--- loncom/lti/ltiauth.pm 2017/12/07 15:36:25 1.2
+++ loncom/lti/ltiauth.pm 2022/02/06 21:37:00 1.32
@@ -1,7 +1,7 @@
# The LearningOnline Network
# Basic LTI Authentication Module
#
-# $Id: ltiauth.pm,v 1.2 2017/12/07 15:36:25 raeburn Exp $
+# $Id: ltiauth.pm,v 1.32 2022/02/06 21:37:00 raeburn Exp $
#
# Copyright Michigan State University Board of Trustees
#
@@ -31,18 +31,33 @@ package Apache::ltiauth;
use strict;
use LONCAPA qw(:DEFAULT :match);
use Apache::Constants qw(:common :http);
-use Net::OAuth;
use Apache::lonlocal;
use Apache::lonnet;
use Apache::loncommon;
use Apache::lonacc;
+use Apache::lonrequestcourse;
use LONCAPA::ltiutils;
sub handler {
my $r = shift;
my $requri = $r->uri;
+ my $hostname = $r->hostname;
+#
+# Check for existing session, and temporarily delete any form items
+# in %env, if session exists
+#
+ my %savedform;
+ my $handle = &Apache::lonnet::check_for_valid_session($r);
+ if ($handle ne '') {
+ foreach my $key (sort(keys(%env))) {
+ if ($key =~ /^form\.(.+)$/) {
+ $savedform{$1} = $env{$key};
+ delete($env{$key});
+ }
+ }
+ }
#
-# Retrieve data POSTed by LTI Consumer on launch
+# Retrieve data POSTed by LTI launch
#
&Apache::lonacc::get_posted_cgi($r);
my $params = {};
@@ -51,9 +66,20 @@ sub handler {
$params->{$1} = $env{$key};
}
}
+#
+# Check for existing session, and restore temporarily
+# deleted form items to %env, if session exists.
+#
+ if ($handle ne '') {
+ if (keys(%savedform)) {
+ foreach my $key (sort(keys(%savedform))) {
+ $env{'form.'.$key} = $savedform{$key};
+ }
+ }
+ }
unless (keys(%{$params})) {
- &invalid_request($r,1);
+ &invalid_request($r,'No parameters included in launch request');
return OK;
}
@@ -63,7 +89,7 @@ sub handler {
$params->{'oauth_version'} &&
$params->{'oauth_signature'} &&
$params->{'oauth_signature_method'}) {
- &invalid_request($r,2);
+ &invalid_request($r,'One or more required parameters missing from launch request');
return OK;
}
@@ -71,12 +97,175 @@ sub handler {
# Retrieve "internet domains" for all this institution's LON-CAPA
# nodes.
#
- my ($udom,$uname,$uhome,$cdom,$cnum,$symb,$mapurl,@intdoms);
+ my @intdoms;
my $lonhost = $r->dir_config('lonHostID');
my $internet_names = &Apache::lonnet::get_internet_names($lonhost);
if (ref($internet_names) eq 'ARRAY') {
@intdoms = @{$internet_names};
}
+#
+# Determine course's domain in LON-CAPA
+# for basic launch using key and secret managed
+# in LON-CAPA course (i.e., uri begins /adm/launch)
+#
+
+ my ($cdom,$cnum);
+
+# Note: "internet domain" for course's domain must be one of the
+# internet domains for the institution's LON-CAPA servers.
+#
+ if ($requri =~ m{^/adm/launch(|/.*)$}) {
+ my $tail = $1;
+ if ($tail =~ m{^/tiny/($match_domain)/(\w+)$}) {
+ my ($urlcdom,$urlcnum) = &course_from_tinyurl($tail);
+ if (($urlcdom ne '') && ($urlcnum ne '')) {
+ $cdom = $urlcdom;
+ $cnum = $urlcnum;
+ my $primary_id = &Apache::lonnet::domain($cdom,'primary');
+ if ($primary_id ne '') {
+ my $intdom = &Apache::lonnet::internet_dom($primary_id);
+ if (($intdom ne '') && (grep(/^\Q$intdom\E$/,@intdoms))) {
+#
+# Verify the signed request using the secret for LTI link
+# protectors for which the key in the POSTed data matches
+# keys in the course configuration.
+#
+# Request is invalid if the signed request could not be verified
+# for the key and secret from LON-CAPA course configuration for
+# LTI link protectors or from LON-CAPA configuration for the
+# course's domain if there are LTI Providers which may be used.
+#
+# Determine if nonce in POSTed data has expired.
+# If unexpired, confirm it has not already been used.
