canvas-lms/Gemfile.d/app.rb

Ignoring revisions in .git-blame-ignore-revs. Click here to bypass and see the normal blame view.

202 lines
6.4 KiB
Ruby
Raw Normal View History

# frozen_string_literal: true
#
# Copyright (C) 2014 - present Instructure, Inc.
#
# This file is part of Canvas.
#
# Canvas is free software: you can redistribute it and/or modify it under
# the terms of the GNU Affero General Public License as published by the Free
# Software Foundation, version 3 of the License.
#
# Canvas is distributed in the hope that it will be useful, but WITHOUT ANY
# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR
# A PARTICULAR PURPOSE. See the GNU Affero General Public License for more
# details.
#
# You should have received a copy of the GNU Affero General Public License along
# with this program. If not, see <http://www.gnu.org/licenses/>.
# NOTE: Indented gems are meant to indicate optional dependencies of parent gems
def gem_override(name, version)
if File.directory?("vendor/#{name}")
gem name, path: "vendor/#{name}"
else
gem name, version
end
end
gem "bootsnap", "1.13.0", require: false
gem "rails", "7.0.3"
gem "tzinfo", "2.0.4"
gem_override "switchman", "3.3.7"
gem "guardrail", "3.0.2"
gem_override "switchman-inst-jobs", "4.0.13"
gem "irb", "1.4.1"
gem "academic_benchmarks", "1.1.2", require: false
gem "active_model-better_errors", "1.6.7", require: "active_model/better_errors"
gem "active_model_serializers", "0.9.0alpha1",
github: "rails-api/active_model_serializers", ref: "61882e1e4127facfe92e49057aec71edbe981829"
gem "activerecord-pg-extensions", "0.4.4"
gem "addressable", "2.7.0", require: false
gem "after_transaction_commit", "2.2.2"
gem "authlogic", "6.4.2"
gem "scrypt", "3.0.7"
gem "aws-sdk-core", "3.168.4", require: false
gem "aws-sdk-dynamodb", "1.80.0"
gem "aws-sdk-kinesis", "1.43.0", require: false
gem "aws-sdk-s3", "1.117.2", require: false
gem "aws-sdk-sns", "1.57.0", require: false
gem "aws-sdk-sqs", "1.52.1", require: false
gem "aws-sdk-kms", "1.61.0", require: false
gem "aws-sigv4", "1.5.2", require: false
gem "barby", "0.6.8", require: false
gem "rqrcode", "1.2.0", require: false
gem "chunky_png", "1.4.0", require: false
gem "bcrypt", "3.1.16"
gem "bigdecimal", "3.1.3"
gem "browser", "5.1.0", require: false
gem "builder", "3.2.4"
gem "business_time", "0.13.0"
gem "canvas_connect", "0.3.16"
gem "canvas_webex", "0.18.2"
gem "crocodoc-ruby", "0.0.1", require: false
gem "ddtrace", "0.42.0", require: false
gem "docx", "0.6.2"
gem "encrypted_cookie_store-instructure", "1.2.12", require: "encrypted_cookie_store"
gem "folio-pagination", "0.0.12", require: "folio/rails"
gem "ffi", "1.14.2", require: false
gem "gepub", "1.0.15"
gem "apollo-federation", "1.1.5"
upgrade graphql gem to latest fixes INTEROP-6951 upgrade required some tweaks including the following: - `GraphQL::Execution::Interpreter` removed from CanvasSchema because it is now included in GraphQL::Schema by default - `BaseMutation.input_type` adds arguments properly instead of using `merge!`, which blows up because `own_arguments` is a frozen Hash. (see https://github.com/rmosolgo/graphql-ruby/commit/55a955a84) - `NotificationPreferencesContextType` gets defined just once to avoid errors from specifying dupicate enum values each time its reopened - `.graphql_name` needed in a couple of places where `.name` (or implicit `.to_s` from string interpolation) previously worked. (see https://github.com/rmosolgo/graphql-ruby/blob/master/CHANGELOG.md#breaking-changes-14) - `GraphQL::Schema` uses the new `GrpahQL::Pagination::Connections` connections by default (previously `GraphQL::Relay::BaseConnection`), so our custom `PatchedArrayConnection` and `DynamoConnection` classes got redone in accordance with the new interface. - https://github.com/rmosolgo/graphql-ruby/pull/2792 made it so argument names are used as-specified, while previously they were automatically snake-cased. so the `gradingPeriodId` argument of `AssignmentFilterInputType` is now specified in snake-case, and everyone is happy. (note that in the generated GQL schema definition, it remains camel-cased, so the client interface is unchanged). - some sloppy queries in specs have been cleaned up because the GQL parser has been tightened up and was no longer recognizing them. also, unrelated to the gem bump, but the inst_access_tokens route was typo'd as a singular. here it's corrected to the plural. test plan: - since it's just a version bump, spec coverage should be sufficient Change-Id: Ib73eed4c1356833dfe245188b0841c98ae2c378a Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/270132 Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com> Reviewed-by: Ethan Vizitei <evizitei@instructure.com> QA-Review: Michael Ziwisky <mziwisky@instructure.com> Product-Review: Michael Ziwisky <mziwisky@instructure.com>
