support for trusted developer keys

fixes CAT-66

Auto-authorize trusted developer keys during without prompting the end-
user. This will allow for more seamless integrations with other in-house
apps.

Also fix remember-me access so it works when you re-auth into canvas
(previously it only worked if you were already authenticated into
canvas)

Expand test coverage around oauth login scenarios

test plan setup:
* set up a web-based oauth integration with canvas
* ensure your app doesn't currently pass force_login=1 during oauth
* ensure your app doesn't currently delete access tokens during logout
* for part 2, ensure your app uses the /auth/userinfo scope (for part
  1 it doesn't matter)
* for part 3, ensure your app does token request flow (not userinfo)

test plan part 1 (trusted keys):
1. in the canvas console, set trusted=true on the app's developer key
2. do an oauth login as and end-user
3. confirm that you are authenticated into the app without being prompted
   to give it canvas access
4. log out of the app (but not canvas)
5. click to log in again
6. confirm that you are automagically logged in without any prompts

test plan part 2 (remember access):
1. in the canvas console, set trusted=false on the app's developer key (or
   set up your app to use a different one)
2. do an oauth login as and end-user
3. confirm that you are prompted to authorize the app
4. check the box to remember access
5. log out of canvas and the app
6. do an oauth login again
7. confirm you are not prompted to authorize the app
8. log out of the app (but not canvas)
9. click to log in again
10. confirm that you are automagically logged in without any prompts

test plan part 3 (untrusted key, not-userinfo)
1. in the canvas console, set trusted=false on the app's developer key (or
   set up your app to use a different one)
2. do an oauth login as and end-user
3. confirm that you are prompted to authorize the app
4. confirm there is no box to remember access
5. log out of canvas and the app
6. do an oauth login again
7. confirm you are prompted to authorize the app again
8. log out of the app (but not canvas)
9. click to log in again
10. confirm that are prompted to authorize the app again

Change-Id: Ifb2eb29e4da163b595cb070455ebae21a4618ba4
Reviewed-on: https://gerrit.instructure.com/32926
Tested-by: Jenkins <jenkins@instructure.com>
Reviewed-by: Jon Jensen <jon@instructure.com>
Product-Review: Marc LeGendre <marc@instructure.com>
QA-Review: Marc LeGendre <marc@instructure.com>

Author: theluxembourg

app/controllers/pseudonym_sessions_controller.rb

@@ -567,8 +567,9 @@ def successful_login(user, pseudonym, otp_passed = false)
     session[:require_terms] = true if @domain_root_account.require_acceptance_of_terms?(@current_user)
 
     respond_to do |format|
-      if session[:oauth2]
-        return redirect_to(oauth2_auth_confirm_url)
+      if oauth = session[:oauth2]
+        provider = Canvas::Oauth::Provider.new(oauth[:client_id], oauth[:redirect_uri], oauth[:scopes], oauth[:purpose])
+        return oauth2_confirmation_redirect(provider)
       elsif session[:course_uuid] && user && (course = Course.find_by_uuid_and_workflow_state(session[:course_uuid], "created"))
         claim_session_course(course, user)
         format.html { redirect_to(course_url(course, :login_success => '1')) }
@@ -629,11 +630,7 @@ def oauth2_auth
     session[:oauth2][:state] = params[:state] if params.key?(:state)
 
     if @current_pseudonym && !params[:force_login]
-      if provider.authorized_token? @current_user
-        final_oauth2_redirect(session[:oauth2][:redirect_uri], final_oauth2_redirect_params)
-      elsif
-        redirect_to oauth2_auth_confirm_url
-      end
+      oauth2_confirmation_redirect(provider)
     else
       redirect_to login_url(params.slice(:canvas_login, :pseudonym_session, :force_login))
     end
@@ -687,6 +684,15 @@ def oauth2_logout
     render :json => {}
   end
 
