ylqjgm
/
canvas-lms
mirror of https://github.com/instructure/canvas-lms.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
canvas-lms/lib/token_scopes.rb

85 lines
4.3 KiB
Ruby
Raw Normal View History

Add route scope enforcement to application controller fixes PLAT-3176 fixes PLAT-3179 fixes PLAT-3181 fixes PLAT-3177 Test plan: * Create a DeveloperKey * Create an AccessToken * Ensure that everything can be accessed as normal * Set require_scopes to true on the DeveloperKey * Ensure that nothing can be accessed * Add some scopes to the AccessToken from the list of available scopes TokenScopes::SCOPES * Ensure that the endpoints associated with those requests work but that others don't * Ensure that HEAD requests work for GET endpoints * Ensure all api endpoints behave normally when scopes are not turned on for developer key Change-Id: I0e7c1758ae2d51743490f243cfa21714255c8109 Reviewed-on: https://gerrit.instructure.com/143026 Tested-by: Jenkins Reviewed-by: Simon Williams <simon@instructure.com> Reviewed-by: Nathan Mills <nathanm@instructure.com> QA-Review: August Thornton <august@instructure.com> Reviewed-by: Rob Orton <rob@instructure.com> Product-Review: Karl Lloyd <karl@instructure.com>
2018-03-09 04:46:40 +08:00
#
# Copyright (C) 2018 - present Instructure, Inc.
#
# This file is part of Canvas.
#
# Canvas is free software: you can redistribute it and/or modify it under
# the terms of the GNU Affero General Public License as published by the Free
# Software Foundation, version 3 of the License.
#
# Canvas is distributed in the hope that it will be useful, but WITHOUT ANY
# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR
# A PARTICULAR PURPOSE. See the GNU Affero General Public License for more
# details.
#
# You should have received a copy of the GNU Affero General Public License along
# with this program. If not, see <http://www.gnu.org/licenses/>.
#
class TokenScopes
refactor scopes api endpoint to allow grouping refs PLAT-3024 test plan: * request the scopes from api/v1/accounts/:account_id/scopes - you should get back a json object that matches the documentation * request the scopes from api/v1/accounts/:account_id/scopes passing the query param "group_by=resources" - you should get back a json object with the scopes grouped by resource Change-Id: I4562121a44e3baccc7de8e56e19629377f1931df Reviewed-on: https://gerrit.instructure.com/148623 Reviewed-by: Marc Alan Phillips <mphillips@instructure.com> Tested-by: Jenkins Reviewed-by: Andrew Butterfield <abutterfield@instructure.com> QA-Review: August Thornton <august@instructure.com> Product-Review: Nathan Mills <nathanm@instructure.com>
2018-05-01 03:02:37 +08:00
OAUTH2_SCOPE_NAMESPACE = '/auth/'.freeze
USER_INFO_SCOPE = {
add lookup class for scope resource names fixes PLAT-3311 test plan: * run the rake task "doc:api" * request the scopes from api/v1/accounts/:account_id/scopes - you should get back a json object that includes the localized name * request the scopes from api/v1/accounts/:account_id/scopes passing the query param "group_by=resources_name" - you should get back a json object with the scopes grouped by localized resource_name Change-Id: I2cab1822baef7cdda6471096153d60d4f7fe1e2b Reviewed-on: https://gerrit.instructure.com/150233 Tested-by: Jenkins Reviewed-by: Marc Alan Phillips <mphillips@instructure.com> QA-Review: August Thornton <august@instructure.com> Product-Review: Jesse Poulos <jpoulos@instructure.com>
2018-05-15 05:32:44 +08:00
resource: :oauth2,
refactor scopes api endpoint to allow grouping refs PLAT-3024 test plan: * request the scopes from api/v1/accounts/:account_id/scopes - you should get back a json object that matches the documentation * request the scopes from api/v1/accounts/:account_id/scopes passing the query param "group_by=resources" - you should get back a json object with the scopes grouped by resource Change-Id: I4562121a44e3baccc7de8e56e19629377f1931df Reviewed-on: https://gerrit.instructure.com/148623 Reviewed-by: Marc Alan Phillips <mphillips@instructure.com> Tested-by: Jenkins Reviewed-by: Andrew Butterfield <abutterfield@instructure.com> QA-Review: August Thornton <august@instructure.com> Product-Review: Nathan Mills <nathanm@instructure.com>
2018-05-01 03:02:37 +08:00
