atomic_lti 1.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 1001c55b8a026812a60d322798ed5838ccfa9f9aebe538563b5f33befc7f339b
+  data.tar.gz: 2b19bd4852d7a04517677331951c2a0c9968c79d4e7121e0ffe07892e8f8474a
+SHA512:
+  metadata.gz: fa00363f1e618f46db5c5bcb0a0efab5b5b4ebb470b316f3e3a10367e8e5b2dd6b7dca7309c17c59576a086367f99b8109ea7b9e6cc77252c98cfe9f312fa236
+  data.tar.gz: 4b537933b0208bdb34b88e893fd5817a6b5b21bea6a0ac6d2457ed7ba8ac6d71ecd721054e0638a2666c4d559973cf21ecfe05827bd5575bf36f50d956b70b1a

data/MIT-LICENSE

@@ -0,0 +1,20 @@
+Copyright 2022 Matt Petro
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,22 @@
+# AtomicLti
+Atomic LTI implements the LTI Advantage specification.
+
+## Usage
+Add the gem:
+
+  `gem 'atomic_lti', git: 'https://github.com/atomicjolt/atomic_lti.git', tag: '1.0.9'`
+
+Add an initializer
+  `config/initializers/atomic_lti.rb`
+
+with the following contents. Adjust paths as needed.
+
+  `
+  AtomicLti.oidc_init_path = "/oidc/init"
+  AtomicLti.oidc_redirect_path = "/oidc/redirect"
+  AtomicLti.target_link_path_prefixes = ["/lti_launches"]
+  AtomicLti.default_deep_link_path = "/lti_launches"
+  AtomicLti.jwt_secret = Rails.application.secrets.auth0_client_secret
+  AtomicLti.scopes = AtomicLti::Definitions.scopes.join(" ")
+  `
+

data/Rakefile

@@ -0,0 +1,13 @@
+require "bundler/setup"
+
+APP_RAKEFILE = File.expand_path("test/dummy/Rakefile", __dir__)
+load "rails/tasks/engine.rake"
+
+load "rails/tasks/statistics.rake"
+
+require "bundler/gem_tasks"
+
+require 'rspec/core/rake_task'
+
+RSpec::Core::RakeTask.new(:spec)
+task default: :spec

data/app/assets/config/atomic_lti_manifest.js

@@ -0,0 +1 @@
+//= link_directory ../stylesheets/atomic_lti .css

data/app/assets/stylesheets/atomic_lti/jwks.css

@@ -0,0 +1,4 @@
+/*
+  Place all the styles related to the matching controller here.
+  They will automatically be included in application.css.
+*/

data/app/controllers/atomic_lti/jwks_controller.rb

@@ -0,0 +1,17 @@
+module AtomicLti
+  class JwksController < ::ApplicationController
+    def index
+      respond_to do |format|
+        # Map is required or the outer to_json will show your private keys to the world
+        format.json { render json: { keys: jwks_from_domain.map(&:to_json) }.to_json }
+        format.text { render plain: jwks_from_domain.map(&:to_pem).join('\n') }
+      end
+    end
+
+    protected
+
+    def jwks_from_domain
+      Jwk.where(domain: request.host_with_port).presence || Jwk.where(domain: nil)
+    end
+  end
+end

data/app/helpers/atomic_lti/launch_helper.rb

@@ -0,0 +1,4 @@
+module AtomicLti
+  module LaunchHelper
+  end
+end

data/app/jobs/atomic_lti/application_job.rb

@@ -0,0 +1,4 @@
+module AtomicLti
+  class ApplicationJob < ActiveJob::Base
+  end
+end

