panda_pal 5.4.11 → 5.6.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 405f20d636bb1ef29c5f115bb91679f0a0cb951155bd6d9633c96ec72dcd4a43
-  data.tar.gz: 19cb62856f5a5a2184624218fa1a70de353c7a4abc5135133e18089dc99305a7
+  metadata.gz: 57786e37a6af09156402d16afed167b7984105dde04a1e1cc32aad5d8505567a
+  data.tar.gz: 1d9cc2abbe1dce34ce0d52aa0234f6f8e909dca3a5c9eabd59b57d2b91de9f90
 SHA512:
-  metadata.gz: 57524bab33e144b0ba8b8f2a2e792aec57a437234141b65ecb4dcf20c44c7f48989cf1f889802163756824f3cf12af4587f23627931e441f13b3240f68818806
-  data.tar.gz: db533926d6f3687bbf233099d904e11b6b507b410ad215e1f8f595450f3bcb1ae486d5cdd04b5bd8beb1f0f7535dc824c98e666c5891e6465cedc5718432e6d7
+  metadata.gz: 1943d3e91f8c510f28eeedd1793a8853545800608b098aa29e217a3ab7a155ad6e6ea414e6c661b13206b0980b527425564612c91f65a97e17537436ac30e449
+  data.tar.gz: d762fe3b44e97fda8eaded8595ebf4f53a8a2e551de8fd5ab8e74433068dcb2a52fcc0dcbf5af637ca0e28c13ee88d3d751a3860bd8d873d61f85a3199d44055

data/README.md

@@ -21,6 +21,16 @@ PandaPal::stage_navigation(:account_navigation, {
 
 Configuration data for an installation can be set by creating a `PandaPal::Organization` record.  Due to the nature of the data segregation, once created, the name of the organization should not be changed (and will raise a validation error).
 
+### Canvas Installation
+As of version 5.5.0, LTIs can be installed into Canvas via the console:
+```ruby
+org.install_lti(
+  host: "https://your_lti.herokuapp.com",
+  context: "account/self", # (Optional) Or "account/3", "course/1", etc
+  exists: :error, # (Optional) Action to take if an LTI with the same Key already exists. Options are :error, :replace, :duplicate
+)
+```
+
 ### LTI 1.3 Configuration
 LTI 1.3 has some additional configuration steps required to setup an LTI:
 
@@ -86,6 +96,35 @@ end
 
 XML for an installation can be generated by visiting `/lti/config` in your application.
 
+### Generated API Methods
+It's common to need to manually trigger logic during UAT. PandaPal 5.6.0+ adds a feature to enable clients to do this themselves.
+This is done by a deployer accessing the console and creating a `PandaPal::ApiCall`. This can be done like so:
+```ruby
+org.create_api(<<~RUBY, expiration: 30.days.from_now, uses: 10)
+  arg1 = p[:some_param] # `p` is an in-scope variable that is a Hash of the params sent to the triggering request.
+  PandaPal::Organization.current.trigger_canvas_sync()
+  { foo: "bar" } # Will be returned to the client. Can be anything that is JSON serializable.
+RUBY
+# OR
+org.create_api(:symbol_of_method_on_organization, expiration: 30.days.from_now, uses: 10)
+```
+This will return a URL like such: `/panda_pal/call_logic?some_param=TODO&token=JWT.TOKEN.IS.HERE` that can be either GET'd or POST'd.
+The URL generator will *attempt* to determine which params the logic accepts and insert them as `param=TODO` in the generated URL.
+
+When triggered, the return value of the code will be wrapped and sent to the client:
+```json
+{
+  "status": "ok",
+  "uses_remaining": 9,
+  "result": {
+    "foo": "bar",
+  }
+}
+```
+
+#### Revoking
+A Call URI may be revoked by deleting the `PandaPal::ApiCall` object. `uses:` and logic are stored in the DB (and can thus be altered), but `expiration:` is stored in the JWT and is thus immutable.
+
 ### Routing
 
