ylqjgm
/
canvas-lms
mirror of https://github.com/instructure/canvas-lms.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
canvas-lms/lib/token_scopes.rb

Ignoring revisions in .git-blame-ignore-revs. Click here to bypass and see the normal blame view.

129 lines
6.7 KiB
Ruby
Raw Normal View History

add # frozen_string_literal: true for lib Change-Id: I59b751cac52367a89e03f572477f0cf1d607b405 Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/251155 Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com> Reviewed-by: Simon Williams <simon@instructure.com> QA-Review: Cody Cutrer <cody@instructure.com> Product-Review: Cody Cutrer <cody@instructure.com>
2020-10-27 00:50:13 +08:00
# frozen_string_literal: true
Add route scope enforcement to application controller fixes PLAT-3176 fixes PLAT-3179 fixes PLAT-3181 fixes PLAT-3177 Test plan: * Create a DeveloperKey * Create an AccessToken * Ensure that everything can be accessed as normal * Set require_scopes to true on the DeveloperKey * Ensure that nothing can be accessed * Add some scopes to the AccessToken from the list of available scopes TokenScopes::SCOPES * Ensure that the endpoints associated with those requests work but that others don't * Ensure that HEAD requests work for GET endpoints * Ensure all api endpoints behave normally when scopes are not turned on for developer key Change-Id: I0e7c1758ae2d51743490f243cfa21714255c8109 Reviewed-on: https://gerrit.instructure.com/143026 Tested-by: Jenkins Reviewed-by: Simon Williams <simon@instructure.com> Reviewed-by: Nathan Mills <nathanm@instructure.com> QA-Review: August Thornton <august@instructure.com> Reviewed-by: Rob Orton <rob@instructure.com> Product-Review: Karl Lloyd <karl@instructure.com>
2018-03-09 04:46:40 +08:00
#
# Copyright (C) 2018 - present Instructure, Inc.
#
# This file is part of Canvas.
#
# Canvas is free software: you can redistribute it and/or modify it under
# the terms of the GNU Affero General Public License as published by the Free
# Software Foundation, version 3 of the License.
#
# Canvas is distributed in the hope that it will be useful, but WITHOUT ANY
# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR
# A PARTICULAR PURPOSE. See the GNU Affero General Public License for more
# details.
#
# You should have received a copy of the GNU Affero General Public License along
# with this program. If not, see <http://www.gnu.org/licenses/>.
#
class TokenScopes
refactor scopes api endpoint to allow grouping refs PLAT-3024 test plan: * request the scopes from api/v1/accounts/:account_id/scopes - you should get back a json object that matches the documentation * request the scopes from api/v1/accounts/:account_id/scopes passing the query param "group_by=resources" - you should get back a json object with the scopes grouped by resource Change-Id: I4562121a44e3baccc7de8e56e19629377f1931df Reviewed-on: https://gerrit.instructure.com/148623 Reviewed-by: Marc Alan Phillips <mphillips@instructure.com> Tested-by: Jenkins Reviewed-by: Andrew Butterfield <abutterfield@instructure.com> QA-Review: August Thornton <august@instructure.com> Product-Review: Nathan Mills <nathanm@instructure.com>
2018-05-01 03:02:37 +08:00
OAUTH2_SCOPE_NAMESPACE = "/auth/"
USER_INFO_SCOPE = {
add lookup class for scope resource names fixes PLAT-3311 test plan: * run the rake task "doc:api" * request the scopes from api/v1/accounts/:account_id/scopes - you should get back a json object that includes the localized name * request the scopes from api/v1/accounts/:account_id/scopes passing the query param "group_by=resources_name" - you should get back a json object with the scopes grouped by localized resource_name Change-Id: I2cab1822baef7cdda6471096153d60d4f7fe1e2b Reviewed-on: https://gerrit.instructure.com/150233 Tested-by: Jenkins Reviewed-by: Marc Alan Phillips <mphillips@instructure.com> QA-Review: August Thornton <august@instructure.com> Product-Review: Jesse Poulos <jpoulos@instructure.com>
2018-05-15 05:32:44 +08:00
resource: :oauth2,
refactor scopes api endpoint to allow grouping refs PLAT-3024 test plan: * request the scopes from api/v1/accounts/:account_id/scopes - you should get back a json object that matches the documentation * request the scopes from api/v1/accounts/:account_id/scopes passing the query param "group_by=resources" - you should get back a json object with the scopes grouped by resource Change-Id: I4562121a44e3baccc7de8e56e19629377f1931df Reviewed-on: https://gerrit.instructure.com/148623 Reviewed-by: Marc Alan Phillips <mphillips@instructure.com> Tested-by: Jenkins Reviewed-by: Andrew Butterfield <abutterfield@instructure.com> QA-Review: August Thornton <august@instructure.com> Product-Review: Nathan Mills <nathanm@instructure.com>
2018-05-01 03:02:37 +08:00
verb: "GET",
scope: "#{OAUTH2_SCOPE_NAMESPACE}userinfo"
}.freeze
extend client_credentials oauth2 grants for CD2 refs SAS-1540 * adds an audience setting to developer keys, so a key can be set to target external audiences with its credentials grants * when a key with an external audience grants credentials, the token is signed with an asymmetric key instead of the internal symmetric key * external audiences can retrieve the corresponding public keys from /login/oauth2/jwks * credentials issued by developer keys with an account id include the account's guid in a custom claim includes a refactor of key storage and rotation in consul, which had already been done for LTI. but it wasn't really a feature of lti, just something used by LTI, and we needed the same for key management for this. moved it to be part of Canvas::Security Change-Id: Ie5c0fcee6fc21687f31c109389a3bcc1ed349c5d Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/243606 QA-Review: Jonathan Featherstone <jfeatherstone@instructure.com> Reviewed-by: Jonathan Featherstone <jfeatherstone@instructure.com> Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com> Product-Review: Jacob Fugal <jacob@instructure.com>
2020-07-17 03:36:03 +08:00
# Allows interaction with Canvas Data service
CD2_SCOPE = {
resource: :peer_services,
verb: "GET",
scope: "cd2"
}.freeze
