--- loncom/lti/ltiauth.pm 2019/07/18 18:28:46 1.19 +++ loncom/lti/ltiauth.pm 2021/08/04 19:59:11 1.20 @@ -1,7 +1,7 @@ # The LearningOnline Network # Basic LTI Authentication Module # -# $Id: ltiauth.pm,v 1.19 2019/07/18 18:28:46 raeburn Exp $ +# $Id: ltiauth.pm,v 1.20 2021/08/04 19:59:11 raeburn Exp $ # # Copyright Michigan State University Board of Trustees # @@ -42,6 +42,7 @@ use LONCAPA::ltiutils; sub handler { my $r = shift; my $requri = $r->uri; + my $hostname = $r->hostname; # # Check for existing session, and temporarily delete any form items # in %env, if session exists @@ -57,7 +58,7 @@ sub handler { } } # -# Retrieve data POSTed by LTI Consumer on launch +# Retrieve data POSTed by LTI launch # &Apache::lonacc::get_posted_cgi($r); my $params = {}; @@ -97,12 +98,131 @@ sub handler { # Retrieve "internet domains" for all this institution's LON-CAPA # nodes. # - my ($udom,$uname,$uhome,$cdom,$cnum,$symb,$mapurl,@intdoms); + my @intdoms; my $lonhost = $r->dir_config('lonHostID'); my $internet_names = &Apache::lonnet::get_internet_names($lonhost); if (ref($internet_names) eq 'ARRAY') { @intdoms = @{$internet_names}; } +# +# Determine course's domain in LON-CAPA +# for basic launch using key and secret managed +# in LON-CAPA course (i.e., uri begins /adm/launch) +# + + my ($cdom,$cnum); + +# Note: "internet domain" for course's domain must be one of the +# internet domains for the institution's LON-CAPA servers. +# + if ($requri =~ m{^/adm/launch(|/.*)$}) { + my $tail = $1; + if ($tail =~ m{^/tiny/($match_domain)/(\w+)$}) { + my ($urlcdom,$urlcnum) = &course_from_tinyurl($tail); + if (($urlcdom ne '') && ($urlcnum ne '')) { + $cdom = $urlcdom; + $cnum = $urlcnum; + my $primary_id = &Apache::lonnet::domain($cdom,'primary'); + if ($primary_id ne '') { + my $intdom = &Apache::lonnet::internet_dom($primary_id); + if (($intdom ne '') && (grep(/^\Q$intdom\E$/,@intdoms))) { +# +# Retrieve information for LTI link protectors in course +# where url was /adm/launch/tiny/$cdom/$uniqueid +# + my (%crslti,%crslti_by_key,$itemid,$ltitype); + %crslti = &Apache::lonnet::get_course_lti($cnum,$cdom,'provider'); + if (keys(%crslti)) { + foreach my $id (keys(%crslti)) { + if (ref($crslti{$id}) eq 'HASH') { + my $key = $crslti{$id}{'key'}; + push(@{$crslti_by_key{$key}},$id); + } + } + } +# +# Verify the signed request using the secret for LTI link +# protectors for which the key in the POSTed data matches +# keys in the course configuration. +# +# Request is invalid if the signed request could not be verified +# for the key and secret from LON-CAPA course configuration for +# LTI link protectors or from LON-CAPA configuration for the +# course's domain if there are LTI Providers which may be used. +# +# Determine if nonce in POSTed data has expired. +# If unexpired, confirm it has not already been used. +# + if (keys(%crslti)) { + $itemid = &get_lti_itemid($requri,$hostname,$params,\%crslti,\%crslti_by_key); + } + if (($itemid) && (ref($crslti{$itemid}) eq 'HASH')) { + $ltitype = 'c'; + unless (&LONCAPA::ltiutils::check_nonce($params->{'oauth_nonce'},$params->{'oauth_timestamp'}, + $crslti{$itemid}{'lifetime'},$cdom,$r->dir_config('lonLTIDir'))) { + &invalid_request($r,3); + return OK; + } + } else { + my %lti = &Apache::lonnet::get_domain_lti($cdom,'provider'); + unless (keys(%lti) > 0) { + &invalid_request($r,4); + return OK; + } + my (%domlti_by_key,%domlti); + foreach my $id (keys(%lti)) { + if (ref($lti{$id}) eq 'HASH') { + my $key = $lti{$id}{'key'}; + if (!