feat: add initial experimental work for developmental purposes

.env.example

@@ -4,8 +4,14 @@ DB_USER=unlocked
 DB_PASSWORD=dev
 DB_NAME=unlocked
 
+# Used during registering the application
+BRIGHTSPACE_SCOPE=accommodations:profile:manage,read accountsettings:locale:read,update attributes:schemas:read attributes:users:delete,read,update datahub:dataexports:download,read datasets:bds:read globalusermapping:mapping:write localauthenticationsecurity:overrides:manage,read organizations:image:read role:detail:create,read users:activation:read,update users:own_profile:read users:own_pronoun:read,update users:password:delete,write users:profile:read users:userdata:create,delete,read,update
+BRIGHTSPACE_AUTH_URL=https://auth.brightspace.com/oauth2/auth
+BRIGHTSPACE_TOKEN_URL=https://auth.brightspace.com/core/connect/token
+BRIGHTSPACE_REDIRECT_URL=https://127.0.0.1/api/oidc/keighan/brightspace/callback
+
 # when running in containers, use the the service name in place of localhost
-APP_URL=http://localhost
+APP_URL=https://localhost
 APP_ENV=dev
 LOG_LEVEL=debug
 

backend/go.mod

@@ -56,6 +56,7 @@ require (
 	github.com/tetratelabs/wazero v1.8.0 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
 	golang.org/x/net v0.27.0 // indirect
+	golang.org/x/oauth2 v0.23.0 // indirect
 	golang.org/x/sync v0.8.0 // indirect
 	golang.org/x/sys v0.25.0 // indirect
 	golang.org/x/text v0.18.0 // indirect

backend/go.sum

@@ -121,6 +121,8 @@ golang.org/x/exp v0.0.0-20240613232115-7f521ea00fb8 h1:yixxcjnhBmY0nkL253HFVIm0J
 golang.org/x/exp v0.0.0-20240613232115-7f521ea00fb8/go.mod h1:jj3sYF3dwk5D+ghuXyeI3r5MFf+NT2An6/9dOA95KSI=
 golang.org/x/net v0.27.0 h1:5K3Njcw06/l2y9vpGCSdcxWOYHOUk3dVNGDXN+FvAys=
 golang.org/x/net v0.27.0/go.mod h1:dDi0PyhWNoiUOrAS8uXv/vnScO4wnHQO4mj9fn/RytE=
+golang.org/x/oauth2 v0.23.0 h1:PbgcYx2W7i4LvjJWEbf0ngHV6qJYr86PkAV3bXdLEbs=
+golang.org/x/oauth2 v0.23.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI=
 golang.org/x/sync v0.8.0 h1:3NFvSEYkUoMifnESzZl15y791HH1qU2xm6eCJU5ZPXQ=
 golang.org/x/sync v0.8.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=

backend/seeder/main.go

@@ -76,6 +76,14 @@ func seedTestData(db *gorm.DB) {
 			Type:      models.Kolibri,
 			State:     models.Enabled,
 			AccessKey: "testing_key_replace_me",
+		},
+		{
+			Name:      "Brightspace",
+			BaseUrl:   "https://unlocked.brightspacedemo.com",
+			AccountID: "5196e946-52d9-410b-9851-ffa6390f0b09", //clientID
+			Type:      models.Brightspace,
+			State:     models.Enabled,
+			AccessKey: "-KIJ5WUmermREabxfgVWnQybvlezGgf0Ef730nnL5VE;rt.us-east-1.vWqeE6yvAqOI-Vy5dWZbf6S6aOl4e3udhtG-50r7Z88", //ClientSecret;refresh-token
 		}}
 	for idx := range platforms {
 		if err := db.Create(&platforms[idx]).Error; err != nil {

backend/src/handlers/oidc.go

@@ -2,17 +2,95 @@ package handlers
 
 import (
 	"UnlockEdv2/src/models"
+	"context"
 	"encoding/json"
 	"errors"
+	"fmt"
 	"net/http"
 	"os"
+
+	"golang.org/x/oauth2"
 )
 
