ylqjgm
/
canvas-lms
mirror of https://github.com/instructure/canvas-lms.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
canvas-lms/gems/canvas_security/spec
History
Evan Battaglia 583f813092 Fix parsing of kid for key rotation 
Fixes INTEROP-7269
flag=none

The problem was introduced in
https://gerrit.instructure.com/c/canvas-lms/+/275160 which added a UUID,
to the KID. If the UUID happens to have something that looks like a
date, Time.zone.parse picks that up and doesn't return the date in the
first part of the kid. For example:

  > Time.parse "2022-01-25T17:46:59Z_d2fe13a4-b3f7-4feb-9"
  => -0009-02-04 17:46:59 UTC

This resulted in a flaky spec. It could also cause rotate_keys to rotate
keys multiple times on the first of the month (which can happen but
we're not sure why, see 89941a1d). It could also cause the keys to not
rotate (if the timestamp is in the future):

  > Time.zone.parse "2022-01-25T17:46:59Z_2feb2023-aaaa-aaaa-a"
  => Thu, 02 Feb 2023 17:46:59 UTC +00:00

Test plan:
- run Lti::KeyStorage.retrieve_keys to see the keys; then Lti::KeyStorage.rotate_keys
- retrieve keys again to see they rotated
- run rotate_keys again and make sure they haven't rotated
- class << Lti::KeyStorage; def min_rotation_period; 10.seconds; end; end
- run rotate_keys again and make sure they've rotated
- class << SecureRandom; def uuid; "2feb2023-aaaa-aaaa-a"; end; end
- run rotate_keys again and make sure they only rotate 10 seconds after
  the last time and that the kid includes that string

Change-Id: Ia67cafe3d04a650d8c6735835bb170b8dc8980ee
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/283562
Reviewed-by: Xander Moffatt <xmoffatt@instructure.com>
QA-Review: Xander Moffatt <xmoffatt@instructure.com>
Product-Review: Evan Battaglia <ebattaglia@instructure.com>
Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com>
 		2022-01-26 16:24:40 +00:00
..
canvas_security Fix parsing of kid for key rotation 2022-01-26 16:24:40 +00:00
fixtures/config pull canvas::security out into a gem 2021-03-02 20:58:55 +00:00
canvas_security_spec.rb RuboCop: Style/StringLiterals, Style/StringLiteralsInInterpolation 2021-11-25 14:03:06 +00:00
spec_helper.rb RuboCop: Style/StringLiterals, Style/StringLiteralsInInterpolation 2021-11-25 14:03:06 +00:00