#
# Copyright (C) 2016 - present Instructure, Inc.
#
# This file is part of Canvas.
#
# Canvas is free software: you can redistribute it and/or modify it under
# the terms of the GNU Affero General Public License as published by the Free
# Software Foundation, version 3 of the License.
#
# Canvas is distributed in the hope that it will be useful, but WITHOUT ANY
# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR
# A PARTICULAR PURPOSE. See the GNU Affero General Public License for more
# details.
#
# You should have received a copy of the GNU Affero General Public License along
# with this program. If not, see <http://www.gnu.org/licenses/>.
module InstFS
class << self
# Whether Canvas should talk to InstFS at all: the plugin must be switched on
# AND both the app host and the signing secret must be configured.
def enabled?
  plugin_enabled = Canvas::Plugin.find('inst_fs').enabled?
  plugin_enabled && !!(app_host && jwt_secret)
end
# Renders the InstFS "ensure session" pixel for `user`, at most once per Canvas
# session (tracked via session[:shown_instfs_pixel]). Returns nil, i.e. renders
# nothing, while an OAuth2 or pending-OTP flow is in progress, when the pixel
# was already shown, when there is no user, or when InstFS is disabled.
def login_pixel(user, session, oauth_host)
  return if session[:oauth2] # an oauth flow is in progress; don't stomp on it
  return if session[:pending_otp]
  return if session[:shown_instfs_pixel] || !user || !enabled?

  session[:shown_instfs_pixel] = true
  token = session_jwt(user, oauth_host)
  src = login_pixel_url(token: token)
  # src is the configured app host plus a query-string-encoded token
  %Q(<img src="#{src}" alt="" role="presentation" />).html_safe
end
# Ends the user's InstFS session by DELETE-ing the service's /session endpoint.
# A no-op without a user or when InstFS is disabled. HTTP failures are reported
# to Canvas::Errors rather than raised, so logout never fails because of InstFS.
def logout(user)
  return if !user || !enabled?

  url = logout_url(user)
  CanvasHttp.delete(url)
rescue CanvasHttp::Error => e
  # NOTE: reported under the :page_view tag, as in the original code
  Canvas::Errors.capture_exception(:page_view, e)
end
# Signed url for downloading/viewing `attachment` through InstFS.
# `options` are forwarded to access_jwt; `options[:download]` additionally
# adds `download=1` to the query string.
def authenticated_url(attachment, options={})
  token = access_jwt(access_path(attachment), options)
  download = options[:download] ? { download: 1 } : {}
  access_url(attachment, { token: token }.merge(download))
end
# Url of the service's /session endpoint carrying a logout token for `user`.
def logout_url(user)
  service_url("/session", token: logout_jwt(user))
end
# Signed url for `attachment`'s thumbnail. `options` are forwarded to
# access_jwt; `options[:geometry]` is passed through as a query parameter.
def authenticated_thumbnail_url(attachment, options={})
  token = access_jwt(thumbnail_path(attachment), options)
  geometry = options[:geometry] ? { geometry: options[:geometry] } : {}
  thumbnail_url(attachment, { token: token }.merge(geometry))
end
# Url of the service's /references endpoint with a short-lived export token.
def export_references_url
  service_url("/references", token: export_references_jwt)
end
# Base url of the InstFS service, from the "app-host" dynamic setting
# (nil when unset or when the settings lookup timed out).
def app_host
  host = setting("app-host")
  host
end
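# All configured InstFS keys, decoded from the whitespace-separated,
# base64-encoded "secret" setting. The first key signs (see jwt_secret); all of
# them are accepted when validating (see validate_capture_jwt). Returns [] when
# the setting is absent.
#
# Bare String#split is used deliberately: split(/\s+/) keeps a leading empty
# field, so a setting value with leading whitespace would have yielded "" as the
# first key (Base64.decode64("") == ""), which jwt_secret would then have used
# for signing. Bare split drops leading and trailing whitespace fields.
def jwt_secrets
  raw = setting("secret")
  return [] unless raw

  raw.split.map { |encoded| Base64.decode64(encoded) }
end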
# The signing key. With several keys configured (to validate tokens signed by
# either key during a rotation) the foremost one is the one used for signing.
def jwt_secret
  keys = jwt_secrets
  keys.first
end
# True when `token` decodes and verifies against any of the configured keys,
# false for any decoding/verification failure (the error itself is discarded).
def validate_capture_jwt(token)
  Canvas::Security.decode_jwt(token, jwt_secrets)
  true
rescue StandardError
  false
end
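# Builds the "preflight" response a client needs to upload a file straight to
# InstFS: the upload url, the form params to send with it, and (inside the url)
# a signed upload token that tells InstFS where to report the capture back to
# Canvas (`capture_url`) and with which params.
#
# `target_url` and `progress_json` describe an InstFS-side fetch of a remote url
# instead of a browser upload; they must be given together or not at all. When
# given, the client sends no file part (`file_param` is nil), `target_url` is
# passed in upload_params and the progress id travels in the capture params.
#
# @raise [ArgumentError] if exactly one of target_url / progress_json is given
def upload_preflight_json(context:, root_account:, user:, acting_as:, access_token:, folder:, filename:,
                          content_type:, quota_exempt:, on_duplicate:, capture_url:, target_url: nil,
                          progress_json: nil, include_param: nil, additional_capture_params: {})
  unless !!target_url == !!progress_json
    raise ArgumentError, "target_url and progress_json must be given together or not at all"
  end

  # explicit keys win over anything the caller put in additional_capture_params
  capture_params = additional_capture_params.merge(
    context_type: context.class.to_s,
    context_id: context.global_id.to_s,
    user_id: acting_as.global_id.to_s,
    folder_id: folder&.global_id&.to_s,
    root_account_id: root_account.global_id.to_s,
    quota_exempt: !!quota_exempt,
    on_duplicate: on_duplicate,
    progress_id: progress_json && progress_json[:id],
    include: include_param
  )
  token = upload_jwt(
    user: user,
    acting_as: acting_as,
    access_token: access_token,
    root_account: root_account,
    capture_url: capture_url,
    capture_params: capture_params
  )

  upload_params = { filename: filename, content_type: content_type }
  upload_params[:target_url] = target_url if target_url

  {
    file_param: target_url ? nil : 'file',
    progress: progress_json,
    upload_url: upload_url(token),
    upload_params: upload_params
  }
end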
# Uploads `file_object` to InstFS from Canvas itself (no browser involved), as a
# multipart form field named `file_name`, authenticated with a short-lived
# direct-upload token. Returns the new file's instfs_uuid.
#
# Example:
#   InstFS.direct_upload(file_name: "a.png", file_object: File.open("public/images/a.png"))
#
# @raise [InstFS::DirectUploadError] on any non-201 response, or a 201 whose body
#   lacks "instfs_uuid"; the raw response body is embedded in the message.
def direct_upload(file_name:, file_object:)
  url = "#{app_host}/files?token=#{direct_upload_jwt}"
  form = { file_name => file_object }
  response = CanvasHttp.post(url, form_data: form, multipart: true, streaming: true)

  unless response.instance_of?(Net::HTTPCreated)
    raise InstFS::DirectUploadError, "received code \"#{response.code}\" from service, with message \"#{response.body}\""
  end

  parsed = JSON.parse(response.body)
  return parsed["instfs_uuid"] if parsed.key?("instfs_uuid")

  raise InstFS::DirectUploadError, "upload succeeded, but response did not contain an \"instfs_uuid\" key"
end
# Asks InstFS to copy the file `instfs_uuid`; returns the id of the copy.
#
# @raise [InstFS::DuplicationError] on any non-201 response, or a 201 whose body
#   lacks "id"; the raw response body is embedded in the message.
def duplicate_file(instfs_uuid)
  url = "#{app_host}/files/#{instfs_uuid}/duplicate?token=#{duplicate_file_jwt(instfs_uuid)}"
  response = CanvasHttp.post(url)

  unless response.instance_of?(Net::HTTPCreated)
    raise InstFS::DuplicationError, "received code \"#{response.code}\" from service, with message \"#{response.body}\""
  end

  parsed = JSON.parse(response.body)
  return parsed["id"] if parsed.key?("id")

  raise InstFS::DuplicationError, "duplication succeeded, but response did not contain an \"id\" key"
end
# Deletes the file `instfs_uuid` from InstFS. Returns true on a 200 response.
#
# @raise [InstFS::DeletionError] on any other response; the raw response body is
#   embedded in the message.
def delete_file(instfs_uuid)
  url = "#{app_host}/files/#{instfs_uuid}?token=#{delete_file_jwt(instfs_uuid)}"
  response = CanvasHttp.delete(url)
  return true if response.instance_of?(Net::HTTPOK)

  raise InstFS::DeletionError, "received code \"#{response.code}\" from service, with message \"#{response.body}\""
end
private
# Reads `key` from the "inst-fs" dynamic settings (cached for 5 minutes).
# A settings-store timeout is reported to Canvas::Errors and yields nil, so a
# slow store degrades to "InstFS not configured" rather than an error.
def setting(key)
  settings = Canvas::DynamicSettings.find(service: "inst-fs", default_ttl: 5.minutes)
  settings[key]
rescue Imperium::TimeoutError => e
  Canvas::Errors.capture_exception(:inst_fs, e)
  nil
end
# Absolute url for `path` on the InstFS app host. When `query_params` is given
# it is appended as a query string via to_query (which url-encodes the values).
def service_url(path, query_params=nil)
  base = "#{app_host}#{path}"
  return base unless query_params

  "#{base}?#{query_params.to_query}"
end
# Url of the /session/ensure endpoint the login pixel points at.
def login_pixel_url(query_params)
  path = "/session/ensure"
  service_url(path, query_params)
end
# Full url of `attachment`'s file resource with the given query parameters.
def access_url(attachment, query_params)
  path = access_path(attachment)
  service_url(path, query_params)
end
# Full url of `attachment`'s thumbnail resource with the given query parameters.
def thumbnail_url(attachment, query_params)
  path = thumbnail_path(attachment)
  service_url(path, query_params)
end
# Url of the /files upload endpoint; the token, when given, is the only query
# parameter.
def upload_url(token=nil)
  service_url("/files", token && { token: token })
end
# Path of `attachment`'s file resource: "/files/<instfs_uuid>", followed by the
# display name (or filename) as an extra segment when one exists. The name is
# percent-encoded leaving only RFC 3986 unreserved characters, so "/" and "?" in
# user-supplied names cannot alter the path or start a query string.
def access_path(attachment)
  path = "/files/#{attachment.instfs_uuid}"
  name = attachment.display_name || attachment.filename
  return path unless name

  unreserved = Addressable::URI::CharacterClasses::UNRESERVED
  "#{path}/#{Addressable::URI.encode_component(name, unreserved)}"
end
# Path of `attachment`'s thumbnail resource on the service.
def thumbnail_path(attachment)
  uuid = attachment.instfs_uuid
  "/thumbnails/#{uuid}"
end
# Signs `claims` with the foremost configured key using HS512.
# `expires_at` may be an absolute Time or an ActiveSupport::Duration, in which
# case it is taken relative to now.
def service_jwt(claims, expires_at)
  expiry = expires_at.respond_to?(:from_now) ? expires_at.from_now : expires_at
  Canvas::Security.create_jwt(claims, expiry, jwt_secret, :HS512)
end
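# Rounds `number` down to a multiple of `step`, towards negative infinity like
# Integer#/ (floor_to(10, 3) => 9, floor_to(-1, 3) => -3). The previous divmod
# form bound an unused `remainder` local; `number % step` has the same sign
# semantics as divmod, so the result is unchanged.
#
# @raise [ZeroDivisionError] when step is 0
def floor_to(number, step)
  number - (number % step)
end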
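# If every token said it was created at Time.now, the token (and so the url it
# is embedded in) would change on every request and no browser could ever serve
# it from cache: every dashboard load would re-download every thumbnail. But if
# all tokens expired at the same instant we would get a thundering herd at the
# end of that cache window.
#
# So all tokens for a given resource claim the same issue time within a window
# of half `expires_in`: the browser can cache the url for at least half and at
# most the full expiration time. Instead of aligning windows to the hour or the
# day, each resource gets its own offset, evenly spread across the window.
#
# The offset must be the same in every Canvas process, otherwise each process
# would hand out a different url for the same resource and the caching would
# not work across a multi-process deployment. String#hash is seeded per
# process, so a process-independent checksum (crc32) is used instead.
#
# `resource` is the path the token grants access to; `expires_in` is in seconds
# (an ActiveSupport::Duration works via to_i). Returns an integer unix time
# that is never in the future.
def consistent_iat(resource, expires_in)
  require "zlib" # stdlib; required here rather than assumed to be preloaded

  now = Time.now.utc.to_i
  window = expires_in.to_i / 2
  # an expiry under two seconds leaves no window to spread over
  return now if window <= 0

  offset = Zlib.crc32(resource.to_s) % window
  window_start = floor_to(now, window)
  # step back a window if the offset would put the issue time in the future
  window_start -= window if window_start + offset > now
  window_start + offset
end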
# Token granting access to `resource` (a file or thumbnail path).
#
# `expires_in` comes from options[:expires_in] or the
# instfs.access_jwt.expiration_hours setting (default 24h). When it is at least
# an hour and instfs.access_jwt.use_consistent_iat is on, the issue time comes
# from consistent_iat so that urls stay cacheable; otherwise it is now. The
# claims carry the user's global id, the oauth host, and — only when the actor
# differs from the user — the masquerading user's id; access-token claims are
# added by amend_claims_for_access_token.
def access_jwt(resource, options={})
  expires_in = options[:expires_in] || Setting.get('instfs.access_jwt.expiration_hours', '24').to_i.hours
  cacheable = expires_in >= 1.hour.to_i &&
              Setting.get('instfs.access_jwt.use_consistent_iat', 'true') == "true"
  iat = cacheable ? consistent_iat(resource, expires_in) : Time.now.utc.to_i

  user = options[:user]
  acting_as = options[:acting_as]
  claims = {
    iat: iat,
    user_id: user&.global_id&.to_s,
    resource: resource,
    host: options[:oauth_host]
  }
  claims[:acting_as_user_id] = acting_as.global_id.to_s if acting_as && acting_as != user
  amend_claims_for_access_token(claims, options[:access_token], options[:root_account])

  service_jwt(claims, Time.zone.at(iat) + expires_in)
end
# Token authorizing an upload to /files. Carries the capture url and params
# InstFS will call back with, the user's global id, the masquerading user's id
# when `acting_as` differs from `user`, and any access-token claims. Lifetime
# comes from instfs.upload_jwt.expiration_minutes (default 10).
def upload_jwt(user:, acting_as:, access_token:, root_account:, capture_url:, capture_params:)
  ttl = Setting.get('instfs.upload_jwt.expiration_minutes', '10').to_i.minutes
  claims = {
    iat: Time.now.utc.to_i,
    user_id: user.global_id.to_s,
    resource: "/files",
    capture_url: capture_url,
    capture_params: capture_params
  }
  claims[:acting_as_user_id] = acting_as.global_id.to_s if acting_as != user
  amend_claims_for_access_token(claims, access_token, root_account)

  service_jwt(claims, ttl)
end
# Token for a server-side (no user) upload to /files; the host claim is the
# literal "canvas". Lifetime comes from instfs.upload_jwt.expiration_minutes
# (default 10).
def direct_upload_jwt
  ttl = Setting.get('instfs.upload_jwt.expiration_minutes', '10').to_i.minutes
  claims = {
    iat: Time.now.utc.to_i,
    user_id: nil,
    host: "canvas",
    resource: "/files",
  }
  service_jwt(claims, ttl)
end
# Token for the /session/ensure login pixel, binding the user's global id to
# `host`. Lifetime comes from instfs.session_jwt.expiration_minutes (default 5).
def session_jwt(user, host)
  ttl = Setting.get('instfs.session_jwt.expiration_minutes', '5').to_i.minutes
  claims = {
    iat: Time.now.utc.to_i,
    user_id: user.global_id&.to_s,
    host: host,
    resource: '/session/ensure'
  }
  service_jwt(claims, ttl)
end
# Token for deleting the user's /session. Lifetime comes from
# instfs.logout_jwt.expiration_minutes (default 5).
def logout_jwt(user)
  ttl = Setting.get('instfs.logout_jwt.expiration_minutes', '5').to_i.minutes
  claims = {
    iat: Time.now.utc.to_i,
    user_id: user.global_id&.to_s,
    resource: '/session'
  }
  service_jwt(claims, ttl)
end
# Token for the /references export endpoint; carries no user.
# NOTE(review): the lifetime is read from instfs.logout_jwt.expiration_minutes,
# i.e. it shares the logout token's setting rather than having its own — kept
# as is since changing the key would change which setting is consulted.
def export_references_jwt
  ttl = Setting.get('instfs.logout_jwt.expiration_minutes', '5').to_i.minutes
  claims = {
    iat: Time.now.utc.to_i,
    resource: '/references'
  }
  service_jwt(claims, ttl)
end
# Token scoped to duplicating the single file `instfs_uuid`. Lifetime comes from
# instfs.duplicate_file_jwt.expiration_minutes (default 5).
def duplicate_file_jwt(instfs_uuid)
  ttl = Setting.get('instfs.duplicate_file_jwt.expiration_minutes', '5').to_i.minutes
  claims = {
    iat: Time.now.utc.to_i,
    resource: "/files/#{instfs_uuid}/duplicate"
  }
  service_jwt(claims, ttl)
end
# Token scoped to the single file `instfs_uuid` (used for deletion). Lifetime
# comes from instfs.delete_file_jwt.expiration_minutes (default 5).
def delete_file_jwt(instfs_uuid)
  ttl = Setting.get('instfs.delete_file_jwt.expiration_minutes', '5').to_i.minutes
  claims = {
    iat: Time.now.utc.to_i,
    resource: "/files/#{instfs_uuid}"
  }
  service_jwt(claims, ttl)
end
# Mutates `claims` in place: for a whitelisted API access token, adds the
# legacy developer-key and root-account ids so InstFS can recognise legacy API
# consumers. Does nothing without an access token or for non-whitelisted ones.
def amend_claims_for_access_token(claims, access_token, root_account)
  return unless access_token
  # TODO: long term solution for updated (non-whitelisted) API consumers goes here
  return unless whitelisted_access_token?(access_token)

  # temporary workaround for legacy API consumers
  claims[:legacy_api_developer_key_id] = access_token.global_developer_key_id.to_s
  claims[:legacy_api_root_account_id] = root_account.global_id.to_s
end
# Whether `access_token`'s developer key is on the InstFS whitelist: true for
# everyone when instfs.whitelist_all_developer_keys is 'true', otherwise only
# when the key's global id appears in the comma-separated
# instfs.whitelisted_developer_key_global_ids setting. nil tokens are never
# whitelisted.
def whitelisted_access_token?(access_token)
  return false if access_token.nil?
  return true if Setting.get('instfs.whitelist_all_developer_keys', 'false') == 'true'

  # to_i on each entry: ids are compared as integers
  allowed_ids = Setting.get('instfs.whitelisted_developer_key_global_ids', '').split(',').map(&:to_i)
  allowed_ids.include?(access_token.global_developer_key_id)
end
end
# Raised by direct_upload when InstFS does not answer 201 or omits instfs_uuid.
class DirectUploadError < StandardError
end
# Raised by duplicate_file when InstFS does not answer 201 or omits the new id.
class DuplicationError < StandardError
end
# Raised by delete_file when InstFS does not answer 200.
class DeletionError < StandardError
end
end