ylqjgm
/
canvas-lms
mirror of https://github.com/instructure/canvas-lms.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
canvas-lms/lib/token_scopes.rb

107 lines
6.4 KiB
Ruby
Raw Normal View History

Add route scope enforcement to application controller fixes PLAT-3176 fixes PLAT-3179 fixes PLAT-3181 fixes PLAT-3177 Test plan: * Create a DeveloperKey * Create an AccessToken * Ensure that everything can be accessed as normal * Set require_scopes to true on the DeveloperKey * Ensure that nothing can be accessed * Add some scopes to the AccessToken from the list of available scopes TokenScopes::SCOPES * Ensure that the endpoints associated with those requests work but that others don't * Ensure that HEAD requests work for GET endpoints * Ensure all api endpoints behave normally when scopes are not turned on for developer key Change-Id: I0e7c1758ae2d51743490f243cfa21714255c8109 Reviewed-on: https://gerrit.instructure.com/143026 Tested-by: Jenkins Reviewed-by: Simon Williams <simon@instructure.com> Reviewed-by: Nathan Mills <nathanm@instructure.com> QA-Review: August Thornton <august@instructure.com> Reviewed-by: Rob Orton <rob@instructure.com> Product-Review: Karl Lloyd <karl@instructure.com>
2018-03-09 04:46:40 +08:00
#
# Copyright (C) 2018 - present Instructure, Inc.
#
# This file is part of Canvas.
#
# Canvas is free software: you can redistribute it and/or modify it under
# the terms of the GNU Affero General Public License as published by the Free
# Software Foundation, version 3 of the License.
#
# Canvas is distributed in the hope that it will be useful, but WITHOUT ANY
# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR
# A PARTICULAR PURPOSE. See the GNU Affero General Public License for more
# details.
#
# You should have received a copy of the GNU Affero General Public License along
# with this program. If not, see <http://www.gnu.org/licenses/>.
#
class TokenScopes
refactor scopes api endpoint to allow grouping refs PLAT-3024 test plan: * request the scopes from api/v1/accounts/:account_id/scopes - you should get back a json object that matches the documentation * request the scopes from api/v1/accounts/:account_id/scopes passing the query param "group_by=resources" - you should get back a json object with the scopes grouped by resource Change-Id: I4562121a44e3baccc7de8e56e19629377f1931df Reviewed-on: https://gerrit.instructure.com/148623 Reviewed-by: Marc Alan Phillips <mphillips@instructure.com> Tested-by: Jenkins Reviewed-by: Andrew Butterfield <abutterfield@instructure.com> QA-Review: August Thornton <august@instructure.com> Product-Review: Nathan Mills <nathanm@instructure.com>
2018-05-01 03:02:37 +08:00
OAUTH2_SCOPE_NAMESPACE = '/auth/'.freeze
USER_INFO_SCOPE = {
add lookup class for scope resource names fixes PLAT-3311 test plan: * run the rake task "doc:api" * request the scopes from api/v1/accounts/:account_id/scopes - you should get back a json object that includes the localized name * request the scopes from api/v1/accounts/:account_id/scopes passing the query param "group_by=resources_name" - you should get back a json object with the scopes grouped by localized resource_name Change-Id: I2cab1822baef7cdda6471096153d60d4f7fe1e2b Reviewed-on: https://gerrit.instructure.com/150233 Tested-by: Jenkins Reviewed-by: Marc Alan Phillips <mphillips@instructure.com> QA-Review: August Thornton <august@instructure.com> Product-Review: Jesse Poulos <jpoulos@instructure.com>
2018-05-15 05:32:44 +08:00
resource: :oauth2,
refactor scopes api endpoint to allow grouping refs PLAT-3024 test plan: * request the scopes from api/v1/accounts/:account_id/scopes - you should get back a json object that matches the documentation * request the scopes from api/v1/accounts/:account_id/scopes passing the query param "group_by=resources" - you should get back a json object with the scopes grouped by resource Change-Id: I4562121a44e3baccc7de8e56e19629377f1931df Reviewed-on: https://gerrit.instructure.com/148623 Reviewed-by: Marc Alan Phillips <mphillips@instructure.com> Tested-by: Jenkins Reviewed-by: Andrew Butterfield <abutterfield@instructure.com> QA-Review: August Thornton <august@instructure.com> Product-Review: Nathan Mills <nathanm@instructure.com>
2018-05-01 03:02:37 +08:00
verb: "GET",
scope: "#{OAUTH2_SCOPE_NAMESPACE}userinfo"
}.freeze
Enforce Tool-Course visibility rules in NRPS V2 calls - NRPS v2 invocations referencing a `Course` Context now attempt to resolve a `ContextExternalTool` (CET) given the JWT `AccessToken` attached to the request. In order to return memberships, that CET must be active and must either be bound directly to the `Course` or to an `Account` in the `Course`'s' `Account` chain. - `AccessToken` must be associated with an active `DeveloperKey` (DK), and the search for the "operative" CET for the current request is executed against that DK's list of active CETs. - `Course`-level CETs are preferred, followed by `Account`-level CETs. - LTI 1.3/Advantage features must be turned on at the CET and root `Account` levels. - The `AccessToken`'s'JWT signature and security claims are not themselves validated... that comes later. - `Group` Context support also comes later. Closes LTIA-26 Test Plan: - Via Rails console create a `DeveloperKey` associated with the public key of a Tool configured in the IMS LTI 1.3/Advantage Reference Implementation (RI) and the root `Account` in your env - Via Rails console, create a LTI 1.3-enabled `ContextExternalTool` with a `course_navigation` placement and linked to the just-created `DeveloperKey` and its `Account` - For a `Course` owned by this `Account`, verify that direct invocations of the NRPS v2 