File:  [LON-CAPA] / loncom / lti / ltiauth.pm
Revision 1.27: download - view: text, annotated - select for diffs
Wed Nov 24 04:25:03 2021 UTC (2 years, 4 months ago) by raeburn
Branches: MAIN
CVS tags: HEAD
- Bug 6754
  - Storing mapping of Consumer course identifier to LON-CAPA courseID
    honors rules for allowable course types, and also general Y/N option for
    any type.
  - When a course is created due to launch from LTI Consumer, course's
    environment.db contains internal.lti set to 1, and extended course type
    is identified as "lti".

# The LearningOnline Network
# Basic LTI Authentication Module
#
# $Id: ltiauth.pm,v 1.27 2021/11/24 04:25:03 raeburn Exp $
#
# Copyright Michigan State University Board of Trustees
#
# This file is part of the LearningOnline Network with CAPA (LON-CAPA).
#
# LON-CAPA is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# LON-CAPA is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with LON-CAPA; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
#
# /home/httpd/html/adm/gpl.txt
#
# http://www.lon-capa.org/
#

package Apache::ltiauth;

use strict;
use LONCAPA qw(:DEFAULT :match);
use Apache::Constants qw(:common :http);
use Net::OAuth;
use Apache::lonlocal;
use Apache::lonnet;
use Apache::loncommon;
use Apache::lonacc;
use Apache::lonrequestcourse;
use LONCAPA::ltiutils;

sub handler {
    my $r = shift;
    my $requri = $r->uri;
    my $hostname = $r->hostname;
#
# Check for existing session, and temporarily delete any form items
# in %env, if session exists
#
    my %savedform;
    my $handle = &Apache::lonnet::check_for_valid_session($r);
    if ($handle ne '') {
        foreach my $key (sort(keys(%env))) {
            if ($key =~ /^form\.(.+)$/) {
                $savedform{$1} = $env{$key};
                delete($env{$key});
            }
        }
    }
#
# Retrieve data POSTed by LTI launch
#
    &Apache::lonacc::get_posted_cgi($r);
    my $params = {};
    foreach my $key (sort(keys(%env))) {
        if ($key =~ /^form\.(.+)$/) {
            $params->{$1} = $env{$key};
        }
    }
#
# Check for existing session, and restore temporarily
# deleted form items to %env, if session exists.
#
    if ($handle ne '') {
        if (keys(%savedform)) {
            foreach my $key (sort(keys(%savedform))) {
                $env{'form.'.$key} = $savedform{$key};
            }
        }
    }

    unless (keys(%{$params})) {
        &invalid_request($r,1);
        return OK;
    }

    unless ($params->{'oauth_consumer_key'} &&
            $params->{'oauth_nonce'} &&
            $params->{'oauth_timestamp'} &&
            $params->{'oauth_version'} &&
            $params->{'oauth_signature'} &&
            $params->{'oauth_signature_method'}) {
        &invalid_request($r,2);
        return OK;
    }

#
# Retrieve "internet domains" for all this institution's LON-CAPA
# nodes.
#
    my @intdoms;
    my $lonhost = $r->dir_config('lonHostID');
    my $internet_names = &Apache::lonnet::get_internet_names($lonhost);
    if (ref($internet_names) eq 'ARRAY') {
        @intdoms = @{$internet_names};
    }
#
# Determine course's domain in LON-CAPA
# for basic launch using key and secret managed
# in LON-CAPA course (i.e., uri begins /adm/launch)
#

   my ($cdom,$cnum);

