refs FOO-2410
test plan:
- in dynamic_settings.yml, add the following block:
```
store:
canvas:
services-jwt:
# these are all the same JWK but with different kid
# to generate a new key, run the following in a Canvas console:
#
# key = OpenSSL::PKey::RSA.generate(2048)
# key.public_key.to_jwk(kid: Time.now.utc.iso8601).to_json
jwk-past.json: "{\"kty\":\"RSA\",\"e\":\"AQAB\",\"n\":\"uX1MpfEMQCBUMcj0sBYI-iFaG5Nodp3C6OlN8uY60fa5zSBd83-iIL3n_qzZ8VCluuTLfB7rrV_tiX727XIEqQ\",\"kid\":\"2018-05-18T22:33:20Z_a\",\"d\":\"pYwR64x-LYFtA13iHIIeEvfPTws50ZutyGfpHN-kIZz3k-xVpun2Hgu0hVKZMxcZJ9DkG8UZPqD-zTDbCmCyLQ\",\"p\":\"6OQ2bi_oY5fE9KfQOcxkmNhxDnIKObKb6TVYqOOz2JM\",\"q\":\"y-UBef95njOrqMAxJH1QPds3ltYWr8QgGgccmcATH1M\",\"dp\":\"Ol_xkL7rZgNFt_lURRiJYpJmDDPjgkDVuafIeFTS4Ic\",\"dq\":\"RtzDY5wXr5TzrwWEztLCpYzfyAuF_PZj1cfs976apsM\",\"qi\":\"XA5wnwIrwe5MwXpaBijZsGhKJoypZProt47aVCtWtPE\"}"
jwk-present.json: "{\"kty\":\"RSA\",\"e\":\"AQAB\",\"n\":\"uX1MpfEMQCBUMcj0sBYI-iFaG5Nodp3C6OlN8uY60fa5zSBd83-iIL3n_qzZ8VCluuTLfB7rrV_tiX727XIEqQ\",\"kid\":\"2018-06-18T22:33:20Z_b\",\"d\":\"pYwR64x-LYFtA13iHIIeEvfPTws50ZutyGfpHN-kIZz3k-xVpun2Hgu0hVKZMxcZJ9DkG8UZPqD-zTDbCmCyLQ\",\"p\":\"6OQ2bi_oY5fE9KfQOcxkmNhxDnIKObKb6TVYqOOz2JM\",\"q\":\"y-UBef95njOrqMAxJH1QPds3ltYWr8QgGgccmcATH1M\",\"dp\":\"Ol_xkL7rZgNFt_lURRiJYpJmDDPjgkDVuafIeFTS4Ic\",\"dq\":\"RtzDY5wXr5TzrwWEztLCpYzfyAuF_PZj1cfs976apsM\",\"qi\":\"XA5wnwIrwe5MwXpaBijZsGhKJoypZProt47aVCtWtPE\"}"
jwk-future.json: "{\"kty\":\"RSA\",\"e\":\"AQAB\",\"n\":\"uX1MpfEMQCBUMcj0sBYI-iFaG5Nodp3C6OlN8uY60fa5zSBd83-iIL3n_qzZ8VCluuTLfB7rrV_tiX727XIEqQ\",\"kid\":\"2018-07-18T22:33:20Z_c\",\"d\":\"pYwR64x-LYFtA13iHIIeEvfPTws50ZutyGfpHN-kIZz3k-xVpun2Hgu0hVKZMxcZJ9DkG8UZPqD-zTDbCmCyLQ\",\"p\":\"6OQ2bi_oY5fE9KfQOcxkmNhxDnIKObKb6TVYqOOz2JM\",\"q\":\"y-UBef95njOrqMAxJH1QPds3ltYWr8QgGgccmcATH1M\",\"dp\":\"Ol_xkL7rZgNFt_lURRiJYpJmDDPjgkDVuafIeFTS4Ic\",\"dq\":\"RtzDY5wXr5TzrwWEztLCpYzfyAuF_PZj1cfs976apsM\",\"qi\":\"XA5wnwIrwe5MwXpaBijZsGhKJoypZProt47aVCtWtPE\"}"
```
- Ensure /internal/services/jwks loads correctly
- In console, ensure `CanvasSecurity::ServicesJwt.decrypt(Base64.decode64(CanvasSecurity::ServicesJwt.for_user('localhost', User.first)))`
and `CanvasSecurity::ServicesJwt.decrypt(Base64.decode64(CanvasSecurity::ServicesJwt.for_user('localhost', User.first, symmetric: true)))`
both work and produce sensible looking output
Change-Id: I13c6c35cc92ed12d03bf97e89e590614e11c6d47
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/275160
QA-Review: August Thornton <august@instructure.com>
Product-Review: August Thornton <august@instructure.com>
Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com>
Reviewed-by: Ethan Vizitei <evizitei@instructure.com>
Reviewed-by: Evan Battaglia <ebattaglia@instructure.com>
Just let cloudfront compress the assets for us. It can handle the brotli/gzip
switching natively now.
Change-Id: I3416d428403f0bfbec5a575ff1c095d2342a5e4c
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/247818
Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com>
Reviewed-by: Simon Williams <simon@instructure.com>
QA-Review: Jacob Burroughs <jburroughs@instructure.com>
Product-Review: Jacob Burroughs <jburroughs@instructure.com>
refs VICE-2034
i notice that some specs use
have_receieved instead of increments
from the looks of it, these tests
look hardier than simply using receive
p.s. I really wanted to add the new cop
to this commit, but adding a cop is a big effort
in and of itself. it will be tackled in
the next commit after this one is merged
Change-Id: If4a6bde01017abb5ab4c16cdd5d056e4caf1788a
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/273314
Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com>
Reviewed-by: Drake Harper <drake.harper@instructure.com>
Reviewed-by: Brian Watson <bwatson@instructure.com>
QA-Review: Drake Harper <drake.harper@instructure.com>
Product-Review: Drake Harper <drake.harper@instructure.com>
closes OUT-4695
flag=none
test plan:
- ensure live events are running locally (see live_events.md)
- verify that when making changes (including soft deleting) or
creating an outcome friendly description that live events are emitted
Change-Id: I98ae5aeda1e16e1816f7d63a6a82f777a2766ae0
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/272071
Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com>
Reviewed-by: Pat Renner <prenner@instructure.com>
Reviewed-by: Augusto Callejas <acallejas@instructure.com>
QA-Review: Brian Watson <bwatson@instructure.com>
Product-Review: Augusto Callejas <acallejas@instructure.com>
Creating a Kinesis client with no creds causes the AWS gem to reach out
to an AWS-internal IP (169.254.169.254). There is a connect timeout of 1
second but this is disabled in
config/initializers/no_timeouts_debugging.rb. As a result, creating a
Kinesis client can indefinitely hang, making Canvas completely unusable.
The issue is made worse by recent changes which turned Live Events on
with such invalid config for anyone who used config from
dynamic_settings.yml, whereas previously, Live Events had to be manually
turned on via a plugin.
This change prevents invalid configs from reaching the Kinesis client;
except in prod in case anyone is actually using the feature whereby
AWS looks up creds on the internal IP (and to avoid any possible
slowdowns by checking for the settings repeatedly).
Additionally I made NoRaiseTimeoutsWhileDebugging log a message when a
timeout happens, which would have greatly helped with debugging this
issue.
refs INTEROP-7016
flag=none
Test plan:
- Have config in dynamic_settings.yml like the old
dynamic_settings.yml.example, with live-events config but no creds,
e.g.:
live-events:
aws_endpoint: http://kinesis.canvaslms.docker
kinesis_stream_name: live-events
- From a rails dev console run LiveEvents::Client.config. It should
return nil.
- Run Canvas and make sure you can login, view a course, etc. -- just
try anything that emits a live event (almost anything)
- Add aws_access_key_id and aws_secret_access_key_dec from from
dynamic_settings.yml.example into your dynamic_settings.yml
- From a rails dev console run LiveEvents::Client.config. It should
return the config.
- From a rails dev console run `LiveEvents::Client.new`. It should
immediately produce a client.
- Restart Canvas and make sure you can view a course, etc.
Change-Id: I9a325b7f30c8e0203c2903a25a1f0139776b3f1f
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/271907
Reviewed-by: Cody Cutrer <cody@instructure.com>
Product-Review: Cody Cutrer <cody@instructure.com>
Product-Review: Evan Battaglia <ebattaglia@instructure.com>
QA-Review: Evan Battaglia <ebattaglia@instructure.com>
Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com>
* and change singleton key
why:
* catalog is getting much fewer course_completed live events than they
used to
* live events log diving reveals the events _are_ getting sent, but as
course_progress instead, even though the API shows that the course
has been completed
* the on_conflict option defaults to :use_earliest, which doesn't
completely explain these discrepancies, but certainly isn't helping,
since the docs for inst-jobs say to use on_conflict: :overwrite for
debouncing.
* also, uncovered that sometimes if multiple modules are completed in
the 2 min debounce period, multiple jobs will be enqueued since the key
for the singleton strand is the ContextModuleProgression id. It would
be better if the key used the course and user, so that only one job and
only one event get sent at a time.
* this isn't a final solution but is a helpful first step
closes INTEROP-6924
flag=none
test plan:
* in `live_events_callbacks.rb:159`, change the delay_if_production to
just delay, for testing
* follow the directions in `doc/live_events.md` to set up live events
piped to the canvas docker kinesis stream, and tail the stream to see
live events flowing (reminder: after configuring the Plugin you *must*
restart canvas).
* have a course with a student and 4 modules, each with one
assignment in them
* as the student, submit the assignment for the first module
* in a rails console,
`Delayed::Job.where(tag: "CourseProgress#dispatch_live_event")` should
show you the jobs enqueued for the student
* there should only be one, and the strand should include the global ids
for the course and user
* the run_at time should be for two minutes from the created_at time
* in the browser, submit the assignment for the second module
* the run_at time should update to two minutes from now
* wait two minutes and let the job run
* in the stream logs, you should see a course_progress event
* in the browser, submit the assignments for the last two modules
* another job should be enqueued, wait two minutes and let it run
* in the stream logs, you should see a course_completed event, and no
more course_progress events (besides the first)
Change-Id: Ib6860a185031a9b9f0375347e079a0501f3b571c
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/269276
Product-Review: Xander Moffatt <xmoffatt@instructure.com>
Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com>
Reviewed-by: Evan Battaglia <ebattaglia@instructure.com>
Reviewed-by: Jeremy Stanley <jeremy@instructure.com>
Reviewed-by: Ryan Hawkins <ryan.hawkins@instructure.com>
QA-Review: Evan Battaglia <ebattaglia@instructure.com>
fixes INTEROP-6911
also fixes some specs in jwts_controller_spec -- the intention was to
use a services JWT to try to generate a services JWT and see it fail.
it did fail, but for the wrong reason -- the spec didn't actually pass a
services JWT in the auth header, it passed something unrecognizable.
the fix here is to make it a proper JWT, and add a more specific
assertion so we're confident that we're exercising the right code path.
test plan:
- see test plan for commit c44b1844f7 for how to generate RSA keypairs
and configure InstID to use them
- get an API access token by following
https://canvas.instructure.com/doc/api/file.oauth.html#manual-token-generation
- use that token to generate an unencrypted InstID token like:
$ curl 'http://localhost:3000/api/v1/inst_ids?unencrypted=1' \
-X POST \
-H 'Authorization: Bearer <access_token>'
- now use the returned token to hit some other endpoint, e.g.:
$ curl http://localhost:3000/api/v1/users/self \
-X GET \
-H 'Authorization: Bearer <InstID_token>'
Change-Id: Ie6c01dd12d98f68c138da1960b87f91e42b8b04d
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/269345
Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com>
Reviewed-by: Ethan Vizitei <evizitei@instructure.com>
QA-Review: Michael Ziwisky <mziwisky@instructure.com>
Product-Review: Michael Ziwisky <mziwisky@instructure.com>
fixes INTEROP-6913, INTEROP-6892, INTEROP-6893, INTEROP-6920
flag = none
This commit introduces the InstID token, a signed and encrypted JWT (aka
JWE) that will soon be usable for Canvas API access (that's "part 2").