 func (srv *Server) registerOidcRoutes() {
+	//custom ones now for brightspace development--work in progress
+	srv.Mux.Handle("GET /api/oidc/keighan/brightspace", http.HandlerFunc(srv.handleBrightspaceLogin))
+	srv.Mux.Handle("/api/oidc/keighan/brightspace/callback", http.HandlerFunc(srv.handleBrightspaceCallback))
+	//custom ones now for brightspace development--work in progress
 	srv.Mux.Handle("GET /api/oidc/clients", srv.applyAdminMiddleware(srv.handleGetAllClients))
 	srv.Mux.Handle("POST /api/oidc/clients", srv.applyAdminMiddleware(srv.handleRegisterClient))
 	srv.Mux.Handle("GET /api/oidc/clients/{id}", srv.applyAdminMiddleware(srv.handleGetOidcClient))
 }
+//START FOR DEV USE ONLY
+var oauthStateString = "random"
+
+type BrightspaceToken struct {
+	AccessToken  string `json:"access_token"`
+	RefreshToken string `json:"refresh_token"`
+}
+
+// threw this here for develpment placement--WIP
+var brightspaceConfig = &oauth2.Config{
+	ClientID:     "5196e946-52d9-410b-9851-ffa6390f0b09",                    //in DB
+	ClientSecret: "-KIJ5WUmermREabxfgVWnQybvlezGgf0Ef730nnL5VE",             //in DB
+	RedirectURL:  "https://127.0.0.1/api/oidc/keighan/brightspace/callback", //SYSTEM PROP
+	Scopes:       []string{"accommodations:profile:manage,read accountsettings:locale:read,update attributes:schemas:read attributes:users:delete,read,update datahub:dataexports:download,read datasets:bds:read globalusermapping:mapping:write localauthenticationsecurity:overrides:manage,read organizations:image:read role:detail:create,read users:activation:read,update users:own_profile:read users:own_pronoun:read,update users:password:delete,write users:profile:read users:userdata:create,delete,read,update"},
+	Endpoint: oauth2.Endpoint{
+		AuthURL:   "https://auth.brightspace.com/oauth2/auth",
+		TokenURL:  "https://auth.brightspace.com/core/connect/token",
+		AuthStyle: oauth2.AuthStyleInHeader,
+	},
+}
+
+func (srv *Server) handleBrightspaceLogin(w http.ResponseWriter, r *http.Request) {
+	url := brightspaceConfig.AuthCodeURL(oauthStateString)
+	http.Redirect(w, r, url, http.StatusTemporaryRedirect)
+}
+
+func (srv *Server) handleBrightspaceCallback(w http.ResponseWriter, r *http.Request) {
+	if r.FormValue("state") != oauthStateString {
+		fmt.Println("Invalid OAuth state")
+		http.Redirect(w, r, "/", http.StatusTemporaryRedirect)
+		return
+	}
+
+	// Exchange the authorization code for an access token
+	code := r.FormValue("code")
+	token, err := brightspaceConfig.Exchange(context.Background(), code)
+	if err != nil {
+		fmt.Printf("Could not exchange code: %s\n", err.Error())
+		http.Redirect(w, r, "/", http.StatusTemporaryRedirect)
+		return
+	}
+	//gets the access token
+	bsToken := BrightspaceToken{
+		AccessToken:  token.AccessToken,
+		RefreshToken: token.RefreshToken,
+	}
+	fmt.Println("Login successful! Refresh token: ", bsToken.RefreshToken)
+	//get all of them and search
+	providers, err := srv.Db.GetAllActiveProviderPlatforms()
+	fmt.Println("length of providers: ", len(providers))
+	if err != nil {
+		fmt.Println("failed to get provider platforms from db, error is: ", err)
+		fmt.Fprintf(w, "Login successful! Access token: %s", bsToken.AccessToken)
+		return
+	}
+	//attempt to save, just helping out here
+	for _, provider := range providers {
+		if provider.Type == models.Brightspace {
+			provider.AccessKey = brightspaceConfig.ClientSecret + ";" + bsToken.RefreshToken
+			fmt.Println("saving: ", provider.AccessKey)
+			if err := srv.Db.Save(&provider).Error; err != nil {
+				fmt.Println("failed to get provider platforms from db, error is: ", err)
+				fmt.Fprintf(w, "Login successful! Access token: %s", bsToken.AccessToken)
+				return
+			}
+			break
+		}
+	}
+	fmt.Fprintf(w, "Login successful! Access token: %s", bsToken.AccessToken)
+}
 