API. (`GET /api/lti/courses/:course_id/names_and_roles`) fail with a 401 and a message complaining about a missing access token. - Navigate to the `Course` and click the newly created nav link, which should successfully launch the RI. - Click the 'Request Names and Roles' link in the RI. Verify course is reported in the NRPS v2 format. - Deactivate the `DeveloperKey`. Click 'Request Names and Roles' link in the RI. Verify a (non-descript) on-screen error message. - Re-enable the `DeveloperKey` and re-verify the same behavior for a `Course` associated with a sub-`Account`. - Delete the CET, verify that NRPS v2 invocations from the RI fail. - Via Rails console, create a new CET linked to the same `DeveloperKey`, but now attached to the sub-`Account` `Course`. - Re-verify NRPS v2 invocation from the RI. - *Consult JIRA for full acceptance criteria. Change-Id: Ie9625ea8d6ce5e6f59e3c7ce1d10d0a47291afa4 Reviewed-on: https://gerrit.instructure.com/167183 Tested-by: Jenkins QA-Review: Samuel Barney <sbarney@instructure.com> Reviewed-by: Marc Phillips <mphillips@instructure.com> Product-Review: Karl Lloyd <karl@instructure.com>
2018-10-03 11:23:45 +08:00
LTI_AGS_LINE_ITEM_SCOPE = "https://purl.imsglobal.org/spec/lti-ags/scope/lineitem".freeze
LTI_AGS_LINE_ITEM_READ_ONLY_SCOPE = "https://purl.imsglobal.org/spec/lti-ags/scope/lineitem.readonly".freeze
LTI_AGS_RESULT_READ_ONLY_SCOPE = "https://purl.imsglobal.org/spec/lti-ags/scope/result.readonly".freeze
LTI_AGS_SCORE_SCOPE = "https://purl.imsglobal.org/spec/lti-ags/scope/score".freeze
LTI_NRPS_V2_SCOPE = "https://purl.imsglobal.org/spec/lti-nrps/scope/contextmembership.readonly".freeze
Create Developer Key update endpoint for public_jwk update fixes PLAT-4492 Test Plan -Create test tool -Use tool to create developer key in canvas -Change tool credential oauth_client_id to match client id from developer key -Go to http://lti13testtool.docker/developer_key/update_public_jwk/21 -Verify that public JWK was changed: Change-Id: Ic09a665d4ab14d3423b7e4b2a3a51296c0617981 Reviewed-on: https://gerrit.instructure.com/194447 Tested-by: Jenkins Reviewed-by: Weston Dransfield <wdransfield@instructure.com> QA-Review: Weston Dransfield <wdransfield@instructure.com> Product-Review: Jesse Poulos <jpoulos@instructure.com>
2019-05-18 01:46:07 +08:00
LTI_UPDATE_PUBLIC_JWK_SCOPE = "https://canvas.instructure.com/lti/public_jwk/scope/update".freeze
Account lookup endpoint for CDC Event Transformer Endpoint needed by CDC Event Tranformer to look up UUIDs for root accounts it hasn't seen. closes PLAT-5515 flag=none Test plan: - get an LTI Advantage token for a site admin dev key with the new scope. This can be done by adding logging to the live-events-lti tool (I think in app/services/access_token_service.rb#16) or using my cdc-event-transformer test in CanvasClientTest.java and printing out cc.getToken(). - hit the new endpoint with header "Authorization: Bearer MYACCESSTOKEN" web.canvas-lms.docker/api/lti/accounts/123 with varying values of account ID, including global IDs, accounts that do not exist, global IDs where the shard does not exist... - ideally we'd like to test that a dev key only available for one shard cannot access account info for another shard. This could be done by creating two dev keys that have the same ID but are on different shards, and use a token for one dev key to try to access an account on the other shard. This is probably hard to do locally though. I did test on prod that DeveloperKey#account_binding_for will return nil for an account in another shard even if there is a dev key with the same local ID in the account's shard that has access to it. Change-Id: I1299ebce9b94ce00d7cb62db01891b81908915ff Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/229580 Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com> Reviewed-by: Weston Dransfield <wdransfield@instructure.com> QA-Review: Xander Moffatt <xmoffatt@instructure.com> Product-Review: Evan Battaglia <ebattaglia@instructure.com>
2020-03-11 07:11:46 +08:00
LTI_ACCOUNT_LOOKUP_SCOPE = "https://canvas.instructure.com/lti/account_lookup/scope/show".freeze
Add DataServices LTI integration refs PLAT-4757 Test Plan: - tests pass Change-Id: I695ce7c88e47a38115e397d4e29eccd9171e7bf2 Reviewed-on: https://gerrit.instructure.com/206063 Tested-by: Jenkins Reviewed-by: Weston Dransfield <wdransfield@instructure.com> QA-Review: Weston Dransfield <wdransfield@instructure.com> Product-Review: Marc Phillips <mphillips@instructure.com>
2019-08-22 01:21:07 +08:00
LTI_CREATE_DATA_SERVICE_SUBSCRIPTION_SCOPE = "https://canvas.instructure.com/lti/data_services/scope/create".freeze
Add subscription show to LTI DataServices closes PLAT-4761 Test Plan: - see that a call to this endpoint will show a sub Change-Id: Ifc299aebe5cfbadaf82a1970f75ad182ffa31b29 Reviewed-on: https://gerrit.instructure.com/206489 Reviewed-by: Xander Moffatt <xmoffatt@instructure.com> Tested-by: Jenkins QA-Review: Marc Phillips <mphillips@instructure.com> Product-Review: Marc Phillips <mphillips@instructure.com>
2019-08-24 00:37:12 +08:00
LTI_SHOW_DATA_SERVICE_SUBSCRIPTION_SCOPE = "https://canvas.instructure.com/lti/data_services/scope/show".freeze
Add update to LTI Data Services closes PLAT-4763 Test Plan: it updates the subscription Change-Id: I80289d2bea6c88b70726718cec7b9087e4879aa9 Reviewed-on: https://gerrit.instructure.com/206505 Reviewed-by: Xander Moffatt <xmoffatt@instructure.com> Tested-by: Jenkins QA-Review: Marc Phillips <mphillips@instructure.com> Product-Review: Marc Phillips <mphillips@instructure.com>
2019-08-24 01:18:18 +08:00
LTI_UPDATE_DATA_SERVICE_SUBSCRIPTION_SCOPE = "https://canvas.instructure.com/lti/data_services/scope/update".freeze