# Note: "internet domain" for course's domain must be one of the
# internet domains for the institution's LON-CAPA servers.
#
    if ($requri =~ m{^/adm/launch(|/.*)$}) {
        my $tail = $1;
        if ($tail =~ m{^/tiny/($match_domain)/(\w+)$}) {
            my ($urlcdom,$urlcnum) = &course_from_tinyurl($tail);
            if (($urlcdom ne '') && ($urlcnum ne '')) {
                $cdom = $urlcdom;
                $cnum = $urlcnum;
                my $primary_id = &Apache::lonnet::domain($cdom,'primary');
                if ($primary_id ne '') {
                    my $intdom = &Apache::lonnet::internet_dom($primary_id);
                    if (($intdom ne '') && (grep(/^\Q$intdom\E$/,@intdoms))) {
#
# Retrieve information for LTI link protectors in course
# where url was /adm/launch/tiny/$cdom/$uniqueid
#
                        my (%crslti,%crslti_by_key,$itemid,$ltitype);
                        %crslti = &Apache::lonnet::get_course_lti($cnum,$cdom,'provider');
                        if (keys(%crslti)) {
                            foreach my $id (keys(%crslti)) {
                                if (ref($crslti{$id}) eq 'HASH') {
                                    my $key = $crslti{$id}{'key'};
                                    push(@{$crslti_by_key{$key}},$id);
                                }
                            }
                        }
#
# Verify the signed request using the secret for LTI link
# protectors for which the key in the POSTed data matches
# keys in the course configuration.
#
# Request is invalid if the signed request could not be verified
# for the key and secret from LON-CAPA course configuration for
# LTI link protectors or from LON-CAPA configuration for the
# course's domain if there are LTI Providers which may be used.
#
# Determine if nonce in POSTed data has expired.
# If unexpired, confirm it has not already been used.
#
                        if (keys(%crslti)) {
                            $itemid = &get_lti_itemid($requri,$hostname,$params,\%crslti,\%crslti_by_key);
                        }
                        if (($itemid) && (ref($crslti{$itemid}) eq 'HASH')) {
                            $ltitype = 'c';
                            unless (&LONCAPA::ltiutils::check_nonce($params->{'oauth_nonce'},$params->{'oauth_timestamp'},
                                                                    $crslti{$itemid}{'lifetime'},$cdom,$r->dir_config('lonLTIDir'))) {
                                &invalid_request($r,3);
                                return OK;
                            }
                        } else {
                            my %lti = &Apache::lonnet::get_domain_lti($cdom,'provider');
                            unless (keys(%lti) > 0) {
                                &invalid_request($r,4);
                                return OK;
                            }
                            my (%domlti_by_key,%domlti);
                            foreach my $id (keys(%lti)) {
                                if (ref($lti{$id}) eq 'HASH') {
                                    my $key = $lti{$id}{'key'};
                                    if (!$lti{$itemid}{'requser'}) {
                                        push(@{$domlti_by_key{$key}},$id);
                                        $domlti{$id} = $lti{$id};
                                    }
                                }
                            }
                            if (keys(%domlti)) {
                                $itemid = &get_lti_itemid($requri,$hostname,$params,\%domlti,\%domlti_by_key);
                            }
                            if (($itemid) && (ref($domlti{$itemid}) eq 'HASH')) {
                                $ltitype = 'd';
                                unless (&LONCAPA::ltiutils::check_nonce($params->{'oauth_nonce'},$params->{'oauth_timestamp'},
                                                                        $domlti{$itemid}{'lifetime'},$cdom,
                                                                        $r->dir_config('lonLTIDir'))) {
                                    &invalid_request($r,5);
                                    return OK;
                                }
                            }
                        }
                        if ($itemid) {
                            foreach my $key (%{$params}) {
                                delete($env{'form.'.$key});
                            }
                            my $ltoken = &Apache::lonnet::tmpput({'linkprot' => $itemid.$ltitype.':'.$tail},
                                                                 $lonhost,'link');
                            if ($ltoken) {
                                $r->internal_redirect($tail.'?ltoken='.$ltoken);
                                $r->set_handlers('PerlHandler'=> undef);
                            } else {
                                &invalid_request($r,6);
                            }
                        } else {
                            &invalid_request($r,7);
                        }
                    } else {
                        &invalid_request($r,8);
                    }
                } else {
                    &invalid_request($r,9);
                }
            } else {
                &invalid_request($r,10);
            }
        } else {
            &invalid_request($r,11);
        }
        return OK;
    }

    my ($udom,$uname,$uhome,$symb,$mapurl);

#
# For user who launched LTI in Consumer, determine user's domain in 
# LON-CAPA.
#
# Order is:
#
# (a) from custom_userdomain item in POSTed data
# (b) from lis_person_sourcedid in POSTed data
# (c) from default "log-in" domain for node
#     (can support multidomain servers, where specific domain is 
#      first part of hostname).
#
# Note: "internet domain" for user's domain must be one of the
# "internet domain(s)" for the institution's LON-CAPA servers.
#
    if (exists($params->{'custom_userdomain'})) {
        if ($params->{'custom_userdomain'} =~ /^$match_domain$/) {
            my $uprimary_id = &Apache::lonnet::domain($params->{'custom_userdomain'},'primary');
            if ($uprimary_id ne '') {
                my $uintdom = &Apache::lonnet::internet_dom($uprimary_id);
                if (($uintdom ne '') && (grep(/^\Q$uintdom\E$/,@intdoms))) {
                    $udom = $params->{'custom_userdomain'};
                }
            }
        }
    }
    my $defdom = &Apache::lonnet::default_login_domain();
    my ($domain,$possuname,$possudom,$possmapuser);
    if ($env{'form.lis_person_sourcedid'} =~ /^($match_username)\:($match_domain)$/) {
        ($possuname,$possudom) = ($1,$2);
        if ($udom eq '') {
            my $uintdom = &Apache::lonnet::domain($possudom,'primary');
            if (($uintdom ne '') && (grep(/^\Q$uintdom\E$/,@intdoms))) {
                $udom = $possudom;
                $possmapuser = 'lis_person_sourcedid';
            } else {
                $udom = $defdom;
            }
        } elsif ($udom eq $possudom) {
            $possmapuser = 'lis_person_sourcedid';
        }
    }
    unless ($possuname) {
        if ($env{'form.lis_person_sourcedid'} =~ /^$match_username$/) {
            $possuname = $env{'form.lis_person_sourcedid'};
            $possmapuser = 'lis_person_sourcedid';
        } elsif ($env{'form.lis_person_contact_email_primary'} =~ /^$match_username$/) {
            $possuname = $env{'form.lis_person_contact_email_primary'};
            $possmapuser = 'lis_person_contact_email_primary';
        }
        unless ($udom) {
            $udom = $defdom;
        }
    }

