canvas-lms/app/models/developer_key.rb

#
# Copyright (C) 2011 Instructure, Inc.
#
# This file is part of Canvas.
#
# Canvas is free software: you can redistribute it and/or modify it under
# the terms of the GNU Affero General Public License as published by the Free
# Software Foundation, version 3 of the License.
#
# Canvas is distributed in the hope that it will be useful, but WITHOUT ANY
# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR
# A PARTICULAR PURPOSE. See the GNU Affero General Public License for more
# details.
#
# You should have received a copy of the GNU Affero General Public License along
# with this program. If not, see <http://www.gnu.org/licenses/>.
#

class DeveloperKey < ActiveRecord::Base
  include CustomValidations

  belongs_to :user
  belongs_to :account
  has_many :page_views
  has_many :access_tokens
  has_many :context_external_tools, :primary_key => 'tool_id', :foreign_key => 'tool_id'

  attr_accessible :api_key, :name, :user, :account, :icon_url, :redirect_uri, :tool_id, :email

  before_create :generate_api_key
  before_save :nullify_empty_tool_id

  validates_as_url :redirect_uri

  def nullify_empty_tool_id
    self.tool_id = nil if tool_id.blank?
    self.icon_url = nil if icon_url.blank?
  end
  
  def generate_api_key(overwrite=false)
    self.api_key = AutoHandle.generate(nil, 64) if overwrite || !self.api_key
  end
  
  def self.default
    get_special_key("User-Generated")
  end
  
  def account_name
    account.try(:name)
  end
  
  def self.get_special_key(default_key_name)
    Shard.default.activate do
      @special_keys ||= {}

      if Rails.env.test?
        # TODO: we have to do this because tests run in transactions. maybe it'd
        # be good to create some sort of of memoize_if_safe method, that only
        # memoizes when we're caching classes and not in test mode? I dunno. But
        # this stinks.
        return @special_keys[default_key_name] = DeveloperKey.find_or_create_by_name(default_key_name)
      end

      key = @special_keys[default_key_name]
      return key if key
      if (key_id = Setting.get("#{default_key_name}_developer_key_id", nil)) && key_id.present?
        key = DeveloperKey.find_by_id(key_id)
      end
      return @special_keys[default_key_name] = key if key
      key = DeveloperKey.create!(:name => default_key_name)
      Setting.set("#{default_key_name}_developer_key_id", key.id)
      return @special_keys[default_key_name] = key
    end
  end

  # verify that the given uri has the same domain as this key's
  # redirect_uri domain.
  def redirect_domain_matches?(redirect_uri)
    self_domain = URI.parse(self.redirect_uri).host
    other_domain = URI.parse(redirect_uri).host
    return self_domain.present? && (self_domain == other_domain || other_domain.end_with?(".#{self_domain}"))
  rescue URI::InvalidURIError
    return false
  end
end
Initial commit. closes #6988138 2011-02-01 09:57:29 +08:00			`#`
			`# Copyright (C) 2011 Instructure, Inc.`
			`#`
			`# This file is part of Canvas.`
			`#`
			`# Canvas is free software: you can redistribute it and/or modify it under`
			`# the terms of the GNU Affero General Public License as published by the Free`
			`# Software Foundation, version 3 of the License.`
			`#`
			`# Canvas is distributed in the hope that it will be useful, but WITHOUT ANY`
			`# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR`
			`# A PARTICULAR PURPOSE. See the GNU Affero General Public License for more`
			`# details.`
			`#`
			`# You should have received a copy of the GNU Affero General Public License along`
			`# with this program. If not, see <http://www.gnu.org/licenses/>.`
			`#`

			`class DeveloperKey < ActiveRecord::Base`
allow sub-domains to match the redirect_uri on the developer key fixes #9995 also validates_as_url the redirect_uri, sometimes people were leaving off the http:// part when setting up the key test plan: set up a developer key with a given domain. kick off an oauth request flow with redirect_uri equal to that domain, it should be accepted. use a sub-domain of that domain, it should also be accepted. use a higher-level domain, it should not be accepted. Change-Id: I55510f463b1faa3339b9908f9941715d93de5a16 Reviewed-on: https://gerrit.instructure.com/12980 Tested-by: Jenkins <jenkins@instructure.com> Reviewed-by: Cody Cutrer <cody@instructure.com> 2012-08-17 05:25:50 +08:00			`include CustomValidations`

