# The LearningOnline Network # Basic LTI Authentication Module # # $Id: ltiauth.pm,v 1.27 2021/11/24 04:25:03 raeburn Exp $ # # Copyright Michigan State University Board of Trustees # # This file is part of the LearningOnline Network with CAPA (LON-CAPA). # # LON-CAPA is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. # # LON-CAPA is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with LON-CAPA; if not, write to the Free Software # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA # # /home/httpd/html/adm/gpl.txt # # http://www.lon-capa.org/ # package Apache::ltiauth; use strict; use LONCAPA qw(:DEFAULT :match); use Apache::Constants qw(:common :http); use Net::OAuth; use Apache::lonlocal; use Apache::lonnet; use Apache::loncommon; use Apache::lonacc; use Apache::lonrequestcourse; use LONCAPA::ltiutils; sub handler { my $r = shift; my $requri = $r->uri; my $hostname = $r->hostname; # # Check for existing session, and temporarily delete any form items # in %env, if session exists # my %savedform; my $handle = &Apache::lonnet::check_for_valid_session($r); if ($handle ne '') { foreach my $key (sort(keys(%env))) { if ($key =~ /^form\.(.+)$/) { $savedform{$1} = $env{$key}; delete($env{$key}); } } } # # Retrieve data POSTed by LTI launch # &Apache::lonacc::get_posted_cgi($r); my $params = {}; foreach my $key (sort(keys(%env))) { if ($key =~ /^form\.(.+)$/) { $params->{$1} = $env{$key}; } } # # Check for existing session, and restore temporarily # deleted form items to %env, if session exists. # if ($handle ne '') { if (keys(%savedform)) { foreach my $key (sort(keys(%savedform))) { $env{'form.'.$key} = $savedform{$key}; } } } unless (keys(%{$params})) { &invalid_request($r,1); return OK; } unless ($params->{'oauth_consumer_key'} && $params->{'oauth_nonce'} && $params->{'oauth_timestamp'} && $params->{'oauth_version'} && $params->{'oauth_signature'} && $params->{'oauth_signature_method'}) { &invalid_request($r,2); return OK; } # # Retrieve "internet domains" for all this institution's LON-CAPA # nodes. # my @intdoms; my $lonhost = $r->dir_config('lonHostID'); my $internet_names = &Apache::lonnet::get_internet_names($lonhost); if (ref($internet_names) eq 'ARRAY') { @intdoms = @{$internet_names}; } # # Determine course's domain in LON-CAPA # for basic launch using key and secret managed # in LON-CAPA course (i.e., uri begins /adm/launch) # my ($cdom,$cnum); # Note: "internet domain" for course's domain must be one of the # internet domains for the institution's LON-CAPA servers. # if ($requri =~ m{^/adm/launch(|/.*)$}) { my $tail = $1; if ($tail =~ m{^/tiny/($match_domain)/(\w+)$}) { my ($urlcdom,$urlcnum) = &course_from_tinyurl($tail); if (($urlcdom ne '') && ($urlcnum ne '')) { $cdom = $urlcdom; $cnum = $urlcnum; my $primary_id = &Apache::lonnet::domain($cdom,'primary'); if ($primary_id ne '') { my $intdom = &Apache::lonnet::internet_dom($primary_id); if (($intdom ne '') && (grep(/^\Q$intdom\E$/,@intdoms))) { # # Retrieve information for LTI link protectors in course # where url was /adm/launch/tiny/$cdom/$uniqueid # my (%crslti,%crslti_by_key,$itemid,$ltitype); %crslti = &Apache::lonnet::get_course_lti($cnum,$cdom,'provider'); if (keys(%crslti)) { foreach my $id (keys(%crslti)) { if (ref($crslti{$id}) eq 'HASH') { my $key = $crslti{$id}{'key'}; push(@{$crslti_by_key{$key}},$id); } } } # # Verify the signed request using the secret for LTI link # protectors for which the key in the POSTed data matches # keys in the course configuration. # # Request is invalid if the signed request could not be verified # for the key and secret from LON-CAPA course configuration for # LTI link protectors or from LON-CAPA configuration for the # course's domain if there are LTI Providers which may be used. # # Determine