data/app/lib/atomic_lti/auth_token.rb

@@ -0,0 +1,35 @@
+require "jwt"
+
+module AtomicLti
+  module AuthToken
+
+    ALGORITHM = "HS512".freeze
+
+    # More information on jwt available at
+    # http://self-issued.info/docs/draft-ietf-oauth-json-web-token.html#rfc.section.4.1.6
+    def self.issue_token(payload, exp = 24.hours.from_now, secret = nil, aud = nil, header_fields = {})
+      payload["iat"] = DateTime.now.to_i    # issued at claim
+      payload["exp"] = exp.to_i             # Default expiration set to 24 hours.
+      payload["aud"] = aud || Rails.application.secrets.auth0_client_id
+      JWT.encode(
+        payload,
+        AtomicLti.jwt_secret,
+        ALGORITHM,
+        header_fields,
+      )
+    end
+
+    def self.valid?(token, secret = nil, algorithm = ALGORITHM)
+      decode(token, secret, true, algorithm)
+    end
+
+    def self.decode(token, secret = nil, validate = true, algorithm = ALGORITHM)
+      JWT.decode(
+        token,
+        AtomicLti.jwt_secret,
+        validate,
+        { algorithm: algorithm },
+      )
+    end
+  end
+end

data/app/lib/atomic_lti/authorization.rb

@@ -0,0 +1,152 @@
+require "jwt"
+
+module AtomicLti
+  class Authorization
+
+    AUTHORIZATION_TRIES = 3
+    # Validates a token provided by an LTI consumer
+    def self.validate_token(token)
+      # Get the iss value from the original request during the oidc call.
+      # Use that value to figure out which jwk we should use.
+      decoded_token = JWT.decode(token, nil, false)
+
+      iss = decoded_token.dig(0, "iss")
+
+      raise AtomicLti::Exceptions::InvalidLTIToken.new("LTI token is missing iss") if iss.blank?
+
+      platform = Platform.find_by(iss: iss)
+
+      raise AtomicLti::Exceptions::NoLTIPlatform(iss: iss, deployment_id: decoded_token.dig(0, "deployment_id")) if platform.nil?
+
+      cache_key = "#{iss}_jwks"
+
+      jwk_loader = ->(options) do
+        jwks = Rails.cache.read(cache_key)
+        if options[:invalidate] || jwks.blank?
+          jwks = JSON.parse(
+            HTTParty.get(platform.jwks_url).body,
+          ).deep_symbolize_keys
+          Rails.cache.write(cache_key, jwks, expires_in: 12.hours)
+        end
+        jwks
+      end
+
+      lti_token, _keys = JWT.decode(token, nil, true, { algorithms: ["RS256"], jwks: jwk_loader })
+      lti_token
+    end
+
+    def self.sign_tool_jwt(payload)
+      jwk = Jwk.current_jwk
+      JWT.encode(payload, jwk.private_key, jwk.alg, kid: jwk.kid, typ: "JWT")
+    end
+
+    def self.client_assertion(iss:, deployment_id:)
+      # https://www.imsglobal.org/spec/lti/v1p3/#token-endpoint-claim-and-services
+      # When requesting an access token, the client assertion JWT iss and sub must both be the
+      # OAuth 2 client_id of the tool as issued by the learning platform during registration.
+      # Additional information:
+      # https://www.imsglobal.org/spec/security/v1p0/#using-json-web-tokens-with-oauth-2-0-client-credentials-grant
+
+      # lti_install = lti_deployment.lti_install
+
+      deployment = AtomicLti::Deployment.find_by(iss: iss, deployment_id: deployment_id)
+
+      raise AtomicLti::Exceptions::NoLTIDeployment.new(iss: iss, deployment_id: deployment_id) if deployment.nil?
+
+      install = deployment.install
+
+      raise AtomicLti::Exceptions::NoLTIInstall.new(iss: iss, deployment_id: deployment_id) if install.nil?
+
+      platform = install.platform
+
+      raise AtomicLti::Exceptions::NoLTIPlatform.new(iss: iss, deployment_id: deployment_id) if platform.nil?
+
+      payload = {
+        iss:  install.client_id,  # A unique identifier for the entity that issued the JWT
+        sub: install.client_id, # "client_id" of the OAuth Client
+        aud: platform.token_url, # Authorization server identifier
+        iat: Time.now.to_i, # Timestamp for when the JWT was created
+        exp: Time.now.to_i + 300, # Timestamp for when the JWT should be treated as having expired
+        # (after allowing a margin for clock skew)
+        jti: SecureRandom.hex(10), # A unique (potentially reusable) identifier for the token
+      }
+      sign_tool_jwt(payload)
+    end
+
+    def self.request_token(iss:, deployment_id:)
+      deployment = AtomicLti::Deployment.find_by(iss: iss, deployment_id: deployment_id)
+
+      raise AtomicLti::Exceptions::NoLTIDeployment.new(iss: iss, deployment_id: deployment_id) if deployment.nil?
+
+      cache_key = "#{deployment.cache_key_with_version}/services_authorization"
+      tries = 1
+
+      begin
+        authorization = Rails.cache.read(cache_key)
+        return authorization if authorization.present?
+
+        authorization = request_token_uncached(iss: iss, deployment_id: deployment_id)
+
+        # Subtract a few seconds so we don't use an expired token
+        expires_in = authorization["expires_in"].to_i - 10
+
+        Rails.cache.write(
+          cache_key,
+          authorization,
+          expires_in: expires_in,
+        )
+
+      rescue AtomicLti::Exceptions::RateLimitError => e
+        if tries < AUTHORIZATION_TRIES
+          Rails.logger.warn("LTI Request token error: Rate limit exception, sleeping")
+          sleep rand(1.0..2.0)
+          tries += 1
+          retry
+        else
+          raise e
+        end
+      end
+      authorization
+    end
+
+    def self.request_token_uncached(iss:, deployment_id:)
+      # Details here:
+      # https://www.imsglobal.org/spec/security/v1p0/#using-json-web-tokens-with-oauth-2-0-client-credentials-grant
+      body = {
+        grant_type: "client_credentials",
+        client_assertion_type: "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
+        scope: AtomicLti.scopes,
+        client_assertion: client_assertion(iss: iss, deployment_id: deployment_id),
+      }
+      headers = {
+        "Content-Type" => "application/x-www-form-urlencoded",
+      }
+
+      deployment = AtomicLti::Deployment.find_by(iss: iss, deployment_id: deployment_id)
+
+      raise AtomicLti::Exceptions::NoLTIDeployment.new(iss: iss, deployment_id: deployment_id) if deployment.nil?
+
+      platform = deployment.platform
+
+      raise AtomicLti::Exceptions::NoLTIPlatform.new(iss: iss, deployment_id: deployment_id) if platform.nil?
+
+      result = HTTParty.post(
+        platform.token_url,
+        body: body,
+        headers: headers
+      )
+
+      if !result.success?
+        Rails.logger.warn(result.body)
+
+        # Canvas rate limit error
+        raise AtomicLti::Exceptions::RateLimitError if /rate limit/i.match?(result.body)
+
+        raise AtomicLti::Exceptions::JwtIssueError.new(result.body)
+      end
+
+      JSON.parse(result.body)
+    end
+
+  end
+end

