refs SAS-1540
* adds an audience setting to developer keys, so a key can be set to
target external audiences with its credentials grants
* when a key with an external audience grants credentials, the token is
signed with an asymmetric key instead of the internal symmetric key
* external audiences can retrieve the corresponding public keys from
/login/oauth2/jwks
* credentials issued by developer keys with an account id include the
account's guid in a custom claim
includes a refactor of key storage and rotation in Consul, which had
already been done for LTI. But it wasn't really a feature of LTI, just
something used by LTI, and we needed the same for key management for
this. Moved it to be part of Canvas::Security
Change-Id: Ie5c0fcee6fc21687f31c109389a3bcc1ed349c5d
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/243606
QA-Review: Jonathan Featherstone <jfeatherstone@instructure.com>
Reviewed-by: Jonathan Featherstone <jfeatherstone@instructure.com>
Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com>
Product-Review: Jacob Fugal <jacob@instructure.com>
test plan:
* enable the "Submission Type LTI Placement" feature
* add an external tool to a course or account with a
"submission_type_selection" placement configured
* should be able to create or edit an assignment and
select the tool directly from the submission type
drop down
* when selected, it should show a button
(that currently does nothing but will be used to
launch the tool for additional configuration)
* should be able to save the assignment with
the tool selected, and it should stay selected
when the saved assignment is edited again
flag=submission_type_tool_placement
closes #LA-725
Change-Id: Ic0dd44f91b61f3300c55db7e7b30d9180c7a14e2
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/237534
Reviewed-by: Clint Furse <cfurse@instructure.com>
Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com>
QA-Review: Clint Furse <cfurse@instructure.com>
Product-Review: James Williams <jamesw@instructure.com>
closes CAL-6
flag=conference_selection_lti_placement
Test plan:
- Add LTI developer key at /accounts/self/developer_keys
- verify that conference_selection is not included in the
list of placement options
- turn on feature flag "Allow Conference Selection LTI placement"
at /accounts/site_admin/settings
- add LTI developer key again
- verify that conference_selection is included in
the placement options and tool can be saved/reloaded
Change-Id: Ie6016514a29e9362562aab1a7a33f0c3d808ed6a
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/232853
Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com>
Reviewed-by: Weston Dransfield <wdransfield@instructure.com>
QA-Review: Steve Shepherd <sshepherd@instructure.com>
Product-Review: Michael Brewer-Davis <mbd@instructure.com>
Closes PLAT-4952
Test Plan:
- Install an LTI 1.3 tool that uses the new
scope and service endpoint
- Make a request to the new endpoint specifying
a feature flag that exists. Verify the
feature flag is returned in the response
with accurate data.
- Make a request to the new endpoint specifying
a feature flag that does not exist. Verify
the service responds with a 404
- Verify the new endpoint adheres to LTI
Advantage authentication/authorization (
requires JWT access token, requires active
developer key, etc.)
Change-Id: Ifb876b541c237a3c9ca45270bafea5693d6a03eb
Reviewed-on: https://gerrit.instructure.com/211196
Tested-by: Jenkins
Reviewed-by: Clint Furse <cfurse@instructure.com>
QA-Review: Clint Furse <cfurse@instructure.com>
Product-Review: Weston Dransfield <wdransfield@instructure.com>
closes PLAT-4858
test plan:
- create an LTI dev key with a public_jwk_url instead of a public_jwk
- the url doesn't need to be anything special but
`https://canvas.instructure.com/api/lti/security/jwks`
is always a safe bet
- edit the LTI dev key and click save
- the save should return 200 and not show any errors
Change-Id: I85a732fb6b7e9a1f32a3156621ab9899f2bf68b9
Reviewed-on: https://gerrit.instructure.com/209913
Tested-by: Jenkins
Reviewed-by: Marc Phillips <mphillips@instructure.com>
QA-Review: Marc Phillips <mphillips@instructure.com>
Product-Review: Xander Moffatt <xmoffatt@instructure.com>
Refs Closes PLAT-4766
Test Plan:
Make sure you can save a tool configuration that uses the new
list_event_types scope
Change-Id: Ib0e9ce88e03a5cce71aae2a418557f67492234d7
Reviewed-on: https://gerrit.instructure.com/208079
Tested-by: Jenkins
Reviewed-by: Xander Moffatt <xmoffatt@instructure.com>
QA-Review: Clint Furse <cfurse@instructure.com>
QA-Review: Xander Moffatt <xmoffatt@instructure.com>
Product-Review: Weston Dransfield <wdransfield@instructure.com>
closes PLAT-4744
Test Plan:
- see that the index action returns a list
Change-Id: I92cc07c5476c7dd48202f38b62e09df6aa591b62
Reviewed-on: https://gerrit.instructure.com/206435
Reviewed-by: Weston Dransfield <wdransfield@instructure.com>
Tested-by: Jenkins
QA-Review: Marc Phillips <mphillips@instructure.com>
Product-Review: Marc Phillips <mphillips@instructure.com>
closes PLAT-4761
Test Plan:
- see that a call to this endpoint will show a sub
Change-Id: Ifc299aebe5cfbadaf82a1970f75ad182ffa31b29
Reviewed-on: https://gerrit.instructure.com/206489
Reviewed-by: Xander Moffatt <xmoffatt@instructure.com>
Tested-by: Jenkins
QA-Review: Marc Phillips <mphillips@instructure.com>
Product-Review: Marc Phillips <mphillips@instructure.com>
refs PLAT-4493
Test Plan:
-create a developer key and validate the public jwk url field
is present
-save developer key
-edit developer key and validate public jwk url field is present
-save edit and validate edits were saved to developer key
Change-Id: I9019d116ad9995931757439f4c3d63b3d67a3a5f
Reviewed-on: https://gerrit.instructure.com/197713
Tested-by: Jenkins
Reviewed-by: Marc Phillips <mphillips@instructure.com>
QA-Review: Marc Phillips <mphillips@instructure.com>
Product-Review: Jesse Poulos <jpoulos@instructure.com>
fixes PLAT-4492
Test Plan
-Create test tool
-Use tool to create developer key in canvas
-Change tool credential oauth_client_id to match
client id from developer key
-Go to http://lti13testtool.docker/developer_key/update_public_jwk/21
-Verify that public JWK was changed:
Change-Id: Ic09a665d4ab14d3423b7e4b2a3a51296c0617981
Reviewed-on: https://gerrit.instructure.com/194447
Tested-by: Jenkins
Reviewed-by: Weston Dransfield <wdransfield@instructure.com>
QA-Review: Weston Dransfield <wdransfield@instructure.com>
Product-Review: Jesse Poulos <jpoulos@instructure.com>
Also fixed a few formatting issues and loosened the
requirements on domain and tool_id.
closes PLAT-4248
Test Plan:
Go through the lti manual creation flow, should work
Attempt to break it, shouldn't work
Change-Id: I8ceb05951d2596fd37e976dd114cc3da3a3d7499
Reviewed-on: https://gerrit.instructure.com/190194
Tested-by: Jenkins
Reviewed-by: Weston Dransfield <wdransfield@instructure.com>
Product-Review: Jesse Poulos <jpoulos@instructure.com>
QA-Review: Weston Dransfield <wdransfield@instructure.com>
This belongs in the settings hash.
refs PLAT-4248
Test Plan:
n/a
Change-Id: I89ca516d9e00e8fe8048e8d419893b16efc0b76d
Reviewed-on: https://gerrit.instructure.com/187200
Tested-by: Jenkins
Reviewed-by: Weston Dransfield <wdransfield@instructure.com>
QA-Review: Marc Phillips <mphillips@instructure.com>
Product-Review: Marc Phillips <mphillips@instructure.com>
For manual creation of keys, add the fields
that will be required or needed to create a
new Tool Configuration Manually.
refs PLAT-4248
Test Plan:
- Go to create a new LTI key, note that the manual
option now has fields attached
Change-Id: I34afe82ba903cc149a0ba74b245cec0375b029e4
Reviewed-on: https://gerrit.instructure.com/186829
Reviewed-by: Weston Dransfield <wdransfield@instructure.com>
Tested-by: Jenkins
QA-Review: Marc Phillips <mphillips@instructure.com>
Product-Review: Marc Phillips <mphillips@instructure.com>
Some fields should not be required, fix typo
in Deeplinkingrequest.
fixes PLAT-4284
Test Plan:
- n/a
Change-Id: I36c3c84a143d8aaff7ddb9de7c33847640a6845a
Reviewed-on: https://gerrit.instructure.com/184627
Tested-by: Jenkins
Product-Review: Marc Phillips <mphillips@instructure.com>
Reviewed-by: Weston Dransfield <wdransfield@instructure.com>
QA-Review: Weston Dransfield <wdransfield@instructure.com>
Validate that a tool config matches the schema for
a tool.
closes PLAT-4258
Test Plan:
- Attempt to create an lti tool with an old config, should
fail with schema errors
- Create an lti tool with a new tool config, should succeed
- Create a tool from the config, should work
- Test that the launches still work for launch basic and
Deeplinking
Change-Id: Iaeea45f14dd10f464ab06f4bd1bb24696e91b38f
Reviewed-on: https://gerrit.instructure.com/184182
Tested-by: Jenkins
Reviewed-by: Nathan Mills <nathanm@instructure.com>
QA-Review: Marc Phillips <mphillips@instructure.com>
Product-Review: Marc Phillips <mphillips@instructure.com>
Change-Id: Ifcc3316b96f4b2ae3da109c9e7e80afdd57cdada
Reviewed-on: https://gerrit.instructure.com/166599
Reviewed-by: Marc Alan Phillips <mphillips@instructure.com>
Tested-by: Jenkins
Product-Review: Marc Alan Phillips <mphillips@instructure.com>
QA-Review: Marc Alan Phillips <mphillips@instructure.com>
Closes PLAT-3739
Test Plan:
- Use the tool configuration create/update endpoint to create a new
tool configuration. The JSON provided to the settings should
include (in its root) a 'public_jwk' object. This object must
take the following form:
{
"kty":"RSA",
"e":"AQAB",
"n":"2YGluUtCi62Ww_TWB38OE6wTaN...",
"kid":"2018-09-18T21:55:18Z",
"alg":"RS256",
"use":"sig"
}
- Verify a tool configuration is created
- Verify the tool configuration's developer key's public_jwk
column is now set to the JWK from the previous step
- Verify all claims in the JWK above are required
- Verify the 'kty' claim must be 'RSA' when using the
endpoint
- Verify the 'alg' claim must be 'RS256' when using the
endpoint
- Verify all above verifications work when the settings JSON
is provided directly OR provided indirectly by URL
- Verify all above verifications work when creating a new tool
configuration OR editing an existing one
Change-Id: Iae8e9b89266611234b8ab2e47c4912b7fb1d9f2a
Reviewed-on: https://gerrit.instructure.com/165203
Reviewed-by: Marc Alan Phillips <mphillips@instructure.com>
QA-Review: Marc Alan Phillips <mphillips@instructure.com>
Tested-by: Jenkins
Product-Review: Weston Dransfield <wdransfield@instructure.com>
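
The public_jwk checks listed in the test plan above (every claim required, 'kty' must be 'RSA', 'alg' must be 'RS256'), as an added Ruby example that is not Canvas's own code. The helper name `validate_public_jwk`, the rejection of RSA private-key members and the base64url check on 'n' and 'e' are assumptions that go beyond the test plan; the sample JWK is constructed.

```ruby
require 'json'

REQUIRED_CLAIMS = %w[kty e n kid alg use].freeze
# RSA private-key members (RFC 7518, section 6.3.2); never valid in a public_jwk.
PRIVATE_MEMBERS = %w[d p q dp dq qi oth].freeze

# Hypothetical helper: returns a list of error strings, empty when the JWK is acceptable.
def validate_public_jwk(jwk)
  return ['public_jwk must be a JSON object'] unless jwk.is_a?(Hash)

  errors = []
  # Every claim from the test plan must be present as a non-empty string.
  REQUIRED_CLAIMS.each do |claim|
    value = jwk[claim]
    errors << "#{claim} is required" unless value.is_a?(String) && !value.empty?
  end
  # Pin key type and algorithm so a symmetric or "none" algorithm is never accepted.
  errors << 'kty must be RSA' if jwk.key?('kty') && jwk['kty'] != 'RSA'
  errors << 'alg must be RS256' if jwk.key?('alg') && jwk['alg'] != 'RS256'
  # Assumption added here: refuse a JWK that carries private key material.
  leaked = PRIVATE_MEMBERS & jwk.keys
  errors << "private key members present: #{leaked.join(', ')}" unless leaked.empty?
  # Assumption added here: modulus and exponent must be unpadded base64url.
  %w[n e].each do |claim|
    next unless jwk[claim].is_a?(String) && !jwk[claim].empty?
    errors << "#{claim} is not base64url" unless jwk[claim].match?(/\A[A-Za-z0-9_-]+\z/)
  end
  errors
end

# Constructed sample settings JSON; the modulus is a short dummy value, not a real key.
SAMPLE_SETTINGS = JSON.parse(<<~SETTINGS)
  {
    "public_jwk": {
      "kty": "RSA", "e": "AQAB", "n": "c2FtcGxlLW1vZHVsdXM",
      "kid": "constructed-kid-1", "alg": "RS256", "use": "sig"
    }
  }
SETTINGS

if __FILE__ == $PROGRAM_NAME
  good = SAMPLE_SETTINGS['public_jwk']
  puts validate_public_jwk(good).inspect
  puts validate_public_jwk(good.merge('alg' => 'HS256')).inspect
  puts validate_public_jwk(good.reject { |k, _| k == 'kid' }.merge('d' => 'x')).inspect
end
```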