+#
+# Retrieve information for LTI link protectors in course
+# where url was /adm/launch/tiny/$cdom/$uniqueid
+#
+
+ my ($itemid,$ltitype,%crslti,%lti_in_use);
+ $itemid = &get_lti_itemid($requri,$hostname,$params,$cdom,$cnum,'deeplink');
+ if ($itemid) {
+ %crslti = &Apache::lonnet::get_course_lti($cnum,$cdom,'provider');
+ }
+ if (($itemid) && (ref($crslti{$itemid}) eq 'HASH')) {
+ $ltitype = 'c';
+ if (&LONCAPA::ltiutils::check_nonce($params->{'oauth_nonce'},$params->{'oauth_timestamp'},
+ $crslti{$itemid}{'lifetime'},$cdom,$r->dir_config('lonLTIDir'))) {
+ %lti_in_use = %{$crslti{$itemid}};
+ } else {
+ &invalid_request($r,'Time limit exceeded for launch request credentials');
+ return OK;
+ }
+ } else {
+ $itemid = &get_lti_itemid($requri,$hostname,$params,$cdom,'','deeplink');
+ my %lti;
+ if ($itemid) {
+ %lti = &Apache::lonnet::get_domain_lti($cdom,'provider');
+ }
+ if (($itemid) && (ref($lti{$itemid}) eq 'HASH')) {
+ $ltitype = 'd';
+ if (&LONCAPA::ltiutils::check_nonce($params->{'oauth_nonce'},$params->{'oauth_timestamp'},
+ $lti{$itemid}{'lifetime'},$cdom,
+ $r->dir_config('lonLTIDir'))) {
+ %lti_in_use = %{$lti{$itemid}};
+ } else {
+ &invalid_request($r,'Time limit exceeded for launch request credentials');
+ return OK;
+ }
+ }
+ }
+ if (($itemid) && ($lti_in_use{'requser'})) {
+ my %courseinfo = &Apache::lonnet::coursedescription($cdom.'_'.$cnum);
+ my $ltiauth;
+ if (exists($courseinfo{'internal.ltiauth'})) {
+ $ltiauth = $courseinfo{'internal.ltiauth'};
+ } else {
+ my %domdefs = &Apache::lonnet::get_domain_defaults($cdom);
+ $ltiauth = $domdefs{'crsltiauth'};
+ }
+ if ($ltiauth) {
+ my $possuname;
+ my $mapuser = $crslti{$itemid}{'mapuser'};
+ if ($mapuser eq 'sourcedid') {
+ if ($params->{'lis_person_sourcedid'} =~ /^$match_username$/) {
+ $possuname = $params->{'lis_person_sourcedid'};
+ }
+ } elsif ($mapuser eq 'email') {
+ if ($params->{'lis_person_contact_email_primary'} =~ /^$match_username$/) {
+ $possuname = $params->{'lis_person_contact_email_primary'};
+ }
+ } elsif (exists($params->{$mapuser})) {
+ if ($params->{$mapuser} =~ /^$match_username$/) {
+ $possuname = $params->{$mapuser};
+ }
+ }
+ if ($possuname ne '') {
+ my $uhome = &Apache::lonnet::homeserver($possuname,$cdom);
+ unless ($uhome eq 'no_host') {
+ my $uname = $possuname;
+ my ($is_student,$is_nonstudent);
+ my %course_roles =
+ &Apache::lonnet::get_my_roles($uname,$cdom,,'userroles',['active'],
+ ['cc','co','in','ta','ep','ad','st','cr'],
+ [$cdom]);
+ foreach my $key (keys(%course_roles)) {
+ my ($trest,$tdomain,$trole,$sec) = split(/:/,$key);
+ if (($trest eq $cnum) && ($tdomain eq $cdom)) {
+ if ($trole eq 'st') {
+ $is_student = 1;
+ } else {
+ $is_nonstudent = 1;
+ last;
+ }
+ }
+ }
+ if (($is_student) && (!$is_nonstudent)) {
+ unless (&Apache::lonnet::is_advanced_user($uname,$cdom)) {
+ foreach my $key (%{$params}) {
+ delete($env{'form.'.$key});
+ }
+ &linkprot_session($r,$uname,$cnum,$cdom,$uhome,$itemid,$ltitype,$tail,$lonhost);
+ return OK;
+ }
+ }
+ }
+ }
+ if ($lti_in_use{'notstudent'} eq 'reject') {
+ &invalid_request($r,'Information for valid user missing from launch request');
+ }
+ }
+ }
+ if ($itemid) {
+ foreach my $key (%{$params}) {
+ delete($env{'form.'.$key});
+ }
+ my $ltoken = &Apache::lonnet::tmpput({'linkprot' => $itemid.$ltitype.':'.$tail},
+ $lonhost,'link');
+ if ($ltoken) {
+ $r->internal_redirect($tail.'?ltoken='.$ltoken);
+ $r->set_handlers('PerlHandler'=> undef);
+ } else {
+ &invalid_request($r,'Failed to store information from launch request');
+ }
+ } else {
+ &invalid_request($r,'Launch request could not be validated');
+ }
+ } else {
+ &invalid_request($r,'Launch unavailable on this LON-CAPA server');
+ }
+ } else {
+ &invalid_request($r,'Launch unavailable for this domain');
+ }
+ } else {
+ &invalid_request($r,'Invalid launch URL');
+ }
+ } else {
+ &invalid_request($r,'Invalid launch URL');
+ }
+ return OK;
+ }
+
+ my ($udom,$uname,$uhome,$symb,$mapurl);
#
# For user who launched LTI in Consumer, determine user's domain in
@@ -139,11 +328,11 @@ sub handler {
# Order is:
#
# (a) from custom_coursedomain item in POSTed data
-# (b) from tail of requested URL (after /adm/lti) if it has format of a symb
+# (b) from tail of requested URL (after /adm/lti/) if it has format of a symb
# (c) from tail of requested URL (after /adm/lti) if it has format of a map
# (d) from tail of requested URL (after /adm/lti) if it has format /domain/courseID
-# (e) from tail of requested URL (after /adm/lti) if it has format /tiny/domain/...
-# i.e., a shortened URL (see bug #6400) -- not implemented yet.
+# (e) from tail of requested URL (after /adm/lti) if it has format /tiny/domain/\w+
+# i.e., a shortened URL (see bug #6400).
# (f) same as user's domain
#
# Request invalid if custom_coursedomain is defined and is inconsistent with
@@ -172,20 +361,32 @@ sub handler {
if ($tail =~ m{^/uploaded/($match_domain)/($match_courseid)/(?:default|supplemental)(?:|_\d+)\.(?:sequence|page)(|___\d+___.+)$}) {
($urlcdom,$urlcnum,my $rest) = ($1,$2,$3);
if (($cdom ne '') && ($cdom ne $urlcdom)) {
- &invalid_request($r,3);
+ &invalid_request($r,'Incorrect domain in requested URL');
return OK;
}
if ($rest eq '') {
$mapurl = $tail;
} else {
$symb = $tail;
- $symb =~ s{^/+}{};
+ $symb =~ s{^/}{};
+ }
+ } elsif ($tail =~ m{^/res/(?:$match_domain)/(?:$match_username)/.+\.(?:sequence|page)(|___\d+___.+)$}) {
+ if ($1 eq '') {
+ $mapurl = $tail;
+ } else {
+ $symb = $tail;
+ $symb =~ s{^/res/}{};
}
-#FIXME Need to handle encrypted URLs
} elsif ($tail =~ m{^/($match_domain)/($match_courseid)$}) {
($urlcdom,$urlcnum) = ($1,$2);
if (($cdom ne '') && ($cdom ne $urlcdom)) {
- &invalid_request($r,4);
+ &invalid_request($r,'Incorrect domain in requested URL');
+ return OK;
+ }
+ } elsif ($tail =~ m{^/tiny/($match_domain)/(\w+)$}) {
+ ($urlcdom,$urlcnum) = &course_from_tinyurl($tail);
+ if (($urlcdom eq '') || ($urlcnum eq '')) {
+ &invalid_request($r,'Invalid URL shortcut');
return OK;
}
}
@@ -210,53 +411,19 @@ sub handler {
}
#
-# Retrieve information for LTI Consumers in course domain
-# and populate hash -- %lti_by_key -- for which keys
-# are those defined in domain configuration for LTI.
