panda_pal 5.7.0.beta2 → 5.8.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: de960e9dd44bfec67832afe2e1cde116ea8a9e608f9658dea7cced1d45b1d934
-  data.tar.gz: 8795f3fed5583c49d3ff729ef18e1e4b4ab21214b4d6319fe13a28e90073e00f
+  metadata.gz: 35907d0726df7ab474a251eedff8ff28a5d96fbf4996566454c777e20443d90d
+  data.tar.gz: 4f883c646c445d4a0a8ad918c669308c17a2a8392818e4645a5d9efdce5ee0e2
 SHA512:
-  metadata.gz: 65b30bd9f2bfca02fcf92b451f85fd98e701a5251e0952d4468b4b84178b2a7149705fd7dd20783f6d89c8f1b02e4630ced8d00a0ceb22928927e19aa405c72e
-  data.tar.gz: 320abed36d66d03e24c7c1cb38f545d094779559107f10fa084d464989ebb473a07b497b75eeb9d84c3febc16bfadd88f0002ca298ab67456e4c657261fdc8d6
+  metadata.gz: 4f259a0c7c5928892748bd08f88b259adc5e7bb41f90f7f71e90a6c7c5e37e7a243ad426d34a4ad6b59857891e2430a7f7860cbd15938f11eaae0f74f6571247
+  data.tar.gz: 10a665a5f0d00604f623a863255435c4f85b850de0e175dc1ef29417a83a0263c41d3ff6a7016bda9e74b2abe558da18ebb9ee87b21503aeb8920fada15c1b91

data/app/controllers/panda_pal/lti_v1_p3_controller.rb

@@ -11,6 +11,9 @@ module PandaPal
     before_action :validate_launch!, only: [:resource_link_request]
     around_action :switch_tenant, only: [:resource_link_request]
 
+    # Redirect to beta/test as necessary
+    before_action :forward_to_env_and_region, only: [:login]
+
     def login
       @current_lti_platform = PandaPal::Platform.resolve_platform(params)
 
@@ -35,16 +38,16 @@ module PandaPal
     end
 
     def resource_link_request
-      # Redirect to correct region/env?
+      ltype = @decoded_lti_jwt['https://www.instructure.com/placement']
 
-      if params[:launch_type]
+      if ltype
         current_session_data.merge!({
           lti_version: 'v1p3',
-          lti_launch_placement: params[:launch_type],
+          lti_launch_placement: ltype,
           launch_params: @decoded_lti_jwt,
         })
 
-        redirect_with_session_to(:"#{LaunchUrlHelpers.launch_route(params[:launch_type])}_url", route_context: main_app)
+        redirect_with_session_to(:"#{LaunchUrlHelpers.launch_route(ltype)}_url", route_context: main_app)
       end
       # render json: {
       #   launch_type: params[:launch_type],
@@ -90,7 +93,6 @@ module PandaPal
           privacy_level: "public",
           settings: {
             placements: mapped_placements,
-            environments: PandaPal.lti_environments,
           },
         }],
         custom_fields: PandaPal.lti_custom_params, # PandaPal.lti_options[:custom_fields],
@@ -105,6 +107,37 @@ module PandaPal
       }
     end
 
+    protected
+
+    def forward_to_env_and_region
+      login_redirects = params['lti_login_redirects'] || []
+      login_redirects << request.url
+
+      redir_url = environment_login_url
+
+      if redir_url.present? && !login_redirects.include?(redir_url)
+        @form_action = redir_url
+        @method = request.method.downcase
+        @form_data = (request.POST.presence || request.GET).merge({
+          lti_login_redirects: login_redirects,
+        })
+
+        render action: :login
+      end
+    end
+
+    def environment_login_url
+      if (canvas_env = params['canvas_environment']).present?
+        tdomain = PandaPal.lti_environments[:"#{canvas_env}_domain"]
+
+        if tdomain.present? && !request.url.include?(tdomain)
+          return v1p3_oidc_login_url.gsub(PandaPal.lti_environments[:domain], tdomain)
+        end
+      end
+
+      nil
+    end
+
     private
 
     def auth_redirect_query

data/app/models/panda_pal/organization.rb

@@ -58,6 +58,12 @@ module PandaPal
     after_create :create_schema
     after_commit :destroy_schema, on: :destroy
 
