atomic_lti 1.1.0

data/lib/atomic_lti/open_id_middleware.rb

@@ -0,0 +1,270 @@
+module AtomicLti
+  class OpenIdMiddleware
+    def initialize(app)
+      @app = app
+    end
+
+    def init_paths
+      [
+        AtomicLti.oidc_init_path
+      ]
+    end
+
+    def redirect_paths
+      [
+        AtomicLti.oidc_redirect_path
+      ]
+    end
+
+    def handle_init(request)
+      nonce = SecureRandom.hex(64)
+
+      redirect_uri = [request.base_url, AtomicLti.oidc_redirect_path].join
+
+      state = AtomicLti::OpenId.state
+      url = build_oidc_response(request, state, nonce, redirect_uri)
+
+      headers = { "Location" => url, "Content-Type" => "text/html" }
+      Rack::Utils.set_cookie_header!(headers, "open_id_state", state)
+      [302, headers, ["Found"]]
+    end
+
+    def handle_redirect(request)
+      raise AtomicLti::Exceptions::NoLTIToken if request.params["id_token"].blank?
+
+      lti_token = AtomicLti::Authorization.validate_token(
+        request.params["id_token"],
+      )
+
+      AtomicLti::Lti.validate!(lti_token)
+
+      uri = URI(request.url)
+      # Technically the target_link_uri is not required and the certification suite
+      # does not send it on a deep link launch. Typically target link uri will be present
+      # but at least for the certification suite we have to have a backup default
+      # value that can be set in the configuration of Atomic LTI using
+      # the default_deep_link_path
+      target_link_uri = lti_token[AtomicLti::Definitions::TARGET_LINK_URI_CLAIM] ||
+        File.join("#{uri.scheme}://#{uri.host}", AtomicLti.default_deep_link_path)
+
+        redirect_params = {
+        state: request.params["state"],
+        id_token: request.params["id_token"],
+      }
+      html = ApplicationController.renderer.render(
+        :html,
+        layout: false,
+        template: "atomic_lti/shared/redirect",
+        assigns: { launch_params: redirect_params, launch_url: target_link_uri },
+      )
+
+      [200, { "Content-Type" => "text/html" }, [html]]
+    end
+
+    def matches_redirect?(request)
+      raise AtomicLti::Exceptions::ConfigurationError.new("AtomicLti.oidc_redirect_path is not configured") if AtomicLti.oidc_redirect_path.blank?
+      redirect_uri = URI.parse(AtomicLti.oidc_redirect_path)
+      redirect_path_params = if redirect_uri.query
+                               CGI.parse(redirect_uri.query)
+                             else
+                               []
+                             end
+
+      matches_redirect_path = request.path == redirect_uri.path
+
+      return false if !matches_redirect_path
+
+      params_match = redirect_path_params.all? { |key, values| request.params[key] == values.first }
+
+      matches_redirect_path && params_match
+    end
+
+    def matches_target_link?(request)
+      AtomicLti.target_link_path_prefixes.any? do |prefix|
+        request.path.starts_with? prefix
+      end || request.path.starts_with?(AtomicLti.default_deep_link_path)
+    end
+
+    def handle_lti_launch(env, request)
+      id_token = request.params["id_token"]
+      state = request.params["state"]
+      url = request.url
+
+      payload = valid_token(state: state, id_token: id_token, url: url)
+      if payload
+        decoded_jwt = payload
+
+        update_install(id_token: decoded_jwt)
+        update_platform_instance(id_token: decoded_jwt)
+        update_deployment(id_token: decoded_jwt)
+        update_lti_context(id_token: decoded_jwt)
+
+        errors = decoded_jwt.dig(AtomicLti::Definitions::TOOL_PLATFORM_CLAIM, 'errors')
+        if errors.present? && !errors['errors'].empty?
+          Rails.logger.error("Detected errors in lti launch: #{errors}, id_token: #{id_token}")
+        end
+
+        env['atomic.validated.decoded_id_token'] = decoded_jwt
+        env['atomic.validated.id_token'] = id_token
+
+        @app.call(env)
+      else
+        Rails.logger.info("Invalid lti launch: id_token: #{payload} - id_token: #{id_token} - state: #{state} - url: #{url}")
+        [401, {}, ["Invalid Lti Launch"]]
+      end
+    end
+
+    def error!(body = "Error", status = 500, headers = {"Content-Type" => "text/html"})
+      [status, headers, [body]]
+    end
+
+    def call(env)
+      request = Rack::Request.new(env)
+      if init_paths.include?(request.path)
+        handle_init(request)
+      elsif matches_redirect?(request)
+        handle_redirect(request)
+      elsif matches_target_link?(request) && request.params["id_token"].present?
+        handle_lti_launch(env, request)
+      else
+        @app.call(env)
+      end
+    end
+
+    protected
+