#
# Determine course's domain in LON-CAPA
#
# Order is:
#
# (a) from custom_coursedomain item in POSTed data
# (b) from tail of requested URL (after /adm/lti/) if it has format of a symb  
# (c) from tail of requested URL (after /adm/lti) if it has format of a map 
# (d) from tail of requested URL (after /adm/lti) if it has format /domain/courseID
# (e) from tail of requested URL (after /adm/lti) if it has format /tiny/domain/\w+
#     i.e., a shortened URL (see bug #6400).
# (f) same as user's domain 
#
# Request invalid if custom_coursedomain is defined and is inconsistent with
# domain contained in requested URL.
#
# Note: "internet domain" for course's domain must be one of the
# internet domains for the institution's LON-CAPA servers.
#

    if (exists($params->{'custom_coursedomain'})) {
        if ($params->{'custom_coursedomain'} =~ /^$match_domain$/) {
            my $cprimary_id = &Apache::lonnet::domain($params->{'custom_coursedomain'},'primary');
            if ($cprimary_id ne '') {
                my $cintdom = &Apache::lonnet::internet_dom($cprimary_id);
                if (($cintdom ne '') && (grep(/^\Q$cintdom\E$/,@intdoms))) {
                    $cdom = $params->{'custom_coursedomain'};
                }
            }
        }
    }

    my ($tail) = ($requri =~ m{^/adm/lti(|/.*)$});
    my $urlcnum;
    if ($tail ne '') {
        my $urlcdom;
        if ($tail =~ m{^/uploaded/($match_domain)/($match_courseid)/(?:default|supplemental)(?:|_\d+)\.(?:sequence|page)(|___\d+___.+)$}) {
            ($urlcdom,$urlcnum,my $rest) = ($1,$2,$3);
            if (($cdom ne '') && ($cdom ne $urlcdom)) {
                &invalid_request($r,12);
                return OK;
            }
            if ($rest eq '') {
                $mapurl = $tail;
            } else {
                $symb = $tail;
                $symb =~ s{^/}{};
            }
        } elsif ($tail =~ m{^/res/(?:$match_domain)/(?:$match_username)/.+\.(?:sequence|page)(|___\d+___.+)$}) {
            if ($1 eq '') {
                $mapurl = $tail;
            } else {
                $symb = $tail;
                $symb =~ s{^/res/}{};
            }
        } elsif ($tail =~ m{^/($match_domain)/($match_courseid)$}) {
            ($urlcdom,$urlcnum) = ($1,$2);
            if (($cdom ne '') && ($cdom ne $urlcdom)) {
                &invalid_request($r,13);
                return OK;
            }
        } elsif ($tail =~ m{^/tiny/($match_domain)/(\w+)$}) {
            ($urlcdom,$urlcnum) = &course_from_tinyurl($tail);
            if (($urlcdom eq '') || ($urlcnum eq '')) {
                &invalid_request($r,14);
                return OK;
            }
        }
        if (($cdom eq '') && ($urlcdom ne '')) { 
            my $cprimary_id = &Apache::lonnet::domain($urlcdom,'primary');
            if ($cprimary_id ne '') {
                my $cintdom = &Apache::lonnet::internet_dom($cprimary_id);
                if (($cintdom ne '') && (grep(/^\Q$cintdom\E$/,@intdoms))) {
                    $cdom = $urlcdom;
                }
            } else {
                $urlcnum = '';
            }
        }
    }
    if ($cdom eq '') {
        if ($udom ne '') {
            $cdom = $udom;
        } else {
            $cdom = $defdom;
        }
    }

#
# Retrieve information for LTI Consumers in course's domain
# and populate hash --  %lti_by_key -- for which keys
# are those defined in domain configuration for LTI.
#
 
    my %lti = &Apache::lonnet::get_domain_lti($cdom,'provider');
    unless (keys(%lti) > 0) {
        &invalid_request($r,15);
        return OK;
    }
    my %lti_by_key;
    if (keys(%lti)) {
        foreach my $id (keys(%lti)) {
            if (ref($lti{$id}) eq 'HASH') {
                my $key = $lti{$id}{'key'};
                push(@{$lti_by_key{$key}},$id);
            }
        }
    }

#
# Verify the signed request using the secret for those
# Consumers for which the key in the POSTed data matches 
# keys in the course configuration or the domain configuration
# for LTI.
#

    my $itemid = &get_lti_itemid($requri,$hostname,$params,\%lti,\%lti_by_key);

#
# Request is invalid if the signed request could not be verified
# for the Consumer key and Consumer secret from the domain
# configuration in LON-CAPA for that LTI Consumer.
#
    unless (($itemid) && (ref($lti{$itemid}) eq 'HASH')) {
        &invalid_request($r,16);
        return OK;
    }

#
# Determine if nonce in POSTed data has expired.
# If unexpired, confirm it has not already been used.
#
    unless (&LONCAPA::ltiutils::check_nonce($params->{'oauth_nonce'},$params->{'oauth_timestamp'},
                                            $lti{$itemid}{'lifetime'},$cdom,$r->dir_config('lonLTIDir'))) {
        &invalid_request($r,17);
        return OK;
    }

#
# Determine if a username is required from the domain
# configuration for the specific LTI Consumer
#

    if (!$lti{$itemid}{'requser'}) {
        if ($tail =~ m{^/tiny/($match_domain)/(\w+)$}) {
            my $ltitype = 'd';
            foreach my $key (%{$params}) {
                delete($env{'form.'.$key});
            }
            my $ltoken = &Apache::lonnet::tmpput({'linkprot' => $itemid.$ltitype.':'.$tail},
                                                   $lonhost);
            if ($ltoken) {
                $r->internal_redirect($tail.'?ltoken='.$ltoken);
                $r->set_handlers('PerlHandler'=> undef);
            } else {
                &invalid_request($r,18);
            }
        } else {
            &invalid_request($r,19);
        }
        return OK;
    }