add data services index action closes PLAT-4744 Test Plan: - see that the index action returns a list Change-Id: I92cc07c5476c7dd48202f38b62e09df6aa591b62 Reviewed-on: https://gerrit.instructure.com/206435 Reviewed-by: Weston Dransfield <wdransfield@instructure.com> Tested-by: Jenkins QA-Review: Marc Phillips <mphillips@instructure.com> Product-Review: Marc Phillips <mphillips@instructure.com>
2019-08-23 07:44:31 +08:00
LTI_LIST_DATA_SERVICE_SUBSCRIPTION_SCOPE = "https://canvas.instructure.com/lti/data_services/scope/list".freeze
Add Data Services event subscription destroy closes PLAT-4819 Test Plan: n/a Change-Id: Ib5661b85af4e68048d44742f9ec8d273c79008b2 Reviewed-on: https://gerrit.instructure.com/206519 Tested-by: Jenkins QA-Review: Marc Phillips <mphillips@instructure.com> Product-Review: Marc Phillips <mphillips@instructure.com> Reviewed-by: Xander Moffatt <xmoffatt@instructure.com>
2019-08-24 01:42:38 +08:00
LTI_DESTROY_DATA_SERVICE_SUBSCRIPTION_SCOPE = "https://canvas.instructure.com/lti/data_services/scope/destroy".freeze
Add event types index action to data services Closes PLAT-4766 Test Plan: - Configure Canvas to use the live events subscription service - Verify making a request to the new endpoint returns a categorized list of events - Verify the new endpoint uses LTI advantage authorization/authentication Change-Id: Id6f4ec2978e3a4542042bd821e408acfa566005c Reviewed-on: https://gerrit.instructure.com/207713 Tested-by: Jenkins Reviewed-by: Clint Furse <cfurse@instructure.com> QA-Review: Clint Furse <cfurse@instructure.com> Product-Review: Weston Dransfield <wdransfield@instructure.com>
2019-08-31 03:30:34 +08:00
LTI_LIST_EVENT_TYPES_DATA_SERVICE_SUBSCRIPTION_SCOPE = "https://canvas.instructure.com/lti/data_services/scope/list_event_types".freeze
Add LTI advantage feature flag service Closes PLAT-4952 Test Plan: - Install an LTI 1.3 tool that uses the new scope and service endpoint - Make a request to the new endpoint specifying a feature flag that exists. Verify the feature flag is returned in the response with accurate data. - Make a request to the new endpoint specifying a feature flag that does not exist. Verify the service responds with a 404 - Verify the new endpoint adheres to LTI Advange authentication/authorization ( requres JWT access token, requres active developer key, etc.) Change-Id: Ifb876b541c237a3c9ca45270bafea5693d6a03eb Reviewed-on: https://gerrit.instructure.com/211196 Tested-by: Jenkins Reviewed-by: Clint Furse <cfurse@instructure.com> QA-Review: Clint Furse <cfurse@instructure.com> Product-Review: Weston Dransfield <wdransfield@instructure.com>
2019-09-25 09:30:37 +08:00
LTI_SHOW_FEATURE_FLAG_SCOPE = "https://canvas.instructure.com/lti/feature_flags/scope/show".freeze
feat(LTI): Adds LTI API endpoint for listing external tools Fixes: CAL-30 flag = none Test Plan: - Check developer keys LTI page and make sure HIDDEN items do not show up (http://canvas.docker/accounts/1/developer_keys#lti_key_modal_opened) under "LTI Advantage Services" - Specs pass Change-Id: I8408be58124ef7e57804b5a66fef791608701f7b Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/235629 Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com> QA-Review: Aaron Ogata <aogata@instructure.com> Product-Review: Alex Slaughter <aslaughter@instructure.com> Reviewed-by: Weston Dransfield <wdransfield@instructure.com>
2020-04-29 19:00:03 +08:00
LTI_CREATE_ACCOUNT_EXTERNAL_TOOLS_SCOPE = "https://canvas.instructure.com/lti/account_external_tools/scope/create".freeze
LTI_DESTROY_ACCOUNT_EXTERNAL_TOOLS_SCOPE = "https://canvas.instructure.com/lti/account_external_tools/scope/destroy".freeze
LTI_LIST_ACCOUNT_EXTERNAL_TOOLS_SCOPE = "https://canvas.instructure.com/lti/account_external_tools/scope/list".freeze
LTI_SHOW_ACCOUNT_EXTERNAL_TOOLS_SCOPE = "https://canvas.instructure.com/lti/account_external_tools/scope/show".freeze
LTI_UPDATE_ACCOUNT_EXTERNAL_TOOLS_SCOPE = "https://canvas.instructure.com/lti/account_external_tools/scope/update".freeze
add valid lti scopes to js env for dev key app * NOTE: does not contain any server-side validation of these scopes, just their definitions refs PLAT-3766 test plan: * load the developer keys page * open console, confirm `window.ENV.validLtiScopes` exists and contains the correct scopes from the ticket Change-Id: I376ce41bcfdfcc074ae3356956cae7b8dbffb1a5 Reviewed-on: https://gerrit.instructure.com/165945 Reviewed-by: Weston Dransfield <wdransfield@instructure.com> Tested-by: Jenkins Reviewed-by: Marc Alan Phillips <mphillips@instructure.com> QA-Review: Weston Dransfield <wdransfield@instructure.com> Product-Review: Xander Moffatt <xmoffatt@instructure.com>
2018-09-28 01:43:12 +08:00
LTI_SCOPES = {
Update wording for LTI Advantage messaging Wording is now more useful for admins to determine what permissions are being granted. closes PLAT-4257 Test Plan: - Create a tool with all permisisons - Note that the help text is changed and useful Change-Id: I23f50db5fad5d81565d64e8609d6a3da17f56321 Reviewed-on: https://gerrit.instructure.com/185851 Tested-by: Jenkins Reviewed-by: Weston Dransfield <wdransfield@instructure.com> QA-Review: Marc Phillips <mphillips@instructure.com> Product-Review: Jesse Poulos <jpoulos@instructure.com>
2019-03-19 07:52:51 +08:00
LTI_AGS_LINE_ITEM_SCOPE => I18n.t("Can create and view assignment data in the gradebook associated with the tool."),
Fixups to Manual ToolConfig Creation Add some changes to the Manual Configuration form for 1.3 tools. refs PLAT-4248 Test Plan: n/a Change-Id: I02d0321eb338ddda5dccd232ab024729abfdf88e Reviewed-on: https://gerrit.instructure.com/187168 Tested-by: Jenkins Reviewed-by: Weston Dransfield <wdransfield@instructure.com> QA-Review: Marc Phillips <mphillips@instructure.com> Product-Review: Marc Phillips <mphillips@instructure.com>