Initial commit. closes #6988138 2011-02-01 09:57:29 +08:00			`belongs_to :user`
			`belongs_to :account`
			`has_many :page_views`
oauth 2 requests via access tokens Added support for oauth 2 API requests. HTTP Basic only works for Canvas-auth and LDAP accounts, but oauth 2 will also work with SSO accounts. Also added ability for users to create access tokens from the profile page. Change-Id: I13581b4e77bfa77bf11dbb732900012dd1e50ede Reviewed-on: https://gerrit.instructure.com/3775 Tested-by: Hudson <hudson@instructure.com> Reviewed-by: Zach Wily <zach@instructure.com> 2011-05-27 07:41:43 +08:00			`has_many :access_tokens`
add tool_id and icon url to context_external_tools tool_id can be used to associate multiple context_external_tools with a single third party tool (i.e. to see how many installs there are of the youtube tool). When tools are launched Canvas will also track a custom ganalytics event with this tool id. icon_url is an attribute that can be set in standard LTI config that we were ignoring before. In the future this may be added to the UI when picking external tools. test plan: - find an external tool with tool_id and icon configs (there are some examples on lti-examples.heroku.com) - configure an external tool using this xml - confirm that tool_id and icon_url were correctly set (tool.tool_id and tool.settings[:icon_url]) - launch an external tool from within a course - make sure that nothing breaks Change-Id: If8d6386e8a919fa70eacd46b4fa6b68ade4b5c7b Reviewed-on: https://gerrit.instructure.com/10568 Reviewed-by: Brian Whitmer <brian@instructure.com> Tested-by: Jenkins <jenkins@instructure.com> 2012-05-06 02:18:08 +08:00			`has_many :context_external_tools, :primary_key => 'tool_id', :foreign_key => 'tool_id'`
oauth 2 requests via access tokens Added support for oauth 2 API requests. HTTP Basic only works for Canvas-auth and LDAP accounts, but oauth 2 will also work with SSO accounts. Also added ability for users to create access tokens from the profile page. Change-Id: I13581b4e77bfa77bf11dbb732900012dd1e50ede Reviewed-on: https://gerrit.instructure.com/3775 Tested-by: Hudson <hudson@instructure.com> Reviewed-by: Zach Wily <zach@instructure.com> 2011-05-27 07:41:43 +08:00
developer keys mgmt page Site admins can manage developer keys. This provides a basic interface for allowing key management. Admins can add new keys, edit existing keys, etc. Also adds an icon url for each key. If keys have an icon url, then the oauth screen will display this icon to end-users. test plan: - manually add a key from the "developer keys" page in the site admin account - confirm that the key is created correctly - edit the key - confirm that the changes persist - delete the key - confirm that the key is properly deleted - create more than 15 developer keys - confirm that the page properly paginates - set an icon url for a key - do the oauth dance - confirm that the icon appears in the approval step - do the oauth dance for a key without an icon url - confirm that no icon appears in the approval step Change-Id: I5d64d14974fdcef8be21c6aa84ab13f681217bd7 Reviewed-on: https://gerrit.instructure.com/10979 Tested-by: Jenkins <jenkins@instructure.com> Reviewed-by: Jon Jensen <jon@instructure.com> 2012-05-17 13:52:32 +08:00			`attr_accessible :api_key, :name, :user, :account, :icon_url, :redirect_uri, :tool_id, :email`
allow sub-domains to match the redirect_uri on the developer key fixes #9995 also validates_as_url the redirect_uri, sometimes people were leaving off the http:// part when setting up the key test plan: set up a developer key with a given domain. kick off an oauth request flow with redirect_uri equal to that domain, it should be accepted. use a sub-domain of that domain, it should also be accepted. use a higher-level domain, it should not be accepted. Change-Id: I55510f463b1faa3339b9908f9941715d93de5a16 Reviewed-on: https://gerrit.instructure.com/12980 Tested-by: Jenkins <jenkins@instructure.com> Reviewed-by: Cody Cutrer <cody@instructure.com> 2012-08-17 05:25:50 +08:00
Initial commit. closes #6988138 2011-02-01 09:57:29 +08:00			`before_create :generate_api_key`
developer keys mgmt page Site admins can manage developer keys. This provides a basic interface for allowing key management. Admins can add new keys, edit existing keys, etc. Also adds an icon url for each key. If keys have an icon url, then the oauth screen will display this icon to end-users. test plan: - manually add a key from the "developer keys" page in the site admin account - confirm that the key is created correctly - edit the key - confirm that the changes persist - delete the key - confirm that the key is properly deleted - create more than 15 developer keys - confirm that the page properly paginates - set an icon url for a key - do the oauth dance - confirm that the icon appears in the approval step - do the oauth dance for a key without an icon url - confirm that no icon appears in the approval step Change-Id: I5d64d14974fdcef8be21c6aa84ab13f681217bd7 Reviewed-on: https://gerrit.instructure.com/10979 Tested-by: Jenkins <jenkins@instructure.com> Reviewed-by: Jon Jensen <jon@instructure.com> 2012-05-17 13:52:32 +08:00			`before_save :nullify_empty_tool_id`
allow sub-domains to match the redirect_uri on the developer key fixes #9995 also validates_as_url the redirect_uri, sometimes people were leaving off the http:// part when setting up the key test plan: set up a developer key with a given domain. kick off an oauth request flow with redirect_uri equal to that domain, it should be accepted. use a sub-domain of that domain, it should also be accepted. use a higher-level domain, it should not be accepted. Change-Id: I55510f463b1faa3339b9908f9941715d93de5a16 Reviewed-on: https://gerrit.instructure.com/12980 Tested-by: Jenkins <jenkins@instructure.com> Reviewed-by: Cody Cutrer <cody@instructure.com> 2012-08-17 05:25:50 +08:00
			`validates_as_url :redirect_uri`