#
# Determine if source of username matches requirement from the 
# domain configuration for the specific LTI Consumer.
# 

    if ($lti{$itemid}{'mapuser'} eq $possmapuser) {
        $uname = $possuname;
    } elsif ($lti{$itemid}{'mapuser'} eq 'lis_person_sourcedid') {
        if ($params->{'lis_person_sourcedid'} =~ /^$match_username$/) {
            $uname = $possuname;
        }
    } elsif ($lti{$itemid}{'mapuser'} eq 'lis_person_contact_email_primary') {
        if ($params->{'lis_person_contact_email_primary'} =~ /^$match_username$/) {
            $uname = $params->{'lis_person_contact_email_primary'};
        }
    } elsif (exists($params->{$lti{$itemid}{'mapuser'}})) {
        if ($params->{$lti{$itemid}{'mapuser'}} =~ /^$match_username$/) {
            $uname = $params->{$lti{$itemid}{'mapuser'}};
        }
    }

#
# Determine the courseID of the LON-CAPA course to which the
# launch of LON-CAPA should provide access.
#
# Order is:
#
# (a) from course mapping (if the link between Consumer "course" and 
# Provider "course" has been established previously).
# (b) from tail of requested URL (after /adm/lti/) if it has format of a symb
# (c) from tail of requested URL (after /adm/lti) if it has format of a map
# (d) from tail of requested URL (after /adm/lti) if it has format /domain/courseID
# (e) from tail of requested URL (after /adm/lti) if it has format /tiny/domain/\w+
#     i.e., a shortened URL (see bug #6400).
#
# If Consumer course included in POSTed data points as a target course which
# has a format which matches a LON-CAPA courseID, but the course does not
# exist, the request is invalid.
# 

    my ($sourcecrs,%consumers);
    if ($lti{$itemid}{'mapcrs'} eq 'course_offering_sourcedid') {
        $sourcecrs = $params->{'course_offering_sourcedid'};
    } elsif ($lti{$itemid}{'mapcrs'} eq 'context_id') {
        $sourcecrs = $params->{'context_id'};
    } elsif ($lti{$itemid}{'mapcrs'} ne '') {
        $sourcecrs = $params->{$lti{$itemid}{'mapcrs'}};
    }

    my $posscnum;
    if ($sourcecrs ne '') {
        %consumers = &Apache::lonnet::get_dom('lticonsumers',[$sourcecrs],$cdom);
        if (exists($consumers{$sourcecrs})) {
            if ($consumers{$sourcecrs} =~ /^$match_courseid$/) {
                my $crshome = &Apache::lonnet::homeserver($consumers{$sourcecrs},$cdom);
                if ($crshome =~ /(con_lost|no_host|no_such_host)/) {
                    &invalid_request($r,20);
                    return OK;
                } else {
                    $posscnum = $consumers{$sourcecrs};
                }
            }
        }
    }

    if ($urlcnum ne '') {
        if ($posscnum ne '') {
            if ($posscnum ne $urlcnum) {
                &invalid_request($r,21);
                return OK;
            } else {
                $cnum = $posscnum;
            }
        } else {
            my $crshome = &Apache::lonnet::homeserver($urlcnum,$cdom);
            if ($crshome =~ /(con_lost|no_host|no_such_host)/) {
                &invalid_request($r,22);
                return OK;
            } else {
                $cnum = $urlcnum;
            }
        }
    } elsif ($posscnum ne '') {
        $cnum = $posscnum;
    }

#
# Get LON-CAPA role(s) to use from role-mapping of Consumer roles
# defined in domain configuration for the appropriate LTI
# Consumer.
#
# If multiple LON-CAPA roles are indicated for the current user,
# ordering (from first to last) is: cc/co, in, ta, ep, st.
#

    my (@ltiroles,@lcroles);
    my @lcroleorder = ('cc','in','ta','ep','st');
    my ($lcrolesref,$ltirolesref) = 
        &LONCAPA::ltiutils::get_lc_roles($params->{'roles'},
                                         \@lcroleorder,
                                         $lti{$itemid}{maproles});
    if (ref($lcrolesref) eq 'ARRAY') {
        @lcroles = @{$lcrolesref};
    }
    if (ref($ltirolesref) eq 'ARRAY') {
        @ltiroles = @{$ltirolesref};
    }