 The following routes should be added to the routes.rb file of the implementing LTI. (substituting `account_navigation` with the other staged navigation routes, if necessary)

data/app/controllers/panda_pal/api_call_controller.rb

@@ -0,0 +1,36 @@
+require 'jwt'
+require_dependency "panda_pal/application_controller"
+
+module PandaPal
+  class ApiCallController < ApplicationController
+    rescue_from StandardError do |err|
+      render json: { status: 'error' }, status: 500
+    end
+    rescue_from ::JWT::DecodeError do |err|
+      render json: { status: 'error', error: "Invalid JWT" }, status: 403
+    end
+
+    around_action do |blk|
+      payload = ApiCall.decode_jwt(params[:token])
+      org_id = payload['organization_id']
+      if org_id
+        PandaPal::Organization.find(org_id).switch_tenant do
+          blk.call
+        end
+      else
+        blk.call
+      end
+    end
+
+    def call
+      ac = ApiCall.from_jwt(params.require(:token))
+      result = ac.call(params.to_unsafe_h)
+
+      render json: {
+        status: 'ok',
+        uses_remaining: ac.uses_remaining,
+        result: result,
+      }
+    end
+  end
+end

data/app/lib/panda_pal/launch_url_helpers.rb

@@ -1,6 +1,6 @@
 module PandaPal
   module LaunchUrlHelpers
-    def self.absolute_launch_url(launch_type, host:, launch_handler: nil, default_auto_launch: false)
+    def self.absolute_launch_url(launch_type, host: uri_host, launch_handler: nil, default_auto_launch: false)
       opts = PandaPal.lti_paths[launch_type]
       auto_launch = opts[:auto_launch] != nil ? opts[:auto_launch] : default_auto_launch
       auto_launch = auto_launch && launch_handler.present?
@@ -18,12 +18,10 @@ module PandaPal
     end
 
     def self.url_for(options)
-      request = Thread.current[:controller]&.request
-      host = "#{request.scheme}://#{request.host_with_port}"
       if options.is_a?(Symbol)
-        Rails.application.routes.url_helpers.send(options, host: host)
+        Rails.application.routes.url_helpers.send(options, host: uri_host)
       else
-        options[:host] ||= host
+        options[:host] ||= uri_host
         Rails.application.routes.url_helpers.url_for(options)
       end
     end
@@ -74,7 +72,23 @@ module PandaPal
       uri.to_s
     end
 
-    private
+    def self.with_uri_host(uri)
+      uri = URI.parse(uri) unless uri.is_a?(URI)
+      raise "host: param must have a protocal and no path" if uri.path.present?
+
+      initial = Thread.current[:panda_pal_access_uri]
+      begin
+        Thread.current[:panda_pal_access_uri] = uri
+        yield
+      ensure
+        Thread.current[:panda_pal_access_uri] = initial
+      end
+    end
+
+    def self.uri_host
+      request = Thread.current[:controller]&.request
+      Thread.current[:panda_pal_access_uri]&.to_s || "#{request.scheme}://#{request.host_with_port}"
+    end
 
     def self.resolve_route(key, *arguments, engine: 'PandaPal', **kwargs)
       return key if key.is_a?(String)

data/app/models/panda_pal/api_call.rb

@@ -0,0 +1,58 @@
+require 'jwt'
+
+module PandaPal
+  class ApiCall < ActiveRecord::Base
+    # TODO Add Rate Limiting?
+
+    def self.decode_jwt(jwt)
+      jwt_payload, jwt_header = ::JWT.decode(jwt, Rails.application.secret_key_base, true, { algorithm: 'HS256' })
+      jwt_payload
+    end
+
+    def self.from_jwt(jwt)
+      jwt = decode_jwt(jwt) if jwt.is_a?(String)
+      ApiCall.find(jwt['api_call_id'])
+    end
+
+    before_validation on: [:update] do
+      errors.add(:expiration, 'is not changeable') if expiration_changed?
+    end
+
+    def call(params, internal: false)
+      if !internal && uses_remaining != nil
+        self.uses_remaining -= 1
+        if uses_remaining <= 0
+          destroy!
+        else
+          save!
+        end
+      end
+
+      prc = eval("->(p) {
+        #{logic}
+      }")
+
+      prc.call(params)
+    end
+
+    def call_url(host: nil, params: {}, **kwargs)
+      func_params = logic.scan(/\bp\[:(\w+)\]/).flatten
+      phash = {}
+      func_params.each.with_index do |p, i|
+        phash[p.to_sym] = params[p.to_sym] || "TODO"
+      end
+
+      PandaPal::Engine.routes.url_helpers.call_logic_url(self, token: jwt_token(**kwargs), only_path: !host, host: host, **phash, format: nil)
+    end
+
+    def jwt_token(expiration: self.expiration)
+      payload = {
+        api_call_id: id,
+        organization_id: Organization.current&.id,
+      }
+      payload[:exp] = expiration.iso8601 if expiration.present?
+      ::JWT.encode(payload, Rails.application.secret_key_base, 'HS256')
+    end
+
+  end
+end