verb: "GET",
scope: "#{OAUTH2_SCOPE_NAMESPACE}userinfo"
}.freeze
Enforce Tool-Course visibility rules in NRPS V2 calls - NRPS v2 invocations referencing a `Course` Context now attempt to resolve a `ContextExternalTool` (CET) given the JWT `AccessToken` attached to the request. In order to return memberships, that CET must be active and must either be bound directly to the `Course` or to an `Account` in the `Course`'s' `Account` chain. - `AccessToken` must be associated with an active `DeveloperKey` (DK), and the search for the "operative" CET for the current request is executed against that DK's list of active CETs. - `Course`-level CETs are preferred, followed by `Account`-level CETs. - LTI 1.3/Advantage features must be turned on at the CET and root `Account` levels. - The `AccessToken`'s'JWT signature and security claims are not themselves validated... that comes later. - `Group` Context support also comes later. Closes LTIA-26 Test Plan: - Via Rails console create a `DeveloperKey` associated with the public key of a Tool configured in the IMS LTI 1.3/Advantage Reference Implementation (RI) and the root `Account` in your env - Via Rails console, create a LTI 1.3-enabled `ContextExternalTool` with a `course_navigation` placement and linked to the just-created `DeveloperKey` and its `Account` - For a `Course` owned by this `Account`, verify that direct invocations of the NRPS v2 API. (`GET /api/lti/courses/:course_id/names_and_roles`) fail with a 401 and a message complaining about a missing access token. - Navigate to the `Course` and click the newly created nav link, which should successfully launch the RI. - Click the 'Request Names and Roles' link in the RI. Verify course is reported in the NRPS v2 format. - Deactivate the `DeveloperKey`. Click 'Request Names and Roles' link in the RI. Verify a (non-descript) on-screen error message. - Re-enable the `DeveloperKey` and re-verify the same behavior for a `Course` associated with a sub-`Account`. - Delete the CET, verify that NRPS v2 invocations from the RI fail. - Via Rails console, create a new CET linked to the same `DeveloperKey`, but now attached to the sub-`Account` `Course`. - Re-verify NRPS v2 invocation from the RI. - *Consult JIRA for full acceptance criteria. Change-Id: Ie9625ea8d6ce5e6f59e3c7ce1d10d0a47291afa4 Reviewed-on: https://gerrit.instructure.com/167183 Tested-by: Jenkins QA-Review: Samuel Barney <sbarney@instructure.com> Reviewed-by: Marc Phillips <mphillips@instructure.com> Product-Review: Karl Lloyd <karl@instructure.com>
2018-10-03 11:23:45 +08:00
LTI_AGS_LINE_ITEM_SCOPE = "https://purl.imsglobal.org/spec/lti-ags/scope/lineitem".freeze
LTI_AGS_LINE_ITEM_READ_ONLY_SCOPE = "https://purl.imsglobal.org/spec/lti-ags/scope/lineitem.readonly".freeze
LTI_AGS_RESULT_READ_ONLY_SCOPE = "https://purl.imsglobal.org/spec/lti-ags/scope/result.readonly".freeze
LTI_AGS_SCORE_SCOPE = "https://purl.imsglobal.org/spec/lti-ags/scope/score".freeze
LTI_NRPS_V2_SCOPE = "https://purl.imsglobal.org/spec/lti-nrps/scope/contextmembership.readonly".freeze
Create Developer Key update endpoint for public_jwk update fixes PLAT-4492 Test Plan -Create test tool -Use tool to create developer key in canvas -Change tool credential oauth_client_id to match client id from developer key -Go to http://lti13testtool.docker/developer_key/update_public_jwk/21 -Verify that public JWK was changed: Change-Id: Ic09a665d4ab14d3423b7e4b2a3a51296c0617981 Reviewed-on: https://gerrit.instructure.com/194447 Tested-by: Jenkins Reviewed-by: Weston Dransfield <wdransfield@instructure.com> QA-Review: Weston Dransfield <wdransfield@instructure.com> Product-Review: Jesse Poulos <jpoulos@instructure.com>
2019-05-18 01:46:07 +08:00
LTI_UPDATE_PUBLIC_JWK_SCOPE = "https://canvas.instructure.com/lti/public_jwk/scope/update".freeze
Add DataServices LTI integration refs PLAT-4757 Test Plan: - tests pass Change-Id: I695ce7c88e47a38115e397d4e29eccd9171e7bf2 Reviewed-on: https://gerrit.instructure.com/206063 Tested-by: Jenkins Reviewed-by: Weston Dransfield <wdransfield@instructure.com> QA-Review: Weston Dransfield <wdransfield@instructure.com> Product-Review: Marc Phillips <mphillips@instructure.com>
2019-08-22 01:21:07 +08:00