Enforce Tool-Course visibility rules in NRPS V2 calls - NRPS v2 invocations referencing a `Course` Context now attempt to resolve a `ContextExternalTool` (CET) given the JWT `AccessToken` attached to the request. In order to return memberships, that CET must be active and must either be bound directly to the `Course` or to an `Account` in the `Course`'s' `Account` chain. - `AccessToken` must be associated with an active `DeveloperKey` (DK), and the search for the "operative" CET for the current request is executed against that DK's list of active CETs. - `Course`-level CETs are preferred, followed by `Account`-level CETs. - LTI 1.3/Advantage features must be turned on at the CET and root `Account` levels. - The `AccessToken`'s'JWT signature and security claims are not themselves validated... that comes later. - `Group` Context support also comes later. Closes LTIA-26 Test Plan: - Via Rails console create a `DeveloperKey` associated with the public key of a Tool configured in the IMS LTI 1.3/Advantage Reference Implementation (RI) and the root `Account` in your env - Via Rails console, create a LTI 1.3-enabled `ContextExternalTool` with a `course_navigation` placement and linked to the just-created `DeveloperKey` and its `Account` - For a `Course` owned by this `Account`, verify that direct invocations of the NRPS v2 API. (`GET /api/lti/courses/:course_id/names_and_roles`) fail with a 401 and a message complaining about a missing access token. - Navigate to the `Course` and click the newly created nav link, which should successfully launch the RI. - Click the 'Request Names and Roles' link in the RI. Verify course is reported in the NRPS v2 format. - Deactivate the `DeveloperKey`. Click 'Request Names and Roles' link in the RI. Verify a (non-descript) on-screen error message. - Re-enable the `DeveloperKey` and re-verify the same behavior for a `Course` associated with a sub-`Account`. - Delete the CET, verify that NRPS v2 invocations from the RI fail. - Via Rails console, create a new CET linked to the same `DeveloperKey`, but now attached to the sub-`Account` `Course`. - Re-verify NRPS v2 invocation from the RI. - *Consult JIRA for full acceptance criteria. Change-Id: Ie9625ea8d6ce5e6f59e3c7ce1d10d0a47291afa4 Reviewed-on: https://gerrit.instructure.com/167183 Tested-by: Jenkins QA-Review: Samuel Barney <sbarney@instructure.com> Reviewed-by: Marc Phillips <mphillips@instructure.com> Product-Review: Karl Lloyd <karl@instructure.com>
2018-10-03 11:23:45 +08:00
LTI_AGS_LINE_ITEM_SCOPE = "https://purl.imsglobal.org/spec/lti-ags/scope/lineitem"
LTI_AGS_LINE_ITEM_READ_ONLY_SCOPE = "https://purl.imsglobal.org/spec/lti-ags/scope/lineitem.readonly"
LTI_AGS_RESULT_READ_ONLY_SCOPE = "https://purl.imsglobal.org/spec/lti-ags/scope/result.readonly"
LTI_AGS_SCORE_SCOPE = "https://purl.imsglobal.org/spec/lti-ags/scope/score"
expose Progress API as an LTI endpoint closes INTEROP-6474 flag=none test plan: * in the lti-1.3-test-tool repo, check out these commits: * https://gerrit.instructure.com/c/lti-1.3-test-tool/+/259061 * https://gerrit.instructure.com/c/lti-1.3-test-tool/+/259062 * using the AGS UI of the test tool, * with an assignment that has a line item already * post a Score object using that API, and check the box to include a file content item * the returned json should include the file content item, and a progress url * using the id from the progress url, fetch a Progress object using the AGS UI, providing the same credential and context ids * (optional) enable InstFS locally and repeat the same process Change-Id: Ieacc71cd612acf2fdf5c7e72293135796928877e Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/259064 Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com> Reviewed-by: Wagner Goncalves <wagner.goncalves@instructure.com> QA-Review: Wagner Goncalves <wagner.goncalves@instructure.com> Product-Review: Xander Moffatt <xmoffatt@instructure.com>
2021-02-19 05:04:01 +08:00
LTI_AGS_SHOW_PROGRESS_SCOPE = "https://canvas.instructure.com/lti-ags/progress/scope/show"
Enforce Tool-Course visibility rules in NRPS V2 calls - NRPS v2 invocations referencing a `Course` Context now attempt to resolve a `ContextExternalTool` (CET) given the JWT `AccessToken` attached to the request. In order to return memberships, that CET must be active and must either be bound directly to the `Course` or to an `Account` in the `Course`'s' `Account` chain. - `AccessToken` must be associated with an active `DeveloperKey` (DK), and the search for the "operative" CET for the current request is executed against that DK's list of active CETs. - `Course`-level CETs are preferred, followed by `Account`-level CETs. - LTI 1.3/Advantage features must be turned on at the CET and root `Account` levels. - The `AccessToken`'s'JWT signature and security claims are not themselves validated... that comes later. - `Group` Context support also comes later. Closes LTIA-26 Test Plan: - Via Rails console create a `DeveloperKey` associated with the public key of a Tool configured in the IMS LTI 1.3/Advantage Reference Implementation (RI) and the root `Account` in your env - Via Rails console, create a LTI 1.3-enabled `ContextExternalTool` with a `course_navigation` placement and linked to the just-created `DeveloperKey` and its `Account` - For a `Course` owned by this `Account`, verify that direct invocations of the NRPS v2 API. (`GET /api/lti/courses/:course_id/names_and_roles`) fail with a 401 and a message complaining about a missing access token. - Navigate to the `Course` and click the newly created nav link, which should successfully launch the RI. - Click the 'Request Names and Roles' link in the RI. Verify course is reported in the NRPS v2 format. - Deactivate the `DeveloperKey`. Click 'Request Names and Roles' link in the RI. Verify a (non-descript) on-screen error message. - Re-enable the `DeveloperKey` and re-verify the same behavior for a `Course` associated with a sub-`Account`. - Delete the CET, verify that NRPS v2 invocations from the RI fail. - Via Rails console, create a new CET linked to the same `DeveloperKey`, but now attached to the sub-`Account` `Course`. - Re-verify NRPS v2 invocation from the RI. - *Consult JIRA for full acceptance criteria. Change-Id: Ie9625ea8d6ce5e6f59e3c7ce1d10d0a47291afa4 Reviewed-on: https://gerrit.instructure.com/167183 Tested-by: Jenkins QA-Review: Samuel Barney <sbarney@instructure.com> Reviewed-by: Marc Phillips <mphillips@instructure.com> Product-Review: Karl Lloyd <karl@instructure.com>
2018-10-03 11:23:45 +08:00
LTI_NRPS_V2_SCOPE = "https://purl.imsglobal.org/spec/lti-nrps/scope/contextmembership.readonly"
Create Developer Key update endpoint for public_jwk update fixes PLAT-4492 Test Plan -Create test tool -Use tool to create developer key in canvas -Change tool credential oauth_client_id to match client id from developer key -Go to http://lti13testtool.docker/developer_key/update_public_jwk/21 -Verify that public JWK was changed: Change-Id: Ic09a665d4ab14d3423b7e4b2a3a51296c0617981 Reviewed-on: https://gerrit.instructure.com/194447 Tested-by: Jenkins Reviewed-by: Weston Dransfield <wdransfield@instructure.com> QA-Review: Weston Dransfield <wdransfield@instructure.com> Product-Review: Jesse Poulos <jpoulos@instructure.com>
2019-05-18 01:46:07 +08:00
LTI_UPDATE_PUBLIC_JWK_SCOPE = "https://canvas.instructure.com/lti/public_jwk/scope/update"