if nonce in POSTed data has expired. # If unexpired, confirm it has not already been used. # if (keys(%crslti)) { $itemid = &get_lti_itemid($requri,$hostname,$params,\%crslti,\%crslti_by_key); } if (($itemid) && (ref($crslti{$itemid}) eq 'HASH')) { $ltitype = 'c'; unless (&LONCAPA::ltiutils::check_nonce($params->{'oauth_nonce'},$params->{'oauth_timestamp'}, $crslti{$itemid}{'lifetime'},$cdom,$r->dir_config('lonLTIDir'))) { &invalid_request($r,3); return OK; } } else { my %lti = &Apache::lonnet::get_domain_lti($cdom,'provider'); unless (keys(%lti) > 0) { &invalid_request($r,4); return OK; } my (%domlti_by_key,%domlti); foreach my $id (keys(%lti)) { if (ref($lti{$id}) eq 'HASH') { my $key = $lti{$id}{'key'}; if (!$lti{$itemid}{'requser'}) { push(@{$domlti_by_key{$key}},$id); $domlti{$id} = $lti{$id}; } } } if (keys(%domlti)) { $itemid = &get_lti_itemid($requri,$hostname,$params,\%domlti,\%domlti_by_key); } if (($itemid) && (ref($domlti{$itemid}) eq 'HASH')) { $ltitype = 'd'; unless (&LONCAPA::ltiutils::check_nonce($params->{'oauth_nonce'},$params->{'oauth_timestamp'}, $domlti{$itemid}{'lifetime'},$cdom, $r->dir_config('lonLTIDir'))) { &invalid_request($r,5); return OK; } } } if ($itemid) { foreach my $key (%{$params}) { delete($env{'form.'.$key}); } my $ltoken = &Apache::lonnet::tmpput({'linkprot' => $itemid.$ltitype.':'.$tail}, $lonhost,'link'); if ($ltoken) { $r->internal_redirect($tail.'?ltoken='.$ltoken); $r->set_handlers('PerlHandler'=> undef); } else { &invalid_request($r,6); } } else { &invalid_request($r,7); } } else { &invalid_request($r,8); } } else { &invalid_request($r,9); } } else { &invalid_request($r,10); } } else { &invalid_request($r,11); } return OK; } my ($udom,$uname,$uhome,$symb,$mapurl); # # For user who launched LTI in Consumer, determine user's domain in # LON-CAPA. # # Order is: # # (a) from custom_userdomain item in POSTed data # (b) from lis_person_sourcedid in POSTed data # (c) from default "log-in" domain for node # (can support multidomain servers, where specific domain is # first part of hostname). # # Note: "internet domain" for user's domain must be one of the # "internet domain(s)" for the institution's LON-CAPA servers. # if (exists($params->{'custom_userdomain'})) { if ($params->{'custom_userdomain'} =~ /^$match_domain$/) { my $uprimary_id = &Apache::lonnet::domain($params->{'custom_userdomain'},'primary'); if ($uprimary_id ne '') { my $uintdom = &Apache::lonnet::internet_dom($uprimary_id); if (($uintdom ne '') && (grep(/^\Q$uintdom\E$/,@intdoms))) { $udom = $params->{'custom_userdomain'}; } } } } my $defdom = &Apache::lonnet::default_login_domain(); my ($domain,$possuname,$possudom,$possmapuser); if ($env{'form.lis_person_sourcedid'} =~ /^($match_username)\:($match_domain)$/) { ($possuname,$possudom) = ($1,$2); if ($udom eq '') { my $uintdom = &Apache::lonnet::domain($possudom,'primary'); if (($uintdom ne '') && (grep(/^\Q$uintdom\E$/,@intdoms))) { $udom = $possudom; $possmapuser = 'lis_person_sourcedid'; } else { $udom = $defdom; } } elsif ($udom eq $possudom) { $possmapuser = 'lis_person_sourcedid'; } } unless ($possuname) { if ($env{'form.lis_person_sourcedid'} =~ /^$match_username$/) { $possuname = $env{'form.lis_person_sourcedid'}; $possmapuser = 'lis_person_sourcedid'; } elsif ($env{'form.lis_person_contact_email_primary'} =~ /^$match_username$/) { $possuname = $env{'form.lis_person_contact_email_primary'}; $possmapuser = 'lis_person_contact_email_primary'; } unless ($udom) { $udom = $defdom; } } # # Determine course's domain in LON-CAPA # # Order is: # # (a) from custom_coursedomain item in POSTed data # (b) from tail of requested URL (after /adm/lti/) if it has format of a symb # (c) from tail of requested URL (after /adm/lti) if it has format of a map # (d) from