LTI_CREATE_DATA_SERVICE_SUBSCRIPTION_SCOPE = "https://canvas.instructure.com/lti/data_services/scope/create".freeze
Add subscription show to LTI DataServices closes PLAT-4761 Test Plan: - see that a call to this endpoint will show a sub Change-Id: Ifc299aebe5cfbadaf82a1970f75ad182ffa31b29 Reviewed-on: https://gerrit.instructure.com/206489 Reviewed-by: Xander Moffatt <xmoffatt@instructure.com> Tested-by: Jenkins QA-Review: Marc Phillips <mphillips@instructure.com> Product-Review: Marc Phillips <mphillips@instructure.com>
2019-08-24 00:37:12 +08:00
LTI_SHOW_DATA_SERVICE_SUBSCRIPTION_SCOPE = "https://canvas.instructure.com/lti/data_services/scope/show".freeze
Add update to LTI Data Services closes PLAT-4763 Test Plan: it updates the subscription Change-Id: I80289d2bea6c88b70726718cec7b9087e4879aa9 Reviewed-on: https://gerrit.instructure.com/206505 Reviewed-by: Xander Moffatt <xmoffatt@instructure.com> Tested-by: Jenkins QA-Review: Marc Phillips <mphillips@instructure.com> Product-Review: Marc Phillips <mphillips@instructure.com>
2019-08-24 01:18:18 +08:00
LTI_UPDATE_DATA_SERVICE_SUBSCRIPTION_SCOPE = "https://canvas.instructure.com/lti/data_services/scope/update".freeze
add valid lti scopes to js env for dev key app * NOTE: does not contain any server-side validation of these scopes, just their definitions refs PLAT-3766 test plan: * load the developer keys page * open console, confirm `window.ENV.validLtiScopes` exists and contains the correct scopes from the ticket Change-Id: I376ce41bcfdfcc074ae3356956cae7b8dbffb1a5 Reviewed-on: https://gerrit.instructure.com/165945 Reviewed-by: Weston Dransfield <wdransfield@instructure.com> Tested-by: Jenkins Reviewed-by: Marc Alan Phillips <mphillips@instructure.com> QA-Review: Weston Dransfield <wdransfield@instructure.com> Product-Review: Xander Moffatt <xmoffatt@instructure.com>
2018-09-28 01:43:12 +08:00
LTI_SCOPES = {
Update wording for LTI Advantage messaging Wording is now more useful for admins to determine what permissions are being granted. closes PLAT-4257 Test Plan: - Create a tool with all permisisons - Note that the help text is changed and useful Change-Id: I23f50db5fad5d81565d64e8609d6a3da17f56321 Reviewed-on: https://gerrit.instructure.com/185851 Tested-by: Jenkins Reviewed-by: Weston Dransfield <wdransfield@instructure.com> QA-Review: Marc Phillips <mphillips@instructure.com> Product-Review: Jesse Poulos <jpoulos@instructure.com>
2019-03-19 07:52:51 +08:00
LTI_AGS_LINE_ITEM_SCOPE => I18n.t("Can create and view assignment data in the gradebook associated with the tool."),
Fixups to Manual ToolConfig Creation Add some changes to the Manual Configuration form for 1.3 tools. refs PLAT-4248 Test Plan: n/a Change-Id: I02d0321eb338ddda5dccd232ab024729abfdf88e Reviewed-on: https://gerrit.instructure.com/187168 Tested-by: Jenkins Reviewed-by: Weston Dransfield <wdransfield@instructure.com> QA-Review: Marc Phillips <mphillips@instructure.com> Product-Review: Marc Phillips <mphillips@instructure.com>
2019-03-28 04:10:59 +08:00
LTI_AGS_LINE_ITEM_READ_ONLY_SCOPE => I18n.t("Can view assignment data in the gradebook associated with the tool."),
Update wording for LTI Advantage messaging Wording is now more useful for admins to determine what permissions are being granted. closes PLAT-4257 Test Plan: - Create a tool with all permisisons - Note that the help text is changed and useful Change-Id: I23f50db5fad5d81565d64e8609d6a3da17f56321 Reviewed-on: https://gerrit.instructure.com/185851 Tested-by: Jenkins Reviewed-by: Weston Dransfield <wdransfield@instructure.com> QA-Review: Marc Phillips <mphillips@instructure.com> Product-Review: Jesse Poulos <jpoulos@instructure.com>
2019-03-19 07:52:51 +08:00
LTI_AGS_RESULT_READ_ONLY_SCOPE => I18n.t("Can view submission data for assignments associated with the tool."),
LTI_AGS_SCORE_SCOPE => I18n.t("Can create and update submission results for assignments associated with the tool."),
Create Developer Key update endpoint for public_jwk update fixes PLAT-4492 Test Plan -Create test tool -Use tool to create developer key in canvas -Change tool credential oauth_client_id to match client id from developer key -Go to http://lti13testtool.docker/developer_key/update_public_jwk/21 -Verify that public JWK was changed: Change-Id: Ic09a665d4ab14d3423b7e4b2a3a51296c0617981 Reviewed-on: https://gerrit.instructure.com/194447 Tested-by: Jenkins Reviewed-by: Weston Dransfield <wdransfield@instructure.com> QA-Review: Weston Dransfield <wdransfield@instructure.com> Product-Review: Jesse Poulos <jpoulos@instructure.com>