data/app/models/panda_pal/organization.rb

@@ -54,8 +54,63 @@ module PandaPal
       include ext
     end
 
+    def create_api(logic, expiration: nil, uses: nil, host: nil)
+      switch_tenant do
+        logic = "current_organization.#{logic}" if logic.is_a?(Symbol)
+        ac = ApiCall.create!(
+          logic: logic,
+          expiration: expiration,
+          uses_remaining: uses,
+        )
+        ac.call_url(host: host)
+      end
+    end
+
+    def lti_platform
+      lti_platform_type.new(self)
+    end
+
+    def lti_platform_type
+      platform = PandaPal.lti_options[:platform] || 'canvas.instructure.com'
+      case platform
+      when 'canvas.instructure.com'
+        PandaPal::Platform::Canvas
+      # when 'bridgeapp.com'
+        # TODO Add support for Bridge?
+      else
+        raise "Unknown platform '#{platform}'"
+      end
+    end
+
+    def rename!(new_name)
+      do_switch = Apartment::Tenant.current == name
+      ActiveRecord::Base.connection.execute(
+        "ALTER SCHEMA \"#{name}\" RENAME TO \"#{new_name}\";"
+      )
+      self.class.where(id: id).update_all(name: new_name)
+      reload
+      switch_tenant if do_switch
+    end
+
+    def respond_to_missing?(name, include_private = false)
+      (platform_org_extension_module&.instance_method(name) rescue nil) || super
+    end
+
+    def method_missing(method, *args, &block)
+      ext = platform_org_extension_module
+      if (ext.instance_method(method) rescue nil)
+        ext.instance_method(method).bind_call(self, *args, &block)
+      else
+        super
+      end
+    end
+
     private
 
+    def platform_org_extension_module
+      defined?(lti_platform_type::OrgExtension) ? lti_platform_type::OrgExtension : nil
+    end
+
     def create_schema
       Apartment::Tenant.create name
     end

data/app/models/panda_pal/platform.rb

@@ -1,3 +1,8 @@
+begin
+  require 'bearcat'
+rescue LoadError
+end
+
 module PandaPal
   class Platform
     def public_jwks
@@ -8,13 +13,24 @@ module PandaPal
     rescue
       nil
     end
+
+    protected
+
+    def self.find_org_setting(paths, org = current_organization)
+      paths.each do |p|
+        p = p.split('.').map(&:to_sym)
+        val = org.settings.dig(*p)
+        return val if val.present?
+      end
+      nil
+    end
   end
 
   class Platform::Canvas < Platform
-    attr_accessor :base_url
+    attr_accessor :organization
 
-    def initialize(base_url)
-      @base_url = base_url
+    def initialize(org)
+      @organization = org
     end
 
     def host
@@ -32,9 +48,128 @@ module PandaPal
     def grant_url
       "#{base_url}/login/oauth2/token"
     end
-  end
 