2019-03-28 04:10:59 +08:00
LTI_AGS_LINE_ITEM_READ_ONLY_SCOPE => I18n.t("Can view assignment data in the gradebook associated with the tool."),
Update wording for LTI Advantage messaging Wording is now more useful for admins to determine what permissions are being granted. closes PLAT-4257 Test Plan: - Create a tool with all permisisons - Note that the help text is changed and useful Change-Id: I23f50db5fad5d81565d64e8609d6a3da17f56321 Reviewed-on: https://gerrit.instructure.com/185851 Tested-by: Jenkins Reviewed-by: Weston Dransfield <wdransfield@instructure.com> QA-Review: Marc Phillips <mphillips@instructure.com> Product-Review: Jesse Poulos <jpoulos@instructure.com>
2019-03-19 07:52:51 +08:00
LTI_AGS_RESULT_READ_ONLY_SCOPE => I18n.t("Can view submission data for assignments associated with the tool."),
LTI_AGS_SCORE_SCOPE => I18n.t("Can create and update submission results for assignments associated with the tool."),
Create Developer Key update endpoint for public_jwk update fixes PLAT-4492 Test Plan -Create test tool -Use tool to create developer key in canvas -Change tool credential oauth_client_id to match client id from developer key -Go to http://lti13testtool.docker/developer_key/update_public_jwk/21 -Verify that public JWK was changed: Change-Id: Ic09a665d4ab14d3423b7e4b2a3a51296c0617981 Reviewed-on: https://gerrit.instructure.com/194447 Tested-by: Jenkins Reviewed-by: Weston Dransfield <wdransfield@instructure.com> QA-Review: Weston Dransfield <wdransfield@instructure.com> Product-Review: Jesse Poulos <jpoulos@instructure.com>
2019-05-18 01:46:07 +08:00
LTI_NRPS_V2_SCOPE => I18n.t("Can retrieve user data associated with the context the tool is installed in."),
Add DataServices LTI integration refs PLAT-4757 Test Plan: - tests pass Change-Id: I695ce7c88e47a38115e397d4e29eccd9171e7bf2 Reviewed-on: https://gerrit.instructure.com/206063 Tested-by: Jenkins Reviewed-by: Weston Dransfield <wdransfield@instructure.com> QA-Review: Weston Dransfield <wdransfield@instructure.com> Product-Review: Marc Phillips <mphillips@instructure.com>
2019-08-22 01:21:07 +08:00
LTI_UPDATE_PUBLIC_JWK_SCOPE => I18n.t("Can update public jwk for LTI services."),
Account lookup endpoint for CDC Event Transformer Endpoint needed by CDC Event Tranformer to look up UUIDs for root accounts it hasn't seen. closes PLAT-5515 flag=none Test plan: - get an LTI Advantage token for a site admin dev key with the new scope. This can be done by adding logging to the live-events-lti tool (I think in app/services/access_token_service.rb#16) or using my cdc-event-transformer test in CanvasClientTest.java and printing out cc.getToken(). - hit the new endpoint with header "Authorization: Bearer MYACCESSTOKEN" web.canvas-lms.docker/api/lti/accounts/123 with varying values of account ID, including global IDs, accounts that do not exist, global IDs where the shard does not exist... - ideally we'd like to test that a dev key only available for one shard cannot access account info for another shard. This could be done by creating two dev keys that have the same ID but are on different shards, and use a token for one dev key to try to access an account on the other shard. This is probably hard to do locally though. I did test on prod that DeveloperKey#account_binding_for will return nil for an account in another shard even if there is a dev key with the same local ID in the account's shard that has access to it. Change-Id: I1299ebce9b94ce00d7cb62db01891b81908915ff Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/229580 Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com> Reviewed-by: Weston Dransfield <wdransfield@instructure.com> QA-Review: Xander Moffatt <xmoffatt@instructure.com> Product-Review: Evan Battaglia <ebattaglia@instructure.com>
2020-03-11 07:11:46 +08:00
LTI_ACCOUNT_LOOKUP_SCOPE => I18n.t("Can lookup Account information"),
Add subscription show to LTI DataServices closes PLAT-4761 Test Plan: - see that a call to this endpoint will show a sub Change-Id: Ifc299aebe5cfbadaf82a1970f75ad182ffa31b29 Reviewed-on: https://gerrit.instructure.com/206489 Reviewed-by: Xander Moffatt <xmoffatt@instructure.com> Tested-by: Jenkins QA-Review: Marc Phillips <mphillips@instructure.com> Product-Review: Marc Phillips <mphillips@instructure.com>
2019-08-24 00:37:12 +08:00
LTI_CREATE_DATA_SERVICE_SUBSCRIPTION_SCOPE => I18n.t("Can create subscription to data service data."),
Add update to LTI Data Services closes PLAT-4763 Test Plan: it updates the subscription Change-Id: I80289d2bea6c88b70726718cec7b9087e4879aa9 Reviewed-on: https://gerrit.instructure.com/206505 Reviewed-by: Xander Moffatt <xmoffatt@instructure.com> Tested-by: Jenkins QA-Review: Marc Phillips <mphillips@instructure.com> Product-Review: Marc Phillips <mphillips@instructure.com>
2019-08-24 01:18:18 +08:00
LTI_SHOW_DATA_SERVICE_SUBSCRIPTION_SCOPE => I18n.t("Can show subscription to data service data."),
add data services index action closes PLAT-4744 Test Plan: - see that the index action returns a list Change-Id: I92cc07c5476c7dd48202f38b62e09df6aa591b62 Reviewed-on: https://gerrit.instructure.com/206435 Reviewed-by: Weston Dransfield <wdransfield@instructure.com> Tested-by: Jenkins QA-Review: Marc Phillips <mphillips@instructure.com> Product-Review: Marc Phillips <mphillips@instructure.com>
2019-08-23 07:44:31 +08:00
LTI_UPDATE_DATA_SERVICE_SUBSCRIPTION_SCOPE => I18n.t("Can update subscription to data service data."),
