ims-lti 2.1.2 → 2.1.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 2bdd06e5c60fc13eb134e231cf0e0ee7738eb9a8
-  data.tar.gz: 56c1d472a02e4d5359b9e03977a0d9f604a3a09f
+  metadata.gz: 64af3f1aebf17f2f5cc0029cabbead8ecc7a0370
+  data.tar.gz: 33ba505d3df21a88f8a10e9bc810ba9b4f4605fc
 SHA512:
-  metadata.gz: 264a0293b2ccad3c5047d081ba08d6f2967a3e26c621855a1add4cafd113f3627d95cb75d95b491cc47293a35ded64ef9d82aa6ac61e393dde2e69189398fb91
-  data.tar.gz: 47cfe33a68b1a8ee738ab6d80bc8e8e8d4b75d8fc47c25da6e42fef69b9ca55f04a5b343b82687d161434943670f6149f75da13ec6fb5be30c2485f965bc6819
+  metadata.gz: 194581f7c78f74ba27eb759eb0a39bc23c4c913a085737be6e5839b5d26fe74989c146bbd8e803cc1eb22d7419dbedf5ef0070480e9066068799de32821c0b6a
+  data.tar.gz: b0973c1dbfb50d420d7a93416d30f1d78370735dfbf0dde8be16684042911f4987e1b00fdc3a75d6de01dd0095d7815656a5f15e80338ec7b5226698bef0f42e

data/README.md

@@ -37,7 +37,7 @@ return false unless authenticator.valid_signature?
 # check if `params['oauth_nonce']` has already been used
 
 #check if the message is too old
-return false if DateTime.strptime(request.request_parameters['oauth_timestamp'],'%s') > 5.minutes.ago
+return false if DateTime.strptime(request.request_parameters['oauth_timestamp'],'%s') < 5.minutes.ago
 
 ```
 

data/lib/ims/lti.rb

@@ -1,17 +1,19 @@
-require 'json'
-require 'securerandom'
-require 'simple_oauth'
+require 'addressable/uri'
+require 'builder'
 require 'faraday'
 require 'faraday_middleware'
-require 'builder'
+require 'json'
+require 'json/jwt'
 require 'rexml/document'
+require 'securerandom'
+require 'simple_oauth'
 
 module IMS
   module LTI
-    require_relative 'lti/models'
     require_relative 'lti/converters'
-    require_relative 'lti/services'
     require_relative 'lti/errors'
+    require_relative 'lti/models'
     require_relative 'lti/serializers'
+    require_relative 'lti/services'
   end
 end

data/lib/ims/lti/errors.rb

@@ -3,5 +3,6 @@ module IMS::LTI
     require_relative 'errors/invalid_lti_config_error'
     require_relative 'errors/tool_proxy_registration_error'
     require_relative 'errors/invalid_tool_consumer_profile'
+    require_relative 'errors/authentication_failed_error'
   end
 end

data/lib/ims/lti/errors/authentication_failed_error.rb

@@ -0,0 +1,11 @@
+module IMS::LTI::Errors
+  class AuthenticationFailedError < StandardError
+
+    attr_reader :response
+
+    def initialize(response: nil)
+      @response = response
+    end
+
+  end
+end

data/lib/ims/lti/models/messages/message.rb

@@ -40,7 +40,7 @@ module IMS::LTI::Models::Messages
       def inherited(klass)
         @descendants ||= Set.new
         @descendants << klass
-        superclass.inherited(klass) unless(self == Message)
+        superclass.inherited(klass) unless (self == Message)
       end
 
       def descendants
@@ -81,20 +81,34 @@ module IMS::LTI::Models::Messages
     OAUTH_KEYS = :oauth_callback, :oauth_consumer_key, :oauth_nonce, :oauth_signature, :oauth_signature_method,
       :oauth_timestamp, :oauth_token, :oauth_verifier, :oauth_version
 
-    attr_accessor :launch_url, *OAUTH_KEYS
+    attr_accessor :launch_url, :jwt, *OAUTH_KEYS
     attr_reader :unknown_params, :custom_params, :ext_params
 
     add_required_params :lti_message_type, :lti_version
 
-    def self.generate(params)
-      klass = self.descendants.select{|d| d::MESSAGE_TYPE == params['lti_message_type']}.first
-      klass ? klass.new(params) : Message.new(params)
+    def self.generate(launch_params)
+      params = launch_params.key?('jwt') ? parse_jwt(jwt: launch_params['jwt']) : launch_params
+      klass = self.descendants.select {|d| d::MESSAGE_TYPE == params['lti_message_type']}.first
