why:
* to be consistent in allowing deep linking content to be added from the
3-dot menu at the top of the modules page and for each module
closes INTEROP-7294
flag=lti_multiple_assignment_deep_linking,lti_deep_linking_line_items
test plan:
* install a 1.3 test tool that has the module_menu_modal placement
configured, and with a message_type of LtiDeepLinkingRequest
* make sure these feature flags are enabled:
* lti_multiple_assignment_deep_linking
* lti_deep_linking_line_items
* lti_deep_linking_module_index_menu_modal
* from the modules page, click on the 3-dot menu in an existing module
* you should be able to launch the tool from there, which wasn't
possible before
* launch and return these content items. all scenarios should reload the
page and add things to the module:
* 1 content item: should add 1 item to the module
* many content items: should add all items to the module
* 1 content item with line item: should add 1 assignment to the module
* many content items with line items: should add all items to the
module as assignments
* many mixed content items (some with line items and some without):
should correctly add all items to the module as either lti links or
assignments
Change-Id: Id0c4d7933213b8a8acfab0a4c988807cddcedfa7
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/287770
Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com>
Reviewed-by: Tucker Mcknight <tmcknight@instructure.com>
QA-Review: Tucker Mcknight <tmcknight@instructure.com>
Product-Review: Alexis Nast <alexis.nast@instructure.com>
refs INTEROP-7075
flag=none
why:
* the existing module_index_menu lives behind a feature flag, and opens
in a tray, both of which are not ideal for a new standard placement that
will be used for adding module items and assignments via deep linking
* replicate course_assignments_menu, which opens a modal from
the assignments index, on the modules page
test plan:
* run webpack if needed
* install a new 1.3 tool with this placement, or add it to an existing
tool with a message type of `LtiResourceLinkRequest`
* from the modules page, click the 3 dots menu in the top right
of the page
* your tool should be an option there
* it should launch in a modal, and not be a deep linking request
Change-Id: I7f75b7397638e2554602cbf70b77bdf4ec7e512a
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/276155
Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com>
Reviewed-by: Mysti Lilla <mysti@instructure.com>
QA-Review: Alexandre Trindade <alexandre.trindade@instructure.com>
Product-Review: Karl Lloyd <karl@instructure.com>
We apparently we're restricting the values before
dbd8c466 fixed `"canvas_icon_class": { ... }` to
`"canvas_icon_class" => { ... }`
(Since that commit was ostensibly just a linting commit but changed
semantics, it might be worth revisiting other things in that commit.)
fixes INTEROP-7109
Test plan:
- Edit an LTI 1.3 dev key JSON in the Developer Keys UI
- Add "canvas_icon_class": "icon-pdf" to a placement in an LTI 1.3 dev key
- Make sure the dev key saves
- Observe that the dev key cannot be saved before this commit
Change-Id: Ibb22a8d5d9ebdb9b7afb99adf9ab2893be863165