+  def oauth2_confirmation_redirect(provider)
+    # skip the confirmation page if access is already (or automatically) granted
+    if provider.authorized_token?(@current_user)
+      final_oauth2_redirect(session[:oauth2][:redirect_uri], final_oauth2_redirect_params)
+    else
+      redirect_to oauth2_auth_confirm_url
+    end
+  end
+
   def final_oauth2_redirect_params(options = {})
     options = {:scopes => session[:oauth2][:scopes], :remember_access => options[:remember_access], :purpose => session[:oauth2][:purpose]}
     code = Canvas::Oauth::Token.generate_code_for(@current_user.global_id, session[:oauth2][:client_id], options)

app/models/access_token.rb

@@ -97,6 +97,10 @@ def visible_token
 
   #Scoped token convenience method
   def scoped_to?(req_scopes)
+    self.class.scopes_match?(scopes, req_scopes)
+  end
+
+  def self.scopes_match?(scopes, req_scopes)
     return req_scopes.size == 0 if scopes.nil?
 
     scopes.size == req_scopes.size &&

db/migrate/20140402204820_add_trusted_to_developer_keys.rb

@@ -0,0 +1,11 @@
+class AddTrustedToDeveloperKeys < ActiveRecord::Migration
+  tag :predeploy
+
+  def self.up
+    add_column :developer_keys, :trusted, :boolean
+  end
+
+  def self.down
+    remove_column :developer_keys, :trusted
+  end
+end

lib/canvas/oauth/provider.rb

@@ -42,14 +42,15 @@ def key
       @key ||= DeveloperKey.find_by_id(@client_id)
     end
 
-    #Checks to see if a token has already been issued to this client and if we can
-    #reissue the same token to that client without asking for user permmission again.
+    # Checks to see if a token has already been issued to this client and
+    # if we can reissue the same token to that client without asking for
+    # user permission again. If the developer key is trusted, access
+    # tokens will be automatically authorized without prompting the end-
+    # user
     def authorized_token?(user)
-      token = nil
-
       if !self.class.is_oob?(redirect_uri)
-        token = Token.find_userinfo_access_token(user, key, scopes, purpose)
-        return !token.nil? && token.remember_access?
+        return true if Token.find_reusable_access_token(user, key, scopes, purpose)
+        return true if key.trusted?
       end
 
       return false

lib/canvas/oauth/token.rb

@@ -47,7 +47,7 @@ def cached_code_entry
     end
 
     def access_token
-      @access_token ||= self.class.find_userinfo_access_token(user, key, scopes, purpose)
+      @access_token ||= self.class.find_reusable_access_token(user, key, scopes, purpose)
 
       if @access_token.nil?
         @access_token = user.access_tokens.create!({:developer_key => key, :remember_access => remember_access?, :scopes => scopes, :purpose => purpose})
@@ -57,17 +57,29 @@ def access_token
       @access_token
     end
 
+    def self.find_reusable_access_token(user, key, scopes, purpose)
+      if key.trusted?
+        find_access_token(user, key, scopes, purpose)
+      elsif AccessToken.scopes_match?(scopes, ["userinfo"])
+        find_userinfo_access_token(user, key, purpose)
+      end
+    end
+
     def as_json(options={})
       {
         'access_token' => access_token.full_token,
         'user' => user.as_json(:only => [:id, :name], :include_root => false),
       }
     end
 
-    def self.find_userinfo_access_token(user, developer_key, scopes, purpose)
+    def self.find_userinfo_access_token(user, developer_key, purpose)
+      find_access_token(user, developer_key, ["userinfo"], purpose, {remember_access: true})
+    end
+
+    def self.find_access_token(user, developer_key, scopes, purpose, conditions = {})
       user.shard.activate do
-        user.access_tokens.active.where(:remember_access => true, :developer_key_id => developer_key, :purpose => purpose).detect do |token|
-          token.scoped_to?(scopes) && token.scoped_to?(['userinfo'])
+        user.access_tokens.active.where({:developer_key_id => developer_key, :purpose => purpose}.merge(conditions)).detect do |token|
+          token.scoped_to?(scopes)
         end
       end
     end

