Lmsa 7719 library update

README.md

@@ -63,6 +63,7 @@ They can be set in a properties file, or overridden as environment variables.
 | Property             | Default Value               | Description                                               |
 |----------------------|-----------------------------|-----------------------------------------------------------|
 | `canvas.host`        |                             | Hostname of the Canvas instance                           |
+| `canvas.sso.host`    |                             | Hostname of the Canvas OIDC auth domain                   |
 | `canvas.baseUrl`     | https://`${canvas.host}`    | Base URL of the Canvas instance                           |
 | `canvas.baseApiUrl`  | `${canvas.baseUrl}`/api/v1  | Base URL for the Canvas API                               |
 | `canvas.token`       |                             | Token for access to Canvas instance                       |
@@ -122,4 +123,4 @@ Once enabled, the ui will be available at `/api/lti/swagger-ui.html`.  There are
 that need to be accounted for while using this setup.
 
 This is marked as experimental due to the fact that we aren't running with this option at IU.  We are running into CORS
-issues when trying to talk to our OAuth2 service via swagger, so we can't verify if it really works or not!
+issues when trying to talk to our OAuth2 service via swagger, so we can't verify if it really works or not!

examples/crosslisting.json

@@ -2,7 +2,7 @@
   "title": "Cross-listing Assistant",
   "description": "For cross-listing and de-cross-listing provisioned sections in Canvas.",
   "oidc_initiation_url": "http://localhost:8080/lti/login_initiation/lms_lti_crosslisting",
-  "target_link_uri": "http://localhost:8080/app/loading",
+  "target_link_uri": "http://localhost:8080/app/launch",
   "extensions": [
     {
       "domain": "localhost",

pom.xml

@@ -9,7 +9,7 @@
     <parent>
         <groupId>org.springframework.boot</groupId>
         <artifactId>spring-boot-starter-parent</artifactId>
-        <version>2.7.8</version>
+        <version>2.7.15</version>
         <relativePath /> <!-- lookup parent from repository -->
     </parent>
 
@@ -74,20 +74,20 @@
         <java.version>17</java.version>
         <jdk.source>17</jdk.source>
         <jdk.target>17</jdk.target>
-        <jquery.version>3.5.1</jquery.version>
-        <lms-canvas-rivet.version>5.1.8.2_1</lms-canvas-rivet.version>
-        <lms-embedded-services.version>5.2.3</lms-embedded-services.version>
-        <lms-team-spring-boot-it12>4.7</lms-team-spring-boot-it12>
-        <spring-cloud.version>2021.0.5</spring-cloud.version>
-        <webjars-locator.version>0.46</webjars-locator.version>
+        <jquery.version>3.7.1</jquery.version>
+        <lms-canvas-rivet.version>5.2.5.2</lms-canvas-rivet.version>
+        <lms-embedded-services.version>5.2.15</lms-embedded-services.version>
+        <lms-team-spring-boot-it12>4.8</lms-team-spring-boot-it12>
+        <spring-cloud.version>2021.0.8</spring-cloud.version>
+        <webjars-locator.version>0.47</webjars-locator.version>
 
-        <plugins.compiler.version>3.10.1</plugins.compiler.version>
-        <plugins.gpg.version>3.0.1</plugins.gpg.version>
+        <plugins.compiler.version>3.11.0</plugins.compiler.version>
+        <plugins.gpg.version>3.1.0</plugins.gpg.version>
         <plugins.javadoc.version>3.5.0</plugins.javadoc.version>
         <plugins.license.version>2.0.0</plugins.license.version>
         <plugins.nexus-staging.version>1.6.13</plugins.nexus-staging.version>
-        <plugins.release.version>2.5.3</plugins.release.version>
-        <plugins.source.version>3.2.1</plugins.source.version>
+        <plugins.release.version>3.0.0</plugins.release.version>
+        <plugins.source.version>3.3.0</plugins.source.version>
     </properties>
 
     <dependencyManagement>

src/main/java/edu/iu/uits/lms/crosslist/WebApplication.java

@@ -55,7 +55,7 @@
 import java.util.Date;
 