Add Data Services event subscription destroy closes PLAT-4819 Test Plan: n/a Change-Id: Ib5661b85af4e68048d44742f9ec8d273c79008b2 Reviewed-on: https://gerrit.instructure.com/206519 Tested-by: Jenkins QA-Review: Marc Phillips <mphillips@instructure.com> Product-Review: Marc Phillips <mphillips@instructure.com> Reviewed-by: Xander Moffatt <xmoffatt@instructure.com>
2019-08-24 01:42:38 +08:00
LTI_LIST_DATA_SERVICE_SUBSCRIPTION_SCOPE => I18n.t("Can list subscriptions to data service data."),
Add event types index action to data services Closes PLAT-4766 Test Plan: - Configure Canvas to use the live events subscription service - Verify making a request to the new endpoint returns a categorized list of events - Verify the new endpoint uses LTI advantage authorization/authentication Change-Id: Id6f4ec2978e3a4542042bd821e408acfa566005c Reviewed-on: https://gerrit.instructure.com/207713 Tested-by: Jenkins Reviewed-by: Clint Furse <cfurse@instructure.com> QA-Review: Clint Furse <cfurse@instructure.com> Product-Review: Weston Dransfield <wdransfield@instructure.com>
2019-08-31 03:30:34 +08:00
LTI_DESTROY_DATA_SERVICE_SUBSCRIPTION_SCOPE => I18n.t("Can destroy subscription to data service data."),
Add LTI advantage feature flag service Closes PLAT-4952 Test Plan: - Install an LTI 1.3 tool that uses the new scope and service endpoint - Make a request to the new endpoint specifying a feature flag that exists. Verify the feature flag is returned in the response with accurate data. - Make a request to the new endpoint specifying a feature flag that does not exist. Verify the service responds with a 404 - Verify the new endpoint adheres to LTI Advange authentication/authorization ( requres JWT access token, requres active developer key, etc.) Change-Id: Ifb876b541c237a3c9ca45270bafea5693d6a03eb Reviewed-on: https://gerrit.instructure.com/211196 Tested-by: Jenkins Reviewed-by: Clint Furse <cfurse@instructure.com> QA-Review: Clint Furse <cfurse@instructure.com> Product-Review: Weston Dransfield <wdransfield@instructure.com>
2019-09-25 09:30:37 +08:00
LTI_LIST_EVENT_TYPES_DATA_SERVICE_SUBSCRIPTION_SCOPE => I18n.t("Can list categorized event types."),
LTI_SHOW_FEATURE_FLAG_SCOPE => I18n.t('Can view feature flags')
add valid lti scopes to js env for dev key app * NOTE: does not contain any server-side validation of these scopes, just their definitions refs PLAT-3766 test plan: * load the developer keys page * open console, confirm `window.ENV.validLtiScopes` exists and contains the correct scopes from the ticket Change-Id: I376ce41bcfdfcc074ae3356956cae7b8dbffb1a5 Reviewed-on: https://gerrit.instructure.com/165945 Reviewed-by: Weston Dransfield <wdransfield@instructure.com> Tested-by: Jenkins Reviewed-by: Marc Alan Phillips <mphillips@instructure.com> QA-Review: Weston Dransfield <wdransfield@instructure.com> Product-Review: Xander Moffatt <xmoffatt@instructure.com>
2018-09-28 01:43:12 +08:00
}.freeze
Include AGS claim in LTI 1.3 resource link launches - LTI 1.3 launches now include an AGS claim (`https://purl.imsglobal.org/spec/lti-ags/claim/endpoint`) if the current tool's `DeveloperKey` has been granted any AGS scope. - If the launched link is an `Assignment`, the AGS claim will include a `lineitem` sub-claim set to the `Assignment`'s LTI Advantage `LineItem` API URL (`/api/lti/courses/:course_id/line_items/:line_item_id`). - In any AGS-enabled launch from from a `Course` or `Group`, the AGS claim will include `lineitems` sub-claim set the `Course`'s LTI Advantage `LineItem` collection API URL (`/api/lti/courses/:course_id/line_items`.) Closes LTIA-49 Test Plan: 1. Create an LTI 1.3 tool with at least one AGS scope granted to its `DeveloperKey`. Those scopes are: - `https://purl.imsglobal.org/spec/lti-ags/scope/lineitem` - `https://purl.imsglobal.org/spec/lti-ags/scope/lineitem.readonly` - `https://purl.imsglobal.org/spec/lti-ags/scope/result.readonly` - `https://purl.imsglobal.org/spec/lti-ags/scope/score` 2. Launch the tool from a course navigation link. 3. Verify that the `https://purl.imsglobal.org/spec/lti-ags/claim/endpoint` claim is present and: 3.1. Sets all the granted scopes into the `scope` sub-claim 3.2. Sets the `lineitems` sub-claim to `/api/lti/courses/:course_id/line_items` 3.3. The `lineitem` sub-claim is not present. 4. Bind the tool to an `Assignment` and launch from that `Assignment`. 5. Verify that the `https://purl.imsglobal.org/spec/lti-ags/claim/endpoint` claim is present and: 5.1. Sets all the granted scopes from step 1 into the `scope` sub-claim 5.2. Sets the `lineitems` sub-claim to `/api/lti/courses/:course_id/line_items` 5.3. Sets the `lineitem` sub-claim to `/api/lti/courses/:course_id/line_items/:line_item_id` To find :line_item_id for step 5.3 either use the console or database query. E.g. in the console: `Assignment.find(Assignment.maximum(:id)).line_items.find(&:assignment_line_item?).id` 6. Create another LTI 1.3 tool but do not grant any AGS scopes to its `DeveloperKey`. 7. Launch the tool from a course navigation link. 8. Verify that the `https://purl.imsglobal.org/spec/lti-ags/claim/endpoint` claim is not present. 9. Bind the tool to an `Assignment` and launch from that `Assignment`. 10. Verify that the `https://purl.imsglobal.org/spec/lti-ags/claim/endpoint` claim is not present. Change-Id: I787d3e99c60993ed3d28ede08455617e601f3d30 Reviewed-on: https://gerrit.instructure.com/171345 Tested-by: Jenkins Reviewed-by: Weston Dransfield <wdransfield@instructure.com> QA-Review: Weston Dransfield <wdransfield@instructure.com> Product-Review: Marc Phillips <mphillips@instructure.com>
2018-11-08 02:49:11 +08:00
