch_url(k.to_sym, host: parsed_request_url, launch_handler: nil)
+      options = PandaPal::LaunchUrlHelpers.normalize_lti_launch_desc(options)
+      options[:url] = PandaPal::LaunchUrlHelpers.absolute_launch_url(
+        k.to_sym,
+        host: parsed_request_url,
+        launch_handler: :v1p0_launch_path,
+        default_auto_launch: false
+      )
       options
     end
   end

data/app/lib/panda_pal/launch_url_helpers.rb

@@ -1,25 +1,26 @@
 module PandaPal
   module LaunchUrlHelpers
-    def self.absolute_launch_url(launch_type, host:, launch_handler: nil)
+    def self.absolute_launch_url(launch_type, host:, launch_handler: nil, default_auto_launch: false)
       opts = PandaPal.lti_paths[launch_type]
-      is_direct = opts[:no_redirect] || !launch_handler.present?
+      auto_launch = opts[:auto_launch] != nil ? opts[:auto_launch] : default_auto_launch
+      auto_launch = auto_launch && launch_handler.present?
 
-      if is_direct
-        final_url = launch_url(opts, launch_type: launch_type)
-        return final_url if URI.parse(final_url).absolute?
-        return [host.to_s, final_url].join
-      else
+      if auto_launch
         launch_handler = resolve_route(launch_handler) if launch_handler.is_a?(Symbol)
         return add_url_params([host.to_s, launch_handler].join, {
           launch_type: launch_type,
         })
+      else
+        final_url = launch_url(opts, launch_type: launch_type)
+        return final_url if URI.parse(final_url).absolute?
+        return [host.to_s, final_url].join
       end
     end
 
     def self.normalize_lti_launch_desc(opts)
       opts = opts.dup
       opts.delete(:route_helper_key)
-      opts.delete(:no_redirect)
+      opts.delete(:auto_launch)
       opts
     end
 

data/app/models/panda_pal/organization_concerns/task_scheduling.rb

@@ -168,13 +168,17 @@ module PandaPal
         return nil unless cron_time.present?
 
         cron_time = instance_exec(&cron_time) if cron_time.is_a?(Proc)
-        if !Rufus::Scheduler.parse(cron_time).zone.present? && settings && settings[:timezone]
-          cron_time += " #{settings[:timezone]}"
+        if !Rufus::Scheduler.parse(cron_time).zone.present? && settings && settings_timezone
+          cron_time += " #{settings_timezone}"
         end
 
         cron_time
       end
 
+      def settings_timezone
+        settings[:timezone] || settings.dig(:canvas, :root_account_timezone).presence || nil
+      end
+
       class ScheduledTaskExecutor
         include Sidekiq::Worker
 

data/config/initializers/apartment.rb

@@ -10,8 +10,10 @@ Apartment.configure do |config|
 end
 
 Rails.application.config.middleware.use Apartment::Elevators::Generic, lambda { |request|
-  if match = request.path.match(/\/(?:orgs|organizations)\/(\d+)/)
+  if match = request.path.match(/\/(?:orgs?|organizations?)\/(\d+)/)
     PandaPal::Organization.find_by(id: match[1]).try(:name)
+  elsif request.path.starts_with?('/rails/active_storage/blobs/')
+    PandaPal::Organization.find_by(id: request.params['organization_id']).try(:name)
   end
 }
 

data/config/routes.rb

@@ -3,6 +3,7 @@ PandaPal::Engine.routes.draw do
 
   scope '/v1p0', as: 'v1p0' do
     get '/config' => 'lti_v1_p0#tool_config'
+    post '/launch' => 'lti_v1_p0#launch'
   end
 
   scope '/v1p3', as: 'v1p3' do

data/lib/panda_pal/engine.rb

@@ -24,6 +24,14 @@ module PandaPal
       end
     end
 
+    initializer 'Sidekiq Scheduler Hooks' do
+      ActiveSupport.on_load(:active_record) do
+        if Sidekiq.server? && PandaPal::Organization.respond_to?(:sync_schedules)
+          PandaPal::Organization.sync_schedules
+        end
+      end
+    end
+
     initializer 'panda_pal.app_controller' do |app|
       OAUTH_10_SUPPORT = true
       ActiveSupport.on_load(:action_controller) do

data/lib/panda_pal/helpers/controller_helper.rb

@@ -39,7 +39,11 @@ module PandaPal::Helpers
 
     def validate_v1p0_launch
       authorized = false
-      if @organization = params['oauth_consumer_key'] && PandaPal::Organization.find_by_key(params['oauth_consumer_key'])
+      # We should verify the timestamp is recent (within 5 minutes).  The approved timestamp is part of the signature,
+      # so we don't need to worry about malicious users messing with it.  We should deny requests that come too long
+      # after the approved timestamp.  
+      good_timestamp = params['oauth_timestamp'] && params['oauth_timestamp'].to_i > Time.now.to_i - 300
+      if @organization = good_timestamp && params['oauth_consumer_key'] && PandaPal::Organization.find_by_key(params['oauth_consumer_key'])
         sanitized_params = request.request_parameters
         # These params come over with a safari-workaround launch.  The authenticator doesn't like them, so clean them out.
         safe_unexpected_params = ["full_win_launch_requested", "platform_redirect_url", "dummy_param"]

data/lib/panda_pal/helpers/route_helper.rb

@@ -9,7 +9,12 @@ module PandaPal::Helpers::RouteHelper
     path = "#{base_path}/#{nav.to_s}"
 
     lti_options = options.delete(:lti_options) || {}
-    lti_options[:no_redirect] = options.delete(:no_redirect)
+    lti_options[:auto_launch] = options.delete(:auto_launch)
+
+    if lti_options[:auto_launch].nil?
+      lti_options[:auto_launch] = (@scope[:path] || '').include?(':organization_id')
+    end
+
     lti_options[:route_helper_key] = path.split('/').reject(&:empty?).join('_')
     post(path, options.dup, &block)
     get(path, options.dup, &block)

data/lib/panda_pal/version.rb

@@ -1,3 +1,3 @@
 module PandaPal
-  VERSION = "5.3.6"
+  VERSION = "5.3.12"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: panda_pal
 version: !ruby/object:Gem::Version
-  version: 5.3.6
+  version: 5.3.12
 platform: ruby
 authors:
 - Instructure ProServe
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2021-01-26 00:00:00.000000000 Z
+date: 2021-02-19 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rails