+    define_setting("lti", {
+      type: 'Hash',
+      required: false,
+      properties: {},
+    })
+
     if defined?(scheduled_task)
       scheduled_task '0 0 3 * * *', :clean_old_sessions do
         PandaPal::Session.where(panda_pal_organization: self).where('updated_at < ?', 1.week.ago).delete_all
@@ -152,11 +158,32 @@ module PandaPal
     #
     # The API is currently an Organization subclass (using `becomes()`), but such may change.
     def platform_api(platform_type = primary_platform)
+      return nil if platform_type.nil?
       scl = platform_type.organization_api
       return self if scl == self.class
       becomes(scl)
     end
 
+    define_setting("lti.trusted_platforms", {
+      type: 'Array',
+      required: false,
+      description: "Additional trusted JWT issuers when validating the LTI 1.3 OIDC handshake",
+    })
+
+    # Determines if the specified platform can create sessions in this organization
+    def trusted_platform?(platform)
+      # Trust Instructure-hosted Canvas
+      return true if platform.is_a?(PandaPal::Platform::Canvas) && platform.is_trusted_env?
+
+      # Trust issuers added to the Org settings
+      if (issuer = platform.platform_uri rescue nil).present?
+        trusted_issuers = settings.dig(:lti, :trusted_platforms) || []
+        return true if trusted_issuers.include?(issuer)
+      end
+
+      false
+    end
+
     protected
 
     # OrgExtension-Overridable method to allow multi-platform tool Orgs to implicitly include a Platform API

data/app/models/panda_pal/platform/canvas.rb

@@ -5,24 +5,57 @@ end
 
 module PandaPal
   class Platform::Canvas < Platform
-    attr_accessor :organization
+    TRUSTED_ISSUERS = [
+      "https://sso.canvaslms.com",
+      "https://sso.beta.canvaslms.com",
+      "https://sso.test.canvaslms.com",
 
-    KNOWN_ISSUERS = [
+      # Deprecated (but still secure):
       "https://canvas.instructure.com",
       "https://canvas.beta.instructure.com",
       "https://canvas.test.instructure.com",
     ]
 
+    def initialize(options)
+      @issuer = options[:iss]
+    end
+
+    def platform_uri
+      @issuer
+    end
+
     def jwks_url
-      "#{@issuer}/api/lti/security/jwks"
+      "#{lti_api_domain}/api/lti/security/jwks"
     end
 
     def authentication_redirect_url
-      "#{@issuer}/api/lti/authorize_redirect"
+      "#{lti_api_domain}/api/lti/authorize_redirect"
     end
 
     def grant_url
-      "#{@issuer}/login/oauth2/token"
+      "#{lti_api_domain}/login/oauth2/token"
+    end
+
+    def is_trusted_env?
+      return true unless Rails.env.production?
+
+      TRUSTED_ISSUERS.include?(platform_uri)
+    end
+
+    def serialize
+      super.merge(iss: @issuer)
+    end
+
+    protected
+
+    def lti_api_domain
+      case @issuer
+      when "https://canvas.instructure.com"; "https://sso.canvaslms.com"
+      when "https://canvas.beta.instructure.com"; "https://sso.beta.canvaslms.com"
+      when "https://canvas.test.instructure.com"; "https://sso.test.canvaslms.com"
+      else
+        @issuer
+      end
     end
 
     module OrgExtension
@@ -44,13 +77,11 @@ module PandaPal
       def install_lti(host: nil, context: :root_account, version: 'v1p3', exists: :error, dedicated_deployment: false)
         raise "Automatically installing this LTI requires Bearcat." unless defined?(Bearcat)
 
-        version = version.to_s
-
         run_callbacks :lti_install do
           ctype, cid = _parse_lti_context(context)
 
           if version == 'v1p0'
-            existing_installs = _find_existing_installs(context, exists: exists) do |lti|
+            existing_installs = _find_existing_installs(exists: exists) do |lti|
               lti[:consumer_key] == self.key
             end
 
@@ -116,14 +147,28 @@ module PandaPal
         lti_json_url = PandaPal::LaunchUrlHelpers.resolve_route(:v1p3_config_url, host: host)
         lti_json = JSON.parse(HTTParty.get(lti_json_url, format: :plain).body)
 