LTI_AGS_SCOPES = [ LTI_AGS_LINE_ITEM_SCOPE, LTI_AGS_LINE_ITEM_READ_ONLY_SCOPE, LTI_AGS_RESULT_READ_ONLY_SCOPE, LTI_AGS_SCORE_SCOPE ].freeze
feat(LTI): Adds LTI API endpoint for listing external tools Fixes: CAL-30 flag = none Test Plan: - Check developer keys LTI page and make sure HIDDEN items do not show up (http://canvas.docker/accounts/1/developer_keys#lti_key_modal_opened) under "LTI Advantage Services" - Specs pass Change-Id: I8408be58124ef7e57804b5a66fef791608701f7b Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/235629 Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com> QA-Review: Aaron Ogata <aogata@instructure.com> Product-Review: Alex Slaughter <aslaughter@instructure.com> Reviewed-by: Weston Dransfield <wdransfield@instructure.com>
2020-04-29 19:00:03 +08:00
LTI_HIDDEN_SCOPES = {
LTI_CREATE_ACCOUNT_EXTERNAL_TOOLS_SCOPE => I18n.t("Can create extneral tools."),
LTI_DESTROY_ACCOUNT_EXTERNAL_TOOLS_SCOPE => I18n.t("Can destroy external tools."),
LTI_LIST_ACCOUNT_EXTERNAL_TOOLS_SCOPE => I18n.t("Can list external tools."),
LTI_SHOW_ACCOUNT_EXTERNAL_TOOLS_SCOPE => I18n.t("Can show external tools."),
LTI_UPDATE_ACCOUNT_EXTERNAL_TOOLS_SCOPE => I18n.t("Can update external tools."),
}.freeze
refactor scopes api endpoint to allow grouping refs PLAT-3024 test plan: * request the scopes from api/v1/accounts/:account_id/scopes - you should get back a json object that matches the documentation * request the scopes from api/v1/accounts/:account_id/scopes passing the query param "group_by=resources" - you should get back a json object with the scopes grouped by resource Change-Id: I4562121a44e3baccc7de8e56e19629377f1931df Reviewed-on: https://gerrit.instructure.com/148623 Reviewed-by: Marc Alan Phillips <mphillips@instructure.com> Tested-by: Jenkins Reviewed-by: Andrew Butterfield <abutterfield@instructure.com> QA-Review: August Thornton <august@instructure.com> Product-Review: Nathan Mills <nathanm@instructure.com>
2018-05-01 03:02:37 +08:00
Add API Token Scope Docs Closes PLAT-3394 Test Plan: - Run the `doc:api` rake task - Navigate to /doc/api/index.html and verify there are two new links in the OAuth2 section ("Developer Keys" and "API Token Scopes") - Verify both links work - Verify the token scopes documentation has a table for each scope group and includes all Canvas scopes - Verify "Resources" documentation pages now display the scope along with each API endpoint Change-Id: I2fea0ff531744dbaf63d24619b3c0e9655a25a7a Reviewed-on: https://gerrit.instructure.com/151010 QA-Review: August Thornton <august@instructure.com> Reviewed-by: Nathan Mills <nathanm@instructure.com> Tested-by: Jenkins Product-Review: Jesse Poulos <jpoulos@instructure.com>
2018-05-22 00:03:24 +08:00
def self.named_scopes
use class methods instead of consts for api scopes fixes PLAT-3454 test plan: * you can either test in production RAILS_ENV or turn on eager_loading and disable class_cache in development * The scopes list in the developer keys page should show all expected scopes Change-Id: I4018cdd8d4f08d32f549cfab5f4a135c2144c403 Reviewed-on: https://gerrit.instructure.com/152398 Tested-by: Jenkins Reviewed-by: Weston Dransfield <wdransfield@instructure.com> QA-Review: Weston Dransfield <wdransfield@instructure.com> Product-Review: Karl Lloyd <karl@instructure.com>
2018-06-05 01:29:40 +08:00
return @_named_scopes if @_named_scopes
named_scopes = detailed_scopes.each_with_object([]) do |frozen_scope, arr|
Add API Token Scope Docs Closes PLAT-3394 Test Plan: - Run the `doc:api` rake task - Navigate to /doc/api/index.html and verify there are two new links in the OAuth2 section ("Developer Keys" and "API Token Scopes") - Verify both links work - Verify the token scopes documentation has a table for each scope group and includes all Canvas scopes - Verify "Resources" documentation pages now display the scope along with each API endpoint Change-Id: I2fea0ff531744dbaf63d24619b3c0e9655a25a7a Reviewed-on: https://gerrit.instructure.com/151010 QA-Review: August Thornton <august@instructure.com> Reviewed-by: Nathan Mills <nathanm@instructure.com> Tested-by: Jenkins Product-Review: Jesse Poulos <jpoulos@instructure.com>
2018-05-22 00:03:24 +08:00
scope = frozen_scope.dup
api_scope_mapper_class = ApiScopeMapperLoader.load
scope[:resource] ||= api_scope_mapper_class.lookup_resource(scope[:controller], scope[:action])
scope[:resource_name] = api_scope_mapper_class.name_for_resource(scope[:resource])
arr << scope if scope[:resource_name]
scope
end
use class methods instead of consts for api scopes fixes PLAT-3454 test plan: * you can either test in production RAILS_ENV or turn on eager_loading and disable class_cache in development * The scopes list in the developer keys page should show all expected scopes Change-Id: I4018cdd8d4f08d32f549cfab5f4a135c2144c403 Reviewed-on: https://gerrit.instructure.com/152398 Tested-by: Jenkins Reviewed-by: Weston Dransfield <wdransfield@instructure.com> QA-Review: Weston Dransfield <wdransfield@instructure.com> Product-Review: Karl Lloyd <karl@instructure.com>
2018-06-05 01:29:40 +08:00
@_named_scopes = Canvas::ICU.collate_by(named_scopes) {|s| s[:resource_name]}.freeze
Add API Token Scope Docs Closes PLAT-3394 Test Plan: - Run the `doc:api` rake task - Navigate to /doc/api/index.html and verify there are two new links in the OAuth2 section ("Developer Keys" and "API Token Scopes") - Verify both links work - Verify the token scopes documentation has a table for each scope group and includes all Canvas scopes - Verify "Resources" documentation pages now display the scope along with each API endpoint Change-Id: I2fea0ff531744dbaf63d24619b3c0e9655a25a7a Reviewed-on: https://gerrit.instructure.com/151010 QA-Review: August Thornton <august@instructure.com> Reviewed-by: Nathan Mills <nathanm@instructure.com> Tested-by: Jenkins Product-Review: Jesse Poulos <jpoulos@instructure.com>