Account lookup endpoint for CDC Event Transformer Endpoint needed by CDC Event Tranformer to look up UUIDs for root accounts it hasn't seen. closes PLAT-5515 flag=none Test plan: - get an LTI Advantage token for a site admin dev key with the new scope. This can be done by adding logging to the live-events-lti tool (I think in app/services/access_token_service.rb#16) or using my cdc-event-transformer test in CanvasClientTest.java and printing out cc.getToken(). - hit the new endpoint with header "Authorization: Bearer MYACCESSTOKEN" web.canvas-lms.docker/api/lti/accounts/123 with varying values of account ID, including global IDs, accounts that do not exist, global IDs where the shard does not exist... - ideally we'd like to test that a dev key only available for one shard cannot access account info for another shard. This could be done by creating two dev keys that have the same ID but are on different shards, and use a token for one dev key to try to access an account on the other shard. This is probably hard to do locally though. I did test on prod that DeveloperKey#account_binding_for will return nil for an account in another shard even if there is a dev key with the same local ID in the account's shard that has access to it. Change-Id: I1299ebce9b94ce00d7cb62db01891b81908915ff Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/229580 Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com> Reviewed-by: Weston Dransfield <wdransfield@instructure.com> QA-Review: Xander Moffatt <xmoffatt@instructure.com> Product-Review: Evan Battaglia <ebattaglia@instructure.com>
2020-03-11 07:11:46 +08:00
LTI_ACCOUNT_LOOKUP_SCOPE = "https://canvas.instructure.com/lti/account_lookup/scope/show"
Add DataServices LTI integration refs PLAT-4757 Test Plan: - tests pass Change-Id: I695ce7c88e47a38115e397d4e29eccd9171e7bf2 Reviewed-on: https://gerrit.instructure.com/206063 Tested-by: Jenkins Reviewed-by: Weston Dransfield <wdransfield@instructure.com> QA-Review: Weston Dransfield <wdransfield@instructure.com> Product-Review: Marc Phillips <mphillips@instructure.com>
2019-08-22 01:21:07 +08:00
LTI_CREATE_DATA_SERVICE_SUBSCRIPTION_SCOPE = "https://canvas.instructure.com/lti/data_services/scope/create"
Add subscription show to LTI DataServices closes PLAT-4761 Test Plan: - see that a call to this endpoint will show a sub Change-Id: Ifc299aebe5cfbadaf82a1970f75ad182ffa31b29 Reviewed-on: https://gerrit.instructure.com/206489 Reviewed-by: Xander Moffatt <xmoffatt@instructure.com> Tested-by: Jenkins QA-Review: Marc Phillips <mphillips@instructure.com> Product-Review: Marc Phillips <mphillips@instructure.com>
2019-08-24 00:37:12 +08:00
LTI_SHOW_DATA_SERVICE_SUBSCRIPTION_SCOPE = "https://canvas.instructure.com/lti/data_services/scope/show"
Add update to LTI Data Services closes PLAT-4763 Test Plan: it updates the subscription Change-Id: I80289d2bea6c88b70726718cec7b9087e4879aa9 Reviewed-on: https://gerrit.instructure.com/206505 Reviewed-by: Xander Moffatt <xmoffatt@instructure.com> Tested-by: Jenkins QA-Review: Marc Phillips <mphillips@instructure.com> Product-Review: Marc Phillips <mphillips@instructure.com>
2019-08-24 01:18:18 +08:00
LTI_UPDATE_DATA_SERVICE_SUBSCRIPTION_SCOPE = "https://canvas.instructure.com/lti/data_services/scope/update"
add data services index action closes PLAT-4744 Test Plan: - see that the index action returns a list Change-Id: I92cc07c5476c7dd48202f38b62e09df6aa591b62 Reviewed-on: https://gerrit.instructure.com/206435 Reviewed-by: Weston Dransfield <wdransfield@instructure.com> Tested-by: Jenkins QA-Review: Marc Phillips <mphillips@instructure.com> Product-Review: Marc Phillips <mphillips@instructure.com>
2019-08-23 07:44:31 +08:00
LTI_LIST_DATA_SERVICE_SUBSCRIPTION_SCOPE = "https://canvas.instructure.com/lti/data_services/scope/list"
Add Data Services event subscription destroy closes PLAT-4819 Test Plan: n/a Change-Id: Ib5661b85af4e68048d44742f9ec8d273c79008b2 Reviewed-on: https://gerrit.instructure.com/206519 Tested-by: Jenkins QA-Review: Marc Phillips <mphillips@instructure.com> Product-Review: Marc Phillips <mphillips@instructure.com> Reviewed-by: Xander Moffatt <xmoffatt@instructure.com>
2019-08-24 01:42:38 +08:00
LTI_DESTROY_DATA_SERVICE_SUBSCRIPTION_SCOPE = "https://canvas.instructure.com/lti/data_services/scope/destroy"
Add event types index action to data services Closes PLAT-4766 Test Plan: - Configure Canvas to use the live events subscription service - Verify making a request to the new endpoint returns a categorized list of events - Verify the new endpoint uses LTI advantage authorization/authentication Change-Id: Id6f4ec2978e3a4542042bd821e408acfa566005c Reviewed-on: https://gerrit.instructure.com/207713 Tested-by: Jenkins Reviewed-by: Clint Furse <cfurse@instructure.com> QA-Review: Clint Furse <cfurse@instructure.com> Product-Review: Weston Dransfield <wdransfield@instructure.com>
2019-08-31 03:30:34 +08:00
LTI_LIST_EVENT_TYPES_DATA_SERVICE_SUBSCRIPTION_SCOPE = "https://canvas.instructure.com/lti/data_services/scope/list_event_types"
Add LTI advantage feature flag service Closes PLAT-4952 Test Plan: - Install an LTI 1.3 tool that uses the new scope and service endpoint - Make a request to the new endpoint specifying a feature flag that exists. Verify the feature flag is returned in the response with accurate data. - Make a request to the new endpoint specifying a feature flag that does not exist. Verify the service responds with a 404 - Verify the new endpoint adheres to LTI Advange authentication/authorization ( requres JWT access token, requres active developer key, etc.) Change-Id: Ifb876b541c237a3c9ca45270bafea5693d6a03eb Reviewed-on: https://gerrit.instructure.com/211196 Tested-by: Jenkins Reviewed-by: Clint Furse <cfurse@instructure.com> QA-Review: Clint Furse <cfurse@instructure.com> Product-Review: Weston Dransfield <wdransfield@instructure.com>
2019-09-25 09:30:37 +08:00
LTI_SHOW_FEATURE_FLAG_SCOPE = "https://canvas.instructure.com/lti/feature_flags/scope/show"
feat(LTI): Adds LTI API endpoint for listing external tools Fixes: CAL-30 flag = none Test Plan: - Check developer keys LTI page and make sure HIDDEN items do not show up (http://canvas.docker/accounts/1/developer_keys#lti_key_modal_opened) under "LTI Advantage Services" - Specs pass Change-Id: I8408be58124ef7e57804b5a66fef791608701f7b Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/235629 Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com> QA-Review: Aaron Ogata <aogata@instructure.com> Product-Review: Alex Slaughter <aslaughter@instructure.com> Reviewed-by: Weston Dransfield <wdransfield@instructure.com>
2020-04-29 19:00:03 +08:00
LTI_CREATE_ACCOUNT_EXTERNAL_TOOLS_SCOPE = "https://canvas.instructure.com/lti/account_external_tools/scope/create"
LTI_DESTROY_ACCOUNT_EXTERNAL_TOOLS_SCOPE = "https://canvas.instructure.com/lti/account_external_tools/scope/destroy"
LTI_LIST_ACCOUNT_EXTERNAL_TOOLS_SCOPE = "https://canvas.instructure.com/lti/account_external_tools/scope/list"