spec/controllers/pseudonym_sessions_controller_spec.rb

@@ -807,6 +807,55 @@ def cas_client.validate_service_ticket(st)
         assigns[:cc].should == cc
       end
     end
+
+    context "oauth" do
+      before do
+        user_with_pseudonym(:active_all => 1, :password => 'qwerty')
+
+        redis = stub('Redis')
+        redis.stubs(:setex)
+        redis.stubs(:hmget)
+        redis.stubs(:del)
+        Canvas.stubs(:redis => redis)
+      end
+
+      let(:key) { DeveloperKey.create! :redirect_uri => 'https://example.com' }
+      let(:params) { {:pseudonym_session => { :unique_id => @pseudonym.unique_id, :password => 'qwerty' } } }
+
+      it 'should redirect to the confirm url if the user has no token' do
+        provider = Canvas::Oauth::Provider.new(key.id, key.redirect_uri, [], nil)
+
+        post :create, params, :oauth2 => provider.session_hash
+        response.should redirect_to(oauth2_auth_confirm_url)
+      end
+
+      it 'should redirect to the redirect uri if the user already has remember-me token' do
+        @user.access_tokens.create!({:developer_key => key, :remember_access => true, :scopes => ['/auth/userinfo'], :purpose => nil})
+        provider = Canvas::Oauth::Provider.new(key.id, key.redirect_uri, ['/auth/userinfo'], nil)
+
+        post :create, params, :oauth2 => provider.session_hash
+        response.should be_redirect
+        response.location.should match(/https:\/\/example.com/)
+      end
+
+      it 'should not reuse userinfo tokens for other scopes' do
+        @user.access_tokens.create!({:developer_key => key, :remember_access => true, :scopes => ['/auth/userinfo'], :purpose => nil})
+        provider = Canvas::Oauth::Provider.new(key.id, key.redirect_uri, [], nil)
+
+        post :create, params, :oauth2 => provider.session_hash
+        response.should redirect_to(oauth2_auth_confirm_url)
+      end
+
+      it 'should redirect to the redirect uri if the developer key is trusted' do
+        key.trusted = true
+        key.save!
+        provider = Canvas::Oauth::Provider.new(key.id, key.redirect_uri, [], nil)
+
+        post :create, params, :oauth2 => provider.session_hash
+        response.should be_redirect
+        response.location.should match(/https:\/\/example.com/)
+      end
+    end
   end
 
   describe 'otp_login' do
@@ -1086,11 +1135,16 @@ def cas_client.validate_service_ticket(st)
     end
 
     context 'with a user logged in' do
-      before :each do
-        user_session user
+      before do
+        user_with_pseudonym(:active_all => 1, :password => 'qwerty')
+        user_session(@user)
+
+        redis = stub('Redis')
+        redis.stubs(:setex)
+        Canvas.stubs(:redis => redis)
       end
 
-      it 'prompts the user to authorize this access' do
+      it 'should redirect to the confirm url if the user has no token' do
         get :oauth2_auth, :client_id => key.id, :redirect_uri => Canvas::Oauth::Provider::OAUTH2_OOB_URI
         response.should redirect_to(oauth2_auth_confirm_url)
       end
@@ -1099,6 +1153,27 @@ def cas_client.validate_service_ticket(st)
         get :oauth2_auth, :client_id => key.id, :redirect_uri => Canvas::Oauth::Provider::OAUTH2_OOB_URI, :force_login => 1
         response.should redirect_to(login_url(:force_login => 1))
       end
+
+      it 'should redirect to the redirect uri if the user already has remember-me token' do
+        @user.access_tokens.create!({:developer_key => key, :remember_access => true, :scopes => ['/auth/userinfo'], :purpose => nil})
+        get :oauth2_auth, :client_id => key.id, :redirect_uri => 'https://example.com', :scopes => '/auth/userinfo'
+        response.should be_redirect
+        response.location.should match(/https:\/\/example.com/)
+      end
+
+      it 'should not reuse userinfo tokens for other scopes' do
+        @user.access_tokens.create!({:developer_key => key, :remember_access => true, :scopes => ['/auth/userinfo'], :purpose => nil})
+        get :oauth2_auth, :client_id => key.id, :redirect_uri => 'https://example.com'
+        response.should redirect_to(oauth2_auth_confirm_url)
+      end
+
+      it 'should redirect to the redirect uri if the developer key is trusted' do
+        key.trusted = true
+        key.save!
+        get :oauth2_auth, :client_id => key.id, :redirect_uri => 'https://example.com', :scopes => '/auth/userinfo'
+        response.should be_redirect
+        response.location.should match(/https:\/\/example.com/)
+      end
     end
   end