 func (srv *Server) handleGetAllClients(w http.ResponseWriter, r *http.Request, log sLog) error {
 	clients, err := srv.Db.GetAllRegisteredClients()

backend/src/models/provider_platforms.go

@@ -21,6 +21,7 @@ const (
 	CanvasOSS   ProviderPlatformType = "canvas_oss"
 	CanvasCloud ProviderPlatformType = "canvas_cloud"
 	Kolibri     ProviderPlatformType = "kolibri"
+	Brightspace ProviderPlatformType = "brightspace"
 )
 
 type ProviderPlatformState string
@@ -117,7 +118,12 @@ func (provider *ProviderPlatform) GetDefaultRedirectURI() []string {
 		defaultUri := provider.BaseUrl + "/oidccallback/"
 		stripped := strings.Replace(defaultUri, "https", "http", 1)
 		return []string{defaultUri, stripped}
+	//case Brightspace:
+		// Authorization endpoint: https://auth.brightspace.com/oauth2/auth
+		// Token endpoint: https://auth.brightspace.com/core/connect/token
+	//	return []string{provider.BaseUrl} //not sure yet why we need to do this here:::
 	}
+
 	return []string{}
 }
 

config/dev.nginx.conf

@@ -1,10 +1,15 @@
 server {
-  listen 80;
+  listen 443 ssl;
   server_name localhost;
   proxy_headers_hash_bucket_size 256;
   access_log /var/log/nginx/access.log;
   error_log /var/log/nginx/error.log;
 
+  ssl_certificate /etc/nginx/certs/selfsigned.crt;
+  ssl_certificate_key /etc/nginx/certs/selfsigned.key;
+  ssl_protocols TLSv1.2 TLSv1.3;
+  ssl_ciphers HIGH:!aNULL:!MD5;
+
    location /api/ {
         proxy_pass http://server:8080;
         proxy_buffering on;

config/hydra/hydra.yml

@@ -3,61 +3,70 @@ serve:
     cors:
       enabled: true
       allowed_origins:
-        - http://127.0.0.1
-        - http://localhost
-        - https://staging.canvas.unlockedlabs.xyz
+      - http://127.0.0.1
+      - https://127.0.0.1
+      - http://localhost
+      - https://localhost
+      - https://staging.canvas.unlockedlabs.xyz
+      - https://auth.brightspace.com/oauth2/auth
+      - https://auth.brightspace.com/core/connect/token
+      - https://unlocked.brightspacedemo.com
       allowed_methods:
-        - POST
-        - GET
-        - PUT
-        - PATCH
-        - DELETE
+      - POST
+      - GET
+      - PUT
+      - PATCH
+      - DELETE
       allowed_headers:
-        - Authorization
-        - X-Requested-With
+      - Authorization
+      - X-Requested-With
       exposed_headers:
-        - Content-Type
+      - Content-Type
 
   public:
     cors:
       enabled: true
       allowed_origins:
-        - http://localhost
-        - https://staging.canvas.unlockedlabs.xyz
+      - http://localhost
+      - https://localhost
+      - https://staging.canvas.unlockedlabs.xyz
+      - https://auth.brightspace.com/oauth2/auth
+      - https://auth.brightspace.com/core/connect/token
+      - https://unlocked.brightspacedemo.com
       allowed_methods:
-        - POST
-        - GET
-        - PUT
-        - PATCH
-        - DELETE
+      - POST
+      - GET
+      - PUT
+      - PATCH
+      - DELETE
       allowed_headers:
-        - Authorization
+      - Authorization
       exposed_headers:
-        - Content-Type
-        - Access-Control-Allowed-Origins
+      - Content-Type
+      - Access-Control-Allowed-Origins
   cookies:
     same_site_mode: Lax
 log:
   leak_sensitive_values: true
 