If the InstID class is configured with a private signing key and public
encryption key, it will be able to produce encrypted JWTs and validate
and deserialize decrypted JWTs. If it is configured with only a public
signing key, it cannot produce tokens but it can still validate and
deserialize decrypted ones. Therefore this class can be used by the
identity provider (currently Canvas) to produce tokens, but also by any
services that want to use InstID tokens for authentication.
test plan:
1) generate two RSA keypairs. one way to generate a keypair is from a
rails console:
> keypair = Canvas::Security::RSAKeyPair.new
> puts keypair.private_key.to_s
> puts keypair.public_key.to_s
2) choose which one is for signing and which is for encryption, then add
the private signing key and the public encryption key to your rails
credentials:
- run `bin/rails credentials:edit`
- add an entry like the following, and then save and close your
editor:
```
inst_id:
encryption_key: |
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvY1EMlGm1daM87ejGuFX
<...snip...>
/wIDAQAB
-----END PUBLIC KEY-----
signing_key: |
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAnDwED/QOB0f0H6TOZqLmjaPqA7m8c40NDXkAa6u5cK8zCbk3
<...snip...>
QhjPgifBwTrzj21484CfiPfy5oe756Exerj8PIlRrE/hxWRSDwBIOg==
-----END RSA PRIVATE KEY-----
```
3) open a rails console and do:
> id = InstID.for_user('user-uuid')
> id.to_token # make sure this doesn't blow up
> token = id.to_unencrypted_token
> decoded_id = InstID.from_token(token)
> id.jwt_payload == decoded_id.jwt_payload # => true
TODO in followup commits:
- make canvas accept InstID tokens for auth
Change-Id: Ie550c17507c26f9944bd62a747a6a63161e8e770
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/268872
Reviewed-by: Ethan Vizitei <evizitei@instructure.com>
Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com>
QA-Review: Michael Ziwisky <mziwisky@instructure.com>
Product-Review: Michael Ziwisky <mziwisky@instructure.com>
closes FOO-1766
flag = none
[fsc-max-nodes=18]
[fsc-timeout=30]
Test Plan:
- Run the migration and make sure there are no errors
- Some things to check:
* How it acts as a teacher, student, and public user
in course files/folders and personal files/folders
with the various settings above toggled to different states
* How it acts as a teacher, student, and public user
in discussions, modules, content migrations/import/exports
(RCE should behave similarly throughout the site)
* Should only be able to upload or add folders if the
Course Files - add permission is enabled for the user's role
* Should only be able to manage file access, usage rights, move,
or rename course files/folders if the Course Files -
edit permission is enabled for the user's role
• Check Toolbar header at the top of Course files
• Check Cog (hamburger menu) to the right of each file/folder
• Check Usage Rights Indicator under usage rights column
that can be found in course and group file pages. This can
be enabled under course settings if not available
* Should only be able to delete course files/folders if the
Course Files - delete permission is enabled for the user's role
* Any given user/role should have full access to their respective
personal files/folders regardless of granted permissions. The
same also applies to a group context with some caveats
• Should not be able to modify file access in a group context
• Should not be able to modify usage rights in personal files
* A student enrollment not granted any file permissions (the default)
should only be able to _view_ and _download_ files unless granted
additional access from an authorizing role
* REST API works as expected
* UI works as expected with no additional javascript errors
Change-Id: I5e7f717494d658e6c8ec9be8a8039015afcebc63
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/262775
Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com>
Reviewed-by: Ahmad Amireh <ahmad@instructure.com>
QA-Review: Ahmad Amireh <ahmad@instructure.com>
Product-Review: Ahmad Amireh <ahmad@instructure.com>
refs FOO-2036
basically, refresh tokens took over the meaning of expires_at to mean
when you needed to refresh. another column is needed to mean you
need to refresh vs. the token is expired, period. I opted to add
a new column for permanent_expires_at instead of needs_refresh_at
because the datafixup is less racey this way.
Change-Id: Ia11a2e862e540f211d628aa39c05bcb6930647ac
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/266765
Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com>
Reviewed-by: Ethan Vizitei <evizitei@instructure.com>
QA-Review: Cody Cutrer <cody@instructure.com>
Product-Review: Cody Cutrer <cody@instructure.com>
Change-Id: I5c1a9f260afc56887881f98cdab08ad3a25c45f3
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/263980
Reviewed-by: Simon Williams <simon@instructure.com>
Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com>
QA-Review: Jacob Burroughs <jburroughs@instructure.com>
Product-Review: Jacob Burroughs <jburroughs@instructure.com>
Since we cache by full key anyway, there is no good reason
to convert it into a recursive hash only to convert it right back
Change-Id: Ifb356e38a2ac5e6e0477ebc5913e0d9128622489
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/263932
Reviewed-by: Ethan Vizitei <evizitei@instructure.com>
Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com>
QA-Review: Jacob Burroughs <jburroughs@instructure.com>
Product-Review: Jacob Burroughs <jburroughs@instructure.com>
refs FOO-1853
flag = none
test plan:
• tests pass
• spec is no longer flaky (verify via splunk)
Change-Id: I0907bb81c6d053caaccc88c1385b2d4f6c17f81a
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/262581
Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com>
Reviewed-by: Aaron Ogata <aogata@instructure.com>
QA-Review: August Thornton <august@instructure.com>
Product-Review: August Thornton <august@instructure.com>
In this case we don't care what arguments
ConfigFile#load is receiving, we just care that
the proper response is getting set for the method stub
Using .with can cause fragility if the expected args
don't match what the method stub is actually being
called with.
fixes FOO-1853
flag = none
test plan:
• tests pass
• spec is no longer flaky (verify via splunk)
Change-Id: I8800748d175aeadae6dccbcac011418679adde4e
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/262408
Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com>
Reviewed-by: Jacob Burroughs <jburroughs@instructure.com>
QA-Review: August Thornton <august@instructure.com>
Product-Review: August Thornton <august@instructure.com>
refs QUIZ-8160
flag=none
test plan:
- test with quiz_lti patch /quiz_lti/+/261845
Change-Id: Ib8e1f8f2f5449b8ebbadea6067f8aaeef925c8f9
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/261846
Reviewed-by: James Logan <james.logan@instructure.com>
QA-Review: Mark McDermott <mmcdermott@instructure.com>
Product-Review: Susan Sorensen <susan.sorensen@instructure.com>
Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com>
refs OUT-4247
Test plan:
- ensure results from aligned rubrics and from quizzes
are visible in the learning mastery gradebook
Change-Id: Ie9731f2c702f91b3da2ce4d8ae43f7045ee5509e
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/260613
Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com>
QA-Review: Brian Watson <bwatson@instructure.com>
Product-Review: Michael Brewer-Davis <mbd@instructure.com>
Reviewed-by: Augusto Callejas <acallejas@instructure.com>
the ContextModuleProgression may be saved more than once while
requirements are evaluated, and these saves may generate spurious
course completion live events based on incomplete data. evaluating
an item requirement may also trigger delayed re-evaluation of other
requirements.
give these changes time to settle before sending any course progress
live events. queue a singleton job to do so, so multiple changes
in close succession do not result in multiple live events. the
delay is configurable as the "course_progress_live_event_delay_seconds"
Setting (default 120, two minutes).
test plan:
- enable live events in a production-like environment
- have a set of modules with requirements
- as a student, complete some of them in rapid succession
- wait two minutes, and a course progress live event should be
created and up-to-date when received (counting the right
number of completed requirements)
- as the student, finish the requirements
- two minutes later, a course completion live event should be
received
alternatively you could modify the Setting and customize the
expected delay
closes LS-1967
Change-Id: I5c5ab01e75c48cc9916d9299ee1be55d360d1ee7
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/260416
Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com>
Reviewed-by: Nate Armstrong <narmstrong@instructure.com>
QA-Review: Nate Armstrong <narmstrong@instructure.com>
Product-Review: Jeremy Stanley <jeremy@instructure.com>
refs FOO-1648
flag=none
move general module code to "gems"
along with specs.
Leave shim in canvas to avoid breaking
things while callsites get changed.
change some limited callsites
from Canvas::Errors to CanvasErrors
that were doing spec stubbing that required
at least one namespace change anyway
generate readme describing common use
cases.
TEST PLAN:
1) we still send stuff to sentry
Change-Id: I0111afc21e9e8c6604370885b4c750186b96175f
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/260035
Reviewed-by: Cody Cutrer <cody@instructure.com>
Reviewed-by: Rob Orton <rob@instructure.com>
Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com>
QA-Review: Ethan Vizitei <evizitei@instructure.com>
Product-Review: Ethan Vizitei <evizitei@instructure.com>
refs FOO-1648
flag=none
[fsc-propagate=false]
move general module code to "gems"
along with specs.
Leave shim in canvas to avoid breaking
things while callsites get changed.
change some limited callsites
from Canvas::Security to CanvasSecurity
that were doing spec stubbing that required
at least one namespace change anyway
generate readme describing common use
cases.
TEST PLAN:
1) security operations continue unimpeded.
Change-Id: Ia2d102d5038e2f5d0bb24201e38894e12b73063e
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/259540
Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com>
Reviewed-by: Cody Cutrer <cody@instructure.com>
QA-Review: Ethan Vizitei <evizitei@instructure.com>
Product-Review: Ethan Vizitei <evizitei@instructure.com>
refs FOO-1636
flag=none
[fsc-propagate=false]
- add gem initializer to canvas for canvas_cache
- move Canvas::Redis into canvas_cache
- alias module in canvas
- expand dependencies of canvas_cache
- add redis dependency to vendored gem environment
- extract RedisConnections to deal with disconnect/clear_idle
TEST PLAN:
1) continue to cache things in redis
2) caching behavior with canvas-extensions
should not change
Change-Id: I96383eced80d670e14e535993f0c0608ab5f6520
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/259434
Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com>
Reviewed-by: Simon Williams <simon@instructure.com>
QA-Review: Ethan Vizitei <evizitei@instructure.com>
Product-Review: Ethan Vizitei <evizitei@instructure.com>
refs FOO-1615
flag=none
first step of verifying modularization path for
chunks of behavior inside canvas.
take a dependency on config_file to minimize
unnecessary injection
move initialization of dynamic_settings to one place.
leave pointer in previous initializer file.
TEST PLAN:
1) nothing changes at runtime
2) dynamic settings specs can be run
quickly on their own
Change-Id: I1bfbd5b8dfedb9835953d9fc663259c17b76ce7f
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/258762
Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com>
Reviewed-by: Jacob Burroughs <jburroughs@instructure.com>
QA-Review: Ethan Vizitei <evizitei@instructure.com>
Product-Review: Ethan Vizitei <evizitei@instructure.com>
refs FOO-1648
flag=none
These login audits are a group of functionality
very specific to the pseudonym login case,
and they know a few things about the pseudonym model.
Moving it into it's own module makes sense from
and organizational standpoint, but also makes it
more reasonable to extract the rest of canvas_security
into a gem for other gems/engines to depend on.
TEST PLAN:
1) the pseudonym login process remains unchanged
2) specs pass
Change-Id: I8f689c9255c33f0ac4d7947e3b0a0592d7900463
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/259557
Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com>
Reviewed-by: Simon Williams <simon@instructure.com>
QA-Review: Simon Williams <simon@instructure.com>
Product-Review: Simon Williams <simon@instructure.com>
refs FOO-1648
flag=none
Canvas::Security depended on
ServicesJwt for secret loading.
ServicesJwt depended on Canvas::Security
for decoding and decryption
pushing the secret loading into the
security module breaks the circle
so we can extract canvas_security
without having to bring everything
at once.
TEST PLAN:
1) JWTs continue to get decrypted as they have
2) specs pass
Change-Id: I08c42b9727bee3660998cc2b0d9139beb496e244
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/259550
Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com>
Reviewed-by: Simon Williams <simon@instructure.com>
QA-Review: Ethan Vizitei <evizitei@instructure.com>
Product-Review: Ethan Vizitei <evizitei@instructure.com>
refs FOO-1648
This method doesn't belong in core
security because of all it's dependencies
on models and PluginSettings. These are circular
because models depend on Canvas::Security.
We need to move it so we can extract the rest
of canvas_security safely.
TEST PLAN:
1) mass re-encryption works as expected
2) specs pass
Change-Id: I1e28d83b09e36e9d72408a7dbd7276329162434b
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/259545
Reviewed-by: Cody Cutrer <cody@instructure.com>
QA-Review: Ethan Vizitei <evizitei@instructure.com>
Product-Review: Ethan Vizitei <evizitei@instructure.com>
Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com>
refs FOO-1636
flag=none
this helps ease the migration of caching
functionality into the canvas_cache
gem by unwinding circular references between
these modules.
Canvas now invokes Canvas::Redis, but
Canvas::Redis no longer invokes methods
on Canvas.
TEST PLAN
1) caching continues to work the same in operational environments
Change-Id: I99a55a63def4fd01e6195f26ec69ae8f62d76314
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/259424
Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com>
Reviewed-by: Simon Williams <simon@instructure.com>
QA-Review: Simon Williams <simon@instructure.com>
Product-Review: Simon Williams <simon@instructure.com>
it's only public sometimes because of how it's been extended
Change-Id: I64793fe54a6a98e7b509f968bf53aa6ba349f6fd
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/258931
Reviewed-by: James Butters <jbutters@instructure.com>
Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com>
QA-Review: Cody Cutrer <cody@instructure.com>
Product-Review: Cody Cutrer <cody@instructure.com>
closes FOO-1552
flag = none
test plan:
• permissions around course_sections function as they did before,
but now they are granularized and permanent
Change-Id: I5918a4c6ccce2ccaaf87d4b92772c31ad3e6280c
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/257619
Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com>
Reviewed-by: Charley Kline <ckline@instructure.com>
Product-Review: Charley Kline <ckline@instructure.com>
QA-Review: Charley Kline <ckline@instructure.com>
closes FOO-1501
refs FOO-130
flag = granular_permissions_course_files
[fsc-max-nodes=18]
Test Plan:
• see test plan outlined in base commit: g/253777
Change-Id: I33984062fd236348d39262395e5f51335e327ed9
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/256914
Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com>
Reviewed-by: Michael Ziwisky <mziwisky@instructure.com>
Reviewed-by: Charley Kline <ckline@instructure.com>
QA-Review: August Thornton <august@instructure.com>
Product-Review: August Thornton <august@instructure.com>
Note: we'll want to re-run the data fix-up when we're ready to turn
on the feature flag permanently; in hopes to capture any differences
made to course files permissions between now and then.
Modified the files_controller quota and api_quota permission checks
to make them more lenient in regards to accepting any or all of the
files permissions role overrides. This allows legacy grouping and
new granularized files permissions to live in harmony and be modified
without causing unauthorized errors on the quota resource.
