panda_pal 5.6.7.beta1 → 5.6.7.beta2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 6e63f91a338bf3876346da15600d8d51de860c1b7eca7cb988f54d1edcd9f425
-  data.tar.gz: 34aa9d21697f44409ae69fb16e6bf412d2d6c4c00a492c6c745e2202625d90d5
+  metadata.gz: 98591ab595d9224925ed0d0bd4259b3a0c6a9b80369ab8ed86539829583906fc
+  data.tar.gz: a240dacbb53ff02cd6e3f0688f41ba3cb0310bfa01af2f369c7229ecc3179c80
 SHA512:
-  metadata.gz: fca067f026f174fb1ce47561c0adca4ec454a61ae5e03437dbf8b7ebfb784aa2624b4e232ece1fbb642442ac3fe7c5c0f2169a9de1b71c37e8430409133e045a
-  data.tar.gz: 3de864a856dcb3928ef53066275946a24136c4cb877207090110aaf5a9b3cceca095748860d6bcbc132956570bd893dd0ede48b9672fd8025bcc3526bee383cc
+  metadata.gz: cf95e243d952873de333d242374c902d45bf4415efad2de495acebd31b760ae745ffcedbec205687c24b4d5a607af60b8c147db679f0a9defe1de362a1b85ec2
+  data.tar.gz: ae41d6a39f11e2aa2c4dccc837342d110d25491db1acc56edc1047d8cc9790f550d45d218e4d4bf5d46c6b781785f1dd8e8a7813416bccd94de92cf4215d8f3c

data/app/controllers/panda_pal/lti_v1_p3_controller.rb

@@ -12,14 +12,11 @@ module PandaPal
     around_action :switch_tenant, only: [:resource_link_request]
 
     def login
-      # TODO Figure out how to make this support deployment_ids
-      #   May need to move Platform#jwks_url and Platform#authentication_redirect_url to
-      #   a new GenericPlatform class/model and then associate the here-generated Session with
-      #   the public tenant, re-homing it once we have a deployment_id available
-      #   ... or create a new AuthState model instead of using Session here
-      @organization = PandaPal::Organization.find_by!(key: params[:client_id])
+      @current_lti_platform = PandaPal::Platform.resolve_platform(params)
 
+      current_session_data[:lti_platform] = @current_lti_platform&.serialize
       current_session_data[:lti_oauth_nonce] = SecureRandom.uuid
+      current_session.panda_pal_organization_id = -1
 
       @form_action = current_lti_platform.authentication_redirect_url
       @method = :post
@@ -39,6 +36,7 @@ module PandaPal
 
     def resource_link_request
       # Redirect to correct region/env?
+
       if params[:launch_type]
         current_session_data.merge!({
           lti_version: 'v1p3',

data/app/models/panda_pal/organization.rb

@@ -88,20 +88,8 @@ module PandaPal
       end
     end
 
-    def lti_platform
-      lti_platform_type.new(self)
-    end
-
-    def lti_platform_type
-      platform = PandaPal.lti_options[:platform] || 'canvas.instructure.com'
-      case platform
-      when 'canvas.instructure.com'
-        PandaPal::Platform::Canvas
-      # when 'bridgeapp.com'
-        # TODO Add support for Bridge?
-      else
-        raise "Unknown platform '#{platform}'"
-      end
+    def self.resolve_platform(hint)
+      iss = hint["iss"]
     end
 
     def rename!(new_name)
@@ -114,25 +102,15 @@ module PandaPal
       switch_tenant if do_switch
     end
 
-    def respond_to_missing?(name, include_private = false)
-      (platform_org_extension_module&.instance_method(name) rescue nil) || super
-    end
-
-    def method_missing(method, *args, **kwargs, &block)
-      ext = platform_org_extension_module
-      if (ext.instance_method(method) rescue nil)
-        ext.instance_method(method).bind_call(self, *args, **kwargs, &block)
-      else
-        super
+    if !PandaPal.lti_options[:platform].present? || PandaPal.lti_options[:platform].is_a?(String)
+      platform_cls = Platform.resolve_platform_class(nil) rescue nil
+      if platform_cls && defined?(platform_cls::OrgExtension)
+        include platform_cls::OrgExtension
       end
     end
 
     private
 
-    def platform_org_extension_module
-      defined?(lti_platform_type::OrgExtension) ? lti_platform_type::OrgExtension : nil
-    end
-
     def create_schema
       Apartment::Tenant.create name
     end