 urls:
   self:
-    issuer: http://127.0.0.1
-  login: http://127.0.0.1/self-service/login/browser
-  consent: http://127.0.0.1/consent
-  logout: http://127.0.0.1/logout
+    issuer: https://127.0.0.1
+  login: https://127.0.0.1/self-service/login/browser
+  consent: https://127.0.0.1/consent
+  logout: https://127.0.0.1/logout
   identity_provider:
     url: http://kratos:4434/admin
     publicUrl: http://kratos:4433
 
 dev: true
 secrets:
   system:
-    - Vg2CngwLX2MxZvZaKJnuyVp66cPiiV5bCHANGE_ME_IN_PROD
+  - Vg2CngwLX2MxZvZaKJnuyVp66cPiiV5bCHANGE_ME_IN_PROD
 oidc:
   subject_identifiers:
     supported_types:
-      - pairwise
-      - public
+    - pairwise
+    - public
     pairwise:
       salt: 2839o82hy2839OO#@#$@OFw@ksj8*^@*^$LSwsifw2692oCHANGE_ME_IN_PROD

config/kratos/kratos.yml

@@ -35,12 +35,13 @@ oauth2_provider:
   url: http://hydra:4445
 
 selfservice:
-  default_browser_return_url: http://127.0.0.1/authcallback
+  default_browser_return_url: https://127.0.0.1/authcallback
   allowed_return_urls:
-    - http://127.0.0.1/authcallback
+    - https://127.0.0.1/authcallback
     - http://127.0.0.1:4455
     - /dashboard
     - http://127.0.0.1/dashboard
+    - https://127.0.0.1/dashboard
 
   methods:
     password:
@@ -81,10 +82,10 @@ selfservice:
 
     logout:
       after:
-        default_browser_return_url: http://127.0.0.1/
+        default_browser_return_url: https://127.0.0.1/
 
     login:
-      ui_url: http://127.0.0.1/login
+      ui_url: https://127.0.0.1/login
       lifespan: 10m
 
     registration:

config/nginx/certs/selfsigned.crt

@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDCTCCAfGgAwIBAgIUO/BqaJQAeYCxFpyNCnUFXxPh5GcwDQYJKoZIhvcNAQEL
+BQAwFDESMBAGA1UEAwwJMTI3LjAuMC4xMB4XDTI0MTAyNDAxMDc0OFoXDTI1MTAy
+NDAxMDc0OFowFDESMBAGA1UEAwwJMTI3LjAuMC4xMIIBIjANBgkqhkiG9w0BAQEF
+AAOCAQ8AMIIBCgKCAQEAxelSL5DDpPPEMVdgjXFLdlLzPY5nhj4Hlw3hAImbCg2T
+Qnte9olmInzqOFvsvG44z0Jk3dTobq3GCWkXxwqIfrOvLorIzxAt6s2xK0wMglr/
+X/vEzqYt+B0vBZIT0s9BL085ycr9FYp3IU9duLUzQehNDHS9eqpdS/30chCnwJ4r
+1slj0sF3ROinifXUuZXwFMFY2IObzljTOQxVNJVysdgnb7FmuKi+quCLycc42uz5
+nPU1DFpWROnZQuXCy5ctTo14DJfDOFFhijJDBEGzuqVfsiZozCNDq4egajzaEfWl
+MdhHYpuQ4fZvq3sVi9Asw5ZdY6cF+e0Bfckwc2YDYwIDAQABo1MwUTAdBgNVHQ4E
+FgQUJtqTdQW6LzIhg4WsgeYLDucThXIwHwYDVR0jBBgwFoAUJtqTdQW6LzIhg4Ws
+geYLDucThXIwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAbfsw
+5/liGnSORZsdWqV5hdpjM2f7vytgf5LUnoUO9Wc5fPthPBT/q6R0+Qqw7HoKq8UA
+l6iNWpK8TAbXrpW7NBp2syACJEt3pYxF4bjl3p5VYYwrizUt03fNHpV9QIgE3Drd
+Cki2j24DPvJDBJwm2uiX7/XYmKT9ErE7dqhWHdZzp+NxXUVJb0BkgaYkWEIm0dx9
+BcQvILRgai/FbkTl6MqKTKGruvjZgGSzThigHWlWjjcGb4LQKotoM7dZV/Eci3iC
+gCWoPbCY6amTadHoojwEak7FwQlaL54VAmMqpcKqm26jacKxr0NDWYcWUgTlrMTU
+sfJjyiB3PpCYTSJM+A==
+-----END CERTIFICATE-----