data/app/lib/atomic_lti/config.rb

@@ -0,0 +1,213 @@
+# https://canvas.instructure.com/doc/api/tools_xml.html
+# LTI gem docs: https://github.com/instructure/ims-lti
+
+# These are the available LTI placements in Canvas.
+# Placements that are implemented:
+# account_navigation
+# course_navigation
+# editor_button
+# global_navigation
+# link_selection
+# post_grades
+# resource_selection
+# assignment_selection
+# user_navigation
+# assignment_configuration
+# assignment_edit
+# assignment_view
+# assignment_menu
+# collaboration
+# course_home_sub_navigation
+# course_settings_sub_navigation
+# discussion_topic_menu
+# file_menu
+# homework_submission
+# migration_selection
+# module_menu
+# quiz_menu
+# tool_configuration
+# wiki_page_menu
+
+module AtomicLti
+  class Config
+    # Converts old lti into lti advantage
+    # NOTE this is a work in progress and may not correctly convert all LTI configs.
+    def self.lti_to_lti_advantage(jwk, domain, args = {})
+      raise ::Exceptions::LtiConfigMissing, "Please provide an LTI launch url" if args[:launch_url].blank?
+      raise ::Exceptions::LtiConfigMissing, "Please provide an LTI secure launch url" if args[:secure_launch_url].blank?
+
+      if args[:content_migration].present?
+        raise Exceptions::LtiConfigMissing, "Please provide an IMS export url" if args[:export_url].blank?
+        raise Exceptions::LtiConfigMissing, "Please provide an IMS import url" if args[:import_url].blank?
+      end
+
+      {
+        title: args[:title],
+        scopes: AtomicLti::Definitions.scopes,
+        icon: icon(domain, args),
+        target_link_uri: args[:launch_url],
+        oidc_initiation_url: "#{args[:launch_url]}/init",
+        public_jwk: jwk.to_json,
+        description: args[:description],
+        custom_fields: custom_fields_from_args(domain, args[:title], args),
+        extensions: [
+          {
+            "platform": "canvas.instructure.com",
+            "domain": "https://#{domain}",
+            "tool_id": "helloworld",
+            "settings": {
+              "privacy_level": "public",
+              "text": args[:title],
+              "icon_url": "https://#{domain}/atomicjolt.png",
+              "selection_width": 500,
+              "selection_height": 500,
+              "placements": placements(domain, args[:title], args),
+            },
+          },
+        ],
+      }
+    end
+
+    def self.placements(domain, text, args)
+      conf = []
+      conf << placement_from_args(:resource_selection, domain, text, args)
+      conf << placement_from_args(:global_navigation, domain, text, args)
+      conf << placement_from_args(:user_navigation, domain, text, args)
+      conf << placement_from_args(:course_navigation, domain, text, args)
+      conf << placement_from_args(:account_navigation, domain, text, args)
+      conf << placement_from_args(:post_grades, domain, text, args)
+      conf << placement_from_args(:assignment_configuration, domain, text, args)
+      conf << placement_from_args(:assignment_edit, domain, text, args)
+      conf << placement_from_args(:assignment_menu, domain, text, args)
+      conf << placement_from_args(:collaboration, domain, text, args)
+      conf << placement_from_args(:course_home_sub_navigation, domain, text, args)
+      conf << placement_from_args(:course_settings_sub_navigation, domain, text, args)
+      conf << placement_from_args(:discussion_topic_menu, domain, text, args)
+      conf << placement_from_args(:file_menu, domain, text, args)
+      conf << placement_from_args(:homework_submission, domain, text, args)
+      conf << placement_from_args(:migration_selection, domain, text, args)
+      conf << placement_from_args(:quiz_menu, domain, text, args)
+      conf << placement_from_args(:tool_configuration, domain, text, args)
+      conf << editor_button_from_args(domain, text, args)
+      conf << assignment_selection_from_args(domain, text, args)
+      conf << link_selection_from_args(domain, text, args)
+      conf << assignment_view_from_args(domain, text, args)
+      conf << module_menu_from_args(domain, text, args)
