--- loncom/lti/ltiauth.pm 2021/08/12 00:05:27 1.23 +++ loncom/lti/ltiauth.pm 2022/02/02 00:31:16 1.31 @@ -1,7 +1,7 @@ # The LearningOnline Network # Basic LTI Authentication Module # -# $Id: ltiauth.pm,v 1.23 2021/08/12 00:05:27 raeburn Exp $ +# $Id: ltiauth.pm,v 1.31 2022/02/02 00:31:16 raeburn Exp $ # # Copyright Michigan State University Board of Trustees # @@ -31,7 +31,6 @@ package Apache::ltiauth; use strict; use LONCAPA qw(:DEFAULT :match); use Apache::Constants qw(:common :http); -use Net::OAuth; use Apache::lonlocal; use Apache::lonnet; use Apache::loncommon; @@ -127,20 +126,6 @@ sub handler { my $intdom = &Apache::lonnet::internet_dom($primary_id); if (($intdom ne '') && (grep(/^\Q$intdom\E$/,@intdoms))) { # -# Retrieve information for LTI link protectors in course -# where url was /adm/launch/tiny/$cdom/$uniqueid -# - my (%crslti,%crslti_by_key,$itemid,$ltitype); - %crslti = &Apache::lonnet::get_course_lti($cnum,$cdom,'provider'); - if (keys(%crslti)) { - foreach my $id (keys(%crslti)) { - if (ref($crslti{$id}) eq 'HASH') { - my $key = $crslti{$id}{'key'}; - push(@{$crslti_by_key{$key}},$id); - } - } - } -# # Verify the signed request using the secret for LTI link # protectors for which the key in the POSTed data matches # keys in the course configuration. @@ -153,8 +138,14 @@ sub handler { # Determine if nonce in POSTed data has expired. # If unexpired, confirm it has not already been used. # - if (keys(%crslti)) { - $itemid = &get_lti_itemid($requri,$hostname,$params,\%crslti,\%crslti_by_key); +# Retrieve information for LTI link protectors in course +# where url was /adm/launch/tiny/$cdom/$uniqueid +# + + my ($itemid,$ltitype,%crslti); + $itemid = &get_lti_itemid($requri,$hostname,$params,$cdom,$cnum,'deeplink'); + if ($itemid) { + %crslti = &Apache::lonnet::get_course_lti($cnum,$cdom,'provider'); } if (($itemid) && (ref($crslti{$itemid}) eq 'HASH')) { $ltitype = 'c'; @@ -164,30 +155,17 @@ sub handler { return OK; } } else { - my %lti = &Apache::lonnet::get_domain_lti($cdom,'provider'); - unless (keys(%lti) > 0) { - &invalid_request($r,4); - return OK; + my %lti; + $itemid = &get_lti_itemid($requri,$hostname,$params,$cdom,'','deeplink'); + if ($itemid) { + %lti = &Apache::lonnet::get_domain_lti($cdom,'provider'); } - my (%domlti_by_key,%domlti); - foreach my $id (keys(%lti)) { - if (ref($lti{$id}) eq 'HASH') { - my $key = $lti{$id}{'key'}; - if (!$lti{$itemid}{'requser'}) { - push(@{$domlti_by_key{$key}},$id); - $domlti{$id} = $lti{$id}; - } - } - } - if (keys(%domlti)) { - $itemid = &get_lti_itemid($requri,$hostname,$params,\%domlti,\%domlti_by_key); - } - if (($itemid) && (ref($domlti{$itemid}) eq 'HASH')) { + if (($itemid) && (ref($lti{$itemid}) eq 'HASH')) { $ltitype = 'd'; unless (&LONCAPA::ltiutils::check_nonce($params->{'oauth_nonce'},$params->{'oauth_timestamp'}, - $domlti{$itemid}{'lifetime'},$cdom, + $lti{$itemid}{'lifetime'},$cdom, $r->dir_config('lonLTIDir'))) { - &invalid_request($r,5); + &invalid_request($r,4); return OK; } } @@ -197,27 +175,27 @@ sub handler { delete($env{'form.'.$key}); } my $ltoken = &Apache::lonnet::tmpput({'linkprot' => $itemid.$ltitype.':'.$tail}, - $lonhost); + $lonhost,'link'); if ($ltoken) { $r->internal_redirect($tail.'?ltoken='.