-#
-
- my %lti = &Apache::lonnet::get_domain_lti($cdom,'provider');
- unless (keys(%lti) > 0) {
- &invalid_request($r,5);
- return OK;
- }
- my %lti_by_key;
- if (keys(%lti)) {
- foreach my $id (keys(%lti)) {
- if (ref($lti{$id}) eq 'HASH') {
- my $key = $lti{$id}{'key'};
- push(@{$lti_by_key{$key}},$id);
- }
- }
- }
-
+# Retrieve information for LTI Consumers in course's domain
+# defined in domain configuration for LTI.
#
# Verify the signed request using the secret for those
-# Consumers for which the key in the POSTed data matches
-# keys in the domain configuration for LTI.
+# Consumers for which the key in the POSTed data matches
+# keys in the course configuration or the domain configuration
+# for LTI.
#
- my $hostname = $r->hostname;
- my $protocol = 'http';
- if ($ENV{'SERVER_PORT'} == 443) {
- $protocol = 'https';
- }
- my ($itemid,$key,$secret,@ltiroles);
- $key = $params->{'oauth_consumer_key'};
- if (ref($lti_by_key{$key}) eq 'ARRAY') {
- foreach my $id (@{$lti_by_key{$key}}) {
- if (ref($lti{$id}) eq 'HASH') {
- $secret = $lti{$id}{'secret'};
- my $request = Net::OAuth->request('request token')->from_hash($params,
- request_url => $protocol.'://'.$hostname.$requri,
- request_method => $env{'request.method'},
- consumer_secret => $secret,);
- if ($request->verify()) {
- $itemid = $id;
- last;
- }
- }
- }
+ my %lti;
+ my $itemid = &get_lti_itemid($requri,$hostname,$params,$cdom);
+ if ($itemid) {
+ %lti = &Apache::lonnet::get_domain_lti($cdom,'provider');
}
#
@@ -265,7 +432,7 @@ sub handler {
# configuration in LON-CAPA for that LTI Consumer.
#
unless (($itemid) && (ref($lti{$itemid}) eq 'HASH')) {
- &invalid_request($r,6);
+ &invalid_request($r,'Launch request could not be validated');
return OK;
}
@@ -275,12 +442,37 @@ sub handler {
#
unless (&LONCAPA::ltiutils::check_nonce($params->{'oauth_nonce'},$params->{'oauth_timestamp'},
$lti{$itemid}{'lifetime'},$cdom,$r->dir_config('lonLTIDir'))) {
- &invalid_request($r,7);
+ &invalid_request($r,'Time limit exceeded for launch request credentials');
+ return OK;
+ }
+
+#
+# Determine if a username is required from the domain
+# configuration for the specific LTI Consumer
+#
+
+ if (!$lti{$itemid}{'requser'}) {
+ if ($tail =~ m{^/tiny/($match_domain)/(\w+)$}) {
+ my $ltitype = 'd';
+ foreach my $key (%{$params}) {
+ delete($env{'form.'.$key});
+ }
+ my $ltoken = &Apache::lonnet::tmpput({'linkprot' => $itemid.$ltitype.':'.$tail},
+ $lonhost);
+ if ($ltoken) {
+ $r->internal_redirect($tail.'?ltoken='.$ltoken);
+ $r->set_handlers('PerlHandler'=> undef);
+ } else {
+ &invalid_request($r,'Failed to store information from launch request');
+ }
+ } else {
+ &invalid_request($r,'Launch URL invalid for matched launch credentials');
+ }
return OK;
}
#
-# Determinine if source of username matches requirement from the
+# Determine if source of username matches requirement from the
# domain configuration for the specific LTI Consumer.
#
@@ -308,11 +500,11 @@ sub handler {
#
# (a) from course mapping (if the link between Consumer "course" and
# Provider "course" has been established previously).
-# (b) from tail of requested URL (after /adm/lti) if it has format of a symb
+# (b) from tail of requested URL (after /adm/lti/) if it has format of a symb
# (c) from tail of requested URL (after /adm/lti) if it has format of a map
# (d) from tail of requested URL (after /adm/lti) if it has format /domain/courseID
-# (e) from tail of requested URL (after /adm/lti) if it has format /tiny/domain/...
-# i.e., a shortened URL (see bug #6400) -- not implemented yet.
+# (e) from tail of requested URL (after /adm/lti) if it has format /tiny/domain/\w+
+# i.e., a shortened URL (see bug #6400).
#
# If Consumer course included in POSTed data points as a target course which
# has a format which matches a LON-CAPA courseID, but the course does not
@@ -332,13 +524,14 @@ sub handler {
if ($sourcecrs ne '') {
%consumers = &Apache::lonnet::get_dom('lticonsumers',[$sourcecrs],$cdom);
if (exists($consumers{$sourcecrs})) {
- if ($consumers{$sourcecrs} =~ /^$match_courseid$/) {
- my $crshome = &Apache::lonnet::homeserver($consumers{$sourcecrs},$cdom);
+ if ($consumers{$sourcecrs} =~ /^\Q$itemid:\E($match_courseid)$/) {
+ my $storedcnum = $1;
+ my $crshome = &Apache::lonnet::homeserver($storedcnum,$cdom);
if ($crshome =~ /(con_lost|no_host|no_such_host)/) {
- &invalid_request($r,8);
+ &invalid_request($r,'Invalid courseID included in launch data');
return OK;
} else {
- $posscnum = $consumers{$sourcecrs};
+ $posscnum = $storedcnum;
}
}
}
@@ -347,7 +540,7 @@ sub handler {
if ($urlcnum ne '') {
if ($posscnum ne '') {
if ($posscnum ne $urlcnum) {
- &invalid_request($r,9);
+ &invalid_request($r,'Course ID included in launch data incompatible with URL');
return OK;
} else {
$cnum = $posscnum;
@@ -355,7 +548,7 @@ sub handler {
} else {
my $crshome = &Apache::lonnet::homeserver($urlcnum,$cdom);
if ($crshome =~ /(con_lost|no_host|no_such_host)/) {
- &invalid_request($r,10);
+ &invalid_request($r,'Valid course ID could not be extracted from requested URL');
return OK;
} else {
$cnum = $urlcnum;
