refs INTEROP-7087
flag=lti_platform_storage
why:
* signals to tools that Canvas supports a cookie-less launch process and
is listening for postMessages on the window designated by this param
* default value is `_parent`, which means tools should send postMessages
to `window.parent || window.opener`
* can be set to something else, in which case the tool should expect
to have a sibling frame named with this value, to which it should send
postMessages - not implemented yet since there are some kinks, so always
send `_parent`
* there are other specs that check for this list of params
in a login request - once the flag is flipped on for good,
these specs will fail and will need to be changed then
test plan:
* open the Network tab of the browser dev tools
* launch an LTI 1.3 tool
* in the login request (for the 1.3 test tool it's a POST to `/login`)
look for the lti_storage_target param - it should *not* be there
* enable the lti_platform_storage feature flag
* you may need to restart the web container and/or clear cache using
`GuardRail.activate(:deploy) { Rails.cache.clear }` to get
the flag enabling to stick
* launch an LTI 1.3 tool
* in the login request, lti_storage_target should be present in the form
data and set to `_parent`
Change-Id: Ic7539d3fdc381857c435cf7fb77f0a87ffc7c605
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/274516
Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com>
Reviewed-by: Evan Battaglia <ebattaglia@instructure.com>
QA-Review: Evan Battaglia <ebattaglia@instructure.com>
Product-Review: Xander Moffatt <xmoffatt@instructure.com>
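An added example (not part of the commit or of Canvas) of how a tool might act on `lti_storage_target` as described in the message above. `resolveStorageTarget` and the frame name `storage_frame` are hypothetical; the window objects in any test are constructed stand-ins.

```javascript
// Decide where an LTI 1.3 tool should keep its state/nonce for this launch,
// based on the lti_storage_target parameter of the login request.
// `win` is the tool's own window; `loginParams` is the parsed login form data.
function resolveStorageTarget(win, loginParams) {
  const name = loginParams.lti_storage_target;

  // Parameter absent: the platform has not signalled cookie-less support,
  // so the tool stays on its cookie-based flow.
  if (name === undefined || name === null || name === '') {
    return { mode: 'cookie', target: null };
  }

  // In a browser a top-level window is its own `parent`, so check for that
  // explicitly before falling back to the opener (launch in a new tab).
  const framed = Boolean(win.parent) && win.parent !== win;
  const platformWindow = framed ? win.parent : win.opener;
  if (!platformWindow) {
    throw new Error('no parent or opener window to send postMessages to');
  }

  if (name === '_parent') {
    return { mode: 'postMessage', target: platformWindow };
  }

  // Any other value names a sibling frame, i.e. a child of the platform window.
  const sibling = platformWindow.frames ? platformWindow.frames[name] : undefined;
  if (!sibling) {
    throw new Error(`no sibling frame named ${name}`);
  }
  return { mode: 'postMessage', target: sibling };
}
```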
Added in the "resource_link_id" migration parameter for resource link
launches. This parameter is included when the LTI 1.3 resource_link_uuid
is different than the LTI 1.1 lti_context_id. It helps tools migrating
from 1.1 to 1.3 map old ids in their databases to the new ids.
flag=none
closes INTEROP-6796
test-plan:
* Install an LTI 1.1 tool and create an assignment that launches that
tool, then launch it. Note the resource_link_uuid that is provided. It
should look like a hash, not a UUID. Xander likely knows of a good LTI
1.1 tool that would work for testing, or a way to make the 1.3 tool
work for this.
* Install the LTI 1.3 Test Tool in at least the assignment submission
and course menu placement. I'm lazy, so I have it installed everywhere :)
* Migrate your previous LTI 1.1 assignment to use the LTI 1.3 Test Tool.
You can do this by updating the assignment's external_tool_tag.url to
the launch url of the LTI 1.3 Test Tool which is typically
http://lti13testtool.docker/launch.
* Launch the assignment. You should see under the
"https://purl.imsglobal.org/spec/lti/claim/lti1p1" a value for
resource_link_id. This should match the hash you saw earlier when you
launched the 1.1 tool.
* Now for some monkey-patching :). Place a byebug breakpoint at the
beginning of the include_lti1p1_claims? method in
lib/lti/messages/resource_link_request.rb. Then, launch the 1.3 tool
from the assignment. When you hit the breakpoint, monkey-patch
Assignment with the following code:
    class Assignment < ActiveRecord::Base
      def lti_resource_link_id
        primary_resource_link.resource_link_uuid
      end
    end
This makes sure that the code thinks that the LTI 1.1 and 1.3
resource_link_ids are the same, even though that can basically
never happen in real life. This way though, we know that we only
include the claim when we absolutely need to.
Continue the launch after monkey-patching and you should see there is
no resource_link_id claim in the lti1p1 claims section.
* Launch the tool from the course menu and make sure that you *don't*
see a key-value pair for resource_link_id. It should only be included
on assignment launches.
Change-Id: I85bbd977f4aa0809b2b031492bf58c0c86fea4bc
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/275459
Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com>
Reviewed-by: Xander Moffatt <xmoffatt@instructure.com>
QA-Review: Xander Moffatt <xmoffatt@instructure.com>
Product-Review: Ryan Hawkins <ryan.hawkins@instructure.com>
not really rubocop, but found while doing Style/ExpandPathArguments
Change-Id: Iec2710795be95e7663df5a49de212043459e9823
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/278626
Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com>
Reviewed-by: Jacob Burroughs <jburroughs@instructure.com>
QA-Review: Cody Cutrer <cody@instructure.com>
Product-Review: Cody Cutrer <cody@instructure.com>
auto-corrected, but so many tweaks after to gemspecs it may as well
have been manual
Change-Id: I69aeb6e216894462d6d893ed4c123aa9898fc72f
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/278516
Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com>
Reviewed-by: Jacob Burroughs <jburroughs@instructure.com>
QA-Review: Cody Cutrer <cody@instructure.com>
Product-Review: Cody Cutrer <cody@instructure.com>
[skip-stages=Flakey]
auto-corrected (with manual post-review looking for possible non-array,
non-string slices that might go bad, with none found)
Change-Id: I00feba96f58f701ed1f668f86928b8871d0d8ef2
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/277991
Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com>
Reviewed-by: Simon Williams <simon@instructure.com>
QA-Review: Cody Cutrer <cody@instructure.com>
Product-Review: Cody Cutrer <cody@instructure.com>
We're adding the https://purl.imsglobal.org/spec/lti/claim/lti1p1
migration claim that will support the `user_id` field.
closes INTEROP-6649
flag=none
test-plan:
* Have a LTI 1.3 tool installed;
* Launch the tool and verify the JWT contains the lti1p1 claim with the
user_id;
Change-Id: I9278a6b22c69336b8ef35190c09c171e9b62dce7
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/262421
Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com>
QA-Review: Evan Battaglia <ebattaglia@instructure.com>
Reviewed-by: Mysti Lilla <mysti@instructure.com>
Reviewed-by: Weston Dransfield <wdransfield@instructure.com>
Product-Review: Wagner Goncalves <wagner.goncalves@instructure.com>
When launching a 1.3 tool as an unauthenticated user (possible in
public courses), Canvas sends the `sub` claim as
`https://canvas.instructure.com/public_user`
However, the sub claim should really be omitted when launching a tool as
an unauthenticated user, according to the IMS spec.
http://www.imsglobal.org/spec/lti/v1p3/#user-identity-claims
The `lti11_legacy_user_id` claim should follow the same behavior of
user_id claim in an LTI 1.1 tool. As `user_id` is empty when launching
a LTI 1.1 tool in a public course with unauthenticated user we're
changing the `lti11_legacy_user_id` claim to return an empty string
instead of `https://canvas.instructure.com/public_user`.
closes INTEROP-6599
flag=none
test-plan:
* Have a public course published;
* Install an LTI 1.3 tool with course navigation placement enabled, you
can use this change in the LTI 1.3 Test Tool
https://gerrit.instructure.com/c/canvas-lms/+/262530, which disables
sub claim validation;
* As an unauthenticated user, access the tool in the course navigation,
and verify that the tool should launch and the `sub` claim should not
be present and the `lti11_legacy_user_id` claim should be empty;
* As an authenticated user, access the tool in the course navigation,
and verify that the tool should launch and the `sub` and
`lti11_legacy_user_id` claims should be present;
Change-Id: I78bb64e3d898f44fcc401a43d054909032ef5420
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/262530
Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com>
Reviewed-by: Evan Battaglia <ebattaglia@instructure.com>
QA-Review: Evan Battaglia <ebattaglia@instructure.com>
Product-Review: Wagner Goncalves <wagner.goncalves@instructure.com>
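An added example (tool-side, not Canvas or test-tool code) tying together the `lti1p1` migration claim's `user_id` and `resource_link_id` and the omitted-`sub` behaviour described in the commit messages above. It assumes the ID token signature has already been verified; `resolveLaunch`, `rekey` and the two `Map` stores are hypothetical, and treating the old `public_user` value as anonymous is a defensive choice made here.

```javascript
const LTI1P1 = 'https://purl.imsglobal.org/spec/lti/claim/lti1p1';
const RESOURCE_LINK = 'https://purl.imsglobal.org/spec/lti/claim/resource_link';
// Value Canvas previously sent as `sub` for unauthenticated launches.
const PUBLIC_USER = 'https://canvas.instructure.com/public_user';

// Find a record under its LTI 1.3 id, or move it there from its LTI 1.1 id.
function rekey(store, legacyKey, newKey) {
  if (store.has(newKey)) return store.get(newKey);
  if (typeof legacyKey === 'string' && legacyKey !== '' && store.has(legacyKey)) {
    const record = store.get(legacyKey);
    store.delete(legacyKey);
    store.set(newKey, record);
    return record;
  }
  return null;
}

// claims: decoded, already-verified ID token payload.
// users / links: the tool's records, keyed by LTI 1.1 ids before migration.
function resolveLaunch(claims, users, links) {
  const migration = claims[LTI1P1] || {};

  // No `sub` means an unauthenticated launch. Never map it to an account,
  // and ignore any legacy user_id that arrives alongside it.
  const sub = claims.sub;
  const anonymous = typeof sub !== 'string' || sub === '' || sub === PUBLIC_USER;
  const user = anonymous ? null : rekey(users, migration.user_id, sub);

  // The migration resource_link_id is only sent when it differs from the
  // 1.3 id, so when it is absent the lookup is by the 1.3 id alone.
  const linkId = (claims[RESOURCE_LINK] || {}).id;
  const link = typeof linkId === 'string' && linkId !== ''
    ? rekey(links, migration.resource_link_id, linkId)
    : null;

  return { anonymous, user, link };
}
```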
because of nokogiri, we rely on multi-platform gem caching, which
only works right in bundler 2.2
Change-Id: Id207278946e849abec3418807c71e4650506a0cf
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/259142
Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com>
Reviewed-by: Jacob Burroughs <jburroughs@instructure.com>
QA-Review: Cody Cutrer <cody@instructure.com>
Product-Review: Cody Cutrer <cody@instructure.com>
Change-Id: Ib49bc8939cf1706e758429e531a87c57d0231a37
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/251156
Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com>
Reviewed-by: Simon Williams <simon@instructure.com>
QA-Review: Simon Williams <simon@instructure.com>
Product-Review: Simon Williams <simon@instructure.com>
We're adding the `lti11_legacy_user_id` variable because it is a constant
request from tool vendors that are working on the migration to LTI 1.3.
closes INTEROP-6214
flag=none
test-plan:
* Have a LTI 1.3 tool installed in your local Canvas, you can use the
lti-1.3.-test-tool for it.
* Launch the tool and ensure that under the JWT Decode that you see the
lti11_legacy_user_id variable as a String that matches with the current
user.
Change-Id: Id0efd2602111f99f0365ea95e2a8074c2ceca477
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/249755
Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com>
QA-Review: Weston Dransfield <wdransfield@instructure.com>
Product-Review: Karl Lloyd <karl@instructure.com>
Reviewed-by: Weston Dransfield <wdransfield@instructure.com>
Change-Id: I3d09440a090838edc8dd4557d98705926c2aaa09
Reviewed-on: https://gerrit.instructure.com/202620
Tested-by: Jenkins
Reviewed-by: James Williams <jamesw@instructure.com>
QA-Review: James Williams <jamesw@instructure.com>
Product-Review: James Williams <jamesw@instructure.com>
Closes PLAT-4713
Test Plan:
Do an LTI 1.3 launch and verify the correct client_id is sent
in the initial login message from Canvas
Change-Id: I7cb82be8dbe7a356cf6ead8fa37a14bcea957148
Reviewed-on: https://gerrit.instructure.com/203073
Tested-by: Jenkins
Reviewed-by: Clint Furse <cfurse@instructure.com>
QA-Review: Clint Furse <cfurse@instructure.com>
Product-Review: Weston Dransfield <wdransfield@instructure.com>
Closes PLAT-4658
Test Plan:
Do an LTI 1.3 launch and verify the canvas_region param is sent
in the login request. If your database server does not have a
region configured locally the value should be "not configured"
Change-Id: I2b4211504a3c8ed8420efc9d038e48f2896cefd8
Reviewed-on: https://gerrit.instructure.com/201176
Tested-by: Jenkins
QA-Review: Marc Phillips <mphillips@instructure.com>
Product-Review: Weston Dransfield <wdransfield@instructure.com>
Reviewed-by: Clint Furse <cfurse@instructure.com>
Call the message validations on the lti messages
before we send the launch.
closes PLAT-4117
Test Plan:
- do a launch, it should still work
Change-Id: I34d20c328173158c76b11aacf7028f7eb152f87b
Reviewed-on: https://gerrit.instructure.com/185216
Tested-by: Jenkins
Reviewed-by: Nathan Mills <nathanm@instructure.com>
QA-Review: Marc Phillips <mphillips@instructure.com>
Product-Review: Marc Phillips <mphillips@instructure.com>
sqlite3 released a new version yesterday, but active record is pinned to
a previous version in a way that just errors. the version pins here can
be reverted once rails releases a compatibility update. see
https://github.com/rails/rails/pull/35154
Change-Id: If9edc76058d96a75b8731422407ecea2afb4ce29
Reviewed-on: https://gerrit.instructure.com/180583
Reviewed-by: James Butters <jbutters@instructure.com>
Tested-by: Jenkins
QA-Review: Simon Williams <simon@instructure.com>
Product-Review: Simon Williams <simon@instructure.com>
closes PLAT-4107
Test plan:
- Using the test tool, do a launch and see that
the target_link_uri is sent on the login and
the final launch as a claim
Change-Id: I32da1f86a5a0c47e3aee6d66aeac74439696276b
Reviewed-on: https://gerrit.instructure.com/177299
Tested-by: Jenkins
Reviewed-by: Weston Dransfield <wdransfield@instructure.com>
QA-Review: Weston Dransfield <wdransfield@instructure.com>
Product-Review: Marc Phillips <mphillips@instructure.com>
closes PLAT-4050
Test Plan:
- create a user, should work
- update a user, should work
- attempt to change the lti_id in the console, should fail
- attempt a 1.3 launch and note that id is changed to new id
- also note the lti11_legacy_user_id field is present
Change-Id: I2747d76b08714a66cd2862b81c4f50e5068021e8
Reviewed-on: https://gerrit.instructure.com/174693
Reviewed-by: Rob Orton <rob@instructure.com>
Reviewed-by: Weston Dransfield <wdransfield@instructure.com>
QA-Review: Weston Dransfield <wdransfield@instructure.com>
Tested-by: Jenkins
Product-Review: Marc Phillips <mphillips@instructure.com>
Closes PLAT-4021
Test Plan:
- Install an LTI 1.3 tool that uses the editor_button
placement.
The tool's configuration should set the message
type of each of these placements to 'LtiDeepLinkingRequest'
- Launch the tool from the RCE and verify
* The 3rd party initiated OpenID auth flow occurs
* The ID token contains all standard LTI claims
(all claims a ResourceLinkRequest contains minus resource_link_id
related items)
* Custom variables are supported and expanded
* The deep linking settings claim is sent with all required
values
Change-Id: I56ac0f708fb0afe7ffe515803f3fdb6f63f50d5b
Reviewed-on: https://gerrit.instructure.com/173385
Tested-by: Jenkins
Reviewed-by: Marc Phillips <mphillips@instructure.com>
QA-Review: Marc Phillips <mphillips@instructure.com>
Product-Review: Jesse Poulos <jpoulos@instructure.com>
git may not be installed
Change-Id: I69a3dfcd5dc9d743daca70bad15d994bc3ae5e0a
Reviewed-on: https://gerrit.instructure.com/173693
Reviewed-by: James Williams <jamesw@instructure.com>
Tested-by: Jenkins
QA-Review: Cody Cutrer <cody@instructure.com>
Product-Review: Cody Cutrer <cody@instructure.com>
- LTI 1.3 launches now include an AGS claim
(`https://purl.imsglobal.org/spec/lti-ags/claim/endpoint`)
if the current tool's `DeveloperKey` has been granted
any AGS scope.
- If the launched link is an `Assignment`, the AGS claim will
include a `lineitem` sub-claim set to the `Assignment`'s
LTI Advantage `LineItem` API URL
(`/api/lti/courses/:course_id/line_items/:line_item_id`).
- In any AGS-enabled launch from a `Course` or `Group`,
the AGS claim will include a `lineitems` sub-claim set to the
`Course`'s LTI Advantage `LineItem` collection API URL
(`/api/lti/courses/:course_id/line_items`.)
Closes LTIA-49
Test Plan:
1. Create an LTI 1.3 tool with at least one AGS scope granted to
its `DeveloperKey`. Those scopes are:
- `https://purl.imsglobal.org/spec/lti-ags/scope/lineitem`
- `https://purl.imsglobal.org/spec/lti-ags/scope/lineitem.readonly`
- `https://purl.imsglobal.org/spec/lti-ags/scope/result.readonly`
- `https://purl.imsglobal.org/spec/lti-ags/scope/score`
2. Launch the tool from a course navigation link.
3. Verify that the
`https://purl.imsglobal.org/spec/lti-ags/claim/endpoint` claim is
present and:
3.1. Sets all the granted scopes into the `scope` sub-claim
3.2. Sets the `lineitems` sub-claim to
`/api/lti/courses/:course_id/line_items`
3.3. The `lineitem` sub-claim is not present.
4. Bind the tool to an `Assignment` and launch from that
`Assignment`.
5. Verify that the
`https://purl.imsglobal.org/spec/lti-ags/claim/endpoint` claim is
present and:
5.1. Sets all the granted scopes from step 1 into the `scope`
sub-claim
5.2. Sets the `lineitems` sub-claim to
`/api/lti/courses/:course_id/line_items`
5.3. Sets the `lineitem` sub-claim to
`/api/lti/courses/:course_id/line_items/:line_item_id`
To find :line_item_id for step 5.3 either use the console or database
query. E.g. in the console:
`Assignment.find(Assignment.maximum(:id)).line_items.find(&:assignment_line_item?).id`
6. Create another LTI 1.3 tool but do not grant any AGS scopes to its
`DeveloperKey`.
7. Launch the tool from a course navigation link.
8. Verify that the
`https://purl.imsglobal.org/spec/lti-ags/claim/endpoint` claim is
not present.
9. Bind the tool to an `Assignment` and launch from that
`Assignment`.
10. Verify that the
`https://purl.imsglobal.org/spec/lti-ags/claim/endpoint` claim is
not present.
Change-Id: I787d3e99c60993ed3d28ede08455617e601f3d30
Reviewed-on: https://gerrit.instructure.com/171345
Tested-by: Jenkins
Reviewed-by: Weston Dransfield <wdransfield@instructure.com>
QA-Review: Weston Dransfield <wdransfield@instructure.com>
Product-Review: Marc Phillips <mphillips@instructure.com>
Closes: PLAT-3987, PLAT-3988
Test Plan:
- Verify the following for assignment, course nav,
and user nav placements:
* The unsigned ID token body is stored as JSON in
redis using the same key scheme as sessionless
launches
* The ID token contains all resource link
request claims
* Custom parameters are expanded before the body
is cached
- Verify the message_hint is now a jwt that contains
the domain and the "verifier"
Change-Id: I468e8af6ededdb4f6ef3da4d1014dc702f570543
Reviewed-on: https://gerrit.instructure.com/171223
Tested-by: Jenkins
Reviewed-by: Marc Phillips <mphillips@instructure.com>
QA-Review: Marc Phillips <mphillips@instructure.com>
Product-Review: Weston Dransfield <wdransfield@instructure.com>
Closes PLAT-3950
Test Plan:
- Do the following for an LTI launch from an
LTI assignment, the course navigation, and the
user_settings placement.
* Verify correct LTI launch is stored in Redis
* Verify a login message is posted instead of
an LTI launch
* Verify the login message contains the following:
- iss -> The iss in the Canvas security config
- login_hint -> The session ID
- target_link_uri -> placeholder string for now
- lti_message_hint -> The redis key "verifier"
Change-Id: Iacd9e45b1883d062339d3ea03721f8c53cb815dd
Reviewed-on: https://gerrit.instructure.com/171036
Tested-by: Jenkins
Reviewed-by: Marc Phillips <mphillips@instructure.com>
QA-Review: Marc Phillips <mphillips@instructure.com>
Product-Review: Weston Dransfield <wdransfield@instructure.com>
- Per recent NRPS vs spec change, the `service_version` LTI 1.3
launch sub-claim is renamed to `service_versions` and its type
changed from a string to an array of strings. (The expressed
version itself is still the same, i.e. it just appears as
["2.0"] instead of an unwrapped "2.0".)
Closes LTIA-35 WIP
Test Plan:
- Verify LTI 1.3 launches to the IMS Reference Implementation include
a https://purl.imsglobal.org/spec/lti-nrps/claim/namesroleservice
claim with a `"service_versions": ["2.0"]` sub-claim
Change-Id: I53801d633166a07c571e106cc60256729059fdcf
Reviewed-on: https://gerrit.instructure.com/167714
QA-Review: Samuel Barney <sbarney@instructure.com>
Tested-by: Jenkins
Product-Review: Karl Lloyd <karl@instructure.com>
Reviewed-by: Marc Phillips <mphillips@instructure.com>
- Given a Tool with the `use_1_3` setting set to `true` and an
Account with the `lti_1_3` feature flag enabled, a resource link
launch JWT now includes a
`https://purl.imsglobal.org/spec/lti-nrps/claim/namesroleservice`
claim. The `context_memberships_url` field within that claim
advertises the NRPS v2 URL from which the Context's memberships
can be retrieved.
- Only works for Course and Group Contexts (though launching
from a Group does not seem to be possible at this time).
Closes LTIA-12
Test Plan:
* Create a Course and create and accept several Enrollments in
it.
* Create a LTI 1.3-enabled Tool configured to connect to the
IMS LTI 1.3/Advantage reference implementation and ensure the
Tool is placed into the Course.
* Enable the LTI 1.3/Advantage feature for the Course's Account.
* Launch the Tool.
* Verify the presence of the
`https://purl.imsglobal.org/spec/lti-nrps/claim/namesroleservice`
claim in the IMS RI's user interface, which should indicate
a successful launch.
* Verify enablement of the "Request Names and Roles" button in the
IMS RI user interface. Click it.
* Correct Course membership should be returned to the RI and
displayed in the on-screen panel.
* NB this may require configuring the RI Tool with a OAuth2
access token URL pointing to a Platform configured in the RI
Tool.
Change-Id: I9d6f97166aee88b5a1e4301a82e3c4604a555462
Reviewed-on: https://gerrit.instructure.com/166205
Tested-by: Jenkins
Reviewed-by: Marc Alan Phillips <mphillips@instructure.com>
QA-Review: Pedro Fajardo <pfajardo@instructure.com>
Product-Review: Karl Lloyd <karl@instructure.com>
Closes PLAT-3629
Test Plan:
- Install an LTI 1 tool in a course
- Modify the tool via the Rails console:
`tool.settings['use_1_3'] = true; tool.save!`
- Add the tool to a module item
- Launch the tool and verify a JWT is sent as the 'id_token'
- Verify the JWT contains all required LTI 1.3 claims (minus
security claims).
- Verify all claim data is accurate
- Verify the JWT contains all extensions Canvas sends
from the same placement in LTI 1.1
- Verify custom variables are sent and expanded
- Create an External Tool assignment with the same tool
- View the assignment and verify a JWT is sent as the
'id_token'
- Verify the JWT contains all required LTI 1.3 claims (minus
the security claims).
- Verify the JWT contains all extension Canvas sends in LTI 1
(ext_ LTI 1 params) as extension claims.
Note: For now the id_token is signed with a placeholder secret.
Change-Id: I7df3d150055bb30010bb509e4d40dde82a406631
Reviewed-on: https://gerrit.instructure.com/158907
Tested-by: Jenkins
Reviewed-by: Marc Alan Phillips <mphillips@instructure.com>
Product-Review: Marc Alan Phillips <mphillips@instructure.com>
QA-Review: Marc Alan Phillips <mphillips@instructure.com>
refs PLAT-3500
Change-Id: I72c7166bd58053017fba0cca0c4be271de4a2b45
Reviewed-on: https://gerrit.instructure.com/157551
Tested-by: Jenkins
Reviewed-by: Marc Alan Phillips <mphillips@instructure.com>
Product-Review: Marc Alan Phillips <mphillips@instructure.com>
QA-Review: Marc Alan Phillips <mphillips@instructure.com>