Class: InstAccess::Token

Inherits:

Object

• Object
• InstAccess::Token

Defined in:

lib/inst_access/token.rb

Constant Summary

ISSUER =

'instructure:inst_access'

ENCRYPTION_ALGO =

:'RSA-OAEP'

ENCRYPTION_METHOD =

:'A128CBC-HS256'

Instance Attribute Summary

• #jwt_payload ⇒ Object readonly

  Returns the value of attribute jwt_payload.

Class Method Summary

• .for_user(user_uuid: nil, account_uuid: nil, canvas_domain: nil, real_user_uuid: nil, real_user_shard_id: nil, user_global_id: nil, real_user_global_id: nil, region: nil, client_id: nil, instructure_service: nil, canvas_shard_id: nil) ⇒ Object

  rubocop:disable Metrics/ParameterLists.

• .from_token_string(jws) ⇒ Object

  Takes an unencrypted (but signed) token string.

• .token?(string) ⇒ Boolean

Instance Method Summary

• #account_uuid ⇒ Object
• #canvas_domain ⇒ Object
• #canvas_shard_id ⇒ Object
• #client_id ⇒ Object
• #initialize(jwt_payload) ⇒ Token constructor

  A new instance of Token.

• #instructure_service? ⇒ Boolean
• #jti ⇒ Object
• #masquerading_user_shard_id ⇒ Object
• #masquerading_user_uuid ⇒ Object
• #region ⇒ Object
• #to_token_string ⇒ Object
• #to_unencrypted_token_string ⇒ Object

  only for testing purposes, or to do local dev w/o running a decrypting service.

• #user_uuid ⇒ Object

Constructor Details

#initialize(jwt_payload) ⇒ Token

Returns a new instance of Token.

# File 'lib/inst_access/token.rb', line 29

def initialize(jwt_payload)
  @jwt_payload = jwt_payload.symbolize_keys
end

Instance Attribute Details

#jwt_payload ⇒ Object (readonly)

Returns the value of attribute jwt_payload.

# File 'lib/inst_access/token.rb', line 27

def jwt_payload
  @jwt_payload
end

Class Method Details

.for_user(user_uuid: nil, account_uuid: nil, canvas_domain: nil, real_user_uuid: nil, real_user_shard_id: nil, user_global_id: nil, real_user_global_id: nil, region: nil, client_id: nil, instructure_service: nil, canvas_shard_id: nil) ⇒ Object

rubocop:disable Metrics/ParameterLists

Raises:

• (ArgumentError)

# File 'lib/inst_access/token.rb', line 98

def for_user(
  user_uuid: nil,
  account_uuid: nil,
  canvas_domain: nil,
  real_user_uuid: nil,
  real_user_shard_id: nil,
  user_global_id: nil,
  real_user_global_id: nil,
  region: nil,
  client_id: nil,
  instructure_service: nil,
  canvas_shard_id: nil
)
  raise ArgumentError, 'Must provide user uuid and account uuid' if user_uuid.blank? || account_uuid.blank?

  now = Time.now.to_i

  payload = {
    iss: ISSUER,
    jti: SecureRandom.uuid,
    iat: now,
    exp: now + 1.hour.to_i,
    sub: user_uuid,
    acct: account_uuid,
    canvas_domain: canvas_domain,
    masq_sub: real_user_uuid,
    masq_shard: real_user_shard_id,
    debug_user_global_id: user_global_id&.to_s,
    debug_masq_global_id: real_user_global_id&.to_s,
    region: region,
    client_id: client_id,
    instructure_service: instructure_service,
    canvas_shard_id: canvas_shard_id
  }.compact

  new(payload)
end

.from_token_string(jws) ⇒ Object

Takes an unencrypted (but signed) token string

Raises:

• (TokenExpired)

# File 'lib/inst_access/token.rb', line 138

def from_token_string(jws)
  sig_key = InstAccess.config.signing_key
  jwt = begin
    JSON::JWT.decode(jws, sig_key)
  rescue StandardError => e
    raise InvalidToken, e
  end
  raise TokenExpired if jwt[:exp] < Time.now.to_i

  new(jwt.to_hash)
end

.token?(string) ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/inst_access/token.rb', line 150

def token?(string)
  jwt = JSON::JWT.decode(string, :skip_verification)
  jwt[:iss] == ISSUER
rescue StandardError
  false
end

Instance Method Details

#account_uuid ⇒ Object

# File 'lib/inst_access/token.rb', line 37

def account_uuid
  jwt_payload[:acct]
end

#canvas_domain ⇒ Object

# File 'lib/inst_access/token.rb', line 41

def canvas_domain
  jwt_payload[:canvas_domain]
end

#canvas_shard_id ⇒ Object

# File 'lib/inst_access/token.rb', line 65

def canvas_shard_id
  jwt_payload[:canvas_shard_id]
end

#client_id ⇒ Object

# File 'lib/inst_access/token.rb', line 57

def client_id
  jwt_payload[:client_id]
end

#instructure_service? ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/inst_access/token.rb', line 61

def instructure_service?
  jwt_payload[:instructure_service] == true
end

#jti ⇒ Object

# File 'lib/inst_access/token.rb', line 69

def jti
  jwt_payload[:jti]
end

#masquerading_user_shard_id ⇒ Object

# File 'lib/inst_access/token.rb', line 49

def masquerading_user_shard_id
  jwt_payload[:masq_shard]
end

#masquerading_user_uuid ⇒ Object

# File 'lib/inst_access/token.rb', line 45

def masquerading_user_uuid
  jwt_payload[:masq_sub]
end

#region ⇒ Object

# File 'lib/inst_access/token.rb', line 53

def region
  jwt_payload[:region]
end

#to_token_string ⇒ Object

# File 'lib/inst_access/token.rb', line 73

def to_token_string
  jwe = to_jws.encrypt(InstAccess.config.encryption_key, ENCRYPTION_ALGO, ENCRYPTION_METHOD)
  jwe.to_s
end

#to_unencrypted_token_string ⇒ Object

only for testing purposes, or to do local dev w/o running a decrypting service. unencrypted tokens should not be released into the wild!

# File 'lib/inst_access/token.rb', line 80

def to_unencrypted_token_string
  to_jws.to_s
end

#user_uuid ⇒ Object

# File 'lib/inst_access/token.rb', line 33

def user_uuid
  jwt_payload[:sub]
end