@@ -366,43 +559,25 @@ sub handler {
}
#
-# Get LON-CAPA role to use from role-mapping of Consumer roles
+# Get LON-CAPA role(s) to use from role-mapping of Consumer roles
# defined in domain configuration for the appropriate LTI
# Consumer.
#
-# If multiple LON-CAPA roles are indicated, choose based
-# on the order: cc, in, ta, ep, st
+# If multiple LON-CAPA roles are indicated for the current user,
+# ordering (from first to last) is: cc/co, in, ta, ep, st.
#
- my $reqrole;
-
- my @roleorder = ('cc','in','ta','ep','st');
- if ($params->{'roles'} =~ /,/) {
- @ltiroles = split(/\s*,\s*/,$params->{'role'});
- } else {
- my $singlerole = $params->{'roles'};
- $singlerole =~ s/^\s|\s+$//g;
- @ltiroles = ($singlerole);
- }
- if (@ltiroles) {
- if (ref($lti{$itemid}{maproles}) eq 'HASH') {
- my %possroles;
- map { $possroles{$lti{$itemid}{maproles}{$_}} = 1; } @ltiroles;
- my @possibles = keys(%possroles);
- if (@possibles == 1) {
- if (grep(/^\Q$possibles[0]\E$/,@roleorder)) {
- $reqrole = $possibles[0];
-
- }
- } elsif (@possibles > 1) {
- foreach my $item (@roleorder) {
- if ($possroles{$item}) {
- $reqrole = $item;
- last;
- }
- }
- }
- }
+ my (@ltiroles,@lcroles);
+ my @lcroleorder = ('cc','in','ta','ep','st');
+ my ($lcrolesref,$ltirolesref) =
+ &LONCAPA::ltiutils::get_lc_roles($params->{'roles'},
+ \@lcroleorder,
+ $lti{$itemid}{maproles});
+ if (ref($lcrolesref) eq 'ARRAY') {
+ @lcroles = @{$lcrolesref};
+ }
+ if (ref($ltirolesref) eq 'ARRAY') {
+ @ltiroles = @{$ltirolesref};
}
#
@@ -419,114 +594,355 @@ sub handler {
foreach my $ltirole (@ltiroles) {
if (grep(/^\Q$ltirole\E$/,@{$lti{$itemid}{'makeuser'}})) {
$selfcreate = 1;
+ last;
}
}
}
}
if ($selfcreate) {
-#FIXME Do user creation here.
- return OK
+ my (%rulematch,%inst_results,%curr_rules,%got_rules,%alerts);
+ my $domdesc = &Apache::lonnet::domain($udom,'description');
+ my %data = (
+ 'permanentemail' => $env{'form.lis_person_contact_email_primary'},
+ 'firstname' => $env{'form.lis_person_name_given'},
+ 'lastname' => $env{'form.lis_person_name_family'},
+ 'fullname' => $env{'form.lis_person_name_full'},
+ );
+ my $result =
+ &LONCAPA::ltiutils::create_user($lti{$itemid},$uname,$udom,
+ $domdesc,\%data,\%alerts,\%rulematch,
+ \%inst_results,\%curr_rules,%got_rules);
+ if ($result eq 'notallowed') {
+ &invalid_request($r,'Account creation not permitted for this user');
+ } elsif ($result eq 'ok') {
+ if (($ltiroles[0] eq 'Instructor') && ($lcroles[0] eq 'cc') && ($lti{$itemid}{'mapcrs'}) &&
+ ($lti{$itemid}{'makecrs'})) {
+ unless (&Apache::lonnet::usertools_access($uname,$udom,'lti','reload','requestcourses')) {
+ &Apache::lonnet::put('environment',{ 'requestcourses.lti' => 'autolimit=', },$udom,$uname);
+ }
+ }
+ } else {
+ &invalid_request($r,'An error occurred during account creation');
+ return OK;
+ }
} else {
- &invalid_request($r,11);
+ &invalid_request($r,'Account creation not permitted');
return OK;
- }
- }
+ }
+ }
} else {
- &invalid_request($r,12);
+ &invalid_request($r,'Could not determine username and/or domain for user');
return OK;
}
#
# If no LON-CAPA course available, check if domain's configuration
# for the specific LTI Consumer allows a new course to be created
-# (requires role in Consumer to be: Instructor).
+# (requires role in Consumer to be: Instructor and Instructor to map to CC)
#
+ my $reqcrs;
if ($cnum eq '') {
- if ((@ltiroles) && (grep(/^Instructor$/,@ltiroles)) &&
- ($lti{$itemid}{'mapcrs'})) {
-#FIXME Create a new LON-CAPA course here.