2019-05-18 01:46:07 +08:00
LTI_NRPS_V2_SCOPE => I18n.t("Can retrieve user data associated with the context the tool is installed in."),
Add DataServices LTI integration refs PLAT-4757 Test Plan: - tests pass Change-Id: I695ce7c88e47a38115e397d4e29eccd9171e7bf2 Reviewed-on: https://gerrit.instructure.com/206063 Tested-by: Jenkins Reviewed-by: Weston Dransfield <wdransfield@instructure.com> QA-Review: Weston Dransfield <wdransfield@instructure.com> Product-Review: Marc Phillips <mphillips@instructure.com>
2019-08-22 01:21:07 +08:00
LTI_UPDATE_PUBLIC_JWK_SCOPE => I18n.t("Can update public jwk for LTI services."),
Add subscription show to LTI DataServices closes PLAT-4761 Test Plan: - see that a call to this endpoint will show a sub Change-Id: Ifc299aebe5cfbadaf82a1970f75ad182ffa31b29 Reviewed-on: https://gerrit.instructure.com/206489 Reviewed-by: Xander Moffatt <xmoffatt@instructure.com> Tested-by: Jenkins QA-Review: Marc Phillips <mphillips@instructure.com> Product-Review: Marc Phillips <mphillips@instructure.com>
2019-08-24 00:37:12 +08:00
LTI_CREATE_DATA_SERVICE_SUBSCRIPTION_SCOPE => I18n.t("Can create subscription to data service data."),
Add update to LTI Data Services closes PLAT-4763 Test Plan: it updates the subscription Change-Id: I80289d2bea6c88b70726718cec7b9087e4879aa9 Reviewed-on: https://gerrit.instructure.com/206505 Reviewed-by: Xander Moffatt <xmoffatt@instructure.com> Tested-by: Jenkins QA-Review: Marc Phillips <mphillips@instructure.com> Product-Review: Marc Phillips <mphillips@instructure.com>
2019-08-24 01:18:18 +08:00
LTI_SHOW_DATA_SERVICE_SUBSCRIPTION_SCOPE => I18n.t("Can show subscription to data service data."),
LTI_UPDATE_DATA_SERVICE_SUBSCRIPTION_SCOPE => I18n.t("Can update subscription to data service data.")
add valid lti scopes to js env for dev key app * NOTE: does not contain any server-side validation of these scopes, just their definitions refs PLAT-3766 test plan: * load the developer keys page * open console, confirm `window.ENV.validLtiScopes` exists and contains the correct scopes from the ticket Change-Id: I376ce41bcfdfcc074ae3356956cae7b8dbffb1a5 Reviewed-on: https://gerrit.instructure.com/165945 Reviewed-by: Weston Dransfield <wdransfield@instructure.com> Tested-by: Jenkins Reviewed-by: Marc Alan Phillips <mphillips@instructure.com> QA-Review: Weston Dransfield <wdransfield@instructure.com> Product-Review: Xander Moffatt <xmoffatt@instructure.com>
2018-09-28 01:43:12 +08:00
}.freeze
Include AGS claim in LTI 1.3 resource link launches - LTI 1.3 launches now include an AGS claim (`https://purl.imsglobal.org/spec/lti-ags/claim/endpoint`) if the current tool's `DeveloperKey` has been granted any AGS scope. - If the launched link is an `Assignment`, the AGS claim will include a `lineitem` sub-claim set to the `Assignment`'s LTI Advantage `LineItem` API URL (`/api/lti/courses/:course_id/line_items/:line_item_id`). - In any AGS-enabled launch from from a `Course` or `Group`, the AGS claim will include `lineitems` sub-claim set the `Course`'s LTI Advantage `LineItem` collection API URL (`/api/lti/courses/:course_id/line_items`.) Closes LTIA-49 Test Plan: 1. Create an LTI 1.3 tool with at least one AGS scope granted to its `DeveloperKey`. Those scopes are: - `https://purl.imsglobal.org/spec/lti-ags/scope/lineitem` - `https://purl.imsglobal.org/spec/lti-ags/scope/lineitem.readonly` - `https://purl.imsglobal.org/spec/lti-ags/scope/result.readonly` - `https://purl.imsglobal.org/spec/lti-ags/scope/score` 2. Launch the tool from a course navigation link. 3. Verify that the `https://purl.imsglobal.org/spec/lti-ags/claim/endpoint` claim is present and: 3.1. Sets all the granted scopes into the `scope` sub-claim 3.2. Sets the `lineitems` sub-claim to `/api/lti/courses/:course_id/line_items` 3.3. The `lineitem` sub-claim is not present. 4. Bind the tool to an `Assignment` and launch from that `Assignment`. 