ylqjgm
/
canvas-lms
mirror of https://github.com/instructure/canvas-lms.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
canvas-lms/lib/canvas/oauth/key_storage.rb

24 lines
805 B
Ruby
Raw Normal View History

add # frozen_string_literal: true for lib Change-Id: I59b751cac52367a89e03f572477f0cf1d607b405 Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/251155 Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com> Reviewed-by: Simon Williams <simon@instructure.com> QA-Review: Cody Cutrer <cody@instructure.com> Product-Review: Cody Cutrer <cody@instructure.com>
2020-10-27 00:50:13 +08:00
# frozen_string_literal: true
Canvas Creates Private-Public Key Pair & Copy into JWK Format Closes PLAT-3503 & PLAT-3504 Test Plan - Verify Lti::RSAKeyPair can generate a private and a public key - Verify the key pair can be read but not modified - Verify the keys got copied into JWK format correctly Change-Id: If83edebfbf631815e3078031623d6dead52017ec Reviewed-on: https://gerrit.instructure.com/154187 Reviewed-by: Marc Alan Phillips <mphillips@instructure.com> Tested-by: Jenkins QA-Review: Marc Alan Phillips <mphillips@instructure.com> Product-Review: Han Ngo <hngo@instructure.com>
2018-06-19 02:09:53 +08:00
#
extend client_credentials oauth2 grants for CD2 refs SAS-1540 * adds an audience setting to developer keys, so a key can be set to target external audiences with its credentials grants * when a key with an external audience grants credentials, the token is signed with an asymmetric key instead of the internal symmetric key * external audiences can retrieve the corresponding public keys from /login/oauth2/jwks * credentials issued by developer keys with an account id include the account's guid in a custom claim includes a refactor of key storage and rotation in consul, which had already been done for LTI. but it wasn't really a feature of lti, just something used by LTI, and we needed the same for key management for this. moved it to be part of Canvas::Security Change-Id: Ie5c0fcee6fc21687f31c109389a3bcc1ed349c5d Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/243606 QA-Review: Jonathan Featherstone <jfeatherstone@instructure.com> Reviewed-by: Jonathan Featherstone <jfeatherstone@instructure.com> Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com> Product-Review: Jacob Fugal <jacob@instructure.com>
2020-07-17 03:36:03 +08:00
# Copyright (C) 2020 - present Instructure, Inc.
Canvas Creates Private-Public Key Pair & Copy into JWK Format Closes PLAT-3503 & PLAT-3504 Test Plan - Verify Lti::RSAKeyPair can generate a private and a public key - Verify the key pair can be read but not modified - Verify the keys got copied into JWK format correctly Change-Id: If83edebfbf631815e3078031623d6dead52017ec Reviewed-on: https://gerrit.instructure.com/154187 Reviewed-by: Marc Alan Phillips <mphillips@instructure.com> Tested-by: Jenkins QA-Review: Marc Alan Phillips <mphillips@instructure.com> Product-Review: Han Ngo <hngo@instructure.com>