LTI_SHOW_ACCOUNT_EXTERNAL_TOOLS_SCOPE = "https://canvas.instructure.com/lti/account_external_tools/scope/show"
LTI_UPDATE_ACCOUNT_EXTERNAL_TOOLS_SCOPE = "https://canvas.instructure.com/lti/account_external_tools/scope/update"
add valid lti scopes to js env for dev key app * NOTE: does not contain any server-side validation of these scopes, just their definitions refs PLAT-3766 test plan: * load the developer keys page * open console, confirm `window.ENV.validLtiScopes` exists and contains the correct scopes from the ticket Change-Id: I376ce41bcfdfcc074ae3356956cae7b8dbffb1a5 Reviewed-on: https://gerrit.instructure.com/165945 Reviewed-by: Weston Dransfield <wdransfield@instructure.com> Tested-by: Jenkins Reviewed-by: Marc Alan Phillips <mphillips@instructure.com> QA-Review: Weston Dransfield <wdransfield@instructure.com> Product-Review: Xander Moffatt <xmoffatt@instructure.com>
2018-09-28 01:43:12 +08:00
LTI_SCOPES = {
Update wording for LTI Advantage messaging Wording is now more useful for admins to determine what permissions are being granted. closes PLAT-4257 Test Plan: - Create a tool with all permisisons - Note that the help text is changed and useful Change-Id: I23f50db5fad5d81565d64e8609d6a3da17f56321 Reviewed-on: https://gerrit.instructure.com/185851 Tested-by: Jenkins Reviewed-by: Weston Dransfield <wdransfield@instructure.com> QA-Review: Marc Phillips <mphillips@instructure.com> Product-Review: Jesse Poulos <jpoulos@instructure.com>
2019-03-19 07:52:51 +08:00
LTI_AGS_LINE_ITEM_SCOPE => I18n.t("Can create and view assignment data in the gradebook associated with the tool."),
Fixups to Manual ToolConfig Creation Add some changes to the Manual Configuration form for 1.3 tools. refs PLAT-4248 Test Plan: n/a Change-Id: I02d0321eb338ddda5dccd232ab024729abfdf88e Reviewed-on: https://gerrit.instructure.com/187168 Tested-by: Jenkins Reviewed-by: Weston Dransfield <wdransfield@instructure.com> QA-Review: Marc Phillips <mphillips@instructure.com> Product-Review: Marc Phillips <mphillips@instructure.com>
2019-03-28 04:10:59 +08:00
LTI_AGS_LINE_ITEM_READ_ONLY_SCOPE => I18n.t("Can view assignment data in the gradebook associated with the tool."),
Update wording for LTI Advantage messaging Wording is now more useful for admins to determine what permissions are being granted. closes PLAT-4257 Test Plan: - Create a tool with all permisisons - Note that the help text is changed and useful Change-Id: I23f50db5fad5d81565d64e8609d6a3da17f56321 Reviewed-on: https://gerrit.instructure.com/185851 Tested-by: Jenkins Reviewed-by: Weston Dransfield <wdransfield@instructure.com> QA-Review: Marc Phillips <mphillips@instructure.com> Product-Review: Jesse Poulos <jpoulos@instructure.com>
2019-03-19 07:52:51 +08:00
LTI_AGS_RESULT_READ_ONLY_SCOPE => I18n.t("Can view submission data for assignments associated with the tool."),
LTI_AGS_SCORE_SCOPE => I18n.t("Can create and update submission results for assignments associated with the tool."),
Create Developer Key update endpoint for public_jwk update fixes PLAT-4492 Test Plan -Create test tool -Use tool to create developer key in canvas -Change tool credential oauth_client_id to match client id from developer key -Go to http://lti13testtool.docker/developer_key/update_public_jwk/21 -Verify that public JWK was changed: Change-Id: Ic09a665d4ab14d3423b7e4b2a3a51296c0617981 Reviewed-on: https://gerrit.instructure.com/194447 Tested-by: Jenkins Reviewed-by: Weston Dransfield <wdransfield@instructure.com> QA-Review: Weston Dransfield <wdransfield@instructure.com> Product-Review: Jesse Poulos <jpoulos@instructure.com>
2019-05-18 01:46:07 +08:00
LTI_NRPS_V2_SCOPE => I18n.t("Can retrieve user data associated with the context the tool is installed in."),
Add DataServices LTI integration refs PLAT-4757 Test Plan: - tests pass Change-Id: I695ce7c88e47a38115e397d4e29eccd9171e7bf2 Reviewed-on: https://gerrit.instructure.com/206063 Tested-by: Jenkins Reviewed-by: Weston Dransfield <wdransfield@instructure.com> QA-Review: Weston Dransfield <wdransfield@instructure.com> Product-Review: Marc Phillips <mphillips@instructure.com>
2019-08-22 01:21:07 +08:00
LTI_UPDATE_PUBLIC_JWK_SCOPE => I18n.t("Can update public jwk for LTI services."),
Account lookup endpoint for CDC Event Transformer Endpoint needed by CDC Event Tranformer to look up UUIDs for root accounts it hasn't seen. closes PLAT-5515 flag=none Test plan: - get an LTI Advantage token for a site admin dev key with the new scope. This can be done by adding logging to the live-events-lti tool (I think in app/services/access_token_service.rb#16) or using my cdc-event-transformer test in CanvasClientTest.java and printing out cc.getToken(). - hit the new endpoint with header "Authorization: Bearer MYACCESSTOKEN" web.canvas-lms.docker/api/lti/accounts/123 with varying values of account ID, including global IDs, accounts that do not exist, global IDs where the shard does not exist... - ideally we'd like to test that a dev key only available for one shard cannot access account info for another shard. This could be done by creating two dev keys that have the same ID but are on different shards, and use a token for one dev key to try to access an account on the other shard. This is probably hard to do locally though. I did test on prod that DeveloperKey#account_binding_for will return nil for an account in another shard even if there is a dev key with the same local ID in the account's shard that has access to it. Change-Id: I1299ebce9b94ce00d7cb62db01891b81908915ff Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/229580 Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com> Reviewed-by: Weston Dransfield <wdransfield@instructure.com> QA-Review: Xander Moffatt <xmoffatt@instructure.com> Product-Review: Evan Battaglia <ebattaglia@instructure.com>
2020-03-11 07:11:46 +08:00
LTI_ACCOUNT_LOOKUP_SCOPE => I18n.t("Can lookup Account information"),
expose Progress API as an LTI endpoint closes INTEROP-6474 flag=none test plan: * in the lti-1.3-test-tool repo, check out these commits: * https://gerrit.instructure.com/c/lti-1.3-test-tool/+/259061 * https://gerrit.instructure.com/c/lti-1.3-test-tool/+/259062 * using the AGS UI of the test tool, * with an assignment that has a line item already * post a Score object using that API, and check the box to include a file content item * the returned json should include the file content item, and a progress url * using the id from the progress url, fetch a Progress object using the AGS UI, providing the same credential and context ids * (optional) enable InstFS locally and repeat the same process Change-Id: Ieacc71cd612acf2fdf5c7e72293135796928877e Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/259064 Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com> Reviewed-by: Wagner Goncalves <wagner.goncalves@instructure.com> QA-Review: Wagner Goncalves <wagner.goncalves@instructure.com> Product-Review: Xander Moffatt <xmoffatt@instructure.com>