This commit will cover the backend permissions required to granularize
files / folders permission calls, however there will be a follow-up
ps to clean up the course file page to hide elements the user might
not be authorized to use.
closes FOO-130
refs FOO-1501
flag = granular_permissions_course_files
[fsc-max-nodes=18]
[fsc-timeout=30]
Test Plan:
- Run the migration and make sure there are no errors
- With the granular_permissions_course_files FF turned off,
course sections and REST API should work the same with this patch
set checked out as it does in beta/production
- Some things to check:
* How it acts as a teacher, student, and public user
in course files/folders and personal files/folders
with the various settings above toggled to different states
* How it acts as a teacher, student, and public user
in discussions, modules, content migrations/import/exports
(RCE should behave similarly throughout the site)
- With the granular_permissions_course_files feature flag turned on
course files/folders and REST API should work as expected. The same
list checked above should be done so again, but this time:
* Should only be able to upload or add folders if the
Course Files - add permission is enabled for the user's role
* Should only be able to manage file access, usage rights, move,
or rename course files/folders if the Course Files -
edit permission is enabled for the user's role
• Check Toolbar header at the top of Course files
• Check Cog (hamburger menu) to the right of each file/folder
• Check Usage Rights Indicator under usage rights column
that can be found in course and group file pages. This can
be enabled under course settings if not available
* Should only be able to delete course files/folders if the
Course Files - delete permission is enabled for the user's role
* Any given user/role should have full access to their respective
personal files/folders regardless of granted permissions. The
same also applies to a group context with some caveats
• Should not be able to modify file access in a group context
• Should not be able to modify usage rights in personal files
* A student enrollment not granted any file permissions (the default)
should only be able to _view_ and _download_ files unless granted
additional access from an authorizing role
* REST API works as expected
* UI works as expected with no additional javascript errors
Change-Id: Ieb2d10915c274959e8da4c623f7aba11d3540c2b
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/253777
Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com>
QA-Review: Simon Williams <simon@instructure.com>
Product-Review: August Thornton <august@instructure.com>
Reviewed-by: Michael Ziwisky <mziwisky@instructure.com>
refs FOO-1449
flag=none
TEST PLAN:
1) update consul state to have a current key
and previous key
2) tokens are still accepted when signed by old key
3) remove old key from consul
4) tokens signed with old key no longer accepted
Change-Id: Ie31b7ad1cdab1ab779210c75524ce3559423a44c
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/256346
Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com>
Reviewed-by: Cody Cutrer <cody@instructure.com>
Product-Review: Cody Cutrer <cody@instructure.com>
QA-Review: Ethan Vizitei <evizitei@instructure.com>
refs FOO-1397
flag=none
TEST PLAN:
1) run a big web application with many reads
2) requests to consul read the right things
even shortly after forking on a busy box.
Change-Id: Ie416b6a145a00b4cc972bdf4e3c3e4c1db31e684
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/256330
Reviewed-by: Jacob Burroughs <jburroughs@instructure.com>
Reviewed-by: Cody Cutrer <cody@instructure.com>
QA-Review: Cody Cutrer <cody@instructure.com>
Product-Review: Cody Cutrer <cody@instructure.com>
Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com>
* note that these are lti ids, not canvas ids
* source course is present if it's a course copy, otherwise it's nil
* destination course is always the context of the migration
closes INTEROP-6373
flag=none
test plan:
* specs
* if desired, send a content_migration_completed and note the presence
of those fields
Change-Id: Ibc1816ee715dc27420d1d35522924f3dc33c3152
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/254629
Reviewed-by: Mysti Lilla <mysti@instructure.com>
Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com>
QA-Review: Mysti Lilla <mysti@instructure.com>
Product-Review: Xander Moffatt <xmoffatt@instructure.com>
fixes INTEROP-6354
flags=none
Test plan
- Set up a tool proxy with live events
- Ensure the live events that get sent
have the appropriate associated integration id
- Ensure that the subscriptions are getting created
with the appropriate associated integration id
- Ensure the data fixup corrects the subscriptions
Change-Id: Icdd82b42ead45eadc5b9456a66c52eedb23d6be5
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/253160
Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com>
Reviewed-by: Weston Dransfield <wdransfield@instructure.com>
Reviewed-by: Simon Williams <simon@instructure.com>
Reviewed-by: Mysti Lilla <mysti@instructure.com>
QA-Review: Weston Dransfield <wdransfield@instructure.com>
Product-Review: Mysti Lilla <mysti@instructure.com>
closes FOO-1272
flag=none
Use a specific error message for missing
queued messages that doesn't require
a sentry error for each.
Also introduces a pattern for
"Retriable" job errors and the
accompanying error-level handling
TEST PLAN:
1) delay the "deliver" ing of
a message that does not exist.
2) you should get a log message,
but no sentry error
Change-Id: Ib6d8f5ae499b2e1ecde1eb74397d77630c0f3e6b
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/254639
Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com>
Reviewed-by: Cody Cutrer <cody@instructure.com>
QA-Review: Cody Cutrer <cody@instructure.com>
Product-Review: Cody Cutrer <cody@instructure.com>
fixes FOO-1163
test plan:
* have a user with pseudonyms on two accounts with the same local id, on
different shards
* go to the user's page (/users/:id)
* it should correctly name both accounts
Change-Id: Ib5dfb77163a013deb0029dc311b26b1b9424f76c
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/252039
Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com>
Reviewed-by: Ethan Vizitei <evizitei@instructure.com>
QA-Review: Cody Cutrer <cody@instructure.com>
Product-Review: Cody Cutrer <cody@instructure.com>
refs FOO-1125
flag=non
TEST PLAN:
1) stats for things like ImperiumTimeouts should still
end up in datadog
2) sentry errors for the target error types should disappear
Change-Id: I6e97c04e3f6fcc3545b10418511934c89f20a419
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/251536
Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com>
Reviewed-by: Simon Williams <simon@instructure.com>
QA-Review: Simon Williams <simon@instructure.com>
Product-Review: Simon Williams <simon@instructure.com>
closes FOO-1120
refs FOO-1125
flag=none
introduce canvas-errors logging callback
move error logging from application_controller
to Canvas::Errors callback
let all canvas::errors callbacks handle the new options hash
don't send errors less than ":error" level to sentry or
error reports.
change error stats to be grouped by "level", and use
error name as a tag.
TEST PLAN:
1) regular errors should still hit all the callbacks
2) errors declared as ":warn" or ":info" levels should
not make it to sentry (like SAML MissingMessage errors)
3) local errors during development should still get logged out
to development.log file
Change-Id: Ibe1401c0f5ad8f6d697c64f6a34153aaea048281
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/251125
Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com>
Reviewed-by: Simon Williams <simon@instructure.com>
QA-Review: Ethan Vizitei <evizitei@instructure.com>
Product-Review: Ethan Vizitei <evizitei@instructure.com>
test plan:
* account feature flag cache register checks should
be made against multicache redis, just as with g/246223
closes #LS-1404
Change-Id: I28172e9c7bf539c98d63b323f911b9e6bdcaf909
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/246243
Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com>
QA-Review: James Williams <jamesw@instructure.com>
Product-Review: James Williams <jamesw@instructure.com>
Reviewed-by: Simon Williams <simon@instructure.com>
closes OUT-3999
flag=none
test-plan:
- ensure live events are running locally (see live_events.md)
- verify that when making changes (including soft deleting) or
creating an outcome calculation method that live events are emitted
Change-Id: I715305dc3cd8dc1cab127033d1feb92acd28f948
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/250457
Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com>
Reviewed-by: Augusto Callejas <acallejas@instructure.com>
Reviewed-by: Michael Brewer-Davis <mbd@instructure.com>
Reviewed-by: Xander Moffatt <xmoffatt@instructure.com>
Reviewed-by: Wagner Goncalves <wagner.goncalves@instructure.com>
QA-Review: Manoel Quirino <manoel.quirino@instructure.com>
Product-Review: Jody Sailor
"Somehow, the rotate_keys job returned" --
on Oct 1, both Lti::KeyStorage.rotate_keys and
Canvas::Oauth::KeyStorage.rotate_keys ran multiple times within seconds,
causing the keys to get rotated twice. This commit prevents us from
rotating keys if we just did a few seconds/minutes ago.
flag=none
closes INTEROP-6248
Test plan:
- in a rails console, run Lti::KeyStorage.retrieve_keys to see current
keys. (Local Canvas didn't seem to be saving DyanmicSettings for me so
rotating keys didn't have any effect on the keys at keys in
/api/lti/security/jwks)
- kick off rotation of keys: Lti::KeyStorage.rotate_keys
- check keys rotated
- kick off rotation of keys again
- check keys not rotated
- change min_rotation_period to something smaller like 2 minutes. You
can do that with:
class << Lti::KeyStorage; def min_rotation_period; 2.minutes; end; end
Wait that amount of time, kick off rotation of keys again, and check
that the keys rotated.
- run Canvas::Oauth::KeyStorage.rotate_keys and
Canvas::Oauth::KeyStorage.rotate_keys to make sure the min rotation
period for each set of keys is completely separated. Note that these
seem to start out empty so you will have to rotate them once to generate
them.
Change-Id: I7d58909e2eba7ccb2cd4222e60edf3f437547a6e
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/250155
Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com>
QA-Review: Evan Battaglia <ebattaglia@instructure.com>
Product-Review: Evan Battaglia <ebattaglia@instructure.com>
Reviewed-by: Wagner Goncalves <wagner.goncalves@instructure.com>
Reviewed-by: Weston Dransfield <wdransfield@instructure.com>
Normally submissions are created in raw SQL so the after_create hook is
not fired but there are some cases where this is not the case: in these
weird edge cases, submission_created is also fired when we create
Submission records with ActiveRecord so the after_create hooks fire. We
don't understand exactly what they are but they are a very small
proportion (about 0.15% of total submission_created events) and no one
cares about them.
This also adds "workflow_state" to the event body, and DRYs up some
specs.
closes INTEROP-6224
flag=none
Test plan:
- Run canvas with the environment variable STUB_LIVE_EVENTS_KINESIS=1
e.g.:
dcr -e STUB_LIVE_EVENTS_KINESIS=1 -u 0 web \
bundle exec rails server --binding='0.0.0.0' -p 80
- create assignments and make submissions for students in the following
ways, making sure the submission_created event is emitted (it will
be in the Canvas STDOUT, you might have to search for it) only when the
student (or API call in some cases) submits or resubmits:
- Student submits through UI.
- Student re-submits through UI.
- Done through API (?) Something like
/api/v1/courses/123/assignments/12345/submissions/1234 ?
- Grade passback (?)
- AGS (?)
- Make sure a submission_created event has the "workflow_state" in it.
- In a console, create a Submission with Submission.create! in a
unt push gerrit
submitted state and make sure the event does not fire.
- In a console, create a Submission with Submission.create! in a
submitted state and make sure the event does fire (you must provide
workflow_state: submitted, and a submission_type such as
online_text_entry)
Change-Id: I92b1c595282bf498557b7e52660547cc624795ac
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/249769
Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com>
Reviewed-by: Mysti Lilla <mysti@instructure.com>
Product-Review: Oxana Jurosevic
QA-Review: Evan Battaglia <ebattaglia@instructure.com>
Fixes INTEROP-6252
flag=none
Test Plan:
- Install multiple plagiarism detection tools
in the same account with _different_ resource
type codes. Each tool should also have a different
endpoint
- Associate an assignment with one of the tools
- Submit and verify an event is sent to the tool
with the matching resource type code
- Verify events were not sent to the other tools
Change-Id: I5892451c2ac3af64254881319d6f1143703a5cb6
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/249776
Reviewed-by: Mysti Lilla <mysti@instructure.com>
QA-Review: Tucker Mcknight <tmcknight@instructure.com>
Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com>
Product-Review: Weston Dransfield <wdransfield@instructure.com>
fixes INTEROP-6250
flag=none
Test plan
- Set up tools with varying endpoints and verify
we're sending the "closest/latest" endpoint ids
from among a plethora of similar tools on courses/
sub-accounts/accounts
- Verify the migration does the same thing
Change-Id: Iac761e94cfeee01588cae5cd8b4797faa1bcb643
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/249736
Reviewed-by: Weston Dransfield <wdransfield@instructure.com>
Reviewed-by: Xander Moffatt <xmoffatt@instructure.com>
Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com>
QA-Review: Tucker Mcknight <tmcknight@instructure.com>
Product-Review: Weston Dransfield <wdransfield@instructure.com>
so we know where they came from
Change-Id: I41d58d73c99d1187064f7d83821f361d3d73791f
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/249256
Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com>
Reviewed-by: Simon Williams <simon@instructure.com>
QA-Review: Cody Cutrer <cody@instructure.com>
Product-Review: Cody Cutrer <cody@instructure.com>
refs FOO-1032
we don't want to block local redis for very long,
it's not like the much more variable traffic
experienced by remote redis rings. Just give it
a little time to recover, and let us use a different
setting.
TEST PLAN:
1) make your local redis fail to connect
2) after the rails process acknowledges and blocks that host,
restore local redis.
3) within a few seconds you should be successfuly serving
queries from the local cache again.