+      conf << wiki_page_menu_from_args(domain, text, args)
+      conf << content_migration_args(domain, text, args)
+      conf.compact
+    end
+
+    def self.icon(domain, args)
+      if args[:icon].present?
+        args[:icon].include?("http") ? args[:icon] : "https://#{domain}/#{args[:icon]}"
+      end
+    end
+
+    def self.custom_fields_from_args(_domain, _text, args = {})
+      custom_fields = {
+        custom_canvas_api_domain: "$Canvas.api.domain",
+      }
+      if args[:custom_fields].present?
+        custom_fields.merge(args[:custom_fields]).stringify_keys
+      else
+        custom_fields.stringify_keys
+      end
+    end
+
+    def self.placement_from_args(placement, domain, text, args = {})
+      if args[placement].present?
+        default_configs_from_args(args, domain, text, placement).merge(
+          args[:placement].stringify_keys,
+        )
+      end
+    end
+
+    def self.editor_button_from_args(domain, _text, args = {})
+      if args[:editor_button].present?
+        config = args[:editor_button].stringify_keys
+        config["icon_url"] = "https://#{domain}/#{args[:editor_button][:icon_url]}"
+        config.delete("icon")
+        selection_config_from_args!(args, config, :editor_button)
+      end
+    end
+
+    def self.assignment_selection_from_args(_domain, _text, args = {})
+      if args[:assignment_selection].present?
+        config = args[:assignment_selection].stringify_keys
+        selection_config_from_args!(args, config, :assignment_selection)
+      end
+    end
+
+    def self.link_selection_from_args(_domain, _text, args = {})
+      if args[:link_selection].present?
+        config = args[:link_selection].stringify_keys
+        selection_config_from_args!(args, config, :link_selection)
+      end
+    end
+
+    def self.assignment_view_from_args(domain, text, args = {})
+      if args[:assignment_view].present?
+        config = default_configs_from_args(args, domain, text, :assignment_view)
+        config["visibility"] ||= "admins"
+        config
+      end
+    end
+
+    def self.module_menu_from_args(domain, text, args = {})
+      if args[:module_menu].present?
+        config["module_menu"] = args[:module_menu].stringify_keys
+        if config["module_menu"]["message_type"].present?
+          selection_config_from_args!(args, config, :module_menu)
+        end
+        default_configs_from_args(args, domain, text, :module_menu)
+      end
+    end
+
+    def self.wiki_page_menu_from_args(domain, text, args = {})
+      if args[:wiki_page_menu].present?
+        config = default_configs_from_args(args, domain, text, :wiki_page_menu).merge(
+          args[:wiki_page_menu].stringify_keys,
+        )
+        if args[:wiki_page_menu][:message_type].present?
+          selection_config_from_args!(args, config, :wiki_page_menu)
+        else
+          config
+        end
+      end
+    end
+
+    def self.content_migration_args(_domain, _text, args = {})
+      if args[:content_migration].present?
+        config = args[:content_migration] || {}
+        config["export_start_url"] ||= args[:export_url]
+        config["import_start_url"] ||= args[:import_url]
+        config
+      end
+    end
+
+    def self.selection_config_from_args!(args, config, placement)
+      config["placement"] = placement
+      config["message_type"] ||= "ContentItemSelectionRequest"
+      config["url"] ||= args[:launch_url]
+      config
+    end
+
+    def self.assignment_configs_from_args!(args, config, key)
+      config[key] = args[key].stringify_keys
+      config[key]["url"] ||= args[:launch_url]
+      # launch_height and launch_width are optional. Include them in the LTI config to set to a specific value
+    end
+
+    def self.default_configs_from_args(_args, _domain, text, placement)
+      {
+        "placement": placement,
+        "text": text,
+        "enabled": true,
+        "icon_url": "https://{domain}/atomicjolt.png",
+        "message_type": "LtiResourceLinkRequest",
+        "target_link_uri": "https://{domain}/lti_launches",
+      }
+    end
+  end
+end