developer keys mgmt page Site admins can manage developer keys. This provides a basic interface for allowing key management. Admins can add new keys, edit existing keys, etc. Also adds an icon url for each key. If keys have an icon url, then the oauth screen will display this icon to end-users. test plan: - manually add a key from the "developer keys" page in the site admin account - confirm that the key is created correctly - edit the key - confirm that the changes persist - delete the key - confirm that the key is properly deleted - create more than 15 developer keys - confirm that the page properly paginates - set an icon url for a key - do the oauth dance - confirm that the icon appears in the approval step - do the oauth dance for a key without an icon url - confirm that no icon appears in the approval step Change-Id: I5d64d14974fdcef8be21c6aa84ab13f681217bd7 Reviewed-on: https://gerrit.instructure.com/10979 Tested-by: Jenkins <jenkins@instructure.com> Reviewed-by: Jon Jensen <jon@instructure.com> 2012-05-17 13:52:32 +08:00			`def nullify_empty_tool_id`
			`self.tool_id = nil if tool_id.blank?`
			`self.icon_url = nil if icon_url.blank?`
			`end`
Initial commit. closes #6988138 2011-02-01 09:57:29 +08:00
			`def generate_api_key(overwrite=false)`
oauth 2 requests via access tokens Added support for oauth 2 API requests. HTTP Basic only works for Canvas-auth and LDAP accounts, but oauth 2 will also work with SSO accounts. Also added ability for users to create access tokens from the profile page. Change-Id: I13581b4e77bfa77bf11dbb732900012dd1e50ede Reviewed-on: https://gerrit.instructure.com/3775 Tested-by: Hudson <hudson@instructure.com> Reviewed-by: Zach Wily <zach@instructure.com> 2011-05-27 07:41:43 +08:00			`self.api_key = AutoHandle.generate(nil, 64) if overwrite \|\| !self.api_key`
			`end`