Change-Id: Ic8bf976418198e9b5d6fa02a74b67edc60012a46
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/249274
Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com>
Reviewed-by: Cody Cutrer <cody@instructure.com>
Product-Review: Cody Cutrer <cody@instructure.com>
QA-Review: Ethan Vizitei <evizitei@instructure.com>
refs FOO-1032
also log even expected redis failures
so that it's possible to pin down why a given request
failed after a botched redis query.
TEST PLAN:
1) make your redis client irredemably faulty with
a caught error, like InheritedError
2) try to ask MultiCache for results with an "mget"
3) you should get a [] as the default return value
Change-Id: Ia8ede817d1180e6c0a42dfbe69bfbcb5040c4b4d
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/249255
Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com>
Reviewed-by: Simon Williams <simon@instructure.com>
QA-Review: Ethan Vizitei <evizitei@instructure.com>
Product-Review: Ethan Vizitei <evizitei@instructure.com>
Skipped spec has had the success rate dip into the 30% range, well
below the acceptable flakiness of a spec.
flag = none
Change-Id: Ib41a6517e39ceb650e44073d03f5481be7825af4
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/249241
Reviewed-by: Andrea Cirulli <andrea.cirulli@instructure.com>
Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com>
QA-Review: James Butters <jbutters@instructure.com>
Product-Review: James Butters <jbutters@instructure.com>
Some endpoints (such as GraphQL and the LTI AGS scores service) appear
to not set `@context` in ApplicationController so the LiveEvents context
(which becomes "attributes"/"metadata" in live events) does not have a
context_id / context_type. This is a problem for some downstream plagiarism
platform consumes of the submissions_* events (particularly
submission_created).
flag=none
closes INTEROP-6174
Test plan:
- submit an assignment thru the grade_passback, AGS "Scores", or graphql
and check that the live event has a context_id.
Change-Id: Ife5b213436de63ebcef179b0a9ba41a7b088d182
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/249001
Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com>
QA-Review: Evan Battaglia <ebattaglia@instructure.com>
Product-Review: Oxana Jurosevic
Reviewed-by: Xander Moffatt <xmoffatt@instructure.com>
usage rights were only never implmenented in canvas for users. Don't
show the UI in RCE's file upload modal in a user context.
closes LS-1457
flag=rce_enhancements
test plan:
- as a teacher, create an assignment
- open Documents > Upload Documemnt (or Image > Upload Image)
> expect the Computer tab to have the Usage Rights UI.
- pick one and submit
> expect the file to have the copyright symbol in the course
files page
- as a student, submit the above assignment
- in the RCE, open Documents > Upload Docuemnt
> expect no Usage Rights UI to be displayed
- create a group in a course with usage rights required
- as a teacher on a group homepage, create an Announcement or a Page
- open Documents > Upload Document
> expect to have the Usage Rights UI
- pick one and submit
> expect to see the file have the copyright symbol in the group
files page
Change-Id: Ib340c180885affda24af8cd809b06a8d565e0f34
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/248488
Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com>
Reviewed-by: Jeremy Stanley <jeremy@instructure.com>
QA-Review: Robin Kuss <rkuss@instructure.com>
Product-Review: Ed Schiebel <eschiebel@instructure.com>
closes FOO-1013
TEST PLAN:
1) send a sighup to a box
2) only ONE flushdb gets sent to local redis
Change-Id: I5af89014d21b79382cada9aa7b32eaa4e4e088b2
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/248800
Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com>
Reviewed-by: Cody Cutrer <cody@instructure.com>
QA-Review: Cody Cutrer <cody@instructure.com>
Product-Review: Cody Cutrer <cody@instructure.com>
refs FOO-779
TEST PLAN:
1) make many threads or processes try to load the same vault config
2) only one should actually call vault
3) they all should get a response
Change-Id: Ic5b778ab994bd964d930fd40fee936f42a4fd91d
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/248155
Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com>
Reviewed-by: Cody Cutrer <cody@instructure.com>
QA-Review: Cody Cutrer <cody@instructure.com>
Product-Review: Cody Cutrer <cody@instructure.com>
FIXES FOO-1011
FIXES FOO-1012
Also write the trees of dynamic settings
stuff atomically so that clears don't
result in a partial config hash in the cache
TEST PLAN:
1) store things in the dynamic settings cache
2) explicitly clear the cache
3) write a "true" value to the tree-level key
4) fetch the subkey
5) you should still get a valid value back from consul/file
Change-Id: I0f8bf524a6c03a2e6a6bba7fed3c199e6b179d93
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/248752
Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com>
Reviewed-by: Cody Cutrer <cody@instructure.com>
QA-Review: Cody Cutrer <cody@instructure.com>
Product-Review: Cody Cutrer <cody@instructure.com>
refs FOO-965
raise a real error if we get a response
other than a 200 or 404, only 404 is a good
reason for putting a nil value into the cache.
TEST PLAN:
1) override imperium to return error responses
2) run dynamic settings lookup
3) nil is not in cache, error reported
Change-Id: Iba384c122e674864fbcaf49c3159ab8aca3f0833
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/247948
Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com>
Reviewed-by: Simon Williams <simon@instructure.com>
QA-Review: Ethan Vizitei <evizitei@instructure.com>
Product-Review: Ethan Vizitei <evizitei@instructure.com>
refs FOO-965
TEST PLAN:
1) throw an error in a request
2) catch the error and capture with canvas errors,
then continue
3) you should get request and session info on
sentry context automatically
Change-Id: Iadacc5337eee5298c9190b34a976a482e6407572
Change-Id: If654cdd76f5b39218bd633b66d3c073c083185af
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/247924
Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com>
QA-Review: Ethan Vizitei <evizitei@instructure.com>
Product-Review: Ethan Vizitei <evizitei@instructure.com>
Reviewed-by: Simon Williams <simon@instructure.com>
sharding isn't necessarily set up if this
fires during boot sequence
Change-Id: I2d5448184f141716bd38eb29beef33fe155abdb7
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/247927
Reviewed-by: Simon Williams <simon@instructure.com>
Reviewed-by: Jacob Burroughs <jburroughs@instructure.com>
Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com>
QA-Review: Ethan Vizitei <evizitei@instructure.com>
Product-Review: Ethan Vizitei <evizitei@instructure.com>
fixes INTEROP-6125
flag=none
Test plan
- Set up an assignment with the plagiarism tool
- Test to make sure the live event sends with
the associated integration id from the ACTL
- Uninstall the tool and make sure it does
not send the associated integration id
- Play with different locations where the
tool is installed and make sure it works
as expected
Change-Id: I1fec2ee4744850cd7a0285fb0087a465b3448e46
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/246294
Reviewed-by: Xander Moffatt <xmoffatt@instructure.com>
QA-Review: Xander Moffatt <xmoffatt@instructure.com>
Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com>
Product-Review: Mysti Lilla <mysti@instructure.com>
refs FOO-779
TEST PLAN:
this doesn't get used yet,
but if you want you can grab
any cred path your vault client
is allowed to assume and try to pull
it through this object and talk to
an AWS service the assumed role is
permissioned for
Change-Id: I85faf802539feae6e708dfa8bd07d1f52346df1d
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/246255
Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com>
Reviewed-by: Jacob Burroughs <jburroughs@instructure.com>
QA-Review: Ethan Vizitei <evizitei@instructure.com>
Product-Review: Ethan Vizitei <evizitei@instructure.com>
closes INTEROP-6016
flag=none
Test plan
- Have a submission that isn't graded
- Comment and/or grade the submission
- Note that a live event gets sent with
a new posted_at date
Change-Id: I63175965044350187af2b9c4857fb25b0ebc2e68
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/244908
Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com>
QA-Review: Ryan Hawkins <ryan.hawkins@instructure.com>
Product-Review: Karl Lloyd <karl@instructure.com>
Reviewed-by: Evan Battaglia <ebattaglia@instructure.com>
closes OUT-3867
flag=none
test-plan:
- ensure live events are running locally (see live_events.md)
- verify that when making changes (including soft deleting) or
creating an outcome proficiency that live events are emitted
- verify that ratings information is included in the proficiency payload
(cherry picked from commit 0f0edc8cbe)
Change-Id: Iee0a98666354fc6e375757d63a1bbf22cdff973e
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/245081
Reviewed-by: Michael Brewer-Davis <mbd@instructure.com>
Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com>
QA-Review: Michael Brewer-Davis <mbd@instructure.com>
Product-Review: Michael Brewer-Davis <mbd@instructure.com>
refs SAS-1540
* adds an audience setting to developer keys, so a key can be set to
target external audiences with its credentials grants
* when a key with an external audience grants credentials, the token is
signed with an asymmetric key instead of the internal symmetric key
* external audiences can retrieve the corresponding public keys from
/login/oauth2/jwks
* credentials issued by developer keys with an account id include the
account's guid in a custom claim
includes a refactor of key storage and rotation in consul, which had
already been done for LTI. but it wasn't really a feature of lti, just
something used by LTI, and we needed the same for key management for
this. moved it to be part of Canvas::Security
Change-Id: Ie5c0fcee6fc21687f31c109389a3bcc1ed349c5d
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/243606
QA-Review: Jonathan Featherstone <jfeatherstone@instructure.com>
Reviewed-by: Jonathan Featherstone <jfeatherstone@instructure.com>
Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com>
Product-Review: Jacob Fugal <jacob@instructure.com>
This reverts commit 0f0edc8cbe.
Reason for revert: merged prematurely, depends on code in g/244166
Change-Id: I49b623197354bf5c39cb3f6829b2dea72118e890
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/244037
Reviewed-by: Augusto Callejas <acallejas@instructure.com>
Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com>
QA-Review: Pat Renner <prenner@instructure.com>
Product-Review: Pat Renner <prenner@instructure.com>
closes OUT-3867
flag=none
test-plan:
- ensure live events are running locally (see live_events.md)
- verify that when making changes (including soft deleting) or
creating an outcome proficiency that live events are emitted
- verify that ratings information is included in the proficiency payload
Change-Id: I0e6603896b6a08b7a6ea1050c742e5ff3a9b3b2f
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/244793
Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com>
Reviewed-by: Augusto Callejas <acallejas@instructure.com>
Reviewed-by: Michael Brewer-Davis <mbd@instructure.com>
QA-Review: Augusto Callejas <acallejas@instructure.com>
Product-Review: Pat Renner <prenner@instructure.com>
refs FOO-739
TEST PLAN:
1) disable request throttling
2) run some requests that are expensive
3) costs should still be tracked in headers
Change-Id: Iec1a60f797451c789c3cdb79682757b8c354005f
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/243569
Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com>
Reviewed-by: Simon Williams <simon@instructure.com>
QA-Review: Ethan Vizitei <evizitei@instructure.com>
Product-Review: Ethan Vizitei <evizitei@instructure.com>
test plan:
* with PG <10, nothing should change/break (migrations shouldn't even try to run)
* with pg >=10, run migrations
* it should create collations, and recreate a couple indexes
* going to the users page should not be broken
* specs ensure that the sorting is to our liking
Change-Id: I3eaf42dd2207d733c164c12ef2a43a1c1b417ff2
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/241190
Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com>
Reviewed-by: Charley Kline <ckline@instructure.com>
Reviewed-by: Simon Williams <simon@instructure.com>
QA-Review: Charley Kline <ckline@instructure.com>
Product-Review: Cody Cutrer <cody@instructure.com>
closes PLAT-5766
flag=none
Test plan
- Planning to test this on beta once it's there
as that will be easier than trying to test it
locally
- We'll want to install a fresh Plagiarism tool
at an account
- Verify that the plagiarism subscription IS receiving
events for assignments that are linked to the tool
- Verify that the plagiarism subscription IS NOT receiving
events for assignments that are not linked to the
tool
- Verify that regular subscriptions are still receiving
events for both linked and non-linked assignments
Change-Id: I59a1f5f6d1c061dfcd50c1efa2788173875d2231
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/240369
Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com>
Reviewed-by: Michael Guymon <mguymon@instructure.com>
Reviewed-by: Xander Moffatt <xmoffatt@instructure.com>
QA-Review: Xander Moffatt <xmoffatt@instructure.com>
Product-Review: Mysti Lilla <mysti@instructure.com>
flag=none
refs PLAT-5791
Test plan:
- make sure you have a course with a sis_source_id
- tail live events kinesis stream (See doc/live_events.md)
- trigger a course_completed or course_progress event
- check it has the account ID and sis_source_id
Change-Id: Ic4e529ee7b3eeddce68e028fcb81c5bdbbafb96a
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/239269
Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com>
Reviewed-by: Xander Moffatt <xmoffatt@instructure.com>
QA-Review: Xander Moffatt <xmoffatt@instructure.com>
Product-Review: Oxana Jurosevic
access tokens cannot be created when masquerading a user on purpose,
because this would allow a user to get the real token and use it when
permissions for the user could change in the future. A commit was made
ee50eec4bd to create the access tokens
used when doing an lti launch on the real_user instead of the user, but
this breaks some tools that are not handling all the masquerade data.
c94b34348a reverted that change to create
them on the user again.