$ltoken); $r->set_handlers('PerlHandler'=> undef); } else { - &invalid_request($r,6); + &invalid_request($r,5); } } else { - &invalid_request($r,7); + &invalid_request($r,6); } } else { - &invalid_request($r,8); + &invalid_request($r,7); } } else { - &invalid_request($r,9); + &invalid_request($r,8); } } else { - &invalid_request($r,10); + &invalid_request($r,9); } } else { - &invalid_request($r,11); + &invalid_request($r,10); } return OK; } @@ -318,7 +296,7 @@ sub handler { if ($tail =~ m{^/uploaded/($match_domain)/($match_courseid)/(?:default|supplemental)(?:|_\d+)\.(?:sequence|page)(|___\d+___.+)$}) { ($urlcdom,$urlcnum,my $rest) = ($1,$2,$3); if (($cdom ne '') && ($cdom ne $urlcdom)) { - &invalid_request($r,12); + &invalid_request($r,11); return OK; } if ($rest eq '') { @@ -337,13 +315,13 @@ sub handler { } elsif ($tail =~ m{^/($match_domain)/($match_courseid)$}) { ($urlcdom,$urlcnum) = ($1,$2); if (($cdom ne '') && ($cdom ne $urlcdom)) { - &invalid_request($r,13); + &invalid_request($r,12); return OK; } } elsif ($tail =~ m{^/tiny/($match_domain)/(\w+)$}) { ($urlcdom,$urlcnum) = &course_from_tinyurl($tail); if (($urlcdom eq '') || ($urlcnum eq '')) { - &invalid_request($r,14); + &invalid_request($r,13); return OK; } } @@ -369,33 +347,19 @@ sub handler { # # Retrieve information for LTI Consumers in course's domain -# and populate hash -- %lti_by_key -- for which keys -# are those defined in domain configuration for LTI. -# - - my %lti = &Apache::lonnet::get_domain_lti($cdom,'provider'); - unless (keys(%lti) > 0) { - &invalid_request($r,15); - return OK; - } - my %lti_by_key; - if (keys(%lti)) { - foreach my $id (keys(%lti)) { - if (ref($lti{$id}) eq 'HASH') { - my $key = $lti{$id}{'key'}; - push(@{$lti_by_key{$key}},$id); - } - } - } - +# defined in domain configuration for LTI. # # Verify the signed request using the secret for those -# Consumers for which the key in the POSTed data matches +# Consumers for which the key in the POSTed data matches # keys in the course configuration or the domain configuration # for LTI. # - my $itemid = &get_lti_itemid($requri,$hostname,$params,\%lti,\%lti_by_key); + my %lti; + my $itemid = &get_lti_itemid($requri,$hostname,$params,$cdom); + if ($itemid) { + %lti = &Apache::lonnet::get_domain_lti($cdom,'provider'); + } # # Request is invalid if the signed request could not be verified @@ -403,7 +367,7 @@ sub handler { # configuration in LON-CAPA for that LTI Consumer. # unless (($itemid) && (ref($lti{$itemid}) eq 'HASH')) { - &invalid_request($r,16); + &invalid_request($r,14); return OK; } @@ -413,7 +377,7 @@ sub handler { # unless (&LONCAPA::ltiutils::check_nonce($params->{'oauth_nonce'},$params->{'oauth_timestamp'}, $lti{$itemid}{'lifetime'},$cdom,$r->dir_config('lonLTIDir'))) { - &invalid_request($r,17); + &invalid_request($r,15); return OK; } @@ -434,10 +398,10 @@ sub handler { $r->internal_redirect($tail.'?ltoken='.$ltoken); $r->set_handlers('PerlHandler'=> undef); } else { - &invalid_request($r,18); + &invalid_request($r,16); } } else { - &invalid_request($r,19); + &invalid_request($r,17); } return OK; } @@ -495,13 +459,14 @@ sub handler { if ($sourcecrs ne '') { %consumers = &Apache::lonnet::get_dom('lticonsumers',[$sourcecrs],$cdom); if (exists($consumers{$sourcecrs})) { - if ($consumers{$sourcecrs} =~ /^$match_courseid$/) { - my $crshome = &Apache::lonnet::homeserver($consumers{$sourcecrs},$cdom); + if ($consumers{$sourcecrs} =~ /^\Q$itemid:\E($match_courseid)$/) { + my $storedcnum = $1; + my $crshome = &Apache::lonnet::homeserver($storedcnum,$cdom); if ($crshome =~ /(con_lost|no_host|no_such_host)/) { - &invalid_request($r,20); + &invalid_request($r,18); return OK; } else { - $posscnum = $consumers{$sourcecrs}; + $posscnum = $storedcnum; } } } @@ -510,7 +475,7 @@ sub handler { if ($urlcnum ne '') { if ($posscnum ne '') { if ($posscnum ne $urlcnum) { - &invalid_request($r,21); + &invalid_request($r,19); return OK; } else { $cnum = $posscnum; @@ -518,7 +483,7 @@ sub handler { } else { my $crshome = &Apache::lonnet::homeserver($urlcnum,$cdom); if ($crshome =~ /(con_lost|no_host|no_such_host)/) { - &invalid_request($r,22); + &invalid_request($r,20); return OK; } else { $cnum = $urlcnum; @@ -583,7 +548,7 @@ sub handler { $domdesc,\%data,\%alerts,\%rulematch, \%inst_results,\%curr_rules,%got_rules); if ($result eq 'notallowed') { - &invalid_request($r,23); + &invalid_request($r,21); } elsif ($result eq 'ok') { if (($ltiroles[0] eq 'Instructor') && ($lcroles[0] eq 'cc') && ($lti{$itemid}{'mapcrs'}) && ($lti{$itemid}{'makecrs'})) { @@ -592,16 +557,16 @@ sub handler { } } } else { - &invalid_request($r,24); + &invalid_request($r,22); return OK; } } else { - &invalid_request($r,25); + &invalid_request($r,23); return OK; } } } else { - &invalid_request($r,26); + &invalid_request($r,24); return OK; } @@ -613,20 +578,26 @@ sub handler { my $reqcrs; if ($cnum eq '') { - if ((@ltiroles) && ($lti{$itemid}{'mapcrs'}) && - ($ltiroles[0] eq 'Instructor') && ($lcroles[0] eq 'cc') && ($lti{$itemid}{'makecrs'})) { - my (%can_request,%request_domains); - &Apache::lonnet::check_can_request($cdom,\%can_request,\%request_domains,$uname,$udom); - if ($can_request{'lti'}) { - $reqcrs = 1; - <i_session($r,$itemid,$uname,$udom,$uhome,$lonhost,undef,$mapurl,$tail, - $symb,$cdom,$cnum,$params,\@ltiroles,$lti{$itemid},\@lcroles, - $reqcrs,$sourcecrs); + if ($lti{$itemid}{'crsinc'}) { + if ((@ltiroles) && ($lti{$itemid}{'mapcrs'}) && + ($ltiroles[0] eq 'Instructor') && ($lcroles[0] eq 'cc') && ($lti{$itemid}{'makecrs'})) { + my (%can_request,%request_domains); + &Apache::lonnet::check_can_request($cdom,\%can_request,\%request_domains,$uname,$udom); + if ($can_request{'lti'}) { + $reqcrs = 1; + <i_session($r,$itemid,$uname,$udom,$uhome,$lonhost,undef,$mapurl,$tail, + $symb,$cdom,$cnum,$params,\@ltiroles,$lti{$itemid},\@lcroles, + $reqcrs,$sourcecrs); + } else { + &invalid_request($r,25); + } } else { - &invalid_request($r,27); + &invalid_request($r,26); } } else { - &invalid_request($r,28); + <i_session($r,$itemid,$uname,$udom,$uhome,$lonhost,undef,$mapurl,$tail, + $symb,$cdom,$cnum,$params,\@ltiroles,$lti{$itemid},\@lcroles, + $reqcrs,$sourcecrs); } return OK; } @@ -634,7 +605,7 @@ sub handler { # # If LON-CAPA course is a Community, and LON-CAPA role # indicated is cc, change role indicated to co. -# +# my %crsenv; if ($lcroles[0] eq 'cc') { @@ -712,7 +683,7 @@ sub handler { } } if ($reqrole eq '') { - &invalid_request($r,29); + &invalid_request($r,27); return OK; } else { unless (%crsenv) { @@ -722,10 +693,10 @@ sub handler { my $default_enrollment_end_date = $crsenv{'default_enrollment_end_date'}; my $now = time; if ($default_enrollment_end_date && $default_enrollment_end_date <= $now) { - &invalid_request($r,30); + &invalid_request($r,28); return OK; } elsif ($default_enrollment_start_date && $default_enrollment_start_date >$now) { - &invalid_request($r,31); + &invalid_request($r,29); return OK; } else { $selfenrollrole = $reqrole.'./'.$cdom.'/'.$cnum; @@ -739,11 +710,41 @@ sub handler { } # -# Store consumer-to-LON-CAPA course mapping +# Retrieve course type of LON-CAPA course to check if mapping from a Consumer +# course identifier permitted for this type of course (one of: official, +# unofficial, community, textbook, placement or lti. +# + + unless (%crsenv) { + %crsenv = &Apache::lonnet::coursedescription($cdom.'