+      message = klass ? klass.new(params) : Message.new(params)
+      message.jwt = launch_params['jwt'] if launch_params.key?('jwt')
+      message
     end
 
-    def initialize(attrs = {})
+    def self.parse_jwt(jwt:)
+      decoded_jwt = JSON::JWT.decode(jwt, :skip_verification)
+      params = decoded_jwt['org.imsglobal.lti.message'] || {}
+      custom = params.delete(:custom)
+      custom.each {|k,v| params["custom_#{k}"] = v }
+      params['consumer_key'] = decoded_jwt[:sub]
+      ext = params.delete(:ext)
+      ext.each {|k,v| params["ext_#{k}"] = v }
+      params
+    end
+
+    def initialize(attrs = {}, custom_params = {}, ext_params = {})
 
-      @custom_params = {}
-      @ext_params = {}
+      @custom_params = custom_params
+      @ext_params = ext_params
       @unknown_params = {}
 
       attrs.each do |k, v|
@@ -114,20 +128,28 @@ module IMS::LTI::Models::Messages
     end
 
     def add_custom_params(params)
-      params.each { |k, v| k.to_s.start_with?('custom_') ? @custom_params[k.to_s] = v : @custom_params["custom_#{k.to_s}"] = v }
+      params.each {|k, v| k.to_s.start_with?('custom_') ? @custom_params[k.to_s] = v : @custom_params["custom_#{k.to_s}"] = v}
     end
 
     def get_custom_params
-      @custom_params.inject({}) { |hash, (k, v)| hash[k.gsub(/\Acustom_/, '')] = v; hash }
+      @custom_params.inject({}) {|hash, (k, v)| hash[k.gsub(/\Acustom_/, '')] = v; hash}
+    end
+
+    def get_ext_params
+      @ext_params.inject({}) {|hash, (k, v)| hash[k.gsub(/\Aext_/, '')] = v; hash}
     end
 
     def post_params
       unknown_params.merge(@custom_params).merge(@ext_params).merge(parameters)
     end
 
+    def jwt_params(private_key:, originating_domain:, algorithm: :HS256)
+      { 'jwt' => to_jwt(private_key: private_key, originating_domain: originating_domain, algorithm: algorithm) }
+    end
+
     def signed_post_params(secret)
-      message_params = { oauth_consumer_key: oauth_consumer_key}.merge(post_params)
-      @message_authenticator = IMS::LTI::Services::MessageAuthenticator.new(launch_url, message_params, secret )
+      message_params = { oauth_consumer_key: oauth_consumer_key }.merge(post_params)
+      @message_authenticator = IMS::LTI::Services::MessageAuthenticator.new(launch_url, message_params, secret)
       @message_authenticator.signed_params
     end
 
@@ -165,6 +187,27 @@ module IMS::LTI::Models::Messages
       end
     end
 
+    def to_jwt(private_key:, originating_domain:, algorithm: :HS256)
+      now = Time.now
+      exp = now + 60 * 5
+      ims = unknown_params.merge(parameters)
+      ims[:custom] = get_custom_params
+      ims[:ext] = get_ext_params
+      claim = {
+        iss: originating_domain,
+        sub: consumer_key,
+        aud: launch_url,
+        iat: now,
+        exp: exp,
+        jti: SecureRandom.uuid,
+        "org.imsglobal.lti.message" => ims
+      }
+      jwt = JSON::JWT.new(claim).sign(private_key, algorithm)
+      jwt.to_s
+    end
+
+    alias_attribute :consumer_key, :oauth_consumer_key
+
     private
 
     def collect_attributes(attributes)

data/lib/ims/lti/models/tool_consumer_profile.rb

@@ -11,6 +11,7 @@ module IMS::LTI::Models
     add_attribute :id, json_key:'@id'
     add_attribute :type, json_key:'@type'
     add_attribute :context, json_key:'@context'
+    add_attribute :security_profile, relation: 'IMS::LTI::Models::SecurityProfile'
     add_attribute :product_instance, relation:'IMS::LTI::Models::ProductInstance'
     add_attribute :service_offered, relation: 'IMS::LTI::Models::RestService'
 
@@ -35,5 +36,10 @@ module IMS::LTI::Models
     def reregistration_capable?