data/app/lib/atomic_lti/deep_linking.rb

@@ -0,0 +1,36 @@
+module AtomicLti
+
+  module DeepLinking
+
+#   # ###########################################################
+#   # Create a jwt to sign a response to the platform
+    def self.create_deep_link_jwt(iss:, deployment_id:, content_items:, deep_link_claim_data: nil)
+      deployment = AtomicLti::Deployment.find_by(iss: iss, deployment_id: deployment_id)
+
+      raise AtomicLti::Exceptions::NoLTIDeployment(iss, deployment_id) if deployment.nil?
+
+      install = deployment.install
+      raise AtomicLti::Exceptions::NoLTIInstall(iss, deployment_id) if install.nil?
+
+      payload = {
+        iss: install.client_id, # A unique identifier for the entity that issued the JWT
+        aud: iss, # Authorization server identifier
+        iat: Time.now.to_i, # Timestamp for when the JWT was created
+        exp: Time.now.to_i + 300, # Timestamp for when the JWT should be treated as having expired
+        # (after allowing a margin for clock skew)
+        azp: install.client_id,
+        nonce: SecureRandom.hex(10),
+        AtomicLti::Definitions::MESSAGE_TYPE => "LtiDeepLinkingResponse",
+        AtomicLti::Definitions::LTI_VERSION => "1.3.0",
+        AtomicLti::Definitions::DEPLOYMENT_ID => deployment_id,
+        AtomicLti::Definitions::CONTENT_ITEM_CLAIM => content_items
+      }
+
+      if deep_link_claim_data.present?
+        payload[AtomicLti::Definitions::DEEP_LINKING_DATA_CLAIM] = deep_link_claim_data
+      end
+
+      AtomicLti::Authorization.sign_tool_jwt(payload)
+    end
+  end
+end