5. Verify that the `https://purl.imsglobal.org/spec/lti-ags/claim/endpoint` claim is present and: 5.1. Sets all the granted scopes from step 1 into the `scope` sub-claim 5.2. Sets the `lineitems` sub-claim to `/api/lti/courses/:course_id/line_items` 5.3. Sets the `lineitem` sub-claim to `/api/lti/courses/:course_id/line_items/:line_item_id` To find :line_item_id for step 5.3 either use the console or database query. E.g. in the console: `Assignment.find(Assignment.maximum(:id)).line_items.find(&:assignment_line_item?).id` 6. Create another LTI 1.3 tool but do not grant any AGS scopes to its `DeveloperKey`. 7. Launch the tool from a course navigation link. 8. Verify that the `https://purl.imsglobal.org/spec/lti-ags/claim/endpoint` claim is not present. 9. Bind the tool to an `Assignment` and launch from that `Assignment`. 10. Verify that the `https://purl.imsglobal.org/spec/lti-ags/claim/endpoint` claim is not present. Change-Id: I787d3e99c60993ed3d28ede08455617e601f3d30 Reviewed-on: https://gerrit.instructure.com/171345 Tested-by: Jenkins Reviewed-by: Weston Dransfield <wdransfield@instructure.com> QA-Review: Weston Dransfield <wdransfield@instructure.com> Product-Review: Marc Phillips <mphillips@instructure.com>
2018-11-08 02:49:11 +08:00
LTI_AGS_SCOPES = [ LTI_AGS_LINE_ITEM_SCOPE, LTI_AGS_LINE_ITEM_READ_ONLY_SCOPE, LTI_AGS_RESULT_READ_ONLY_SCOPE, LTI_AGS_SCORE_SCOPE ].freeze
refactor scopes api endpoint to allow grouping refs PLAT-3024 test plan: * request the scopes from api/v1/accounts/:account_id/scopes - you should get back a json object that matches the documentation * request the scopes from api/v1/accounts/:account_id/scopes passing the query param "group_by=resources" - you should get back a json object with the scopes grouped by resource Change-Id: I4562121a44e3baccc7de8e56e19629377f1931df Reviewed-on: https://gerrit.instructure.com/148623 Reviewed-by: Marc Alan Phillips <mphillips@instructure.com> Tested-by: Jenkins Reviewed-by: Andrew Butterfield <abutterfield@instructure.com> QA-Review: August Thornton <august@instructure.com> Product-Review: Nathan Mills <nathanm@instructure.com>
2018-05-01 03:02:37 +08:00
Add API Token Scope Docs Closes PLAT-3394 Test Plan: - Run the `doc:api` rake task - Navigate to /doc/api/index.html and verify there are two new links in the OAuth2 section ("Developer Keys" and "API Token Scopes") - Verify both links work - Verify the token scopes documentation has a table for each scope group and includes all Canvas scopes - Verify "Resources" documentation pages now display the scope along with each API endpoint Change-Id: I2fea0ff531744dbaf63d24619b3c0e9655a25a7a Reviewed-on: https://gerrit.instructure.com/151010 QA-Review: August Thornton <august@instructure.com> Reviewed-by: Nathan Mills <nathanm@instructure.com> Tested-by: Jenkins Product-Review: Jesse Poulos <jpoulos@instructure.com>
2018-05-22 00:03:24 +08:00
def self.named_scopes
use class methods instead of consts for api scopes fixes PLAT-3454 test plan: * you can either test in production RAILS_ENV or turn on eager_loading and disable class_cache in development * The scopes list in the developer keys page should show all expected scopes Change-Id: I4018cdd8d4f08d32f549cfab5f4a135c2144c403 Reviewed-on: https://gerrit.instructure.com/152398 Tested-by: Jenkins Reviewed-by: Weston Dransfield <wdransfield@instructure.com> QA-Review: Weston Dransfield <wdransfield@instructure.com> Product-Review: Karl Lloyd <karl@instructure.com>
2018-06-05 01:29:40 +08:00
return @_named_scopes if @_named_scopes
named_scopes = detailed_scopes.each_with_object([]) do |frozen_scope, arr|
Add API Token Scope Docs Closes PLAT-3394 Test Plan: - Run the `doc:api` rake task - Navigate to /doc/api/index.html and verify there are two new links in the OAuth2 section ("Developer Keys" and "API Token Scopes") - Verify both links work - Verify the token scopes documentation has a table for each scope group and includes all Canvas scopes - Verify "Resources" documentation pages now display the scope along with each API endpoint Change-Id: I2fea0ff531744dbaf63d24619b3c0e9655a25a7a Reviewed-on: https://gerrit.instructure.com/151010 QA-Review: August Thornton <august@instructure.com> Reviewed-by: Nathan Mills <nathanm@instructure.com> Tested-by: Jenkins Product-Review: Jesse Poulos <jpoulos@instructure.com>
2018-05-22 00:03:24 +08:00