       @capability_offered.include?(Messages::ToolProxyReregistrationRequest::MESSAGE_TYPE)
     end
+
+    def security_profile_by_name(security_profile_name:)
+      security_profiles.find { |sp| sp.security_profile_name == security_profile_name}
+    end
+
   end
 end

data/lib/ims/lti/services.rb

@@ -1,8 +1,11 @@
 module IMS::LTI
   module Services
+    require_relative 'services/oauth2_client'
     require_relative 'services/tool_proxy_registration_service'
     require_relative 'services/tool_config'
     require_relative 'services/tool_proxy_validator'
     require_relative 'services/message_authenticator'
+    require_relative 'services/tool_consumer_profile_service'
+    require_relative 'services/authentication_service'
   end
-end
+end

data/lib/ims/lti/services/authentication_service.rb

@@ -0,0 +1,67 @@
+module IMS::LTI::Services
+  class AuthenticationService
+
+    attr_accessor :connection, :iss, :aud, :sub, :secret, :grant_type,
+                  :additional_claims, :additional_params
+    attr_writer :secret
+
+    def initialize(iss:, aud:, sub:, secret:)
+      @iss = iss
+      @aud = aud
+      @sub = sub
+      @secret = secret
+      @additional_claims = {}
+      @additional_params = {}
+      @grant_type = 'urn:ietf:params:oauth:grant-type:jwt-bearer'
+    end
+
+    def connection
+      @connection ||= Faraday.new
+    end
+
+    def access_token
+      access_token_request['access_token']
+    end
+
+    def expiration
+      expires_in = access_token_request['expires_in'].to_i
+      @_response_time + expires_in
+    end
+
+    def expired?
+      expiration < Time.now
+    end
+
+    def invalidate!
+      @_access_token_request = nil
+      @_response_time = nil
+    end
+
+    private
+
+    def access_token_request
+      @_access_token_request ||= begin
+        assertion = JSON::JWT.new(
+          iss: iss,
+          sub: sub,
+          aud: aud.to_s,
+          iat: Time.now.to_i,
+          exp: 1.minute.from_now,
+          jti: SecureRandom.uuid
+        )
+        assertion.merge!(@additional_claims)
+        assertion = assertion.sign(@secret, :HS256).to_s
+        body = {
+          grant_type: grant_type,
+          assertion: assertion
+        }
+        body.merge!(@additional_params)
+        response = connection.post(aud, body)
+        raise IMS::LTI::Errors::AuthenticationFailedError.new(response: response) unless response.success?
+        @_response_time = Time.now
+        response.body
+      end
+    end
+
+  end
+end

data/lib/ims/lti/services/message_authenticator.rb

@@ -14,7 +14,7 @@ module IMS::LTI::Services
 
 
     def valid_signature?
-      simple_oauth_header.valid?(signature: signature)
+       message.jwt ? valid_jwt? : simple_oauth_header.valid?(signature: signature)
     end
 
     def message
@@ -52,6 +52,19 @@ module IMS::LTI::Services
 
 
     private
+
+    def valid_jwt?