#
# If no LON-CAPA username  -- is user allowed to create one?
#

    my $selfcreate;
    if (($uname ne '') && ($udom ne '')) {
        $uhome = &Apache::lonnet::homeserver($uname,$udom);
        if ($uhome =~ /(con_lost|no_host|no_such_host)/) {
            &Apache::lonnet::logthis(" LTI authorized unknown user $uname:$udom ");
            if (ref($lti{$itemid}{'makeuser'}) eq 'ARRAY') {
                if (@{$lti{$itemid}{'makeuser'}} > 0) {
                    foreach my $ltirole (@ltiroles) {
                        if (grep(/^\Q$ltirole\E$/,@{$lti{$itemid}{'makeuser'}})) {
                            $selfcreate = 1;
                            last;
                        }
                    }
                }
            }
            if ($selfcreate) {
                my (%rulematch,%inst_results,%curr_rules,%got_rules,%alerts);
                my $domdesc = &Apache::lonnet::domain($udom,'description');
                my %data = (
                    'permanentemail' => $env{'form.lis_person_contact_email_primary'},
                    'firstname'      => $env{'form.lis_person_name_given'},
                    'lastname'       => $env{'form.lis_person_name_family'},
                    'fullname'       => $env{'form.lis_person_name_full'},
                );
                my $result =
                    &LONCAPA::ltiutils::create_user($lti{$itemid},$uname,$udom,
                                                    $domdesc,\%data,\%alerts,\%rulematch,
                                                    \%inst_results,\%curr_rules,%got_rules);
                if ($result eq 'notallowed') {
                    &invalid_request($r,23);
                } elsif ($result eq 'ok') {
                    if (($ltiroles[0] eq 'Instructor') && ($lcroles[0] eq 'cc') && ($lti{$itemid}{'mapcrs'}) &&
                        ($lti{$itemid}{'makecrs'})) {
                        unless (&Apache::lonnet::usertools_access($uname,$udom,'lti','reload','requestcourses')) {
                            &Apache::lonnet::put('environment',{ 'requestcourses.lti' => 'autolimit=', },$udom,$uname);
                        }
                    }
                } else {
                    &invalid_request($r,24);
                    return OK;
                }
            } else {
                &invalid_request($r,25);
                return OK;
            }
        }
    } else {
        &invalid_request($r,26);
        return OK;
    }

#
# If no LON-CAPA course available, check if domain's configuration
# for the specific LTI Consumer allows a new course to be created 
# (requires role in Consumer to be: Instructor and Instructor to map to CC)
#

    my $reqcrs;
    if ($cnum eq '') {
        if ($lti{$itemid}{'crsinc'}) {
            if ((@ltiroles) && ($lti{$itemid}{'mapcrs'}) &&
                ($ltiroles[0] eq 'Instructor') && ($lcroles[0] eq 'cc') && ($lti{$itemid}{'makecrs'})) {
                my (%can_request,%request_domains);
                &Apache::lonnet::check_can_request($cdom,\%can_request,\%request_domains,$uname,$udom);
                if ($can_request{'lti'}) {
                    $reqcrs = 1;
                    &lti_session($r,$itemid,$uname,$udom,$uhome,$lonhost,undef,$mapurl,$tail,
                                 $symb,$cdom,$cnum,$params,\@ltiroles,$lti{$itemid},\@lcroles,
                                 $reqcrs,$sourcecrs);
                } else {
                    &invalid_request($r,27);
                }
            } else {
                &invalid_request($r,28);
            }
        } else {
            &lti_session($r,$itemid,$uname,$udom,$uhome,$lonhost,undef,$mapurl,$tail,
                         $symb,$cdom,$cnum,$params,\@ltiroles,$lti{$itemid},\@lcroles,
                         $reqcrs,$sourcecrs);
        }
        return OK;
    }

#
# If LON-CAPA course is a Community, and LON-CAPA role
# indicated is cc, change role indicated to co.
#

    my %crsenv;
    if ($lcroles[0] eq 'cc') {
        if (($cdom ne '') && ($cnum ne '')) {
            %crsenv = &Apache::lonnet::coursedescription($cdom.'_'.$cnum,{ 'one_time' => 1,});
            if ($crsenv{'type'} eq 'Community') {
                $lcroles[0] = 'co';
            }
        }
    }

#
# Determine if user has a LON-CAPA role in the mapped LON-CAPA course.
# If multiple LON-CAPA roles are available for the user's assigned LTI roles,
# choose the first available LON-CAPA role in the order: cc/co, in, ta, ep, st
#

    my ($role,$usec,$withsec);
    unless ((($lcroles[0] eq 'cc') || ($lcroles[0] eq 'co')) && (@lcroles == 1)) {
        if ($lti{$itemid}{'section'} ne '') {
            if ($lti{$itemid}{'section'} eq 'course_section_sourcedid') {
                if ($env{'form.course_section_sourcedid'} !~ /\W/) {
                    $usec = $env{'form.course_section_sourcedid'};
                }
            } elsif ($env{'form.'.$lti{$itemid}{'section'}} !~ /\W/) {
                $usec = $env{'form.'.$lti{$itemid}{'section'}};
            }
        }
        if ($usec ne '') {
            $withsec = 1;
        }
    }

    if (@lcroles) {
        my %crsroles = &Apache::lonnet::get_my_roles($uname,$udom,'userroles',undef,\@lcroles,
                                                     [$cdom],$withsec);
        foreach my $reqrole (@lcroles) {
            if ($withsec) {
                my $incsec;
                if (($reqrole eq 'cc') || ($reqrole eq 'co')) {
                    $incsec = '';
                } else {
                    $incsec = $usec;
                }
                if (exists($crsroles{$cnum.':'.$cdom.':'.$reqrole.':'.$incsec})) {
                    $role = $reqrole.'./'.$cdom.'/'.$cnum;
                    if ($incsec ne '') {
                        $role .= '/'.$usec;
                    }
                    last;
                }
            } else {
                if (exists($crsroles{$cnum.':'.$cdom.':'.$reqrole})) {
                    $role = $reqrole.'./'.$cdom.'/'.$cnum;
                    last;
                }
            }
        }
    }