- return OK;
+ if ($lti{$itemid}{'crsinc'}) {
+ if ((@ltiroles) && ($lti{$itemid}{'mapcrs'}) &&
+ ($ltiroles[0] eq 'Instructor') && ($lcroles[0] eq 'cc') && ($lti{$itemid}{'makecrs'})) {
+ my (%can_request,%request_domains);
+ &Apache::lonnet::check_can_request($cdom,\%can_request,\%request_domains,$uname,$udom);
+ if ($can_request{'lti'}) {
+ $reqcrs = 1;
+ <i_session($r,$itemid,$uname,$udom,$uhome,$lonhost,undef,$mapurl,$tail,
+ $symb,$cdom,$cnum,$params,\@ltiroles,$lti{$itemid},\@lcroles,
+ $reqcrs,$sourcecrs);
+ } else {
+ &invalid_request($r,'No LON-CAPA course available, and creation is not permitted for this user');
+ }
+ } else {
+ &invalid_request($r,'No LON-CAPA course available, and creation is not permitted');
+ }
} else {
- &invalid_request($r,13);
- return OK;
+ <i_session($r,$itemid,$uname,$udom,$uhome,$lonhost,undef,$mapurl,$tail,
+ $symb,$cdom,$cnum,$params,\@ltiroles,$lti{$itemid},\@lcroles,
+ $reqcrs,$sourcecrs);
}
+ return OK;
}
#
# If LON-CAPA course is a Community, and LON-CAPA role
# indicated is cc, change role indicated to co.
-#
+#
- if ($reqrole eq 'cc') {
+ my %crsenv;
+ if ($lcroles[0] eq 'cc') {
if (($cdom ne '') && ($cnum ne '')) {
- my %crsenv = &Apache::lonnet::coursedescription($cnum.'_'.$cdom,{ 'one_time' => 1,});
+ %crsenv = &Apache::lonnet::coursedescription($cdom.'_'.$cnum,{ 'one_time' => 1,});
if ($crsenv{'type'} eq 'Community') {
- $reqrole = 'co';
+ $lcroles[0] = 'co';
+ }
+ }
+ }
+
+#
+# Determine if user has a LON-CAPA role in the mapped LON-CAPA course.
+# If multiple LON-CAPA roles are available for the user's assigned LTI roles,
+# choose the first available LON-CAPA role in the order: cc/co, in, ta, ep, st
+#
+
+ my ($role,$usec,$withsec);
+ unless ((($lcroles[0] eq 'cc') || ($lcroles[0] eq 'co')) && (@lcroles == 1)) {
+ if ($lti{$itemid}{'section'} ne '') {
+ if ($lti{$itemid}{'section'} eq 'course_section_sourcedid') {
+ if ($env{'form.course_section_sourcedid'} !~ /\W/) {
+ $usec = $env{'form.course_section_sourcedid'};
+ }
+ } elsif ($env{'form.'.$lti{$itemid}{'section'}} !~ /\W/) {
+ $usec = $env{'form.'.$lti{$itemid}{'section'}};
+ }
+ }
+ if ($usec ne '') {
+ $withsec = 1;
+ }
+ }
+
+ if (@lcroles) {
+ my %crsroles = &Apache::lonnet::get_my_roles($uname,$udom,'userroles',undef,\@lcroles,
+ [$cdom],$withsec);
+ foreach my $reqrole (@lcroles) {
+ if ($withsec) {
+ my $incsec;
+ if (($reqrole eq 'cc') || ($reqrole eq 'co')) {
+ $incsec = '';
+ } else {
+ $incsec = $usec;
+ }
+ if (exists($crsroles{$cnum.':'.$cdom.':'.$reqrole.':'.$incsec})) {
+ $role = $reqrole.'./'.$cdom.'/'.$cnum;
+ if ($incsec ne '') {
+ $role .= '/'.$usec;
+ }
+ last;
+ }
+ } else {
+ if (exists($crsroles{$cnum.':'.$cdom.':'.$reqrole})) {
+ $role = $reqrole.'./'.$cdom.'/'.$cnum;
+ last;
+ }
}
}
}
#
-# Determine if user has required LON-CAPA role
-# in the mapped LON-CAPA course.
+# Determine if user can selfenroll
#
- my $role;
- my %crsroles = &Apache::lonnet::get_my_roles($uname,$udom,'userroles',undef,[$reqrole],[$cdom]);
- if (exists($crsroles{$cnum.':'.$cdom.':'.$reqrole})) {
- $role = $reqrole.'./'.$cdom.'/'.$cnum;
-#FIXME Need to accommodate sections
- } elsif (ref($lti{$itemid}{'selfenroll'}) eq 'ARRAY') {
- if (grep(/^\Q$reqrole\E$/,@{$lti{$itemid}{'selfenroll'}})) {
-#FIXME Do self-enrollment here
+ my ($reqrole,$selfenrollrole);
+ if ($role eq '') {
+ if ((@ltiroles) && (ref($lti{$itemid}{'selfenroll'}) eq 'ARRAY')) {
+ foreach my $ltirole (@ltiroles) {
+ if (grep(/^\Q$ltirole\E$/,@{$lti{$itemid}{'selfenroll'}})) {
+ if (ref($lti{$itemid}{maproles}) eq 'HASH') {
+ $reqrole = $lti{$itemid}{maproles}{$ltirole};
+ last;
+ }
+ }
+ }
+ }
+ if ($reqrole eq '') {
+ &invalid_request($r,'No matching role available in LON-CAPA course, and not permitted to self-enroll');
return OK;
} else {
- &invalid_request($r,14);
+ unless (%crsenv) {
+ %crsenv = &Apache::lonnet::coursedescription($cdom.'_'.$cnum);
+ }
+ my $default_enrollment_start_date = $crsenv{'default_enrollment_start_date'};
+ my $default_enrollment_end_date = $crsenv{'default_enrollment_end_date'};
+ my $now = time;
+ if ($default_enrollment_end_date && $default_enrollment_end_date <= $now) {
+ &invalid_request($r,'No active role available in LON-CAPA course, and past end date for self-enrollment');
+ return OK;
+ } elsif ($default_enrollment_start_date && $default_enrollment_start_date >$now) {
+ &invalid_request($r,'No active role available in LON-CAPA course, and brefor start date for self-enrollment');
+ return OK;
+ } else {
+ $selfenrollrole = $reqrole.'./'.$cdom.'/'.$cnum;
+ if (($withsec) && ($reqrole ne 'cc') && ($reqrole ne 'co')) {
+ if ($usec ne '') {
+ $selfenrollrole .= '/'.$usec;
+ }
+ }
+ }
+ }
+ }
+
+#
+# Retrieve course type of LON-CAPA course to check if mapping from a Consumer
+# course identifier permitted for this type of course (one of: official,
+# unofficial, community, textbook, placement or lti.
