--- loncom/lti/ltiutils.pm 2019/07/18 18:28:46 1.17 +++ loncom/lti/ltiutils.pm 2023/07/05 21:25:10 1.17.2.4 @@ -1,7 +1,7 @@ # The LearningOnline Network with CAPA # Utility functions for managing LON-CAPA LTI interactions # -# $Id: ltiutils.pm,v 1.17 2019/07/18 18:28:46 raeburn Exp $ +# $Id: ltiutils.pm,v 1.17.2.4 2023/07/05 21:25:10 raeburn Exp $ # # Copyright Michigan State University Board of Trustees # @@ -32,7 +32,9 @@ use strict; use Net::OAuth; use Digest::SHA; use Digest::MD5 qw(md5_hex); +use Encode; use UUID::Tiny ':std'; +use LWP::UserAgent(); use Apache::lonnet; use Apache::loncommon; use Apache::loncoursedata; @@ -41,6 +43,7 @@ use Apache::lonenc(); use Apache::longroup(); use Apache::lonlocal; use Math::Round(); +use LONCAPA::Lond; use LONCAPA qw(:DEFAULT :match); # @@ -96,8 +99,8 @@ sub check_nonce { # LON-CAPA as LTI Consumer # # Determine the domain and the courseID of the LON-CAPA course -# for which access is needed by a Tool Provider -- either to -# retrieve a roster or store the grade for an instance of an +# for which access is needed by a Tool Provider -- either to +# retrieve a roster or store the grade for an instance of an # external tool in the course. # @@ -142,8 +145,8 @@ sub get_loncapa_course { # # LON-CAPA as LTI Consumer # -# Determine the symb and (optionally) LON-CAPA user for an -# instance of an external tool in a course -- either to +# Determine the symb and (optionally) LON-CAPA user for an +# instance of an external tool in a course -- either to # to retrieve a roster or store a grade. # # Use the digested symb to lookup the real symb in exttools.db @@ -155,7 +158,7 @@ sub get_tool_instance { my ($cdom,$cnum,$digsymb,$diguser,$errors) = @_; return unless (ref($errors) eq 'HASH'); my ($marker,$symb,$uname,$udom); - my @keys = ($digsymb); + my @keys = ($digsymb); if ($diguser) { push(@keys,$diguser); } @@ -186,15 +189,15 @@ sub get_tool_instance { # LON-CAPA as LTI Consumer # # Retrieve data needed to validate a request from a Tool Provider -# for a roster or to store a grade for an instance of an external +# for a roster or to store a grade for an instance of an external # tool in a LON-CAPA course. # -# Retrieve the Consumer key and Consumer secret from the domain +# Retrieve the Consumer key and Consumer secret from the domain # configuration or the Tool Provider ID stored in the # exttool_$marker db file and compare the Consumer key with the # one in the POSTed data. # -# Side effect is to populate the $toolsettings hashref with the +# Side effect is to populate the $toolsettings hashref with the # contents of the .db file (instance of tool in course) and the # $ltitools hashref with the configuration for the tool (at # domain level). @@ -209,11 +212,30 @@ sub get_tool_secret { %{$toolsettings}=&Apache::lonnet::dump('exttool_'.$marker,$cdom,$cnum); if ($toolsettings->{'id'}) { my $idx = $toolsettings->{'id'}; - my %lti = &Apache::lonnet::get_domain_lti($cdom,'consumer'); - if (ref($lti{$idx}) eq 'HASH') { - %{$ltitools} = %{$lti{$idx}}; - if ($ltitools->{'key'} eq $key) { - $consumer_secret = $ltitools->{'secret'}; + my ($crsdef,$ltinum); + if ($idx =~ /^c(\d+)$/) { + $ltinum = $1; + $crsdef = 1; + my %crslti = &Apache::lonnet::get_course_lti($cnum,$cdom,'consumer'); + if (ref($crslti{$ltinum}) eq 'HASH') { + %{$ltitools} = %{$crslti{$ltinum}}; + } else { + undef($ltinum); + } + } elsif ($idx =~ /^\d+$/) { + my %lti = &Apache::lonnet::get_domain_lti($cdom,'consumer'); + if (ref($lti{$idx}) eq 'HASH') { + %{$ltitools} = %{$lti{$idx}}; + $ltinum = $idx; + } + } + if ($ltinum ne '') { + my $loncaparev = &Apache::lonnet::get_server_loncaparev($cdom); + my $keynum = $ltitools->{'cipher'}; + my ($poss_key,$poss_secret) = + &LONCAPA::Lond::get_lti_credentials($cdom,$cnum,$crsdef,'tools',$ltinum,$keynum,$loncaparev); + if ($poss_key eq $key) { + $consumer_secret = $poss_secret; $nonce_lifetime = $ltitools->{'lifetime'}; } else { $errors->{11} = 1; @@ -241,6 +263,8 @@ sub get_tool_secret { # secret for the specific LTI Provider. # +# FIXME Move to Lond.pm and perform on course's homeserver + sub verify_request { my ($oauthtype,$protocol,$hostname,$requri,$reqmethod,$consumer_secret,$params, $authheaders,$errors) = @_; @@ -286,7 +310,7 @@ sub verify_request { sub verify_lis_item { my ($sigrec,$context,$digsymb,$diguser,$cdom,$cnum,$toolsettings,$ltitools,$errors) = @_; - return unless ((ref($toolsettings) eq 'HASH') && (ref($ltitools) eq 'HASH') && + return unless ((ref($toolsettings) eq 'HASH') && (ref($ltitools) eq 'HASH') && (ref($errors) eq 'HASH')); my ($has_action, $valid_for); if ($context eq 'grade') { @@ -307,7 +331,7 @@ sub verify_lis_item { my $expected_sig; if ($context eq 'grade') { my $uniqid = $digsymb.':::'.$diguser.':::'.$cdom.'_'.$cnum; - $expected_sig = (split(/:::/,&get_service_id($secret,$uniqid)))[0]; + $expected_sig = (split(/:::/,&get_service_id($secret,$uniqid)))[0]; if ($expected_sig eq $sigrec) { return 1; } else { @@ -315,7 +339,7 @@ sub verify_lis_item { } } elsif ($context eq 'roster') { my $uniqid = $digsymb.':::'.$cdom.'_'.$cnum; - $expected_sig = (split(/:::/,&get_service_id($secret,$uniqid)))[0]; + $expected_sig = (split(/:::/,&get_service_id($secret,$uniqid)))[0]; if ($expected_sig eq $sigrec) { return 1; } else { @@ -394,12 +418,12 @@ sub get_service_id { # grade store). An existing secret past its expiration date # will be stored as oldsecret, and a new secret # secret will be stored. -# -# Secrets are specific to service name and to the tool instance +# +# Secrets are specific to service name and to the tool instance # (and are stored in the exttool_$marker db file). -# The time period a secret remains valid is determined by the +# The time period a secret remains valid is determined by the # domain configuration for the specific tool and the service. -# +# sub set_service_secret { my ($cdom,$cnum,$marker,$name,$now,$toolsettings,$ltitools) = @_; @@ -449,7 +473,7 @@ sub set_service_secret { # # LON-CAPA as LTI Consumer # -# Add a lock key to exttools.db for the instance of an external tool +# Add a lock key to exttools.db for the instance of an external tool # when generating and storing a service secret. # @@ -516,7 +540,7 @@ sub parse_grade_xml { my ($text) = @_; if ("@state" eq "imsx_POXEnvelopeRequest imsx_POXBody replaceResultRequest resultRecord sourcedGUID sourcedId") { $data{$count}{sourcedid} = $text; - } elsif ("@state" eq "imsx_POXEnvelopeRequest imsx_POXBody replaceResultRequest resultRecord result resultScore textString") { + } elsif ("@state" eq "imsx_POXEnvelopeRequest imsx_POXBody replaceResultRequest resultRecord result resultScore textString") { $data{$count}{score} = $text; } }, "dtext"], @@ -652,14 +676,16 @@ sub lti_provider_scope { # sub get_roster { - my ($id,$url,$ckey,$secret) = @_; + my ($cdom,$cnum,$ltinum,$keynum,$id,$url) = @_; my %ltiparams = ( lti_version => 'LTI-1p0', lti_message_type => 'basic-lis-readmembershipsforcontext', ext_ims_lis_memberships_id => $id, ); - my $hashref = &sign_params($url,$ckey,$secret,\%ltiparams); - if (ref($hashref) eq 'HASH') { + my %info = (); + my ($status,$hashref) = + &Apache::lonnet::sign_lti($cdom,$cnum,'','lti','roster',$url,$ltinum,$keynum,\%ltiparams,\%info); + if (($status eq 'ok') && (ref($hashref) eq 'HASH')) { my $request=new HTTP::Request('POST',$url); $request->content(join('&',map { my $name = escape($_); @@ -667,7 +693,9 @@ sub get_roster { ? join("&$name=", map {escape($_) } @{$hashref->{$_}}) : &escape($hashref->{$_}) ); } keys(%{$hashref}))); - my $response = &LONCAPA::LWPReq::makerequest('',$request,'','',10); + my $ua=new LWP::UserAgent; + $ua->timeout(10); + my $response=$ua->request($request); my $message=$response->status_line; if (($response->is_success) && ($response->content ne '')) { my %data = (); @@ -717,7 +745,7 @@ sub get_roster { # sub send_grade { - my ($id,$url,$ckey,$secret,$scoretype,$sigmethod,$msgformat,$total,$possible) = @_; + my ($cdom,$cnum,$crsdef,$type,$ltinum,$keynum,$id,$url,$scoretype,$sigmethod,$msgformat,$total,$possible) = @_; my $score; if ($possible > 0) { if ($scoretype eq 'ratio') { @@ -746,8 +774,13 @@ sub send_grade { result_statusofresult => 'final', result_date => $date, ); - my $hashref = &sign_params($url,$ckey,$secret,\%ltiparams,$sigmethod); - if (ref($hashref) eq 'HASH') { + my %info = ( + method => $sigmethod, + ); + my ($status,$hashref) = + &Apache::lonnet::sign_lti($cdom,$cnum,$crsdef,$type,'grade',$url,$ltinum,$keynum, + \%ltiparams,\%info); + if (($status eq 'ok') && (ref($hashref) eq 'HASH')) { $request=new HTTP::Request('POST',$url); $request->content(join('&',map { my $name = escape($_); @@ -755,10 +788,10 @@ sub send_grade { ? join("&$name=", map {escape($_) } @{$hashref->{$_}}) : &escape($hashref->{$_}) ); } keys(%{$hashref}))); +#FIXME Need to handle case where passback failed. } } else { srand( time() ^ ($$ + ($$ << 15)) ); # Seed rand. - my $nonce = Digest::SHA::sha1_hex(sprintf("%06x%06x",rand(0xfffff0),rand(0xfffff0))); my $uniqmsgid = int(rand(2**32)); my $gradexml = < @@ -772,15 +805,15 @@ sub send_grade { - - $id - - - - en - $score - - + + $id + + + + en + $score + + @@ -791,37 +824,40 @@ END while (length($bodyhash) % 4) { $bodyhash .= '='; } - my $gradereq = Net::OAuth->request('consumer')->new( - consumer_key => $ckey, - consumer_secret => $secret, - request_url => $url, - request_method => 'POST', - signature_method => $sigmethod, - timestamp => time(), - nonce => $nonce, - body_hash => $bodyhash, - ); - $gradereq->add_required_message_params('body_hash'); - $gradereq->sign(); - $request = HTTP::Request->new( - $gradereq->request_method, - $gradereq->request_url, - [ - 'Authorization' => $gradereq->to_authorization_header, - 'Content-Type' => 'application/xml', - ], - $gradexml, - ); - } - my $response = &LONCAPA::LWPReq::makerequest('',$request,'','',10); - my $message=$response->status_line; + my $reqmethod = 'POST'; + my %info = ( + body_hash => $bodyhash, + method => $sigmethod, + reqtype => 'consumer', + reqmethod => $reqmethod, + respfmt => 'to_authorization_header', + ); + my %params; + my ($status,$authheader) = + &Apache::lonnet::sign_lti($cdom,$cnum,$crsdef,$type,'grade',$url,$ltinum,$keynum,\%params,\%info); + if (($status eq 'ok') && ($authheader ne '')) { + $request = HTTP::Request->new( + $reqmethod, + $url, + [ + 'Authorization' => $authheader, + 'Content-Type' => 'application/xml', + ], + $gradexml, + ); + my $ua=new LWP::UserAgent; + $ua->timeout(10); + my $response=$ua->request($request); + my $message=$response->status_line; #FIXME Handle case where pass back of score to LTI Consumer failed. + } + } } sub setup_logout_callback { - my ($uname,$udom,$server,$ckey,$secret,$service_url,$idsdir,$protocol,$hostname) = @_; + my ($cdom,$cnum,$crstool,$idx,$keynum,$uname,$udom,$server,$service_url,$idsdir,$protocol,$hostname) = @_; if ($service_url =~ m{^https?://[^/]+/}) { - my $digest_user = &Encode::decode_utf8($uname.':'.