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/276645
Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com>
Reviewed-by: Xander Moffatt <xmoffatt@instructure.com>
QA-Review: Xander Moffatt <xmoffatt@instructure.com>
Product-Review: Karl Lloyd <karl@instructure.com>
refs FOO-2410
test plan:
- in dynamic_settings.yml, add the following block:
```
store:
canvas:
services-jwt:
# these are all the same JWK but with different kid
# to generate a new key, run the following in a Canvas console:
#
# key = OpenSSL::PKey::RSA.generate(2048)
# key.public_key.to_jwk(kid: Time.now.utc.iso8601).to_json
jwk-past.json: "{\"kty\":\"RSA\",\"e\":\"AQAB\",\"n\":\"uX1MpfEMQCBUMcj0sBYI-iFaG5Nodp3C6OlN8uY60fa5zSBd83-iIL3n_qzZ8VCluuTLfB7rrV_tiX727XIEqQ\",\"kid\":\"2018-05-18T22:33:20Z_a\",\"d\":\"pYwR64x-LYFtA13iHIIeEvfPTws50ZutyGfpHN-kIZz3k-xVpun2Hgu0hVKZMxcZJ9DkG8UZPqD-zTDbCmCyLQ\",\"p\":\"6OQ2bi_oY5fE9KfQOcxkmNhxDnIKObKb6TVYqOOz2JM\",\"q\":\"y-UBef95njOrqMAxJH1QPds3ltYWr8QgGgccmcATH1M\",\"dp\":\"Ol_xkL7rZgNFt_lURRiJYpJmDDPjgkDVuafIeFTS4Ic\",\"dq\":\"RtzDY5wXr5TzrwWEztLCpYzfyAuF_PZj1cfs976apsM\",\"qi\":\"XA5wnwIrwe5MwXpaBijZsGhKJoypZProt47aVCtWtPE\"}"
jwk-present.json: "{\"kty\":\"RSA\",\"e\":\"AQAB\",\"n\":\"uX1MpfEMQCBUMcj0sBYI-iFaG5Nodp3C6OlN8uY60fa5zSBd83-iIL3n_qzZ8VCluuTLfB7rrV_tiX727XIEqQ\",\"kid\":\"2018-06-18T22:33:20Z_b\",\"d\":\"pYwR64x-LYFtA13iHIIeEvfPTws50ZutyGfpHN-kIZz3k-xVpun2Hgu0hVKZMxcZJ9DkG8UZPqD-zTDbCmCyLQ\",\"p\":\"6OQ2bi_oY5fE9KfQOcxkmNhxDnIKObKb6TVYqOOz2JM\",\"q\":\"y-UBef95njOrqMAxJH1QPds3ltYWr8QgGgccmcATH1M\",\"dp\":\"Ol_xkL7rZgNFt_lURRiJYpJmDDPjgkDVuafIeFTS4Ic\",\"dq\":\"RtzDY5wXr5TzrwWEztLCpYzfyAuF_PZj1cfs976apsM\",\"qi\":\"XA5wnwIrwe5MwXpaBijZsGhKJoypZProt47aVCtWtPE\"}"
jwk-future.json: "{\"kty\":\"RSA\",\"e\":\"AQAB\",\"n\":\"uX1MpfEMQCBUMcj0sBYI-iFaG5Nodp3C6OlN8uY60fa5zSBd83-iIL3n_qzZ8VCluuTLfB7rrV_tiX727XIEqQ\",\"kid\":\"2018-07-18T22:33:20Z_c\",\"d\":\"pYwR64x-LYFtA13iHIIeEvfPTws50ZutyGfpHN-kIZz3k-xVpun2Hgu0hVKZMxcZJ9DkG8UZPqD-zTDbCmCyLQ\",\"p\":\"6OQ2bi_oY5fE9KfQOcxkmNhxDnIKObKb6TVYqOOz2JM\",\"q\":\"y-UBef95njOrqMAxJH1QPds3ltYWr8QgGgccmcATH1M\",\"dp\":\"Ol_xkL7rZgNFt_lURRiJYpJmDDPjgkDVuafIeFTS4Ic\",\"dq\":\"RtzDY5wXr5TzrwWEztLCpYzfyAuF_PZj1cfs976apsM\",\"qi\":\"XA5wnwIrwe5MwXpaBijZsGhKJoypZProt47aVCtWtPE\"}"
```
- Ensure /internal/services/jwks loads correctly
- In console, ensure `CanvasSecurity::ServicesJwt.decrypt(Base64.decode64(CanvasSecurity::ServicesJwt.for_user('localhost', User.first)))`
and `CanvasSecurity::ServicesJwt.decrypt(Base64.decode64(CanvasSecurity::ServicesJwt.for_user('localhost', User.first, symmetric: true)))`
both work and produce sensible looking output
Change-Id: I13c6c35cc92ed12d03bf97e89e590614e11c6d47
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/275160
QA-Review: August Thornton <august@instructure.com>
Product-Review: August Thornton <august@instructure.com>
Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com>
Reviewed-by: Ethan Vizitei <evizitei@instructure.com>
Reviewed-by: Evan Battaglia <ebattaglia@instructure.com>
refs SAS-1540
* adds an audience setting to developer keys, so a key can be set to
target external audiences with its credentials grants