$lti{$itemid}{'requser'}) { + push(@{$domlti_by_key{$key}},$id); + $domlti{$id} = $lti{$id}; + } + } + } + if (keys(%domlti)) { + $itemid = &get_lti_itemid($requri,$hostname,$params,\%domlti,\%domlti_by_key); + } + if (($itemid) && (ref($domlti{$itemid}) eq 'HASH')) { + $ltitype = 'd'; + unless (&LONCAPA::ltiutils::check_nonce($params->{'oauth_nonce'},$params->{'oauth_timestamp'}, + $domlti{$itemid}{'lifetime'},$cdom, + $r->dir_config('lonLTIDir'))) { + &invalid_request($r,5); + return OK; + } + } + } + if ($itemid) { + foreach my $key (%{$params}) { + delete($env{'form.'.$key}); + } + my $ltoken = &Apache::lonnet::tmpput({'linkprot' => $itemid.$ltitype.':'.$tail}, + $lonhost); + if ($ltoken) { + $r->internal_redirect($tail.'?ltoken='.$ltoken); + $r->set_handlers('PerlHandler'=> undef); + } else { + &invalid_request($r,6); + } + } else { + &invalid_request($r,7); + } + } else { + &invalid_request($r,8); + } + } else { + &invalid_request($r,9); + } + } else { + &invalid_request($r,10); + } + } else { + &invalid_request($r,11); + } + return OK; + } + + my ($udom,$uname,$uhome,$symb,$mapurl); # # For user who launched LTI in Consumer, determine user's domain in @@ -198,7 +318,7 @@ sub handler { if ($tail =~ m{^/uploaded/($match_domain)/($match_courseid)/(?:default|supplemental)(?:|_\d+)\.(?:sequence|page)(|___\d+___.+)$}) { ($urlcdom,$urlcnum,my $rest) = ($1,$2,$3); if (($cdom ne '') && ($cdom ne $urlcdom)) { - &invalid_request($r,3); + &invalid_request($r,12); return OK; } if ($rest eq '') { @@ -217,30 +337,15 @@ sub handler { } elsif ($tail =~ m{^/($match_domain)/($match_courseid)$}) { ($urlcdom,$urlcnum) = ($1,$2); if (($cdom ne '') && ($cdom ne $urlcdom)) { - &invalid_request($r,4); + &invalid_request($r,13); return OK; } } elsif ($tail =~ m{^/tiny/($match_domain)/(\w+)$}) { - ($urlcdom,my $key) = ($1,$2); - if (($cdom ne '') && ($cdom ne $urlcdom)) { - &invalid_request($r,5); + ($urlcdom,$urlcnum) = &course_from_tinyurl($tail); + if (($urlcdom eq '') || ($urlcnum eq '')) { + &invalid_request($r,14); return OK; } - my $tinyurl; - my ($result,$cached)=&Apache::lonnet::is_cached_new('tiny',$urlcdom."\0".$key); - if (defined($cached)) { - $tinyurl = $result; - } else { - my $configuname = &Apache::lonnet::get_domainconfiguser($urlcdom); - my %currtiny = &Apache::lonnet::get('tiny',[$key],$urlcdom,$configuname); - if ($currtiny{$key} ne '') { - $tinyurl = $currtiny{$key}; - &Apache::lonnet::do_cache_new('tiny',$urlcdom."\0".$key,$currtiny{$key},600); - } - } - if ($tinyurl ne '') { - $urlcnum = (split(/\&/,$tinyurl))[0]; - } } if (($cdom eq '') && ($urlcdom ne '')) { my $cprimary_id = &Apache::lonnet::domain($urlcdom,'primary'); @@ -263,14 +368,14 @@ sub handler { } # -# Retrieve information for LTI Consumers in course domain +# Retrieve information for LTI Consumers in course's domain # and populate hash -- %lti_by_key -- for which keys # are those defined in domain configuration for LTI. # my %lti = &Apache::lonnet::get_domain_lti($cdom,'provider'); unless (keys(%lti) > 0) { - &invalid_request($r,6); + &invalid_request($r,15); return