$udom); + my $digest_user = &Encode::decode('UTF-8',$uname.':'.$udom); my $loginfile = &Digest::SHA::sha1_hex($digest_user).&md5_hex(&md5_hex(time.{}.rand().$$)); if ((-d $idsdir) && (open(my $fh,'>',"$idsdir/$loginfile"))) { print $fh "$uname,$udom,$server\n"; @@ -830,11 +866,19 @@ sub setup_logout_callback { my %ltiparams = ( callback => $callback, ); - my $post = &sign_params($service_url,$ckey,$secret,\%ltiparams, - '','','',1); - my $request=new HTTP::Request('POST',$service_url); - $request->content($post); - my $response = &LONCAPA::LWPReq::makerequest('',$request,'','',10); + my %info = ( + respfmt => 'to_post_body', + ); + my ($status,$post) = + &Apache::lonnet::sign_lti($cdom,$cnum,$crstool,'lti','logout',$service_url,$idx, + $keynum,\%ltiparams,\%info); + if (($status eq 'ok') && ($post ne '')) { + my $ua=new LWP::UserAgent; + $ua->timeout(10); + my $request=new HTTP::Request('POST',$service_url); + $request->content($post); + my $response=$ua->request($request); + } } } return; @@ -1028,8 +1072,8 @@ sub enrolluser { # with LTI Instructor status. # # A list of users is obtained by a call to get_roster() -# if the calling Consumer support the LTI extension: -# Context Memberships Service. +# if the calling Consumer support the LTI extension: +# Context Memberships Service. # # If a user included in the retrieved list does not currently # have a user account in LON-CAPA, an account will be created. @@ -1065,20 +1109,21 @@ sub enrolluser { sub batchaddroster { my ($item) = @_; - return unless(ref($item) eq 'HASH'); - return unless (ref($item->{'ltiref'}) eq 'HASH'); + return unless((ref($item) eq 'HASH') && + (ref($item->{'ltiref'}) eq 'HASH')); my ($cdom,$cnum) = split(/_/,$item->{'cid'}); + return if (($cdom eq '') || ($cnum eq '')); my $udom = $cdom; my $id = $item->{'id'}; my $url = $item->{'url'}; + my $ltinum = $item->{'lti'}; + my $keynum = $item->{'ltiref'}->{'cipher'}; my @intdoms; my $intdomsref = $item->{'intdoms'}; if (ref($intdomsref) eq 'ARRAY') { @intdoms = @{$intdomsref}; } my $uriscope = $item->{'uriscope'}; - my $ckey = $item->{'ltiref'}->{'key'}; - my $secret = $item->{'ltiref'}->{'secret'}; my $section = $item->{'ltiref'}->{'section'}; $section =~ s/\W//g; if ($section eq 'none') { @@ -1097,8 +1142,8 @@ sub batchaddroster { if (ref($item->{'possroles'}) eq 'ARRAY') { @possroles = @{$item->{'possroles'}}; } - if (($ckey ne '') && ($secret ne '') && ($id ne '') && ($url ne '')) { - my %data = &get_roster($id,$url,$ckey,$secret); + if (($id ne '') && ($url ne '')) { + my %data = &get_roster($cdom,$cnum,$ltinum,$keynum,$id,$url); if (keys(%data) > 0) { my (%rulematch,%inst_results,%curr_rules,%got_rules,%alerts,%info); my %coursehash = &Apache::lonnet::coursedescription($cdom.'_'.$cnum); @@ -1332,10 +1377,10 @@ sub get_lc_roles { # LON-CAPA as LTI Provider # # Compares current start and dates for a user's role -# with dates to apply for the same user/role to +# with dates to apply for the same user/role to # determine if there is a change between the current # ones and the updated ones. -# +# sub datechange_check { my ($oldstart,$oldend,$startdate,$enddate) = @_;