* when a key with an external audience grants credentials, the token is
signed with an asymmetric key instead of the internal symmetric key
* external audiences can retrieve the corresponding public keys from
/login/oauth2/jwks
* credentials issued by developer keys with an account id include the
account's guid in a custom claim
includes a refactor of key storage and rotation in consul, which had
already been done for LTI. but it wasn't really a feature of lti, just
something used by LTI, and we needed the same for key management for
this. moved it to be part of Canvas::Security
Change-Id: Ie5c0fcee6fc21687f31c109389a3bcc1ed349c5d
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/243606
QA-Review: Jonathan Featherstone <jfeatherstone@instructure.com>
Reviewed-by: Jonathan Featherstone <jfeatherstone@instructure.com>
Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com>
Product-Review: Jacob Fugal <jacob@instructure.com>
test plan:
* enable the "Submission Type LTI Placement" feature
* add an external tool to a course or account with a
"submission_type_selection" placement configured
* should be able to create or edit an assignment and
select the tool directly from the submission type
drop down
* when selected, it should show a button
(that currently does nothing but will be used to
launch the tool for additional configuration)
* should be able to save the assignment with
the tool selected, and it should stay selected
when the saved assignment is edited again
flag=submission_type_tool_placement
closes #LA-725
Change-Id: Ic0dd44f91b61f3300c55db7e7b30d9180c7a14e2
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/237534
Reviewed-by: Clint Furse <cfurse@instructure.com>
Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com>
QA-Review: Clint Furse <cfurse@instructure.com>
Product-Review: James Williams <jamesw@instructure.com>
closes CAL-6
flag=conference_selection_lti_placement
Test plan:
- Add LTI developer key at /accounts/self/developer_keys
- verify that conference_selection is not included in the
list of placement options
- turn on feature flag "Allow Conference Selection LTI placement"
at /accounts/site_admin/settings
- add LTI developer key again
- verify that conference_selection is included in
the placement options and tool can be saved/reloaded
Change-Id: Ie6016514a29e9362562aab1a7a33f0c3d808ed6a
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/232853
Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com>
Reviewed-by: Weston Dransfield <wdransfield@instructure.com>
QA-Review: Steve Shepherd <sshepherd@instructure.com>
Product-Review: Michael Brewer-Davis <mbd@instructure.com>
Closes PLAT-4952
Test Plan:
- Install an LTI 1.3 tool that uses the new
scope and service endpoint
- Make a request to the new endpoint specifying
a feature flag that exists. Verify the
feature flag is returned in the response
with accurate data.
- Make a request to the new endpoint specifying
a feature flag that does not exist. Verify
the service responds with a 404
- Verify the new endpoint adheres to LTI
Advange authentication/authorization (
requres JWT access token, requres active
developer key, etc.)