2018-06-19 02:09:53 +08:00
#
# This file is part of Canvas.
#
# Canvas is free software: you can redistribute it and/or modify it under
# the terms of the GNU Affero General Public License as published by the Free
# Software Foundation, version 3 of the License.
#
# Canvas is distributed in the hope that it will be useful, but WITHOUT ANY
# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR
# A PARTICULAR PURPOSE. See the GNU Affero General Public License for more
# details.
#
# You should have received a copy of the GNU Affero General Public License along
# with this program. If not, see <http://www.gnu.org/licenses/>.
#
inflect OAuth for zeitwerk refs FOO-2476 flag=none TEST PLAN: 1) specs pass Change-Id: I9f73e0021f5efec2be3c2f419e758baf00e6914f Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/275642 Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com> Reviewed-by: Jacob Burroughs <jburroughs@instructure.com> QA-Review: Ethan Vizitei <evizitei@instructure.com> Product-Review: Ethan Vizitei <evizitei@instructure.com>
2021-10-12 06:05:09 +08:00
module Canvas::OAuth
Add asymmetric encryption for service tokens refs FOO-2410 test plan: - in dynamic_settings.yml, add the following block: ``` store: canvas: services-jwt: # these are all the same JWK but with different kid # to generate a new key, run the following in a Canvas console: # # key = OpenSSL::PKey::RSA.generate(2048) # key.public_key.to_jwk(kid: Time.now.utc.iso8601).to_json jwk-past.json: "{\"kty\":\"RSA\",\"e\":\"AQAB\",\"n\":\"uX1MpfEMQCBUMcj0sBYI-iFaG5Nodp3C6OlN8uY60fa5zSBd83-iIL3n_qzZ8VCluuTLfB7rrV_tiX727XIEqQ\",\"kid\":\"2018-05-18T22:33:20Z_a\",\"d\":\"pYwR64x-LYFtA13iHIIeEvfPTws50ZutyGfpHN-kIZz3k-xVpun2Hgu0hVKZMxcZJ9DkG8UZPqD-zTDbCmCyLQ\",\"p\":\"6OQ2bi_oY5fE9KfQOcxkmNhxDnIKObKb6TVYqOOz2JM\",\"q\":\"y-UBef95njOrqMAxJH1QPds3ltYWr8QgGgccmcATH1M\",\"dp\":\"Ol_xkL7rZgNFt_lURRiJYpJmDDPjgkDVuafIeFTS4Ic\",\"dq\":\"RtzDY5wXr5TzrwWEztLCpYzfyAuF_PZj1cfs976apsM\",\"qi\":\"XA5wnwIrwe5MwXpaBijZsGhKJoypZProt47aVCtWtPE\"}" jwk-present.json: "{\"kty\":\"RSA\",\"e\":\"AQAB\",\"n\":\"uX1MpfEMQCBUMcj0sBYI-iFaG5Nodp3C6OlN8uY60fa5zSBd83-iIL3n_qzZ8VCluuTLfB7rrV_tiX727XIEqQ\",\"kid\":\"2018-06-18T22:33:20Z_b\",\"d\":\"pYwR64x-LYFtA13iHIIeEvfPTws50ZutyGfpHN-kIZz3k-xVpun2Hgu0hVKZMxcZJ9DkG8UZPqD-zTDbCmCyLQ\",\"p\":\"6OQ2bi_oY5fE9KfQOcxkmNhxDnIKObKb6TVYqOOz2JM\",\"q\":\"y-UBef95njOrqMAxJH1QPds3ltYWr8QgGgccmcATH1M\",\"dp\":\"Ol_xkL7rZgNFt_lURRiJYpJmDDPjgkDVuafIeFTS4Ic\",\"dq\":\"RtzDY5wXr5TzrwWEztLCpYzfyAuF_PZj1cfs976apsM\",\"qi\":\"XA5wnwIrwe5MwXpaBijZsGhKJoypZProt47aVCtWtPE\"}" jwk-future.json: "{\"kty\":\"RSA\",\"e\":\"AQAB\",\"n\":\"uX1MpfEMQCBUMcj0sBYI-iFaG5Nodp3C6OlN8uY60fa5zSBd83-iIL3n_qzZ8VCluuTLfB7rrV_tiX727XIEqQ\",\"kid\":\"2018-07-18T22:33:20Z_c\",\"d\":\"pYwR64x-LYFtA13iHIIeEvfPTws50ZutyGfpHN-kIZz3k-xVpun2Hgu0hVKZMxcZJ9DkG8UZPqD-zTDbCmCyLQ\",\"p\":\"6OQ2bi_oY5fE9KfQOcxkmNhxDnIKObKb6TVYqOOz2JM\",\"q\":\"y-UBef95njOrqMAxJH1QPds3ltYWr8QgGgccmcATH1M\",\"dp\":\"Ol_xkL7rZgNFt_lURRiJYpJmDDPjgkDVuafIeFTS4Ic\",\"dq\":\"RtzDY5wXr5TzrwWEztLCpYzfyAuF_PZj1cfs976apsM\",\"qi\":\"XA5wnwIrwe5MwXpaBijZsGhKJoypZProt47aVCtWtPE\"}" ``` - Ensure /internal/services/jwks loads correctly - In console, ensure `CanvasSecurity::ServicesJwt.decrypt(Base64.decode64(CanvasSecurity::ServicesJwt.for_user('localhost', User.first)))` and `CanvasSecurity::ServicesJwt.decrypt(Base64.decode64(CanvasSecurity::ServicesJwt.for_user('localhost', User.first, symmetric: true)))` both work and produce sensible looking output Change-Id: I13c6c35cc92ed12d03bf97e89e590614e11c6d47 Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/275160 QA-Review: August Thornton <august@instructure.com> Product-Review: August Thornton <august@instructure.com> Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com> Reviewed-by: Ethan Vizitei <evizitei@instructure.com> Reviewed-by: Evan Battaglia <ebattaglia@instructure.com>
2021-10-05 03:20:31 +08:00
KeyStorage = CanvasSecurity::KeyStorage.new('oauth2-asymmetric')
Run Key Rotation Script as a Periodic Job in Canvas Closes PLAT-3508 & PLAT-3509 Test Plan: - Verify the key rotate correctly (set current to past, future to current, and the new key to future) in both cases: when there is no existing key AND when there is key already in Consul - Verify the script will be running every month - Verify the keys got rotated using Imperium gem version '0.4.0' Change-Id: I630f230b3cd1c515ebb266b532901b4260622173 Reviewed-on: https://gerrit.instructure.com/154529 Reviewed-by: Stewie aka Nicholas Stewart <nstewart@instructure.com> QA-Review: Nathan Mills <nathanm@instructure.com> Product-Review: Nathan Mills <nathanm@instructure.com> Tested-by: Jenkins
2018-07-03 06:47:19 +08:00
end