			`def self.default`
			`get_special_key("User-Generated")`
			`end`

developer keys mgmt page Site admins can manage developer keys. This provides a basic interface for allowing key management. Admins can add new keys, edit existing keys, etc. Also adds an icon url for each key. If keys have an icon url, then the oauth screen will display this icon to end-users. test plan: - manually add a key from the "developer keys" page in the site admin account - confirm that the key is created correctly - edit the key - confirm that the changes persist - delete the key - confirm that the key is properly deleted - create more than 15 developer keys - confirm that the page properly paginates - set an icon url for a key - do the oauth dance - confirm that the icon appears in the approval step - do the oauth dance for a key without an icon url - confirm that no icon appears in the approval step Change-Id: I5d64d14974fdcef8be21c6aa84ab13f681217bd7 Reviewed-on: https://gerrit.instructure.com/10979 Tested-by: Jenkins <jenkins@instructure.com> Reviewed-by: Jon Jensen <jon@instructure.com> 2012-05-17 13:52:32 +08:00			`def account_name`
			`account.try(:name)`
			`end`

oauth 2 requests via access tokens Added support for oauth 2 API requests. HTTP Basic only works for Canvas-auth and LDAP accounts, but oauth 2 will also work with SSO accounts. Also added ability for users to create access tokens from the profile page. Change-Id: I13581b4e77bfa77bf11dbb732900012dd1e50ede Reviewed-on: https://gerrit.instructure.com/3775 Tested-by: Hudson <hudson@instructure.com> Reviewed-by: Zach Wily <zach@instructure.com> 2011-05-27 07:41:43 +08:00			`def self.get_special_key(default_key_name)`
always search for deprecated api key usage on the default shard also search for the default developer key on the default shard refs #7788 test plan: * create an api key (on the default shard) * access the api on a non-default shard * it should still work * create an oauth token in the UI on a different shard * it should work, and reference a key on the default shard Change-Id: I8c8aa36ab38f45ba9af2422a42552faeff28ac73 Reviewed-on: https://gerrit.instructure.com/9492 Tested-by: Hudson <hudson@instructure.com> Reviewed-by: Brian Palmer <brianp@instructure.com> 2012-03-20 06:24:27 +08:00			`Shard.default.activate do`
			`@special_keys \|\|= {}`
oauth 2 requests via access tokens Added support for oauth 2 API requests. HTTP Basic only works for Canvas-auth and LDAP accounts, but oauth 2 will also work with SSO accounts. Also added ability for users to create access tokens from the profile page. Change-Id: I13581b4e77bfa77bf11dbb732900012dd1e50ede Reviewed-on: https://gerrit.instructure.com/3775 Tested-by: Hudson <hudson@instructure.com> Reviewed-by: Zach Wily <zach@instructure.com> 2011-05-27 07:41:43 +08:00
always search for deprecated api key usage on the default shard also search for the default developer key on the default shard refs #7788 test plan: * create an api key (on the default shard) * access the api on a non-default shard * it should still work * create an oauth token in the UI on a different shard * it should work, and reference a key on the default shard Change-Id: I8c8aa36ab38f45ba9af2422a42552faeff28ac73 Reviewed-on: https://gerrit.instructure.com/9492 Tested-by: Hudson <hudson@instructure.com> Reviewed-by: Brian Palmer <brianp@instructure.com> 2012-03-20 06:24:27 +08:00			`if Rails.env.test?`
			`# TODO: we have to do this because tests run in transactions. maybe it'd`
			`# be good to create some sort of of memoize_if_safe method, that only`
			`# memoizes when we're caching classes and not in test mode? I dunno. But`
			`# this stinks.`
			`return @special_keys[default_key_name] = DeveloperKey.find_or_create_by_name(default_key_name)`
			`end`