+        valid_redirect_uris = [
+          lti_json["target_link_uri"]
+        ]
+
+        prod_domain = PandaPal.lti_environments[:domain]
+        if prod_domain.present?
+          PandaPal.lti_environments.each do |env, domain|
+            env = env.to_s
+            next unless env.endswith?("_domain")
+            env = env.split('_')[0]
+            valid_redirect_uris << lti_json["target_link_uri"].gsub(prod_domain, domain)
+          end
+        end
+
+        valid_redirect_uris.uniq!
+
         if !ekey
           # Create New
           ekey = bearcat_client.post("api/lti/accounts/self/developer_keys/tool_configuration", {
             developer_key: {
               name: PandaPal.lti_options[:title],
-              redirect_uris: [
-                lti_json["target_link_uri"],
-              ].join("\n")
+              redirect_uris: valid_redirect_uris.join("\n"),
             },
             tool_configuration: {
               settings: lti_json,

data/app/models/panda_pal/platform.rb

@@ -5,10 +5,6 @@ module PandaPal
   class Platform
     require_relative "platform/canvas"
 
-    def initialize(params)
-      @issuer = params[:iss]
-    end
-
     def public_jwks
       require "json/jwt"
 
@@ -27,14 +23,18 @@ module PandaPal
       nil
     end
 
+    def self.from_serialized(ser)
+      cls = ser[:platform_class].safe_constantize
+      cls.deserialize(ser)
+    end
+
     def self.deserialize(params)
-      params[:platform_class].safe_constantize.new(params)
+      new(params)
     end
 
     def serialize
       {
         platform_class: self.class.to_s,
-        iss: @issuer,
       }
     end
 
@@ -67,7 +67,7 @@ module PandaPal
       end
 
       # TODO Default logic?
-      return Platform::Canvas if Platform::Canvas::KNOWN_ISSUERS.include?(params[:iss])
+      return Platform::Canvas if Platform::Canvas::TRUSTED_ISSUERS.include?(params[:iss])
 
       raise "Unknown platform '#{platform}'"
     end
@@ -96,12 +96,37 @@ module PandaPal
   end
 
   class Platform::Generic < Platform
-    attr_reader :jwks_url, :authentication_redirect_url, :grant_url
+    def self.from_urls(base_url, jwks: nil, auth_redirect: nil, grant: nil)
+      new({
+        base_url: base_url,
+        jwks_url: jwks,
+        auth_redirect_url: auth_redirect,
+        grant_url: grant,
+      })
+    end
+
+    def initialize(options)
+      @options = options
+    end
+
+    def platform_uri
+      options[:issuer] || options[:base_url]
+    end
+
+    def jwks_url
+      URI.join(options[:base_url], options[:jwks_url] || "/api/lti/security/jwks").to_s
+    end
+
+    def authentication_redirect_url
+      URI.join(options[:base_url], options[:auth_redirect_url] || "/api/lti/authorize_redirect").to_s
+    end
+
+    def grant_url
+      URI.join(options[:base_url], options[:grant_url] || "/login/oauth2/token").to_s
+    end
 
-    def init(base_url, jwks: "/api/lti/security/jwks", auth_redirect: "/api/lti/authorize_redirect", grant: "/login/oauth2/token")
-      @jwks_url = URI.join(base_url, jwks).to_s
-      @authentication_redirect_url = URI.join(base_url, auth_redirect).to_s
-      @grant_url = URI.join(base_url, grant).to_s
+    def serialize
+      super.merge(options)
     end
   end
 end

data/app/models/panda_pal/session.rb

@@ -9,7 +9,7 @@ module PandaPal
     def lti_platform
       return nil unless data[:lti_platform].present?
 
-      @lti_platform ||= Platform.deserialize(data[:lti_platform])
+      @lti_platform ||= Platform.from_serialized(data[:lti_platform])
     end
 
     class DataSerializer

data/lib/panda_pal/engine.rb

@@ -39,12 +39,16 @@ module PandaPal
 
     initializer 'Sidekiq Scheduler Hooks' do
       ActiveSupport.on_load(:active_record) do
-        if defined?(Sidekiq) && Sidekiq.server? && PandaPal::Organization.respond_to?(:sync_schedules)
-          PandaPal::Organization.sync_schedules
+        if defined?(Sidekiq) && Sidekiq.server? # && PandaPal::Organization.respond_to?(:sync_schedules)
 