2021-07-28 13:49:16 +08:00
gem "graphql", "1.12.14"
gem "graphql-batch", "0.4.3"
gem "hashery", "2.1.2", require: false
gem "highline", "2.0.3", require: false
gem "httparty", "0.18.1"
gem "i18n", "1.9.1"
gem "i18nliner", "0.2.2", github: "instructure/i18nliner", ref: "ruby3"
gem "icalendar", "2.7.0", require: false
gem "diplomat", "2.6.3", require: false
gem "ims-lti", "2.3.3", require: "ims"
gem "rrule", "0.4.4", require: false
Convert newlines to CRLFs in params used in signature base strings LTI 1 launches (and LTI 2 launches using the same OAuth 1 signature method) use a form with hidden fields to send the parameters to the LTI tool. Browsers always send newlines in hidden input fields (i.e. params encoded as form data) as carriage return + line feed (%0D%0A = "\r\n"). As a result, if any launch parameters include newlines, the tool will get "%0D%0A" in the query params for them. Currently, though, we calculate the base string as if the newlines in the parameters are just "%0A". This commit changes the newlines to CRLF before-hand to simulate what browsers do. (I then use the CRLF'd version for the actual parameters ... this eliminates any possibility of any differences due to weird mixed LF and CRLF endings or anything, and browsers don't add extra CRs if endings are already CRLF.) refs INTEROP-7387 flag=none Test plan: ** SETUP ** - on line 210 of app/controllers/lti/message_controller.rb, right before the end of the lti2_basic_launch method, add the following line: Lti::Logging.lti_1_launch_generated(message.message_authenticator.base_string) - have the following LTI tools installed: - an LTI 2 tool with the Canvas.placements.similarityDetection placement (that should be in the MessageHandler's 'capabilities') - an LTI 1 tool with extension_setting "oauth_compliant" - an LTI 1 tool without extension_setting "oauth_compliant" (and double-check sure disable_lti_post_only "Don't Move LTI Query Params to POST Body" feature flag is off) - For the LTI 2 tool, add "ResourceLink.description" to the MessageHandler's "capabilities". - For the LTI 1 tools, have a custom parameter with the value "$ResourceLink.description" (there might be a way to sent this as resourcelink_description instead of a custom parameter, I don't know what it is) and give it the similarity_detection placement - Open the copyasfetch_verify_oauth_signature.rb script (attached to the ticket). Find the secrets for your LTI 1 and LTI 2 tools as described in the script. Adjust the `secret_for_url()` method there for your tools. ** LAUNCHING AND TESTING ** - Launch the tools in the following ways in a browser that supports "copy as fetch" (Chrome and Firefox do). (Note that you don't need the tools running / working, we just need to look at the launch.) - for the LTI 2 tools and LTI 1 tools, create a new assignment. In the text field add some bullet points. Under Submission Type choose Online -> Text Entry. Then choose the tool in the Similarity Detection dropdown. The tool will launch. - For the LTI 1 tools, also make assignments with the description with bullet points but of type LTI assignment by choosing the tool. Then launch the assignment. - For each launch, verify the base string for the launch as follows. - In the logs, the base string is logged: grep base.string log/development.log Check that newlines are encoded as %0D%0A (which when double-encoded in the base string is %250D%250A). If you want, to unencode one level you can use: ruby -e 'require "cgi"; puts CGI.unescape(ARGF.read.split("&").last)' - Go to dev tools, find the launch in the Network tab, right click and choose "copy as fetch". Save to a file and pipe into the copyasfetch_verify_oauth_signature.rb script. It will tell you if the expected signature matches the one used in the launch. Also verify that the base string used includes CRLFs, i.e. "%250D%250A". Change-Id: I7d70f7740612ad25cb3ff61940d05e97a5a87aea Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/290806 Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com> Product-Review: Alexis Nast <alexis.nast@instructure.com> Reviewed-by: Xander Moffatt <xmoffatt@instructure.com> QA-Review: Xander Moffatt <xmoffatt@instructure.com>
2022-04-29 21:34:21 +08:00
gem "inst_access", "0.1.1"
gem "inst_statsd", "2.2.0"
gem_override "inst-jobs", "3.1.6"
gem "inst-jobs-autoscaling", "2.1.1"
gem "inst-jobs-statsd", "2.2.0"