+#
+
+ unless (%crsenv) {
+ %crsenv = &Apache::lonnet::coursedescription($cdom.'_'.$cnum);
+ }
+ my $crstype = lc($crsenv{'type'});
+ if ($crstype eq '') {
+ $crstype = 'course';
+ }
+ if ($crstype eq 'course') {
+ if ($crsenv{'internal.coursecode'}) {
+ $crstype = 'official';
+ } elsif ($crsenv{'internal.textbook'}) {
+ $crstype = 'textbook';
+ } elsif ($crsenv{'internal.lti'}) {
+ $crstype = 'lti';
+ } else {
+ $crstype = 'unofficial';
}
}
#
-# Store consumer-to-LON-CAPA course mapping
+# Store consumer-to-LON-CAPA course mapping if permitted
#
- if (($sourcecrs ne '') && ($consumers{$sourcecrs} eq '') && ($cnum ne '')) {
- &Apache::lonnet::put_dom('lticonsumers',{ $sourcecrs => $cnum },$cdom);
+
+ if (($lti{$itemid}{'storecrs'}) && ($sourcecrs ne '') &&
+ ($consumers{$sourcecrs} eq '') && ($cnum ne '')) {
+ if (ref($lti{$itemid}{'mapcrstype'}) eq 'ARRAY') {
+ if (grep(/^$crstype$/,@{$lti{$itemid}{'mapcrstype'}})) {
+ &Apache::lonnet::put_dom('lticonsumers',{ $sourcecrs => $itemid.':'.$cnum },$cdom);
+ }
+ }
}
#
-# Check if user should be hosted here or switched to another server.
+# Start user session
#
- &Apache::lonnet::logthis(" LTI authorized user: $uname:$udom role: $role course: $cnum:$cdom");
- $r->user($uname);
- my ($is_balancer,$otherserver,$hosthere);
- ($is_balancer,$otherserver) =
- &Apache::lonnet::check_loadbalancing($uname,$udom,'login');
- if ($is_balancer) {
- if ($otherserver eq '') {
- my $lowest_load;
- ($otherserver,undef,undef,undef,$lowest_load) = &Apache::lonnet::choose_server($udom);
- if ($lowest_load > 100) {
- $otherserver = &Apache::lonnet::spareserver($lowest_load,$lowest_load,1,$udom);
- }
+ <i_session($r,$itemid,$uname,$udom,$uhome,$lonhost,$role,$mapurl,$tail,$symb,
+ $cdom,$cnum,$params,\@ltiroles,$lti{$itemid},\@lcroles,undef,$sourcecrs,
+ $selfenrollrole);
+ return OK;
+}
+
+sub get_lti_itemid {
+ my ($requri,$hostname,$params,$cdom,$cnum,$context) = @_;
+ return unless (ref($params) eq 'HASH');
+ my $protocol = 'http';
+ if ($ENV{'SERVER_PORT'} == 443) {
+ $protocol = 'https';
+ }
+ my $url = $protocol.'://'.$hostname.$requri;
+ my $method = $env{'request.method'};
+ if ($cnum ne '') {
+ return &Apache::lonnet::courselti_itemid($cnum,$cdom,$url,$method,$params,$context);
+ } else {
+ return &Apache::lonnet::domainlti_itemid($cdom,$url,$method,$params,$context);
+ }
+}
+
+sub lti_enroll {
+ my ($uname,$udom,$selfenrollrole) = @_;
+ my $enrollresult;
+ my ($role,$cdom,$cnum,$sec) =
+ ($selfenrollrole =~ m{^(\w+)\./($match_domain)/($match_courseid)(?:|/(\w*))$});
+ if (($cnum ne '') && ($cdom ne '')) {
+ my $chome = &Apache::lonnet::homeserver($cnum,$cdom);
+ if ($chome ne 'no_host') {
+ my %coursehash = &Apache::lonnet::coursedescription($cdom.'_'.$cnum);
+ my $start = $coursehash{'default_enrollment_start_date'};
+ my $end = $coursehash{'default_enrollment_end_date'};
+ $enrollresult = &LONCAPA::ltiutils::enrolluser($udom,$uname,$role,$cdom,$cnum,$sec,
+ $start,$end,1);
}
- if ($otherserver ne '') {
- my @hosts = &Apache::lonnet::current_machine_ids();
- if (grep(/^\Q$otherserver\E$/,@hosts)) {
- $hosthere = $otherserver;
- }
+ }
+ return $enrollresult;
+}
+
+sub lti_reqcrs {
+ my ($r,$cdom,$form,$uname,$udom) = @_;
+ my (%can_request,%request_domains);
+ &Apache::lonnet::check_can_request($cdom,\%can_request,\%request_domains,$uname,$udom);
+ if ($can_request{'lti'}) {
+ my %domconfig = &Apache::lonnet::get_dom('configuration',['requestcourses'],$cdom);
+ my %domdefs = &Apache::lonnet::get_domain_defaults($cdom);
+ &Apache::lonrequestcourse::print_textbook_form($r,$cdom,[$cdom],\%domdefs,
+ $domconfig{'requestcourses'},
+ \%can_request,'lti',$form);
+ } else {
+ $r->print(
+ &Apache::loncommon::start_page('Invalid LTI call',undef,{'only_body' => 1}).
+ &mt('Invalid LTI call').
+ &Apache::loncommon::end_page()
+ );
+ }
+}
+
+sub lti_session {
+ my ($r,$itemid,$uname,$udom,$uhome,$lonhost,$role,$mapurl,$tail,$symb,$cdom,$cnum,
+ $params,$ltiroles,$ltihash,$lcroles,$reqcrs,$sourcecrs,$selfenrollrole) = @_;
+ return unless ((ref($params) eq 'HASH') && (ref($ltiroles) eq 'ARRAY') &&
+ (ref($ltihash) eq 'HASH') && (ref($lcroles) eq 'ARRAY'));
+#
+# Check if user should be hosted here or switched to another server.
