--- loncom/lti/ltiauth.pm 2018/01/12 20:42:38 1.5 +++ loncom/lti/ltiauth.pm 2018/03/23 01:01:47 1.6 @@ -1,7 +1,7 @@ # The LearningOnline Network # Basic LTI Authentication Module # -# $Id: ltiauth.pm,v 1.5 2018/01/12 20:42:38 raeburn Exp $ +# $Id: ltiauth.pm,v 1.6 2018/03/23 01:01:47 raeburn Exp $ # # Copyright Michigan State University Board of Trustees # @@ -36,6 +36,7 @@ use Apache::lonlocal; use Apache::lonnet; use Apache::loncommon; use Apache::lonacc; +use Apache::lonrequestcourse; use LONCAPA::ltiutils; sub handler { @@ -181,7 +182,6 @@ sub handler { $symb = $tail; $symb =~ s{^/+}{}; } -#FIXME Need to handle encrypted URLs } elsif ($tail =~ m{^/($match_domain)/($match_courseid)$}) { ($urlcdom,$urlcnum) = ($1,$2); if (($cdom ne '') && ($cdom ne $urlcdom)) { @@ -262,7 +262,7 @@ sub handler { $protocol = 'https'; } - my ($itemid,$consumer_key,$secret,@ltiroles); + my ($itemid,$consumer_key,$secret); $consumer_key = $params->{'oauth_consumer_key'}; if (ref($lti_by_key{$consumer_key}) eq 'ARRAY') { foreach my $id (@{$lti_by_key{$consumer_key}}) { @@ -301,7 +301,7 @@ sub handler { } # -# Determinine if source of username matches requirement from the +# Determine if source of username matches requirement from the # domain configuration for the specific LTI Consumer. # @@ -387,39 +387,40 @@ sub handler { } # -# Get LON-CAPA role to use from role-mapping of Consumer roles +# Get LON-CAPA role(s) to use from role-mapping of Consumer roles # defined in domain configuration for the appropriate LTI # Consumer. # -# If multiple LON-CAPA roles are indicated, choose based -# on the order: cc, in, ta, ep, st +# If multiple LON-CAPA roles are indicated for the current user, +# ordering (from first to last) is: cc/co, in, ta, ep, st. # - my $reqrole; + my (@ltiroles,@lcroles); - my @roleorder = ('cc','in','ta','ep','st'); + my @lcroleorder = ('cc','in','ta','ep','st'); + my @ltiroleorder = ('Instructor','TeachingAssistant','Mentor','Learner'); if ($params->{'roles'} =~ /,/) { - @ltiroles = split(/\s*,\s*/,$params->{'role'}); + my @possltiroles = split(/\s*,\s*/,$params->{'role'}); + foreach my $ltirole (@ltiroleorder) { + if (grep(/^\Q$ltirole\E$/,@possltiroles)) { + push(@ltiroles,$ltirole); + } + } } else { my $singlerole = $params->{'roles'}; $singlerole =~ s/^\s|\s+$//g; - @ltiroles = ($singlerole); + if (grep(/^\Q$singlerole\E$/,@ltiroleorder)) { + @ltiroles = ($singlerole); + } } if (@ltiroles) { if (ref($lti{$itemid}{maproles}) eq 'HASH') { my %possroles; map { $possroles{$lti{$itemid}{maproles}{$_}} = 1; } @ltiroles; - my @possibles = keys(%possroles); - if (@possibles == 1) { - if (grep(/^\Q$possibles[0]\E$/,@roleorder)) { - $reqrole = $possibles[0]; - - } - } elsif (@possibles > 1) { - foreach my $item (@roleorder) { + if (keys(%possroles) > 0) { + foreach my $item (@lcroleorder) { if ($possroles{$item}) { - $reqrole = $item; - last; + push(@lcroles,$item); } } } @@ -440,38 +441,148 @@ sub handler { foreach my $ltirole (@ltiroles) { if (grep(/^\Q$ltirole\E$/,@{$lti{$itemid}{'makeuser'}})) { $selfcreate = 1; + last; } } } } if ($selfcreate) { -#FIXME Do user creation here. - return OK + my (%rulematch,%inst_results,%curr_rules,%got_rules,%alerts,%info); + my $checkhash = { "$uname:$udom" => { 'newuser' => 1, }, }; + my $checks = { 'username' => 1, }; + &Apache::loncommon::user_rule_check($checkhash,$checks,\%alerts,\%rulematch, + \%inst_results,\%curr_rules,\%got_rules); + my ($userchkmsg,$lcauth,$lcauthparm); + my $allowed = 1; + if (ref($alerts{'username'}) eq 'HASH') { + if (ref($alerts{'username'}{$udom}) eq 'HASH') { + my $domdesc = + &Apache::lonnet::domain($udom,'description'); + if ($alerts{'username'}{$udom}{$uname}) { + if (ref($curr_rules{$udom}) eq 'HASH') { + $userchkmsg = + &Apache::loncommon::instrule_disallow_msg('username',$domdesc,1). + &Apache::loncommon::user_rule_formats($udom,$domdesc, + $curr_rules{$udom}{'username'}, + 'username'); + } + $allowed = 0; + } + } + } + if ($allowed) { + if (ref($rulematch{$uname.':'.$udom}) eq 'HASH') { + my $matchedrule = $rulematch{$uname.':'.$udom}{'username'}; + my ($rules,$ruleorder) = + &Apache::lonnet::inst_userrules($udom,'username'); + if (ref($rules) eq 'HASH') { + if (ref($rules->{$matchedrule}) eq 'HASH') { + $lcauth = $rules->{$matchedrule}{'authtype'}; + $lcauthparm = $rules->{$matchedrule}{'authparm'}; + } + } + } + if ($lcauth eq '') { + $lcauth = $lti{$itemid}{'lcauth'}; + $lcauthparm = $lti{$itemid}{'lcauthparm'}; + } + } else { + &invalid_request($r,12); + } + my @userinfo = ('firstname','middlename','lastname','generation', + 'permanentemail','id'); + my %useinstdata; + if (ref($lti{$itemid}{'instdata'}) eq 'ARRAY') { + map { $useinstdata{$_} = 1; } @{$lti{$itemid}{'instdata'}}; + } + foreach my $item (@userinfo) { + if (($useinstdata{$item}) && (ref($inst_results{$uname.':'.$udom}) eq 'HASH') && + ($inst_results{$uname.':'.$udom}{$item} ne '')) { + $info{$item} = $inst_results{$uname.':'.$udom}{$item}; + } else { + if ($item eq 'permanentemail') { + if ($env{'form.lis_person_contact_email_primary'} =~/^[^\@]+\@[^@]+$/) { + $info{$item} = $env{'form.lis_person_contact_email_primary'}; + } + } elsif ($item eq 'firstname') { + $info{$item} = $env{'form.lis_person_name_given'}; + } elsif ($item eq 'lastname') { + $info{$item} = $env{'form.lis_person_name_family'}; + } + } + } + if (($info{'middlename'} eq '') && ($env{'form.lis_person_name_full'} ne '')) { + unless ($useinstdata{'middlename'}) { + my $fullname = $env{'form.lis_person_name_full'}; + if ($info{'firstname'}) { + $fullname =~ s/^\s*\Q$info{'firstname'}\E\s*//i; + } + if ($info{'lastname'}) { + $fullname =~ s/\s*\Q$info{'lastname'}\E\s*$//i; + } + if ($fullname ne '') { + $fullname =~ s/^\s+|\s+$//g; + if ($fullname ne '') { + $info{'middlename'} = $fullname; + } + } + } + } + if (ref($inst_results{$uname.':'.$udom}{'inststatus'}) eq 'ARRAY') { + my @inststatuses = @{$inst_results{$uname.':'.