tail of requested URL (after /adm/lti) if it has format /domain/courseID # (e) from tail of requested URL (after /adm/lti) if it has format /tiny/domain/\w+ # i.e., a shortened URL (see bug #6400). # (f) same as user's domain # # Request invalid if custom_coursedomain is defined and is inconsistent with # domain contained in requested URL. # # Note: "internet domain" for course's domain must be one of the # internet domains for the institution's LON-CAPA servers. # if (exists($params->{'custom_coursedomain'})) { if ($params->{'custom_coursedomain'} =~ /^$match_domain$/) { my $cprimary_id = &Apache::lonnet::domain($params->{'custom_coursedomain'},'primary'); if ($cprimary_id ne '') { my $cintdom = &Apache::lonnet::internet_dom($cprimary_id); if (($cintdom ne '') && (grep(/^\Q$cintdom\E$/,@intdoms))) { $cdom = $params->{'custom_coursedomain'}; } } } } my ($tail) = ($requri =~ m{^/adm/lti(|/.*)$}); my $urlcnum; if ($tail ne '') { my $urlcdom; if ($tail =~ m{^/uploaded/($match_domain)/($match_courseid)/(?:default|supplemental)(?:|_\d+)\.(?:sequence|page)(|___\d+___.+)$}) { ($urlcdom,$urlcnum,my $rest) = ($1,$2,$3); if (($cdom ne '') && ($cdom ne $urlcdom)) { &invalid_request($r,12); return OK; } if ($rest eq '') { $mapurl = $tail; } else { $symb = $tail; $symb =~ s{^/}{}; } } elsif ($tail =~ m{^/res/(?:$match_domain)/(?:$match_username)/.+\.(?:sequence|page)(|___\d+___.+)$}) { if ($1 eq '') { $mapurl = $tail; } else { $symb = $tail; $symb =~ s{^/res/}{}; } } elsif ($tail =~ m{^/($match_domain)/($match_courseid)$}) { ($urlcdom,$urlcnum) = ($1,$2); if (($cdom ne '') && ($cdom ne $urlcdom)) { &invalid_request($r,13); return OK; } } elsif ($tail =~ m{^/tiny/($match_domain)/(\w+)$}) { ($urlcdom,$urlcnum) = &course_from_tinyurl($tail); if (($urlcdom eq '') || ($urlcnum eq '')) { &invalid_request($r,14); return OK; } } if (($cdom eq '') && ($urlcdom ne '')) { my $cprimary_id = &Apache::lonnet::domain($urlcdom,'primary'); if ($cprimary_id ne '') { my $cintdom = &Apache::lonnet::internet_dom($cprimary_id); if (($cintdom ne '') && (grep(/^\Q$cintdom\E$/,@intdoms))) { $cdom = $urlcdom; } } else { $urlcnum = ''; } } } if ($cdom eq '') { if ($udom ne '') { $cdom = $udom; } else { $cdom = $defdom; } } # # Retrieve information for LTI Consumers in course's domain # and populate hash -- %lti_by_key -- for which keys # are those defined in domain configuration for LTI. # my %lti = &Apache::lonnet::get_domain_lti($cdom,'provider'); unless (keys(%lti) > 0) { &invalid_request($r,15); return OK; } my %lti_by_key; if (keys(%lti)) { foreach my $id (keys(%lti)) { if (ref($lti{$id}) eq 'HASH') { my $key = $lti{$id}{'key'}; push(@{$lti_by_key{$key}},$id); } } } # # Verify the signed request using the secret for those # Consumers for which the key in the POSTed data matches # keys in the course configuration or the domain configuration # for LTI. # my $itemid = &get_lti_itemid($requri,$hostname,$params,\%lti,\%lti_by_key); # # Request is invalid if the signed request could not be verified # for the Consumer key and Consumer secret from the domain # configuration in LON-CAPA for that LTI Consumer. # unless (($itemid) && (ref($lti{$itemid}) eq 'HASH')) { &invalid_request($r,16); return OK; } # # Determine if nonce in POSTed data has expired. # If unexpired, confirm it has not already been used. # unless (&LONCAPA::ltiutils::check_nonce($params->{'oauth_nonce'},$params->{'oauth_timestamp'}, $lti{$itemid}{'lifetime'},$cdom,$r->dir_config('lonLTIDir'))) { &invalid_request($r,17); return OK; } # # Determine if a username is required from the domain # configuration for the specific LTI Consumer # if (!$lti{$itemid}{'requser'}) { if ($tail =~ m{^/tiny/($match_domain)/(\w+)$}) { my $ltitype = 'd'; foreach my $key (%{$params}) { delete($env{'form.'