+#
+ $r->user($uname);
+ if ($cnum) {
+ if ($role) {
+ &Apache::lonnet::logthis(" LTI authorized user ($itemid): $uname:$udom, role: $role, course: $cdom\_$cnum");
+ } elsif ($selfenrollrole =~ m{^(\w+)\./$cdom/$cnum}) {
+ &Apache::lonnet::logthis(" LTI authorized user ($itemid): $uname:$udom, desired role: $1 course: $cdom\_$cnum");
}
+ } else {
+ &Apache::lonnet::logthis(" LTI authorized user ($itemid): $uname:$udom, course dom: $cdom");
+ }
+ my ($is_balancer,$otherserver,$hosthere) = &check_balancer($r,$uname,$udom);
+ my $protocol = 'http';
+ if ($ENV{'SERVER_PORT'} == 443) {
+ $protocol = 'https';
}
if (($is_balancer) && (!$hosthere)) {
# login but immediately go to switch server.
&Apache::lonauth::success($r,$uname,$udom,$uhome,'noredirect');
+ if (($ltihash->{'callback'}) && ($params->{$ltihash->{'callback'}})) {
+ &LONCAPA::ltiutils::setup_logout_callback($uname,$udom,$otherserver,
+ $ltihash->{'key'},
+ $ltihash->{'secret'},
+ $params->{$ltihash->{'callback'}},
+ $r->dir_config('ltiIDsDir'),
+ $protocol,$r->hostname);
+ }
if ($symb) {
$env{'form.symb'} = $symb;
+ $env{'request.lti.uri'} = $tail;
+ } else {
+ if ($mapurl) {
+ $env{'form.origurl'} = $mapurl;
+ $env{'request.lti.uri'} = $mapurl;
+ } elsif ($tail =~ m{^\Q/tiny/$cdom/\E\w+$}) {
+ $env{'form.origurl'} = $tail;
+ $env{'request.lti.uri'} = $tail;
+ } elsif ($tail eq "/$cdom/$cnum") {
+ $env{'form.origurl'} = '/adm/navmaps';
+ $env{'request.lti.uri'} = $tail;
+ } else {
+ unless ($tail eq '/adm/roles') {
+ if ($cnum) {
+ $env{'form.origurl'} = '/adm/navmaps';
+ }
+ }
+ }
}
if ($role) {
$env{'form.role'} = $role;
}
- if ($lti{$itemid}{'passback'}) {
+ if (($lcroles->[0] eq 'cc') && ($reqcrs)) {
+ $env{'request.lti.reqcrs'} = 1;
+ $env{'request.lti.reqrole'} = 'cc';
+ $env{'request.lti.sourcecrs'} = $sourcecrs;
+ }
+ if ($selfenrollrole) {
+ $env{'request.lti.selfenrollrole'} = $selfenrollrole;
+ $env{'request.lti.sourcecrs'} = $sourcecrs;
+ }
+ if ($ltihash->{'passback'}) {
if ($params->{'lis_result_sourcedid'}) {
$env{'request.lti.passbackid'} = $params->{'lis_result_sourcedid'};
}
@@ -534,16 +950,19 @@ sub handler {
$env{'request.lti.passbackurl'} = $params->{'lis_outcome_service_url'};
}
}
- if (($lti{$itemid}{'roster'}) && (grep(/^Instructor$/,@ltiroles))) {
+ if (($ltihash->{'roster'}) && (grep(/^Instructor$/,@{$ltiroles}))) {
if ($params->{'ext_ims_lis_memberships_id'}) {
- $env{'request.lti.rosterid'} = $params->{'ext_ims_lis_memberships_id'};
+ $env{'request.lti.rosterid'} = $params->{'ext_ims_lis_memberships_id'};
}
if ($params->{'ext_ims_lis_memberships_url'}) {
$env{'request.lti.rosterurl'} = $params->{'ext_ims_lis_memberships_url'};
}
}
- $env{'request.lti.login'} = 1;
- foreach my $key (%{$params}) {
+ $env{'request.lti.login'} = $itemid;
+ if ($params->{'launch_presentation_document_target'}) {
+ $env{'request.lti.target'} = $params->{'launch_presentation_document_target'};
+ }
+ foreach my $key (keys(%{$params})) {
delete($env{'form.'.$key});
}
my $redirecturl = '/adm/switchserver';
@@ -553,25 +972,41 @@ sub handler {
$r->internal_redirect($redirecturl);
$r->set_handlers('PerlHandler'=> undef);
} else {
- # need to login them in, so generate the need data that
- # migrate expects to do login
- foreach my $key (%{$params}) {
+ # need to login them in, so generate the data migrate expects to do login
+ foreach my $key (keys(%{$params})) {
delete($env{'form.'.$key});
}
+ if (($ltihash->{'callback'}) && ($params->{$ltihash->{'callback'}})) {
+ &LONCAPA::ltiutils::setup_logout_callback($uname,$udom,$lonhost,
+ $ltihash->{'key'},
+ $ltihash->{'secret'},
+ $params->{$ltihash->{'callback'}},
+ $r->dir_config('ltiIDsDir'),
+ $protocol,$r->hostname);
+ }
my $ip = $r->get_remote_host();
my %info=('ip' => $ip,
'domain' => $udom,
'username' => $uname,
'server' => $lonhost,
- 'lti.login' => 1,
+ 'lti.login' => $itemid,
+ 'lti.uri' => $tail,
);
if ($role) {
$info{'role'} = $role;
}
if ($symb) {
- $info{'symb'} = $symb;
+ $info{'symb'} = $symb;
+ }
+ if (($lcroles->[0] eq 'cc') && ($reqcrs)) {
+ $info{'lti.reqcrs'} = 1;
+ $info{'lti.reqrole'} = 'cc';
+ $info{'lti.sourcecrs'} = $sourcecrs;
}
- if ($lti{$itemid}{'passback'}) {
+ if ($selfenrollrole) {
+ $info{'lti.selfenrollrole'} = $selfenrollrole;
+ }
+ if ($ltihash->{'passback'}) {
if ($params->{'lis_result_sourcedid'}) {
$info{'lti.passbackid'} = $params->{'lis_result_sourcedid'}
}
@@ -579,7 +1014,7 @@ sub handler {
$info{'lti.passbackurl'} = $params->{'lis_outcome_service_url'}
}
}
- if (($lti{$itemid}{'roster'}) && (grep(/^Instructor$/,@ltiroles))) {