+    def update_platform_instance(id_token:)
+      if id_token[AtomicLti::Definitions::TOOL_PLATFORM_CLAIM].present? && id_token.dig(AtomicLti::Definitions::TOOL_PLATFORM_CLAIM, 'guid').present?
+        name = id_token.dig(AtomicLti::Definitions::TOOL_PLATFORM_CLAIM, 'name')
+        version = id_token.dig(AtomicLti::Definitions::TOOL_PLATFORM_CLAIM, 'version')
+        product_family_code = id_token.dig(AtomicLti::Definitions::TOOL_PLATFORM_CLAIM, 'product_family_code')
+
+        AtomicLti::PlatformInstance.create_with(
+          name: name,
+          version: version,
+          product_family_code: product_family_code,
+        ).find_or_create_by!(
+          iss: id_token['iss'],
+          guid: id_token.dig(AtomicLti::Definitions::TOOL_PLATFORM_CLAIM, 'guid')
+        ).update!(
+          name: name,
+          version: version,
+          product_family_code: product_family_code,
+        )
+      else
+        Rails.logger.info("No platform guid recieved: #{id_token}")
+      end
+    end
+
+    def update_install(id_token:)
+      client_id = id_token["aud"]
+      iss = id_token["iss"]
+
+      if client_id.present? && iss.present?
+
+        AtomicLti::Install.find_or_create_by!(
+          iss: iss,
+          client_id: client_id
+        )
+      else
+        Rails.logger.info("No client_id recieved: #{id_token}")
+      end
+    end
+
+    def update_lti_context(id_token:)
+      if id_token[AtomicLti::Definitions::CONTEXT_CLAIM].present? && id_token[AtomicLti::Definitions::CONTEXT_CLAIM]['id'].present?
+        iss = id_token['iss']
+        deployment_id = id_token[AtomicLti::Definitions::DEPLOYMENT_ID]
+        context_id = id_token[AtomicLti::Definitions::CONTEXT_CLAIM]['id']
+        label = id_token[AtomicLti::Definitions::CONTEXT_CLAIM]['label']
+        title = id_token[AtomicLti::Definitions::CONTEXT_CLAIM]['title']
+        types = id_token[AtomicLti::Definitions::CONTEXT_CLAIM]['type']
+
+        AtomicLti::Context.create_with(
+          label: label,
+          title: title,
+          types: types,
+        ).find_or_create_by!(
+          iss: iss,
+          deployment_id: deployment_id,
+          context_id: context_id
+        ).update!(
+          label: label,
+          title: title,
+          types: types,
+        )
+      else
+        Rails.logger.info("No context claim recieved: #{id_token}")
+      end
+    end
+
+    def update_deployment(id_token:)
+      client_id = id_token["aud"]
+      iss = id_token["iss"]
+      deployment_id = id_token[AtomicLti::Definitions::DEPLOYMENT_ID]
+      platform_guid = id_token.dig(AtomicLti::Definitions::TOOL_PLATFORM_CLAIM, "guid")
+
+      Rails.logger.debug("Associating deployment: #{iss}/#{deployment_id} with client_id: iss: #{iss} / client_id: #{client_id} / platform_guid: #{platform_guid}")
+
+
+      AtomicLti::Deployment
+        .create_with(
+          client_id: client_id,
+          platform_guid: platform_guid
+        ).find_or_create_by!(
+          iss: iss,
+          deployment_id: deployment_id
+        ).update!(
+          client_id: client_id,
+          platform_guid: platform_guid
+        )
+    end
+
+    def valid_token(state:, id_token:, url:)
+      # Validate the state by checking the database for the nonce
+      valid_state = AtomicLti::OpenId.validate_open_id_state(state)
+
+      return false if !valid_state
+
+      token = false
+
+      begin
+        token = AtomicLti::Authorization.validate_token(id_token)
+      rescue JWT::DecodeError => e
+        Rails.logger.error("Unable to decode jwt: #{e}, #{e.backtrace}")
+        return false
+      end
+
+      return false if token.nil?
+
+      AtomicLti::Lti.validate!(token, url, true)
+
+      token
+    end
+
+    def build_oidc_response(request, state, nonce, redirect_uri)
+      platform = AtomicLti::Platform.find_by(iss: request.params["iss"])
+      if !platform
+        raise AtomicLti::Exceptions::NoLTIPlatform, "No LTI Platform found for iss #{request.params["iss"]}"
+      end
+
+      uri = URI.parse(platform.oidc_url)
+      uri_params = Rack::Utils.parse_query(uri.query)
+      auth_params = {
+        response_type: "id_token",
+        redirect_uri: redirect_uri,
+        response_mode: "form_post",
+        client_id: request.params["client_id"],
+        scope: "openid",
+        state: state,
+        login_hint: request.params["login_hint"],
+        prompt: "none",
+        lti_message_hint: request.params["lti_message_hint"],
+        nonce: nonce,
+      }.merge(uri_params)
+      uri.fragment = uri.query = nil
+
+      [uri.to_s, "?", auth_params.to_query].join
+    end
+  end
+end