$udom}{'inststatus'}}; + $info{'inststatus'} = join(':',map { &escape($_); } @inststatuses); + } + my $result = + &Apache::lonnet::modifyuser($udom,$uname,$info{'id'}, + $lcauth,$lcauthparm,$info{'firstname'}, + $info{'middlename'},$info{'lastname'}, + $info{'generation'},undef,undef, + $info{'permanentemail'},$info{'inststatus'}); + if ($result eq 'ok') { + if (($ltiroles[0] eq 'Instructor') && ($lcroles[0] eq 'cc') && ($lti{$itemid}{'mapcrs'}) && + ($lti{$itemid}{'makecrs'})) { + unless (&Apache::lonnet::usertools_access($uname,$udom,'lti','reload','requestcourses')) { + &Apache::lonnet::put('environment',{ 'requestcourses.lti' => 1, },$udom,$uname); + } + } + } else { + &invalid_request($r,13); + return OK; + } } else { - &invalid_request($r,12); + &invalid_request($r,14); return OK; - } - } + } + } } else { - &invalid_request($r,13); + &invalid_request($r,15); return OK; } # # If no LON-CAPA course available, check if domain's configuration # for the specific LTI Consumer allows a new course to be created -# (requires role in Consumer to be: Instructor). +# (requires role in Consumer to be: Instructor and Instructor to map to CC) # + my $reqcrs; if ($cnum eq '') { - if ((@ltiroles) && (grep(/^Instructor$/,@ltiroles)) && - ($lti{$itemid}{'mapcrs'})) { -#FIXME Create a new LON-CAPA course here. - return OK; + if ((@ltiroles) && ($lti{$itemid}{'mapcrs'}) && + ($ltiroles[0] eq 'Instructor') && ($lcroles[0] eq 'cc') && ($lti{$itemid}{'makecrs'})) { + my (%can_request,%request_domains); + &Apache::lonnet::check_can_request($cdom,\%can_request,\%request_domains,$uname,$udom); + if ($can_request{'lti'}) { + $reqcrs = 1; + <i_session($r,$itemid,$uname,$udom,$uhome,$lonhost,undef,$mapurl,$tail, + $symb,$cdom,$cnum,$params,\@ltiroles,$lti{$itemid},\@lcroles, + $reqcrs,$sourcecrs); + } else { + &invalid_request($r,16); + } } else { - &invalid_request($r,14); - return OK; + &invalid_request($r,17); } + return OK; } # @@ -479,48 +590,204 @@ sub handler { # indicated is cc, change role indicated to co. # - if ($reqrole eq 'cc') { + my %crsenv; + if ($lcroles[0] eq 'cc') { if (($cdom ne '') && ($cnum ne '')) { - my %crsenv = &Apache::lonnet::coursedescription($cnum.'_'.$cdom,{ 'one_time' => 1,}); + %crsenv = &Apache::lonnet::coursedescription($cdom.'_'.$cnum,{ 'one_time' => 1,}); if ($crsenv{'type'} eq 'Community') { - $reqrole = 'co'; + $lcroles[0] = 'co'; } } } # -# Determine if user has required LON-CAPA role -# in the mapped LON-CAPA course. +# Determine if user has a LON-CAPA role in the mapped LON-CAPA course. +# If multiple LON-CAPA roles are available for the user's assigned LTI roles, +# choose the first available LON-CAPA role in the order: cc/co, in, ta, ep, st # - my $role; - my %crsroles = &Apache::lonnet::get_my_roles($uname,$udom,'userroles',undef,[$reqrole],[$cdom]); - if (exists($crsroles{$cnum.':'.$cdom.':'.$reqrole})) { - $role = $reqrole.'./'.$cdom.'/'.