+      begin
+        jwt = JSON::JWT.decode(message.jwt, @secret)
+        aud1 = Addressable::URI.parse(jwt['aud'])
+        aud2 = Addressable::URI.parse(launch_url)
+        [aud1, aud2].each{ |aud| aud.fragment = '' }
+        aud1.normalize == aud2.normalize
+      rescue JSON::JWS::VerificationFailed
+        false
+      end
+    end
+
     def parse_params(params)
       params.inject([{}, {}]) do |array, (k, v)|
         attr = k.to_s.sub('oauth_', '').to_sym

data/lib/ims/lti/services/oauth2_client.rb

@@ -0,0 +1,18 @@
+module IMS::LTI::Services
+
+  class OAuth2Client
+    attr_accessor :token, :base_url
+    attr_writer :connection
+
+    def initialize(token:, base_url: nil)
+      @base_url = base_url
+      @token = token
+    end
+
+    def connection
+      @connection ||= Faraday.new base_url do |conn|
+        conn.authorization :Bearer, token
+      end
+    end
+  end
+end

data/lib/ims/lti/services/tool_consumer_profile_service.rb

@@ -0,0 +1,16 @@
+module IMS::LTI::Services
+  class ToolConsumerProfileService
+
+    attr_accessor :tcp
+
+    def initialize(tool_consumer_profile)
+      @tcp = tool_consumer_profile
+    end
+
+    def supports_capabilities?(capability, *capabilities)
+      capabilities.unshift(capability)
+      (capabilities - tcp.capabilities_offered).empty?
+    end
+
+  end
+end

data/lib/ims/lti/services/tool_proxy_validator.rb

@@ -85,25 +85,42 @@ module IMS::LTI::Services
       ret_val
     end
 
+    def invalid_security_profiles
+      security_profiles = tool_proxy.tool_profile.security_profiles
+      array = security_profiles.each_with_object([]) do |sp, array|
+        tcp_sp = tool_consumer_profile.security_profile_by_name(security_profile_name: sp.security_profile_name)
+        if tcp_sp
+          supported_algorithms = sp.digest_algorithms & tcp_sp.digest_algorithms
+          unsupported_algorithms = sp.digest_algorithms - supported_algorithms
+          unless unsupported_algorithms.empty?
+            array << { name: sp.security_profile_name, algorithms: unsupported_algorithms }
+          end
+        else
+          array << { name: sp.security_profile_name }
+        end
+      end
+      array
+    end
+
     def errors
       ret_val = {}
       ret_val[:invalid_security_contract] = invalid_security_contract unless invalid_security_contract.empty?
       ret_val[:invalid_capabilities] = invalid_capabilities unless invalid_capabilities.empty?
       ret_val[:invalid_message_handlers] = invalid_message_handlers unless invalid_message_handlers.empty?
       ret_val[:invalid_services] = invalid_services unless invalid_services.empty?
-
+      ret_val[:invalid_security_profiles] = invalid_security_profiles unless invalid_security_profiles.empty?
       ret_val
     end
 
     def valid?
-      invalid_capabilities.empty? && invalid_security_contract.empty? && invalid_services.empty? && invalid_message_handlers.empty?
+      errors.keys.empty?
     end
 
     private
 
     def normalize_strings(string, *strings)
       strings.push(string)
-      normalized = strings.map { |s| s.upcase.strip }
+      normalized = strings.map {|s| s.upcase.strip}
       normalized
     end
 
@@ -112,7 +129,7 @@ module IMS::LTI::Services
         invalid_capabilities = mh.enabled_capabilities - capabilities_offered
         invalid_parameters = validate_parameters(mh.parameters)
         if !invalid_parameters.empty? || !invalid_capabilities.empty?