data/lib/atomic_lti/version.rb

@@ -0,0 +1,3 @@
+module AtomicLti
+  VERSION = '1.1.0'
+end

data/lib/atomic_lti.rb

@@ -0,0 +1,27 @@
+require "atomic_lti/version"
+require "atomic_lti/engine"
+require "atomic_lti/open_id_middleware"
+require "atomic_lti/error_handling_middleware"
+require_relative "../app/lib/atomic_lti/definitions"
+
+module AtomicLti
+
+  # Set this to true to scope context_id's to the ISS rather than
+  # to the deployment id.  We anticipate LMS's will work this
+  # way, and it means that reinstalling into a course won't change
+  # the context records.
+  mattr_accessor :context_scope_to_iss
+  @@context_scope_to_iss = true
+
+  mattr_accessor :oidc_init_path
+  mattr_accessor :oidc_redirect_path
+  mattr_accessor :target_link_path_prefixes
+  mattr_accessor :default_deep_link_path
+  mattr_accessor :jwt_secret
+  mattr_accessor :scopes
+
+  def self.get_deployments(iss:, deployment_ids:)
+    AtomicLti::Deployment.where(iss: iss, deployment_id: deployment_ids)
+  end
+
+end

data/lib/tasks/atomic_lti_tasks.rake

@@ -0,0 +1,4 @@
+# desc "Explaining what the task does"
+# task :atomic_lti do
+#   # Task goes here
+# end

metadata

@@ -0,0 +1,129 @@
+--- !ruby/object:Gem::Specification
+name: atomic_lti
+version: !ruby/object:Gem::Version
+  version: 1.1.0
+platform: ruby
+authors:
+- Matt Petro
+- Justin Ball
+autorequire:
+bindir: bin
+cert_chain: []
+date: 2023-02-27 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: rails
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 7.0.3
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 7.0.3
+- !ruby/object:Gem::Dependency
+  name: pg
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 1.3.5
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 1.3.5
+description: AtomicLti implements the LTI Advantage specification. This gem does contain
+  source code specific to other Atomic Jolt products
+email:
+- matt.petro@atomicjolt.com
+- justin.ball@atomicjolt.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- MIT-LICENSE
+- README.md
+- Rakefile
+- app/assets/config/atomic_lti_manifest.js
+- app/assets/stylesheets/atomic_lti/application.css
+- app/assets/stylesheets/atomic_lti/jwks.css
+- app/controllers/atomic_lti/jwks_controller.rb
+- app/helpers/atomic_lti/launch_helper.rb
+- app/jobs/atomic_lti/application_job.rb
+- app/lib/atomic_lti/auth_token.rb
+- app/lib/atomic_lti/authorization.rb
+- app/lib/atomic_lti/config.rb
+- app/lib/atomic_lti/deep_linking.rb
+- app/lib/atomic_lti/definitions.rb
+- app/lib/atomic_lti/exceptions.rb
+- app/lib/atomic_lti/lti.rb
+- app/lib/atomic_lti/open_id.rb
+- app/lib/atomic_lti/params.rb
+- app/lib/atomic_lti/services/base.rb
+- app/lib/atomic_lti/services/line_items.rb
+- app/lib/atomic_lti/services/names_and_roles.rb
+- app/lib/atomic_lti/services/results.rb
+- app/lib/atomic_lti/services/score.rb
+- app/lib/atomic_lti/services/score_canvas.rb
+- app/mailers/atomic_lti/application_mailer.rb
+- app/models/atomic_lti/application_record.rb
+- app/models/atomic_lti/context.rb
+- app/models/atomic_lti/deployment.rb
+- app/models/atomic_lti/install.rb
+- app/models/atomic_lti/jwk.rb
+- app/models/atomic_lti/oauth_state.rb
+- app/models/atomic_lti/open_id_state.rb
+- app/models/atomic_lti/platform.rb
+- app/models/atomic_lti/platform_instance.rb
+- app/views/atomic_lti/launches/index.html.erb
+- app/views/atomic_lti/shared/redirect.html.erb
+- app/views/layouts/atomic_lti/application.html.erb
+- config/routes.rb
+- db/migrate/20220428175127_create_atomic_lti_platforms.rb
+- db/migrate/20220428175128_create_atomic_lti_platform_instances.rb
+- db/migrate/20220428175247_create_atomic_lti_installs.rb
+- db/migrate/20220428175305_create_atomic_lti_deployments.rb
+- db/migrate/20220428175336_create_atomic_lti_contexts.rb
+- db/migrate/20220428175423_create_atomic_lti_oauth_states.rb
+- db/migrate/20220503003528_create_atomic_lti_jwks.rb
+- db/migrate/20221010140920_create_open_id_state.rb
+- db/seeds.rb
+- lib/atomic_lti.rb
+- lib/atomic_lti/engine.rb
+- lib/atomic_lti/error_handling_middleware.rb
+- lib/atomic_lti/open_id_middleware.rb
+- lib/atomic_lti/version.rb
+- lib/tasks/atomic_lti_tasks.rake
+homepage: https://github.com/atomicjolt/atomic_lti
+licenses:
+- MIT
+metadata:
+  homepage_uri: https://github.com/atomicjolt/atomic_lti
+  source_code_uri: https://github.com/atomicjolt/atomic_lti
+post_install_message:
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.1.6
+signing_key:
+specification_version: 4
+summary: AtomicLti implements the LTI Advantage specification.
+test_files: []