config/nginx/certs/selfsigned.key

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQDF6VIvkMOk88Qx
+V2CNcUt2UvM9jmeGPgeXDeEAiZsKDZNCe172iWYifOo4W+y8bjjPQmTd1OhurcYJ
+aRfHCoh+s68uisjPEC3qzbErTAyCWv9f+8TOpi34HS8FkhPSz0EvTznJyv0Vinch
+T124tTNB6E0MdL16ql1L/fRyEKfAnivWyWPSwXdE6KeJ9dS5lfAUwVjYg5vOWNM5
+DFU0lXKx2CdvsWa4qL6q4IvJxzja7Pmc9TUMWlZE6dlC5cLLly1OjXgMl8M4UWGK
+MkMEQbO6pV+yJmjMI0Orh6BqPNoR9aUx2Edim5Dh9m+rexWL0CzDll1jpwX57QF9
+yTBzZgNjAgMBAAECggEACBf7eJ7YJBn5/ItBE20TiSJpoytR4toM5RRiuWsR5Zkv
+hrOqlbTXHJ2fgIWLNXDhLuIIDlBjibSJREpBeC40mHs7CfwQAUkn75HQ5zSO0Gft
+81wbAi5788knFU2833gCskTFrWcj7tUWUSJAnXSqRM2TamkodJNHXyZixaVruYNM
+COSJNyCLj9UQHogdV44bRySR6CW5x2isS0VGmv9CRIH6Jf9kVxi3PRh1Eir45lda
+4eacsLh/qf+SzCY8re+/ElKdWpptNWQQi6roUiZ5yijOg3/v9OIHSrvZ/ZCKVmbT
+HjfIvESy+nWBMO7lDFDKMCIGuQ191xwPH7DleXMkIQKBgQDhbzxvw0A3dA8oK2h6
+AO6oV4+RBKS35m08J2pLc769/D65uMu1ZdIWQthIRkWXCeqrv+zRxiII4FWqLExX
+lGVuIeljNwEJ4uxigVCscw8LFDF49oBe28zf39CmgfSxJwPYOJNo8ZpGvT7uby/l
+ixOXooSm77zbOHrQXHoonjxyYQKBgQDgvsQq3xXCYfFt1UG7u9/DJ4C8cL5n4YJk
+JehZnF1Heg2kKUY6P10c7DFBl2bJF22UYLwLp2fhaW1wjzekadM7g6eRGKmK8iie
+t0x43zjv0B7b9UgSG1I///LT4kb9u+MfAJnuRraiyJOwD3js/nGeIYrPO1UjxfX7
+eUcF8/SUQwKBgBMD5v0mYwxKZdzljHJ+EaNxf1KkKaC5dw1T5ctnf/dWh5Py2nv6
+krX9/XBbPRN4aqsCDV/EbqqBAbjQ87+PbN7VTXJo+VV0JqxIbB2ftu0gTuv9Hubh
+c26O2nKxE4q9170tSIHZn0HIRL6n8kpSaNypgLb0EeIL6ZAZvNQgRMkBAoGAVac+
+uhwVfeS4D6T0DWl3yTe375mEZ7Dhceuklupp/oC8zDDSzAY0JX668wWRrdgY8jC/
+2i0uARGeHQToLugKEieF6F2e2A6cfojbQ0HHwFXwPOJJWmVBPpT8ZdZaOf+uerVO
+9SnMF1QcPUBYVPJQOPUNoxc4xo5+xh2dfN5R+2MCgYAgz873ctxOaafYuPikWiGN
+qUZZH/R8IasNjI9mGUOkD/vl5fwBQKAP28hdq92Wu5M2XIz7XI6zMnp9cLx9dLFe
+OI9PNJEs5LW+LflVR2Gq9BBpvdyd99RsdDO7RTjtSVlwVkEXDpr7Om0H9AXqe2ur
+ketCh34xEqiCUSoVXIPkPQ==
+-----END PRIVATE KEY-----