scope = frozen_scope.dup
api_scope_mapper_class = ApiScopeMapperLoader.load
scope[:resource] ||= api_scope_mapper_class.lookup_resource(scope[:controller], scope[:action])
scope[:resource_name] = api_scope_mapper_class.name_for_resource(scope[:resource])
arr << scope if scope[:resource_name]
scope
end
use class methods instead of consts for api scopes fixes PLAT-3454 test plan: * you can either test in production RAILS_ENV or turn on eager_loading and disable class_cache in development * The scopes list in the developer keys page should show all expected scopes Change-Id: I4018cdd8d4f08d32f549cfab5f4a135c2144c403 Reviewed-on: https://gerrit.instructure.com/152398 Tested-by: Jenkins Reviewed-by: Weston Dransfield <wdransfield@instructure.com> QA-Review: Weston Dransfield <wdransfield@instructure.com> Product-Review: Karl Lloyd <karl@instructure.com>
2018-06-05 01:29:40 +08:00
@_named_scopes = Canvas::ICU.collate_by(named_scopes) {|s| s[:resource_name]}.freeze
Add API Token Scope Docs Closes PLAT-3394 Test Plan: - Run the `doc:api` rake task - Navigate to /doc/api/index.html and verify there are two new links in the OAuth2 section ("Developer Keys" and "API Token Scopes") - Verify both links work - Verify the token scopes documentation has a table for each scope group and includes all Canvas scopes - Verify "Resources" documentation pages now display the scope along with each API endpoint Change-Id: I2fea0ff531744dbaf63d24619b3c0e9655a25a7a Reviewed-on: https://gerrit.instructure.com/151010 QA-Review: August Thornton <august@instructure.com> Reviewed-by: Nathan Mills <nathanm@instructure.com> Tested-by: Jenkins Product-Review: Jesse Poulos <jpoulos@instructure.com>
2018-05-22 00:03:24 +08:00
end
use class methods instead of consts for api scopes fixes PLAT-3454 test plan: * you can either test in production RAILS_ENV or turn on eager_loading and disable class_cache in development * The scopes list in the developer keys page should show all expected scopes Change-Id: I4018cdd8d4f08d32f549cfab5f4a135c2144c403 Reviewed-on: https://gerrit.instructure.com/152398 Tested-by: Jenkins Reviewed-by: Weston Dransfield <wdransfield@instructure.com> QA-Review: Weston Dransfield <wdransfield@instructure.com> Product-Review: Karl Lloyd <karl@instructure.com>
2018-06-05 01:29:40 +08:00
def self.all_scopes
Save tool configuration customizations Closes PLAT-3748 Test Plan: - Create an LTI key with customizations - Verify the disabled placements are persisted to the database - Verify the scopes are persited to the database - Verify the LTI key flow works as expected Change-Id: I97217b09cfb10b3732d6ded478b95a8999c6b4e5 Reviewed-on: https://gerrit.instructure.com/166691 Tested-by: Jenkins Product-Review: Weston Dransfield <wdransfield@instructure.com> Reviewed-by: Marc Phillips <mphillips@instructure.com> QA-Review: Marc Phillips <mphillips@instructure.com>
2018-10-03 05:02:48 +08:00
@_all_scopes ||= [USER_INFO_SCOPE[:scope], *api_routes.map {|route| route[:scope]}, *LTI_SCOPES.keys].freeze
use class methods instead of consts for api scopes fixes PLAT-3454 test plan: * you can either test in production RAILS_ENV or turn on eager_loading and disable class_cache in development * The scopes list in the developer keys page should show all expected scopes Change-Id: I4018cdd8d4f08d32f549cfab5f4a135c2144c403 Reviewed-on: https://gerrit.instructure.com/152398 Tested-by: Jenkins Reviewed-by: Weston Dransfield <wdransfield@instructure.com> QA-Review: Weston Dransfield <wdransfield@instructure.com> Product-Review: Karl Lloyd <karl@instructure.com>
2018-06-05 01:29:40 +08:00
end
def self.detailed_scopes
@_detailed_scopes ||= [USER_INFO_SCOPE, *api_routes].freeze
end
private_class_method :detailed_scopes
refactor scopes api endpoint to allow grouping refs PLAT-3024 test plan: * request the scopes from api/v1/accounts/:account_id/scopes - you should get back a json object that matches the documentation * request the scopes from api/v1/accounts/:account_id/scopes passing the query param "group_by=resources" - you should get back a json object with the scopes grouped by resource Change-Id: I4562121a44e3baccc7de8e56e19629377f1931df Reviewed-on: https://gerrit.instructure.com/148623 Reviewed-by: Marc Alan Phillips <mphillips@instructure.com> Tested-by: Jenkins Reviewed-by: Andrew Butterfield <abutterfield@instructure.com> QA-Review: August Thornton <august@instructure.com> Product-Review: Nathan Mills <nathanm@instructure.com>