This commit is adding a column to access_token so we can audit usage of
the tokens created from an LTI launch. When a token is created while
masquerading we add the real_user_id to the token and make the token
expire in one hour.
test plan
- masquerade as a user
- launch an lti_tool that creates an access token
- the tool should see the end users token
- in a console verify the token is set to expire in an hour
- verify that real_user_id is used on the token
- the token should expire within an hour
fixes KNO-464
flag=none
Change-Id: I1f8913fc536f4e2c8539551efed69b27fbdb6b1a
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/236443
Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com>
Reviewed-by: Davis Hyer <dhyer@instructure.com>
QA-Review: Davis Hyer <dhyer@instructure.com>
Product-Review: Davis Hyer <dhyer@instructure.com>
closes OUT-3675
flag=selectable_outcomes_in_course_copy
setup:
- create a course with many outcome groups,
containing many other outcome groups, each
with multiple outcomes
test plan:
- export a copy of the course
- in a new course, import the contents of the previous course,
selecting "Select specific content" option
- confirm that when selecting content, that selectable outcomes
are availble to import
Change-Id: Id9834f1f1256f7a69d8e0edb2593b196cf4deb05
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/237433
Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com>
Reviewed-by: Michael Brewer-Davis <mbd@instructure.com>
Reviewed-by: Pat Renner <prenner@instructure.com>
QA-Review: Brian Watson <bwatson@instructure.com>
Product-Review: Jody Sailor
closes OUT-3632, OUT-3633
flag=selectable_outcomes_in_course_copy
setup:
- create a course with many outcome groups,
containing many other outcome groups, each
with multiple outcomes
test plan:
- with "Selectable outcomes during course content migration"
feature option enabled (root account), confirm that for
course copy and course export/import, the selective content
dialog allows selective outcomes and that if a subgroup
is selected or non-root outcomes are selected, they all
appear at the root level in the target course.
also confirm that outcome groups and outcomes appear in
alphabetical order in the selective content dialog
(note: groups always appear before outcomes)
- with "Selectable outcomes during course content migration"
feature option disabled (root account), confirm that for
course copy and course export/import, the selective content
dialog does not allow for selective outcomes
Change-Id: Ibde113826b647feb1b5c4308b85698010f0bc4e9
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/236769
Reviewed-by: Pat Renner <prenner@instructure.com>
Reviewed-by: Michael Brewer-Davis <mbd@instructure.com>
Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com>
QA-Review: Brian Watson <bwatson@instructure.com>
Product-Review: Jody Sailor
closes OUT-3622
flag=selectable_outcomes_in_course_copy
setup:
- create a course with outcomes, both in groups and at the
root level
- create another course
- select "Import Course Content"
- for "Content Type", select "Copy a Canvas Course"
- select the initial course to copy from
- for "Content", select "Select specific content"
- click "Import"
- wait for the "Select Content" button to appear under
"Current Jobs"
test plan:
- with "Selectable outcomes during course content migration"
feature option enabled (root account):
* click "Select Content" button
* confirm that the "Learning Outcomes" is available and
can be expanded to reveal all groups and outcomes
- with "Selectable outcomes during course content migration"
feature option disabled (root account):
* click "Select Content" button
* confirm that the "Learning Outcomes" is available but
cannot be expanded
Change-Id: I62f1ee07628b4f7ea3d5573748214f4b1db6d44a
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/236511
Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com>
Reviewed-by: Pat Renner <prenner@instructure.com>
Reviewed-by: Michael Brewer-Davis <mbd@instructure.com>
QA-Review: Pat Renner <prenner@instructure.com>
Product-Review: Jody Sailor
This reverts commit ee50eec4bd.
Reason for revert: need to more fully flesh out how masquerading can
be transparently handled for OAuth consumer.
Change-Id: I340b8914e3eff7c3156e1a06bae1ca6c9d10c1bd
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/236010
Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com>
Reviewed-by: Rob Orton <rob@instructure.com>
QA-Review: Rob Orton <rob@instructure.com>
Product-Review: Rob Orton <rob@instructure.com>
test plan:
* with redis enabled locally, create an assignment with
a due date and add it to a module
* view the modules page as a student and take note
of the due date
* use the bulk assignment date editing feature to
edit the assignment date
* re-view the modules page a the student
* the due date should be updated
closes #LA-957
Change-Id: I71d2f14f70109bc1d9ae137371afc89122efcd5b
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/236120
Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com>
Reviewed-by: Jeremy Stanley <jeremy@instructure.com>
QA-Review: Anju Reddy <areddy@instructure.com>
Product-Review: James Williams <jamesw@instructure.com>
flag = missing_policy_applicator_emits_live_events
closes TALLY-575
Test plan:
- Set up live events in your Canvas installation and monitor them (see
the relevant live events documentation in the doc/ directory)
- Have a course with a missing policy enabled
- With the root-account "Missing Policy Applicator Emits Live Events"
flag ON:
- Create/publish an assignment requiring online submissions and with a
due date in the near future
- Bear witness to the ineluctable passage of time as it strips you of
everything and everyone you hold dear
- Check that each submission marked as missing for the above assignment
has also emitted a corresponding submission_updated live event
- With the flag OFF:
- Repeat the above process
- The missing policy applicator's mass-update should NOT generate live
events
Change-Id: Ifa84affe2242827e1695d0d9c539cf9d542ba425
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/229181
Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com>
Reviewed-by: Spencer Olson <solson@instructure.com>
Reviewed-by: Nick Pitrak <npitrak@instructure.com>
QA-Review: Adrian Packel <apackel@instructure.com>
Product-Review: Spencer Olson <solson@instructure.com>
fixes USERS-457
test plan:
* login to the mobile app via qr code while masquerading
* the app should behave as if you're the masqueraded user
* inspecting user profiles in the web app, a token should
have been issued to the masquerading user, but not the
masqueradee
* confirm inst-fs works while masquerading
Change-Id: I82b6a310f8b31ffa6cf824b95f0734056292deb6
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/230784
Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com>
QA-Review: August Thornton <august@instructure.com>
Product-Review: Cody Cutrer <cody@instructure.com>
Reviewed-by: James Williams <jamesw@instructure.com>
Reviewed-by: Keith Garner <kgarner@instructure.com>
refs PFS-15497
flag = none
Test plan:
1. create a new conversation on canvas with another user
2. create a new message in the conversation by replying
3. verify live event for conversation_message_created has been triggered
Change-Id: Idf929eb5398f6040d8a3e45c644481b207858042
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/232152
Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com>
Product-Review: Dan Dickson <ddickson@instructure.com>
QA-Review: Aiona Rae Hernandez <ahernandez@instructure.com>
Reviewed-by: Sean Mikkelsen <smikkelsen@instructure.com>
Reviewed-by: Weston Dransfield <wdransfield@instructure.com>
refs PFS-15496
flag = none
test plan:
1. create a new conversation on canvas with another user
2. forward the conversation to another user who is not
already a participant in the conversation
3. verify live event for conversation_forwarded has
been triggered (only once)
Change-Id: I70d3de5cb6995aec1ffe00b3a42f99d31f19250d
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/232141
Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com>
QA-Review: Aiona Rae Hernandez <ahernandez@instructure.com>
Reviewed-by: Sean Mikkelsen <smikkelsen@instructure.com>
Product-Review: Dan Dickson <ddickson@instructure.com>
refs PFS-15495
flag = none
test plan:
1. create a new conversation on canvas with another user
2. verify live event for conversation_created has been triggered
Change-Id: Ice2c239b90318588a2e5fe68ac0db289ff591a94
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/231746
Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com>
QA-Review: Evan Battaglia <ebattaglia@instructure.com>
Reviewed-by: Evan Battaglia <ebattaglia@instructure.com>
Product-Review: Dan Dickson <ddickson@instructure.com>
closes APM-30
flag = none
TEST PLAN:
* canvas runs fine
* from beta app analytics telemetry shows up in datadog
Change-Id: I5128589040c053642ec81bd35ee797b60349a45e
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/231830
Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com>
Reviewed-by: Simon Williams <simon@instructure.com>
QA-Review: Simon Williams <simon@instructure.com>
Product-Review: Simon Williams <simon@instructure.com>
closes APM-29
flag = none
TEST PLAN:
* canvas boots correctly
* wrap an Canvas::Apm.tracer.trace call around some code
* APM Logging shows custom spans
Change-Id: I552f7db02db3fa7dabdcafd72a3682c2dd56006b
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/231742
Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com>
Reviewed-by: Keith Garner <kgarner@instructure.com>
Reviewed-by: Simon Williams <simon@instructure.com>
QA-Review: Simon Williams <simon@instructure.com>
Product-Review: Ethan Vizitei <evizitei@instructure.com>
FIXES APM-25
flag = none
also properly implments plugin
reset so that we can enable/disable
without rebooting the process
test plan:
specs pass flaky spec catcher
Change-Id: I96e8137e351639559d68c8f1e9242e1c315cb26d
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/231006
Reviewed-by: David Warkentin <dwarkentin@instructure.com>
Reviewed-by: James Butters <jbutters@instructure.com>
Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com>
QA-Review: Ethan Vizitei <evizitei@instructure.com>
Product-Review: Ethan Vizitei <evizitei@instructure.com>
closes APM-16, APM-20
flag = none
also adds context id and user id
to request annotations for APM
configures host-level sampling
TEST PLAN:
* enable apm collection on datadog agent on single test cluster
* push consul config to same cluster for enabling apm sampling
* push consul config depressing host sampling rate to 5%
* delayed job telemetry should show up in ddog
* trace count from active clusters should drop by an order of magnitude
Change-Id: I94d97b299ed14403e8b141629740a1627310b259
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/230592
Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com>
Reviewed-by: Simon Williams <simon@instructure.com>
Reviewed-by: David Warkentin <dwarkentin@instructure.com>
QA-Review: Simon Williams <simon@instructure.com>
Product-Review: Ethan Vizitei <evizitei@instructure.com>
closes APM-11
flag = none
TEST PLAN:
* deploy to some environment with APM enabled
* observe telemetry and confirm root_account
and shard tags
Change-Id: I7246801c51617f10b8b7f3ca69b5d245375e81be
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/230415
Reviewed-by: Simon Williams <simon@instructure.com>
Reviewed-by: David Warkentin <dwarkentin@instructure.com>
Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com>
QA-Review: Michael Hargiss <mhargiss@instructure.com>
Product-Review: Ethan Vizitei <evizitei@instructure.com>
closes TALLY-563
flag = none
...obviously
test plan:
* Smoke test New Gradebook
* Smoke test Grade Summary
Change-Id: I0bf7f962f5e910002b69d727666464356a1e3ccf
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/225876
Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com>
Reviewed-by: Adrian Packel <apackel@instructure.com>
Reviewed-by: Gary Mei <gmei@instructure.com>
QA-Review: Robin Kuss <rkuss@instructure.com>
Product-Review: Keith Garner <kgarner@instructure.com>
test plan:
* do an LTI grade passback
* verify in the server logging that request throttle client identifiers
includes a "tool:<domain>" entry
Change-Id: I90914187848876ebe7a20ef87d0ff933254cc83b
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/226231
Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com>
Reviewed-by: Weston Dransfield <wdransfield@instructure.com>
Reviewed-by: James Williams <jamesw@instructure.com>
QA-Review: August Thornton <august@instructure.com>
Product-Review: Cody Cutrer <cody@instructure.com>
Next step will be to integrate a secrets API a-la-dynamic settings
test plan:
- Specs pass
Change-Id: Ic2fdd2be3c7f665804627f3ef3ffb5bc408d135b
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/224281
Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com>
Reviewed-by: Cody Cutrer <cody@instructure.com>
QA-Review: Cody Cutrer <cody@instructure.com>
Product-Review: Cody Cutrer <cody@instructure.com>
Currently, this just replaces the dynamic_settings cache;
it will also be used to cache things from vault
flag=none
test plan:
- Dynamic settings specs pass
Change-Id: I314a2c377adbcda59d7a7ec2d7522f25a3de08eb
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/224230
Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com>
Reviewed-by: Cody Cutrer <cody@instructure.com>
QA-Review: Cody Cutrer <cody@instructure.com>
Product-Review: Cody Cutrer <cody@instructure.com>
fixes DIG-1417
flag=none
test plan:
- trigger a `submission_updated` live event by submitting an
assignment.
- if you submitted on time, the event should contain `"late": false`.
if it was late, the event should contain `"late": true`.
Change-Id: I856b2748c8cd583308e89f5160e734bc9f287e3c
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/222297
Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com>
QA-Review: Tucker Mcknight <tmcknight@instructure.com>
Product-Review: Michael Ziwisky <mziwisky@instructure.com>
Reviewed-by: Weston Dransfield <wdransfield@instructure.com>
Change-Id: Ie137c1040260b363979160e1f0558883577ebebd
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/222510
Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com>
Reviewed-by: James Williams <jamesw@instructure.com>
QA-Review: James Williams <jamesw@instructure.com>
Product-Review: James Williams <jamesw@instructure.com>
Fires any time a student's course grade has changed.
Dig needs this event.
This also updates ObserverAlerts to only make one alert per
student+course in the case that the student is enrolled in multiple
sections of the same course. (Checked with mobile team to make sure
this is OK).
It also moves creating the alerts until after calculate_hidden_scores.
This shouldn't matter because the hidden (unposted) scores don't affect
the ObserverAlerts which only care about current_score. (Really we
could ignore the observer alert code if @ignore_muted is true
but I didn't want to change too much. Likewise, @ignore_muted
and @emit_live_event should be synonymous but I wanted to be explicit
and not rely on that always being the case.)