2021-02-19 05:04:01 +08:00
LTI_AGS_SHOW_PROGRESS_SCOPE => I18n.t("Can view Progress records associated with the context the tool is installed in"),
add valid lti scopes to js env for dev key app * NOTE: does not contain any server-side validation of these scopes, just their definitions refs PLAT-3766 test plan: * load the developer keys page * open console, confirm `window.ENV.validLtiScopes` exists and contains the correct scopes from the ticket Change-Id: I376ce41bcfdfcc074ae3356956cae7b8dbffb1a5 Reviewed-on: https://gerrit.instructure.com/165945 Reviewed-by: Weston Dransfield <wdransfield@instructure.com> Tested-by: Jenkins Reviewed-by: Marc Alan Phillips <mphillips@instructure.com> QA-Review: Weston Dransfield <wdransfield@instructure.com> Product-Review: Xander Moffatt <xmoffatt@instructure.com>
2018-09-28 01:43:12 +08:00
}.freeze
expose Progress API as an LTI endpoint closes INTEROP-6474 flag=none test plan: * in the lti-1.3-test-tool repo, check out these commits: * https://gerrit.instructure.com/c/lti-1.3-test-tool/+/259061 * https://gerrit.instructure.com/c/lti-1.3-test-tool/+/259062 * using the AGS UI of the test tool, * with an assignment that has a line item already * post a Score object using that API, and check the box to include a file content item * the returned json should include the file content item, and a progress url * using the id from the progress url, fetch a Progress object using the AGS UI, providing the same credential and context ids * (optional) enable InstFS locally and repeat the same process Change-Id: Ieacc71cd612acf2fdf5c7e72293135796928877e Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/259064 Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com> Reviewed-by: Wagner Goncalves <wagner.goncalves@instructure.com> QA-Review: Wagner Goncalves <wagner.goncalves@instructure.com> Product-Review: Xander Moffatt <xmoffatt@instructure.com>
2021-02-19 05:04:01 +08:00
LTI_AGS_SCOPES = [
LTI_AGS_LINE_ITEM_SCOPE,
LTI_AGS_LINE_ITEM_READ_ONLY_SCOPE,
LTI_AGS_RESULT_READ_ONLY_SCOPE,
LTI_AGS_SCORE_SCOPE,
LTI_AGS_SHOW_PROGRESS_SCOPE
].freeze
feat(LTI): Adds LTI API endpoint for listing external tools Fixes: CAL-30 flag = none Test Plan: - Check developer keys LTI page and make sure HIDDEN items do not show up (http://canvas.docker/accounts/1/developer_keys#lti_key_modal_opened) under "LTI Advantage Services" - Specs pass Change-Id: I8408be58124ef7e57804b5a66fef791608701f7b Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/235629 Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com> QA-Review: Aaron Ogata <aogata@instructure.com> Product-Review: Alex Slaughter <aslaughter@instructure.com> Reviewed-by: Weston Dransfield <wdransfield@instructure.com>
2020-04-29 19:00:03 +08:00
LTI_HIDDEN_SCOPES = {
feat(LTI): Add LTI API show endpoint for external tools flag = none refs: CAL-23 Test Plan: - Specs pass Change-Id: Ia90f71640693fb6202ba62540d15be00717896bb Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/236650 Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com> QA-Review: Alex Slaughter <aslaughter@instructure.com> Product-Review: Alex Slaughter <aslaughter@instructure.com> Reviewed-by: Aaron Ogata <aogata@instructure.com>
2020-05-08 12:07:10 +08:00
LTI_CREATE_ACCOUNT_EXTERNAL_TOOLS_SCOPE => I18n.t("Can create external tools."),
feat(LTI): Adds LTI API endpoint for listing external tools Fixes: CAL-30 flag = none Test Plan: - Check developer keys LTI page and make sure HIDDEN items do not show up (http://canvas.docker/accounts/1/developer_keys#lti_key_modal_opened) under "LTI Advantage Services" - Specs pass Change-Id: I8408be58124ef7e57804b5a66fef791608701f7b Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/235629 Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com> QA-Review: Aaron Ogata <aogata@instructure.com> Product-Review: Alex Slaughter <aslaughter@instructure.com> Reviewed-by: Weston Dransfield <wdransfield@instructure.com>
2020-04-29 19:00:03 +08:00
LTI_DESTROY_ACCOUNT_EXTERNAL_TOOLS_SCOPE => I18n.t("Can destroy external tools."),
LTI_LIST_ACCOUNT_EXTERNAL_TOOLS_SCOPE => I18n.t("Can list external tools."),
LTI_SHOW_ACCOUNT_EXTERNAL_TOOLS_SCOPE => I18n.t("Can show external tools."),
LTI_UPDATE_ACCOUNT_EXTERNAL_TOOLS_SCOPE => I18n.t("Can update external tools."),
hide internal permissions from LTI Advantage Services section refs INTEROP-7575 flag=none -------------------------------------------------- Test plan -------------------------------------------------- * go to the Developer Keys page * click on "+ LTI Key" * find the "LTI Advantage Services" section * the Canvas Data Services permissions should not appear Change-Id: Ie6cf84a214e0fec019daaabb2cc8c1565f9305b6 Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/299644 Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com> Reviewed-by: Xander Moffatt <xmoffatt@instructure.com> QA-Review: Xander Moffatt <xmoffatt@instructure.com> Product-Review: Alexis Nast <alexis.nast@instructure.com>
2022-08-26 00:54:59 +08:00
LTI_CREATE_DATA_SERVICE_SUBSCRIPTION_SCOPE => I18n.t("Can create subscription to data service data."),
LTI_SHOW_DATA_SERVICE_SUBSCRIPTION_SCOPE => I18n.t("Can show subscription to data service data."),
LTI_UPDATE_DATA_SERVICE_SUBSCRIPTION_SCOPE => I18n.t("Can update subscription to data service data."),
LTI_LIST_DATA_SERVICE_SUBSCRIPTION_SCOPE => I18n.t("Can list subscriptions to data service data."),
LTI_DESTROY_DATA_SERVICE_SUBSCRIPTION_SCOPE => I18n.t("Can destroy subscription to data service data."),
LTI_LIST_EVENT_TYPES_DATA_SERVICE_SUBSCRIPTION_SCOPE => I18n.t("Can list categorized event types."),
LTI_SHOW_FEATURE_FLAG_SCOPE => I18n.t("Can view feature flags"),
feat(LTI): Adds LTI API endpoint for listing external tools Fixes: CAL-30 flag = none Test Plan: - Check developer keys LTI page and make sure HIDDEN items do not show up (http://canvas.docker/accounts/1/developer_keys#lti_key_modal_opened) under "LTI Advantage Services" - Specs pass Change-Id: I8408be58124ef7e57804b5a66fef791608701f7b Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/235629 Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com> QA-Review: Aaron Ogata <aogata@instructure.com> Product-Review: Alex Slaughter <aslaughter@instructure.com> Reviewed-by: Weston Dransfield <wdransfield@instructure.com>
2020-04-29 19:00:03 +08:00
}.freeze