 @SpringBootApplication
-@EnableGlobalErrorHandler(accessDeniedViewName="accessDenied")
+@EnableGlobalErrorHandler
 @Slf4j
 @EnableCookieFilter(ignoredRequestPatterns = "/rest/**")
 @EnableRedisConfiguration

src/main/java/edu/iu/uits/lms/crosslist/config/SecurityConfig.java

@@ -33,6 +33,8 @@
  * #L%
  */
 
+import edu.iu.uits.lms.common.it12logging.LmsFilterSecurityInterceptorObjectPostProcessor;
+import edu.iu.uits.lms.common.it12logging.RestSecurityLoggingConfig;
 import edu.iu.uits.lms.common.oauth.CustomJwtAuthenticationConverter;
 import edu.iu.uits.lms.lti.repository.DefaultInstructorRoleRepository;
 import org.springframework.beans.factory.annotation.Autowired;
@@ -44,6 +46,7 @@
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
 import org.springframework.security.config.http.SessionCreationPolicy;
+import org.springframework.security.web.header.writers.ReferrerPolicyHeaderWriter;
 import uk.ac.ox.ctl.lti13.Lti13Configurer;
 
 import static edu.iu.uits.lms.lti.LTIConstants.BASE_USER_ROLE;
@@ -72,21 +75,33 @@ protected void configure(HttpSecurity http) throws Exception {
                     .and()
                     .authorizeRequests()
                     .antMatchers(WELL_KNOWN_ALL, "/error").permitAll()
-                    .antMatchers("/**").hasRole(BASE_USER_ROLE);
+                    .antMatchers("/**").hasRole(BASE_USER_ROLE)
+                    .withObjectPostProcessor(new LmsFilterSecurityInterceptorObjectPostProcessor())
+                    .and()
+                    .headers()
+                    .contentSecurityPolicy("style-src 'self' 'unsafe-inline'; form-action 'self'; frame-ancestors 'self' https://*.instructure.com")
+                    .and()
+                    .referrerPolicy(referrer -> referrer
+                            .policy(ReferrerPolicyHeaderWriter.ReferrerPolicy.SAME_ORIGIN));
 
             //Setup the LTI handshake
             Lti13Configurer lti13Configurer = new Lti13Configurer()
                     .grantedAuthoritiesMapper(new CustomRoleMapper(defaultInstructorRoleRepository, toolConfig));
 
             http.apply(lti13Configurer);
 
-            http.exceptionHandling().accessDeniedPage("/accessDenied");
-
             //Fallback for everything else
             http.requestMatchers().antMatchers("/**")
                     .and()
                     .authorizeRequests()
-                    .anyRequest().authenticated();
+                    .anyRequest().authenticated()
+                    .withObjectPostProcessor(new LmsFilterSecurityInterceptorObjectPostProcessor())
+                    .and()
+                    .headers()
+                    .contentSecurityPolicy("style-src 'self' 'unsafe-inline'; form-action 'self'; frame-ancestors 'self' https://*.instructure.com")
+                    .and()
+                    .referrerPolicy(referrer -> referrer
+                            .policy(ReferrerPolicyHeaderWriter.ReferrerPolicy.SAME_ORIGIN));
         }
 
         @Override
@@ -103,7 +118,9 @@ public static class CrosslistRestSecurityConfigurationAdapter extends WebSecurit
 
         @Override
         public void configure(HttpSecurity http) throws Exception {
-            http.requestMatchers().antMatchers("/rest/**")
+            http
+                    .cors().and()
+                    .requestMatchers().antMatchers("/rest/**")
                     .and()
                     .authorizeRequests()
                     .antMatchers("/rest/**")
@@ -113,6 +130,8 @@ public void configure(HttpSecurity http) throws Exception {
                     .and()
                     .oauth2ResourceServer()
                     .jwt().jwtAuthenticationConverter(new CustomJwtAuthenticationConverter());
+
+            http.apply(new RestSecurityLoggingConfig());
         }
     }
 
@@ -125,7 +144,14 @@ public void configure(HttpSecurity http) throws Exception {
             http.requestMatchers().antMatchers("/**")
                     .and()
                     .authorizeRequests()
-                    .anyRequest().authenticated();
+                    .anyRequest().authenticated()
+                    .withObjectPostProcessor(new LmsFilterSecurityInterceptorObjectPostProcessor())
+                    .and()
+                    .headers()
+                    .contentSecurityPolicy("style-src 'self' 'unsafe-inline'; form-action 'self'; frame-ancestors 'self' https://*.instructure.com")
+                    .and()
+                    .referrerPolicy(referrer -> referrer
+                            .policy(ReferrerPolicyHeaderWriter.ReferrerPolicy.SAME_ORIGIN));
         }
     }
 }

src/main/java/edu/iu/uits/lms/crosslist/controller/CrosslistController.java

@@ -127,11 +127,6 @@ public class CrosslistController extends OidcTokenAwareController {
     @Autowired
     private CourseSessionService courseSessionService;
 