+ if (($ltihash->{'roster'}) && (grep(/^Instructor$/,@{$ltiroles}))) {
if ($params->{'ext_ims_lis_memberships_id'}) {
$info{'lti.rosterid'} = $params->{'ext_ims_lis_memberships_id'};
}
@@ -587,15 +1022,20 @@ sub handler {
$info{'lti.rosterurl'} = $params->{'ext_ims_lis_memberships_url'};
}
}
+ if ($params->{'launch_presentation_document_target'}) {
+ $info{'lti.target'} = $params->{'launch_presentation_document_target'};
+ }
+
unless ($info{'symb'}) {
if ($mapurl) {
$info{'origurl'} = $mapurl;
- if ($mapurl =~ m{/default_\d+\.sequence$}) {
- $info{'origurl'} .= (($mapurl =~/\?/)?'&':'?').'navmap=1';
- }
+ } elsif ($tail =~ m{^\Q/tiny/$cdom/\E\w+$}) {
+ $info{'origurl'} = $tail;
} else {
unless ($tail eq '/adm/roles') {
- $info{'origurl'} = '/adm/navmaps';
+ if ($cnum) {
+ $info{'origurl'} = '/adm/navmaps';
+ }
}
}
}
@@ -607,11 +1047,74 @@ sub handler {
$r->internal_redirect('/adm/migrateuser');
$r->set_handlers('PerlHandler'=> undef);
}
- return OK;
+ return;
+}
+
+sub linkprot_session {
+ my ($r,$uname,$cnum,$cdom,$uhome,$itemid,$ltitype,$dest,$lonhost) = @_;
+ $r->user($uname);
+ if ($ltitype eq 'c') {
+ &Apache::lonnet::logthis("Course Link Protector ($itemid) authorized student: $uname:$cdom, course: $cdom\_$cnum");
+ } elsif ($ltitype eq 'd') {
+ &Apache::lonnet::logthis("Domain LTI for link protection ($itemid) authorized student: $uname:$cdom, course: $cdom\_$cnum");
+ }
+ my ($is_balancer,$otherserver,$hosthere) = &check_balancer($r,$uname,$cdom);
+ if (($is_balancer) && (!$hosthere)) {
+ # login but immediately go to switch server
+ $env{'form.origurl'} = $dest;
+ $env{'request.linkprot'} = $itemid.$ltitype.':'.$dest;
+ $env{'request.deeplink.login'} = $dest;
+ my $redirecturl = '/adm/switchserver';
+ if ($otherserver ne '') {
+ $redirecturl .= '?otherserver='.$otherserver;
+ }
+ $r->internal_redirect($redirecturl);
+ $r->set_handlers('PerlHandler'=> undef);
+ } else {
+ # need to login them in, so generate the data migrate expects to do login
+ my $ip = $r->get_remote_host();
+ my %info=('ip' => $ip,
+ 'domain' => $cdom,
+ 'username' => $uname,
+ 'server' => $lonhost,
+ 'linkprot' => $itemid.$ltitype.':'.$dest,
+ 'home' => $uhome,
+ 'origurl' => $dest,
+ 'deeplink.login' => $dest,
+ );
+ my $token = &Apache::lonnet::tmpput(\%info,$lonhost);
+ $env{'form.token'} = $token;
+ $r->internal_redirect('/adm/migrateuser');
+ $r->set_handlers('PerlHandler'=> undef);
+ }
+ return;
+}
+
+sub check_balancer {
+ my ($r,$uname,$udom) = @_;
+ my ($is_balancer,$otherserver,$hosthere);
+ ($is_balancer,$otherserver) =
+ &Apache::lonnet::check_loadbalancing($uname,$udom,'login');
+ if ($is_balancer) {
+ if ($otherserver eq '') {
+ my $lowest_load;
+ ($otherserver,undef,undef,undef,$lowest_load) = &Apache::lonnet::choose_server($udom);
+ if ($lowest_load > 100) {
+ $otherserver = &Apache::lonnet::spareserver($r,$lowest_load,$lowest_load,1,$udom);
+ }
+ }
+ if ($otherserver ne '') {
+ my @hosts = &Apache::lonnet::current_machine_ids();
+ if (grep(/^\Q$otherserver\E$/,@hosts)) {
+ $hosthere = $otherserver;
+ }
+ }
+ }
+ return ($is_balancer,$otherserver,$hosthere);
}
sub invalid_request {
- my ($r,$num) = @_;
+ my ($r,$msg) = @_;
&Apache::loncommon::content_type($r,'text/html');
$r->send_http_header;
if ($r->header_only) {
@@ -619,10 +1122,39 @@ sub invalid_request {
}
&Apache::lonlocal::get_language_handle($r);
$r->print(
- &Apache::loncommon::start_page('Invalid LTI call').
- &mt('Invalid LTI call [_1]',$num).
+ &Apache::loncommon::start_page('Invalid LTI call','',{ 'only_body' => 1,}).
+ ''.&mt('Invalid LTI launch request').'
'.
+ ''.
+ &mt('Launch of LON-CAPA is unavailable from the "external tool" link you had followed in another web application.').
+ &mt('Launch failed for the following reason:').
+ '
'.
+ ''.$msga'.
'.
&Apache::loncommon::end_page());
return;
}
+sub course_from_tinyurl {
+ my ($tail) = @_;
+ my ($urlcdom,$urlcnum);
+ if ($tail =~ m{^/tiny/($match_domain)/(\w+)$}) {
+ ($urlcdom,my $key) = ($1,$2);
+ my $tinyurl;
+ my ($result,$cached)=&Apache::lonnet::is_cached_new('tiny',$urlcdom."\0".$key);
+ if (defined($cached)) {
+ $tinyurl = $result;
+ } else {
+ my $configuname = &Apache::lonnet::get_domainconfiguser($urlcdom);
+ my %currtiny = &Apache::lonnet::get('tiny',[$key],$urlcdom,$configuname);
+ if ($currtiny{$key} ne '') {
+ $tinyurl = $currtiny{$key};
+ &Apache::lonnet::do_cache_new('tiny',$urlcdom."\0".$key,$currtiny{$key},600);
+ }
+ }
+ if ($tinyurl ne '') {
+ $urlcnum = (split(/\&/,$tinyurl))[0];
+ }
+ }
+ return ($urlcdom,$urlcnum);
+}
+
1;