data/app/models/panda_pal/platform/canvas.rb

@@ -0,0 +1,163 @@
+begin
+  require 'bearcat'
+rescue LoadError
+end
+
+module PandaPal
+  class Platform::Canvas < Platform
+    attr_accessor :organization
+
+    KNOWN_ISSUERS = [
+      "https://canvas.instructure.com",
+      "https://canvas.beta.instructure.com",
+      "https://canvas.test.instructure.com",
+    ]
+
+    def jwks_url
+      "#{@issuer}/api/lti/security/jwks"
+    end
+
+    def authentication_redirect_url
+      "#{@issuer}/api/lti/authorize_redirect"
+    end
+
+    def grant_url
+      "#{@issuer}/login/oauth2/token"
+    end
+
+    module OrgExtension
+      extend ActiveSupport::Concern
+
+      def install_lti(host: nil, context: :root_account, version: 'v1p1', exists: :error)
+        raise "Automatically installing this LTI requires Bearcat." unless defined?(Bearcat)
+
+        context = context.to_s
+        context = 'account/self' if context == 'root_account'
+        cid, ctype = context.split(/[\.\/]/).reverse
+        ctype ||= 'account'
+
+        existing_installs = bearcat_client.send(:"#{ctype}_external_tools", cid).all_pages_each.filter do |cet|
+          cet[:consumer_key] == self.key
+        end
+
+        if existing_installs.present?
+          case exists
+          when :error
+            raise "Tool with key #{self.key} already installed"
+          when :duplicate
+          when :replace
+            existing_installs.each do |install|
+              bearcat_client.send(:"delete_#{ctype}_external_tool", cid, install[:id])
+            end
+          else
+            raise "exists: #{exists} is not supported"
+          end
+        end
+
+        # TODO LTI 1.3 Support
+
+        conf = {
+          name: PandaPal.lti_options[:title],
+          description: PandaPal.lti_options[:description],
+          consumer_key: self.key,
+          shared_secret: self.secret,
+          privacy_level: "public",
+          config_type: 'by_url',
+          config_url: PandaPal::LaunchUrlHelpers.resolve_route(:v1p0_config_url, host: host),
+        }
+
+        bearcat_client.send(:"create_#{ctype}_external_tool", cid, conf)
+      end
+
+      def reinstall_lti!(*args, **kwargs)
+        install_lti(*args, exists: :replace, **kwargs)
+      end
+
+      def lti_api_configuration(host: nil)
+        PandaPal::LaunchUrlHelpers.with_uri_host(host) do
+          domain = PandaPal.lti_properties[:domain] || host.host
+          launch_url = PandaPal.lti_options[:secure_launch_url] ||
+            "#{domain}#{PandaPal.lti_options[:secure_launch_path]}" ||
+            PandaPal.lti_options[:launch_url] ||
+            "#{domain}#{PandaPal.lti_options[:launch_path]}" ||
+            domain
+
+          lti_json = {
+            name: PandaPal.lti_options[:title],
+            description: PandaPal.lti_options[:description],
+            domain: host.host,
+            url: launch_url,
+            consumer_key: self.key,
+            shared_secret: self.secret,
+            privacy_level: "public",
+
+            custom_fields: {},
+
+            environments: PandaPal.lti_environments,
+          }
+
+          lti_json = lti_json.with_indifferent_access
+          lti_json.merge!(PandaPal.lti_properties)
+
+          (PandaPal.lti_options[:custom_fields] || []).each do |k, v|
+            lti_json[:custom_fields][k] = v
+          end
+
+          PandaPal.lti_paths.each do |k, options|
+            options = PandaPal::LaunchUrlHelpers.normalize_lti_launch_desc(options)
+            options[:url] = PandaPal::LaunchUrlHelpers.absolute_launch_url(
+              k.to_sym,
+              host: host,
+              launch_handler: :v1p0_launch_path,
+              default_auto_launch: false
+            ).to_s
+            lti_json[k] = options
+          end
+
+          lti_json
+        end
+      end
+
+      def canvas_url
+        PandaPal::Platform.find_org_setting([
+          "canvas.base_url",
+          "canvas_url",
+          "canvas_base_url",
+          "canvas.url",
+          "base_url",
+        ], self) || (Rails.env.development? && 'http://localhost:3000') || 'https://canvas.instructure.com'
+      end
+
+      def canvas_api_token
+        PandaPal::Platform.find_org_setting([
+          "canvas.api_token",
+          "canvas.api_key",
+          "canvas.token",
+          "canvas_api_token",
+          "canvas_token",
+          "api_token",
+        ], self)
+      end
+
+      def root_account_info
+        Rails.cache.fetch("panda_pal/org:#{name}/root_account_info", expires_in: 24.hours) do
+          response = bearcat_client.account("self")
+          response = bearcat_client.account(response[:root_account_id]) if response[:root_account_id].present?
+          response
+        end
+      end
+
+      if defined?(Bearcat)
+        def bearcat_client
+          return canvas_sync_client if defined?(canvas_sync_client)
+
+          Bearcat::Client.new(
+            prefix: canvas_url,
+            token: canvas_token,
+            master_rate_limit: (Rails.env.production? && !!defined?(Redis) && ENV['REDIS_URL'].present?),
+          )
+        end
+      end
+    end
+  end
+end