-  class Platform
-    CANVAS = Platform::Canvas.new('https://canvas.instructure.com')
+    def base_url; org.canvas_url; end
+
+    module OrgExtension
+      def install_lti(host: nil, context: :root_account, version: 'v1p1', exists: :error)
+        raise "Automatically installing this LTI requires Bearcat." unless defined?(Bearcat)
+
+        context = context.to_s
+        context = 'account/self' if context == 'root_account'
+        cid, ctype = context.split(/[\.\/]/).reverse
+        ctype ||= 'account'
+
+        existing_installs = bearcat_client.send(:"#{ctype}_external_tools", cid).all_pages_each.filter do |cet|
+          cet[:consumer_key] == self.key
+        end
+
+        if existing_installs.present?
+          case exists
+          when :error
+            raise "Tool with key #{self.key} already installed"
+          when :duplicate
+          when :replace
+            existing_installs.each do |install|
+              bearcat_client.send(:"delete_#{ctype}_external_tool", cid, install[:id])
+            end
+          else
+            raise "exists: #{exists} is not supported"
+          end
+        end
+
+        # TODO LTI 1.3 Support
+
+        conf = {
+          name: PandaPal.lti_options[:title],
+          description: PandaPal.lti_options[:description],
+          consumer_key: self.key,
+          shared_secret: self.secret,
+          privacy_level: "public",
+          config_type: 'by_url',
+          config_url: PandaPal::LaunchUrlHelpers.resolve_route(:v1p0_config_url, host: host),
+        }
+
+        bearcat_client.send(:"create_#{ctype}_external_tool", cid, conf)
+      end
+
+      def lti_api_configuration(host: nil)
+        PandaPal::LaunchUrlHelpers.with_uri_host(host) do
+          domain = PandaPal.lti_properties[:domain] || host.host
+          launch_url = PandaPal.lti_options[:secure_launch_url] ||
+            "#{domain}#{PandaPal.lti_options[:secure_launch_path]}" ||
+            PandaPal.lti_options[:launch_url] ||
+            "#{domain}#{PandaPal.lti_options[:launch_path]}" ||
+            domain
+
+          lti_json = {
+            name: PandaPal.lti_options[:title],
+            description: PandaPal.lti_options[:description],
+            domain: host.host,
+            url: launch_url,
+            consumer_key: self.key,
+            shared_secret: self.secret,
+            privacy_level: "public",
+
+            custom_fields: {},
+
+            environments: PandaPal.lti_environments,
+          }
+
+          lti_json = lti_json.with_indifferent_access
+          lti_json.merge!(PandaPal.lti_properties)
+
+          (PandaPal.lti_options[:custom_fields] || []).each do |k, v|
+            lti_json[:custom_fields][k] = v
+          end
+
+          PandaPal.lti_paths.each do |k, options|
+            options = PandaPal::LaunchUrlHelpers.normalize_lti_launch_desc(options)
+            options[:url] = PandaPal::LaunchUrlHelpers.absolute_launch_url(
+              k.to_sym,
+              host: host,
+              launch_handler: :v1p0_launch_path,
+              default_auto_launch: false
+            ).to_s
+            lti_json[k] = options
+          end
+
+          lti_json
+        end
+      end
+
+      def canvas_url
+        PandaPal::Platform.find_org_setting([
+          "canvas.base_url",
+          "canvas_url",
+          "canvas_base_url",
+          "canvas.url",
+          "base_url",
+        ], self) || (Rails.env.development? && 'http://localhost:3000') || 'https://canvas.instructure.com'
+      end
+
+      def canvas_api_token
+        PandaPal::Platform.find_org_setting([
+          "canvas.api_token",
+          "canvas.api_key",
+          "canvas.token",
+          "canvas_api_token",
+          "canvas_token",
+          "api_token",
+        ], self)
+      end
+
+      if defined?(Bearcat)
+        def bearcat_client
+          return canvas_sync_client if defined?(canvas_sync_client)
+
+          Bearcat::Client.new(
+            prefix: canvas_url,
+            token: canvas_token,
+            master_rate_limit: (Rails.env.production? && !!defined?(Redis) && ENV['REDIS_URL'].present?),
+          )
+        end
+      end
+    end
   end
 end

data/config/routes.rb

@@ -1,6 +1,9 @@
 PandaPal::Engine.routes.draw do
   get '/config' => 'lti_v1_p0#tool_config' # Legacy Support
 