#
# Determine if user can selfenroll
#

    my ($reqrole,$selfenrollrole);
    if ($role eq '') {
        if ((@ltiroles) && (ref($lti{$itemid}{'selfenroll'}) eq 'ARRAY')) {
            foreach my $ltirole (@ltiroles) {
                if (grep(/^\Q$ltirole\E$/,@{$lti{$itemid}{'selfenroll'}})) {
                    if (ref($lti{$itemid}{maproles}) eq 'HASH') {
                        $reqrole = $lti{$itemid}{maproles}{$ltirole};
                        last;
                    }
                }
            }
        }
        if ($reqrole eq '') {
            &invalid_request($r,29);
            return OK;
        } else {
            unless (%crsenv) {
                %crsenv = &Apache::lonnet::coursedescription($cdom.'_'.$cnum);
            }
            my $default_enrollment_start_date = $crsenv{'default_enrollment_start_date'};
            my $default_enrollment_end_date   = $crsenv{'default_enrollment_end_date'};
            my $now = time;
            if ($default_enrollment_end_date && $default_enrollment_end_date <= $now) {
                &invalid_request($r,30);
                return OK;
            } elsif ($default_enrollment_start_date && $default_enrollment_start_date >$now) {
                &invalid_request($r,31);
                return OK;
            } else {
                $selfenrollrole = $reqrole.'./'.$cdom.'/'.$cnum;
                if (($withsec) && ($reqrole ne 'cc') && ($reqrole ne 'co')) {
                    if ($usec ne '') {
                        $selfenrollrole .= '/'.$usec;
                    }
                }
            }
        }
    }

#
# Retrieve course type of LON-CAPA course to check if mapping from a Consumer
# course identifier permitted for this type of course (one of: official,
# unofficial, community, textbook, placement or lti.
#

    unless (%crsenv) {
        %crsenv = &Apache::lonnet::coursedescription($cdom.'_'.$cnum);
    }
    my $crstype = lc($crsenv{'type'});
    if ($crstype eq '') {
        $crstype = 'course';
    }
    if ($crstype eq 'course') {
        if ($crsenv{'internal.coursecode'}) {
            $crstype = 'official';
        } elsif ($crsenv{'internal.textbook'}) {
            $crstype = 'textbook';
        } elsif ($crsenv{'internal.lti'}) {
            $crstype = 'lti';
        } else {
            $crstype = 'unofficial';
        }
    }

#
# Store consumer-to-LON-CAPA course mapping if permitted
#

    if (($lti{$itemid}{'storecrs'}) && ($sourcecrs ne '') && 
        ($consumers{$sourcecrs} eq '') && ($cnum ne '')) {
        if (ref($lti{$itemid}{'mapcrstype'}) eq 'ARRAY') {
            if (grep(/^$crstype$/,@{$lti{$itemid}{'mapcrstype'}})) {
                &Apache::lonnet::put_dom('lticonsumers',{ $sourcecrs => $cnum },$cdom);
            }
        }
    }

#
# Start user session
#

    &lti_session($r,$itemid,$uname,$udom,$uhome,$lonhost,$role,$mapurl,$tail,$symb,
                 $cdom,$cnum,$params,\@ltiroles,$lti{$itemid},\@lcroles,undef,$sourcecrs,
                 $selfenrollrole);
    return OK;
}

sub get_lti_itemid {
    my ($requri,$hostname,$params,$lti,$lti_by_key) = @_;
    return unless ((ref($params) eq 'HASH') && (ref($lti) eq 'HASH')  && (ref($lti_by_key) eq 'HASH'));

    if (exists($params->{'oauth_callback'})) {
        $Net::OAuth::PROTOCOL_VERSION = Net::OAuth::PROTOCOL_VERSION_1_0A;
    } else {
        $Net::OAuth::PROTOCOL_VERSION = Net::OAuth::PROTOCOL_VERSION_1_0;
    }

    my $protocol = 'http';
    if ($ENV{'SERVER_PORT'} == 443) {
        $protocol = 'https';
    }

    my ($itemid,$consumer_key,$secret);
    my $consumer_key = $params->{'oauth_consumer_key'};
    if (ref($lti_by_key->{$consumer_key}) eq 'ARRAY') {
        foreach my $id (@{$lti_by_key->{$consumer_key}}) {
            if (ref($lti->{$id}) eq 'HASH') {
                $secret = $lti->{$id}{'secret'};
                my $request = Net::OAuth->request('request token')->from_hash($params,
                                                   request_url => $protocol.'://'.$hostname.$requri,
                                                   request_method => $env{'request.method'},
                                                   consumer_secret => $secret,);
                if ($request->verify()) {
                    $itemid = $id;
                    last;
                }
            }
        }
    }
    return $itemid;
}

sub lti_enroll {
    my ($uname,$udom,$selfenrollrole) = @_;
    my $enrollresult;
    my ($role,$cdom,$cnum,$sec) =
           ($selfenrollrole =~ m{^(\w+)\./($match_domain)/($match_courseid)(?:|/(\w*))$});
    if (($cnum ne '') && ($cdom ne '')) {
        my $chome = &Apache::lonnet::homeserver($cnum,$cdom);
        if ($chome ne 'no_host') {
            my %coursehash = &Apache::lonnet::coursedescription($cdom.'_'.$cnum);
            my $start = $coursehash{'default_enrollment_start_date'};
            my $end = $coursehash{'default_enrollment_end_date'};
            $enrollresult = &LONCAPA::ltiutils::enrolluser($udom,$uname,$role,$cdom,$cnum,$sec,
                                                           $start,$end,1);
        }
    }
    return $enrollresult;
}