2018-05-01 03:02:37 +08:00
def self.api_routes
use class methods instead of consts for api scopes fixes PLAT-3454 test plan: * you can either test in production RAILS_ENV or turn on eager_loading and disable class_cache in development * The scopes list in the developer keys page should show all expected scopes Change-Id: I4018cdd8d4f08d32f549cfab5f4a135c2144c403 Reviewed-on: https://gerrit.instructure.com/152398 Tested-by: Jenkins Reviewed-by: Weston Dransfield <wdransfield@instructure.com> QA-Review: Weston Dransfield <wdransfield@instructure.com> Product-Review: Karl Lloyd <karl@instructure.com>
2018-06-05 01:29:40 +08:00
return @_api_routes if @_api_routes
routes = Rails.application.routes.routes.select {|route| /^\/api\/(v1|sis)/ =~ route.path.spec.to_s}.map do |route|
refactor scopes api endpoint to allow grouping refs PLAT-3024 test plan: * request the scopes from api/v1/accounts/:account_id/scopes - you should get back a json object that matches the documentation * request the scopes from api/v1/accounts/:account_id/scopes passing the query param "group_by=resources" - you should get back a json object with the scopes grouped by resource Change-Id: I4562121a44e3baccc7de8e56e19629377f1931df Reviewed-on: https://gerrit.instructure.com/148623 Reviewed-by: Marc Alan Phillips <mphillips@instructure.com> Tested-by: Jenkins Reviewed-by: Andrew Butterfield <abutterfield@instructure.com> QA-Review: August Thornton <august@instructure.com> Product-Review: Nathan Mills <nathanm@instructure.com>
2018-05-01 03:02:37 +08:00
{
add lookup class for scope resource names fixes PLAT-3311 test plan: * run the rake task "doc:api" * request the scopes from api/v1/accounts/:account_id/scopes - you should get back a json object that includes the localized name * request the scopes from api/v1/accounts/:account_id/scopes passing the query param "group_by=resources_name" - you should get back a json object with the scopes grouped by localized resource_name Change-Id: I2cab1822baef7cdda6471096153d60d4f7fe1e2b Reviewed-on: https://gerrit.instructure.com/150233 Tested-by: Jenkins Reviewed-by: Marc Alan Phillips <mphillips@instructure.com> QA-Review: August Thornton <august@instructure.com> Product-Review: Jesse Poulos <jpoulos@instructure.com>
2018-05-15 05:32:44 +08:00
controller: route.defaults[:controller]&.to_sym,
action: route.defaults[:action]&.to_sym,
refactor scopes api endpoint to allow grouping refs PLAT-3024 test plan: * request the scopes from api/v1/accounts/:account_id/scopes - you should get back a json object that matches the documentation * request the scopes from api/v1/accounts/:account_id/scopes passing the query param "group_by=resources" - you should get back a json object with the scopes grouped by resource Change-Id: I4562121a44e3baccc7de8e56e19629377f1931df Reviewed-on: https://gerrit.instructure.com/148623 Reviewed-by: Marc Alan Phillips <mphillips@instructure.com> Tested-by: Jenkins Reviewed-by: Andrew Butterfield <abutterfield@instructure.com> QA-Review: August Thornton <august@instructure.com> Product-Review: Nathan Mills <nathanm@instructure.com>
2018-05-01 03:02:37 +08:00
verb: route.verb,
Add API Token Scope Docs Closes PLAT-3394 Test Plan: - Run the `doc:api` rake task - Navigate to /doc/api/index.html and verify there are two new links in the OAuth2 section ("Developer Keys" and "API Token Scopes") - Verify both links work - Verify the token scopes documentation has a table for each scope group and includes all Canvas scopes - Verify "Resources" documentation pages now display the scope along with each API endpoint Change-Id: I2fea0ff531744dbaf63d24619b3c0e9655a25a7a Reviewed-on: https://gerrit.instructure.com/151010 QA-Review: August Thornton <august@instructure.com> Reviewed-by: Nathan Mills <nathanm@instructure.com> Tested-by: Jenkins Product-Review: Jesse Poulos <jpoulos@instructure.com>
2018-05-22 00:03:24 +08:00
path: route.path.spec.to_s.gsub(/\(\.:format\)$/, ''),
scope: TokenScopesHelper.scope_from_route(route).freeze,