refactor scopes api endpoint to allow grouping refs PLAT-3024 test plan: * request the scopes from api/v1/accounts/:account_id/scopes - you should get back a json object that matches the documentation * request the scopes from api/v1/accounts/:account_id/scopes passing the query param "group_by=resources" - you should get back a json object with the scopes grouped by resource Change-Id: I4562121a44e3baccc7de8e56e19629377f1931df Reviewed-on: https://gerrit.instructure.com/148623 Reviewed-by: Marc Alan Phillips <mphillips@instructure.com> Tested-by: Jenkins Reviewed-by: Andrew Butterfield <abutterfield@instructure.com> QA-Review: August Thornton <august@instructure.com> Product-Review: Nathan Mills <nathanm@instructure.com>
2018-05-01 03:02:37 +08:00
Add API Token Scope Docs Closes PLAT-3394 Test Plan: - Run the `doc:api` rake task - Navigate to /doc/api/index.html and verify there are two new links in the OAuth2 section ("Developer Keys" and "API Token Scopes") - Verify both links work - Verify the token scopes documentation has a table for each scope group and includes all Canvas scopes - Verify "Resources" documentation pages now display the scope along with each API endpoint Change-Id: I2fea0ff531744dbaf63d24619b3c0e9655a25a7a Reviewed-on: https://gerrit.instructure.com/151010 QA-Review: August Thornton <august@instructure.com> Reviewed-by: Nathan Mills <nathanm@instructure.com> Tested-by: Jenkins Product-Review: Jesse Poulos <jpoulos@instructure.com>
2018-05-22 00:03:24 +08:00
def self.named_scopes
use class methods instead of consts for api scopes fixes PLAT-3454 test plan: * you can either test in production RAILS_ENV or turn on eager_loading and disable class_cache in development * The scopes list in the developer keys page should show all expected scopes Change-Id: I4018cdd8d4f08d32f549cfab5f4a135c2144c403 Reviewed-on: https://gerrit.instructure.com/152398 Tested-by: Jenkins Reviewed-by: Weston Dransfield <wdransfield@instructure.com> QA-Review: Weston Dransfield <wdransfield@instructure.com> Product-Review: Karl Lloyd <karl@instructure.com>
2018-06-05 01:29:40 +08:00
return @_named_scopes if @_named_scopes
RuboCop: Layout lib Change-Id: I0655d9a9d750f2debd6378b03d8ddc1403ebc31b Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/274158 Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com> Reviewed-by: Simon Williams <simon@instructure.com> QA-Review: Cody Cutrer <cody@instructure.com> Product-Review: Cody Cutrer <cody@instructure.com>
2021-09-23 00:25:11 +08:00
use class methods instead of consts for api scopes fixes PLAT-3454 test plan: * you can either test in production RAILS_ENV or turn on eager_loading and disable class_cache in development * The scopes list in the developer keys page should show all expected scopes Change-Id: I4018cdd8d4f08d32f549cfab5f4a135c2144c403 Reviewed-on: https://gerrit.instructure.com/152398 Tested-by: Jenkins Reviewed-by: Weston Dransfield <wdransfield@instructure.com> QA-Review: Weston Dransfield <wdransfield@instructure.com> Product-Review: Karl Lloyd <karl@instructure.com>
2018-06-05 01:29:40 +08:00
named_scopes = detailed_scopes.each_with_object([]) do |frozen_scope, arr|
Add API Token Scope Docs Closes PLAT-3394 Test Plan: - Run the `doc:api` rake task - Navigate to /doc/api/index.html and verify there are two new links in the OAuth2 section ("Developer Keys" and "API Token Scopes") - Verify both links work - Verify the token scopes documentation has a table for each scope group and includes all Canvas scopes - Verify "Resources" documentation pages now display the scope along with each API endpoint Change-Id: I2fea0ff531744dbaf63d24619b3c0e9655a25a7a Reviewed-on: https://gerrit.instructure.com/151010 QA-Review: August Thornton <august@instructure.com> Reviewed-by: Nathan Mills <nathanm@instructure.com> Tested-by: Jenkins Product-Review: Jesse Poulos <jpoulos@instructure.com>
2018-05-22 00:03:24 +08:00
scope = frozen_scope.dup
Fix flakey spec fixes INTEROP-7144 flag=none Test plan - Specs pass Change-Id: Ieaa24657e8c86aa172ec099f07d0f7b5538c1a75 Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/277300 Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com> Reviewed-by: Cody Cutrer <cody@instructure.com> QA-Review: Mysti Lilla <mysti@instructure.com> Product-Review: Mysti Lilla <mysti@instructure.com>
2021-11-03 06:12:29 +08:00
scope[:resource] ||= ApiScopeMapper.lookup_resource(scope[:controller], scope[:action])
scope[:resource_name] = ApiScopeMapper.name_for_resource(scope[:resource])
Add API Token Scope Docs Closes PLAT-3394 Test Plan: - Run the `doc:api` rake task - Navigate to /doc/api/index.html and verify there are two new links in the OAuth2 section ("Developer Keys" and "API Token Scopes") - Verify both links work - Verify the token scopes documentation has a table for each scope group and includes all Canvas scopes - Verify "Resources" documentation pages now display the scope along with each API endpoint Change-Id: I2fea0ff531744dbaf63d24619b3c0e9655a25a7a Reviewed-on: https://gerrit.instructure.com/151010 QA-Review: August Thornton <august@instructure.com> Reviewed-by: Nathan Mills <nathanm@instructure.com> Tested-by: Jenkins Product-Review: Jesse Poulos <jpoulos@instructure.com>
2018-05-22 00:03:24 +08:00
arr << scope if scope[:resource_name]
scope
end
use class methods instead of consts for api scopes fixes PLAT-3454 test plan: * you can either test in production RAILS_ENV or turn on eager_loading and disable class_cache in development * The scopes list in the developer keys page should show all expected scopes Change-Id: I4018cdd8d4f08d32f549cfab5f4a135c2144c403 Reviewed-on: https://gerrit.instructure.com/152398 Tested-by: Jenkins Reviewed-by: Weston Dransfield <wdransfield@instructure.com> QA-Review: Weston Dransfield <wdransfield@instructure.com> Product-Review: Karl Lloyd <karl@instructure.com>
2018-06-05 01:29:40 +08:00
@_named_scopes = Canvas::ICU.collate_by(named_scopes) { |s| s[:resource_name] }.freeze
Add API Token Scope Docs Closes PLAT-3394 Test Plan: - Run the `doc:api` rake task - Navigate to /doc/api/index.html and verify there are two new links in the OAuth2 section ("Developer Keys" and "API Token Scopes") - Verify both links work - Verify the token scopes documentation has a table for each scope group and includes all Canvas scopes - Verify "Resources" documentation pages now display the scope along with each API endpoint Change-Id: I2fea0ff531744dbaf63d24619b3c0e9655a25a7a Reviewed-on: https://gerrit.instructure.com/151010 QA-Review: August Thornton <august@instructure.com> Reviewed-by: Nathan Mills <nathanm@instructure.com> Tested-by: Jenkins Product-Review: Jesse Poulos <jpoulos@instructure.com>
2018-05-22 00:03:24 +08:00
end
use class methods instead of consts for api scopes fixes PLAT-3454 test plan: * you can either test in production RAILS_ENV or turn on eager_loading and disable class_cache in development * The scopes list in the developer keys page should show all expected scopes Change-Id: I4018cdd8d4f08d32f549cfab5f4a135c2144c403 Reviewed-on: https://gerrit.instructure.com/152398 Tested-by: Jenkins Reviewed-by: Weston Dransfield <wdransfield@instructure.com> QA-Review: Weston Dransfield <wdransfield@instructure.com> Product-Review: Karl Lloyd <karl@instructure.com>