OK; } my %lti_by_key; @@ -286,37 +391,11 @@ sub handler { # # Verify the signed request using the secret for those # Consumers for which the key in the POSTed data matches -# keys in the domain configuration for LTI. +# keys in the course configuration or the domain configuration +# for LTI. # - my $hostname = $r->hostname; - my $protocol = 'http'; - if ($ENV{'SERVER_PORT'} == 443) { - $protocol = 'https'; - } - if (exists($params->{'oauth_callback'})) { - $Net::OAuth::PROTOCOL_VERSION = Net::OAuth::PROTOCOL_VERSION_1_0A; - } else { - $Net::OAuth::PROTOCOL_VERSION = Net::OAuth::PROTOCOL_VERSION_1_0; - } - - my ($itemid,$consumer_key,$secret); - $consumer_key = $params->{'oauth_consumer_key'}; - if (ref($lti_by_key{$consumer_key}) eq 'ARRAY') { - foreach my $id (@{$lti_by_key{$consumer_key}}) { - if (ref($lti{$id}) eq 'HASH') { - $secret = $lti{$id}{'secret'}; - my $request = Net::OAuth->request('request token')->from_hash($params, - request_url => $protocol.'://'.$hostname.$requri, - request_method => $env{'request.method'}, - consumer_secret => $secret,); - if ($request->verify()) { - $itemid = $id; - last; - } - } - } - } + my $itemid = &get_lti_itemid($requri,$hostname,$params,\%lti,\%lti_by_key); # # Request is invalid if the signed request could not be verified @@ -324,7 +403,7 @@ sub handler { # configuration in LON-CAPA for that LTI Consumer. # unless (($itemid) && (ref($lti{$itemid}) eq 'HASH')) { - &invalid_request($r,7); + &invalid_request($r,16); return OK; } @@ -334,7 +413,7 @@ sub handler { # unless (&LONCAPA::ltiutils::check_nonce($params->{'oauth_nonce'},$params->{'oauth_timestamp'}, $lti{$itemid}{'lifetime'},$cdom,$r->dir_config('lonLTIDir'))) { - &invalid_request($r,8); + &invalid_request($r,17); return OK; } @@ -345,19 +424,20 @@ sub handler { if (!$lti{$itemid}{'requser'}) { if ($tail =~ m{^/tiny/($match_domain)/(\w+)$}) { + my $ltitype = 'd'; foreach my $key (%{$params}) { delete($env{'form.'.$key}); } - my $ltoken = &Apache::lonnet::tmpput({'linkprot' => $itemid.':'.$tail}, + my $ltoken = &Apache::lonnet::tmpput({'linkprot' => $itemid.$ltitype.':'.$tail}, $lonhost); if ($ltoken) { $r->internal_redirect($tail.'?ltoken='.$ltoken); $r->set_handlers('PerlHandler'=> undef); } else { - &invalid_request($r,9); + &invalid_request($r,18); } } else { - &invalid_request($r,10); + &invalid_request($r,19); } return OK; } @@ -418,7 +498,7 @@ sub handler { if ($consumers{$sourcecrs} =~ /^$match_courseid$/) { my $crshome = &Apache::lonnet::homeserver($consumers{$sourcecrs},$cdom); if ($crshome =~ /(con_lost|no_host|no_such_host)/) { - &invalid_request($r,11); + &invalid_request($r,20); return OK; } else { $posscnum = $consumers{$sourcecrs}; @@ -430,7 +510,7 @@ sub handler { if ($urlcnum ne '') { if ($posscnum ne '') { if ($posscnum ne $urlcnum) { - &invalid_request($r,12); + &invalid_request($r,21); return OK; } else { $cnum = $posscnum; @@ -438,7 +518,7 @@ sub handler { } else { my $crshome = &Apache::lonnet::homeserver($urlcnum,$cdom); if ($crshome =~ /(con_lost|no_host|no_such_host)/) { - &invalid_request($r,13); + &invalid_request($r,22); return OK; } else { $cnum = $urlcnum; @@ -503,7 +583,7 @@ sub handler { $domdesc,\%data,\%alerts,\%rulematch, \%inst_results,\%curr_rules,%got_rules); if ($result eq 