refs CNVS-27581
this ensures we have one correlation ID for a request coming
through the ecosystem rather than a separate ID for each request
at each service. Each request id must be signed to make sure
others can't just submit whatever they want.
TEST PLAN:
1) make an API request and provide the header 'X-Request-Context-Id'
2) make sure to include the X-Request-Context-Signature header, which
should have the value of the sha512 signature with the shared
secret for the services ecosystem
3) the logs should show your provided value as the context Id for that
canvas request
Change-Id: I610fbe8c4df355d43c05360670f80971d1459644
Reviewed-on: https://gerrit.instructure.com/73166
Tested-by: Jenkins
Reviewed-by: Simon Williams <simon@instructure.com>
QA-Review: Jeremy Putnam <jeremyp@instructure.com>
Product-Review: Ethan Vizitei <evizitei@instructure.com>
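The header check described above, as an added example (not Canvas code): a caller-supplied X-Request-Context-Id is honoured only when X-Request-Context-Signature verifies under the shared ecosystem secret, otherwise a fresh ID is minted. The commit says "sha512 signature with the shared secret"; HMAC-SHA512 over the ID, hex encoded, is this example's assumption about the exact construction, and the header names are used as plain hash keys.

```ruby
require 'openssl'
require 'securerandom'

# Added example, not Canvas code. Resolves the correlation ID for an incoming
# request: accept the upstream ID only when its signature verifies under the
# shared secret; otherwise generate a new one so an unsigned or forged ID can
# never be injected into the logs.
module RequestContext
  ID_HEADER        = 'X-Request-Context-Id'
  SIGNATURE_HEADER = 'X-Request-Context-Signature'

  # What a trusted upstream service computes before forwarding the request
  # (assumed construction: HMAC-SHA512 over the ID, lowercase hex).
  def self.sign(context_id, secret)
    OpenSSL::HMAC.hexdigest('SHA512', secret, context_id)
  end

  # Byte-wise constant-time comparison so a forged signature cannot be
  # refined by timing how far the comparison got.
  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    diff = 0
    a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
    diff.zero?
  end

  def self.valid_signature?(context_id, signature, secret)
    return false if context_id.nil? || context_id.empty? || signature.nil?
    secure_compare(sign(context_id, secret), signature.downcase)
  end

  # Returns [context_id, outcome]; outcome is one of
  #   :accepted  - header present and correctly signed
  #   :rejected  - header present but signature missing or wrong
  #   :generated - no header supplied
  def self.resolve(headers, secret)
    supplied = headers[ID_HEADER]
    return [SecureRandom.uuid, :generated] if supplied.nil? || supplied.empty?
    if valid_signature?(supplied, headers[SIGNATURE_HEADER], secret)
      [supplied, :accepted]
    else
      [SecureRandom.uuid, :rejected]
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  secret = 'constructed-shared-secret' # constructed sample secret
  id = 'req-0001'                       # constructed sample ID
  good = { RequestContext::ID_HEADER => id,
           RequestContext::SIGNATURE_HEADER => RequestContext.sign(id, secret) }
  forged = good.merge(RequestContext::SIGNATURE_HEADER => 'f' * 128)
  p RequestContext.resolve(good, secret)   # => ["req-0001", :accepted]
  p RequestContext.resolve(forged, secret) # fresh uuid, :rejected
  p RequestContext.resolve({}, secret)     # fresh uuid, :generated
end
```

A rejected signature still yields a usable correlation ID, so the request proceeds; only the untrusted value is dropped.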
closes CNVS-27597
We need to not slam consul for rarely changing data.
the '#find' method still gets the value from consul every time.
Cache can be infinite or with timeout.
TEST PLAN:
1) have some data in consul for what the signing secret is for canvas
2) Make sure to query it (Canvas::Security::ServicesJwt.signing_secret)
3) change the consul data
4) query it again, it should not have updated
5) send a SIGHUP
6) query it again, it should have changed
Change-Id: I5b923b8e44ab90692e87969c494a7c65fafcad72
Reviewed-on: https://gerrit.instructure.com/73198
Reviewed-by: Cody Cutrer <cody@instructure.com>
Reviewed-by: Brian Palmer <brianp@instructure.com>
Tested-by: Jenkins
Reviewed-by: David Adams <dadams@instructure.com>
QA-Review: Jeremy Putnam <jeremyp@instructure.com>
Product-Review: Simon Williams <simon@instructure.com>
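The caching behaviour the test plan exercises, as an added example (not Canvas code): a value read from a settings store is memoized either forever or for a TTL, and a SIGHUP empties the cache so the next read goes back to the store. A hash stands in for consul; Canvas::DynamicSettings and Canvas::Security::ServicesJwt are not used, and the class name is this example's own.

```ruby
# Added example, not Canvas code. Memoizes a store lookup so a rarely changing
# secret is not fetched on every request, with an explicit reset hook that a
# SIGHUP handler can call after the value is rotated in the store.
class CachedSetting
  # ttl: seconds before a cached value is re-read (nil means cache forever).
  # clock: injectable so the TTL path can be tested without sleeping.
  # The block is the (expensive) read against the backing store.
  def initialize(ttl: nil, clock: nil, &reader)
    @ttl = ttl
    @clock = clock || -> { Process.clock_gettime(Process::CLOCK_MONOTONIC) }
    @reader = reader
    @store_reads = 0
    reset!
  end

  attr_reader :store_reads

  # Returns the cached value, reading from the store only on a cold cache or
  # once the TTL has elapsed.
  def value
    if !@fresh || expired?
      @cached = @reader.call
      @fetched_at = @clock.call
      @fresh = true
      @store_reads += 1
    end
    @cached
  end

  # Drop the cached value; the next #value call re-reads the store.
  def reset!
    @cached = nil
    @fetched_at = nil
    @fresh = false
  end

  # Wire SIGHUP to reset!, so an operator can rotate the secret in the store
  # and signal the process instead of restarting it.
  def reset_on_sighup!
    Signal.trap('HUP') { reset! }
    self
  end

  private

  def expired?
    return false if @ttl.nil?
    @clock.call - @fetched_at >= @ttl
  end
end

if __FILE__ == $PROGRAM_NAME
  store = { 'signing_secret' => 'old' } # constructed stand-in for consul
  secret = CachedSetting.new { store['signing_secret'] }.reset_on_sighup!
  puts secret.value # old
  store['signing_secret'] = 'new'
  puts secret.value # still old: served from cache
  secret.reset!     # what the SIGHUP handler does
  puts secret.value # new
end
```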
closes CNVS-27576
TEST PLAN:
1) JWT with nbf in the future should get rejected (tests prove this)
Change-Id: I55f5bde030a6be4caee323a14988e3fbb49cfa95
Reviewed-on: https://gerrit.instructure.com/73132
Reviewed-by: Jacob Fugal <jacob@instructure.com>
Tested-by: Jenkins
Product-Review: Ethan Vizitei <evizitei@instructure.com>
QA-Review: Ethan Vizitei <evizitei@instructure.com>
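The nbf rule this commit adds, as an added example (not Canvas code and not the json-jwt gem): a minimal HS256 JWT encoder/verifier in which a token whose nbf lies in the future is rejected just like one whose exp has passed. `now` and `leeway` are injectable so the checks run deterministically; the module name and helper names are this example's own.

```ruby
require 'json'
require 'openssl'

# Added example, not Canvas code. Enough of a JWT implementation to show the
# order of checks a verifier must follow: pin the algorithm, verify the
# signature, and only then trust the time claims (nbf, exp).
module MiniJwt
  class VerificationError < StandardError; end

  def self.b64url(bytes)
    [bytes].pack('m0').tr('+/', '-_').delete('=')
  end

  def self.b64url_decode(str)
    padded = str.tr('-_', '+/')
    padded += '=' * ((4 - padded.length % 4) % 4)
    padded.unpack1('m0') # strict: raises ArgumentError on bad input
  end

  def self.sign(signing_input, secret)
    b64url(OpenSSL::HMAC.digest('SHA256', secret, signing_input))
  end

  def self.encode(claims, secret)
    header = b64url(JSON.generate({ 'alg' => 'HS256', 'typ' => 'JWT' }))
    payload = b64url(JSON.generate(claims))
    signing_input = "#{header}.#{payload}"
    "#{signing_input}.#{sign(signing_input, secret)}"
  end

  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    diff = 0
    a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
    diff.zero?
  end

  # Returns the claims hash or raises VerificationError. Claims from an
  # unsigned or mis-signed token are never inspected, not even for the clock.
  def self.decode(token, secret, now: Time.now.to_i, leeway: 0)
    parts = token.to_s.split('.')
    raise VerificationError, 'malformed token' unless parts.length == 3
    header_b64, payload_b64, sig = parts
    header = JSON.parse(b64url_decode(header_b64))
    # Pin the algorithm: never let the token choose it (e.g. alg: none).
    unless header.is_a?(Hash) && header['alg'] == 'HS256'
      raise VerificationError, 'unexpected alg'
    end
    expected = sign("#{header_b64}.#{payload_b64}", secret)
    raise VerificationError, 'bad signature' unless secure_compare(expected, sig)

    claims = JSON.parse(b64url_decode(payload_b64))
    if claims['nbf'] && claims['nbf'] > now + leeway
      raise VerificationError, 'token not yet valid (nbf in the future)'
    end
    if claims['exp'] && claims['exp'] <= now - leeway
      raise VerificationError, 'token expired'
    end
    claims
  rescue ArgumentError, JSON::ParserError
    raise VerificationError, 'malformed token'
  end
end
```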
refs CNVS-24823
having the host in the token means we don't need to pass multiple
parameters to give a service context for proxying API calls.
TEST PLAN:
1) jwt should still be able to be generated
2) decrypted/decoded JWT should include a 'domain' entry
Change-Id: Ib886e37a12aba23f4f938a4b5cfa10adb44083af
Reviewed-on: https://gerrit.instructure.com/71727
Tested-by: Jenkins
Reviewed-by: Simon Williams <simon@instructure.com>
Product-Review: Ethan Vizitei <evizitei@instructure.com>
QA-Review: Ethan Vizitei <evizitei@instructure.com>
closes CNVS-26734
distributing env vars through production is harder
than updating a shared highly available store. We put this stuff
in consul now so it's easy to update everywhere at once.
also clean up webmock spec usage, it causes a lot of errors
because its configuration seeps outside the specs it's currently used
in
TEST PLAN:
1) no production changes (does not touch app code)
2) clean install, clean config directory
3) copy docker-compose/config/ files to your config directory
4) you shouldn't be missing any config files when you start your
compose file up
5) Canvas::DynamicSettings.find("canvas") should give you a hash
with your secrets from the init values in your config file
6) ServicesJwt.signing_secret and ServicesJwt.encryption secret
should pull those same values
7) if you have env vars for ECOSYSTEM_KEY or ECOSYSTEM_SECRET, they
should be ignored
Change-Id: I3b3c1b19d6e2a05af3e6caa2e0af6c5d1dc6df66
Reviewed-on: https://gerrit.instructure.com/71559
Tested-by: Jenkins
Reviewed-by: Simon Williams <simon@instructure.com>
Product-Review: Ethan Vizitei <evizitei@instructure.com>
QA-Review: Ethan Vizitei <evizitei@instructure.com>
The request body params can be unbounded in size, so if they're too
large, truncate the string.
Change-Id: Icc3a7bc27227f38a05cc5fc67789616cd3c71fd3
Reviewed-on: https://gerrit.instructure.com/71867
Reviewed-by: Cody Cutrer <cody@instructure.com>
Tested-by: Jenkins
Product-Review: Brian Palmer <brianp@instructure.com>
QA-Review: Brian Palmer <brianp@instructure.com>
previously, we imported nested modules together within
one module, (using nesting to distinguish between submodules)
possibly leading to very large modules
now, submodules can be broken up on import using the
"Select Content" dialog
test plan:
* import the Common Cartridge package referenced in the ticket
using the "Select specific content" option
* use the dialog to navigate the module tree and select
specific sub-modules
* if all sub-modules of a given module are selected, a
radio toggle should appear to choose whether to import
the module as one or to split them up
closes #CNVS-26696
Change-Id: Ia542cd7ec847e810a01d92c675c6cc92d1247345
Reviewed-on: https://gerrit.instructure.com/71099
Reviewed-by: Jeremy Stanley <jeremy@instructure.com>
Tested-by: Jenkins
QA-Review: Jahnavi Yetukuri <jyetukuri@instructure.com>
Product-Review: Matt Goodwin <mattg@instructure.com>
closes gh-748
remove method that's now in the gem, and be more intelligent about adding
methods awaiting pull requests
Change-Id: Ia304eca9cd53d1981e890de5dcb7e48fb2d4c460
Reviewed-on: https://gerrit.instructure.com/71140
Tested-by: Jenkins
Reviewed-by: Simon Williams <simon@instructure.com>
Product-Review: Cody Cutrer <cody@instructure.com>
QA-Review: Cody Cutrer <cody@instructure.com>
Google drive relevant code has been moved to the gems/google_drive
Actually test google drive with mocked api responses
cleaned up lots of code
Fixes PLAT-1301
Test Plan:
*** You'll need to use 2 separate google accounts to fully test ***
** It's helpful to have multiple Chrome profiles so you don't have to log in and
** out a bunch https://support.google.com/chrome/answer/2364824?hl=en
BEFORE SWITCHING TO THIS PATCH SET
- Make sure you have some google doc collaborations
- Directions for creating one are below
- Disable your google docs plugin
Switch to the patch set
Enable google drive. (if not already)
- You should be able to paste in a client_secrets.json
- Update Redirect URI to point to your local instance (The URI should exist in the JSON)
As an admin/teacher
- Go to `profile/settings` and add the google drive user service
- Your email should be displayed with the service
- Go to Collaborations
- Make sure existing collaborations still work
- Click "Start new collaboration"
- give it a nice name (Created by admin)
- select your student
- click start collaborating
- You should be redirected to the new doc in google
- create another collaboration without the student (Created by admin, no users)
- Create an assignment with
Submission Type: Online
Online Entry Options: File Uploads
- Make sure your student has access to the course/assignment
- Go to Account settings -> Users
- Click View User Groups in the top right
- create a new group set with a group in it
- add yourself and your student to the group
- Go to the Group's Collaborations (Courses & Groups -> [group name] -> Collaborations)
- Click "Start new collaboration"
- give it a nice name (Created by admin for group)
- select your student
- click start collaborating
- You should be redirected to the new doc in google
As a student
- Go to `profile/settings` and add the google drive user service
- Your email should be displayed with the service
- Go to the assignment
- Submit the assignment
- You should have a "Google Doc" tab
- Choose a document and submit it
- After it's submitted, click download on the right side
just to make sure it's correct
- Go to Collaborations
- Make sure existing collaborations still work
- make sure the "created by admin" collaboration works
- make sure you can't see "Created by admin, no users"
- Click "Start new collaboration"
- give it a nice name (created by a student)
- click start collaborating
- You should be redirected to the new doc in google
- Switch to your admin/teacher and make sure they can't access it
- Edit the collaboration add the teacher, click Save
- Switch to your admin/teacher and make sure they can access it
- Go to `profile/settings` and REMOVE the google drive user service
- Go back to collaborations
- You should be forced to add the google service in order to use a collaboration
- Go to the Group's Collaborations (Courses & Groups -> [group name] -> Collaborations)
- Make sure you can access "Created by admin for group"
- Click "Start new collaboration"
- select your admin/teacher
- click start collaborating
- You should be redirected to the new doc in google
- make sure your admin can access it too
As a site admin
- Disable Google Drive
- Then with your student
- Make sure you can still do file upload submissions on the assignment
- Collaborations should no longer show up (unless you have etherpad enabled)
- Google drive should no longer show up in your profile settings as a registered service
Change-Id: I4dfaff6f5262743c044aadd12266fd0bd85a60e1
Reviewed-on: https://gerrit.instructure.com/69078
Reviewed-by: Andrew Butterfield <abutterfield@instructure.com>
Tested-by: Jenkins
QA-Review: August Thornton <august@instructure.com>
Product-Review: Brad Horrocks <bhorrocks@instructure.com>
test plan:
* user_spec.rb:2085 should actually run, and pass, on ubuntu
Change-Id: I28b31cbc56d4225f83001c506e1fb752223a8843
Reviewed-on: https://gerrit.instructure.com/71072
Reviewed-by: Simon Williams <simon@instructure.com>
Tested-by: Jenkins
QA-Review: August Thornton <august@instructure.com>
Product-Review: Cody Cutrer <cody@instructure.com>
refs CNVS-26792
messages are easier to group back to their accounts if the
root_account_id is populated when a ticketing system ticket
is created and a send via email is attempted.
TEST PLAN:
1) enable ticketing connector for email
2) file a ticket
3) in the rails console, the generated message object
has its root_account_id populated
Change-Id: Iceae2d09c6a33ba522a4333f634d238a78c81e03
Reviewed-on: https://gerrit.instructure.com/71068
Tested-by: Jenkins
Reviewed-by: Simon Williams <simon@instructure.com>
QA-Review: August Thornton <august@instructure.com>
Product-Review: Ethan Vizitei <evizitei@instructure.com>
refs CNVS-18526
test plan:
- navigate to <canvas>/accounts/self/plugins/ticketing_system
- select an account and ticketing system type
- apply the account configuration settings
- expect plugin settings to successfully update
Change-Id: Ie620e26dd991b54d9cdbb24c4680386c826b2572
Reviewed-on: https://gerrit.instructure.com/71001
Reviewed-by: Simon Williams <simon@instructure.com>
Tested-by: Jenkins
QA-Review: Jeremy Putnam <jeremyp@instructure.com>
Product-Review: August Thornton <august@instructure.com>
closes CNVS-26758
Sentry has a dedicated field for this now, opening up additional
functionality such as a count of affected users for each error.
test plan: enable sentry and trigger an in-request error, the error
report will now include your user id in a separate "user" section.
Change-Id: Ia58d54b923f7daa67e2ce060c02f0cfa0494387d
Reviewed-on: https://gerrit.instructure.com/70918
Reviewed-by: Simon Williams <simon@instructure.com>
Tested-by: Jenkins
Product-Review: Brian Palmer <brianp@instructure.com>
QA-Review: Brian Palmer <brianp@instructure.com>
closes CNVS-26657
Most bundles are extended in plugins with the glue
code method, this second method was only used
by one plugin. Now that we've
ported it to the glue code method, we can remove
this extension mechanism entirely.
Change-Id: Ice1ad4a3308779f12a85b560f624203fdc09d63d
Reviewed-on: https://gerrit.instructure.com/70755
Reviewed-by: Jon Jensen <jon@instructure.com>
Reviewed-by: Ryan Shaw <ryan@instructure.com>
Tested-by: Jenkins
Product-Review: Ethan Vizitei <evizitei@instructure.com>
QA-Review: Ethan Vizitei <evizitei@instructure.com>
refs #CNVS-26056
Change-Id: Ia94ee2fcfded1ec66cb77a19085b005c81304800
Reviewed-on: https://gerrit.instructure.com/70251
Reviewed-by: Cody Cutrer <cody@instructure.com>
Tested-by: Jenkins
Product-Review: James Williams <jamesw@instructure.com>
QA-Review: James Williams <jamesw@instructure.com>
It is a middleware so it was in the wrong place. This solves class
reloading problems in dev.
test plan:
request throttling should still function (you can look for "request
throttling increment" log lines) and should no longer cause "A copy of
Canvas::RequestThrottle has been removed from the module tree but is
still active" errors.
Change-Id: Ied6aaa6de4ac64ddfb14c80c76463f253b988bd7
Reviewed-on: https://gerrit.instructure.com/70265
Reviewed-by: Cody Cutrer <cody@instructure.com>
Tested-by: Jenkins
QA-Review: Jeremy Putnam <jeremyp@instructure.com>
Product-Review: Brian Palmer <brianp@instructure.com>
closes CNVS-26405
Some access tokens were generated which, when base64 decoded, happened
to have the right number of dot-delimited segments to look like a JWT,
and then the decoding library would choke parsing what it thought
was a JSON segment. This catches that parse error, and lets
access_token processing continue.
TEST PLAN:
1) create an access token for your user, and then overwrite its token
value to be the same token as is in the specs accompanying this
patch set
2) you should be able to use the API with that token ok
Change-Id: I7d6ee4e2d40f1fef08bd223e90fdd8dca3bb5779
Reviewed-on: https://gerrit.instructure.com/70160
Reviewed-by: Simon Williams <simon@instructure.com>
Tested-by: Jenkins
Reviewed-by: Cody Cutrer <cody@instructure.com>
QA-Review: August Thornton <august@instructure.com>
Product-Review: Ethan Vizitei <evizitei@instructure.com>
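The failure this commit guards against, as an added example (not Canvas code): before handing a bearer string to a JWT decoder, check whether it really is a JWT. An opaque access token can by chance split into three dot-delimited, base64-decodable segments; the parse error that then occurs on a segment that is not JSON is caught and the token is sent to ordinary access-token lookup instead of aborting the request. The module name, the `:jwt`/`:opaque` outcomes and the dispatcher lambdas are this example's own.

```ruby
require 'json'

# Added example, not Canvas code. Classifies a bearer string as :jwt or
# :opaque without letting a JWT-shaped opaque token raise out of the
# authentication path.
module BearerToken
  def self.b64url(bytes)
    [bytes].pack('m0').tr('+/', '-_').delete('=')
  end

  def self.b64url_decode(str)
    padded = str.tr('-_', '+/')
    padded += '=' * ((4 - padded.length % 4) % 4)
    padded.unpack1('m0') # strict: raises ArgumentError on bad input
  end

  def self.segment_json(segment)
    JSON.parse(b64url_decode(segment))
  end

  # :jwt    - header and payload both decode to JSON objects
  # :opaque - anything else, including tokens that merely look JWT-shaped
  def self.classify(token)
    parts = token.to_s.split('.')
    return :opaque unless parts.length == 3
    header = segment_json(parts[0])
    payload = segment_json(parts[1])
    header.is_a?(Hash) && payload.is_a?(Hash) ? :jwt : :opaque
  rescue ArgumentError, JSON::ParserError, EncodingError
    # ArgumentError: not valid base64; ParserError: decodes, but is not JSON
    # (the case from the commit); EncodingError: decoded bytes are not text.
    :opaque
  end

  # Constructed dispatcher: the two lambdas stand in for the JWT verification
  # path and the AccessToken lookup the application performs next.
  def self.authenticate(token, jwt_path:, access_token_path:)
    case classify(token)
    when :jwt then jwt_path.call(token)
    else access_token_path.call(token)
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed opaque token that happens to have three base64 segments.
  lookalike = 'xYz1.aBc2.QwE3'
  p BearerToken.classify(lookalike) # => :opaque
  jwt = [BearerToken.b64url('{"alg":"HS256","typ":"JWT"}'),
         BearerToken.b64url('{"sub":"user-1"}'), 'sig'].join('.')
  p BearerToken.classify(jwt) # => :jwt
end
```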
closes CNVS-18870
CNVS-18870 as described in the ticket description is not a bug. see
comments on the ticket for more details. but while investigating and
confirming that, it became obvious that the odd structure and scattered
implementation of the CSRF protection was both making it hard to reason
about and easy to introduce new bugs. after the refactor, we still:
* don't perform CSRF validation on GET requests
* don't perform it on token-authenticated API requests
* do perform it on session-authenticated API requests
* do perform it on non-API requests regardless of authentication method
additionally, we now:
* don't perform CSRF validation on HEAD requests
finally, we _don't_ support a csrf_token in the session anymore. that's
been deprecated forever; we can remove the code now.
test-plan:
- should not perform CSRF validation for:
- GET requests
- token-authenticated POST requests to API endpoints (path prefixed
by /api/) without an authenticity_token parameter or X-CSRF-Token
header
- token-authenticated POST requests to API endpoints even with an
authenticity_token parameter
- token-authenticated POST requests to API endpoints even with an
X-CSRF-Token header
- should perform CSRF validation for:
- POST requests to non-API endpoints
- session-authenticated POST requests to API endpoints
- when CSRF validation should occur, but the user has cookies off:
- POST requests to non-API endpoints should redirect to a "need
cookies" page
- XHR POST requests to non-API endpoints should not redirect
- POST requests to API endpoints should not redirect
Change-Id: I3dbb3a68623bc9d03a3e744a9d4e1f038a32709c
Reviewed-on: https://gerrit.instructure.com/65103
Reviewed-by: Simon Williams <simon@instructure.com>
Tested-by: Jenkins
QA-Review: August Thornton <august@instructure.com>
Product-Review: Jacob Fugal <jacob@instructure.com>
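The rules in this commit message written out as an added example (not Canvas code): a pure decision function in which each bullet of the test plan corresponds to one input. Authentication is modelled as `:token` (API access token) or `:session` (cookie session), API endpoints are paths under /api/, and the outcome symbols and parameter names are this example's own; the commit only says XHR and API requests "should not redirect" when cookies are off, so the non-redirect outcome here is a generic failure.

```ruby
# Added example, not Canvas code. Encodes the CSRF policy from the commit:
# never validate GET/HEAD, never validate token-authenticated API requests,
# always validate session-authenticated API requests and every non-API
# request regardless of how it authenticated.
module CsrfPolicy
  SAFE_METHODS = %w[GET HEAD].freeze

  def self.api_path?(path)
    path.start_with?('/api/')
  end

  def self.validation_required?(method:, path:, auth:)
    return false if SAFE_METHODS.include?(method.to_s.upcase)
    return false if api_path?(path) && auth == :token
    true
  end

  def self.secure_compare(a, b)
    return false if a.nil? || b.nil? || a.bytesize != b.bytesize
    diff = 0
    a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
    diff.zero?
  end

  # The token arrives as the authenticity_token param or the X-CSRF-Token
  # header and must match the token bound to the browser (cookie_token here).
  # A csrf_token stored *in* the session is deliberately not consulted,
  # matching the commit's removal of that path.
  def self.token_matches?(params:, headers:, cookie_token:)
    supplied = params['authenticity_token'] || headers['X-CSRF-Token']
    secure_compare(supplied, cookie_token)
  end

  # Outcome for one request:
  #   :skipped               - no validation for this request
  #   :ok                    - validated successfully
  #   :invalid               - validation failed
  #   :redirect_need_cookies - cookies off on a plain non-API request
  #   :fail_no_redirect      - cookies off on an XHR or API request
  def self.check(method:, path:, auth:, cookies_enabled:, xhr: false,
                 params: {}, headers: {}, cookie_token: nil)
    return :skipped unless validation_required?(method: method, path: path, auth: auth)
    unless cookies_enabled
      return :redirect_need_cookies if !api_path?(path) && !xhr
      return :fail_no_redirect
    end
    token_matches?(params: params, headers: headers, cookie_token: cookie_token) ? :ok : :invalid
  end
end
```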
Rails 4 changes #try to check with respond_to? to see if the
method exists first, and the Twilio API client doesn't actually
make the API request until method_missing is called, so try
falls over and hands back nil. Use try!, which retains the Rails
3 behavior of going straight to public_send, to get around this.
Fixes CNVS-26266
Test plan:
- Regression test international SMS with an account that owns
phone numbers in other countries and with recipients in those
countries
- Make sure that all international phone numbers in countries
for which the Twilio account you're testing with owns phone
numbers receive messages from numbers from those countries,
and not from U.S. phone numbers
Change-Id: I7333fb2f4965fe0186c530f4e94ee7f9479e58ef
Reviewed-on: https://gerrit.instructure.com/69795
Reviewed-by: Matthew Wheeler <mwheeler@instructure.com>
Tested-by: Jenkins
QA-Review: Heath Hales <hhales@instructure.com>
Product-Review: Alex Boyd <aboyd@instructure.com>
destroy! is now a method in rails
refs #CNVS-26056
Change-Id: I66e512265ff5cda6a12d7820e3cf69c77ef9e746
Reviewed-on: https://gerrit.instructure.com/69721
Tested-by: Jenkins
Reviewed-by: Cody Cutrer <cody@instructure.com>
Product-Review: James Williams <jamesw@instructure.com>
QA-Review: James Williams <jamesw@instructure.com>
closes #CNVS-26031
Change-Id: I2e0351fb62e5a06b47fe8c6c3dd503318d29a7ad
Reviewed-on: https://gerrit.instructure.com/69228
Reviewed-by: Cody Cutrer <cody@instructure.com>
Tested-by: Jenkins
Product-Review: James Williams <jamesw@instructure.com>
QA-Review: James Williams <jamesw@instructure.com>
* issueid: DS-595
* test plan:
* create assignment and submission
* update assignment and submission
* ensure appropriate messages are in the kinesis queue
Change-Id: I0d7730c8a4ec01f780ae3b77581efb7b48c2733e
Reviewed-on: https://gerrit.instructure.com/68362
Tested-by: Jenkins
Reviewed-by: Simon Williams <simon@instructure.com>
QA-Review: August Thornton <august@instructure.com>
Product-Review: Linda Feng <lfeng@instructure.com>
Fixes PLAT-1298
Test Plan:
Make sure when refreshing a token we aren't
sending back refresh_token
Change-Id: I85fdc9504143021f8ffd7c1320fad538d37a38d3
Reviewed-on: https://gerrit.instructure.com/69037
Reviewed-by: Nathan Mills <nathanm@instructure.com>
Tested-by: Jenkins
QA-Review: August Thornton <august@instructure.com>
Product-Review: Brad Horrocks <bhorrocks@instructure.com>
test plan:
- in a console, do
Setting.set('content_migration_job_expiration_hours', -1)
- try to do course copies and course imports.
they should fail with "job expired" errors.
- go back to the console and undo the expire-migration-jobs-in-the-past setting with the following:
Setting.remove('content_migration_job_expiration_hours')
- now migration jobs should work again
fixes CNVS-25113
Change-Id: I2578c3e124276a950b73b4402f30625d8738a6c3
Reviewed-on: https://gerrit.instructure.com/68867
Tested-by: Jenkins
Reviewed-by: James Williams <jamesw@instructure.com>
Reviewed-by: Simon Williams <simon@instructure.com>
QA-Review: Jahnavi Yetukuri <jyetukuri@instructure.com>
Product-Review: Simon Williams <simon@instructure.com>
refs CNVS-24816
create the feature flag and expose it in
the Eportfolios controller
Add a consul docker container to docker-compose.yml,
and a class for consuming settings in consul.
Also, add the ability to init config values
into consul from the consul.yml file
TEST PLAN:
1) edit your consul.yml to look kinda like this:
development:
  host: consul
  port: 8500
  ssl: false
  init_values:
    rich-content-service:
      app-host: rce.docker
      cdn-host: rce.docker
2) go to edit an eportfolio as a logged in user
3) check in js console "ENV.RICH_CONTENT_SERVICE_ENABLED"
4) should be "true" or "false" depending on the feature
flag state for that user's root account
5) with the feature flag on, refresh and check the env
6) should have values in the env for
RICH_CONTENT_APP_HOST and RICH_CONTENT_CDN_HOST
Change-Id: Ic138e24416b2aadd965ce4811d3c56538de391bc
Reviewed-on: https://gerrit.instructure.com/66614
Tested-by: Jenkins
Reviewed-by: Simon Williams <simon@instructure.com>
QA-Review: August Thornton <august@instructure.com>
Product-Review: Ethan Vizitei <evizitei@instructure.com>
closes CNVS-24966
change js specs to work with webpack.
update some dependency references, make some aliases
for external dependencies to get the right version,
and clean up a bunch of leaky state.
TEST PLAN:
js tests should pass in webpack _and_ requires
Change-Id: If37fbce93e7e67021d90bacb470ffc4f1b17402d
Reviewed-on: https://gerrit.instructure.com/66309
Tested-by: Jenkins
Reviewed-by: Ethan Vizitei <evizitei@instructure.com>
QA-Review: Jeremy Putnam <jeremyp@instructure.com>
Reviewed-by: Simon Williams <simon@instructure.com>
Product-Review: Simon Williams <simon@instructure.com>
Product-Review: Ethan Vizitei <evizitei@instructure.com>
This commit also upgrades React Router to version 0.13.4
skip-ci
closes CNVS-24259
Test Plan:
- Everything at /accounts/XX/settings/ on the Apps tab should
work as expected
- There should be no React related errors/warnings in the console
Change-Id: If36dfb32ad79ad164bd2d122ca72d42d2f3222bf
Reviewed-on: https://gerrit.instructure.com/65810
Reviewed-by: Brad Horrocks <bhorrocks@instructure.com>
QA-Review: August Thornton <august@instructure.com>
Product-Review: Clay Diffrient <cdiffrient@instructure.com>
Tested-by: Clay Diffrient <cdiffrient@instructure.com>
fixes CNVS-24777
Also refactor the interface between the
canvas security module (which is getting fat)
and the ServicesJwt class (which was anemic).
TEST PLAN:
1) no behavior change
2) if you decrypt/decode a token, the JTI
should look like a secure-random gen'd string
(e.g. a8568287-eb98-4b58-b715-feb6bd02fb1f)
Change-Id: I90d4f0b343f1170303a86749e6253cc740a220a2
Reviewed-on: https://gerrit.instructure.com/66483
Tested-by: Jenkins
Reviewed-by: Simon Williams <simon@instructure.com>
Reviewed-by: Jacob Fugal <jacob@instructure.com>
QA-Review: August Thornton <august@instructure.com>
Product-Review: Ethan Vizitei <evizitei@instructure.com>
Fixes PLAT-1289
Test Plan:
do a refresh_token call
make sure the expiration is reset back to 3600 (an hour)
Change-Id: I17095e77211c49c43ea8ff217013d5986e6b6c91
Reviewed-on: https://gerrit.instructure.com/67373
Tested-by: Jenkins
Reviewed-by: Brad Humphrey <brad@instructure.com>
Product-Review: Brad Horrocks <bhorrocks@instructure.com>
QA-Review: August Thornton <august@instructure.com>
Fixes CNVS-24733
Test plan:
- Set up config/twilio.yml
- Ensure that your Twilio account owns phone numbers in the U.S.
and phone numbers in at least one other country
- Enable both the "International SMS" and "International SMS -
Send from Recipient's Country" feature flags on the account
you'll be working with
- Add a phone number in the U.S. to your profile
- Cause a notification to be sent to this phone number
- Ensure that the text message you receive is from one of the
U.S. phone numbers
- Add a phone number in a country in which your Twilio account
owns outbound phone numbers to your profile
- Cause a notification to be sent to this phone number
- Ensure that the text message you receive is from one of the
phone numbers in this country
- Add a phone number in a country in which your Twilio account
does not own any outbound numbers
- Cause a notification to be sent to this phone number
- Ensure that the text message you receive is from one of the
U.S. phone numbers
- Disable the "International SMS - Send from Recipient's
Country" feature flag
- Repeat the above steps, but ensure that all text messages to
all phone numbers are sent from a U.S. phone number
Change-Id: I65b4a7c2e201f8afc5e6068ad80a3b4f9ce8710c
Reviewed-on: https://gerrit.instructure.com/66320
Reviewed-by: Matthew Wheeler <mwheeler@instructure.com>
Tested-by: Jenkins
QA-Review: Heath Hales <hhales@instructure.com>
Product-Review: Allison Weiss <allison@instructure.com>
also lay foundation for new account user search
test plan:
* in development mode, enable the
"Course and User Search" feature flag
* should be able to view the "Search" tab on the
sidebar (may need to resave the account to
clear the sidebar cache)
(replaces the "Courses" and "Users" tabs)
* searching for courses on the account page
should work pretty good
(the people tab is still forthcoming)
closes #CNVS-24750
Change-Id: Id44d1b3c7c36e407339858d2c1657579d1128abc
Reviewed-on: https://gerrit.instructure.com/65268
Tested-by: Jenkins
Reviewed-by: Jeremy Stanley <jeremy@instructure.com>
QA-Review: Clare Strong <clare@instructure.com>
Product-Review: Cosme Salazar <cosme@instructure.com>
closes CNVS-24286
Add JWT (wrapped and signed by shared secret)
as a viable authentication method.
Also remove deprecation errors from login template
TEST PLAN:
1) have ECOSYSTEM_* env vars set (docker helps)
2) login as a user
3) take a token from "/jwts/generate"
4) wrap that token in another token signed
with the shared secret (ECOSYSTEM_SECRET,
see services_jwt_spec.rb for a way to do this)
5) use the base64 encoded string as a bearer
token for canvas
6) try it again in 70 minutes or so (the same
token), it should now be expired.
Change-Id: I721f42d7c9ca7edc82bc75b116354dd3edc50a88
Reviewed-on: https://gerrit.instructure.com/66110
Reviewed-by: Cody Cutrer <cody@instructure.com>
Tested-by: Jenkins
QA-Review: August Thornton <august@instructure.com>
Product-Review: Ethan Vizitei <evizitei@instructure.com>
This adds oauth info to captured error exceptions
Fixes PLAT-1256
Test Plan:
The error report should include all of the OAuth1 header information
If the Authorization Header is not OAuth1 it should not include it
The error report should also include the signature canvas generates
The error report should include where the authorization failed. i.e.
signature, nonce, expiration
The best way to test this is to run the test :D
The best way to manually test this:
- Setup an LTI Tool (I used the example tool with all the checkboxes
checked)
- Use Postman standalone
- create a new request to "/api/lti/v1/tools/<tool_id>/grade_passback"
- Use Postman's Authorization tab to set up OAuth1
- Use the tool's key and secret
- tweak settings for different failure tests
- select add params to header
- click update request
- send the request
You will need to manually change the auth header to get to some
failures. Let me know if you need help
Change-Id: If09882017eaae0ddff96d39b7f33c2da9c1a7fc8
Reviewed-on: https://gerrit.instructure.com/65944
Tested-by: Jenkins
Reviewed-by: Nathan Mills <nathanm@instructure.com>
QA-Review: August Thornton <august@instructure.com>
Product-Review: Brad Horrocks <bhorrocks@instructure.com>
closes CNVS-24285
This token isn't consumed by anyone yet, ultimately it will be used
to be passed back to canvas from other trusted services to
prove the user is authorized to those services and assets.
TEST PLAN:
1) login as a user
2) visit /jwts/generate
3) you should see a token-like thing in the JSON
Change-Id: I95852758597606d4ee3f1d2c788fcb252e7c154a
Reviewed-on: https://gerrit.instructure.com/65983
Tested-by: Jenkins
Reviewed-by: Mike Nomitch <mnomitch@instructure.com>
QA-Review: August Thornton <august@instructure.com>
Product-Review: Ethan Vizitei <evizitei@instructure.com>
closes CNVS-24284
json-jwt has encryption built into the library.
Also replace all bare uses of JWT library
with Canvas::Security so we use a consistent
interface throughout the app.
TEST PLAN:
1) no behavior changes
2) regression test Oauth logins
3) regression test LTI tool launches
Change-Id: If1a98cc9fbaf9f77631b730a5afe0951347743ab
Reviewed-on: https://gerrit.instructure.com/65774
Reviewed-by: Simon Williams <simon@instructure.com>
QA-Review: August Thornton <august@instructure.com>
Product-Review: Ethan Vizitei <evizitei@instructure.com>
Tested-by: Jenkins
test plan:
- create a course with an assignment group containing a graded
discussion topic and a quiz (but no assignments as such)
- export the course to a common cartridge file
- selectively import the course:
* you should see the quiz and the discussion topic listed
under "Assignments" and your assignment group in the
select-content dialog
* checking the assignment should check the associated
quiz or topic and vice versa
* if the (entire) assignment group is selected, it should be
imported in a selected import
* if individual items (but not the entire assignment group)
are selected, they should be imported into an
"Imported Assignments" group
fixes CNVS-23017
Change-Id: I2553cbf87209ea89b01325da855f3bfd12aa31aa
Reviewed-on: https://gerrit.instructure.com/66023
Tested-by: Jenkins
Reviewed-by: James Williams <jamesw@instructure.com>
QA-Review: Jahnavi Yetukuri <jyetukuri@instructure.com>
Product-Review: Jeremy Stanley <jeremy@instructure.com>
add warning message to the api docs about expiring access tokens
fixes PLAT-1263 PLAT-1243
test plan:
* create a developer key before cherry picking change set
* cherry-pick change set
* generate an Access Token using the old dev key
* it should not have an expiration
* create a new developer key
* create an access token with the new dev key
* it should have an expiration
* check the api doc on the oauth page for the warning message
Change-Id: Id53d9b7fab4b8b308a0abbae0268c1c25a2d4c6f
Reviewed-on: https://gerrit.instructure.com/64881
Reviewed-by: Brad Horrocks <bhorrocks@instructure.com>
Tested-by: Jenkins
QA-Review: August Thornton <august@instructure.com>
Product-Review: Nathan Mills <nathanm@instructure.com>
Added grant_type request param. It will default to authorization_code if
it's not set AND the code param is supplied.
Updated errors to be OAuth2 compliant. At some point we should remove
the legacy keys from Canvas::Oauth::RequestError.ERROR_MAP
Fixes PLAT-1219
Test Plan:
You MUST have a developer key
You MUST have a valid refresh_token
See test plan if you need the above: https://gerrit.instructure.com/#/c/63256/
Sample curl (plz change refresh_token, client_id, and client_secret):
curl 'http://blackmesa.canvas.dev/login/oauth2/token' --data
'refresh_token=1c8d2ff5498eb879db9737d494a4bbd64810c84cf7e1776d1f4cebdb9699244c6209add4838d02f0d67b969a599cee589fecbeef5f84ababb1ef6e4cb9099b68&client_id=30000000000001&client_secret=AHv7hXoImZdplvbTEcZaJ9zJF51F7ny82iHz0dCnmbIdqndA2cGU75iJnrezH5QB&grant_type=refresh_token'
Change-Id: I02d3f9c7dd01f26076720d74dea61a8c682b8f9a
Reviewed-on: https://gerrit.instructure.com/64433
Tested-by: Jenkins
Reviewed-by: Nathan Mills <nathanm@instructure.com>
QA-Review: August Thornton <august@instructure.com>
Product-Review: Brad Horrocks <bhorrocks@instructure.com>
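The token-endpoint rules spread over several of these commits, as an added example (not Canvas code): grant_type defaults to authorization_code only when a code param is present (PLAT-1219 above), failures use OAuth2 error codes (RFC 6749 section 5.2), a refresh resets expires_in to 3600 (PLAT-1289) and a refresh response carries no new refresh_token (PLAT-1298). Parameter names match the curl in the test plan; the module and method names are this example's own, and the legacy keys in Canvas::Oauth::RequestError.ERROR_MAP are not reproduced.

```ruby
# Added example, not Canvas code. Validates a token request and builds the
# success or error body the way the commits above describe.
module Oauth2Token
  class RequestError < StandardError
    attr_reader :code

    def initialize(code, description)
      @code = code
      super(description)
    end

    # Body shape RFC 6749 prescribes for a failed token request.
    def to_h
      { 'error' => code, 'error_description' => message }
    end
  end

  SUPPORTED_GRANTS = %w[authorization_code refresh_token].freeze
  REQUIRED_PARAMS = {
    'authorization_code' => %w[client_id client_secret code],
    'refresh_token'      => %w[client_id client_secret refresh_token]
  }.freeze
  DEFAULT_TTL = 3600 # seconds; the "reset back to 3600" from PLAT-1289

  def self.present?(params, key)
    value = params[key]
    !(value.nil? || value.to_s.empty?)
  end

  # Explicit grant_type wins. Without one, fall back to authorization_code
  # only if code is supplied; otherwise the request is malformed.
  def self.effective_grant_type(params)
    return params['grant_type'] if present?(params, 'grant_type')
    return 'authorization_code' if present?(params, 'code')
    raise RequestError.new('invalid_request', 'grant_type is required')
  end

  # Returns the effective grant or raises RequestError with an OAuth2 code.
  def self.validate(params)
    grant = effective_grant_type(params)
    unless SUPPORTED_GRANTS.include?(grant)
      raise RequestError.new('unsupported_grant_type', "#{grant} is not supported")
    end
    missing = REQUIRED_PARAMS[grant].reject { |k| present?(params, k) }
    unless missing.empty?
      raise RequestError.new('invalid_request', "missing #{missing.join(', ')}")
    end
    grant
  end

  # Success body. A refresh_token is only issued on the initial grant; a
  # refresh hands back a new access token and a fresh expires_in.
  def self.response(grant, access_token:, refresh_token: nil, expires_in: DEFAULT_TTL)
    body = { 'access_token' => access_token, 'token_type' => 'Bearer', 'expires_in' => expires_in }
    body['refresh_token'] = refresh_token if grant == 'authorization_code' && refresh_token
    body
  end
end
```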
test-plan:
when you get an access token via oauth2 you shouldn't get an expiration, and it shouldn't be set in the db
Change-Id: Ie0b15b54ef789b9a94b726026c09fe9497f0adc5
Reviewed-on: https://gerrit.instructure.com/64749
Reviewed-by: Brad Horrocks <bhorrocks@instructure.com>
Tested-by: Jenkins
QA-Review: August Thornton <august@instructure.com>
Product-Review: Nathan Mills <nathanm@instructure.com>
fixes: PLAT-1220
test-plan:
* using the oauth flow generate an access token
* you should get an expires_in time with the token
* the token should expire after the expires_in time lapses
Change-Id: If25bea7a11dbd0c8e717d53eb131fdae6c156606
Reviewed-on: https://gerrit.instructure.com/62951
Tested-by: Jenkins
Reviewed-by: Brad Horrocks <bhorrocks@instructure.com>
QA-Review: August Thornton <august@instructure.com>
Product-Review: Nathan Mills <nathanm@instructure.com>
Fixes PLAT-1232
test plan:
* go to developer keys UI
* you should be able to deactivate and reactivate keys
* deactivate a key that you have a token for
* the token should no longer work, even though it's not expired
Change-Id: I7388226c710ab0841692902886a49146a037e615
Reviewed-on: https://gerrit.instructure.com/50008
Tested-by: Jenkins
Reviewed-by: Nathan Mills <nathanm@instructure.com>
QA-Review: August Thornton <august@instructure.com>
Product-Review: Brad Horrocks <bhorrocks@instructure.com>
Fixes CNVS-21546
Test plan N/A (just regression test international SMS messaging)
Change-Id: I135bef152b61b798208548835af20222a65f6b00
Reviewed-on: https://gerrit.instructure.com/61407
Tested-by: Jenkins
Reviewed-by: Jonathan Featherstone <jfeatherstone@instructure.com>
Reviewed-by: Matthew Wheeler <mwheeler@instructure.com>
QA-Review: Heath Hales <hhales@instructure.com>
Product-Review: Alex Boyd <aboyd@instructure.com>
Fixes CNVS-21548, CNVS-20625, CNVS-21580
Test plan:
- Copy config/twilio.yml.example to config/twilio.yml
- Configure config/twilio.yml with credentials from a Twilio
account
- Create a user
- Enable the international_sms feature flag for the account
of the user you created
- Create a communication channel from a Rails console, using
a phone number with which you can test. Assuming
1-801-555-0100 as the phone number, and assuming that the
id of the user that you created is 42, you can do that with:
User.find(42).communication_channels.create!(
path_type: 'sms', path: '+18015550100')
- As a site admin, confirm the user's communication channel
- Cause a notification to be sent to the user
- Ensure that you receive a text message
- Multiple outbound numbers (will need a paid Twilio account
to test):
- Configure config/twilio.yml with credentials from a
Twilio account that has multiple outbound phone numbers
- Create multiple users and add new phone numbers for each
using the above steps, and confirm them
- Cause notifications to be generated for each user and
ensure that they come from different phone numbers
- You may need to test several phone numbers before a
notification is sent from a different number
- Cause more notifications to be sent and ensure that each
phone number receives notifications from the same
outbound phone number every time
Change-Id: I103c93a8096acaaabd29530b0a0b5c43bc05c26b
Reviewed-on: https://gerrit.instructure.com/59901
Tested-by: Jenkins
Reviewed-by: Joel Hough <joel@instructure.com>
QA-Review: Heath Hales <hhales@instructure.com>
Product-Review: Peyton Craighill <pcraighill@instructure.com>
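Sender selection as described across the two international-SMS commits (CNVS-24733 above and this one), as an added example (not Canvas code): prefer an outbound number from the recipient's country, fall back to a U.S. number when the account owns none there or when the "send from recipient's country" flag is off, and pick deterministically so a given recipient always hears from the same number. The number pool and country-code table are constructed sample data, and the module name is this example's own.

```ruby
require 'digest'

# Added example, not Canvas code. Chooses the outbound SMS number for a
# recipient from a pool of owned numbers.
module OutboundSms
  # E.164 numbers the account "owns" (constructed sample data).
  POOL = %w[+18015550100 +18015550101 +441134960000 +441134960001].freeze

  # Country calling codes this example recognises, longest first so a longer
  # code is matched before a shorter prefix of it (constructed subset).
  COUNTRY_CODES = %w[+44 +33 +1].sort_by { |c| -c.length }.freeze
  US = '+1'

  def self.country_code(number)
    COUNTRY_CODES.find { |cc| number.start_with?(cc) }
  end

  # Returns the sender for `recipient`, or nil if the pool is empty.
  def self.sender_for(recipient, pool: POOL, from_recipient_country: true)
    return nil if pool.empty?
    candidates = []
    if from_recipient_country && (cc = country_code(recipient))
      candidates = pool.select { |n| n.start_with?(cc) }
    end
    candidates = pool.select { |n| n.start_with?(US) } if candidates.empty?
    candidates = pool if candidates.empty? # no U.S. numbers either: use anything
    # Stable choice: hash the recipient instead of rotating, so repeat
    # notifications to one phone always come from one number while different
    # recipients still spread across the pool.
    index = Digest::SHA256.hexdigest(recipient).to_i(16) % candidates.length
    candidates[index]
  end
end

if __FILE__ == $PROGRAM_NAME
  puts OutboundSms.sender_for('+441632960999')                               # a +44 number
  puts OutboundSms.sender_for('+441632960999', from_recipient_country: false) # a +1 number
  puts OutboundSms.sender_for('+33123456789')                                # a +1 number (no +33 owned)
end
```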
merge the dev/react-gradebook dev branch into
master, and put it behind a feature flag.
closes CNVS-23056
test plan:
go to account settings, and verify the
gradebook performance feature is turned
off. verify no bugs have been introduced
on the current, non-react-gradebook.
Change-Id: Ia1723d14df8bb77f91ffd832b446b0df842ac56e
Reviewed-on: https://gerrit.instructure.com/62978
Tested-by: Jenkins
Reviewed-by: Dylan Ross <dross@instructure.com>
QA-Review: Jason Carter <jcarter@instructure.com>
Product-Review: Spencer Olson <solson@instructure.com>