Change-Id: Ifb876b541c237a3c9ca45270bafea5693d6a03eb
Reviewed-on: https://gerrit.instructure.com/211196
Tested-by: Jenkins
Reviewed-by: Clint Furse <cfurse@instructure.com>
QA-Review: Clint Furse <cfurse@instructure.com>
Product-Review: Weston Dransfield <wdransfield@instructure.com>
closes PLAT-4858
test plan:
- create an LTI dev key with a public_jwk_url instead of a public_jwk
- the url doesn't need to be anything special but
`https://canvas.instructure.com/api/lti/security/jwks`
is always a safe bet
- edit the LTI dev key and click save
- the save should return 200 and not show any errors
Change-Id: I85a732fb6b7e9a1f32a3156621ab9899f2bf68b9
Reviewed-on: https://gerrit.instructure.com/209913
Tested-by: Jenkins
Reviewed-by: Marc Phillips <mphillips@instructure.com>
QA-Review: Marc Phillips <mphillips@instructure.com>
Product-Review: Xander Moffatt <xmoffatt@instructure.com>
Refs Closes PLAT-4766
Test Plan:
Make sure you can save a tool configuraiton that uses the new
list_event_types scope
Change-Id: Ib0e9ce88e03a5cce71aae2a418557f67492234d7
Reviewed-on: https://gerrit.instructure.com/208079
Tested-by: Jenkins
Reviewed-by: Xander Moffatt <xmoffatt@instructure.com>
QA-Review: Clint Furse <cfurse@instructure.com>
QA-Review: Xander Moffatt <xmoffatt@instructure.com>
Product-Review: Weston Dransfield <wdransfield@instructure.com>
closes PLAT-4744
Test Plan:
- see that the index action returns a list
Change-Id: I92cc07c5476c7dd48202f38b62e09df6aa591b62
Reviewed-on: https://gerrit.instructure.com/206435
Reviewed-by: Weston Dransfield <wdransfield@instructure.com>
Tested-by: Jenkins
QA-Review: Marc Phillips <mphillips@instructure.com>
Product-Review: Marc Phillips <mphillips@instructure.com>
closes PLAT-4761
Test Plan:
- see that a call to this endpoint will show a sub
Change-Id: Ifc299aebe5cfbadaf82a1970f75ad182ffa31b29
Reviewed-on: https://gerrit.instructure.com/206489
Reviewed-by: Xander Moffatt <xmoffatt@instructure.com>
Tested-by: Jenkins
QA-Review: Marc Phillips <mphillips@instructure.com>
Product-Review: Marc Phillips <mphillips@instructure.com>
refs PLAT-4493
Test Plan:
-create a developer key and validate the public jwk url field
is present
-save developer key
-edit developer key and validate public jwk url field is present
-save edit and validate edits were saved to developer key
Change-Id: I9019d116ad9995931757439f4c3d63b3d67a3a5f
Reviewed-on: https://gerrit.instructure.com/197713
Tested-by: Jenkins
Reviewed-by: Marc Phillips <mphillips@instructure.com>
QA-Review: Marc Phillips <mphillips@instructure.com>
Product-Review: Jesse Poulos <jpoulos@instructure.com>
fixes PLAT-4492
Test Plan
-Create test tool
-Use tool to create developer key in canvas
-Change tool credential oauth_client_id to match
client id from developer key
-Go to http://lti13testtool.docker/developer_key/update_public_jwk/21
-Verify that public JWK was changed:
Change-Id: Ic09a665d4ab14d3423b7e4b2a3a51296c0617981
Reviewed-on: https://gerrit.instructure.com/194447
Tested-by: Jenkins
Reviewed-by: Weston Dransfield <wdransfield@instructure.com>
QA-Review: Weston Dransfield <wdransfield@instructure.com>
Product-Review: Jesse Poulos <jpoulos@instructure.com>
Also fixed a few formatting issues and loosened the
requirements on domain and tool_id.
closes PLAT-4248
Test Plan:
Go through the lti manual creation flow, should work
Attempt to break it, shouldn't work
Change-Id: I8ceb05951d2596fd37e976dd114cc3da3a3d7499
Reviewed-on: https://gerrit.instructure.com/190194
Tested-by: Jenkins
Reviewed-by: Weston Dransfield <wdransfield@instructure.com>
Product-Review: Jesse Poulos <jpoulos@instructure.com>
QA-Review: Weston Dransfield <wdransfield@instructure.com>
This belongs in the settings hash.