$cnum; -#FIXME Need to accommodate sections - } elsif (ref($lti{$itemid}{'selfenroll'}) eq 'ARRAY') { - if (grep(/^\Q$reqrole\E$/,@{$lti{$itemid}{'selfenroll'}})) { -#FIXME Do self-enrollment here + my ($role,$usec,$withsec); + unless ((($lcroles[0] eq 'cc') || ($lcroles[0] eq 'co')) && (@lcroles == 1)) { + if ($lti{$itemid}{'section'} ne '') { + if ($lti{$itemid}{'section'} eq 'course_section_sourcedid') { + if ($env{'form.course_section_sourcedid'} !~ /\W/) { + $usec = $env{'form.course_section_sourcedid'}; + } + } elsif ($env{'form.'.$lti{$itemid}{'section'}} !~ /\W/) { + $usec = $env{'form.'.$lti{$itemid}{'section'}}; + } + } + if ($usec ne '') { + $withsec = 1; + } + } + + if (@lcroles) { + my %crsroles = &Apache::lonnet::get_my_roles($uname,$udom,'userroles',undef,\@lcroles, + [$cdom],$withsec); + foreach my $reqrole (@lcroles) { + if ($withsec) { + my $incsec; + if (($reqrole eq 'cc') || ($reqrole eq 'co')) { + $incsec = ''; + } else { + $incsec = $usec; + } + if (exists($crsroles{$cnum.':'.$cdom.':'.$reqrole.':'.$incsec})) { + $role = $reqrole.'./'.$cdom.'/'.$cnum; + if ($incsec ne '') { + $role .= '/'.$usec; + } + last; + } + } else { + if (exists($crsroles{$cnum.':'.$cdom.':'.$reqrole})) { + $role = $reqrole.'./'.$cdom.'/'.$cnum; + last; + } + } + } + } + +# +# Determine if user can selfenroll +# + + my ($reqrole,$selfenrollrole); + if ($role eq '') { + if ((@ltiroles) && (ref($lti{$itemid}{'selfenroll'}) eq 'ARRAY')) { + foreach my $ltirole (@ltiroles) { + if (grep(/^\Q$ltirole\E$/,@{$lti{$itemid}{'selfenroll'}})) { + if (ref($lti{$itemid}{maproles}) eq 'HASH') { + $reqrole = $lti{$itemid}{maproles}{$ltirole}; + last; + } + } + } + } + if ($reqrole eq '') { + &invalid_request($r,18); return OK; } else { - &invalid_request($r,15); - return OK; + unless (%crsenv) { + %crsenv = &Apache::lonnet::coursedescription($cdom.'_'.$cnum); + } + my $default_enrollment_start_date = $crsenv{'default_enrollment_start_date'}; + my $default_enrollment_end_date = $crsenv{'default_enrollment_end_date'}; + my $now = time; + if ($default_enrollment_end_date && $default_enrollment_end_date <= $now) { + &invalid_request($r,19); + return OK; + } elsif ($default_enrollment_start_date && $default_enrollment_start_date >$now) { + &invalid_request($r,20); + return OK; + } else { + $selfenrollrole = $reqrole.'./'.$cdom.'/'.$cnum; + if (($withsec) && ($reqrole ne 'cc') && ($reqrole ne 'co')) { + if ($usec ne '') { + $selfenrollrole .= '/'.$usec; + } + } + } } } # # Store consumer-to-LON-CAPA course mapping # + if (($sourcecrs ne '') && ($consumers{$sourcecrs} eq '') && ($cnum ne '')) { &Apache::lonnet::put_dom('lticonsumers',{ $sourcecrs => $cnum },$cdom); } # -# Check if user should be hosted here or switched to another server. +# Start user session # - &Apache::lonnet::logthis(" LTI authorized user: $uname:$udom role: $role course: $cdom\_$cnum"); + <i_session($r,$itemid,$uname,$udom,$uhome,$lonhost,$role,$mapurl,$tail,$symb, + $cdom,$cnum,$params,\@ltiroles,$lti{$itemid},\@lcroles,undef,$sourcecrs, + $selfenrollrole); + return OK; +} + +sub lti_enroll { + my ($uname,$udom,$selfenrollrole) = @_; + my $enrollresult; + my ($role,$cdom,$cnum,$sec) = + ($selfenrollrole =~ m{^(\w+)\./($match_domain)/($match_courseid)(?:|/(\w*))$}); + if (($cnum ne '') && ($cdom ne '')) { + my $chome = &Apache::lonnet::homeserver($cnum,$cdom); + if ($chome ne 'no_host') { + my %coursehash = &Apache::lonnet::coursedescription($cdom.'