From a493b8db3e411a3f725dda51c4cf4aeeb2f8dd77 Mon Sep 17 00:00:00 2001 From: Mariam A Date: Thu, 21 Sep 2023 13:38:28 -0400 Subject: [PATCH 1/2] LTI-266: Pull tenant credentials from broker (#233) * LTI-266: Pull tenant credentials from broker * fix for backwards compatibility --------- Co-authored-by: Jesus Federico --- lib/bbb/credentials.rb | 65 ++++++++++++++++++++++++++++-------------- 1 file changed, 44 insertions(+), 21 deletions(-) diff --git a/lib/bbb/credentials.rb b/lib/bbb/credentials.rb index 24542a04..4aba80d9 100644 --- a/lib/bbb/credentials.rb +++ b/lib/bbb/credentials.rb @@ -22,6 +22,8 @@ module Bbb class Credentials + include OmniauthHelper + attr_writer :cache, :cache_enabled, :multitenant_api_endpoint, :multitenant_api_secret # Rails.cache store is assumed. # Enabled by default. def initialize(endpoint, secret) @@ -34,14 +36,10 @@ def initialize(endpoint, secret) end def endpoint(tenant) - return fix_bbb_endpoint_format(@endpoint) if tenant.blank? - fix_bbb_endpoint_format(tenant_endpoint(tenant)) end def secret(tenant) - return @secret if tenant.blank? - tenant_secret(tenant) end 
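Review bot: With the `tenant.blank?` early returns removed from `endpoint` and `secret`, the single-tenant path now runs through `tenant_endpoint`/`tenant_secret` and, judging by the later hunk, through `fetch_tenant_info('')`, i.e. an authenticated `GET /api/v1/tenants/` against the broker plus a `JSON.parse` of `TENANT_CREDENTIALS`, before it falls back to `@endpoint`/`@secret`. That broker request is wasted on every cache miss in single-tenant deployments and, if the broker treats the empty id as its collection route, may return a JSON array that the later `tenant_info&.[]('settings')` cannot index. A guard at the top of `fetch_tenant_info`, `return nil if tenant.blank?`, keeps the single-tenant case off the network. Both methods are shown in full here; the fallback logic they now rely on lives in the following hunk.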
@@ -56,29 +54,45 @@ def tenant_secret(tenant) end def tenant_info(tenant, key) - info = fetch_tenant_info(tenant) + info = formatted_tenant_info(tenant) return if info.nil? info[key] end - ## - # TODO: This new mechanism for tenant_credentials should be discarded when tenant settings are implemented in the brocker (LTI-172). - ## - def fetch_tenant_info(tenant) - tenant_credentials = JSON.parse(Rails.configuration.tenant_credentials)[tenant] - - raise 'Multitenant API not defined' if (@multitenant_api_endpoint.nil? || @multitenant_api_secret.nil?) && tenant_credentials.nil? - - # Check up cached info. + def formatted_tenant_info(tenant) if @cache_enabled - cached_tenant = @cache.fetch("#{tenant}/api") + cached_tenant = @cache.fetch("#{tenant}/tenantInfo") return cached_tenant unless cached_tenant.nil? end - if tenant_credentials - response = { 'apiURL' => tenant_credentials['bigbluebutton_url'], 'secret' => tenant_credentials['bigbluebutton_secret'] } - else + # Get tenant info from broker + tenant_info = fetch_tenant_info(tenant) + + # Get tenant credentials from TENANT_CREDENTIALS environment variable + tenant_credentials = JSON.parse(Rails.configuration.tenant_credentials)[tenant] + + raise 'Tenant does not exist' if tenant_info.nil? && tenant_credentials.nil? && tenant.present? + + # use credentials from broker first, if not found then use env variable, and then use bbb_endpoint & bbb_secret if single tenant + tenant_settings = tenant_info&.[]('settings') + + api_url = tenant_settings&.[]('bigbluebutton_url') || + tenant_credentials&.[]('bigbluebutton_url') || + (@endpoint if tenant.blank?) + + secret = tenant_settings&.[]('bigbluebutton_secret') || + tenant_credentials&.[]('bigbluebutton_secret') || + (@secret if tenant.blank?) + + missing_creds = !(api_url && secret) + + raise 'Bigbluebutton credentials not found' if tenant.blank? && missing_creds + + raise 'Multitenant API not defined' if tenant.present? && missing_creds && (@multitenant_api_endpoint.nil? 
|| @multitenant_api_secret.nil?) + + # get the api URL and secret from the LB if not defined in tenant settings + if missing_creds # Build the URI. uri = encoded_url( "#{@multitenant_api_endpoint}api/getUser", @@ -88,14 +102,23 @@ def fetch_tenant_info(tenant) http_response = http_request(uri) response = parse_response(http_response) + response['settings'] = tenant_settings end - # Return the user credentials if the request succeeded on the External Tenant Manager. - @cache.fetch("#{tenant}/api", expires_in: 1.hour) do - response + @cache.fetch("#{tenant}/tenantInfo", expires_in: 1.hour) do + response || { 'apiURL' => api_url, 'secret' => secret, 'settings' => tenant_settings } end end + def fetch_tenant_info(tenant) + bbbltibroker_url = omniauth_bbbltibroker_url("/api/v1/tenants/#{tenant}") + get_response = RestClient.get(bbbltibroker_url, 'Authorization' => "Bearer #{omniauth_client_token(omniauth_bbbltibroker_url)}") + JSON.parse(get_response) + rescue StandardError + Rails.logger.error('Could not fetch tenant credentials from broker') + nil + end + def http_request(uri) # Make the request. http = Net::HTTP.new(uri.host, uri.port) From 7fe9caa25db0d1ac63f31d9fd7a1ddeabc8b4d0b Mon Sep 17 00:00:00 2001 From: Jesus Federico Date: Thu, 21 Sep 2023 13:45:49 -0400 Subject: [PATCH 2/2] [Snyk] Security upgrade web-console from 4.2.0 to 4.2.1 (#241) * fix: Gemfile & Gemfile.lock to reduce vulnerabilities The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-RUBY-RACK-1061917 * Update Gemfile.lock --------- Co-authored-by: snyk-bot --- Gemfile | 2 +- Gemfile.lock | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/Gemfile b/Gemfile index 29fb0809..0b0ecba2 100644 --- a/Gemfile +++ b/Gemfile 
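Review bot: The new `raise 'Tenant does not exist'` fires whenever `fetch_tenant_info` returned nil, but that helper (next hunk) also returns nil on any `StandardError`, so a broker outage, an expired client token or a 5xx is reported as a non-existent tenant for any tenant absent from `TENANT_CREDENTIALS`, while for tenants that are present the lookup silently degrades to the env-var or load-balancer credentials and caches that result under `"#{tenant}/tenantInfo"` for an hour. `formatted_tenant_info` cannot tell "not found" from "unreachable" and the two deserve different handling. Have the helper surface the distinction, e.g. return nil only for a `RestClient::NotFound` and re-raise otherwise, or at least skip the `@cache.fetch` write when the broker call failed rather than succeeded with no tenant. Until then a comment on the raise line, `# nil from the broker may also mean the broker call itself failed; see fetch_tenant_info`, would warn readers. `formatted_tenant_info` continues past the end of this hunk.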
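Review bot: `omniauth_bbbltibroker_url("/api/v1/tenants/#{tenant}")` in the new `fetch_tenant_info` interpolates `tenant` into the request path unencoded; if the tenant identifier can be influenced by a request (it is also used verbatim as a cache-key prefix), characters such as `/`, `?` or `#` would let a caller steer the broker lookup to a different route. Encode it, `omniauth_bbbltibroker_url("/api/v1/tenants/#{ERB::Util.url_encode(tenant)}")`, or validate the identifier against an allow-list pattern before use. Separately, the `rescue StandardError` logs only a fixed string, so an auth failure against the broker looks identical to a network error; bind the exception (`rescue StandardError => e`) and log `"Could not fetch tenant credentials from broker: #{e.class}: #{e.message}"`, taking care that the Bearer token never reaches the log. The parsed body is also assumed to be a Hash with a `'settings'` key; a `return nil unless parsed.is_a?(Hash)` after `JSON.parse` would keep an unexpected response shape from surfacing as a `TypeError` in the caller.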
@@ -56,7 +56,7 @@ end group :development do # Access an interactive console on exception pages or by calling 'console' anywhere in the code. gem 'listen', '>= 3.0.5', '< 3.2' - gem 'web-console', '>= 4.2.0' + gem 'web-console', '>= 4.2.1' # Spring speeds up development by keeping your application running in the background. Read more: https://github.com/rails/spring gem 'spring' gem 'spring-watcher-listen', '~> 2.0.0' diff --git a/Gemfile.lock b/Gemfile.lock index d84db15a..c63ce719 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -383,7 +383,7 @@ GEM unf_ext (0.0.8.2) unicode-display_width (2.4.2) version_gem (1.1.2) - web-console (4.2.0) + web-console (4.2.1) actionview (>= 6.0.0) activemodel (>= 6.0.0) bindex (>= 0.4.0) @@ -458,7 +458,7 @@ DEPENDENCIES turbolinks (~> 5) tzinfo-data uglifier (>= 1.3.0) - web-console (>= 4.2.0) + web-console (>= 4.2.1) webdrivers webmock webpacker (~> 6.0.0.rc.5)