+  get "/call_logic" => "api_call#call"
+  post "/call_logic" => "api_call#call"
+
   scope '/v1p0', as: 'v1p0' do
     get '/config' => 'lti_v1_p0#tool_config'
     post '/launch' => 'lti_v1_p0#launch'

data/db/migrate/20220721095653_create_panda_pal_api_calls.rb

@@ -0,0 +1,11 @@
+class CreatePandaPalApiCalls < PandaPal::MiscHelper::MigrationClass
+  def change
+    create_table :panda_pal_api_calls do |t|
+      t.text :logic
+      t.string :expiration
+      t.integer :uses_remaining
+
+      t.timestamps null: false
+    end
+  end
+end

data/lib/panda_pal/engine.rb

@@ -15,13 +15,11 @@ module PandaPal
     end
 
     initializer :append_migrations do |app|
-      unless app.root.to_s.match root.to_s
-        config.paths["db/migrate"].expanded.each do |expanded_path|
-          app.config.paths["db/migrate"] << expanded_path
-        end
-        # Apartment will modify this, but it doesn't fully support engine migrations, so we'll reset it here
-        ActiveRecord::Migrator.migrations_paths = Rails.application.paths['db/migrate'].to_a
+      config.paths["db/migrate"].expanded.each do |expanded_path|
+        app.config.paths["db/migrate"] << expanded_path
       end
+      # Apartment will modify this, but it doesn't fully support engine migrations, so we'll reset it here
+      ActiveRecord::Migrator.migrations_paths = Rails.application.paths['db/migrate'].to_a
     end
 
     initializer 'interop dependencies' do
@@ -70,7 +68,7 @@ module PandaPal
     end
 
     initializer "panda_pal.assets.precompile" do |app|
-      app.config.assets.precompile << "panda_pal_manifest.js"
+      app.config.assets.precompile << "panda_pal_manifest.js" rescue nil
     end
 
     initializer :secure_headers do |app|

data/lib/panda_pal/helpers/controller_helper.rb

@@ -13,14 +13,7 @@ module PandaPal::Helpers
     end
 
     def current_lti_platform
-      return @current_lti_platform if @current_lti_platform.present?
-      # TODO: (Future) This could be expanded more to take better advantage of the LTI 1.3 Multi-Tenancy model.
-      if (canvas_url = current_organization&.settings&.dig(:canvas, :base_url)).present?
-        @current_lti_platform ||= PandaPal::Platform::Canvas.new(canvas_url)
-      end
-      @current_lti_platform ||= PandaPal::Platform::Canvas.new('http://localhost:3000') if Rails.env.development?
-      @current_lti_platform ||= PandaPal::Platform::CANVAS
-      @current_lti_platform
+      @current_lti_platform ||= current_organization.lti_platform
     end
 
     def lti_launch_params
@@ -41,7 +34,7 @@ module PandaPal::Helpers
       authorized = false
       # We should verify the timestamp is recent (within 5 minutes).  The approved timestamp is part of the signature,
       # so we don't need to worry about malicious users messing with it.  We should deny requests that come too long
-      # after the approved timestamp.  
+      # after the approved timestamp.
       good_timestamp = params['oauth_timestamp'] && params['oauth_timestamp'].to_i > Time.now.to_i - 300
       if @organization = good_timestamp && params['oauth_consumer_key'] && PandaPal::Organization.find_by_key(params['oauth_consumer_key'])
         sanitized_params = request.request_parameters

data/lib/panda_pal/version.rb

@@ -1,3 +1,3 @@
 module PandaPal
-  VERSION = "5.4.11"
+  VERSION = "5.6.0"
 end

data/panda_pal.gemspec

@@ -1,11 +1,16 @@
 $:.push File.expand_path("../lib", __FILE__)
 
-require "panda_pal/version"
+begin
+  require "panda_pal/version"
+  version = PandaPal::VERSION
+rescue LoadError
+  version = "0.0.0.docker"
+end
 
 # Describe your gem and declare its dependencies:
 Gem::Specification.new do |s|
   s.name        = "panda_pal"
-  s.version     = PandaPal::VERSION
+  s.version     = version
   s.authors     = ["Instructure ProServe"]
   s.email       = ["pseng@instructure.com"]
   s.homepage    = "http://instructure.com"
@@ -22,10 +27,15 @@ Gem::Specification.new do |s|
   s.add_dependency 'attr_encrypted', '~> 3.0.0'
   s.add_dependency 'secure_headers', '~> 6.1'
   s.add_dependency 'json-jwt'
+  s.add_dependency 'jwt'
   s.add_dependency 'httparty'
 
