use separate secret for lti postMessage forwarding

why:
* the standard services secret is different in each region,
meaning that using it for postMessage forwarding
for LTI Platform Storage would not work when the
school was in a different region than sso.canvaslms.com

closes INTEROP-8191
flag=lti_platform_storage

test plan:
* cp config/vault_contents.yml.example config/vault_contents.yml
* dc restart to pick up config file changes
* in a rails console, confirm `Lti::PlatformStorage.signing_secret`
has a value

Change-Id: I7b361dc615316883f86f00de721fa19b7a12e774
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/324663
Reviewed-by: Ryan Hawkins <ryan.hawkins@instructure.com>
Reviewed-by: Jacob Burroughs <jburroughs@instructure.com>
QA-Review: Tucker Mcknight <tmcknight@instructure.com>
Product-Review: Xander Moffatt <xmoffatt@instructure.com>
Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com>
Xander Moffatt 2023-08-08 09:25:38 -06:00
parent d3c7b884ac
commit 395066aae0
4 changed files with 22 additions and 1 deletions


@ -115,7 +115,7 @@ module Lti
end end
def signing_secret def signing_secret
CanvasSecurity.services_signing_secret Lti::PlatformStorage.signing_secret
end end
end end
end end


@ -19,6 +19,8 @@ development:
canvas_security: canvas_security:
encryption_secret: "astringthatisactually32byteslong" encryption_secret: "astringthatisactually32byteslong"
signing_secret: "astringthatisactually32byteslong" signing_secret: "astringthatisactually32byteslong"
lti_platform_storage:
signing_secret: "astringthatisactually32byteslong"
# canvas_cdn_creds: # canvas_cdn_creds:
# aws_access_key_id: <access_key_id> # aws_access_key_id: <access_key_id>
# aws_secret_access_key: <secret_access_key> # aws_secret_access_key: <secret_access_key>
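Review bot: The new `lti_platform_storage.signing_secret` entry carries no comment saying how it differs from `canvas_security.signing_secret`, and the example gives both keys the same placeholder value. Going by the commit description, this secret has to be identical in every region while the services secret differs per region, so a comment above the key such as `# must be the same in every region; keep distinct from canvas_security.signing_secret outside development` would keep the two from being conflated when real values are provisioned.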


@ -38,5 +38,9 @@ module Lti
def self.flag_enabled? def self.flag_enabled?
Account.site_admin.feature_enabled?(:lti_platform_storage) Account.site_admin.feature_enabled?(:lti_platform_storage)
end end
def self.signing_secret
Rails.application&.credentials&.dig(:lti_platform_storage, :signing_secret)
end
end end
end end
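Review bot: `self.signing_secret` returns nil without any signal when `Rails.application` is nil or the `lti_platform_storage` credential is absent, and the `signing_secret` method changed in the first file section of this commit hands that value on as the signing key. What the signing code does with a nil key is not visible on this page, so it is safer to fail closed at the source, for example `Rails.application&.credentials&.dig(:lti_platform_storage, :signing_secret).presence || raise("lti_platform_storage signing_secret is not configured")`. A one-line doc comment would also help the next reader: `# Secret for LTI Platform Storage postMessage forwarding; must be identical in every region.` The enclosing module starts outside the hunk.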


@ -62,4 +62,19 @@ describe Lti::PlatformStorage do
end end
end end
end end
describe "::signing_secret" do
subject { Lti::PlatformStorage.signing_secret }
let(:signing_secret) { "sekret" }
before do
allow(Rails).to receive(:application).and_return(instance_double("Rails::Application", credentials: {})) unless Rails.application.present?
allow(Rails.application.credentials).to receive(:dig).with(:lti_platform_storage, :signing_secret).and_return(signing_secret)
end
it "should return value from vault" do
expect(subject).to eq signing_secret
end
end
end end
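Review bot: The new examples cover only the case where the credential is present; nothing pins what `Lti::PlatformStorage.signing_secret` does on a host with no vault entry. A second context with `let(:signing_secret) { nil }` and `it "returns nil when the secret is not configured"` (or an expectation that it raises, if the method is changed to fail closed) would make that behaviour explicit. The `unless Rails.application.present?` guard on the first stub also makes the setup depend on the environment the spec runs in, which deserves a short comment explaining why it is needed. The enclosing `describe Lti::PlatformStorage` block starts outside the hunk.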