_'.$cnum); + } + my $crstype = lc($crsenv{'type'}); + if ($crstype eq '') { + $crstype = 'course'; + } + if ($crstype eq 'course') { + if ($crsenv{'internal.coursecode'}) { + $crstype = 'official'; + } elsif ($crsenv{'internal.textbook'}) { + $crstype = 'textbook'; + } elsif ($crsenv{'internal.lti'}) { + $crstype = 'lti'; + } else { + $crstype = 'unofficial'; + } + } + +# +# Store consumer-to-LON-CAPA course mapping if permitted # - if (($sourcecrs ne '') && ($consumers{$sourcecrs} eq '') && ($cnum ne '')) { - &Apache::lonnet::put_dom('lticonsumers',{ $sourcecrs => $cnum },$cdom); + if (($lti{$itemid}{'storecrs'}) && ($sourcecrs ne '') && + ($consumers{$sourcecrs} eq '') && ($cnum ne '')) { + if (ref($lti{$itemid}{'mapcrstype'}) eq 'ARRAY') { + if (grep(/^$crstype$/,@{$lti{$itemid}{'mapcrstype'}})) { + &Apache::lonnet::put_dom('lticonsumers',{ $sourcecrs => $itemid.':'.$cnum },$cdom); + } + } } # @@ -757,38 +758,19 @@ sub handler { } sub get_lti_itemid { - my ($requri,$hostname,$params,$lti,$lti_by_key) = @_; - return unless ((ref($params) eq 'HASH') && (ref($lti) eq 'HASH') && (ref($lti_by_key) eq 'HASH')); - - if (exists($params->{'oauth_callback'})) { - $Net::OAuth::PROTOCOL_VERSION = Net::OAuth::PROTOCOL_VERSION_1_0A; - } else { - $Net::OAuth::PROTOCOL_VERSION = Net::OAuth::PROTOCOL_VERSION_1_0; - } - + my ($requri,$hostname,$params,$cdom,$cnum,$context) = @_; + return unless (ref($params) eq 'HASH'); my $protocol = 'http'; if ($ENV{'SERVER_PORT'} == 443) { $protocol = 'https'; } - - my ($itemid,$consumer_key,$secret); - my $consumer_key = $params->{'oauth_consumer_key'}; - if (ref($lti_by_key->{$consumer_key}) eq 'ARRAY') { - foreach my $id (@{$lti_by_key->{$consumer_key}}) { - if (ref($lti->{$id}) eq 'HASH') { - $secret = $lti->{$id}{'secret'}; - my $request = Net::OAuth->request('request token')->from_hash($params, - request_url => $protocol.'://'.$hostname.$requri, - request_method => $env{'request.method'}, - consumer_secret => $secret,); - if ($request->verify()) { - $itemid = $id; - last; - } - } - } + my $url = $protocol.'://'.$hostname.$requri; + my $method = $env{'request.method'}; + if ($cnum ne '') { + return &Apache::lonnet::courselti_itemid($cnum,$cdom,$url,$method,$params,$context); + } else { + return &Apache::lonnet::domainlti_itemid($cdom,$url,$method,$params,$context); } - return $itemid; } sub lti_enroll { @@ -894,7 +876,9 @@ sub lti_session { $env{'request.lti.uri'} = $tail; } else { unless ($tail eq '/adm/roles') { - $env{'form.origurl'} = '/adm/navmaps'; + if ($cnum) { + $env{'form.origurl'} = '/adm/navmaps'; + } } } } @@ -930,7 +914,7 @@ sub lti_session { if ($params->{'launch_presentation_document_target'}) { $env{'request.lti.target'} = $params->{'launch_presentation_document_target'}; } - foreach my $key (%{$params}) { + foreach my $key (keys(%{$params})) { delete($env{'form.'.$key}); } my $redirecturl = '/adm/switchserver'; @@ -942,7 +926,7 @@ sub lti_session { } else { # need to login them in, so generate the need data that # migrate expects to do login - foreach my $key (%{$params}) { + foreach my $key (keys(%{$params})) { delete($env{'form.'.$key}); } if (($ltihash->{'callback'}) && ($params->{$ltihash->{'callback'}})) { @@ -1002,7 +986,9 @@ sub lti_session { $info{'origurl'} = $tail; } else { unless ($tail eq '/adm/roles') { - $info{'origurl'} = '/adm/navmaps'; + if ($cnum) { + $info{'origurl'} = '/adm/navmaps'; + } } } }