-    @RequestMapping(value = "/accessDenied")
-    public String accessDenied() {
-        return "accessDenied";
-    }
-
     private Course getValidatedCourse(OidcAuthenticationToken token, HttpSession session) {
         OidcTokenUtils oidcTokenUtils = new OidcTokenUtils(token);
         String courseId = oidcTokenUtils.getCourseId();
@@ -154,7 +149,7 @@ private Course getValidatedCourse(OidcAuthenticationToken token, HttpSession ses
         return currentCourse;
     }
 
-    @RequestMapping("/loading")
+    @RequestMapping({"/launch", "/loading"})
     public String loading(Model model, HttpServletRequest request) {
         OidcAuthenticationToken token = getTokenWithoutContext();
         OidcTokenUtils oidcTokenUtils = new OidcTokenUtils(token);

src/main/resources/static/js/crosslisting.js

@@ -245,7 +245,7 @@ function checkboxEventRegistration() {
         event.preventDefault();
 
         var currentBox = $(this);
-        var li = currentBox.parent();
+        var li = currentBox.parent().parent();
 
         if (currentBox.is(":checked")) {
             var newLi = $("<li>", {

src/main/resources/templates/confirmation.html

@@ -74,13 +74,13 @@ <h1 class="rvt-alert__title" id="error-alert-title">Cross-listing Error</h1>
                     </p>
                 </div>
 
-                <div class="rvt-box">
-                    <div class="rvt-box__body">
-                        <div class="rvt-grid">
-                            <div class="rvt-grid__item-lg">
+                <div class="rvt-border-all rvt-border-radius rvt-p-all-sm"> <!-- old rvt-box -->
+                    <div class="rvt-container-xl">
+                        <div class="rvt-row">
+                            <div class="rvt-cols">
                                 <h2 class="rvt-ts-26">Final List of Cross-listed Sections</h2>
                                 <p>
-                                <ul class="rvt-plain-list summaryList" id="summaryListFinal">
+                                <ul class="rvt-list-plain summaryList" id="summaryListFinal">
                                     <li id="summaryNone" th:unless="${#lists.size(summaryListSections) > 0}">None</li>
                                     <li th:id="'summary_' + ${section.sectionId}" th:each="section : ${summaryListSections}"
                                         th:attr="data-sectionId=${section.sectionId},data-sectionName=${section.sectionName}">
@@ -90,11 +90,11 @@ <h2 class="rvt-ts-26">Final List of Cross-listed Sections</h2>
                                 </ul>
                                 </p>
                             </div>
-                            <div class="rvt-grid__item-lg">
+                            <div class="rvt-cols">
                                 <h2 class="rvt-ts-26">Summary of Actions</h2>
                                 <p>
                                 <h3 class="rvt-text-bold">Added</h3>
-                                <ul class="rvt-plain-list summaryList" id="summaryListAdded">
+                                <ul class="rvt-list-plain summaryList" id="summaryListAdded">
                                     <li id="addNone" th:unless="${#lists.size(addListSections) > 0}">None</li>
                                     <li th:id="'add_' + ${section.sectionId}" th:each="section : ${addListSections}"
                                         th:attr="data-sectionId=${section.sectionId},data-sectionName=${section.sectionName}">
@@ -105,7 +105,7 @@ <h3 class="rvt-text-bold">Added</h3>
                                 </p>
                                 <p>
                                 <h3 class="rvt-text-bold">Removed</h3>
-                                <ul class="rvt-plain-list summaryList" id="summaryListRemoved">
+                                <ul class="rvt-list-plain summaryList" id="summaryListRemoved">
                                     <li id="removeNone" th:unless="${#lists.size(removeListSections) > 0}">None</li>
                                     <li th:id="'remove_' + ${section.sectionId}" th:each="section : ${removeListSections}"
                                         th:attr="data-sectionId=${section.sectionId},data-sectionName=${section.sectionName}">