sub lti_reqcrs {
    my ($r,$cdom,$form,$uname,$udom) = @_;
    my (%can_request,%request_domains);
    &Apache::lonnet::check_can_request($cdom,\%can_request,\%request_domains,$uname,$udom);
    if ($can_request{'lti'}) {
        my %domconfig = &Apache::lonnet::get_dom('configuration',['requestcourses'],$cdom);
        my %domdefs = &Apache::lonnet::get_domain_defaults($cdom);
        &Apache::lonrequestcourse::print_textbook_form($r,$cdom,[$cdom],\%domdefs,
                                                       $domconfig{'requestcourses'},
                                                       \%can_request,'lti',$form);
    } else {
        $r->print(
              &Apache::loncommon::start_page('Invalid LTI call',undef,{'only_body' => 1}).
              &mt('Invalid LTI call').
              &Apache::loncommon::end_page()
        );
    }
}

sub lti_session {
    my ($r,$itemid,$uname,$udom,$uhome,$lonhost,$role,$mapurl,$tail,$symb,$cdom,$cnum,
        $params,$ltiroles,$ltihash,$lcroles,$reqcrs,$sourcecrs,$selfenrollrole) = @_;
    return unless ((ref($params) eq 'HASH') && (ref($ltiroles) eq 'ARRAY') &&
                   (ref($ltihash) eq 'HASH') && (ref($lcroles) eq 'ARRAY'));
#
# Check if user should be hosted here or switched to another server.
#
    $r->user($uname);
    if ($cnum) {
        if ($role) {
            &Apache::lonnet::logthis(" LTI authorized user ($itemid): $uname:$udom, role: $role, course: $cdom\_$cnum");
        } elsif ($selfenrollrole =~ m{^(\w+)\./$cdom/$cnum}) {
            &Apache::lonnet::logthis(" LTI authorized user ($itemid): $uname:$udom, desired role: $1 course: $cdom\_$cnum");
        }
    } else {
        &Apache::lonnet::logthis(" LTI authorized user ($itemid): $uname:$udom, course dom: $cdom");
    }
    my ($is_balancer,$otherserver,$hosthere);
    ($is_balancer,$otherserver) =
        &Apache::lonnet::check_loadbalancing($uname,$udom,'login');
    if ($is_balancer) {
        if ($otherserver eq '') {
            my $lowest_load;
            ($otherserver,undef,undef,undef,$lowest_load) = &Apache::lonnet::choose_server($udom);
            if ($lowest_load > 100) {
                $otherserver = &Apache::lonnet::spareserver($r,$lowest_load,$lowest_load,1,$udom);
            }
        }
        if ($otherserver ne '') {
            my @hosts = &Apache::lonnet::current_machine_ids();
            if (grep(/^\Q$otherserver\E$/,@hosts)) {
                $hosthere = $otherserver;
            }
        }
    }
    my $protocol = 'http';
    if ($ENV{'SERVER_PORT'} == 443) {
        $protocol = 'https';
    }
    if (($is_balancer) && (!$hosthere)) {
        # login but immediately go to switch server.
        &Apache::lonauth::success($r,$uname,$udom,$uhome,'noredirect');
        if (($ltihash->{'callback'}) && ($params->{$ltihash->{'callback'}})) {
            &LONCAPA::ltiutils::setup_logout_callback($uname,$udom,$otherserver,
                                                      $ltihash->{'key'},
                                                      $ltihash->{'secret'},
                                                      $params->{$ltihash->{'callback'}},
                                                      $r->dir_config('ltiIDsDir'),
                                                      $protocol,$r->hostname);
        }
        if ($symb) {
            $env{'form.symb'} = $symb;
            $env{'request.lti.uri'} = $tail;
        } else {
            if ($mapurl) {
                $env{'form.origurl'} = $mapurl;
                $env{'request.lti.uri'} = $mapurl;
            } elsif ($tail =~ m{^\Q/tiny/$cdom/\E\w+$}) {
                $env{'form.origurl'} = $tail;
                $env{'request.lti.uri'} = $tail;
            } elsif ($tail eq "/$cdom/$cnum") {
                $env{'form.origurl'} = '/adm/navmaps';
                $env{'request.lti.uri'} = $tail;
            } else {
                unless ($tail eq '/adm/roles') {
                    if ($cnum) {
                        $env{'form.origurl'} = '/adm/navmaps';
                    }
                }
            }
        }
        if ($role) {
            $env{'form.role'} = $role;
        }
        if (($lcroles->[0] eq 'cc') && ($reqcrs)) {
            $env{'request.lti.reqcrs'} = 1;
            $env{'request.lti.reqrole'} = 'cc';
            $env{'request.lti.sourcecrs'} = $sourcecrs;
        }
        if ($selfenrollrole) {
            $env{'request.lti.selfenrollrole'} = $selfenrollrole;
            $env{'request.lti.sourcecrs'} = $sourcecrs;
        }
        if ($ltihash->{'passback'}) {
            if ($params->{'lis_result_sourcedid'}) {
                $env{'request.lti.passbackid'} = $params->{'lis_result_sourcedid'};
            }
            if ($params->{'lis_outcome_service_url'}) {
                $env{'request.lti.passbackurl'} = $params->{'lis_outcome_service_url'};
            }
        }
        if (($ltihash->{'roster'}) && (grep(/^Instructor$/,@{$ltiroles}))) {
            if ($params->{'ext_ims_lis_memberships_id'}) {
                $env{'request.lti.rosterid'} = $params->{'ext_ims_lis_memberships_id'};
            }
            if ($params->{'ext_ims_lis_memberships_url'}) {
                $env{'request.lti.rosterurl'} = $params->{'ext_ims_lis_memberships_url'};
            }
        }
        $env{'request.lti.login'} = $itemid;
        if ($params->{'launch_presentation_document_target'}) {
            $env{'request.lti.target'} = $params->{'launch_presentation_document_target'};
        }
        foreach my $key (keys(%{$params})) {
            delete($env{'form.'.$key});
        }
        my $redirecturl = '/adm/switchserver';
        if ($otherserver ne '') {
            $redirecturl .= '?otherserver='.$otherserver;
        }
        $r->internal_redirect($redirecturl);
        $r->set_handlers('PerlHandler'=> undef);
    } else {
        # need to login them in, so generate the need data that
        # migrate expects to do login
        foreach my $key (keys(%{$params})) {
            delete($env{'form.'.$key});
        }
        if (($ltihash->{'callback'}) && ($params->{$ltihash->{'callback'}})) {
            &LONCAPA::ltiutils::setup_logout_callback($uname,$udom,$lonhost,
                                                      $ltihash->{'key'},
                                                      $ltihash->{'secret'},
                                                      $params->{$ltihash->{'callback'}},
                                                      $r->dir_config('ltiIDsDir'),
                                                      $protocol,$r->hostname);
        }
        my $ip = $r->get_remote_host();
        my %info=('ip'        => $ip,
                  'domain'    => $udom,
                  'username'  => $uname,
                  'server'    => $lonhost,
                  'lti.login' => $itemid,
                  'lti.uri'   => $tail,
                 );
        if ($role) {
            $info{'role'} = $role;
        }
        if ($symb) {
            $info{'symb'} = $symb;
        }
        if (($lcroles->[0] eq 'cc') && ($reqcrs)) {
            $info{'lti.reqcrs'} = 1;
            $info{'lti.reqrole'} = 'cc';
            $info{'lti.sourcecrs'} = $sourcecrs;
        }
        if ($selfenrollrole) {
            $info{'lti.selfenrollrole'} = $selfenrollrole;
        }
        if ($ltihash->{'passback'}) {
            if ($params->{'lis_result_sourcedid'}) {
                $info{'lti.passbackid'} = $params->{'lis_result_sourcedid'}
            }
            if ($params->{'lis_outcome_service_url'}) {
                $info{'lti.passbackurl'} = $params->{'lis_outcome_service_url'}
            }
        }
        if (($ltihash->{'roster'}) && (grep(/^Instructor$/,@{$ltiroles}))) {
            if ($params->{'ext_ims_lis_memberships_id'}) {
                $info{'lti.rosterid'} = $params->{'ext_ims_lis_memberships_id'};
            }
            if ($params->{'ext_ims_lis_memberships_url'}) {
                $info{'lti.rosterurl'} = $params->{'ext_ims_lis_memberships_url'};
            }
        }
        if ($params->{'launch_presentation_document_target'}) {
            $info{'lti.target'} = $params->{'launch_presentation_document_target'};
        }