.$key}); } my $ltoken = &Apache::lonnet::tmpput({'linkprot' => $itemid.$ltitype.':'.$tail}, $lonhost); if ($ltoken) { $r->internal_redirect($tail.'?ltoken='.$ltoken); $r->set_handlers('PerlHandler'=> undef); } else { &invalid_request($r,18); } } else { &invalid_request($r,19); } return OK; } # # Determine if source of username matches requirement from the # domain configuration for the specific LTI Consumer. # if ($lti{$itemid}{'mapuser'} eq $possmapuser) { $uname = $possuname; } elsif ($lti{$itemid}{'mapuser'} eq 'lis_person_sourcedid') { if ($params->{'lis_person_sourcedid'} =~ /^$match_username$/) { $uname = $possuname; } } elsif ($lti{$itemid}{'mapuser'} eq 'lis_person_contact_email_primary') { if ($params->{'lis_person_contact_email_primary'} =~ /^$match_username$/) { $uname = $params->{'lis_person_contact_email_primary'}; } } elsif (exists($params->{$lti{$itemid}{'mapuser'}})) { if ($params->{$lti{$itemid}{'mapuser'}} =~ /^$match_username$/) { $uname = $params->{$lti{$itemid}{'mapuser'}}; } } # # Determine the courseID of the LON-CAPA course to which the # launch of LON-CAPA should provide access. # # Order is: # # (a) from course mapping (if the link between Consumer "course" and # Provider "course" has been established previously). # (b) from tail of requested URL (after /adm/lti/) if it has format of a symb # (c) from tail of requested URL (after /adm/lti) if it has format of a map # (d) from tail of requested URL (after /adm/lti) if it has format /domain/courseID # (e) from tail of requested URL (after /adm/lti) if it has format /tiny/domain/\w+ # i.e., a shortened URL (see bug #6400). # # If Consumer course included in POSTed data points as a target course which # has a format which matches a LON-CAPA courseID, but the course does not # exist, the request is invalid. # my ($sourcecrs,%consumers); if ($lti{$itemid}{'mapcrs'} eq 'course_offering_sourcedid') { $sourcecrs = $params->{'course_offering_sourcedid'}; } elsif ($lti{$itemid}{'mapcrs'} eq 'context_id') { $sourcecrs = $params->{'context_id'}; } elsif ($lti{$itemid}{'mapcrs'} ne '') { $sourcecrs = $params->{$lti{$itemid}{'mapcrs'}}; } my $posscnum; if ($sourcecrs ne '') { %consumers = &Apache::lonnet::get_dom('lticonsumers',[$sourcecrs],$cdom); if (exists($consumers{$sourcecrs})) { if ($consumers{$sourcecrs} =~ /^$match_courseid$/) { my $crshome = &Apache::lonnet::homeserver($consumers{$sourcecrs},$cdom); if ($crshome =~ /(con_lost|no_host|no_such_host)/) { &invalid_request($r,20); return OK; } else { $posscnum = $consumers{$sourcecrs}; } } } } if ($urlcnum ne '') { if ($posscnum ne '') { if ($posscnum ne $urlcnum) { &invalid_request($r,21); return OK; } else { $cnum = $posscnum; } } else { my $crshome = &Apache::lonnet::homeserver($urlcnum,$cdom); if ($crshome =~ /(con_lost|no_host|no_such_host)/) { &invalid_request($r,22); return OK; } else { $cnum = $urlcnum; } } } elsif ($posscnum ne '') { $cnum = $posscnum; } # # Get LON-CAPA role(s) to use from role-mapping of Consumer roles # defined in domain configuration for the appropriate LTI # Consumer. # # If multiple LON-CAPA roles are indicated for the current user, # ordering (from first to last) is: cc/co, in, ta, ep, st. # my (@ltiroles,@lcroles); my @lcroleorder = ('cc','in','ta','ep','st'); my ($lcrolesref,$ltirolesref) = &LONCAPA::ltiutils::get_lc_roles($params->{'roles'}, \@lcroleorder, $lti{$itemid}{maproles}); if (ref($lcrolesref) eq 'ARRAY') { @lcroles = @{$lcrolesref}; } if (ref($ltirolesref) eq 'ARRAY') { @ltiroles = @{$ltirolesref}; } # # If no LON-CAPA username -- is user allowed to create one? # my $selfcreate; if (($uname ne '') && ($udom ne '')) { $uhome = &Apache::lonnet::homeserver($uname,$udom); if ($uhome =~ /(con_lost|no_host|no_such_host)/) { &Apache::lonnet::logthis(" LTI