+  s.add_development_dependency "rails", "~> 5.2"
+  s.add_development_dependency 'pg'
   s.add_development_dependency 'sidekiq'
   s.add_development_dependency 'sidekiq-scheduler'
+  s.add_development_dependency 'ros-apartment', '~> 2.11'
+  s.add_development_dependency 'ros-apartment-sidekiq', '~> 1.2'
   s.add_development_dependency 'rspec-rails'
   s.add_development_dependency 'factory_girl_rails'
 end

data/spec/controllers/panda_pal/api_call_controller_spec.rb

@@ -0,0 +1,27 @@
+require 'rails_helper'
+
+module PandaPal
+  RSpec.describe ApiCallController, type: :controller do
+    let!(:api_call) { ApiCall.create!(logic: '"#{p[:foo]}_bar"') }
+
+    def json_body
+      JSON.parse(response.body)
+    end
+
+    describe "#call" do
+      it "calls the function with parameters" do
+        get :call, params: { token: api_call.jwt_token, foo: 'bar', use_route: 'panda_pal' }
+        expect(response).to be_successful
+        expect(json_body["status"]).to eq 'ok'
+        expect(json_body["result"]).to eq 'bar_bar'
+      end
+
+      it "fails given a bad JWT" do
+        get :call, params: { token: "bad.jwt.token", foo: 'bar', use_route: 'panda_pal' }
+        expect(response).not_to be_successful
+        expect(json_body["status"]).to eq 'error'
+        expect(json_body["error"]).to eq 'Invalid JWT'
+      end
+    end
+  end
+end

data/spec/dummy/config/database.yml

@@ -1,25 +1,25 @@
-# SQLite version 3.x
-#   gem install sqlite3
-#
-#   Ensure the SQLite 3 gem is defined in your Gemfile
-#   gem 'sqlite3'
-#
+
 default: &default
   adapter: postgresql
-  pool: 5
-  timeout: 5000
+  encoding: unicode
+  # For details on connection pooling, see Rails configuration guide
+  # http://guides.rubyonrails.org/configuring.html#database-pooling
+  pool: <%= ENV.fetch("DB_POOL_SIZE", nil) || (ENV.fetch("RAILS_MAX_THREADS") { 5 }.to_i + 10) %>
+  username: <%= ENV.fetch("DB_USERNAME", "") %>
+  password: <%= ENV.fetch("DB_PASSWORD", "") %>
+  host: <%= ENV.fetch("DB_ADDRESS", "localhost") %>
 
 development:
   <<: *default
   database: panda_pal_development
 
-# Warning: The database defined as "test" will be erased and
-# re-generated from your development database when you run "rake".
-# Do not set this db to the same as development or production.
 test:
   <<: *default
   database: panda_pal_test
 
 production:
   <<: *default
-  database: db/production.sqlite3
+  host: <%= ENV.fetch('DB_ADDRESS', 'localhost') %>
+  database: panda_pal_production
+  username: <%= ENV.fetch("DB_USERNAME", "panda_pal_specs_postgres_user") %>
+  password: <%= ENV.fetch("DB_PASSWORD", 'panda_pal_specs_postgres_password') %>

data/spec/dummy/db/schema.rb

@@ -10,12 +10,20 @@
 #
 # It's strongly recommended that you check this file into your version control system.
 
-ActiveRecord::Schema.define(version: 20171205194657) do
+ActiveRecord::Schema.define(version: 2022_07_21_095653) do
 
   # These are extensions that must be enabled in order to support this database
   enable_extension "plpgsql"
 
-  create_table "panda_pal_organizations", force: :cascade do |t|
+  create_table "panda_pal_api_calls", id: :serial, force: :cascade do |t|
+    t.text "logic"
+    t.string "expiration"
+    t.integer "uses_remaining"
+    t.datetime "created_at", null: false
+    t.datetime "updated_at", null: false
+  end
+
+  create_table "panda_pal_organizations", id: :serial, force: :cascade do |t|
     t.string "name"
     t.string "key"
     t.string "secret"
@@ -29,7 +37,7 @@ ActiveRecord::Schema.define(version: 20171205194657) do
     t.index ["name"], name: "index_panda_pal_organizations_on_name", unique: true
   end
 
-  create_table "panda_pal_sessions", force: :cascade do |t|
+  create_table "panda_pal_sessions", id: :serial, force: :cascade do |t|
     t.string "session_key"
     t.text "data"
     t.datetime "created_at", null: false