        unless ($info{'symb'}) {
            if ($mapurl) {
                $info{'origurl'} = $mapurl;
            } elsif ($tail =~ m{^\Q/tiny/$cdom/\E\w+$}) {
                $info{'origurl'} = $tail;
            } else {
                unless ($tail eq '/adm/roles') {
                    if ($cnum) {
                        $info{'origurl'} = '/adm/navmaps';
                    }
                }
            }
        }
        if (($is_balancer) && ($hosthere)) {
            $info{'noloadbalance'} = $hosthere;
        }
        my $token = &Apache::lonnet::tmpput(\%info,$lonhost);
        $env{'form.token'} = $token;
        $r->internal_redirect('/adm/migrateuser');
        $r->set_handlers('PerlHandler'=> undef);
    }
    return;
}

sub invalid_request {
    my ($r,$num) = @_;
    &Apache::loncommon::content_type($r,'text/html');
    $r->send_http_header;
    if ($r->header_only) {
        return;
    }
    &Apache::lonlocal::get_language_handle($r);
    $r->print(
        &Apache::loncommon::start_page('Invalid LTI call','',{ 'only_body' => 1,}).
        &mt('Invalid LTI call [_1]',$num).
        &Apache::loncommon::end_page());
    return;
}

sub course_from_tinyurl {
    my ($tail) = @_;
    my ($urlcdom,$urlcnum);
    if ($tail =~ m{^/tiny/($match_domain)/(\w+)$}) {
        ($urlcdom,my $key) = ($1,$2);
        my $tinyurl;
        my ($result,$cached)=&Apache::lonnet::is_cached_new('tiny',$urlcdom."\0".$key);
        if (defined($cached)) {
            $tinyurl = $result;
        } else {
            my $configuname = &Apache::lonnet::get_domainconfiguser($urlcdom);
            my %currtiny = &Apache::lonnet::get('tiny',[$key],$urlcdom,$configuname);
            if ($currtiny{$key} ne '') {
                $tinyurl = $currtiny{$key};
                &Apache::lonnet::do_cache_new('tiny',$urlcdom."\0".$key,$currtiny{$key},600);
            }
        }
        if ($tinyurl ne '') {
            $urlcnum = (split(/\&/,$tinyurl))[0];
        }
    }
    return ($urlcdom,$urlcnum);
}

1;

FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>