[skip-stages=Flakey]
Change-Id: I6abefdfa9fed6dd4525c8786e93efa548b3710f2
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/319603
Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com>
Reviewed-by: Isaac Moore <isaac.moore@instructure.com>
QA-Review: Jacob Burroughs <jburroughs@instructure.com>
Product-Review: Jacob Burroughs <jburroughs@instructure.com>
Build-Review: Jacob Burroughs <jburroughs@instructure.com>
Migration-Review: Jacob Burroughs <jburroughs@instructure.com>
flag=none
When setting up or testing LTI 2 tools, we
sometimes run into issues where we don't need/want to
set up the Live Events ecosystem, but if you don't,
you can't install the LTI 2 tool. This allows you
to bypass that system.
Test plan
- In the dynamic settings for live events
turn on the disabled flag
- Try to install an LTI 2 plagiarism tool
without the live events ecosystem set up
and ensure it works
- Turn off the disabled flag, but don't
have live events running
- It should give you a (more) useful error
instead of just "we couldn't install it"
Change-Id: I0aec12b01fd385e764f2a2412c647e14d277fa16
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/289874
Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com>
QA-Review: Xander Moffatt <xmoffatt@instructure.com>
Product-Review: Mysti Lilla <mysti@instructure.com>
Reviewed-by: Xander Moffatt <xmoffatt@instructure.com>
refs FOO-2410
test plan:
- in dynamic_settings.yml, add the following block:
```
store:
  canvas:
    services-jwt:
      # these are all the same JWK but with different kid
      # to generate a new key, run the following in a Canvas console:
      #
      # key = OpenSSL::PKey::RSA.generate(2048)
      # key.public_key.to_jwk(kid: Time.now.utc.iso8601).to_json
      jwk-past.json: "{\"kty\":\"RSA\",\"e\":\"AQAB\",\"n\":\"uX1MpfEMQCBUMcj0sBYI-iFaG5Nodp3C6OlN8uY60fa5zSBd83-iIL3n_qzZ8VCluuTLfB7rrV_tiX727XIEqQ\",\"kid\":\"2018-05-18T22:33:20Z_a\",\"d\":\"pYwR64x-LYFtA13iHIIeEvfPTws50ZutyGfpHN-kIZz3k-xVpun2Hgu0hVKZMxcZJ9DkG8UZPqD-zTDbCmCyLQ\",\"p\":\"6OQ2bi_oY5fE9KfQOcxkmNhxDnIKObKb6TVYqOOz2JM\",\"q\":\"y-UBef95njOrqMAxJH1QPds3ltYWr8QgGgccmcATH1M\",\"dp\":\"Ol_xkL7rZgNFt_lURRiJYpJmDDPjgkDVuafIeFTS4Ic\",\"dq\":\"RtzDY5wXr5TzrwWEztLCpYzfyAuF_PZj1cfs976apsM\",\"qi\":\"XA5wnwIrwe5MwXpaBijZsGhKJoypZProt47aVCtWtPE\"}"
      jwk-present.json: "{\"kty\":\"RSA\",\"e\":\"AQAB\",\"n\":\"uX1MpfEMQCBUMcj0sBYI-iFaG5Nodp3C6OlN8uY60fa5zSBd83-iIL3n_qzZ8VCluuTLfB7rrV_tiX727XIEqQ\",\"kid\":\"2018-06-18T22:33:20Z_b\",\"d\":\"pYwR64x-LYFtA13iHIIeEvfPTws50ZutyGfpHN-kIZz3k-xVpun2Hgu0hVKZMxcZJ9DkG8UZPqD-zTDbCmCyLQ\",\"p\":\"6OQ2bi_oY5fE9KfQOcxkmNhxDnIKObKb6TVYqOOz2JM\",\"q\":\"y-UBef95njOrqMAxJH1QPds3ltYWr8QgGgccmcATH1M\",\"dp\":\"Ol_xkL7rZgNFt_lURRiJYpJmDDPjgkDVuafIeFTS4Ic\",\"dq\":\"RtzDY5wXr5TzrwWEztLCpYzfyAuF_PZj1cfs976apsM\",\"qi\":\"XA5wnwIrwe5MwXpaBijZsGhKJoypZProt47aVCtWtPE\"}"
      jwk-future.json: "{\"kty\":\"RSA\",\"e\":\"AQAB\",\"n\":\"uX1MpfEMQCBUMcj0sBYI-iFaG5Nodp3C6OlN8uY60fa5zSBd83-iIL3n_qzZ8VCluuTLfB7rrV_tiX727XIEqQ\",\"kid\":\"2018-07-18T22:33:20Z_c\",\"d\":\"pYwR64x-LYFtA13iHIIeEvfPTws50ZutyGfpHN-kIZz3k-xVpun2Hgu0hVKZMxcZJ9DkG8UZPqD-zTDbCmCyLQ\",\"p\":\"6OQ2bi_oY5fE9KfQOcxkmNhxDnIKObKb6TVYqOOz2JM\",\"q\":\"y-UBef95njOrqMAxJH1QPds3ltYWr8QgGgccmcATH1M\",\"dp\":\"Ol_xkL7rZgNFt_lURRiJYpJmDDPjgkDVuafIeFTS4Ic\",\"dq\":\"RtzDY5wXr5TzrwWEztLCpYzfyAuF_PZj1cfs976apsM\",\"qi\":\"XA5wnwIrwe5MwXpaBijZsGhKJoypZProt47aVCtWtPE\"}"
```
- Ensure /internal/services/jwks loads correctly
- In console, ensure `CanvasSecurity::ServicesJwt.decrypt(Base64.decode64(CanvasSecurity::ServicesJwt.for_user('localhost', User.first)))`
and `CanvasSecurity::ServicesJwt.decrypt(Base64.decode64(CanvasSecurity::ServicesJwt.for_user('localhost', User.first, symmetric: true)))`
both work and produce sensible looking output
Change-Id: I13c6c35cc92ed12d03bf97e89e590614e11c6d47
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/275160
QA-Review: August Thornton <august@instructure.com>
Product-Review: August Thornton <august@instructure.com>
Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com>
Reviewed-by: Ethan Vizitei <evizitei@instructure.com>
Reviewed-by: Evan Battaglia <ebattaglia@instructure.com>
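The test plan above stores full RSA JWKs (private members included) under `services-jwt` and checks that `/internal/services/jwks` loads. The sketch below is an added example, not code from Canvas or from this commit: it shows a JWKS document built from such stored keys with only the public members, and a verifier that selects the key by `kid`. All helper names and the `past`/`present`/`future` kid values are constructed, and the key is generated on the spot.

```ruby
require "openssl"
require "json"
require "base64"

PUBLIC_MEMBERS = %w[kty kid n e].freeze

def b64u(bytes)
  Base64.urlsafe_encode64(bytes, padding: false)
end

# Constructed stand-in for one jwk-*.json value: a full (private) RSA JWK.
def private_jwk(key, kid)
  fields = { "n" => key.n, "e" => key.e, "d" => key.d, "p" => key.p, "q" => key.q,
             "dp" => key.dmp1, "dq" => key.dmq1, "qi" => key.iqmp }
  fields.transform_values { |bn| b64u(bn.to_s(2)) }.merge("kty" => "RSA", "kid" => kid)
end

# What a JWKS document may contain: public members only (no d, p, q, dp, dq, qi).
def public_jwks(stored_jwks)
  { "keys" => stored_jwks.map { |jwk| jwk.slice(*PUBLIC_MEMBERS) } }
end

def sign_rs256(claims, key, kid)
  header = { "alg" => "RS256", "kid" => kid }
  input = [header, claims].map { |part| b64u(JSON.generate(part)) }.join(".")
  "#{input}.#{b64u(key.sign(OpenSSL::Digest.new('SHA256'), input))}"
end

# Rebuild an RSA public key from n and e via its PKCS#1 DER encoding.
def rsa_public_key(jwk)
  n, e = %w[n e].map { |m| OpenSSL::BN.new(Base64.urlsafe_decode64(jwk.fetch(m)), 2) }
  OpenSSL::PKey::RSA.new(
    OpenSSL::ASN1::Sequence([OpenSSL::ASN1::Integer(n), OpenSSL::ASN1::Integer(e)]).to_der
  )
end

# Returns the claims; raises on an unknown kid, a wrong alg or a bad signature.
def verify_with_jwks(token, jwks)
  parts = token.split(".", -1)
  raise ArgumentError, "malformed token" unless parts.size == 3

  head_b64, body_b64, sig_b64 = parts
  header = JSON.parse(Base64.urlsafe_decode64(head_b64))
  raise ArgumentError, "unexpected alg" unless header["alg"] == "RS256"

  jwk = jwks.fetch("keys").find { |k| k["kid"] == header["kid"] }
  raise KeyError, "unknown kid #{header['kid'].inspect}" unless jwk

  signed = "#{head_b64}.#{body_b64}"
  digest = OpenSSL::Digest.new("SHA256")
  unless rsa_public_key(jwk).verify(digest, Base64.urlsafe_decode64(sig_b64), signed)
    raise ArgumentError, "bad signature"
  end
  JSON.parse(Base64.urlsafe_decode64(body_b64))
end

if $PROGRAM_NAME == __FILE__
  key = OpenSSL::PKey::RSA.generate(2048) # throwaway demo key
  jwks = public_jwks(%w[past present future].map { |kid| private_jwk(key, kid) })
  puts verify_with_jwks(sign_rs256({ "sub" => "1" }, key, "present"), jwks)
end
```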
so that we're not re-implementing it at multiple callsites
also remove unused error classes
Change-Id: I938d705729f2208532b4522eddbc8edfa4f2031f
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/269561
Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com>
Reviewed-by: Jacob Burroughs <jburroughs@instructure.com>
QA-Review: Cody Cutrer <cody@instructure.com>
Product-Review: Cody Cutrer <cody@instructure.com>
refs FOO-1125
flag=non
TEST PLAN:
1) stats for things like ImperiumTimeouts should still
end up in datadog
2) sentry errors for the target error types should disappear
Change-Id: I6e97c04e3f6fcc3545b10418511934c89f20a419
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/251536
Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com>
Reviewed-by: Simon Williams <simon@instructure.com>
QA-Review: Simon Williams <simon@instructure.com>
Product-Review: Simon Williams <simon@instructure.com>
Will request all active and only deleted subs that
were done within past 90 days.
closes PLAT-4945
Test Plan:
- test this with commit https://gerrit.instructure.com/211181
- Ensure you have at least one sub that is deleted over 90
days ago (edit ddb if needed)
- See that the index does not show that sub
Change-Id: I9d87415c67d80f1a5de5c919aca67ee1db6a002c
Reviewed-on: https://gerrit.instructure.com/211183
Reviewed-by: Xander Moffatt <xmoffatt@instructure.com>
Tested-by: Jenkins
QA-Review: Xander Moffatt <xmoffatt@instructure.com>
Product-Review: Marc Phillips <mphillips@instructure.com>
closes PLAT-4770
Test Plan:
- have related changes deployed in subscription service and
live-events-lti
- endpoint to get event_types now allows query param
(message_type='live-event' or 'caliper') and will return
the appropriate event types
Change-Id: I24b2c9e00cc86bd250a7f92bef021f41992b4b8f
Reviewed-on: https://gerrit.instructure.com/208340
Tested-by: Jenkins
Reviewed-by: Xander Moffatt <xmoffatt@instructure.com>
QA-Review: Xander Moffatt <xmoffatt@instructure.com>
Product-Review: Clint Furse <cfurse@instructure.com>
Closes PLAT-4766
Test Plan:
- Configure Canvas to use the live events
subscription service
- Verify making a request to the new endpoint
returns a categorized list of events
- Verify the new endpoint uses LTI advantage
authorization/authentication
Change-Id: Id6f4ec2978e3a4542042bd821e408acfa566005c
Reviewed-on: https://gerrit.instructure.com/207713
Tested-by: Jenkins
Reviewed-by: Clint Furse <cfurse@instructure.com>
QA-Review: Clint Furse <cfurse@instructure.com>
Product-Review: Weston Dransfield <wdransfield@instructure.com>
refs PLAT-4848
Test Plan:
- deploy in conjunction with related changes in LiveEventsLTI
- verify that subscriptions can be retrieved
Change-Id: Ieb08b14b509678881393c00ad33cd03b1b0c4a62
Reviewed-on: https://gerrit.instructure.com/207377
Tested-by: Jenkins
Reviewed-by: Xander Moffatt <xmoffatt@instructure.com>
QA-Review: Xander Moffatt <xmoffatt@instructure.com>
Product-Review: Clint Furse <cfurse@instructure.com>
closes PLAT-4744
Test Plan:
- see that the index action returns a list
Change-Id: I92cc07c5476c7dd48202f38b62e09df6aa591b62
Reviewed-on: https://gerrit.instructure.com/206435
Reviewed-by: Weston Dransfield <wdransfield@instructure.com>
Tested-by: Jenkins
QA-Review: Marc Phillips <mphillips@instructure.com>
Product-Review: Marc Phillips <mphillips@instructure.com>
closes PLAT-4757
Test Plan:
- create a subscription using the lti service, note that it works
Change-Id: Ia7cb10e4f2c1fd1e6d4a13be2f3d25b2f05e9bc7
Reviewed-on: https://gerrit.instructure.com/206291
Tested-by: Jenkins
Reviewed-by: Weston Dransfield <wdransfield@instructure.com>
QA-Review: Marc Phillips <mphillips@instructure.com>
Product-Review: Marc Phillips <mphillips@instructure.com>
closes CNVS-35834
* allow specifying tree, service, and cluster for consul stuff
* check multiple consul keys for each setting (cluster, env, region, global)
test plan:
* an existing consul environment still works
Change-Id: I48e8fadeac2e140973bfc4b41c1cfb386532d15c
Reviewed-on: https://gerrit.instructure.com/125271
Tested-by: Jenkins
Reviewed-by: Rob Orton <rob@instructure.com>
Reviewed-by: Simon Williams <simon@instructure.com>
QA-Review: Tucker McKnight <tmcknight@instructure.com>
Product-Review: Cody Cutrer <cody@instructure.com>
refs PLAT-2647
test plan:
• using an lti2 JWT
• create several hundred subscriptions
• do a GET request to /api/lti/subscriptions
• expect to see a list of subscriptions up to the default limit of
100 per result set
• look for an 'EndKey' header and put that value in your next request
as a header field called `StartKey`
• repeat this process until you have fetched all pages
Change-Id: I74c4029a245716a1f4bc6648348f52426d447e9b
Reviewed-on: https://gerrit.instructure.com/116795
Tested-by: Jenkins
Reviewed-by: Andrew Butterfield <abutterfield@instructure.com>
Product-Review: August Thornton <august@instructure.com>
QA-Review: August Thornton <august@instructure.com>
closes PLAT-2647
test plan:
• using an lti2 JWT
• create several hundred subscriptions
• do a GET request to /api/lti/subscriptions
• expect to see a list of subscriptions up to the default limit of
100 per result set
• look for an 'EndKey' header and put that value in your next request
as a header field called `StartKey`
• repeat this process until you have fetched all pages
Change-Id: I13835c736d7602044d142a83e65b51d64294d70f
Reviewed-on: https://gerrit.instructure.com/115540
Tested-by: Jenkins
Reviewed-by: Andrew Butterfield <abutterfield@instructure.com>
QA-Review: <sganesan@instructure.com>
Product-Review: August Thornton <august@instructure.com>
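The pagination walk described in the two PLAT-2647 test plans above, as an added example that is not part of either commit: a client loop that passes each `EndKey` response header back as the `StartKey` request header until no `EndKey` is returned. The endpoint is a constructed in-memory stand-in with a made-up cursor format; the page cap and the repeated-cursor check are assumptions added so a misbehaving server cannot keep the client looping.

```ruby
DEFAULT_LIMIT = 100 # default page size stated in the test plan

# Constructed stand-in for GET /api/lti/subscriptions. Takes request headers,
# returns [response_headers, body]. The numeric cursor is made up; a client
# must treat the real EndKey value as opaque.
def fake_endpoint(all_subscriptions)
  lambda do |headers|
    start = headers.fetch("StartKey", "0").to_i
    page = all_subscriptions[start, DEFAULT_LIMIT] || []
    next_start = start + page.size
    more = next_start < all_subscriptions.size
    [more ? { "EndKey" => next_start.to_s } : {}, page]
  end
end

# Fetch every page, echoing EndKey back as StartKey without interpreting it.
def fetch_all_subscriptions(endpoint, max_pages: 1_000)
  results = []
  headers = {}
  seen_keys = []
  max_pages.times do
    response_headers, page = endpoint.call(headers)
    results.concat(page)
    end_key = response_headers["EndKey"]
    return results if end_key.nil? || end_key.empty? # last page reached

    # A cursor that repeats would otherwise loop forever.
    raise "cursor did not advance: #{end_key}" if seen_keys.include?(end_key)

    seen_keys << end_key
    headers = { "StartKey" => end_key }
  end
  raise "gave up after #{max_pages} pages"
end

if $PROGRAM_NAME == __FILE__
  subscriptions = Array.new(250) { |i| { "Id" => "sub-#{i}" } } # constructed data
  puts fetch_all_subscriptions(fake_endpoint(subscriptions)).size
end
```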
Since some environments share a consul datacenter we need to be able to
differentiate configurations.
Fixes: CNVS-34341
Test Plan:
- Nothing uses this yet but we need to make sure we haven't broken JWT
secrets, the RCE, and Address Book.
Change-Id: I496a8f7d2cafd02c3177a28b348679e552965c0d
Reviewed-on: https://gerrit.instructure.com/99650
Tested-by: Jenkins
Reviewed-by: Simon Williams <simon@instructure.com>
QA-Review: Jeremy Putnam <jeremyp@instructure.com>
Product-Review: Tyler Pickett <tpickett@instructure.com>
fixes PLAT-2460
This will need to be tested in conjunction with a commit in the
live-events-subscription project
Test plan:
* Start the subscription service
* With the canvas api or in a rails console create a bunch of
subscriptions using the same tool proxy
* Using the rails console issue the following command passing in the
tool proxy
res = Services::LiveEventsSubscriptionService.destroy_all_tool_proxy_subscriptions(tp)
* Ensure that canvas makes the right request to the subscription service
and that the subscription service returns a 200
Change-Id: Ied5527d46db50bec14de0455907b209cb1375df2
Reviewed-on: https://gerrit.instructure.com/108834
Tested-by: Jenkins
Reviewed-by: Matthew Wheeler <mwheeler@instructure.com>
QA-Review: August Thornton <august@instructure.com>
Product-Review: Andrew Butterfield <abutterfield@instructure.com>
Fixes: PLAT-2379
Change-Id: I6f64e4cd54c60cddb1eefaa31fd29c098c2f2006
Test-Plan:
- Modify the SubscriptionService jwt middleware to
console.log the raw jwt it decodes
- live-events-subscriptions/app/middleware/JwtService.js
- Ensure that RootAccountUUID is part of the jwt body
Reviewed-on: https://gerrit.instructure.com/107874
Tested-by: Jenkins
Reviewed-by: Andrew Butterfield <abutterfield@instructure.com>
QA-Review: August Thornton <august@instructure.com>
Product-Review: Jayce Higgins <jhiggins@instructure.com>
Also, make Consul container accessible from the host.
Fixes: CNVS-35831
Refs: CNVS-34341, CNVS-32864
Test Plan:
- Smoke test RCS and Canvas running together to make sure they still
play nice.
Change-Id: I418d54a176677b1df8ec42a009752807908a847c
Reviewed-on: https://gerrit.instructure.com/99443
Tested-by: Jenkins
Reviewed-by: Simon Williams <simon@instructure.com>
QA-Review: Tucker McKnight <tmcknight@instructure.com>
Product-Review: Tyler Pickett <tpickett@instructure.com>
fixes PLAT-2280
Test plan:
* Install an LTI 2.1 tool with a developer key
* Start a rails console and run any of the
Services::LiveEventsSubscriptionService methods and save the result
* Inspect the request that was sent out with
result.request.options
* Grab the JWT from the headers and decrypt it using Canvas Security
* Ensure that the RootAccountId is there and that the DeveloperKey is
there
Change-Id: I688b45efe1dd16db0d48adcaf718de801a681415
Reviewed-on: https://gerrit.instructure.com/103076
Reviewed-by: Nathan Mills <nathanm@instructure.com>
Tested-by: Jenkins
QA-Review: August Thornton <august@instructure.com>
Product-Review: Andrew Butterfield <abutterfield@instructure.com>
Fixes: PLAT-2129 PLAT-2126
Test Plan:
- Verify you can create and retrieve a TCP
with the new subscription service and
capabilities.
- Install an LTI2 tool using the split secret
capability. The tool's security contract
should use the new webhook service.
Example security contract:
"tp_half_shared_secret"=>
"873f5...",
"tool_service"=>
[{"@type"=>"RestServiceProfile",
"service"=>"vnd.Canvas.webhooksSubscription",
"action"=>["GET", "POST"]}]}
- Do a POST request to /api/lti/subscriptions with the
following body:
    {
      "subscription":{
        "EventTypes":[
          "submission_created"
        ],
        "ContextType":"course",
        "ContextId":<valid course id here>,
        "Format":"live-event",
        "TransportType":"sqs",
        "TransportMetadata":{
          "Url":"http://sqs.docker"
        }
      }
    }
- Verify a 401 is returned
- Using https://docs.google.com/document/d/12x6Peif-I-0zvl2uMv2JVbQdZumGGqMtspWKYTqlL9o/edit
attempt to create each subscription type (in bold)
and verify 401s are returned in each case.
- Using the same document, verify that adding one of
the capabilities listed under a subscription type
allows you to create the subscription
- Verify that using the vnd.instructure.webhooks.root_account.all
capability allows you to create any subscription.
- Install an LTI2 tool in a course
- Attempt to create a subscription in another course and
verify a 401 is given.
Change-Id: I322e4bb2c49209afdc6f0a3c3a8b5c73e339996e
Reviewed-on: https://gerrit.instructure.com/102272
Tested-by: Jenkins
QA-Review: August Thornton <august@instructure.com>
Reviewed-by: Andrew Butterfield <abutterfield@instructure.com>
Product-Review: Weston Dransfield <wdransfield@instructure.com>
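The access rules that the PLAT-2129/PLAT-2126 test plan above exercises, written out as an added example (not Canvas code): a subscription is refused unless the tool holds a capability for each requested event type or holds `vnd.instructure.webhooks.root_account.all`, and unless the subscription's context is the one the tool is installed in. The per-type capability names are hypothetical placeholders, since the real list is in the document the test plan links to; applying the context check even to tools holding the `all` capability is also an assumption.

```ruby
ALL_EVENTS = "vnd.instructure.webhooks.root_account.all" # quoted from the test plan

# Hypothetical mapping of [ContextType, event type] to the capability required.
REQUIRED_CAPABILITY = {
  %w[course submission_created] => "vnd.example.webhooks.course.submission_created",
  %w[course grade_changed] => "vnd.example.webhooks.course.grade_changed"
}.freeze

Tool = Struct.new(:capabilities, :context_type, :context_id)
Decision = Struct.new(:allowed, :reason)

def deny(reason)
  Decision.new(false, reason) # the test plan expects a denial to surface as a 401
end

def authorize_subscription(tool, request)
  sub = request.fetch("subscription", {})
  events = Array(sub["EventTypes"])
  return deny("no event types requested") if events.empty?

  # Context check first: a tool installed in one course may not subscribe in another.
  requested_context = [sub["ContextType"], sub["ContextId"].to_s]
  unless requested_context == [tool.context_type, tool.context_id.to_s]
    return deny("context differs from the tool's install context")
  end
  return Decision.new(true, "granted by #{ALL_EVENTS}") if tool.capabilities.include?(ALL_EVENTS)

  events.each do |event|
    needed = REQUIRED_CAPABILITY[[sub["ContextType"], event]]
    return deny("unknown subscription type #{event}") if needed.nil? # fail closed
    return deny("missing capability #{needed}") unless tool.capabilities.include?(needed)
  end
  Decision.new(true, "every requested event type is covered")
end

if $PROGRAM_NAME == __FILE__
  request = { "subscription" => { "EventTypes" => ["submission_created"],
                                  "ContextType" => "course", "ContextId" => 5001 } }
  tool = Tool.new([], "course", "5001") # constructed tool with no capabilities
  puts authorize_subscription(tool, request).reason
end
```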
fixes PLAT-2239
Test plan:
* With the subscription service and canvas configured to use the same
encryption key and signing secret
* Start up the subscription service and a rails console
* In the console run the following commands being sure to use your
developer key and the right subscription Id
    ToolProxy = Struct.new("ToolProxy", :guid, :product_family)
    Family = Struct.new("Family", :developer_key)
    f = Family.new(10000000000003)
    tp = ToolProxy.new('hahahah', f)
    subscription = {
      "Id" => "some uuid",
      "RootAccountId" => "1",
      "EventTypes" => ["submission_created"],
      "ContextType" => "course",
      "ContextId" => "5001",
      "Format" => "live-event",
      "TransportType" => "sqs",
      "TransportMetadata" => {
        "Url" => "http://sqs.docker"
      },
    }
    res = Services::LiveEventsSubscriptionService.update_tool_proxy_subscription(tp, "the subscription id", subscription)
* Ensure that you get a 200 back with a copy of the updated subscription
* Ensure that dynamo has the full subscription persisted with the
changes you made
Change-Id: Ia2fd506f45f414e5a1940a9eef978d1b4c566397
Reviewed-on: https://gerrit.instructure.com/102341
Tested-by: Jenkins
Reviewed-by: Nathan Mills <nathanm@instructure.com>
QA-Review: August Thornton <august@instructure.com>
Product-Review: Andrew Butterfield <abutterfield@instructure.com>
fixes PLAT-2238
Test plan:
* Configure canvas and the subscription service to use the same signing
secret and encryption key
* With the subscription service running, open up a rails console and run
the following commands
ToolProxy = Struct.new("ToolProxy", :guid, :product_family)
Family = Struct.new("Family", :developer_key)
f = Family.new(10000000000002)
tp = ToolProxy.new('hahahah', f)
res = Services::LiveEventsSubscriptionService.destroy_tool_proxy_subscription(tp, "<id for a subscription>")
* Ensure that you get a successful response and that the subscription
was deleted by going to dynamo.les.docker
Change-Id: I88495ce21d22e216dbfb1d854e16254eff366909
Reviewed-on: https://gerrit.instructure.com/101427
Tested-by: Jenkins
Reviewed-by: Nathan Mills <nathanm@instructure.com>
QA-Review: August Thornton <august@instructure.com>
Product-Review: Andrew Butterfield <abutterfield@instructure.com>
fixes PLAT-2185
Test plan:
* Configure canvas and the subscription service to use the same signing
secret and encryption key
* With the subscription service running, open up a rails console and run
the following commands
ToolProxy = Struct.new("ToolProxy", :guid, :product_family)
Family = Struct.new("Family", :developer_key)
f = Family.new(10000000000002)
tp = ToolProxy.new('hahahah', f)
res = Services::LiveEventsSubscriptionService.tool_proxy_subscription(tp, "<id for a subscription>")
* Ensure that you get the subscription back successfully
Change-Id: If65ac06c6174cd16195c3bd218f7521b389ed0aa
Reviewed-on: https://gerrit.instructure.com/101425
Tested-by: Jenkins
QA-Review: August Thornton <august@instructure.com>
Reviewed-by: Nathan Mills <nathanm@instructure.com>
Product-Review: Andrew Butterfield <abutterfield@instructure.com>
fixes PLAT-2184
Test plan:
* With the subscription service and canvas configured to use the same
encryption and signing secret
* Start up the subscription service and a rails console
* In the console run the following commands
    ToolProxy = Struct.new("ToolProxy", :guid, :product_family)
    Family = Struct.new("Family", :developer_key)
    f = Family.new(10000000000003)
    tp = ToolProxy.new('hahahah', f)
    subscription = {
      "RootAccountId" => "1",
      "EventTypes" => ["submission_created"],
      "ContextType" => "quiz",
      "ContextId" => "5001",
      "Format" => "live-event",
      "TransportType" => "sqs",
      "TransportMetadata" => {
        "Url" => "http://sqs.docker"
      },
      "UserId" => "3000",
    }
    res = Services::LiveEventsSubscriptionService.create_tool_proxy_subscription(tp, subscription)
* Ensure that you get a 200 response back with the newly created
subscription in it
* Ensure that dynamo has the new record
Change-Id: Ifa7f68983efbcb79058854fbd3ba802505b8d4b2
Reviewed-on: https://gerrit.instructure.com/101069
Tested-by: Jenkins
Reviewed-by: Matthew Wheeler <mwheeler@instructure.com>
Reviewed-by: Nathan Mills <nathanm@instructure.com>
QA-Review: August Thornton <august@instructure.com>
Product-Review: Andrew Butterfield <abutterfield@instructure.com>
fixes PLAT-2062
Test plan:
* Ensure that Canvas is configured to talk to http://les.docker
* Comment out the code in SubscriptionController.findSubscriptions
* Start up both services
* In a console run the following commands:
ToolProxy = Struct.new("ToolProxy", :guid, :product_family)
Family = Struct.new("Family", :developer_key)
f = Family.new(<a developer key>)
tp = ToolProxy.new('hahahah', f)
* Repeat the following command several times within short succession
res = Services::LiveEventsSubscriptionService.tool_proxy_subscriptions(tp)
* Ensure that the request gets short circuited after a few attempts
Change-Id: I32bf8a962106e2b0de95258a278b7885eb845dd4
Reviewed-on: https://gerrit.instructure.com/100629
Reviewed-by: Matthew Wheeler <mwheeler@instructure.com>
Tested-by: Jenkins
QA-Review: August Thornton <august@instructure.com>
Product-Review: Andrew Butterfield <abutterfield@instructure.com>
fixes PLAT-2080 PLAT-2059 PLAT-2061
Test plan:
* Set up canvas
* To be able to talk to http://les.docker
* To use an encryption key and signing secret that are 32 bytes long
* Set up live events subscription service
* To use the same signing secret you used in canvas and a base64
encoded version of the encryption key you used in canvas
* Run docker-compose run --rm app npm run seed:dynamo and give it the
developer key you want to use for testing
* With the subscription service running open up a rails console in Canvas
and run the following:
ToolProxy = Struct.new("ToolProxy", :guid, :product_family)
Family = Struct.new("Family", :developer_key)
f = Family.new(<a developer key>)
tp = ToolProxy.new('hahahah', f)
res = Services::LiveEventsSubscriptionService.tool_proxy_subscriptions(tp)
* Ensure that you get a response back with the subscriptions for your
developer key
* Go through this process first with dynamic settings enabled and then
with consul enabled
Change-Id: I454d5a82d98ce1edb2bd9afd23cb974dc062e04f
Reviewed-on: https://gerrit.instructure.com/100072
Reviewed-by: Tyler Pickett <tpickett@instructure.com>
Reviewed-by: Matthew Wheeler <mwheeler@instructure.com>
Tested-by: Jenkins
QA-Review: August Thornton <august@instructure.com>
Product-Review: Andrew Butterfield <abutterfield@instructure.com>