authorized unknown user $uname:$udom "); if (ref($lti{$itemid}{'makeuser'}) eq 'ARRAY') { if (@{$lti{$itemid}{'makeuser'}} > 0) { foreach my $ltirole (@ltiroles) { if (grep(/^\Q$ltirole\E$/,@{$lti{$itemid}{'makeuser'}})) { $selfcreate = 1; last; } } } } if ($selfcreate) { my (%rulematch,%inst_results,%curr_rules,%got_rules,%alerts); my $domdesc = &Apache::lonnet::domain($udom,'description'); my %data = ( 'permanentemail' => $env{'form.lis_person_contact_email_primary'}, 'firstname' => $env{'form.lis_person_name_given'}, 'lastname' => $env{'form.lis_person_name_family'}, 'fullname' => $env{'form.lis_person_name_full'}, ); my $result = &LONCAPA::ltiutils::create_user($lti{$itemid},$uname,$udom, $domdesc,\%data,\%alerts,\%rulematch, \%inst_results,\%curr_rules,%got_rules); if ($result eq 'notallowed') { &invalid_request($r,23); } elsif ($result eq 'ok') { if (($ltiroles[0] eq 'Instructor') && ($lcroles[0] eq 'cc') && ($lti{$itemid}{'mapcrs'}) && ($lti{$itemid}{'makecrs'})) { unless (&Apache::lonnet::usertools_access($uname,$udom,'lti','reload','requestcourses')) { &Apache::lonnet::put('environment',{ 'requestcourses.lti' => 'autolimit=', },$udom,$uname); } } } else { &invalid_request($r,24); return OK; } } else { &invalid_request($r,25); return OK; } } } else { &invalid_request($r,26); return OK; } # # If no LON-CAPA course available, check if domain's configuration # for the specific LTI Consumer allows a new course to be created # (requires role in Consumer to be: Instructor and Instructor to map to CC) # my $reqcrs; if ($cnum eq '') { if ($lti{$itemid}{'crsinc'}) { if ((@ltiroles) && ($lti{$itemid}{'mapcrs'}) && ($ltiroles[0] eq 'Instructor') && ($lcroles[0] eq 'cc') && ($lti{$itemid}{'makecrs'})) { my (%can_request,%request_domains); &Apache::lonnet::check_can_request($cdom,\%can_request,\%request_domains,$uname,$udom); if ($can_request{'lti'}) { $reqcrs = 1; <i_session($r,$itemid,$uname,$udom,$uhome,$lonhost,undef,$mapurl,$tail, $symb,$cdom,$cnum,$params,\@ltiroles,$lti{$itemid},\@lcroles, $reqcrs,$sourcecrs); } else { &invalid_request($r,27); } } else { &invalid_request($r,28); } } else { <i_session($r,$itemid,$uname,$udom,$uhome,$lonhost,undef,$mapurl,$tail, $symb,$cdom,$cnum,$params,\@ltiroles,$lti{$itemid},\@lcroles, $reqcrs,$sourcecrs); } return OK; } # # If LON-CAPA course is a Community, and LON-CAPA role # indicated is cc, change role indicated to co. # my %crsenv; if ($lcroles[0] eq 'cc') { if (($cdom ne '') && ($cnum ne '')) { %crsenv = &Apache::lonnet::coursedescription($cdom.'_'.$cnum,{ 'one_time' => 1,}); if ($crsenv{'type'} eq 'Community') { $lcroles[0] = 'co'; } } } # # Determine if user has a LON-CAPA role in the mapped LON-CAPA course. # If multiple LON-CAPA roles are available for the user's assigned LTI roles, # choose the first available LON-CAPA role in the order: cc/co, in, ta, ep, st # my ($role,$usec,$withsec); unless ((($lcroles[0] eq 'cc') || ($lcroles[0] eq 'co')) && (@lcroles == 1)) { if ($lti{$itemid}{'section'} ne '') { if ($lti{$itemid}{'section'} eq 'course_section_sourcedid') { if ($env{'form.course_section_sourcedid'} !~ /\W/) { $usec = $env{'form.course_section_sourcedid'}; } } elsif ($env{'form.'.$lti{$itemid}{'section'}} !~ /\W/) { $usec = $env{'form.'.$lti{$itemid}{'section'}}; } } if ($usec ne '') { $withsec = 1; } } if (@lcroles) { my %crsroles = &Apache::lonnet::get_my_roles($uname,$udom,'userroles',undef,\@lcroles, [$cdom],$withsec); foreach my $reqrole (@lcroles) { if ($withsec) { my $incsec; if (($reqrole eq 'cc') || ($reqrole eq 'co')) { $incsec = ''; } else { $incsec = $usec; } if (exists($crsroles{$cnum.':'.$cdom.':'.$reqrole.':'.$incsec})) { $role = $reqrole.'./'.$cdom.'/'.$cnum; if ($incsec ne '') { $role .= '/'.$usec; } last; } } else { if (exists($crsroles{$cnum.':'.