refactor scopes api endpoint to allow grouping refs PLAT-3024 test plan: * request the scopes from api/v1/accounts/:account_id/scopes - you should get back a json object that matches the documentation * request the scopes from api/v1/accounts/:account_id/scopes passing the query param "group_by=resources" - you should get back a json object with the scopes grouped by resource Change-Id: I4562121a44e3baccc7de8e56e19629377f1931df Reviewed-on: https://gerrit.instructure.com/148623 Reviewed-by: Marc Alan Phillips <mphillips@instructure.com> Tested-by: Jenkins Reviewed-by: Andrew Butterfield <abutterfield@instructure.com> QA-Review: August Thornton <august@instructure.com> Product-Review: Nathan Mills <nathanm@instructure.com>
2018-05-01 03:02:37 +08:00
}
end
use class methods instead of consts for api scopes fixes PLAT-3454 test plan: * you can either test in production RAILS_ENV or turn on eager_loading and disable class_cache in development * The scopes list in the developer keys page should show all expected scopes Change-Id: I4018cdd8d4f08d32f549cfab5f4a135c2144c403 Reviewed-on: https://gerrit.instructure.com/152398 Tested-by: Jenkins Reviewed-by: Weston Dransfield <wdransfield@instructure.com> QA-Review: Weston Dransfield <wdransfield@instructure.com> Product-Review: Karl Lloyd <karl@instructure.com>
2018-06-05 01:29:40 +08:00
@_api_routes = routes.uniq {|route| route[:scope]}.freeze
Add route scope enforcement to application controller fixes PLAT-3176 fixes PLAT-3179 fixes PLAT-3181 fixes PLAT-3177 Test plan: * Create a DeveloperKey * Create an AccessToken * Ensure that everything can be accessed as normal * Set require_scopes to true on the DeveloperKey * Ensure that nothing can be accessed * Add some scopes to the AccessToken from the list of available scopes TokenScopes::SCOPES * Ensure that the endpoints associated with those requests work but that others don't * Ensure that HEAD requests work for GET endpoints * Ensure all api endpoints behave normally when scopes are not turned on for developer key Change-Id: I0e7c1758ae2d51743490f243cfa21714255c8109 Reviewed-on: https://gerrit.instructure.com/143026 Tested-by: Jenkins Reviewed-by: Simon Williams <simon@instructure.com> Reviewed-by: Nathan Mills <nathanm@instructure.com> QA-Review: August Thornton <august@instructure.com> Reviewed-by: Rob Orton <rob@instructure.com> Product-Review: Karl Lloyd <karl@instructure.com>
2018-03-09 04:46:40 +08:00
end
refactor scopes api endpoint to allow grouping refs PLAT-3024 test plan: * request the scopes from api/v1/accounts/:account_id/scopes - you should get back a json object that matches the documentation * request the scopes from api/v1/accounts/:account_id/scopes passing the query param "group_by=resources" - you should get back a json object with the scopes grouped by resource Change-Id: I4562121a44e3baccc7de8e56e19629377f1931df Reviewed-on: https://gerrit.instructure.com/148623 Reviewed-by: Marc Alan Phillips <mphillips@instructure.com> Tested-by: Jenkins Reviewed-by: Andrew Butterfield <abutterfield@instructure.com> QA-Review: August Thornton <august@instructure.com> Product-Review: Nathan Mills <nathanm@instructure.com>
2018-05-01 03:02:37 +08:00
private_class_method :api_routes
Add route scope enforcement to application controller fixes PLAT-3176 fixes PLAT-3179 fixes PLAT-3181 fixes PLAT-3177 Test plan: * Create a DeveloperKey * Create an AccessToken * Ensure that everything can be accessed as normal * Set require_scopes to true on the DeveloperKey * Ensure that nothing can be accessed * Add some scopes to the AccessToken from the list of available scopes TokenScopes::SCOPES * Ensure that the endpoints associated with those requests work but that others don't * Ensure that HEAD requests work for GET endpoints * Ensure all api endpoints behave normally when scopes are not turned on for developer key Change-Id: I0e7c1758ae2d51743490f243cfa21714255c8109 Reviewed-on: https://gerrit.instructure.com/143026 Tested-by: Jenkins Reviewed-by: Simon Williams <simon@instructure.com> Reviewed-by: Nathan Mills <nathanm@instructure.com> QA-Review: August Thornton <august@instructure.com> Reviewed-by: Rob Orton <rob@instructure.com> Product-Review: Karl Lloyd <karl@instructure.com>
2018-03-09 04:46:40 +08:00
end