data/app/models/panda_pal/platform.rb

@@ -1,187 +1,106 @@
-begin
-  require 'bearcat'
-rescue LoadError
-end
 
 require 'httparty'
 
 module PandaPal
   class Platform
+    require_relative "platform/canvas"
+
+    def initialize(params)
+      @issuer = params[:iss]
+    end
+
     def public_jwks
       require "json/jwt"
 
-      response = HTTParty.get(jwks_url)
-      return nil unless response.success?
+      jwk_json = Rails.cache.fetch("panda_pal/jwks/#{jwks_url}")
+      jwk_json ||= begin
+        response = HTTParty.get(jwks_url)
+        response.success? ? response.body : nil
+      end
 
-      JSON::JWK::Set.new(JSON.parse(response.body))
-    rescue
-      nil
-    end
+      return nil unless jwk_json.present?
 
-    protected
+      Rails.cache.write("panda_pal/jwks/#{jwks_url}", jwk_json, expires_in: 24.hours)
 
-    def self.find_org_setting(paths, org = current_organization)
-      paths.each do |p|
-        p = p.split('.').map(&:to_sym)
-        val = org.settings.dig(*p)
-        return val if val.present?
-      end
+      JSON::JWK::Set.new(JSON.parse(jwk_json))
+    rescue
       nil
     end
-  end
-
-  class Platform::Canvas < Platform
-    attr_accessor :organization
 
-    def initialize(org)
-      @organization = org
+    def self.deserialize(params)
+      params[:platform_class].safe_constantize.new(params)
     end
 
-    def host
-      base_url
+    def serialize
+      {
+        platform_class: self.class.to_s,
+        iss: @issuer,
+      }
     end
 
-    def jwks_url
-      "#{base_url}/api/lti/security/jwks"
+    def self.resolve_platform(params)
+      resolved = resolve_raw_platform(params)
+      resolved.is_a?(Class) ? resolved.new({ iss: params[:iss] }) : resolved
     end
 
-    def authentication_redirect_url
-      "#{base_url}/api/lti/authorize_redirect"
+    def self.resolve_platform_class(params)
+      resolved = resolve_raw_platform(params)
+      resolved.is_a?(Class) ? resolved : resolved.class
     end
 
-    def grant_url
-      "#{base_url}/login/oauth2/token"
-    end
+    def self.resolve_raw_platform(params)
+      platform = PandaPal.lti_options[:platform] || "canvas.instructure.com"
 
-    def base_url; @organization.canvas_url; end # TODO Dissolve?
-
-    module OrgExtension
-      def install_lti(host: nil, context: :root_account, version: 'v1p1', exists: :error)
-        raise "Automatically installing this LTI requires Bearcat." unless defined?(Bearcat)
-
-        context = context.to_s
-        context = 'account/self' if context == 'root_account'
-        cid, ctype = context.split(/[\.\/]/).reverse
-        ctype ||= 'account'
-
-        existing_installs = bearcat_client.send(:"#{ctype}_external_tools", cid).all_pages_each.filter do |cet|
-          cet[:consumer_key] == self.key
-        end
-
-        if existing_installs.present?
-          case exists
-          when :error
-            raise "Tool with key #{self.key} already installed"
-          when :duplicate
-          when :replace
-            existing_installs.each do |install|
-              bearcat_client.send(:"delete_#{ctype}_external_tool", cid, install[:id])
-            end
-          else
-            raise "exists: #{exists} is not supported"
-          end
-        end
-
-        # TODO LTI 1.3 Support
-
-        conf = {
-          name: PandaPal.lti_options[:title],
-          description: PandaPal.lti_options[:description],
-          consumer_key: self.key,
-          shared_secret: self.secret,
-          privacy_level: "public",
-          config_type: 'by_url',
-          config_url: PandaPal::LaunchUrlHelpers.resolve_route(:v1p0_config_url, host: host),
-        }
-
-        bearcat_client.send(:"create_#{ctype}_external_tool", cid, conf)
-      end
+      if platform.is_a? Symbol
+        platform_const = Object.send(platform, params)
+        return platform_const if platform_const
 