-          ActiveSupport::Reloader.to_prepare do
-            PandaPal::Organization.sync_schedules
+          Rails.application.reloader.to_prepare do
+            PandaPal::Organization.sync_schedules if PandaPal::Organization.respond_to?(:sync_schedules)
           end
+          # PandaPal::Organization.sync_schedules
+
+          # ActiveSupport::Reloader.to_prepare do
+          #   PandaPal::Organization.sync_schedules
+          # end
         end
       end
     end
@@ -74,21 +78,51 @@ module PandaPal
         def _panda_pal_console_app_name
           app_class = Rails.application.class
           app_name = app_class.respond_to?(:parent) ? app_class.parent : app_class.module_parent
+          app_name.to_s
+        end
+
+        def _panda_pal_short_console_app_name
+          _panda_pal_console_app_name[0...10]
+        end
+
+        def _panda_pal_console_env
+          if Rails.env.production?
+            env = ENV["SENTRY_CURRENT_ENV"].presence || "PROD"
+
+            if env.downcase.include?("prod")
+              Pry::Helpers::Text.red(env)
+            else
+              Pry::Helpers::Text.cyan(env)
+            end
+          elsif Rails.env.development?
+            Pry::Helpers::Text.cyan("dev")
+          elsif Rails.env.test?
+            Pry::Helpers::Text.cyan("test")
+          end
+        end
+
+        def _panda_pal_console_prefix
+          pfx = [
+            Pry::Helpers::Text.cyan(_panda_pal_short_console_app_name),
+            _panda_pal_console_env,
+            Pry::Helpers::Text.cyan(Apartment::Tenant.current),
+          ].compact.join('-')
+          pfx
         end
       end
 
       if defined? IRB
-        module PandaPalIrbTimePrompt
+        module PandaPalIrbPrompt
           def prompt(prompt, ltype, indent, line_no)
             formatted = super(prompt, ltype, indent, line_no)
-            app_bit = Pry::Helpers::Text.cyan("#{_panda_pal_console_app_name}-#{Apartment::Tenant.current}")
+            app_bit = _panda_pal_console_prefix
             "[#{app_bit}] #{formatted}"
           end
         end
 
         module ::IRB
           class Irb
-            prepend PandaPalIrbTimePrompt
+            prepend PandaPalIrbPrompt
           end
         end
       end
@@ -97,18 +131,16 @@ module PandaPal
         default_prompt = Pry::Prompt[:default]
         env = Pry::Helpers::Text.red(Rails.env.upcase)
 
-        app_name = _panda_pal_console_app_name
-
         Pry.config.prompt = Pry::Prompt.new(
           'custom',
           'my custom prompt',
           [
             ->(*args) {
-              app_bit = Pry::Helpers::Text.cyan("#{app_name}-#{Apartment::Tenant.current}")
+              app_bit = _panda_pal_console_prefix
               "#{app_bit}#{default_prompt.wait_proc.call(*args)}"
             },
             ->(*args) {
-              app_bit = Pry::Helpers::Text.cyan("#{app_name}-#{Apartment::Tenant.current}")
+              app_bit = _panda_pal_console_prefix
               "#{app_bit}#{default_prompt.incomplete_proc.call(*args)}"
             },
           ],

data/lib/panda_pal/helpers/controller_helper.rb

@@ -70,10 +70,11 @@ module PandaPal::Helpers
 
       @organization ||= PandaPal::Organization.find_by(key: client_id)
 
-      raise JSON::JWT::VerificationFailed, 'Unrecognized Organization' unless @organization.present?
-
       params[:session_key] = params[:state]
 
+      raise JSON::JWT::VerificationFailed, 'Unrecognized Organization' unless @organization.present?
+      raise JSON::JWT::VerificationFailed, 'Organization does not trust platform' unless @organization.trusted_platform?(current_lti_platform)
+
       decoded_jwt.verify!(current_lti_platform.public_jwks)
 
       raise JSON::JWT::VerificationFailed, 'State is invalid' unless current_session_data[:lti_oauth_nonce] == decoded_jwt['nonce']

data/lib/panda_pal/version.rb

@@ -1,3 +1,3 @@
 module PandaPal
-  VERSION = "5.7.0.beta2"
+  VERSION = "5.8.0"
 end