refs PLAT-4248
Test Plan:
n/a
Change-Id: I89ca516d9e00e8fe8048e8d419893b16efc0b76d
Reviewed-on: https://gerrit.instructure.com/187200
Tested-by: Jenkins
Reviewed-by: Weston Dransfield <wdransfield@instructure.com>
QA-Review: Marc Phillips <mphillips@instructure.com>
Product-Review: Marc Phillips <mphillips@instructure.com>
For manual creation of keys, add the fields
that will be required or needed to create a
new Tool Configuration Manually.
refs PLAT-4248
Test Plan:
- Go to create a new LTI key, note that the manual
option now has fields attached
Change-Id: I34afe82ba903cc149a0ba74b245cec0375b029e4
Reviewed-on: https://gerrit.instructure.com/186829
Reviewed-by: Weston Dransfield <wdransfield@instructure.com>
Tested-by: Jenkins
QA-Review: Marc Phillips <mphillips@instructure.com>
Product-Review: Marc Phillips <mphillips@instructure.com>
Some fields should not be required, fix typo
in Deeplinkingrequest.
fixes PLAT-4284
Test Plan:
- n/a
Change-Id: I36c3c84a143d8aaff7ddb9de7c33847640a6845a
Reviewed-on: https://gerrit.instructure.com/184627
Tested-by: Jenkins
Product-Review: Marc Phillips <mphillips@instructure.com>
Reviewed-by: Weston Dransfield <wdransfield@instructure.com>
QA-Review: Weston Dransfield <wdransfield@instructure.com>
Validate that a tool config matches the schema for
a tool.
closes PLAT-4258
Test Plan:
- Attempt to create an lti tool with an old config, should
fail with schema errors
- Create an lti tool with a new tool config, should succeed
- Create a tool from the config, should work
- Test that the launches still work for launch basic and
Deeplinking
Change-Id: Iaeea45f14dd10f464ab06f4bd1bb24696e91b38f
Reviewed-on: https://gerrit.instructure.com/184182
Tested-by: Jenkins
Reviewed-by: Nathan Mills <nathanm@instructure.com>
QA-Review: Marc Phillips <mphillips@instructure.com>
Product-Review: Marc Phillips <mphillips@instructure.com>
Change-Id: Ifcc3316b96f4b2ae3da109c9e7e80afdd57cdada
Reviewed-on: https://gerrit.instructure.com/166599
Reviewed-by: Marc Alan Phillips <mphillips@instructure.com>
Tested-by: Jenkins
Product-Review: Marc Alan Phillips <mphillips@instructure.com>
QA-Review: Marc Alan Phillips <mphillips@instructure.com>
Closes PLAT-3739
Test Plan:
- Use the tool configuration create/update endpoint to create a new
tool configuration. The JSON provided to the settings should
include (in its root) a 'public_jwk' object. This object must
take the following form:
{
"kty":"RSA",
"e":"AQAB",
"n":"2YGluUtCi62Ww_TWB38OE6wTaN..."
"kid":"2018-09-18T21:55:18Z",
"alg":"RS256",
"use":"sig"
}
- Verify a tool configuration is created
- Verify the tool configuration's developer key's public_jwk
column is now set to the JWK from the previous step
- Verify all claims in the JWK above are required
- Verify the 'kty' claim must be 'RSA' when using the
endpoint
- Verify the 'alg' claim must be 'RS256' when using the
endpoint
- Verify all above verifications work when the settings JSON
is provided directly OR provided indirectly by URL
- Verify all above verifications work when creating a new tool
configuration OR editing an existing one
Change-Id: Iae8e9b89266611234b8ab2e47c4912b7fb1d9f2a
Reviewed-on: https://gerrit.instructure.com/165203
Reviewed-by: Marc Alan Phillips <mphillips@instructure.com>
QA-Review: Marc Alan Phillips <mphillips@instructure.com>
Tested-by: Jenkins
Product-Review: Weston Dransfield <wdransfield@instructure.com>
Xander Moffatt