-      def lti_api_configuration(host: nil)
-        PandaPal::LaunchUrlHelpers.with_uri_host(host) do
-          domain = PandaPal.lti_properties[:domain] || host.host
-          launch_url = PandaPal.lti_options[:secure_launch_url] ||
-            "#{domain}#{PandaPal.lti_options[:secure_launch_path]}" ||
-            PandaPal.lti_options[:launch_url] ||
-            "#{domain}#{PandaPal.lti_options[:launch_path]}" ||
-            domain
-
-          lti_json = {
-            name: PandaPal.lti_options[:title],
-            description: PandaPal.lti_options[:description],
-            domain: host.host,
-            url: launch_url,
-            consumer_key: self.key,
-            shared_secret: self.secret,
-            privacy_level: "public",
-
-            custom_fields: {},
-
-            environments: PandaPal.lti_environments,
-          }
-
-          lti_json = lti_json.with_indifferent_access
-          lti_json.merge!(PandaPal.lti_properties)
-
-          (PandaPal.lti_options[:custom_fields] || []).each do |k, v|
-            lti_json[:custom_fields][k] = v
-          end
-
-          PandaPal.lti_paths.each do |k, options|
-            options = PandaPal::LaunchUrlHelpers.normalize_lti_launch_desc(options)
-            options[:url] = PandaPal::LaunchUrlHelpers.absolute_launch_url(
-              k.to_sym,
-              host: host,
-              launch_handler: :v1p0_launch_path,
-              default_auto_launch: false
-            ).to_s
-            lti_json[k] = options
-          end
-
-          lti_json
-        end
-      end
+      elsif platform.is_a? Proc
+        platform_const = platform.call(params)
+        return platform_const if platform_const
 
-      def canvas_url
-        PandaPal::Platform.find_org_setting([
-          "canvas.base_url",
-          "canvas_url",
-          "canvas_base_url",
-          "canvas.url",
-          "base_url",
-        ], self) || (Rails.env.development? && 'http://localhost:3000') || 'https://canvas.instructure.com'
-      end
+      else
+        return Platform::Canvas if platform == "canvas.instructure.com"
 
-      def canvas_api_token
-        PandaPal::Platform.find_org_setting([
-          "canvas.api_token",
-          "canvas.api_key",
-          "canvas.token",
-          "canvas_api_token",
-          "canvas_token",
-          "api_token",
-        ], self)
+        platform_const = platform.safe_constantize
+        return platform_const if platform_const.is_a? Class
       end
 
-      def root_account_info
-        Rails.cache.fetch("panda_pal/org:#{name}/root_account_info", expires_in: 24.hours) do
-          response = bearcat_client.account("self")
-          response = bearcat_client.account(response[:root_account_id]) if response[:root_account_id].present?
-          response
-        end
-      end
+      # TODO Default logic?
+      return Platform::Canvas if Platform::Canvas::KNOWN_ISSUERS.include?(params[:iss])
+
+      raise "Unknown platform '#{platform}'"
+    end
 
-      if defined?(Bearcat)
-        def bearcat_client
-          return canvas_sync_client if defined?(canvas_sync_client)
+    def self.materialize_extension(org)
+      return nil unless defined?(self::OrgExtension)
+
+      ext_mod = self::OrgExtension
+      org = org.dup
+      org.extend(ext_mod)
+
+      org
+    end
+
+    protected
 
-          Bearcat::Client.new(
-            prefix: canvas_url,
-            token: canvas_token,
-            master_rate_limit: (Rails.env.production? && !!defined?(Redis) && ENV['REDIS_URL'].present?),
-          )
-        end
+    def self.find_org_setting(paths, org = current_organization)
+      paths.each do |p|
+        p = p.split('.').map(&:to_sym)
+        val = org.settings.dig(*p)
+        return val if val.present?
       end
+      nil
+    end
+  end
+
+  class Platform::Generic < Platform
+    attr_reader :jwks_url, :authentication_redirect_url, :grant_url
+
+    def init(base_url, jwks: "/api/lti/security/jwks", auth_redirect: "/api/lti/authorize_redirect", grant: "/login/oauth2/token")
+      @jwks_url = URI.join(base_url, jwks).to_s
+      @authentication_redirect_url = URI.join(base_url, auth_redirect).to_s
+      @grant_url = URI.join(base_url, grant).to_s
     end
   end
 end