2018-06-05 01:29:40 +08:00
def self.all_scopes
RuboCop: Rails/Pluck [skip-stages=Flakey] auto-corrected Change-Id: Iaad8a0eeece0bb57dae8f274ce4b98766b6f0261 Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/278362 Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com> Reviewed-by: Jacob Burroughs <jburroughs@instructure.com> QA-Review: Cody Cutrer <cody@instructure.com> Product-Review: Cody Cutrer <cody@instructure.com>
2021-11-16 06:57:07 +08:00
@_all_scopes ||= [USER_INFO_SCOPE[:scope], CD2_SCOPE[:scope], *api_routes.pluck(:scope), *LTI_SCOPES.keys, *LTI_HIDDEN_SCOPES.keys].freeze
use class methods instead of consts for api scopes fixes PLAT-3454 test plan: * you can either test in production RAILS_ENV or turn on eager_loading and disable class_cache in development * The scopes list in the developer keys page should show all expected scopes Change-Id: I4018cdd8d4f08d32f549cfab5f4a135c2144c403 Reviewed-on: https://gerrit.instructure.com/152398 Tested-by: Jenkins Reviewed-by: Weston Dransfield <wdransfield@instructure.com> QA-Review: Weston Dransfield <wdransfield@instructure.com> Product-Review: Karl Lloyd <karl@instructure.com>
2018-06-05 01:29:40 +08:00
end
def self.detailed_scopes
extend client_credentials oauth2 grants for CD2 refs SAS-1540 * adds an audience setting to developer keys, so a key can be set to target external audiences with its credentials grants * when a key with an external audience grants credentials, the token is signed with an asymmetric key instead of the internal symmetric key * external audiences can retrieve the corresponding public keys from /login/oauth2/jwks * credentials issued by developer keys with an account id include the account's guid in a custom claim includes a refactor of key storage and rotation in consul, which had already been done for LTI. but it wasn't really a feature of lti, just something used by LTI, and we needed the same for key management for this. moved it to be part of Canvas::Security Change-Id: Ie5c0fcee6fc21687f31c109389a3bcc1ed349c5d Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/243606 QA-Review: Jonathan Featherstone <jfeatherstone@instructure.com> Reviewed-by: Jonathan Featherstone <jfeatherstone@instructure.com> Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com> Product-Review: Jacob Fugal <jacob@instructure.com>
2020-07-17 03:36:03 +08:00
@_detailed_scopes ||= [USER_INFO_SCOPE, CD2_SCOPE, *api_routes].freeze
use class methods instead of consts for api scopes fixes PLAT-3454 test plan: * you can either test in production RAILS_ENV or turn on eager_loading and disable class_cache in development * The scopes list in the developer keys page should show all expected scopes Change-Id: I4018cdd8d4f08d32f549cfab5f4a135c2144c403 Reviewed-on: https://gerrit.instructure.com/152398 Tested-by: Jenkins Reviewed-by: Weston Dransfield <wdransfield@instructure.com> QA-Review: Weston Dransfield <wdransfield@instructure.com> Product-Review: Karl Lloyd <karl@instructure.com>
2018-06-05 01:29:40 +08:00
end
private_class_method :detailed_scopes
refactor scopes api endpoint to allow grouping refs PLAT-3024 test plan: * request the scopes from api/v1/accounts/:account_id/scopes - you should get back a json object that matches the documentation * request the scopes from api/v1/accounts/:account_id/scopes passing the query param "group_by=resources" - you should get back a json object with the scopes grouped by resource Change-Id: I4562121a44e3baccc7de8e56e19629377f1931df Reviewed-on: https://gerrit.instructure.com/148623 Reviewed-by: Marc Alan Phillips <mphillips@instructure.com> Tested-by: Jenkins Reviewed-by: Andrew Butterfield <abutterfield@instructure.com> QA-Review: August Thornton <august@instructure.com> Product-Review: Nathan Mills <nathanm@instructure.com>
2018-05-01 03:02:37 +08:00
def self.api_routes
use class methods instead of consts for api scopes fixes PLAT-3454 test plan: * you can either test in production RAILS_ENV or turn on eager_loading and disable class_cache in development * The scopes list in the developer keys page should show all expected scopes Change-Id: I4018cdd8d4f08d32f549cfab5f4a135c2144c403 Reviewed-on: https://gerrit.instructure.com/152398 Tested-by: Jenkins Reviewed-by: Weston Dransfield <wdransfield@instructure.com> QA-Review: Weston Dransfield <wdransfield@instructure.com> Product-Review: Karl Lloyd <karl@instructure.com>
2018-06-05 01:29:40 +08:00
return @_api_routes if @_api_routes
RuboCop: Layout lib Change-Id: I0655d9a9d750f2debd6378b03d8ddc1403ebc31b Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/274158 Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com> Reviewed-by: Simon Williams <simon@instructure.com> QA-Review: Cody Cutrer <cody@instructure.com> Product-Review: Cody Cutrer <cody@instructure.com>
2021-09-23 00:25:11 +08:00
use class methods instead of consts for api scopes fixes PLAT-3454 test plan: * you can either test in production RAILS_ENV or turn on eager_loading and disable class_cache in development * The scopes list in the developer keys page should show all expected scopes Change-Id: I4018cdd8d4f08d32f549cfab5f4a135c2144c403 Reviewed-on: https://gerrit.instructure.com/152398 Tested-by: Jenkins Reviewed-by: Weston Dransfield <wdransfield@instructure.com> QA-Review: Weston Dransfield <wdransfield@instructure.com> Product-Review: Karl Lloyd <karl@instructure.com>
2018-06-05 01:29:40 +08:00
routes = Rails.application.routes.routes.select { |route| %r{^/api/(v1|sis)} =~ route.path.spec.to_s }.map do |route|
refactor scopes api endpoint to allow grouping refs PLAT-3024 test plan: * request the scopes from api/v1/accounts/:account_id/scopes - you should get back a json object that matches the documentation * request the scopes from api/v1/accounts/:account_id/scopes passing the query param "group_by=resources" - you should get back a json object with the scopes grouped by resource Change-Id: I4562121a44e3baccc7de8e56e19629377f1931df Reviewed-on: https://gerrit.instructure.com/148623 Reviewed-by: Marc Alan Phillips <mphillips@instructure.com> Tested-by: Jenkins Reviewed-by: Andrew Butterfield <abutterfield@instructure.com> QA-Review: August Thornton <august@instructure.com> Product-Review: Nathan Mills <nathanm@instructure.com>
2018-05-01 03:02:37 +08:00
{
add lookup class for scope resource names fixes PLAT-3311 test plan: * run the rake task "doc:api" * request the scopes from api/v1/accounts/:account_id/scopes - you should get back a json object that includes the localized name * request the scopes from api/v1/accounts/:account_id/scopes passing the query param "group_by=resources_name" - you should get back a json object with the scopes grouped by localized resource_name Change-Id: I2cab1822baef7cdda6471096153d60d4f7fe1e2b Reviewed-on: https://gerrit.instructure.com/150233 Tested-by: Jenkins Reviewed-by: Marc Alan Phillips <mphillips@instructure.com> QA-Review: August Thornton <august@instructure.com> Product-Review: Jesse Poulos <jpoulos@instructure.com>