$cdom.':'.$reqrole})) { $role = $reqrole.'./'.$cdom.'/'.$cnum; last; } } } } # # Determine if user can selfenroll # my ($reqrole,$selfenrollrole); if ($role eq '') { if ((@ltiroles) && (ref($lti{$itemid}{'selfenroll'}) eq 'ARRAY')) { foreach my $ltirole (@ltiroles) { if (grep(/^\Q$ltirole\E$/,@{$lti{$itemid}{'selfenroll'}})) { if (ref($lti{$itemid}{maproles}) eq 'HASH') { $reqrole = $lti{$itemid}{maproles}{$ltirole}; last; } } } } if ($reqrole eq '') { &invalid_request($r,29); return OK; } else { unless (%crsenv) { %crsenv = &Apache::lonnet::coursedescription($cdom.'_'.$cnum); } my $default_enrollment_start_date = $crsenv{'default_enrollment_start_date'}; my $default_enrollment_end_date = $crsenv{'default_enrollment_end_date'}; my $now = time; if ($default_enrollment_end_date && $default_enrollment_end_date <= $now) { &invalid_request($r,30); return OK; } elsif ($default_enrollment_start_date && $default_enrollment_start_date >$now) { &invalid_request($r,31); return OK; } else { $selfenrollrole = $reqrole.'./'.$cdom.'/'.$cnum; if (($withsec) && ($reqrole ne 'cc') && ($reqrole ne 'co')) { if ($usec ne '') { $selfenrollrole .= '/'.$usec; } } } } } # # Retrieve course type of LON-CAPA course to check if mapping from a Consumer # course identifier permitted for this type of course (one of: official, # unofficial, community, textbook, placement or lti. # unless (%crsenv) { %crsenv = &Apache::lonnet::coursedescription($cdom.'_'.$cnum); } my $crstype = lc($crsenv{'type'}); if ($crstype eq '') { $crstype = 'course'; } if ($crstype eq 'course') { if ($crsenv{'internal.coursecode'}) { $crstype = 'official'; } elsif ($crsenv{'internal.textbook'}) { $crstype = 'textbook'; } elsif ($crsenv{'internal.lti'}) { $crstype = 'lti'; } else { $crstype = 'unofficial'; } } # # Store consumer-to-LON-CAPA course mapping if permitted # if (($lti{$itemid}{'storecrs'}) && ($sourcecrs ne '') && ($consumers{$sourcecrs} eq '') && ($cnum ne '')) { if (ref($lti{$itemid}{'mapcrstype'}) eq 'ARRAY') { if (grep(/^$crstype$/,@{$lti{$itemid}{'mapcrstype'}})) { &Apache::lonnet::put_dom('lticonsumers',{ $sourcecrs => $cnum },$cdom); } } } # # Start user session # <i_session($r,$itemid,$uname,$udom,$uhome,$lonhost,$role,$mapurl,$tail,$symb, $cdom,$cnum,$params,\@ltiroles,$lti{$itemid},\@lcroles,undef,$sourcecrs, $selfenrollrole); return OK; } sub get_lti_itemid { my ($requri,$hostname,$params,$lti,$lti_by_key) = @_; return unless ((ref($params) eq 'HASH') && (ref($lti) eq 'HASH') && (ref($lti_by_key) eq 'HASH')); if (exists($params->{'oauth_callback'})) { $Net::OAuth::PROTOCOL_VERSION = Net::OAuth::PROTOCOL_VERSION_1_0A; } else { $Net::OAuth::PROTOCOL_VERSION = Net::OAuth::PROTOCOL_VERSION_1_0; } my $protocol = 'http'; if ($ENV{'SERVER_PORT'} == 443) { $protocol = 'https'; } my ($itemid,$consumer_key,$secret); my $consumer_key = $params->{'oauth_consumer_key'}; if (ref($lti_by_key->{$consumer_key}) eq 'ARRAY') { foreach my $id (@{$lti_by_key->{$consumer_key}}) { if (ref($lti->{$id}) eq 'HASH') { $secret = $lti->{$id}{'secret'}; my $request = Net::OAuth->request('request token')->from_hash($params, request_url => $protocol.'://'.$hostname.$requri, request_method => $env{'request.method'}, consumer_secret => $secret,); if ($request->verify()) { $itemid = $id; last; } } } } return $itemid; } sub lti_enroll { my ($uname,$udom,$selfenrollrole) = @_; my $enrollresult; my ($role,$cdom,$cnum,$sec) = ($selfenrollrole =~ m{^(\w+)\./($match_domain)/($match_courseid)(?:|/(\w*))$}); if (($cnum ne '') && ($cdom ne '')) { my $chome = &Apache::lonnet::homeserver($cnum,$cdom); if ($chome ne 'no_host') { my %coursehash = &Apache::lonnet::coursedescription($cdom.'_'.