data/app/models/panda_pal/session.rb

@@ -1,13 +1,17 @@
 module PandaPal
   class Session < ActiveRecord::Base
-    belongs_to :panda_pal_organization, class_name: 'PandaPal::Organization'
-
-    validates :panda_pal_organization_id, presence: true
+    belongs_to :panda_pal_organization, class_name: 'PandaPal::Organization', optional: true
 
     after_initialize do
       self.session_key ||= SecureRandom.urlsafe_base64(60)
     end
 
+    def lti_platform
+      return nil unless data[:lti_platform].present?
+
+      @lti_platform ||= Platform.deserialize(data[:lti_platform])
+    end
+
     class DataSerializer
       def self.load(str)
         return {} unless str.present?

data/lib/panda_pal/helpers/controller_helper.rb

@@ -13,7 +13,7 @@ module PandaPal::Helpers
     end
 
     def current_lti_platform
-      @current_lti_platform ||= current_organization.lti_platform
+      @current_lti_platform ||= current_session(create_missing: false)&.lti_platform
     end
 
     def lti_launch_params
@@ -55,6 +55,8 @@ module PandaPal::Helpers
     end
 
     def validate_v1p3_launch
+      require "json/jwt"
+
       decoded_jwt = JSON::JWT.decode(params.require(:id_token), :skip_verification)
       raise JSON::JWT::VerificationFailed, 'error decoding id_token' if decoded_jwt.blank?
 
@@ -70,14 +72,17 @@ module PandaPal::Helpers
 
       raise JSON::JWT::VerificationFailed, 'Unrecognized Organization' unless @organization.present?
 
+      params[:session_key] = params[:state]
+
       decoded_jwt.verify!(current_lti_platform.public_jwks)
 
-      params[:session_key] = params[:state]
       raise JSON::JWT::VerificationFailed, 'State is invalid' unless current_session_data[:lti_oauth_nonce] == decoded_jwt['nonce']
 
       jwt_verifier = PandaPal::LtiJwtValidator.new(decoded_jwt, client_id)
       raise JSON::JWT::VerificationFailed, jwt_verifier.errors unless jwt_verifier.valid?
 
+      current_session.update(panda_pal_organization: @organization)
+
       @decoded_lti_jwt = decoded_jwt
     rescue JSON::JWT::VerificationFailed => e
       payload = Array(e.message)
@@ -124,7 +129,7 @@ module PandaPal::Helpers
 
     def find_or_create_session(key:)
       if key == :create
-        PandaPal::Session.new(panda_pal_organization_id: current_organization.id)
+        PandaPal::Session.new(panda_pal_organization_id: current_organization&.id)
       else
         PandaPal::Session.find_by(session_key: key)
       end

data/lib/panda_pal/helpers/secure_headers.rb

@@ -29,9 +29,11 @@ module PandaPal
 
         # Allow stuff like rack-mini-profiler to work in development:
         # https://github.com/MiniProfiler/rack-mini-profiler/issues/327
-        # DON'T ENABLE THIS FOR PRODUCTION!
         csp_entry(:script_src, "'unsafe-eval'")
 
+        # React Devtools
+        csp_entry(:script_src, "'unsafe-inline'")
+
         # Detect and permit Scout APM in Dev
         if MiscHelper.to_boolean(ENV['SCOUT_DEV_TRACE'])
           csp_entry(:default_src, 'https://scoutapm.com')

data/lib/panda_pal/version.rb

@@ -1,3 +1,3 @@
 module PandaPal
-  VERSION = "5.6.7.beta1"
+  VERSION = "5.6.7.beta2"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: panda_pal
 version: !ruby/object:Gem::Version
-  version: 5.6.7.beta1
+  version: 5.6.7.beta2
 platform: ruby
 authors:
 - Instructure ProServe
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2023-01-31 00:00:00.000000000 Z
+date: 2023-02-01 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rails
@@ -315,6 +315,7 @@ files:
 - app/models/panda_pal/organization_concerns/settings_validation.rb
 - app/models/panda_pal/organization_concerns/task_scheduling.rb
 - app/models/panda_pal/platform.rb
+- app/models/panda_pal/platform/canvas.rb
 - app/models/panda_pal/session.rb
 - app/views/layouts/panda_pal/application.html.erb
 - app/views/panda_pal/lti/launch.html.erb