_'.$cnum); + my $start = $coursehash{'default_enrollment_start_date'}; + my $end = $coursehash{'default_enrollment_end_date'}; + my $area = "/$cdom/$cnum"; + if (($role ne 'cc') && ($role ne 'co') && ($sec ne '')) { + $area .= '/'.$sec; + } + my $spec = $role.'.'.$area; + my $instcid; + if ($role eq 'st') { + $enrollresult = + &Apache::lonnet::modify_student_enrollment($udom,$uname,undef,undef,undef, + undef,undef,$sec,$end,$start, + 'ltienroll',undef,$cdom.'_'.$cnum,1, + 'ltienroll','',$instcid); + } elsif ($role =~ /^(cc|in|ta|ep)$/) { + $enrollresult = + &Apache::lonnet::assignrole($udom,$uname,$area,$role,$end,$start, + undef,1,'ltienroll'); + } + if ($enrollresult eq 'ok') { + my (%userroles,%newrole,%newgroups); + &Apache::lonnet::standard_roleprivs(\%newrole,$role,$cdom,$spec,$cnum, + $area); + &Apache::lonnet::set_userprivs(\%userroles,\%newrole,\%newgroups); + $userroles{'user.role.'.$spec} = $start.'.'.$end; + &Apache::lonnet::appenv(\%userroles,[$role,'cm']); + } + } + } + return $enrollresult; +} + +sub lti_reqcrs { + my ($r,$cdom,$form,$uname,$udom) = @_; + my (%can_request,%request_domains); + &Apache::lonnet::check_can_request($cdom,\%can_request,\%request_domains,$uname,$udom); + if ($can_request{'lti'}) { + my %domconfig = &Apache::lonnet::get_dom('configuration',['requestcourses'],$cdom); + my %domdefs = &Apache::lonnet::get_domain_defaults($cdom); + &Apache::lonrequestcourse::print_textbook_form($r,$cdom,[$cdom],\%domdefs, + $domconfig{'requestcourses'}, + \%can_request,'lti',$form); + } else { + $r->print( + &Apache::loncommon::start_page('Invalid LTI call',undef,{'only_body' => 1}). + &mt('Invalid LTI call'). + &Apache::loncommon::end_page() + ); + } +} + +sub lti_session { + my ($r,$itemid,$uname,$udom,$uhome,$lonhost,$role,$mapurl,$tail,$symb,$cdom,$cnum, + $params,$ltiroles,$ltihash,$lcroles,$reqcrs,$sourcecrs,$selfenrollrole) = @_; + return unless ((ref($params) eq 'HASH') && (ref($ltiroles) eq 'ARRAY') && + (ref($ltihash) eq 'HASH') && (ref($lcroles) eq 'ARRAY')); +# +# Check if user should be hosted here or switched to another server. +# $r->user($uname); + if ($cnum) { + if ($role) { + &Apache::lonnet::logthis(" LTI authorized user ($itemid): $uname:$udom, role: $role, course: $cdom\_$cnum"); + } elsif ($selfenrollrole =~ m{^(\w+)\./$cdom/$cnum}) { + &Apache::lonnet::logthis(" LTI authorized user ($itemid): $uname:$udom, desired role: $1 course: $cdom\_$cnum"); + } + } else { + &Apache::lonnet::logthis(" LTI authorized user ($itemid): $uname:$udom, course dom: $cdom"); + } my ($is_balancer,$otherserver,$hosthere); ($is_balancer,$otherserver) = &Apache::lonnet::check_loadbalancing($uname,$udom,'login'); @@ -544,11 +811,30 @@ sub handler { &Apache::lonauth::success($r,$uname,$udom,$uhome,'noredirect'); if ($symb) { $env{'form.symb'} = $symb; + } else { + if ($mapurl) { + $env{'form.origurl'} = $mapurl; + } elsif ($tail =~ m{^\Q/tiny/$cdom/\E\w+$}) { + $env{'form.origurl'} = $tail; + } else { + unless ($tail eq '/adm/roles') { + $env{'form.origurl'} = '/adm/navmaps'; + } + } } if ($role) { $env{'form.role'} = $role; } - if ($lti{$itemid}{'passback'}) { + if (($lcroles->[0] eq 'cc') && ($reqcrs)) { + $env{'request.lti.reqcrs'} = 1; + $env{'request.lti.reqrole'} = 'cc'; + $env{'request.lti.sourcecrs'} = $sourcecrs; + } + if ($selfenrollrole) { + $env{'request.lti.selfenroll'} = $selfenrollrole; + $env{'request.lti.sourcecrs'} = $sourcecrs; + } + if ($ltihash->{'passback'}) { if ($params->{'lis_result_sourcedid'}) { $env{'request.lti.passbackid'} = $params->{'lis_result_sourcedid'}; } @@ -556,9 +842,9 @@ sub handler { $env{'request.lti.passbackurl'} = $params->{'lis_outcome_service_url'}; } } - if (($lti{$itemid}{'roster'}) && (grep(/^Instructor$/,@ltiroles))) { + if (($ltihash->{'roster'}) && (grep(/^Instructor$/,@{$ltiroles}))) { if ($params->{'ext_ims_lis_memberships_id'}) { - $env{'request.lti.rosterid'} = $params->{'ext_ims_lis_memberships_id'}; + $env{'request.lti.rosterid'} = $params->{'ext_ims_lis_memberships_id'}; } if ($params->{'ext_ims_lis_memberships_url'}) { $env{'request.lti.rosterurl'} = $params->{'ext_ims_lis_memberships_url'}; @@ -591,9 +877,17 @@ sub handler { $info{'role'} = $role; } if ($symb) { - $info{'symb'} = $symb; + $info{'symb'} = $symb; + } + if (($lcroles->[0] eq 'cc') && ($reqcrs)) { + $info{'lti.reqcrs'} = 1; + $info{'lti.reqrole'} = 'cc'; + $info{'lti.sourcecrs'} = $sourcecrs; } - if ($lti{$itemid}{'passback'}) { + if ($selfenrollrole) { + $info{'lti.selfenrollrole'} = $selfenrollrole; + } + if ($ltihash->{'passback'}) { if ($params->{'lis_result_sourcedid'}) { $info{'lti.passbackid'} = $params->{'lis_result_sourcedid'} } @@ -601,7 +895,7 @@ sub handler { $info{'lti.passbackurl'} = $params->{'lis_outcome_service_url'} } } - if (($lti{$itemid}{'roster'}) && (grep(/^Instructor$/,@ltiroles))) { + if (($ltihash->{'roster'}) && (grep(/^Instructor$/,@{$ltiroles}))) { if ($params->{'ext_ims_lis_memberships_id'}) { $info{'lti.rosterid'} = $params->{'ext_ims_lis_memberships_id'}; } @@ -612,9 +906,8 @@ sub handler { unless ($info{'symb'}) { if ($mapurl) { $info{'origurl'} = $mapurl; - if ($mapurl =~ m{/default_\d+\.sequence$}) { - $info{'origurl'} .= (($mapurl =~/\?/)?'&':'?').'navmap=1'; - } + } elsif ($tail =~ m{^\Q/tiny/$cdom/\E\w+$}) { + $info{'origurl'} = $tail; } else { unless ($tail eq '/adm/roles') { $info{'origurl'} = '/adm/navmaps'; @@ -629,7 +922,7 @@ sub handler { $r->internal_redirect('/adm/migrateuser'); $r->set_handlers('PerlHandler'=> undef); } - return OK; + return; } sub invalid_request {