2018-05-15 05:32:44 +08:00
controller: route.defaults[:controller]&.to_sym,
action: route.defaults[:action]&.to_sym,
refactor scopes api endpoint to allow grouping refs PLAT-3024 test plan: * request the scopes from api/v1/accounts/:account_id/scopes - you should get back a json object that matches the documentation * request the scopes from api/v1/accounts/:account_id/scopes passing the query param "group_by=resources" - you should get back a json object with the scopes grouped by resource Change-Id: I4562121a44e3baccc7de8e56e19629377f1931df Reviewed-on: https://gerrit.instructure.com/148623 Reviewed-by: Marc Alan Phillips <mphillips@instructure.com> Tested-by: Jenkins Reviewed-by: Andrew Butterfield <abutterfield@instructure.com> QA-Review: August Thornton <august@instructure.com> Product-Review: Nathan Mills <nathanm@instructure.com>
2018-05-01 03:02:37 +08:00
verb: route.verb,
Fail a test on route changes used by dev keys If a developer key is given a scope (meaning that it only works on some API endpoints), and then the route for one of those endpoints is changed, this causes a problem for the developer key. So, we want to prevent that. This will force that change to be more intentional. flag=none refs INTEROP-7476 Change-Id: I4bbf2509112f375354cdde56a6e3ab46b77f239e Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/283706 Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com> Reviewed-by: Evan Battaglia <ebattaglia@instructure.com> QA-Review: Evan Battaglia <ebattaglia@instructure.com> Product-Review: Tucker Mcknight <tmcknight@instructure.com>
2022-01-27 10:21:21 +08:00
path: TokenScopesHelper.path_without_format(route),
Add API Token Scope Docs Closes PLAT-3394 Test Plan: - Run the `doc:api` rake task - Navigate to /doc/api/index.html and verify there are two new links in the OAuth2 section ("Developer Keys" and "API Token Scopes") - Verify both links work - Verify the token scopes documentation has a table for each scope group and includes all Canvas scopes - Verify "Resources" documentation pages now display the scope along with each API endpoint Change-Id: I2fea0ff531744dbaf63d24619b3c0e9655a25a7a Reviewed-on: https://gerrit.instructure.com/151010 QA-Review: August Thornton <august@instructure.com> Reviewed-by: Nathan Mills <nathanm@instructure.com> Tested-by: Jenkins Product-Review: Jesse Poulos <jpoulos@instructure.com>
2018-05-22 00:03:24 +08:00
scope: TokenScopesHelper.scope_from_route(route).freeze,
refactor scopes api endpoint to allow grouping refs PLAT-3024 test plan: * request the scopes from api/v1/accounts/:account_id/scopes - you should get back a json object that matches the documentation * request the scopes from api/v1/accounts/:account_id/scopes passing the query param "group_by=resources" - you should get back a json object with the scopes grouped by resource Change-Id: I4562121a44e3baccc7de8e56e19629377f1931df Reviewed-on: https://gerrit.instructure.com/148623 Reviewed-by: Marc Alan Phillips <mphillips@instructure.com> Tested-by: Jenkins Reviewed-by: Andrew Butterfield <abutterfield@instructure.com> QA-Review: August Thornton <august@instructure.com> Product-Review: Nathan Mills <nathanm@instructure.com>
2018-05-01 03:02:37 +08:00
}
end
use class methods instead of consts for api scopes fixes PLAT-3454 test plan: * you can either test in production RAILS_ENV or turn on eager_loading and disable class_cache in development * The scopes list in the developer keys page should show all expected scopes Change-Id: I4018cdd8d4f08d32f549cfab5f4a135c2144c403 Reviewed-on: https://gerrit.instructure.com/152398 Tested-by: Jenkins Reviewed-by: Weston Dransfield <wdransfield@instructure.com> QA-Review: Weston Dransfield <wdransfield@instructure.com> Product-Review: Karl Lloyd <karl@instructure.com>
2018-06-05 01:29:40 +08:00
@_api_routes = routes.uniq { |route| route[:scope] }.freeze
Add route scope enforcement to application controller fixes PLAT-3176 fixes PLAT-3179 fixes PLAT-3181 fixes PLAT-3177 Test plan: * Create a DeveloperKey * Create an AccessToken * Ensure that everything can be accessed as normal * Set require_scopes to true on the DeveloperKey * Ensure that nothing can be accessed * Add some scopes to the AccessToken from the list of available scopes TokenScopes::SCOPES * Ensure that the endpoints associated with those requests work but that others don't * Ensure that HEAD requests work for GET endpoints * Ensure all api endpoints behave normally when scopes are not turned on for developer key Change-Id: I0e7c1758ae2d51743490f243cfa21714255c8109 Reviewed-on: https://gerrit.instructure.com/143026 Tested-by: Jenkins Reviewed-by: Simon Williams <simon@instructure.com> Reviewed-by: Nathan Mills <nathanm@instructure.com> QA-Review: August Thornton <august@instructure.com> Reviewed-by: Rob Orton <rob@instructure.com> Product-Review: Karl Lloyd <karl@instructure.com>
2018-03-09 04:46:40 +08:00
end
remove need for api_scope_mapper.rb to be committed refs DE-362 Change-Id: I222120ad51421fa690c053d9c06a5ef0642f2c5b Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/252033 Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com> Reviewed-by: James Butters <jbutters@instructure.com> QA-Review: Aaron Ogata <aogata@instructure.com> Product-Review: Aaron Ogata <aogata@instructure.com>
2020-11-06 05:49:40 +08:00
def self.reset!
@_api_routes = nil
@_all_scopes = nil
@_detailed_scopes = nil
@_named_scopes = nil
end
Add route scope enforcement to application controller fixes PLAT-3176 fixes PLAT-3179 fixes PLAT-3181 fixes PLAT-3177 Test plan: * Create a DeveloperKey * Create an AccessToken * Ensure that everything can be accessed as normal * Set require_scopes to true on the DeveloperKey * Ensure that nothing can be accessed * Add some scopes to the AccessToken from the list of available scopes TokenScopes::SCOPES * Ensure that the endpoints associated with those requests work but that others don't * Ensure that HEAD requests work for GET endpoints * Ensure all api endpoints behave normally when scopes are not turned on for developer key Change-Id: I0e7c1758ae2d51743490f243cfa21714255c8109 Reviewed-on: https://gerrit.instructure.com/143026 Tested-by: Jenkins Reviewed-by: Simon Williams <simon@instructure.com> Reviewed-by: Nathan Mills <nathanm@instructure.com> QA-Review: August Thornton <august@instructure.com> Reviewed-by: Rob Orton <rob@instructure.com> Product-Review: Karl Lloyd <karl@instructure.com>
2018-03-09 04:46:40 +08:00
end