This also reloads scores all at once instead of individually, which
means less SQL queries and simplifies the code (especially since
reloading an object undoes the preloading of the enrollment).
refs PLAT-5189
flag=none
Test plan:
- Add `puts JSON.pretty_generate(event)` to
gems/live_events/lib/live_events/client.rb:103 (#post_event) to see
events locally
- watch for live events when going through various workflows which
change course grades and make sure only one event per course+student is
emitted
1. change an assignment grade for a student enrolled in multiple
sections -- only one event should be triggered
2. group assignments
3. a call to compute_and_save_scores where
@update_all_grading_period_scores is true (we start grading a
course/student and this kicks off scoring of all grading period
scores)
4. a call to compute_and_save_scores where @update_course_score is
true (we start by scoring a grading period and this starts scoring the
related student/course)
5. any thing else we can think of. grade_calculator experts or other
product experts may be able to suggest other scenarios.
- test these scenarios out with the "observer alerts" in the Canvas
Parent mobile app to make sure these events still work right.
Change-Id: I1d6d530149962a97890656566e26bc32dbb4c190
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/219208
Tested-by: Jenkins
Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com>
Product-Review: Oxana Jurosevic
Reviewed-by: Matt Sessions <msessions@instructure.com>
Reviewed-by: Xander Moffatt <xmoffatt@instructure.com>
Reviewed-by: Spencer Olson <solson@instructure.com>
QA-Review: Tucker Mcknight <tmcknight@instructure.com>
closes PLAT-5096
Test Plan:
- trigger an asset_accessed as a non-admin
- verify that the enrollment_id and course_section_id is included
in the payload
Change-Id: Iea99daa7df03323b22181751c4fafd784025636d
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/217905
Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com>
Tested-by: Jenkins
Reviewed-by: Marc Phillips <mphillips@instructure.com>
Reviewed-by: Weston Dransfield <wdransfield@instructure.com>
QA-Review: Marc Phillips <mphillips@instructure.com>
Product-Review: Marc Phillips <mphillips@instructure.com>
Closes PLAT-5098
Test Plan:
Verify both learning_outcome_result_created and
learning_outcome_result_updated events now send
the model's "mastery" value for the live event
"mastery" property
Change-Id: Ib450e5a46dec939f13a397a686a30763991c8fcb
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/216047
Tested-by: Jenkins
QA-Review: Marc Phillips <mphillips@instructure.com>
Product-Review: Weston Dransfield <wdransfield@instructure.com>
Reviewed-by: Marc Phillips <mphillips@instructure.com>
closes PLAT-4968
test plan:
* give a student a grade for an assignment
* configure the live events plugin using `doc/live_events.md`
* tail the kinesis stream following the directions in `doc/live_events.md`
* change the grade for the student
* assert that the assigment_name is present in the event body
Change-Id: Ibcabdada2a1c4ba7cd9b29bc6bacdbb387ec41f1
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/215983
Reviewed-by: Evan Battaglia <ebattaglia@instructure.com>
QA-Review: Evan Battaglia <ebattaglia@instructure.com>
Product-Review: Xander Moffatt <xmoffatt@instructure.com>
Tested-by: Jenkins
refs PLAT-4955
Test Plan:
- see that calendar feeds now have the context_id and context_type
for the asset_accessed live event
Change-Id: If86c43a07538648c7bdddcd33460bbd23ac916f9
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/214246
Tested-by: Jenkins
Reviewed-by: Clint Furse <cfurse@instructure.com>
QA-Review: Clint Furse <cfurse@instructure.com>
Product-Review: Marc Phillips <mphillips@instructure.com>
closes PLAT-5027
Test Plan:
- setup account/course to allow final grade override
- override a student's final grade in gradebook
- a live event should be created called 'grade override'
Change-Id: I4c45ced4a3e21e612ad6c43849e1d4b80c3623c0
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/214166
Tested-by: Jenkins
Reviewed-by: Marc Phillips <mphillips@instructure.com>
QA-Review: Evan Battaglia <ebattaglia@instructure.com>
Product-Review: Oxana Jurosevic
test plan:
* enabling and locking the usage rights required setting
on an account should also enable on all courses
(and vis-versa)
closes #ADMIN-2977
Change-Id: Ieb55d5860b38e6001c1de4290f111e06131582ec
Reviewed-on: https://gerrit.instructure.com/212764
Reviewed-by: Carl Kibler <ckibler@instructure.com>
QA-Review: Carl Kibler <ckibler@instructure.com>
Product-Review: Carl Kibler <ckibler@instructure.com>
Tested-by: Jenkins
refs OUT-3177
Test plan:
- set env var for jobs container/BASE in
docker-compose.override.yml
STUB_LIVE_EVENTS_KINESIS: "true"
(see live_events.md)
- at canvas.docker/plugins/live_events
- uncheck "Disable this plugin"
- add anything to fields
- Apply
- tail Canvas containers for stubbed events
> docker-compose logs -f | grep stubbed_kinesis_stream
- verify that the following live events are seen and have
reasonable data:
learning_outcome_created
- when outcome created manually or via csv
learning_outcome_updated
- when outcome edited or deleted (in original context)
manually or via csv
learning_outcome_group_created
- when created manually, via import from account,
or via import from csv
learning_outcome_group_updated
- when group edited or deleted manually or via csv
learning_outcome_link_created
- when outcome created manually or via csv
- when outcome imported from account
learning_outcome_link_updated
- when outcome moved or deleted manually or via
csv
Change-Id: I70a62617f745b884951d22f2cb29c0178f283c12
Reviewed-on: https://gerrit.instructure.com/211460
Tested-by: Jenkins
Reviewed-by: Frank Murphy III <fmurphy@instructure.com>
Reviewed-by: Clint Furse <cfurse@instructure.com>
Reviewed-by: Xander Moffatt <xmoffatt@instructure.com>
QA-Review: Xander Moffatt <xmoffatt@instructure.com>
Product-Review: Oxana Jurosevic
fixes: ADMIN-2525
fixes: ADMIN-2531
Test-Plan:
ensure that the settings work the same as the flags did
Change-Id: If5dd8e1d1700357321592fa433bbdfe49c75c886
Reviewed-on: https://gerrit.instructure.com/205261
Tested-by: Jenkins
QA-Review: Anju Reddy <areddy@instructure.com>
Product-Review: Carl Kibler <ckibler@instructure.com>
Reviewed-by: Carl Kibler <ckibler@instructure.com>
* specifically to user_created and user_updated
closes PLAT-4829
test plan:
* enable live events (see doc/live_events.md) on your local machine
* create a user with a sis id
* the live event generated should contain these 2 new fields
* update that user
* the live event generated should contain these 2 new fields
Change-Id: Ic199173ba9cd54723dba73dcc381be7b6de644aa
Reviewed-on: https://gerrit.instructure.com/209171
Reviewed-by: Marc Phillips <mphillips@instructure.com>
Tested-by: Jenkins
QA-Review: Weston Dransfield <wdransfield@instructure.com>
Product-Review: Xander Moffatt <xmoffatt@instructure.com>
fixes PLAT-4773
Test Plan:
- Verify the new "compact_live_event_payloads"
release flag is visible in the root account and
defaults to "off"
- Enable the feature flag
- Verify null values are removed from live event
payloads
Change-Id: I8f91ead101fa3cd81fe8553f7f8ff6e94b294128
Reviewed-on: https://gerrit.instructure.com/206307
Reviewed-by: Xander Moffatt <xmoffatt@instructure.com>
Tested-by: Jenkins
QA-Review: Xander Moffatt <xmoffatt@instructure.com>
Product-Review: Oxana Jurosevic
Fixes PLAT-4718
Test Plan:
-create an event
-verify asset_name is in body of event
-create a context external tool
-verify asset name is not in body of event
Change-Id: I96d38dfc74b1888aae962e62ee06d025f83ff35b
Reviewed-on: https://gerrit.instructure.com/204268
Tested-by: Jenkins
Reviewed-by: Weston Dransfield <wdransfield@instructure.com>
QA-Review: Weston Dransfield <wdransfield@instructure.com>
Product-Review: Oxana Jurosevic
RedisStore is no longer supported
somewhat surprisingly, the serialization formats are compatible, so we don't
need to do any namespacing
Change-Id: Iede3a023cada95313875f0ce419b649c364ee97c
Reviewed-on: https://gerrit.instructure.com/202663
Tested-by: Jenkins
Reviewed-by: Rob Orton <rob@instructure.com>
QA-Review: Rob Orton <rob@instructure.com>
Product-Review: Rob Orton <rob@instructure.com>
When post policies is enabled, pass the current submission's
posted/hidden status in the "muted" field so that it accurately reflects
the state of the submission. When post policies is disabled, pass the
assignment's muted status as before. Also, update some queries in the
conditional release service to check the submission's posted status if
post policies is enabled.
fixes GRADE-2316
Test plan:
- Have Canvas and conditional release set up
- In Canvas, enable new gradebook for a course and flip on the post
policies setting:
> PostPolicy.enable_feature!
- Create two assignments
- In the gradebook, change the grade posting policy of one of the
assignments to "Manually"
- Leave the other as "Automatically"
- Assign grades to students in each assignment
- For the auto-posted assignment, grade change events should be
emitted with muted = false
- For the manual-posted assignment, grade change events should be
emitted with muted = true
- Post grades for the manual-posted assignment
- Grade change events should now be emitted with muted = false
- Confirm that mastery paths are generally doing the right thing
Change-Id: I7af38836ebd9b3361526a4c03565694ae0770f88
Reviewed-on: https://gerrit.instructure.com/202283
Tested-by: Jenkins
QA-Review: Michael Brewer-Davis <mbd@instructure.com>
Product-Review: Michael Brewer-Davis <mbd@instructure.com>
Reviewed-by: Derek Bender <djbender@instructure.com>
Reviewed-by: Jeremy Neander <jneander@instructure.com>
test plan:
* create an access token
* blacklist your user id in console
* try to access canvas with your access token
* it should not work
Change-Id: I9cf30798e844a648040a396258ca923cb4d77513
Reviewed-on: https://gerrit.instructure.com/199202
Tested-by: Jenkins
Reviewed-by: James Williams <jamesw@instructure.com>
QA-Review: Cody Cutrer <cody@instructure.com>
Product-Review: Cody Cutrer <cody@instructure.com>
Closes PLAT-4633
Test Plan:
Verify you can fetch and use access tokens from
https://canvas.instructure.com/login/oauth2/token
in LTI services
For local testing you may create a new account
domain and temporarily change the
UNIVERSAL_GRANT_HOST constant
This is just one approach we could take. In my testing this is the
only change required to use AGS and NRPS
Change-Id: I50fb6da85ed91bd19b8d8b2b8afe4b5d48a120dc
Reviewed-on: https://gerrit.instructure.com/200059
Tested-by: Jenkins
Reviewed-by: Clint Furse <cfurse@instructure.com>
Reviewed-by: Marc Phillips <mphillips@instructure.com>
QA-Review: Tucker Mcknight <tmcknight@instructure.com>
Product-Review: Weston Dransfield <wdransfield@instructure.com>
Because we were calling rce_js_env before @context was set, and
rce_js_env calls js_env. We were not setting an
ENV.context_context_asset_string on the /dashboard/eportfolios page
Test plan:
* go to /dashboard/eportfolios
* in a browser console type: window.ENV.context_context_asset_string
* it should say “user_3” or something like that
Change-Id: Ica3e2d008d23a8d009e42f0e5dc114a38d66916a
Reviewed-on: https://gerrit.instructure.com/200929
Tested-by: Jenkins
Reviewed-by: Clay Diffrient <cdiffrient@instructure.com>
QA-Review: Ryan Shaw <ryan@instructure.com>
Product-Review: Ryan Shaw <ryan@instructure.com>
closes PLAT-4632
Test Plan:
- Create a new comment on a submission
- verify the body of the live event includes local ids opposed to
global ids
Change-Id: I82a595d0207e4a134d9960bdc93c62a3c81fb9b2
Reviewed-on: https://gerrit.instructure.com/200290
Tested-by: Jenkins
Product-Review: Oxana Jurosevic
Reviewed-by: Weston Dransfield <wdransfield@instructure.com>
Reviewed-by: Marc Phillips <mphillips@instructure.com>
QA-Review: Weston Dransfield <wdransfield@instructure.com>
refs PLAT-4494
Test Plan:
-make a request that goes through the client credentials flow
-validate that it works
Change-Id: Ic008485f1a286b9923e514abeda17f88b9d39a5c
Reviewed-on: https://gerrit.instructure.com/200219
Reviewed-by: Marc Phillips <mphillips@instructure.com>
QA-Review: Marc Phillips <mphillips@instructure.com>
QA-Review: Drake Harper <dharper@instructure.com>
Product-Review: Drake Harper <dharper@instructure.com>
Tested-by: Jenkins
closes PLAT-4549
Test Plan:
- Live events should only be sent in batches
Change-Id: I72f8e210ae74b32b09e16a8d4fb515e0c4f699fc
Reviewed-on: https://gerrit.instructure.com/197993
Tested-by: Jenkins
Reviewed-by: Clint Furse <cfurse@instructure.com>
Reviewed-by: Weston Dransfield <wdransfield@instructure.com>
Reviewed-by: Brent Burgoyne <bburgoyne@instructure.com>
QA-Review: Tucker Mcknight <tmcknight@instructure.com>
Product-Review: Marc Phillips <mphillips@instructure.com>
closes PLAT-3929
Test Plan:
- Create a new comment on a submission
- verify that the live event is created
Change-Id: I8ebdeda24f356ddf51d2f90cb9ad8ae2effc3e31
Reviewed-on: https://gerrit.instructure.com/199520
Reviewed-by: Weston Dransfield <wdransfield@instructure.com>
Tested-by: Jenkins
QA-Review: Weston Dransfield <wdransfield@instructure.com>
Product-Review: Weston Dransfield <wdransfield@instructure.com>
Closes PLAT-4457
Test Plan:
- Create a new entry/reply on a discussion
- a new event should be created: discussion_entry_submitted
- If discussion is graded, the submission and assignment
ids should be included in the LiveEvent payload
Change-Id: I5c6a6ea7c7df7fd1e6ff92d941c1b993b452bc0c
Reviewed-on: https://gerrit.instructure.com/199449
Reviewed-by: Weston Dransfield <wdransfield@instructure.com>
Tested-by: Jenkins
QA-Review: Weston Dransfield <wdransfield@instructure.com>
Product-Review: Weston Dransfield <wdransfield@instructure.com>
refs: GH-1466
Test Plan:
- Set up a developer key with scopes enabled.