oauth 2 requests via access tokens Added support for oauth 2 API requests. HTTP Basic only works for Canvas-auth and LDAP accounts, but oauth 2 will also work with SSO accounts. Also added ability for users to create access tokens from the profile page. Change-Id: I13581b4e77bfa77bf11dbb732900012dd1e50ede Reviewed-on: https://gerrit.instructure.com/3775 Tested-by: Hudson <hudson@instructure.com> Reviewed-by: Zach Wily <zach@instructure.com> 2011-05-27 07:41:43 +08:00
always search for deprecated api key usage on the default shard also search for the default developer key on the default shard refs #7788 test plan: * create an api key (on the default shard) * access the api on a non-default shard * it should still work * create an oauth token in the UI on a different shard * it should work, and reference a key on the default shard Change-Id: I8c8aa36ab38f45ba9af2422a42552faeff28ac73 Reviewed-on: https://gerrit.instructure.com/9492 Tested-by: Hudson <hudson@instructure.com> Reviewed-by: Brian Palmer <brianp@instructure.com> 2012-03-20 06:24:27 +08:00			`key = @special_keys[default_key_name]`
			`return key if key`
			`if (key_id = Setting.get("#{default_key_name}_developer_key_id", nil)) && key_id.present?`
			`key = DeveloperKey.find_by_id(key_id)`
			`end`
			`return @special_keys[default_key_name] = key if key`
			`key = DeveloperKey.create!(:name => default_key_name)`
			`Setting.set("#{default_key_name}_developer_key_id", key.id)`
			`return @special_keys[default_key_name] = key`
oauth 2 requests via access tokens Added support for oauth 2 API requests. HTTP Basic only works for Canvas-auth and LDAP accounts, but oauth 2 will also work with SSO accounts. Also added ability for users to create access tokens from the profile page. Change-Id: I13581b4e77bfa77bf11dbb732900012dd1e50ede Reviewed-on: https://gerrit.instructure.com/3775 Tested-by: Hudson <hudson@instructure.com> Reviewed-by: Zach Wily <zach@instructure.com> 2011-05-27 07:41:43 +08:00			`end`
Initial commit. closes #6988138 2011-02-01 09:57:29 +08:00			`end`
oauth2 web app flow, refs #5029 accepts a redirect_uri to return the code to, in addition to the OOB uri support. matches the redirect_uri domain host against the one stored on the developer key. this doesn't yet include a UI for registering developer keys. Change-Id: I6fbfe6ff3dbd6ebea9c2f9fc5ce3e45447a1cbc8 Reviewed-on: https://gerrit.instructure.com/4963 Tested-by: Hudson <hudson@instructure.com> Reviewed-by: Zach Wily <zach@instructure.com> 2011-08-23 03:35:03 +08:00
			`# verify that the given uri has the same domain as this key's`
			`# redirect_uri domain.`
			`def redirect_domain_matches?(redirect_uri)`
			`self_domain = URI.parse(self.redirect_uri).host`
			`other_domain = URI.parse(redirect_uri).host`
allow sub-domains to match the redirect_uri on the developer key fixes #9995 also validates_as_url the redirect_uri, sometimes people were leaving off the http:// part when setting up the key test plan: set up a developer key with a given domain. kick off an oauth request flow with redirect_uri equal to that domain, it should be accepted. use a sub-domain of that domain, it should also be accepted. use a higher-level domain, it should not be accepted. Change-Id: I55510f463b1faa3339b9908f9941715d93de5a16 Reviewed-on: https://gerrit.instructure.com/12980 Tested-by: Jenkins <jenkins@instructure.com> Reviewed-by: Cody Cutrer <cody@instructure.com> 2012-08-17 05:25:50 +08:00			`return self_domain.present? && (self_domain == other_domain \|\| other_domain.end_with?(".#{self_domain}"))`
oauth2 web app flow, refs #5029 accepts a redirect_uri to return the code to, in addition to the OOB uri support. matches the redirect_uri domain host against the one stored on the developer key. this doesn't yet include a UI for registering developer keys. Change-Id: I6fbfe6ff3dbd6ebea9c2f9fc5ce3e45447a1cbc8 Reviewed-on: https://gerrit.instructure.com/4963 Tested-by: Hudson <hudson@instructure.com> Reviewed-by: Zach Wily <zach@instructure.com> 2011-08-23 03:35:03 +08:00			`rescue URI::InvalidURIError`
			`return false`
			`end`
Initial commit. closes #6988138 2011-02-01 09:57:29 +08:00			`end`