2018-05-22 00:03:24 +08:00
end
use class methods instead of consts for api scopes fixes PLAT-3454 test plan: * you can either test in production RAILS_ENV or turn on eager_loading and disable class_cache in development * The scopes list in the developer keys page should show all expected scopes Change-Id: I4018cdd8d4f08d32f549cfab5f4a135c2144c403 Reviewed-on: https://gerrit.instructure.com/152398 Tested-by: Jenkins Reviewed-by: Weston Dransfield <wdransfield@instructure.com> QA-Review: Weston Dransfield <wdransfield@instructure.com> Product-Review: Karl Lloyd <karl@instructure.com>
2018-06-05 01:29:40 +08:00
def self.all_scopes
feat(LTI): Adds LTI API endpoint for listing external tools Fixes: CAL-30 flag = none Test Plan: - Check developer keys LTI page and make sure HIDDEN items do not show up (http://canvas.docker/accounts/1/developer_keys#lti_key_modal_opened) under "LTI Advantage Services" - Specs pass Change-Id: I8408be58124ef7e57804b5a66fef791608701f7b Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/235629 Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com> QA-Review: Aaron Ogata <aogata@instructure.com> Product-Review: Alex Slaughter <aslaughter@instructure.com> Reviewed-by: Weston Dransfield <wdransfield@instructure.com>
2020-04-29 19:00:03 +08:00
@_all_scopes ||= [USER_INFO_SCOPE[:scope], *api_routes.map {|route| route[:scope]}, *LTI_SCOPES.keys, *LTI_HIDDEN_SCOPES.keys].freeze
use class methods instead of consts for api scopes fixes PLAT-3454 test plan: * you can either test in production RAILS_ENV or turn on eager_loading and disable class_cache in development * The scopes list in the developer keys page should show all expected scopes Change-Id: I4018cdd8d4f08d32f549cfab5f4a135c2144c403 Reviewed-on: https://gerrit.instructure.com/152398 Tested-by: Jenkins Reviewed-by: Weston Dransfield <wdransfield@instructure.com> QA-Review: Weston Dransfield <wdransfield@instructure.com> Product-Review: Karl Lloyd <karl@instructure.com>
2018-06-05 01:29:40 +08:00
end
def self.detailed_scopes
@_detailed_scopes ||= [USER_INFO_SCOPE, *api_routes].freeze
end
private_class_method :detailed_scopes
refactor scopes api endpoint to allow grouping refs PLAT-3024 test plan: * request the scopes from api/v1/accounts/:account_id/scopes - you should get back a json object that matches the documentation * request the scopes from api/v1/accounts/:account_id/scopes passing the query param "group_by=resources" - you should get back a json object with the scopes grouped by resource Change-Id: I4562121a44e3baccc7de8e56e19629377f1931df Reviewed-on: https://gerrit.instructure.com/148623 Reviewed-by: Marc Alan Phillips <mphillips@instructure.com> Tested-by: Jenkins Reviewed-by: Andrew Butterfield <abutterfield@instructure.com> QA-Review: August Thornton <august@instructure.com> Product-Review: Nathan Mills <nathanm@instructure.com>
2018-05-01 03:02:37 +08:00
def self.api_routes
use class methods instead of consts for api scopes fixes PLAT-3454 test plan: * you can either test in production RAILS_ENV or turn on eager_loading and disable class_cache in development * The scopes list in the developer keys page should show all expected scopes Change-Id: I4018cdd8d4f08d32f549cfab5f4a135c2144c403 Reviewed-on: https://gerrit.instructure.com/152398 Tested-by: Jenkins Reviewed-by: Weston Dransfield <wdransfield@instructure.com> QA-Review: Weston Dransfield <wdransfield@instructure.com> Product-Review: Karl Lloyd <karl@instructure.com>
2018-06-05 01:29:40 +08:00
return @_api_routes if @_api_routes
routes = Rails.application.routes.routes.select {|route| /^\/api\/(v1|sis)/ =~ route.path.spec.to_s}.map do |route|
refactor scopes api endpoint to allow grouping refs PLAT-3024 test plan: * request the scopes from api/v1/accounts/:account_id/scopes - you should get back a json object that matches the documentation * request the scopes from api/v1/accounts/:account_id/scopes passing the query param "group_by=resources" - you should get back a json object with the scopes grouped by resource Change-Id: I4562121a44e3baccc7de8e56e19629377f1931df Reviewed-on: https://gerrit.instructure.com/148623 Reviewed-by: Marc Alan Phillips <mphillips@instructure.com> Tested-by: Jenkins Reviewed-by: Andrew Butterfield <abutterfield@instructure.com> QA-Review: August Thornton <august@instructure.com> Product-Review: Nathan Mills <nathanm@instructure.com>
2018-05-01 03:02:37 +08:00
{
add lookup class for scope resource names fixes PLAT-3311 test plan: * run the rake task "doc:api" * request the scopes from api/v1/accounts/:account_id/scopes - you should get back a json object that includes the localized name * request the scopes from api/v1/accounts/:account_id/scopes passing the query param "group_by=resources_name" - you should get back a json object with the scopes grouped by localized resource_name Change-Id: I2cab1822baef7cdda6471096153d60d4f7fe1e2b Reviewed-on: https://gerrit.instructure.com/150233 Tested-by: Jenkins Reviewed-by: Marc Alan Phillips <mphillips@instructure.com> QA-Review: August Thornton <august@instructure.com> Product-Review: Jesse Poulos <jpoulos@instructure.com>
2018-05-15 05:32:44 +08:00
controller: route.defaults[:controller]&.to_sym,
action: route.defaults[:action]&.to_sym,
