Weston Dransfield b6d24d5006 Consider client_id as identifier for service JWTs
This commit squashes two previously separate commits.

The individual test plans for each commit have been left intact.

Closes CNVS-59219,CNVS-59187
flag=site_admin_service_auth

Test Plan:
- Restart Canvas after pulling change
- Enable the flag
- Make valid request to the token endpoint using a
  client_credentials grant. To be valid, the following
  must be true:
  - The client_id is a usable developer key global ID
  - The client_secret is the api_key of the dev key
  - The developer key has `internal_service: true`
  - The developer key has an associated `service_user`
- Validate an access token is returned
- Make an API request using the access token. Note
  that you will need to set the User-Agent header to
  something matching the Instructure service user
  agent regexp. For example:
  ```
  inst-service-ninety-nine/1234567890ABCDEF
  ```
- Tail web logs and validate the client identifier
  used by request throttling middleware is:
  ```
  service_user_key:<global developer key ID>
  ```

Change-Id: I214823b708fedb3e811f123cb986a955f37b95c0

Allow blocking inst_access tokens by jti claims

Test Plan:
- Restart Canvas after pulling change
- Enable the flag
- Make valid request to the token endpoint using a
  client_credentials grant. To be valid, the following
  must be true:
  - The client_id is a usable developer key global ID
  - The client_secret is the api_key of the dev key
  - The developer key has `internal_service: true`
  - The developer key has an associated `service_user`
- Make an API request using the access token. Note
  that you will need to set the User-Agent header to
  something matching the Instructure service user
  agent regexp. For example:
  ```
  inst-service-ninety-nine/1234567890ABCDEF
  ```
- Tail web logs and validate the client identifier
  used by request throttling middleware is:
  ```
  service_user_key:<global developer key ID>
  ```
- Decode the access token and note the `jti` claim value
- In a Canvas Rails console, add that jti value to
  the request throttling blocklist:
  ```
  Setting.set("request_throttle.blocklist", <jti value>)
  ```
- Attempt to use the token again and validate the http
  response code is 403
- Attempt to make an API request with a standard access
  token and validate throttling middleware does not raise
  an error
- Attempt to make a request with an active session and validate
  throttling middleware does not raise an error

Change-Id: Ia8448094b7bf0281268bc3dd2d027bb934aa595c
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/323766
Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com>
Reviewed-by: Cody Cutrer <cody@instructure.com>
QA-Review: Daniel Matyas Vincze <daniel.vincze@instructure.com>
Product-Review: Weston Dransfield <wdransfield@instructure.com>
2023-09-26 22:01:14 +00:00
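The test plan above exercises two behaviours: the throttle keying a service JWT on its `client_id` (only when the User-Agent looks like an Instructure service), and a token being refused with 403 once its `jti` is on the blocklist while ordinary tokens and browser sessions keep working. The following is an added, stand-alone model of those checks written for this page; it is not Canvas code and does not reproduce `inst_access_token.rb`. Everything in it is an assumption for illustration: the User-Agent pattern `SERVICE_UA_RE`, the `user:`/`session:`/`anonymous` identifier strings used for the non-service cases, the comma-separated blocklist format, and HS256 with a constructed secret as the token signature scheme (the page does not show how real inst_access tokens are signed). The one point it is careful about, which any real implementation must share, is that the `jti` and `client_id` claims are read only after the signature has been verified, so a caller cannot dodge the blocklist by editing the payload.

```ruby
require "base64"
require "json"
require "openssl"

# Added illustration, not Canvas code. Hypothetical User-Agent pattern
# modelled on the example in the test plan (inst-service-<name>/<id>).
SERVICE_UA_RE = /\Ainst-service-[a-z0-9-]+\/[A-Za-z0-9]+\z/

# Constructed secret for the example only; a real deployment uses a
# per-service signing key and verifies with that.
EXAMPLE_SECRET = "constructed-secret-for-the-example-only"

def b64url(bytes)
  Base64.urlsafe_encode64(bytes, padding: false)
end

# Mint an HS256 JWT for the example (assumed scheme, not Canvas's).
def make_token(claims, secret = EXAMPLE_SECRET)
  header  = b64url({ alg: "HS256", typ: "JWT" }.to_json)
  payload = b64url(claims.to_json)
  signing_input = "#{header}.#{payload}"
  "#{signing_input}.#{b64url(OpenSSL::HMAC.digest('SHA256', secret, signing_input))}"
end

# Constant-time string comparison so signature checks do not leak timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Returns the claims hash only if the signature verifies, else nil.
# The algorithm is pinned: the token's own "alg" is checked, never used
# to select a verifier.
def verify_and_decode(token, secret = EXAMPLE_SECRET)
  header, payload, sig = token.split(".", -1)
  return nil unless header && payload && sig
  return nil unless JSON.parse(Base64.urlsafe_decode64(header))["alg"] == "HS256"
  expected = b64url(OpenSSL::HMAC.digest("SHA256", secret, "#{header}.#{payload}"))
  return nil unless secure_equal?(expected, sig)
  JSON.parse(Base64.urlsafe_decode64(payload))
rescue ArgumentError, JSON::ParserError
  nil
end

# Assumed blocklist format: comma-separated jti values, as one Setting string.
def blocklist(setting)
  setting.to_s.split(",").map(&:strip).reject(&:empty?)
end

# Model of the throttle's decision for one request. Returns a hash with the
# HTTP status and, on success, the identifier the throttle would key on.
def handle_request(authorization: nil, user_agent: "", blocklist_setting: "", session_user_id: nil)
  claims = nil
  if authorization.to_s.start_with?("Bearer ")
    claims = verify_and_decode(authorization.delete_prefix("Bearer "))
    return { status: 401, reason: "invalid token" } if claims.nil?
    # jti is only consulted after the signature check above succeeded.
    return { status: 403, reason: "blocked jti" } if blocklist(blocklist_setting).include?(claims["jti"])
  end

  identifier =
    if claims && claims["client_id"] && SERVICE_UA_RE.match?(user_agent.to_s)
      "service_user_key:#{claims['client_id']}"   # the case the commit adds
    elsif claims && claims["sub"]
      "user:#{claims['sub']}"                      # assumed label for a standard token
    elsif session_user_id
      "session:#{session_user_id}"                 # assumed label for a browser session
    else
      "anonymous"
    end
  { status: 200, client_identifier: identifier }
end

if __FILE__ == $PROGRAM_NAME
  svc = make_token("client_id" => "10000000000001", "jti" => "abc123")
  ua  = "inst-service-ninety-nine/1234567890ABCDEF"
  p handle_request(authorization: "Bearer #{svc}", user_agent: ua)
  p handle_request(authorization: "Bearer #{svc}", user_agent: ua, blocklist_setting: "abc123")
end
```

Run it with `ruby` to see the service identifier for the first request and a 403 for the second. Note the ordering inside `handle_request`: an unverifiable token is rejected before its `jti` is ever read, and a service token sent with a non-service User-Agent is still accepted but is not keyed as `service_user_key:` (under these assumptions it falls through to `anonymous`), which matches the test plan's instruction that the User-Agent must match for the service identifier to appear in the logs.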