# if updating json gem it will need to be hotfixed because if a newer version of
# the json gem is installed, it will always use that one even before bundler
# gets activated. Updating the gem in it's own commit will make this easier.
gem "json", "~> 2.6.1"
gem "json_schemer", "0.2.16", github: "robotdana/json_schemer", ref: "0d2ac359a87964f74c07a14cafeb98cfcae4e29f"
gem "json-jwt", "1.13.0", require: false
gem "link_header", "0.0.8"
gem "mail", "2.7.1", require: false
gem "marginalia", "1.11.1", require: false
gem "mime-types", "3.3.1"
gem "mini_magick", "4.11.0"
gem "multi_json", "1.15.0"
gem "net-ldap", "0.16.3", require: false
gem "net-imap", "0.2.3", require: false
gem "net-pop", "0.1.1", require: false
gem "net-smtp", "0.3.1", require: false
gem "nokogiri", "1.13.8", require: false
gem "oauth", "0.5.4", require: false
gem "oauth2", "1.4.4", require: false
gem "oj", "3.10.16"
gem "outrigger", "3.0.1"
gem "pdf-reader", "2.5.0"
gem "pg_query", "2.2.0"
gem "prawn-rails", "1.3.0"
gem "matrix", "0.4.2" # Used to be a default gem but is no more, but prawn depends on it implicitly
gem "prosopite", "~> 1.3"
gem "rack", "2.2.3"
gem "rack-brotli", "1.0.0"
gem "rack-test", "1.1.0"
gem "rake", "~> 13.0"
gem "rails-observers", "0.1.5"
gem "ratom-nokogiri", "0.10.11", require: false
gem "redcarpet", "3.5.0", require: false
gem "retriable", "1.4.1"
gem "ritex", "1.0.1", require: false
gem "rotp", "6.2.0", require: false
gem "rss", "0.2.9", require: false
gem "ruby-duration", "3.2.3", require: false
gem "ruby2_keywords", "0.0.3"
gem "rubycas-client", "2.3.9", require: false
gem "ruby-rtf", "0.0.5"
gem "rubyzip", "2.3.0", require: "zip"
gem "saml2", "3.1.2"
gem "sanitize", "6.0.0", require: false
gem "sentry-ruby", "5.1.0"
gem "sentry-rails", "5.1.0"
gem "sentry-inst_jobs", "1.0.2"
gem "simple_oauth", "0.3.1", require: false
gem "twilio-ruby", "5.36.0", require: false
gem "vault", "0.15.0", require: false
gem "vericite_api", "1.5.3"
gem "wcag_color_contrast", "0.1.0"
gem "week_of_month", "1.2.5",
github: "instructure/week-of-month", ref: "b3013639e9474f302b5a6f27e4e45313e8d24902"
gem "will_paginate", "3.3.0", require: false # required for folio-pagination
gem "faraday", "0.17.4"
path "engines" do
gem "audits"
end
path "gems" do
gem "activesupport-suspend_callbacks"
gem "acts_as_list"
gem "adheres_to_policy"
gem "attachment_fu"
gem "autoextend"
gem "bookmarked_collection"
gem "broadcast_policy"
gem "canvas_breach_mitigation"
gem "canvas_cache"
gem "canvas_color"
gem "canvas_crummy"
gem "canvas_dynamodb"
gem "canvas_errors"
gem "canvas_ext"
gem "canvas_http"
gem "canvas_kaltura"
gem "canvas_panda_pub"
gem "canvas_partman"
gem "canvas_mimetype_fu"
gem "canvas_quiz_statistics"
gem "canvas_sanitize"
gem "canvas_security"
gem "canvas_slug"
gem "canvas_sort"
gem "canvas_stringex"
gem "canvas_text_helper"
gem "canvas_time"
gem "canvas_unzip"
gem "config_file"
gem "csv_diff"
gem "diigo"
gem "dynamic_settings"
gem "event_stream"
gem "google_drive"
gem "html_text_helper"
gem "incoming_mail_processor"
gem "json_token"
gem "linked_in"
gem "live_events"
gem "lti-advantage"
gem "lti_outbound"
gem "multipart"
gem "paginated_collection"
gem "request_context"
gem "stringify_ids"
gem "turnitin_api"
gem "twitter"
gem "utf8_cleaner"
gem "workflow"
end