-          hash = {message_type: mh.message_type, }
+          hash = { message_type: mh.message_type, }
           hash[:invalid_capabilities] = invalid_capabilities unless invalid_capabilities.empty?
           hash[:invalid_parameters] = invalid_parameters unless invalid_parameters.empty?
           array << hash
@@ -124,7 +141,7 @@ module IMS::LTI::Services
     def validate_parameters(parameters)
       parameters.each_with_object([]) do |p, array|
         if !p.fixed? && !capabilities_offered.include?(p.variable)
-          array << {name: p.name, variable: p.variable}
+          array << { name: p.name, variable: p.variable }
         end
       end
     end
@@ -142,7 +159,7 @@ module IMS::LTI::Services
         invalid_mhs = validate_message_handlers(rh.messages)
         if !invalid_mhs.empty? || !invalid_message_types.empty?
           hash = {
-              code: rh.resource_type.code,
+            code: rh.resource_type.code,
           }
           hash[:messages] = invalid_mhs unless invalid_mhs.empty?
           hash[:invalid_message_types] = invalid_message_types unless invalid_message_types.empty?
@@ -161,6 +178,5 @@ module IMS::LTI::Services
       hash
     end
 
-
   end
 end

metadata

@@ -1,29 +1,49 @@
 --- !ruby/object:Gem::Specification
 name: ims-lti
 version: !ruby/object:Gem::Version
-  version: 2.1.2
+  version: 2.1.3
 platform: ruby
 authors:
 - Instructure
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2017-03-27 00:00:00.000000000 Z
+date: 2017-06-28 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
-  name: simple_oauth
+  name: addressable
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - '='
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '0.2'
+        version: '2.5'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 2.5.1
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - '='
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '0.2'
+        version: '2.5'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 2.5.1
+- !ruby/object:Gem::Dependency
+  name: builder
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.2'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.2'
 - !ruby/object:Gem::Dependency
   name: faraday
   requirement: !ruby/object:Gem::Requirement
@@ -53,47 +73,47 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '0.8'
 - !ruby/object:Gem::Dependency
-  name: builder
+  name: json-jwt
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '3.2'
+        version: '1.7'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '3.2'
+        version: '1.7'
 - !ruby/object:Gem::Dependency
-  name: rake
+  name: simple_oauth
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - '='
       - !ruby/object:Gem::Version
-        version: '10.4'
-  type: :development
+        version: '0.2'
+  type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - '='
       - !ruby/object:Gem::Version
-        version: '10.4'
+        version: '0.2'
 - !ruby/object:Gem::Dependency
-  name: rspec
+  name: byebug
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '3.2'
+        version: '8.2'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '3.2'
+        version: '8.2'
 - !ruby/object:Gem::Dependency
   name: guard
   requirement: !ruby/object:Gem::Requirement
@@ -151,19 +171,47 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '0.10'
 - !ruby/object:Gem::Dependency
-  name: byebug
+  name: rake
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '8.2'
+        version: '10.4'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '8.2'
+        version: '10.4'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.2'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.2'
+- !ruby/object:Gem::Dependency
+  name: timecop
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.8'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.8'
 description: 
 email: opensource@instructure.com
 executables: []
@@ -189,6 +237,7 @@ files:
 - lib/ims/lti/converters.rb
 - lib/ims/lti/converters/time_json_converter.rb
 - lib/ims/lti/errors.rb
+- lib/ims/lti/errors/authentication_failed_error.rb
 - lib/ims/lti/errors/invalid_lti_config_error.rb
 - lib/ims/lti/errors/invalid_tool_consumer_profile.rb
 - lib/ims/lti/errors/tool_proxy_registration_error.rb
@@ -259,8 +308,11 @@ files:
 - lib/ims/lti/serializers/membership_service/page_serializer.rb
 - lib/ims/lti/serializers/membership_service/person_serializer.rb
 - lib/ims/lti/services.rb
+- lib/ims/lti/services/authentication_service.rb
 - lib/ims/lti/services/message_authenticator.rb
+- lib/ims/lti/services/oauth2_client.rb
 - lib/ims/lti/services/tool_config.rb
+- lib/ims/lti/services/tool_consumer_profile_service.rb
 - lib/ims/lti/services/tool_proxy_registration_service.rb
 - lib/ims/lti/services/tool_proxy_validator.rb
 - lib/ims/lti/version.rb
@@ -284,7 +336,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.6.8
+rubygems_version: 2.6.11
 signing_key: 
 specification_version: 4
 summary: Ruby library for creating IMS LTI tool providers and consumers