$cnum); my $start = $coursehash{'default_enrollment_start_date'}; my $end = $coursehash{'default_enrollment_end_date'}; $enrollresult = &LONCAPA::ltiutils::enrolluser($udom,$uname,$role,$cdom,$cnum,$sec, $start,$end,1); } } return $enrollresult; } sub lti_reqcrs { my ($r,$cdom,$form,$uname,$udom) = @_; my (%can_request,%request_domains); &Apache::lonnet::check_can_request($cdom,\%can_request,\%request_domains,$uname,$udom); if ($can_request{'lti'}) { my %domconfig = &Apache::lonnet::get_dom('configuration',['requestcourses'],$cdom); my %domdefs = &Apache::lonnet::get_domain_defaults($cdom); &Apache::lonrequestcourse::print_textbook_form($r,$cdom,[$cdom],\%domdefs, $domconfig{'requestcourses'}, \%can_request,'lti',$form); } else { $r->print( &Apache::loncommon::start_page('Invalid LTI call',undef,{'only_body' => 1}). &mt('Invalid LTI call'). &Apache::loncommon::end_page() ); } } sub lti_session { my ($r,$itemid,$uname,$udom,$uhome,$lonhost,$role,$mapurl,$tail,$symb,$cdom,$cnum, $params,$ltiroles,$ltihash,$lcroles,$reqcrs,$sourcecrs,$selfenrollrole) = @_; return unless ((ref($params) eq 'HASH') && (ref($ltiroles) eq 'ARRAY') && (ref($ltihash) eq 'HASH') && (ref($lcroles) eq 'ARRAY')); # # Check if user should be hosted here or switched to another server. # $r->user($uname); if ($cnum) { if ($role) { &Apache::lonnet::logthis(" LTI authorized user ($itemid): $uname:$udom, role: $role, course: $cdom\_$cnum"); } elsif ($selfenrollrole =~ m{^(\w+)\./$cdom/$cnum}) { &Apache::lonnet::logthis(" LTI authorized user ($itemid): $uname:$udom, desired role: $1 course: $cdom\_$cnum"); } } else { &Apache::lonnet::logthis(" LTI authorized user ($itemid): $uname:$udom, course dom: $cdom"); } my ($is_balancer,$otherserver,$hosthere); ($is_balancer,$otherserver) = &Apache::lonnet::check_loadbalancing($uname,$udom,'login'); if ($is_balancer) { if ($otherserver eq '') { my $lowest_load; ($otherserver,undef,undef,undef,$lowest_load) = &Apache::lonnet::choose_server($udom); if ($lowest_load > 100) { $otherserver = &Apache::lonnet::spareserver($r,$lowest_load,$lowest_load,1,$udom); } } if ($otherserver ne '') { my @hosts = &Apache::lonnet::current_machine_ids(); if (grep(/^\Q$otherserver\E$/,@hosts)) { $hosthere = $otherserver; } } } my $protocol = 'http'; if ($ENV{'SERVER_PORT'} == 443) { $protocol = 'https'; } if (($is_balancer) && (!$hosthere)) { # login but immediately go to switch server. &Apache::lonauth::success($r,$uname,$udom,$uhome,'noredirect'); if (($ltihash->{'callback'}) && ($params->{$ltihash->{'callback'}})) { &LONCAPA::ltiutils::setup_logout_callback($uname,$udom,$otherserver, $ltihash->{'key'}, $ltihash->{'secret'}, $params->{$ltihash->{'callback'}}, $r->dir_config('ltiIDsDir'), $protocol,$r->hostname); } if ($symb) { $env{'form.symb'} = $symb; $env{'request.lti.uri'} = $tail; } else { if ($mapurl) { $env{'form.origurl'} = $mapurl; $env{'request.lti.uri'} = $mapurl; } elsif ($tail =~ m{^\Q/tiny/$cdom/\E\w+$}) { $env{'form.origurl'} = $tail; $env{'request.lti.uri'} = $tail; } elsif ($tail eq "/$cdom/$cnum") { $env{'form.origurl'} = '/adm/navmaps'; $env{'request.lti.uri'} = $tail; } else { unless ($tail eq '/adm/roles') { if ($cnum) { $env{'form.origurl'} = '/adm/navmaps'; } } } } if ($role) { $env{'form.role'} = $role; } if (($lcroles->[0] eq 'cc') && ($reqcrs)) { $env{'request.lti.reqcrs'} = 1; $env{'request.lti.reqrole'} = 'cc'; $env{'request.lti.sourcecrs'} = $sourcecrs; } if ($selfenrollrole) { $env{'request.lti.selfenrollrole'} = $selfenrollrole; $env{'request.lti.sourcecrs'} = $sourcecrs; } if ($ltihash->{'passback'}) { if ($params->{'lis_result_sourcedid'}) { $env{'request.lti.passbackid'} = $params->{'lis_result_sourcedid'}; } if ($params->{'lis_outcome_service_url'}) { $env{'request.lti.passbackurl'} = $params->{'lis_outcome_service_url'}; } } if (($ltihash->{'roster'}) && (grep(/^Instructor$/,@{$ltiroles}))) { if ($params->{'ext_ims_lis_memberships_id'}) { $env{'request.lti.rosterid'} = $params->{'ext_ims_lis_memberships_id'}; } if ($params->{'ext_ims_lis_memberships_url'}) { $env{'request.lti.rosterurl'} = $params->{'ext_ims_lis_memberships_url'}; } } $env{'request.lti.login'} = $itemid; if ($params->{'launch_presentation_document_target'}) { $env{'request.lti.target'} = $params->{'launch_presentation_document_target'}; } foreach my $key (keys(%{$params})) { delete($env{'form.'