- Using a tool like oauth2-client-shell request access at
https://<canvas-install-url>/login/oauth2/auth with at least a
single scope which is not enabled on the developer key.
- Observe the error message (it should contain the requested scope
which is missing, but none of the scopes which are requested, but
not enabled).
Change-Id: I66789f556f7105377459a34fddd43ffdb6e6f93e
Reviewed-on: https://gerrit.instructure.com/198402
Tested-by: Jenkins
Reviewed-by: Spencer Olson <solson@instructure.com>
Reviewed-by: Marc Phillips <mphillips@instructure.com>
QA-Review: Bryan Petty <bpetty@instructure.com>
Product-Review: Bryan Petty <bpetty@instructure.com>
Closes PLAT-4604
Test Plan:
- Install a 1.3 tool and retrieve an access token using
the client credentials grant type
- Validate the token may be used with LTI services after
5 minutes have passed
- Validate the token may not be used with LTI services
after an hour has passed
Change-Id: Icad60c80f9926bf5801fb124f334adc3d2301fe1
Reviewed-on: https://gerrit.instructure.com/199914
Tested-by: Jenkins
Reviewed-by: Marc Phillips <mphillips@instructure.com>
QA-Review: Clint Furse <cfurse@instructure.com>
Product-Review: Weston Dransfield <wdransfield@instructure.com>
Closes PLAT-3849
Test Plan:
- Trigger a live event by download a file from 1 of a few places including:
1. Your account > Files
2. Course > Files
- Verify an asset_accessed event is created and includes 2 new fields:
(filename & display_name)
Change-Id: I9c0ca7c21b373250ed69c025da59d6057a598c87
Reviewed-on: https://gerrit.instructure.com/197857
Tested-by: Jenkins
QA-Review: Marc Phillips <mphillips@instructure.com>
Product-Review: Oxana Jurosevic
Reviewed-by: Weston Dransfield <wdransfield@instructure.com>
Reviewed-by: Marc Phillips <mphillips@instructure.com>
test plan:
* in an environment with multiple redis rings
separated by shard (e.g. production) enrolling a user
from one ring (e.g. a site admin user) in to a
course in an other ring should clear their cache
(can be checeked via a call to /api/v1/courses )
closes #CORE-3080
Change-Id: I5d948e942652679c7698415c2ebaf1a5ccedd4e0
Reviewed-on: https://gerrit.instructure.com/197677
Tested-by: Jenkins
Reviewed-by: Rob Orton <rob@instructure.com>
QA-Review: Rob Orton <rob@instructure.com>
Product-Review: Rob Orton <rob@instructure.com>
test plan:
* permissions should behave exactly as before
* cached permissions should update correctly when changed
through the UI (or if accounts associations are changed)
refs #CORE-2851
Change-Id: I5c39547039b44f77e1f3bd3978783520b8191e3c
Reviewed-on: https://gerrit.instructure.com/193004
Tested-by: Jenkins
QA-Review: Jeremy Putnam <jeremyp@instructure.com>
Reviewed-by: Cody Cutrer <cody@instructure.com>
Product-Review: Cody Cutrer <cody@instructure.com>
use the new cacheregister keys for a more reliable store
that should only be invalidated when an account_user
is created for the user
should improve performance of permission calls
refs #CORE-2851
Change-Id: Ia293c8e206a2fd83e7b6bc6e17d29d36c9cae87f
Reviewed-on: https://gerrit.instructure.com/192666
Tested-by: Jenkins
Reviewed-by: Cody Cutrer <cody@instructure.com>
QA-Review: Cody Cutrer <cody@instructure.com>
Product-Review: Cody Cutrer <cody@instructure.com>
this test is to add coverage so that the thing that happened on
caturday doesn’t happen again
Test plan:
* automated specs should pass
Change-Id: I954090cd992c0dc5f8d04c20dc608c8b8c5d21c2
Reviewed-on: https://gerrit.instructure.com/194232
Tested-by: Jenkins
Reviewed-by: Cody Cutrer <cody@instructure.com>
QA-Review: Cody Cutrer <cody@instructure.com>
Product-Review: Cody Cutrer <cody@instructure.com>
test plan:
* copying a course with "select content" should
work and copy the selected content properly
closes #ADMIN-2656
Change-Id: Ib03db34178138b2a4215991b45cd54599e783c56
Reviewed-on: https://gerrit.instructure.com/193220
Tested-by: Jenkins
Reviewed-by: Rob Orton <rob@instructure.com>
QA-Review: Rob Orton <rob@instructure.com>
Product-Review: Rob Orton <rob@instructure.com>
Was hardcoding the aud to be https, when we
are requiring http endpoints.
refs PLAT-4474
Test Plan:
- Use of the 1.3 tool to do services should work
Change-Id: Id8bd6ce92dcefecb6d046316704cf7db937fdebc
Reviewed-on: https://gerrit.instructure.com/193079
Tested-by: Jenkins
Reviewed-by: Weston Dransfield <wdransfield@instructure.com>
QA-Review: Weston Dransfield <wdransfield@instructure.com>
Product-Review: Marc Phillips <mphillips@instructure.com>
use the redis-based cache keys inside several calls that
rely only on a user's enrollments, group memberships, or
account_users
test plan:
* have redis configured as the cache store
* updating a user's enrollments, group memberhips,
or account admin associations should not result in
stale data being shown
refs #CORE-2851
Change-Id: I773a20eba40ff02a6aa37e35ffe345ba3554c4fd
Reviewed-on: https://gerrit.instructure.com/192271
Tested-by: Jenkins
Reviewed-by: Cody Cutrer <cody@instructure.com>
Product-Review: Cody Cutrer <cody@instructure.com>
QA-Review: Rob Orton <rob@instructure.com>
adds methods to get and invalidate timestamps for use
in cache keys (similar to how updated_at is currently used)
but separated by purpose (and stored in redis to ease db use)
e.g. a cached function dependent only on a user's current
enrollments can use `user.cache_key(:enrollments)`,
that will then be cleared when the user's enrollments
actually change
once most of our cache keys are migrated to the new format
we can hopefully stop running 'touch_all' all over the place
ulimately should help improve cache read rates
refs #CORE-2851
Change-Id: I4cb40faa30b85d9c3865dadc5e58a5424e2d6928
Reviewed-on: https://gerrit.instructure.com/191834
Tested-by: Jenkins
Reviewed-by: Cody Cutrer <cody@instructure.com>
QA-Review: Cody Cutrer <cody@instructure.com>
Product-Review: Cody Cutrer <cody@instructure.com>
test plan:
* before checking this commit out, copy some
content into a course
* after checking it out, make sure re-copying
the course overwrites the content from
the earlier copy (tl;dr migration identifiers
are being changed but not for old exported/copied courses)
* make sure course copies/imports/exports still work
closes #CORE-2718 #CORE-2720
Change-Id: I7515c7ec2943afaaf502432f1510d3e580f13ced
Reviewed-on: https://gerrit.instructure.com/188371
Tested-by: Jenkins
QA-Review: Rob Orton <rob@instructure.com>
Product-Review: Rob Orton <rob@instructure.com>
Reviewed-by: Jeremy Stanley <jeremy@instructure.com>
Reviewed-by: Rob Orton <rob@instructure.com>
this should speed things up by reducing the amount of traffic over the
Wire for our JS/CSS/images from our cdn for most browsers/users
(everyone besides IE 11 supports brotli). Should especially help people
on mobile connections and in remote areas.
For example, our vendor webpack bundle went from 850KB to ~500KB
closes: CORE-2755
Test plan:
* with the dev CDN set up in canvs_cdn.yml
* run: RAILS_ENV=production bundle exec rake canvas:compile_assets
* then run: bundle exec rake canvas:cdn:upload_to_s3
* then run:
RAILS_ENV=production bin/rake brand_configs:generate_and_upload_all
* then run RAILS_ENV=production bundle exec rails s
now go to canvas in your browser
* from any browser that supports brotli compression, the assets you get
From the CDN should come from /br/dist/whatever
(instead of /dist/whatever)
* everything should work the same but you should notice smaller file
Sizes in the network panel for your js and css assets
Now go to canvas in a browser that doesn’t support brotli, like IE 11
* you should see that it gets its css and js files from
<cdn host>.com/dist/whatever (and not from /br/dist/whatever)
* you should notice that the assets you are looking at are gzipped
Just like before, and you can compare against those in chrome and see
That the gzip version of those files is bigger than the brotli version
Change-Id: I81d28fa31c307d745ecd9b84f1fd55c07fba88ca
Reviewed-on: https://gerrit.instructure.com/188866
Tested-by: Jenkins
Reviewed-by: Cody Cutrer <cody@instructure.com>
QA-Review: Jeremy Putnam <jeremyp@instructure.com>
Product-Review: Ryan Shaw <ryan@instructure.com>
fixes CORE-2538
test plan
- configure statsd to use data dog
- it should work
Change-Id: Ie8428e4e99973b35506bd7a8e4d1a18f5a7875a1
Reviewed-on: https://gerrit.instructure.com/182083
Tested-by: Jenkins
Reviewed-by: Cody Cutrer <cody@instructure.com>
QA-Review: Cody Cutrer <cody@instructure.com>
Product-Review: Cody Cutrer <cody@instructure.com>
Closes: ADMIN-2496
Test plan:
- create a course with at least one page
- create a new course and open course settings
- select import course button
- select the copy a canvas course content type
- select the course with the existing page
- in the content selection, click the select
specific content b utton
- click the import button
- in the current jobs section, click the select
content button
- in the content list, view 'wiki pages' changed
to 'pages'
- specs pass
Change-Id: I4e1410629104a0eb5a95386c2bd5921a26cd6512
Reviewed-on: https://gerrit.instructure.com/185115
Tested-by: Jenkins
Reviewed-by: Jeremy Stanley <jeremy@instructure.com>
QA-Review: Jeremy Stanley <jeremy@instructure.com>
Product-Review: Erin Hallmark <erin@instructure.com>
Closes PLAT-3916
Test Plan:
- Create an assignment group
- Verify the workflow state is sent in the assignmnet
group created event
- Modify the assignment group
- Verify the workflow state is sent in the assignment
group updated event
Change-Id: Iefcf885bfd6b7ce20895fd855fee2cf934e667d6
Reviewed-on: https://gerrit.instructure.com/182463
Tested-by: Jenkins
Reviewed-by: Marc Phillips <mphillips@instructure.com>
QA-Review: Marc Phillips <mphillips@instructure.com>
Product-Review: Weston Dransfield <wdransfield@instructure.com>
refs QUIZ-5864
test plan:
- do a course copy
- find an assignment, set workflow_state to 'failed_to_duplicate'
in rails console
- expect Retry button is available in UI
- click Retry button and wait, the failed assignment can be duplicated
again
- regression on assignment copy, course copy
Change-Id: I1594a68cf15c4994cd916b25e100ed277cc6cdc1
Reviewed-on: https://gerrit.instructure.com/180012
Tested-by: Jenkins
Product-Review: Hannah Bottalla <hannah@instructure.com>
QA-Review: Robin Kuss <rkuss@instructure.com>
Reviewed-by: Stephen Kacsmark <skacsmark@instructure.com>
closes PLAT-3843
test plan:
* enable live events locally (see doc/live-events.md)
* tail the stream (see same doc)
* create a new discussion topic
* look at the stream and see if the new
fields have been added to the event
Change-Id: I0bc9aef8ae82faac37df7a6f1feffd38e4961664
Reviewed-on: https://gerrit.instructure.com/178920
Tested-by: Jenkins
Reviewed-by: Weston Dransfield <wdransfield@instructure.com>
QA-Review: Weston Dransfield <wdransfield@instructure.com>
Product-Review: Xander Moffatt <xmoffatt@instructure.com>
Closes PLAT-4157
Test Plan:
Attempt to retrieve an access token using a client credentials
grant. The iat of the claimshould be 10 seconds in the future.
Verify you are still able to retrieve an access token.
Verify you cannot retrieve an access token if the iat is more than
30 seconds in the future.
Change-Id: I884f569c3ab4bcafaaa459c70fe3d0c2326153cd
Reviewed-on: https://gerrit.instructure.com/178477
Reviewed-by: Marc Phillips <mphillips@instructure.com>
QA-Review: Marc Phillips <mphillips@instructure.com>
Tested-by: Jenkins
Product-Review: Weston Dransfield <wdransfield@instructure.com>
Closes PLAT-4143
Test Plan:
- Attempt to retrieve an access token using the client
credentials grant type. Make the exp or iat claims
non-numeric
- Verify Canvas responds with a 400 and error message
- Verify the aud must be https
Change-Id: Iefc9b286d9198f0afd759c9a05b1dd8b22647aa4
Reviewed-on: https://gerrit.instructure.com/177837
Tested-by: Jenkins
Reviewed-by: Marc Phillips <mphillips@instructure.com>
QA-Review: Marc Phillips <mphillips@instructure.com>
Product-Review: Weston Dransfield <wdransfield@instructure.com>
Erroneously checking the jti as if it was a nonce.