refactor scopes api endpoint to allow grouping refs PLAT-3024 test plan: * request the scopes from api/v1/accounts/:account_id/scopes - you should get back a json object that matches the documentation * request the scopes from api/v1/accounts/:account_id/scopes passing the query param "group_by=resources" - you should get back a json object with the scopes grouped by resource Change-Id: I4562121a44e3baccc7de8e56e19629377f1931df Reviewed-on: https://gerrit.instructure.com/148623 Reviewed-by: Marc Alan Phillips <mphillips@instructure.com> Tested-by: Jenkins Reviewed-by: Andrew Butterfield <abutterfield@instructure.com> QA-Review: August Thornton <august@instructure.com> Product-Review: Nathan Mills <nathanm@instructure.com>
2018-05-01 03:02:37 +08:00
verb: route.verb,
Add API Token Scope Docs Closes PLAT-3394 Test Plan: - Run the `doc:api` rake task - Navigate to /doc/api/index.html and verify there are two new links in the OAuth2 section ("Developer Keys" and "API Token Scopes") - Verify both links work - Verify the token scopes documentation has a table for each scope group and includes all Canvas scopes - Verify "Resources" documentation pages now display the scope along with each API endpoint Change-Id: I2fea0ff531744dbaf63d24619b3c0e9655a25a7a Reviewed-on: https://gerrit.instructure.com/151010 QA-Review: August Thornton <august@instructure.com> Reviewed-by: Nathan Mills <nathanm@instructure.com> Tested-by: Jenkins Product-Review: Jesse Poulos <jpoulos@instructure.com>
2018-05-22 00:03:24 +08:00
path: route.path.spec.to_s.gsub(/\(\.:format\)$/, ''),
scope: TokenScopesHelper.scope_from_route(route).freeze,
refactor scopes api endpoint to allow grouping refs PLAT-3024 test plan: * request the scopes from api/v1/accounts/:account_id/scopes - you should get back a json object that matches the documentation * request the scopes from api/v1/accounts/:account_id/scopes passing the query param "group_by=resources" - you should get back a json object with the scopes grouped by resource Change-Id: I4562121a44e3baccc7de8e56e19629377f1931df Reviewed-on: https://gerrit.instructure.com/148623 Reviewed-by: Marc Alan Phillips <mphillips@instructure.com> Tested-by: Jenkins Reviewed-by: Andrew Butterfield <abutterfield@instructure.com> QA-Review: August Thornton <august@instructure.com> Product-Review: Nathan Mills <nathanm@instructure.com>
2018-05-01 03:02:37 +08:00
}
end
use class methods instead of consts for api scopes fixes PLAT-3454 test plan: * you can either test in production RAILS_ENV or turn on eager_loading and disable class_cache in development * The scopes list in the developer keys page should show all expected scopes Change-Id: I4018cdd8d4f08d32f549cfab5f4a135c2144c403 Reviewed-on: https://gerrit.instructure.com/152398 Tested-by: Jenkins Reviewed-by: Weston Dransfield <wdransfield@instructure.com> QA-Review: Weston Dransfield <wdransfield@instructure.com> Product-Review: Karl Lloyd <karl@instructure.com>
2018-06-05 01:29:40 +08:00
@_api_routes = routes.uniq {|route| route[:scope]}.freeze
Add route scope enforcement to application controller fixes PLAT-3176 fixes PLAT-3179 fixes PLAT-3181 fixes PLAT-3177 Test plan: * Create a DeveloperKey * Create an AccessToken * Ensure that everything can be accessed as normal * Set require_scopes to true on the DeveloperKey * Ensure that nothing can be accessed * Add some scopes to the AccessToken from the list of available scopes TokenScopes::SCOPES * Ensure that the endpoints associated with those requests work but that others don't * Ensure that HEAD requests work for GET endpoints * Ensure all api endpoints behave normally when scopes are not turned on for developer key Change-Id: I0e7c1758ae2d51743490f243cfa21714255c8109 Reviewed-on: https://gerrit.instructure.com/143026 Tested-by: Jenkins Reviewed-by: Simon Williams <simon@instructure.com> Reviewed-by: Nathan Mills <nathanm@instructure.com> QA-Review: August Thornton <august@instructure.com> Reviewed-by: Rob Orton <rob@instructure.com> Product-Review: Karl Lloyd <karl@instructure.com>
2018-03-09 04:46:40 +08:00
end
refactor scopes api endpoint to allow grouping refs PLAT-3024 test plan: * request the scopes from api/v1/accounts/:account_id/scopes - you should get back a json object that matches the documentation * request the scopes from api/v1/accounts/:account_id/scopes passing the query param "group_by=resources" - you should get back a json object with the scopes grouped by resource Change-Id: I4562121a44e3baccc7de8e56e19629377f1931df Reviewed-on: https://gerrit.instructure.com/148623 Reviewed-by: Marc Alan Phillips <mphillips@instructure.com> Tested-by: Jenkins Reviewed-by: Andrew Butterfield <abutterfield@instructure.com> QA-Review: August Thornton <august@instructure.com> Product-Review: Nathan Mills <nathanm@instructure.com>
2018-05-01 03:02:37 +08:00
private_class_method :api_routes
Add route scope enforcement to application controller fixes PLAT-3176 fixes PLAT-3179 fixes PLAT-3181 fixes PLAT-3177 Test plan: * Create a DeveloperKey * Create an AccessToken * Ensure that everything can be accessed as normal * Set require_scopes to true on the DeveloperKey * Ensure that nothing can be accessed * Add some scopes to the AccessToken from the list of available scopes TokenScopes::SCOPES * Ensure that the endpoints associated with those requests work but that others don't * Ensure that HEAD requests work for GET endpoints * Ensure all api endpoints behave normally when scopes are not turned on for developer key Change-Id: I0e7c1758ae2d51743490f243cfa21714255c8109 Reviewed-on: https://gerrit.instructure.com/143026 Tested-by: Jenkins Reviewed-by: Simon Williams <simon@instructure.com> Reviewed-by: Nathan Mills <nathanm@instructure.com> QA-Review: August Thornton <august@instructure.com> Reviewed-by: Rob Orton <rob@instructure.com> Product-Review: Karl Lloyd <karl@instructure.com>
2018-03-09 04:46:40 +08:00
end