.$key}); } my $redirecturl = '/adm/switchserver'; if ($otherserver ne '') { $redirecturl .= '?otherserver='.$otherserver; } $r->internal_redirect($redirecturl); $r->set_handlers('PerlHandler'=> undef); } else { # need to login them in, so generate the need data that # migrate expects to do login foreach my $key (keys(%{$params})) { delete($env{'form.'.$key}); } if (($ltihash->{'callback'}) && ($params->{$ltihash->{'callback'}})) { &LONCAPA::ltiutils::setup_logout_callback($uname,$udom,$lonhost, $ltihash->{'key'}, $ltihash->{'secret'}, $params->{$ltihash->{'callback'}}, $r->dir_config('ltiIDsDir'), $protocol,$r->hostname); } my $ip = $r->get_remote_host(); my %info=('ip' => $ip, 'domain' => $udom, 'username' => $uname, 'server' => $lonhost, 'lti.login' => $itemid, 'lti.uri' => $tail, ); if ($role) { $info{'role'} = $role; } if ($symb) { $info{'symb'} = $symb; } if (($lcroles->[0] eq 'cc') && ($reqcrs)) { $info{'lti.reqcrs'} = 1; $info{'lti.reqrole'} = 'cc'; $info{'lti.sourcecrs'} = $sourcecrs; } if ($selfenrollrole) { $info{'lti.selfenrollrole'} = $selfenrollrole; } if ($ltihash->{'passback'}) { if ($params->{'lis_result_sourcedid'}) { $info{'lti.passbackid'} = $params->{'lis_result_sourcedid'} } if ($params->{'lis_outcome_service_url'}) { $info{'lti.passbackurl'} = $params->{'lis_outcome_service_url'} } } if (($ltihash->{'roster'}) && (grep(/^Instructor$/,@{$ltiroles}))) { if ($params->{'ext_ims_lis_memberships_id'}) { $info{'lti.rosterid'} = $params->{'ext_ims_lis_memberships_id'}; } if ($params->{'ext_ims_lis_memberships_url'}) { $info{'lti.rosterurl'} = $params->{'ext_ims_lis_memberships_url'}; } } if ($params->{'launch_presentation_document_target'}) { $info{'lti.target'} = $params->{'launch_presentation_document_target'}; } unless ($info{'symb'}) { if ($mapurl) { $info{'origurl'} = $mapurl; } elsif ($tail =~ m{^\Q/tiny/$cdom/\E\w+$}) { $info{'origurl'} = $tail; } else { unless ($tail eq '/adm/roles') { if ($cnum) { $info{'origurl'} = '/adm/navmaps'; } } } } if (($is_balancer) && ($hosthere)) { $info{'noloadbalance'} = $hosthere; } my $token = &Apache::lonnet::tmpput(\%info,$lonhost); $env{'form.token'} = $token; $r->internal_redirect('/adm/migrateuser'); $r->set_handlers('PerlHandler'=> undef); } return; } sub invalid_request { my ($r,$num) = @_; &Apache::loncommon::content_type($r,'text/html'); $r->send_http_header; if ($r->header_only) { return; } &Apache::lonlocal::get_language_handle($r); $r->print( &Apache::loncommon::start_page('Invalid LTI call','',{ 'only_body' => 1,}). &mt('Invalid LTI call [_1]',$num). &Apache::loncommon::end_page()); return; } sub course_from_tinyurl { my ($tail) = @_; my ($urlcdom,$urlcnum); if ($tail =~ m{^/tiny/($match_domain)/(\w+)$}) { ($urlcdom,my $key) = ($1,$2); my $tinyurl; my ($result,$cached)=&Apache::lonnet::is_cached_new('tiny',$urlcdom."\0".$key); if (defined($cached)) { $tinyurl = $result; } else { my $configuname = &Apache::lonnet::get_domainconfiguser($urlcdom); my %currtiny = &Apache::lonnet::get('tiny',[$key],$urlcdom,$configuname); if ($currtiny{$key} ne '') { $tinyurl = $currtiny{$key}; &Apache::lonnet::do_cache_new('tiny',$urlcdom."\0".$key,$currtiny{$key},600); } } if ($tinyurl ne '') { $urlcnum = (split(/\&/,$tinyurl))[0]; } } return ($urlcdom,$urlcnum); } 1;