--- loncom/lond	2022/02/27 01:43:13	1.575
+++ loncom/lond	2023/12/22 18:50:55	1.580
@@ -2,7 +2,7 @@
 # The LearningOnline Network
 # lond "LON Daemon" Server (port "LOND" 5663)
 #
-# $Id: lond,v 1.575 2022/02/27 01:43:13 raeburn Exp $
+# $Id: lond,v 1.580 2023/12/22 18:50:55 raeburn Exp $
 #
 # Copyright Michigan State University Board of Trustees
 #
@@ -65,7 +65,7 @@ my $DEBUG = 0;		       # Non zero to ena
 my $status='';
 my $lastlog='';
 
-my $VERSION='$Revision: 1.575 $'; #' stupid emacs
+my $VERSION='$Revision: 1.580 $'; #' stupid emacs
 my $remoteVERSION;
 my $currenthostid="default";
 my $currentdomainid;
@@ -306,6 +306,7 @@ my %trust = (
                servertimezone => {remote => 1, enroll => 1},
                setannounce => {remote => 1, domroles => 1},
                sethost => {anywhere => 1},
+               signlti => {remote => 1},
                store => {remote => 1, enroll => 1, reqcrs => 1,},
                studentphoto => {remote => 1, enroll => 1},
                sub => {content => 1,},
@@ -865,7 +866,7 @@ sub PushFile {
 
     if($filename eq "host") {
 	$contents = AdjustHostContents($contents);
-    } elsif (($filename eq 'dns_host') || ($filename eq 'dns_domain') ||
+    } elsif (($filename eq 'dns_hosts') || ($filename eq 'dns_domain') ||
              ($filename eq 'loncapaCAcrl')) {
         if ($contents eq '') {
             &logthis('<font color="red"> Pushfile: unable to install '
@@ -5264,9 +5265,9 @@ sub encrypted_get_domain_handler {
 #   0       - Exit.
 #  Side effects:
 #     The reply will contain an LTI itemID, if the signed LTI payload
-#     could be verified using the consumer key and the shared secret 
-#     available for that key (for the itemID) for either the course or domain, 
-#     depending on values for cnum and context. The reply is encrypted before 
+#     could be verified using the consumer key and the shared secret
+#     available for that key (for the itemID) for either the course or domain,
+#     depending on values for cnum and context. The reply is encrypted before
 #     being written to $client.
 #
 sub lti_handler {
@@ -5307,6 +5308,81 @@ sub lti_handler {
 &register_handler("lti", \&lti_handler, 1, 1, 0);
 
 #
+# Data for LTI payload (received encrypted) are unencrypted and
+# then signed with the appropriate key and secret, before re-encrypting
+# the signed payload which is sent to the client for unencryption by
+# the caller: lonnet::sign_lti()) before dispatch either to a web browser
+# (launch) or to a remote web service (roster, logout, or grade).  
+#
+# Parameters:
+#   $cmd             - Command request keyword (signlti).
+#   $tail            - Tail of the command.  This is a colon-separated list
+#                      consisting of the domain, coursenum (if for an External
+#                      Tool defined in a course), crsdef (true if defined in
+#                      a course), type (linkprot or lti)
+#                      context (launch, roster, logout, or grade),
+#                      escaped launch URL, numeric ID of external tool,
+#                      version number for encryption key (if tool's LTI secret was
+#                      encrypted before storing), a frozen hash of LTI launch 
+#                      parameters, and a frozen hash of LTI information,
+#                      (e.g., method => 'HMAC-SHA1',
+#                             respfmt => 'to_authorization_header').
+#   $client          - File descriptor open on the client.
+# Returns:
+#   1       - Continue processing.
+#   0       - Exit.
+#  Side effects:
+#     The reply will contain the LTI payload, as & separated key=value pairs,
+#     where value is itself a frozen hash, if the required key and secret
+#     for the specific tool ID are available. The payload data are retrieved from
+#     a call to Lond::sign_lti_payload(), and the reply is encrypted before being
+#     written to $client.
+#
+sub sign_lti_handler {
+    my ($cmd, $tail, $client) = @_;
+
+    my $userinput = "$cmd:$tail";
+
+    my ($cdom,$cnum,$crsdef,$type,$context,$escurl,
+        $ltinum,$keynum,$paramsref,$inforef) = split(/:/,$tail);
+    my $url = &unescape($escurl);
+    my $params = &Apache::lonnet::thaw_unescape($paramsref);
+    my $info = &Apache::lonnet::thaw_unescape($inforef);
+    my $res =
+        &LONCAPA::Lond::sign_lti_payload($cdom,$cnum,$crsdef,$type,$context,$url,$ltinum,
+                                         $keynum,$perlvar{'lonVersion'},$params,$info);
+    my $result;
+    if (ref($res) eq 'HASH') {
+        foreach my $key (keys(%{$res})) {
+            $result .= &escape($key).'='.&Apache::lonnet::freeze_escape($res->{$key}).'&';
+        }
+        $result =~ s/\&$//;
+    } else {
+        $result = $res;
+    }
+    if ($result =~ /^error:/) {
+        &Failure($client, \$result, $userinput);
+    } else {
+        if ($cipher) {
+            my $cmdlength=length($result);
+            $result.="         ";
+            my $encres='';
+            for (my $encidx=0;$encidx<=$cmdlength;$encidx+=8) {
+                $encres.= unpack("H16",
+                                 $cipher->encrypt(substr($result,
+                                                         $encidx,
+                                                         8)));
+            }
+            &Reply( $client,"enc:$cmdlength:$encres\n",$userinput);
+        } else {
+            &Failure( $client, "error:no_key\n",$userinput);
+        }
+    }
+    return 1;
+}
+&register_handler("signlti", \&sign_lti_handler, 1, 1, 0);
+
+#
 #  Puts an id to a domains id database. 
 #
 #  Parameters:
@@ -8804,6 +8880,9 @@ sub currentversion {
     if (-e $ulsdir) {
 	if(-d $ulsdir) {
 	    if (opendir(LSDIR,$ulsdir)) {
+                if (-e $fname) {
+                    $version=0;
+                }
 		my $ulsfn;
 		while ($ulsfn=readdir(LSDIR)) {
 # see if this is a regular file (ignore links produced earlier)