'notallowed') { - &invalid_request($r,14); + &invalid_request($r,23); } elsif ($result eq 'ok') { if (($ltiroles[0] eq 'Instructor') && ($lcroles[0] eq 'cc') && ($lti{$itemid}{'mapcrs'}) && ($lti{$itemid}{'makecrs'})) { @@ -512,16 +592,16 @@ sub handler { } } } else { - &invalid_request($r,15); + &invalid_request($r,24); return OK; } } else { - &invalid_request($r,16); + &invalid_request($r,25); return OK; } } } else { - &invalid_request($r,17); + &invalid_request($r,26); return OK; } @@ -543,10 +623,10 @@ sub handler { $symb,$cdom,$cnum,$params,\@ltiroles,$lti{$itemid},\@lcroles, $reqcrs,$sourcecrs); } else { - &invalid_request($r,18); + &invalid_request($r,27); } } else { - &invalid_request($r,19); + &invalid_request($r,28); } return OK; } @@ -632,7 +712,7 @@ sub handler { } } if ($reqrole eq '') { - &invalid_request($r,20); + &invalid_request($r,29); return OK; } else { unless (%crsenv) { @@ -642,10 +722,10 @@ sub handler { my $default_enrollment_end_date = $crsenv{'default_enrollment_end_date'}; my $now = time; if ($default_enrollment_end_date && $default_enrollment_end_date <= $now) { - &invalid_request($r,21); + &invalid_request($r,30); return OK; } elsif ($default_enrollment_start_date && $default_enrollment_start_date >$now) { - &invalid_request($r,22); + &invalid_request($r,31); return OK; } else { $selfenrollrole = $reqrole.'./'.$cdom.'/'.$cnum; @@ -676,6 +756,41 @@ sub handler { return OK; } +sub get_lti_itemid { + my ($requri,$hostname,$params,$lti,$lti_by_key) = @_; + return unless ((ref($params) eq 'HASH') && (ref($lti) eq 'HASH') && (ref($lti_by_key) eq 'HASH')); + + if (exists($params->{'oauth_callback'})) { + $Net::OAuth::PROTOCOL_VERSION = Net::OAuth::PROTOCOL_VERSION_1_0A; + } else { + $Net::OAuth::PROTOCOL_VERSION = Net::OAuth::PROTOCOL_VERSION_1_0; + } + + my $protocol = 'http'; + if ($ENV{'SERVER_PORT'} == 443) { + $protocol = 'https'; + } + + my ($itemid,$consumer_key,$secret); + my $consumer_key = $params->{'oauth_consumer_key'}; + if (ref($lti_by_key->{$consumer_key}) eq 'ARRAY') { + foreach my $id (@{$lti_by_key->{$consumer_key}}) { + if (ref($lti->{$id}) eq 'HASH') { + $secret = $lti->{$id}{'secret'}; + my $request = Net::OAuth->request('request token')->from_hash($params, + request_url => $protocol.'://'.$hostname.$requri, + request_method => $env{'request.method'}, + consumer_secret => $secret,); + if ($request->verify()) { + $itemid = $id; + last; + } + } + } + } + return $itemid; +} + sub lti_enroll { my ($uname,$udom,$selfenrollrole) = @_; my $enrollresult; @@ -917,4 +1032,28 @@ sub invalid_request { return; } +sub course_from_tinyurl { + my ($tail) = @_; + my ($urlcdom,$urlcnum); + if ($tail =~ m{^/tiny/($match_domain)/(\w+)$}) { + my ($urlcdom,$key) = ($1,$2); + my $tinyurl; + my ($result,$cached)=&Apache::lonnet::is_cached_new('tiny',$urlcdom."\0".$key); + if (defined($cached)) { + $tinyurl = $result; + } else { + my $configuname = &Apache::lonnet::get_domainconfiguser($urlcdom); + my %currtiny = &Apache::lonnet::get('tiny',[$key],$urlcdom,$configuname); + if ($currtiny{$key} ne '') { + $tinyurl = $currtiny{$key}; + &Apache::lonnet::do_cache_new('tiny',$urlcdom."\0".$key,$currtiny{$key},600); + } + } + if ($tinyurl ne '') { + $urlcnum = (split(/\&/,$tinyurl))[0]; + } + } + return ($urlcdom,$urlcnum); +} + 1;