to prevent locking yourself out
test plan:
* have multiple auth providers
* add a login to an admin explicitly tied to one of the providers
* log in with that login
* you should not be able to delete the auth provider tied to the
login you just used
Change-Id: I5d3a5e7ce0f33efee237e2b4764be50e72c792d9
Reviewed-on: https://gerrit.instructure.com/63259
Reviewed-by: Mike Nomitch <mnomitch@instructure.com>
Tested-by: Jenkins
QA-Review: August Thornton <august@instructure.com>
Product-Review: Cody Cutrer <cody@instructure.com>
test plan:
* before applying this change
* configure one account with canvas auth, one without (on account settings)
* configure another account with canvas auth and 3rd party auth
* check that /login still works on the above accounts, as well as
/login?authentication_provider=canvas
* run migration
* Canvas auth should properly show up or not in authentication providers,
and below any pre-existing providers
* delete all auth providers; Canvas should automatically show up after you
delete the last one
* Canvas auth should be respected for logging in when it is enabled/not
enabled (i.e. not enabled you can't login with a canvas password)
Change-Id: I873a4fe3e217f84384da6e5afbf5c280ae368c0b
Reviewed-on: https://gerrit.instructure.com/61814
Tested-by: Jenkins
Reviewed-by: Rob Orton <rob@instructure.com>
QA-Review: August Thornton <august@instructure.com>
Product-Review: Cody Cutrer <cody@instructure.com>
fixes CNVS-22165
test plan:
* go to /accounts/self/authentication_providers
* create at least two ldap configs
* ensure the radio buttons work independently
per ldap configuration
* ensure radio button selections save properly
* default ldap config should check
"No TLS" by default
Change-Id: Ibb1702b0d732a91856191b054d33c389a5c0dbab
Reviewed-on: https://gerrit.instructure.com/60089
Tested-by: Jenkins
Reviewed-by: Cody Cutrer <cody@instructure.com>
QA-Review: Jeremy Putnam <jeremyp@instructure.com>
Product-Review: August Thornton <august@instructure.com>
fixes CNVS-21924
also completely removes the long-deprecated update_all form
test plan:
* create, update, delete an authentication provider via the UI
* delete all providers via the UI
* create, update, delete an auth provider via the API using both
old and new routes
Change-Id: Id75351b937baf7369928edca1f8e08729214ad99
Reviewed-on: https://gerrit.instructure.com/58652
QA-Review: August Thornton <august@instructure.com>
Tested-by: Jenkins
Reviewed-by: Rob Orton <rob@instructure.com>
Product-Review: Cody Cutrer <cody@instructure.com>
canvas auth counts as a provider, and even with just canvas auth a
school may want to send to their website first
Change-Id: Icfd833b0c0786334d98e21011a66af8146280c0b
Reviewed-on: https://gerrit.instructure.com/57543
Tested-by: Jenkins
Reviewed-by: Rob Orton <rob@instructure.com>
QA-Review: August Thornton <august@instructure.com>
Product-Review: Cody Cutrer <cody@instructure.com>
with the new css stuff, we don't actually use
jammit so jammit_css has been renamed to css_bundle.
we left an aliased jammit_css and marked it deprecated
so these all still worked but spit out a deprecation warning.
Change-Id: Ib74037711f559f64851d9379644479587c1f83f2
Reviewed-on: https://gerrit.instructure.com/55888
Reviewed-by: Jacob Fugal <jacob@instructure.com>
Tested-by: Jenkins
Product-Review: Ryan Shaw <ryan@instructure.com>
QA-Review: Ryan Shaw <ryan@instructure.com>
test plan:
- set up a LDAP configuration
- verify greater-than sign is no longer present in
"Test LDAP Authentication" button title
Change-Id: I9fc476f71d0a6c5da325c1eda1d2d8d8753c5af7
Reviewed-on: https://gerrit.instructure.com/57548
Reviewed-by: Cody Cutrer <cody@instructure.com>
Tested-by: Jenkins
Reviewed-by: Ryan Shaw <ryan@instructure.com>
QA-Review: Jeremy Putnam <jeremyp@instructure.com>
Product-Review: August Thornton <august@instructure.com>
closes CNVS-21177
Turns the auth type selector into a react component
and makes sure it responds correctly in a couple
corner cases (with specs!)
TEST PLAN:
1) go to the authentication providers config page
2) add several authentication providers
3) you should always be scrolled down to your new
form when you add a new one
Change-Id: Ia520ee358dbc8a469e29e13fcd653cf11f9259b3
Reviewed-on: https://gerrit.instructure.com/56377
Tested-by: Jenkins
Reviewed-by: Jason Madsen <jmadsen@instructure.com>
QA-Review: August Thornton <august@instructure.com>
Product-Review: Ethan Vizitei <evizitei@instructure.com>
closes CNVS-20947
Allow users to "delete" auth configs without
violating foreign key constraints.
Also means updating all places that use the
association interface to a new method
that strips out inactive AACs
TEST PLAN:
1) create a new AAC with the IDP of your choice
2) create some pseudonyms that are attached to the new AAC
3) try to delete the AAC from the authorization config area
4) it should not blow up
Change-Id: Iff56fd8aa2ee66a2468191a9c880a99862d83927
Reviewed-on: https://gerrit.instructure.com/55808
Tested-by: Jenkins
Reviewed-by: Cody Cutrer <cody@instructure.com>
QA-Review: August Thornton <august@instructure.com>
Product-Review: Ethan Vizitei <evizitei@instructure.com>
authentication
Fixes PFS-1084
Parent Registration:
When a Saml config is designated for Parent Registration the parent
signing up will be redirected to a Saml login page where they will log
in with their child's credentials. After login the child user's
Saml session will be ended and the parent registration process will complete.
Parent Adding Student:
When a Saml config is designated for Parent Registration the parent
adding another observee will be redirected to a Saml login page
where they will log in with their child's credentials. After login the child user's
Saml session will be ended and the observee creation process
will complete.
---------------------------------------
TEST PLAN:
SETUP:
1) In your account settings check the box for 'Self Registration' (and
either of the sub-options)
2) Add the following users to your account (these will be the students):
billyjoel
eltonjohn
3) In Authentication Settings add a SAML authentication service
and enter the following fields (I've set up a remote SAML Idp):
IdP Entity ID: http://107.170.212.143/saml2/idp/metadata.php
Log On URL: http://107.170.212.143/simplesaml/saml2/idp/SSOService.php
Log Out URL:
http://107.170.212.143/simplesaml/saml2/idp/SingleLogoutService.php
Certificate Fingerprint:
9C:11:68:93:95:CD:18:01:EC:52:2B:9E:22:7F:73:55:ED:6D:82:D4
Parent Registration: check
TEST:
Parent Registration:
* Go to '/login/canvas'
* Click on the signup banner
* sign up as a parent for billyjoel or eltonjohn
(on SAML login page the password for either user is: tantrum)
Add Student:
* Log in as a parent user w/ a Canvas Auth login
* Go to '/profile/observees'
* Add Student 'billyjoel' or 'eltonjohn'
Authentication Settings (new parent reg checkbox):
* Go to Authentication Settings
* Add a second SAML config
* check the parent registration checkbox
- it should warn that selection will deselect the other
and in fact do so upon save.
- the selected config is the one used for
parent reg/add student
---------------------------------------
Change-Id: Ief83b604fc252c88dbb912c56de65d8620fe802f
Reviewed-on: https://gerrit.instructure.com/49691
Tested-by: Jenkins
QA-Review: August Thornton <august@instructure.com>
Reviewed-by: Jacob Fugal <jacob@instructure.com>
Product-Review: Ethan Vizitei <evizitei@instructure.com>
closes CNVS-20912
test plan:
* change the login attribute
* ensure the error message you get when it can't find your login
shows the value you expect
Change-Id: I8fbad8c4df5f2dc5b01cf43d5d6c43ab7be97972
Reviewed-on: https://gerrit.instructure.com/55665
Tested-by: Jenkins
Reviewed-by: Ethan Vizitei <evizitei@instructure.com>
QA-Review: August Thornton <august@instructure.com>
Product-Review: Cody Cutrer <cody@instructure.com>
header and footer were deleted and collapsed up into aac_settings partial,
so that doesn't need to be repeated in each provider type.
share an oauth2_fields partial between many of the oauth2 providers
test plan:
* config and reconfig all the types of auth providers
Change-Id: I7a91f0528fe1cef8da50f0a141347958ba4fa93a
Reviewed-on: https://gerrit.instructure.com/54862
Reviewed-by: Rob Orton <rob@instructure.com>
QA-Review: August Thornton <august@instructure.com>
Tested-by: Jenkins
Product-Review: Cody Cutrer <cody@instructure.com>
closes CNVS-19536, CNVS-19540, CNVS-19545
test plan:
* test google auth
* re-test the other oauth providers, cause more stuff got refactored
Change-Id: Ib1c0332cc31f0825f171f3281bf7255abb602844
Reviewed-on: https://gerrit.instructure.com/54526
Tested-by: Jenkins
QA-Review: August Thornton <august@instructure.com>
Reviewed-by: Ethan Vizitei <evizitei@instructure.com>
Product-Review: Cody Cutrer <cody@instructure.com>
fixes CNVS-20620
no need to have 1 per AAC
test plan:
* use a delegated auth provider
* configure an unknown user url
* log in with a user that doesn't exist in canvas
* it should redirect to your url
Change-Id: I962513a58993bbb98921c2337d228cb53de06e9e
Reviewed-on: https://gerrit.instructure.com/54671
Tested-by: Jenkins
QA-Review: August Thornton <august@instructure.com>
Reviewed-by: Rob Orton <rob@instructure.com>
Product-Review: Cody Cutrer <cody@instructure.com>
closes CNVS-19463, CNVS-19460, CNVS-19461
test plan:
* you know the drill by now.
* retest facebook, because that was refactored to share code
Change-Id: Iaf99b7b3c6850b1ac3690d1a5ebd1286268b5ae7
Reviewed-on: https://gerrit.instructure.com/54313
QA-Review: August Thornton <august@instructure.com>
Reviewed-by: Ethan Vizitei <evizitei@instructure.com>
Tested-by: Jenkins
Product-Review: Cody Cutrer <cody@instructure.com>
test plan:
* register an application on github
* configure github as an authentication source
* login with github
* it should complain about a missing user
* add that ID to your user
* login again, and it should work
* delete github authentication
* reconfigure at /plugins/github
* add authentication again; this time it shouldn't let you configure
the integration
* login with github again
Change-Id: I2be3dd482de79873ad845890827292bc4f995b7a
Reviewed-on: https://gerrit.instructure.com/54241
Tested-by: Jenkins
Reviewed-by: Ethan Vizitei <evizitei@instructure.com>
QA-Review: August Thornton <august@instructure.com>
Product-Review: Cody Cutrer <cody@instructure.com>
fixes CNVS-19449, CNVS-19454, CNVS-19455
test plan:
* configure the facebook plugin (/plugins/facebook)
* add Facebook to your authentication configs
* try to login with valid facebook credentials - it should say it
couldn't find the user
* add a login to your user with that ID
* try to login with facebook again; it should work
* delete auth settings and plugin settings
* re-add the auth settings - it should let you configure it
directly
* log in again
Change-Id: I5aae400fe39fda6e1a864a062368e50a4c9f4ede
Reviewed-on: https://gerrit.instructure.com/54208
Reviewed-by: Ethan Vizitei <evizitei@instructure.com>
Tested-by: Jenkins
QA-Review: August Thornton <august@instructure.com>
Product-Review: Cody Cutrer <cody@instructure.com>
fixes CNVS-20394
split it into appropriate concerns. main points are:
* /login never renders a login form - it redirects forward to the
default auth controller based on the first account
authorization config (or discovery url on the account)
* /login/canvas is the new home of the old login form. this form is
never rendered in-situ anymore - other places that used to render
it now redirect to /login (and then forward to here), reducing
their knowledge of SSO
* /login/ldap ends up at the same place (cause LDAP auth is handled
transparently)
* /login/cas and /login/saml redirect forward to the first SSO
configuration of the appropriate type. /login/:auth_type/:id can
be used to select a specific one
* if an SSO fails, it redirects back to /login with flash[:error]
set. this can forward to the discovery url appropriately, or
render an error page appropriately (the old no_auto=1, but now
it's not layered on top of the login partial that didn't show a
login form)
* ?canvas_login=1 is deprecated. just go directly to /login/canvas
* /saml_consume, /saml_logout are deprecated. they are processed
directly by /login/saml and /login/saml/logout
* /login/:id is deprecated - it forwards to /login/:auth_type/:id
as appropriate (presumably only saml, since that was the only
one that previously should have been using these links)
* OTP has been split into its own controller, and separated into
multiple actions instead of one all-in-one action
* /logout has been vastly simplified. the login controller should
set session[:login_aac], and on logout it will check with that
AAC for a url to redirect to after logout, instead of /login.
SSO logout is handled by each controller if they support it
test plan:
* regression test the following functionality -
* login with canvas auth
* login with LDAP auth
* login with SAML auth - and multiple SAMLs
* login with CAS auth
* MFA (configure, using, auto-setup)
* Canvas as OAuth Provider flow
* redirects to the login page when you're not
logged in
* failure of SAML/CAS (i.e. can't find user)
show a decent error page and allows retry
* "sticky" site admin auth (site admin is CAS/SAML,
going directly to another domain logs you in with
site admin)
Change-Id: I1bb9d81a101939f812cbd5020e20749e883fdc0f
Reviewed-on: https://gerrit.instructure.com/53220
QA-Review: August Thornton <august@instructure.com>
Tested-by: Jenkins
Reviewed-by: Ethan Vizitei <evizitei@instructure.com>
Product-Review: Cody Cutrer <cody@instructure.com>
closes CNVS-20076
First, pull a presenter out of the AAC index
This thing needs more flexibility before introducing
multiple OAuth connectors. This commit adds a couple characterization
specs for the AAC controller, then drives out a presenter to pull
as much logic and config out of the nested views as possible.
Then, this commit refactors the
previously-somewhat-bespoke-and-presumptive sac
configuration into a workflow that shows each aac
in turn according to its type, creating forms for
each type at the bottom, and
showing the relevant form for a new one based on
selection on the right.
Have regression tested in the browser to the level
of CRUD functionality, but also deserves solid QA
for SSO functionality post-configuration.
DONE:
-successful CAS creation/editing/deletion
-successful LDAP creation/editing/deletion
-proper differentiation between LDAP primary and secondary
-proper SAML creation/editing
-move away from "update_all" deprecated endpoint
-Selenium Spec fixes
-ensure discovery URL and debugging workflows for saml
-remove duplication from views
-tear down old JS workflow
-apply appropriate tests for new behavior
-remove presenter methods that are no longer valuable
-Moved change_password_url and login_handle_name
-up to account settings, removed them from AACs, and built
-migrations to manage the transition.
-Found and fixed all references to change_password_url on AACs
-Found and fixed all references to login_handle_name on AACs
-add datafixup for migrating AAC data to account settings
-unify repetitive individual files into single form declarations \o/
-remove old SAML editing js
-Make sure SAML still works
-Make LDAP partial flow just like SAML/CAS
-Unify position information across all types
-update "acts_as_list" to support STI classes
-move discovery URL into account auth form
-remove discover URL js management
-Unify form generation between new/existing aacs
-deprecate discovery url API endpoints
-update docs for authorization settings to deprecate their usage in AAC
api and redirect their values to current settings for now
-make delete links non-js-y to stop this silly page refresh on api
completion
-make form submissions actually submit the form rather than do this silly
page refresh on api completion
-See if anything needs “Edit Details” button, remove if not
-Wire up removing account settings by blanking out form
-Removed "cancel" button from form because fields are always open
-placate gergich
-Test removing config info
-Test population fixup on real data
-write docs for authorization settings
-fix existing specs
-fix routing and docs to not break doc generation
-fix stupid jenkins task that thinks it can’t see controls
-re-fix selenium
-fix saml debugging workflow
-write tests for acts_as_list behavior
-write tests for authorization settings
-remove auth_info types of things
-clean up and unify styles where possible
TEST PLAN:
Regression test creating/deleting/editing and logging
in with SSO solutions for CAS, LDAP, and SAML.
Should be no functional behavior modification, though
workflow will be a little more unified between the
3 currently supported types (each one will
require using the menu in the right sidebar
to add a new AAC).
Also test setting and deleting account settings through
the form underneath the configs when there are AACs in existence.
Finally, make sure that the SAML Debugging workflow still works.
Change-Id: I448db10185512d1b9469c2a425be0a3bcf9e6ebf
Reviewed-on: https://gerrit.instructure.com/53448
Tested-by: Jenkins
Reviewed-by: Cody Cutrer <cody@instructure.com>
QA-Review: August Thornton <august@instructure.com>
Product-Review: Ethan Vizitei <evizitei@instructure.com>
test plan:
- Ensure documentation for AccountAuthorizationConfigsController#create
does not have an occurrence of "unkown"
- Ensure the keys ":unknown_user_url" and ":unknown_user_url_description"
in app/views/account_authorization_configs/_saml_settings.html.erb
(lines 207 and 210) translate properly and display the correct text.
fixes CNVS-17939
Change-Id: I42627eaccf2e69ff1e354a9da68e4144c738f5aa
Reviewed-on: https://gerrit.instructure.com/47035
Reviewed-by: Clay Diffrient <cdiffrient@instructure.com>
Tested-by: Jenkins
QA-Review: Jeremy Putnam <jeremyp@instructure.com>
Product-Review: Clay Diffrient <cdiffrient@instructure.com>
Fixes: CNVS-18824
Updates icon markup so the dropdown is less ugly.
Test Plan:
- Create a SAML config from your root account in
Settings > Authentication.
- The dropdown under Current Integration should
now look like this:
http://cl.ly/image/2s000H2j2a2f
...instead of this:
https://www.dropbox.com/s/6l8m8s54n5t3flb/Screenshot%202015-02-21%2015.03.15.png?dl=0
Change-Id: Ie321be9e15837d3e180f3566fff1d1e2a350c17b
Reviewed-on: https://gerrit.instructure.com/49776
Tested-by: Jenkins
Reviewed-by: Colleen Palmer <colleen@instructure.com>
Product-Review: Colleen Palmer <colleen@instructure.com>
QA-Review: August Thornton <august@instructure.com>
Screen readers no longer enter, exit, or report applications mode/region when
passing over menu trigger controls. Menu triggers can also be navigated
to with screen reader "jump to next/previous button" navigation shortcuts.
Fixes CNVS-15275
Test plan:
- Visit each kyle menu in Canvas.
- Verify with a screen reader:
- That the trigger is reachable via normal arrow key navigation
- That the trigger is reachable when navigating by buttons
- That the menu opens when enter is pressed on the menu trigger
- That forms mode is activated when the menu is opened (N/A in Voice Over).
- That the up and down arrow keys allow one to navigate through the menu
- That pressing enter on a menu option activates that action
- Verify that menu triggers are reachable by the keyboard (sans screen reader).
- Verify that all the other functionality relating to menus as discussed above
is accessible to keyboard only users.
Change-Id: I81d7678251b7c43e67504d5569e59ccd2f846949
Reviewed-on: https://gerrit.instructure.com/40951
Tested-by: Jenkins <jenkins@instructure.com>
Reviewed-by: Ryan Florence <ryanf@instructure.com>
Product-Review: Ryan Florence <ryanf@instructure.com>
Reviewed-by: Ryan Shaw <ryan@instructure.com>
QA-Review: Nathan Rogowski <nathan@instructure.com>
fixes CNVS-15104
test plan:
- visit edited pages from spreadsheet below
- test page headings with screenreader in safari
- pages should have level 1 headers for screenreader that proceed in order logically
- compare top level headers on assignments, modules, syllabus, and wiki pages
between their actual pages, and their pages when called from home page selection
- headers for the above pages should be h1 on their respective pages, and h2
when called from home page, and still proceed logically
Changes need to be tested on the following pages
default home page (/)
home page set to course modules
home page set to front page
home page set to assignments list
/courses/1
/courses/1/assignments
/courses/1/assignments/new
/courses/1/assignments/1/edit
/courses/1/discussion_topics/new
/courses/1/discussion_topics/1
/courses/1/discussion_topics/1/edit
/courses/1/gradebook#tab-assignment
/courses/1/gradebook/speed_grader(just pick any assignment w/ speedgrader)
/courses/1/groups
/courses/1/user_services
/courses/1/pages/(whatever page for course)
/courses/1/quizzes/1/edit
/courses/1/quizzes/1/take?preview=1
/courses/1/question_banks/2
/courses/1/quizzes/1/take
/courses/1/conferences
/courses/1/modules/progressions
/calendar2
/about/1
/profile/settings
/dashboard/eportfolios
/conversations?#filter=type=inbox
/accounts/1
/accounts/1/users
/accounts/1/sub_accounts
/accounts/1/account_authorization_configs
/accounts/1/groups
/accounts/1/users/2
/accounts/1/permissions
/accounts/1/avatars
/users/2/user_notes
/accounts/1/rubrics
/accounts/1/grading_standards
/accounts/1/user_notes
/accounts/1/admin_tools
/users/1/admin_merge
/users/1/teacher_activity/student/1
/users/1/masquerade
Change-Id: Ifdad341a22631c0d6773977743be741e74fecd88
Reviewed-on: https://gerrit.instructure.com/40370
Tested-by: Jenkins <jenkins@instructure.com>
Reviewed-by: Simon Williams <simon@instructure.com>
QA-Review: Sean Lewis <slewis@instructure.com>
Product-Review: Aaron Cannon <acannon@instructure.com>
closes CNVS-14803
test plan:
- make sure the headers are unchanged on the following pages:
- /accounts/1/account_authorization_configs
- /accounts/1/sis_import
- /courses/1/content_exports
- /courses/1/confirm_action?event=delete
- /accounts/1/terms
- /accounts/1/sub_accounts
- /accounts/1/users/1/delete
- /users/1/admin_merge
Change-Id: I4563e243cb733e2826d52b408991032da3767efa
Reviewed-on: https://gerrit.instructure.com/39373
Reviewed-by: Ryan Florence <ryanf@instructure.com>
Tested-by: Jenkins <jenkins@instructure.com>
QA-Review: Anna Koalenz <akoalenz@instructure.com>
Product-Review: Simon Williams <simon@instructure.com>
fixes: CNVS-9194
This adds a configuration to CAS and SAML which will redirect to when an
unknown user is authorized from CAS or SAML but we do not have a
pseudonym for them in canvas yet. Instead of logging them out of CAS or
SAML it will redirect them to a custom url. By default if no url is
configured it will redirect to the login page or cas login page.
Test Plan:
CAS:
- Setup a User on the CAS server that can login.
- Make sure the user is not in Canvas and won't be matched up to any
other Canvas pseudonyms.
- Log in to CAS and Canvas.
- Canvas should redirect to cas_login_url.
- Configure the Canvas CAS setting unknown user url to redirect to
a custom url.
- Log in to CAS and Canvas
- Canvas should redirect to the custom url specified.
- The user should not be logged out of CAS.
SAML:
- Setup a User on the SAML server that can login.
- Make sure the user is not in Canvas and won't be matched up to any
other Canvas pseudonyms.
- Log in to SAML and Canvas.
- Canvas should redirect to login_url and provide a flash message
stating that the user could not be found.
- Configure the Canvas SAML settings Unknown User Url to redirect
to a custom url.
- Log in to SAML and Canvas
- Canvas should redirect to the custom url specified.
- The user should not be logged out of SAML.
Change-Id: I29a78f8ec60c94caecf63547584d8ae804ffc9de
Reviewed-on: https://gerrit.instructure.com/38472
Reviewed-by: Cody Cutrer <cody@instructure.com>
Tested-by: Jenkins <jenkins@instructure.com>
QA-Review: August Thornton <august@instructure.com>
Product-Review: Matt Fairbourn <mfairbourn@instructure.com>
fixes CNVS-9554
all items are properly read and focused when
navigating Kyle Menus via keyboard
this commit patches JQueryUI menu.js :(
test plan:
- Create a graded discussion.
- Activate the discussion cog menu, and confirm
that all items are read by a
screen reader, and properly focused on screen
when arrowing up and down via the keyboard.
- Leave a reply, and test the cog menu on the
reply as above.
- Confirm that all items within the menu are
activatable by pressing enter
- Verify that the appearance of the page is still correct.
- Visit all other pages with Kyle Menus, and
verify the same as above.
- make sure to test in IE since the way click
events are simulated is different code
Change-Id: I735573b3151c1133b6bdfb2f0e6bea6b7a285372
Reviewed-on: https://gerrit.instructure.com/27447
Tested-by: Jenkins <jenkins@instructure.com>
Product-Review: Aaron Cannon <acannon@instructure.com>
Reviewed-by: Ryan Florence <ryanf@instructure.com>
QA-Review: Trevor deHaan <tdehaan@instructure.com>
fixes CNVS-3106
test plan:
* change language
* /accounts/X/account_authorization_configs
* /accounts/X/avatars
* go to a user page, and click "Delete from X" (where X is the account)
* all three of those pages the bread crumbs should be localized
Change-Id: I198275963999bb08fceb0659a7097af6287d8684
Reviewed-on: https://gerrit.instructure.com/34484
Reviewed-by: Rob Orton <rob@instructure.com>
Tested-by: Jenkins <jenkins@instructure.com>
QA-Review: Jeremy Putnam <jeremyp@instructure.com>
Product-Review: Cody Cutrer <cody@instructure.com>
fixes CNVS-12781
test plan
- specs should pass
Change-Id: I53aad0d08ae0cf5f81faa612f4351b993ef2c712
Reviewed-on: https://gerrit.instructure.com/34111
Tested-by: Jenkins <jenkins@instructure.com>
Reviewed-by: Nick Cloward <ncloward@instructure.com>
Product-Review: Rob Orton <rob@instructure.com>
QA-Review: Rob Orton <rob@instructure.com>
in rails 3, .new is analogous to .build for collections, so otherwise
temporary records will be added to the collection (and be autosaved)
Change-Id: I08ce7b4b35ee35646aff3afd237bbe896162a014
Reviewed-on: https://gerrit.instructure.com/30334
Reviewed-by: Cody Cutrer <cody@instructure.com>
Tested-by: Jenkins <jenkins@instructure.com>
Product-Review: James Williams <jamesw@instructure.com>
QA-Review: James Williams <jamesw@instructure.com>
Change-Id: I64b648d361607fe17c6d0f5befcf057b10c34cd4
Reviewed-on: https://gerrit.instructure.com/30093
Tested-by: Jenkins <jenkins@instructure.com>
Reviewed-by: Cody Cutrer <cody@instructure.com>
Product-Review: James Williams <jamesw@instructure.com>
QA-Review: James Williams <jamesw@instructure.com>
* fix view spec rendering to include helpers
* re-implement have_tag rspec matcher
* fix problems with finding routes to
unsaved records
Change-Id: I6ed267fcf5e8e32a62ee059be46371bc0ea35603
Reviewed-on: https://gerrit.instructure.com/30016
Tested-by: Jenkins <jenkins@instructure.com>
Reviewed-by: Cody Cutrer <cody@instructure.com>
Product-Review: James Williams <jamesw@instructure.com>
QA-Review: James Williams <jamesw@instructure.com>
The previous code was a one-off written before timeout_protection
existed. This means that we'll now allow N timeouts (3 by default) in
the given period, rather than refusing to connect to the LDAP server
after just one timeout.
closes CNVS-8371
test plan:
* Configure an account to use ldap. Rather than setting up a real ldap
server, it's sufficient for this testing to just use nc or another
application to listen on the port you specify in the account config.
* Attempt to login to the account, and see canvas in your nc output.
Allow it to timeout. Attempt again, and canvas will hit your "ldap
server" again. After 3 timed out attempts, canvas will blacklist your
server for 1 minute.
* Also verify that logging in with ldap still works against a real ldap.
Change-Id: I60293d01690be3cc24f57b8bcd5c6c52e23fc2a9
Reviewed-on: https://gerrit.instructure.com/24657
Reviewed-by: Cody Cutrer <cody@instructure.com>
Tested-by: Jenkins <jenkins@instructure.com>
QA-Review: August Thornton <august@instructure.com>
Product-Review: Brian Palmer <brianp@instructure.com>
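The behaviour described in the commit message above (tolerate N timeouts within a period, then refuse to contact the LDAP server for one minute) is shown here as an added Ruby example; it is not Canvas's timeout_protection code. The `TimeoutBreaker` class, its parameters, the injected clock and the `ldap.example.test` key are assumptions made for illustration.

```ruby
require 'timeout'

# Added example: hypothetical TimeoutBreaker, not Canvas's timeout_protection.
class TimeoutBreaker
  class CircuitOpen < StandardError; end

  # threshold: timeouts tolerated inside `window` seconds before cutting off
  # cutoff:    seconds during which calls for that key are refused
  # clock:     injectable time source so the behaviour can be tested offline
  def initialize(threshold: 3, window: 60, cutoff: 60,
                 clock: -> { Process.clock_gettime(Process::CLOCK_MONOTONIC) })
    @threshold = threshold
    @window = window
    @cutoff = cutoff
    @clock = clock
    @timeouts = Hash.new { |h, k| h[k] = [] } # key => timestamps of recent timeouts
    @open_until = {}                          # key => time at which the cutoff ends
    @lock = Mutex.new
  end

  def open?(key)
    @lock.synchronize { circuit_open?(key, @clock.call) }
  end

  # Runs the block unless the key is cut off. Timeouts are counted and re-raised,
  # so the caller still sees the failure and can fall back to another provider.
  def protect(key)
    raise CircuitOpen, "#{key} skipped after repeated timeouts" if open?(key)
    yield
  rescue Timeout::Error
    @lock.synchronize { record_timeout(key, @clock.call) }
    raise
  end

  private

  def circuit_open?(key, now)
    ends_at = @open_until[key]
    return false unless ends_at
    return true if now < ends_at
    @open_until.delete(key) # cutoff expired: allow the next attempt through
    false
  end

  def record_timeout(key, now)
    recent = @timeouts[key]
    recent.reject! { |t| now - t >= @window } # forget timeouts outside the window
    recent << now
    return if recent.size < @threshold
    @open_until[key] = now + @cutoff
    recent.clear
  end
end

# Constructed scenario: each entry is [seconds_since_start, :timeout or :ok].
# Returns what each login attempt experienced.
def simulate(attempts, **opts)
  now = 0.0
  breaker = TimeoutBreaker.new(clock: -> { now }, **opts)
  attempts.map do |at, outcome|
    now = at.to_f
    begin
      breaker.protect('ldap.example.test:389') do
        raise Timeout::Error, 'constructed timeout' if outcome == :timeout
        :bound
      end
    rescue Timeout::Error
      :timed_out
    rescue TimeoutBreaker::CircuitOpen
      :skipped
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  p simulate([[0, :timeout], [10, :timeout], [20, :timeout], [30, :ok], [80, :ok]])
end
```

Setting `threshold: 1` reproduces the behaviour the commit message says it replaces, where a single timeout is enough to cut the server off.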
so that xmlsec isn't a required feature
test plan:
* remove xmlsec from your system
* restart your server
* existing SAML configs should be ignored (i.e. when you go to login
at an account with SAML, it should give you Canvas login)
* configuring authentication settings should not show SAML in the
dropdown (existing SAML configs just won't show up, but you can
still disable it)
Change-Id: Ic44e05f97ea7d0b919d5165a943b91011ebe70bf
Reviewed-on: https://gerrit.instructure.com/21925
Tested-by: Jenkins <jenkins@instructure.com>
Reviewed-by: Jacob Fugal <jacob@instructure.com>
QA-Review: Jacob Fugal <jacob@instructure.com>
Product-Review: Cody Cutrer <cody@instructure.com>
no changes, just moving code around
test plan:
1. go to Account -> Authorization
2. add an LDAP config, but leave everything blank
3. click "Test Authentication"
4. the first test should fail and the rest should be canceled
5. set up LDAP according to: https://gist.github.com/jenseng/1b2ab5f505c54b9cf57c
6. click "Test Authentication" again
7. three tests should pass, and when you enter the credentials: user / pass
the last test should pass
Change-Id: Ia612797a290dc932abd0380f63997cf6599f24fe
Reviewed-on: https://gerrit.instructure.com/18298
Tested-by: Jenkins <jenkins@instructure.com>
QA-Review: Cam Theriault <cam@instructure.com>
Reviewed-by: Joe Tanner <joe@instructure.com>
this commit does the following:
* upgrade bootstrap-sass gem to most recent version
* switches to using bootstrap's normalize.css and forms.css
which fixes a whole bunch of misformatting of how bootstrap
stuff is supposed to look, but changing those 2 affects
a lot of our old stylesheets.
* gets rid of unified_buttons.sass and just uses bootstrap's buttons.
.ui-button @extends these because we still have to support .ui-button
for modals & buttonsets. but .button is no longer supported.
* a lot of css file reorganization (there's no more 'blue' and
'normal canvas', there's just canvas)
* a bunch of files had to be tweaked to look good with these changes.
test plan:
This change touches every page in canvas so, no kidding, we need to make
sure every page looks OK. In order to do that:
1. each sprint team needs to give a +1 after they make sure all the
pages in the features they are over look good.
2. the QA person on each team needs to look at the pages for their
team's features for a QA +1
things to look for specifically when testing:
* buttons: this gets rid of all those red 'cancel' links
that are actually buttons, make sure all the buttons you see
look right. if you see 2 plain gray buttons next to each other
like [Save] [Cancel], we should make the primary one blue (by
adding the .btn-primary class)
* Forms: a lot of this change has to do with how form elements look,
especially <select>s, <input>s and <label>s. look at the diffs
for the ones that have the most changes and make sure those look
good, but also check for the ones I missed and make sure those
look good too.
* and just random style changes, if something looks ugly or broken
(and it didn't before), we should fix that.
Also:
just use a link instead of a drop-menu for adding event from sidebar
we used to have a drop down menu for adding events
to cal2 from the sidebar where you'd hit a cog
and it'd ask you if you wanted to add an event or
an assignment. this just simplifies it to an add
icon.
this: http://cl.ly/image/133a2A3q3q1M
instead of: http://cl.ly/image/46463o2s3W0g
Change-Id: I384fe273934bca96bf28423afb1402c7792d8766
Reviewed-on: https://gerrit.instructure.com/15422
Tested-by: Jenkins <jenkins@instructure.com>
Reviewed-by: Ryan Florence <ryanf@instructure.com>
QA-Review: Ryan Florence <ryanf@instructure.com>
in order to not have to support buttons with .ui-button AND
.button AND .btn classes this simplifies and makes our
codebase more consistent by deprecating the .button class
with .btn
Change-Id: I4802d785a47b36aa477f302e6ac8c87715db8a62
Reviewed-on: https://gerrit.instructure.com/15194
Tested-by: Jenkins <jenkins@instructure.com>
Reviewed-by: Ryan Shaw <ryan@instructure.com>
fixes #10236
test plan:
check each updated form to ensure it looks correct and works
Change-Id: I073c3bff5860bab0b892fecbf61a41a8e9c5ec76
Reviewed-on: https://gerrit.instructure.com/13904
Tested-by: Jenkins <jenkins@instructure.com>
Reviewed-by: Ryan Shaw <ryan@instructure.com>
Test Plan:
* Add a SAML config and a discovery url
* It should save
* Delete the url
* It should delete. :)
refs #10497
Change-Id: I244aa3a39ee04a6d0c83558da4962909510e9c15
Reviewed-on: https://gerrit.instructure.com/14295
Tested-by: Jenkins <jenkins@instructure.com>
Reviewed-by: Cody Cutrer <cody@instructure.com>
An account can now have multiple SAML configurations, and
can set an auth discovery url.
The old AAC API has been deprecated and this adds a normal
resource API for AACs
Test Plan:
* Test the api by doing lots of things
* Create two saml configurations
* Test the individual login urls for each (/login/{id}) and verify they work
* Test that the new SAML AAC UI works.
* Test that the SAML configuration in position 1 is used as the default
closes #10497
Change-Id: Ibe35fcf788d9506542b1079cc7420912a1e9d9a2
Reviewed-on: https://gerrit.instructure.com/14042
Tested-by: Jenkins <jenkins@instructure.com>
Reviewed-by: Cody Cutrer <cody@instructure.com>
closes #9935
test plan:
* configure an LDAP server without a Login ID Attribute
* logging in with a pseudonym matching username should succeed
* set the Login ID Attribute to something the LDAP server
returns
* change the pseudonym to match what the LDAP server will return
* logging in with the same original username should succeed,
finding the pseudonym named after the returned attribute
Change-Id: I84a154de2bf4fbefa6183a9381ca21441bd2c35a
Reviewed-on: https://gerrit.instructure.com/12910
Reviewed-by: Cody Cutrer <cody@instructure.com>
Tested-by: Cody Cutrer <cody@instructure.com>
fixes #6347
* logs more information on ldap failures and passes it down to the browser in
the ajax response.
* fixes a crazy javascript bug where we were accidentally using a reserved
global var in webkit, 'status', which is a string, which interacted strangely
with our use of it as a boolean. this fixes the tester for firefox/ie
test plan:
(for #6347)
- use the tester in firefox and ie, it should work
(for error messages)
- one at a time, change the fields of a config, and run the tester
- you should get (slightly) more helpful error messages about what is failing,
based on status returned from the server.
Change-Id: Ic0837d7ff9f6283d615ddd4bbeef5a957dbd6553
Reviewed-on: https://gerrit.instructure.com/12880
Reviewed-by: Cody Cutrer <cody@instructure.com>
Tested-by: Jenkins <jenkins@instructure.com>
disabling canvas auth also force-disables open registration, and
makes LDAP auth act like full delegated auth (CAS or SAML)
test plan:
* configure LDAP, CAS, or SAML. MAKE SURE YOU CAN LOG IN.
* go to account settings, and disable "Canvas Authentication"
* open registration should no longer show up on account settings
page (after saving)
* ensure you can no longer log in with your Canvas credentials, but
you can with LDAP, CAS, or SAML credentials.
* remove LDAP, CAS, or SAML from the account
* "Canvas Authentication" should no longer show up on the account
settings page, open registration should
* your Canvas credentials should start working again
* add LDAP, CAS, or SAML back
* "Canvas Authentication" should be back on in account settings
Change-Id: Ic7475623e5139bb545a87d8e5b1014dabaf4e854
Reviewed-on: https://gerrit.instructure.com/12850
Reviewed-by: Jeremy Stanley <jeremy@instructure.com>
Tested-by: Jenkins <jenkins@instructure.com>
minimum to not accidentally blow away more than 2 configs
test plan:
* in script/console, add more than 2 ldap configs to an account
* the UI should show them all, and they should be editable
* you should not be able to add more, or delete any individual
config
* normal editing of one or two configs should work just fine
Change-Id: I66b31f1b800b40aa490fd05b051bec23be9ef0bb
Reviewed-on: https://gerrit.instructure.com/12879
Reviewed-by: Cody Cutrer <cody@instructure.com>
Tested-by: Cody Cutrer <cody@instructure.com>
make start tls the default if not otherwise specified in the API, and
the default for new integrations in the UI. still support booleans
in the API.
test plan:
* test non-tls, simple tls, and start tls LDAP servers
* ensure new LDAP settings default to start tls
Change-Id: I60b2f2d6cbdd32beff14d198c92efbfd6705b041
Reviewed-on: https://gerrit.instructure.com/12923
Reviewed-by: Cody Cutrer <cody@instructure.com>
Tested-by: Cody Cutrer <cody@instructure.com>
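The default described in the commit above, sketched as an added example that is not Canvas's own code: an unspecified TLS setting resolves to start tls, legacy booleans are still accepted, and unknown values are rejected rather than silently falling back to no TLS. The parameter name `:over_tls`, the stored strings, and the mapping of a legacy `true` to simple tls are assumptions.

```ruby
# Added example, not Canvas code. The key name, the stored strings and the
# meaning given to legacy booleans are assumptions made for illustration.
LDAP_TLS_KEY   = :over_tls                       # hypothetical API parameter
LDAP_TLS_MODES = %w[start_tls simple_tls].freeze # nil is stored for "No TLS"

# Resolve the TLS mode for one LDAP config submitted through the API.
def ldap_tls_mode(params)
  value = params[LDAP_TLS_KEY]
  # Not specified (missing, nil or blank): use the secure default.
  return 'start_tls' if value.nil? || value == ''

  case value
  when true, 'true', '1'    then 'simple_tls' # legacy boolean: TLS on (assumed mapping)
  when false, 'false', '0'  then nil          # plaintext only when asked for explicitly
  when *LDAP_TLS_MODES      then value
  else
    # Fail closed: a typo must not quietly downgrade the bind to plaintext.
    raise ArgumentError, "invalid LDAP TLS setting: #{value.inspect}"
  end
end

# List the configs that would bind without TLS, so they can be reviewed.
def ldap_configs_without_tls(configs)
  configs.select { |c| ldap_tls_mode(c).nil? }.map { |c| c[:name] }
end

# Constructed sample input.
SAMPLE_LDAP_CONFIGS = [
  { name: 'new integration' },                        # nothing specified
  { name: 'legacy true',  over_tls: true },
  { name: 'legacy false', over_tls: false },
  { name: 'explicit start tls', over_tls: 'start_tls' }
].freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLE_LDAP_CONFIGS.each do |c|
    puts format('%-20s -> %s', c[:name], ldap_tls_mode(c).inspect)
  end
  puts "without TLS: #{ldap_configs_without_tls(SAMPLE_LDAP_CONFIGS).inspect}"
end
```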
aka: no more .dialog('close').dialog({}).dialog('open')
(does not actually change any behavior visible to end user)
test plan:
as far as manual testing goes, try to go to a bunch of pages that have dialogs
and open and close them.
For engineers, if you can think of other places where we might try to set options
on a UI widget before we initialize one (like sortables or something), check that too.
Change-Id: I7415c00d8c15b562ac12eeef83fa041aff1dfb35
Reviewed-on: https://gerrit.instructure.com/12810
Tested-by: Jenkins <jenkins@instructure.com>
Reviewed-by: Jon Jensen <jon@instructure.com>
it's no longer needed for the one customer that wanted it
test plan:
* CAS auth should continue to work
Change-Id: I47bd461769019bb9b57cbbfa8236de14c1614285
Reviewed-on: https://gerrit.instructure.com/11788
Tested-by: Jenkins <jenkins@instructure.com>
Reviewed-by: Brian Palmer <brianp@instructure.com>