This allows the tokens to be used more often than
once.
closes PLAT-4084
Test Plan:
Generate a ccg token and attempt to make a call
a few times. Note that it works. Make sure that
you have redis enabled locally.
Change-Id: I4eeed1019ac9ca04956713ed84a2a922b4ffdde0
Reviewed-on: https://gerrit.instructure.com/176586
Reviewed-by: Nathan Mills <nathanm@instructure.com>
QA-Review: Nathan Mills <nathanm@instructure.com>
Tested-by: Jenkins
Product-Review: Marc Phillips <mphillips@instructure.com>
closes CORE-1847
test plan:
* have your user inheriting the default locale
* go to /api/v1/users/self, /api/v1/users/self/profile. they should
both have a non-null value for effective_locale, even though
locale is null
* to through the OAuth flow. notice that a value is provided
for effective_locale in the user portion of the /token response
Change-Id: Ia8b5b555168db395fe15075d70b296c264a59d6d
Reviewed-on: https://gerrit.instructure.com/171446
Tested-by: Jenkins
Reviewed-by: James Williams <jamesw@instructure.com>
QA-Review: Jeremy Putnam <jeremyp@instructure.com>
Product-Review: Cody Cutrer <cody@instructure.com>
This does not remove the old dead code, just all the places
that checked to see if it was enabled.
closes PLAT-3752
Test Plan:
- Regression test on the developer keys page
- Also need to check that creating an oauth 2 token is
not broken (using client credentials)
Change-Id: I89983922a894ff7f20e86c034728d55284c8c668
Reviewed-on: https://gerrit.instructure.com/168271
Tested-by: Jenkins
Reviewed-by: Weston Dransfield <wdransfield@instructure.com>
QA-Review: Weston Dransfield <wdransfield@instructure.com>
Product-Review: Marc Phillips <mphillips@instructure.com>
closes CORE-1891
test plan:
- put null encryption and/or signing secretys in consul (or
dynamic_settings.yml)
- go to a page with an rce
- should not 500
- sidebar requests should 401
Change-Id: I8fd169c74df06fc5d5e04684a95e41023ea23c61
Reviewed-on: https://gerrit.instructure.com/164501
Reviewed-by: Simon Williams <simon@instructure.com>
Tested-by: Jenkins
Reviewed-by: Ryan Shaw <ryan@instructure.com>
QA-Review: Tucker McKnight <tmcknight@instructure.com>
Product-Review: Brent Burgoyne <bburgoyne@instructure.com>
Oauth2.0 client_credentials grant_type is added as a means
to support LTI Advantage services. Will accept only the
client_assertion_type of jwt-bearer and returns a JWS as
the access token. LTI services using the jws will be able to
authenticate, but other api endpoints will fail when using
this jwt.
closes PLAT-3659
Test Plan:
- Create an oauth 2.0 request using a jwt signed by a
developer key
- Request should be validated and returns a jwt with
the correct scopes
Change-Id: I786b71e39f8d3c2c9c71aa3eff4ea490f6d56285
Reviewed-on: https://gerrit.instructure.com/161245
Tested-by: Jenkins
QA-Review: Weston Dransfield <wdransfield@instructure.com>
Reviewed-by: Weston Dransfield <wdransfield@instructure.com>
Product-Review: Marc Alan Phillips <mphillips@instructure.com>
instead of Setting. it's extremely rarely changed, and it's early enough in
the boot process (and part of redis itself) that it can't be cached
Change-Id: Ibdcb3ea025a6b06d204db2a4340d911d9e3f0919
Reviewed-on: https://gerrit.instructure.com/162495
Reviewed-by: Rob Orton <rob@instructure.com>
Tested-by: Jenkins
Product-Review: Cody Cutrer <cody@instructure.com>
QA-Review: Cody Cutrer <cody@instructure.com>
closes CAT-2293
test plan:
- add `:docker-compose/kinesis.override.yml` to your .env file
- do docker-compose up
- in another terminal window, type `AWS_ACCESS_KEY_ID=key
AWS_SECRET_ACCESS_KEY=secret aws --endpoint-url
http://kinesis.canvaslms.docker/ kinesis create-stream
--stream-name=live-events --shard-count=1 --region=us-east-1`
- go to canvas.docker/plugins
- find the Live Events plugin
- select All Accounts and click Create Config
- deselect the Disable this Plugin checkbox
- enter the following information and save:
Kinesis Stream Name live-events
AWS Region us-east-1
AWS Endpoint http://kinesis:4567
AWS Access Key ID key
AWS Secret Access Key secret
- close and reopen docker-compose up
- create a course with a single student enrolled
- create an assignment with web text entry worth 10 points in a module
- create a requirement for the module to earn 10/10 on the assignment
- masquerade as the student
- submit the assignment
- stop masquerading
- type `docker-compose run --rm web script/tail_kinesis
http://kinesis:4567 live-events` in another terminal window
- grade the assignment as a 10/10 for the student
- ensure an event appears with its event_name as "course_completed"
Change-Id: Iffd5d6148fadcb66da3f8eca3a4caa9355485a90
Reviewed-on: https://gerrit.instructure.com/161106
Tested-by: Jenkins
Reviewed-by: Weston Dransfield <wdransfield@instructure.com>
QA-Review: Dariusz Dzien <ddzien@instructure.com>
Product-Review: Neil Gupta <ngupta@instructure.com>
Closes PLAT-3508 & PLAT-3509
Test Plan:
- Verify the key rotate correctly (set current to past, future
to current, and the new key to future) in both cases: when there
is no existing key AND when there is key already in Consul
- Verify the script will be running every month
- Verify the keys got rotated using Imperium gem version '0.4.0'
Change-Id: I630f230b3cd1c515ebb266b532901b4260622173
Reviewed-on: https://gerrit.instructure.com/154529
Reviewed-by: Stewie aka Nicholas Stewart <nstewart@instructure.com>
QA-Review: Nathan Mills <nathanm@instructure.com>
Product-Review: Nathan Mills <nathanm@instructure.com>
Tested-by: Jenkins
test plan:
- in user files (not course files),
- upload a zip file and select "Expand it"
- it should complete without having to reload the page
fixes ADMIN-1180
Change-Id: I9fbb52a1fa50f55ac294bc6df3057b7e4084fda6
Reviewed-on: https://gerrit.instructure.com/154982
Reviewed-by: Han Yan <hyan@instructure.com>
Reviewed-by: Steve Kacsmark <skacsmark@instructure.com>
Reviewed-by: Robert Lamb <rlamb@instructure.com>
Product-Review: Robert Lamb <rlamb@instructure.com>
QA-Review: Robert Lamb <rlamb@instructure.com>
Tested-by: Jenkins
refs QUIZ-4415
test plan:
- cr
- Quiz.Next CC import is not ready for test with only this patch
- regression on `Import Content`, to make sure:
1) `Qti .zip file` import works
2) `Common Catridge 1.x Package` import works
Change-Id: Iba2818a2b864020b6c59ef55e02f122b996e4c40
Reviewed-on: https://gerrit.instructure.com/149978
Reviewed-by: Andrew Butterfield <abutterfield@instructure.com>
Tested-by: Jenkins
Reviewed-by: Jeremy Stanley <jeremy@instructure.com>
QA-Review: David Tan <dtan@instructure.com>
Product-Review: Han Yan <hyan@instructure.com>
closes RECNVS-417
We want to give InstFS accurate information about who is actually
accessing files in canvas, even if they're masquerading as someone else.
This commit adds that additional information without breaking the normal
oauth flow for other apps that use oauth.
test plan:
* Check out g/148868 in your instfs repo
* Have canvas configured with inst-fs
* Log in to canvas as an admin
* While masqueraded as another user
- delete your inst-fs session cookie
(Go to api.instfs.docker and clear your cookies for that site)
- visit a canvas page displaying inst-fs files; this will
regenerate your inst-fs session
* base64 decode the new inst-fs session cookie; verify that it holds
the admin's user id and not the masqueraded-as user's id
Change-Id: I0790be317bf41290bcbeec672145dc64625573a0
Reviewed-on: https://gerrit.instructure.com/148142
Tested-by: Jenkins
Reviewed-by: Jacob Fugal <jacob@instructure.com>
QA-Review: Collin Parrish <cparrish@instructure.com>
Product-Review: Andrew Huff <ahuff@instructure.com>
Reviewed-by: Andrew Huff <ahuff@instructure.com>
The course id is needed to be able to access
that resource through the API.
Also only send the module updated live event
when the order changes. Previously they were
getting sent for all modules in the course,
even if the position hadn't changed.
Test plan:
- Create and make a change to context modules
and validate that the live event has the course_id
- Create and make a change to module items
and validate that the live event has the course_id
and module_id
- Reorder modules in a course and validate that the
only live events sent are for modules whose position
changed.
refs SKUNK-17
Change-Id: I8443eae28b6d8cddfc8560a22a79b99504e6664c
Reviewed-on: https://gerrit.instructure.com/148580
Reviewed-by: Andrew Butterfield <abutterfield@instructure.com>
Tested-by: Jenkins
Product-Review: Nate Collings <ncollings@instructure.com>
QA-Review: Nate Collings <ncollings@instructure.com>
refs PLAT-3024
test plan:
* request the scopes from api/v1/accounts/:account_id/scopes
- you should get back a json object that matches the documentation
* request the scopes from api/v1/accounts/:account_id/scopes passing
the query param "group_by=resources"
- you should get back a json object with the scopes grouped by
resource
Change-Id: I4562121a44e3baccc7de8e56e19629377f1931df
Reviewed-on: https://gerrit.instructure.com/148623
Reviewed-by: Marc Alan Phillips <mphillips@instructure.com>
Tested-by: Jenkins
Reviewed-by: Andrew Butterfield <abutterfield@instructure.com>
QA-Review: August Thornton <august@instructure.com>
Product-Review: Nathan Mills <nathanm@instructure.com>
Test plan:
- Merge and warmfix onto beta
- Configure our EventManager Kinesis stream
to listen to the Module and ModuleItem
live events
- Create a Module and a ModuleItem and
validate that the events were sent
- Update a Module and a ModuleItem and
validate that the events were sent
refs SKUNK-17, SKUNK-18
Change-Id: Ia047024b0f5d38e5c14a19194f75b131f9fc68cc
Reviewed-on: https://gerrit.instructure.com/146858
Reviewed-by: Andrew Butterfield <abutterfield@instructure.com>
Reviewed-by: Brent Burgoyne <bburgoyne@instructure.com>
Tested-by: Jenkins
Product-Review: Nate Collings <ncollings@instructure.com>
QA-Review: Nate Collings <ncollings@instructure.com>
refs QUIZ-4175
Test Plan:
- qa-cr for now. A subsequent commit will include a comprehensive
test plan once the Quiz LTI contract test is published.
Change-Id: I2ffe962d8a626994614f3cc904d131e41e3a00b1
Reviewed-on: https://gerrit.instructure.com/145857
Tested-by: Jenkins
Reviewed-by: Mark Grant <mgrant@instructure.com>
Product-Review: Michael Hargiss <mhargiss@instructure.com>
QA-Review: Michael Hargiss <mhargiss@instructure.com>
fixes PLAT-3033
test plan:
* The specs should pass and be less brittle
Change-Id: Iefbe9f82259cb1aa2768ba150038d3974688ce3c
Reviewed-on: https://gerrit.instructure.com/144862
Tested-by: Jenkins
Reviewed-by: Andrew Butterfield <abutterfield@instructure.com>
QA-Review: August Thornton <august@instructure.com>
Product-Review: Nathan Mills <nathanm@instructure.com>
fixes ADMIN-753
Test plan
- Set up a course with Mastery Paths and BluePrint
- Set up a child course for the BluePrint sync
- Set up a graded quiz and discussion with an item
unlocked with Mastery Paths
- Also set up any kind of item with a wiki page
unlocked by Mastery Paths
- Run the master course sync
- Verify the child course has the correct Mastery
Path links
- Remove the links from the parent course
- Ensure they are removed
Change-Id: Iad8672f295b041756821fe9f4e02b33f752c0ccb
Reviewed-on: https://gerrit.instructure.com/143566
Reviewed-by: Jeremy Stanley <jeremy@instructure.com>
Tested-by: Jenkins
QA-Review: Leo Abner <rabner@instructure.com>
Product-Review: Mysti Sadler <mysti@instructure.com>
Closes: QUIZ-4112
Test-Plan:
- We could set up local live events and run a course copy
and assert that there is a live event being pushed to the kinesis
queue
- Then assert that the kinesis queue has the event looking correct
Change-Id: Ic98d026b2c087c2be4e0b2aefae85a374a827d2a
Reviewed-on: https://gerrit.instructure.com/143322
Tested-by: Jenkins
Reviewed-by: Hannah Bottalla <hannah@instructure.com>
QA-Review: Robin Kuss <rkuss@instructure.com>
Product-Review: Jayce Higgins <jhiggins@instructure.com>
Cody Cutrer