lti2 0.0.1

data/lib/lti2_commons/lib/lti2_commons/lti2_launch.rb

@@ -0,0 +1,158 @@
+require 'lti2_commons/signer'
+require 'lti2_commons/message_support'
+require 'lti2_commons/substitution_support'
+
+include Lti2Commons::Signer
+include Lti2Commons::MessageSupport
+include Lti2Commons::SubstitutionSupport
+
+module Lti2Commons
+  module Core
+    def lti2_launch(user, link, return_url)
+      tool_proxy = link.resource.tool.get_tool_proxy
+
+      tool = link.resource.tool
+      tool_name = tool_proxy.first_at('tool_profile.product_instance.product_info.product_name.default_value')
+      fail "Tool #{tool_name} is currently disabled" unless tool.is_enabled
+
+      base_url = tool_proxy.select('tool_profile.base_url_choice', 'selector.applies_to',
+                                   'MessageHandler', 'default_base_url')
+      resource_type = link.resource.resource_type
+      resource_handler_node = tool_proxy.search('tool_profile.resource_handler', { 'resource_type' => resource_type }, '@')
+      resource_handler = JsonWrapper.new(resource_handler_node)
+      message = resource_handler.search('@..message', { 'message_type' => 'basic-lti-launch-request' }, '@')
+      path = message['path']
+      tp_parameters = message['parameter']
+      service_endpoint = base_url + path
+
+      enrollment = Enrollment.where(admin_user_id: user.id, course_id: link.course.id).first
+      if enrollment
+        role = enrollment.role
+      else
+        role = user.role
+      end
+
+      tool_consumer_registry = Rails.application.config.tool_consumer_registry
+      parameters = {
+        'lti_version' => tool_proxy.first_at('lti_version'),
+        'lti_message_type' => 'basic-lti-launch-request',
+        'resource_link_id' => link.id.to_s,
+        'user_id' => user.id.to_s,
+        'roles' => role,
+        'launch_presentation_return_url' => "#{tool_consumer_registry.tc_deployment_url}#{return_url}",
+
+        # optional
+        'context_id' => link.course.id.to_s
+      }
+
+      # add parameters from ToolProxy
+      tp_parameters.each do |parameter|
+        name = parameter['name']
+        if parameter.key? 'fixed'
+          value = parameter['fixed']
+        elsif parameter.key? 'variable'
+          value = parameter['variable']
+        else
+          value = '[link-to-resolve]'
+        end
+        parameters[name] = value
+      end
+
+      # add parameters from Link
+      link_parameter_json = link.link_parameters
+      if link_parameter_json
+        link_parameters = JSON.parse(link_parameter_json)
+        parameters.merge! link_parameters
+      end
+
+      # auto-create result (if required) and add to reference to parameters
+      capabilities = resource_handler.first_at('message[0].enabled_capability')
+      if capabilities && capabilities.include?('Result.autocreate')
+        if link.grade_item_id
+          grade_result = GradeResult.where(link_id: link.id, admin_user_id: user.id).first
+          # TEST ONLY
+          # grade_result.delete if grade_result
+          # grade_result = nil
+
+          if grade_result
+            # note that a nil grade_result still let's us through
+            unless grade_result.result.nil?
+              fail 'Grade result associated with this tool launch has already been filled in'
+            end
+          else
+            grade_result = GradeResult.new
+            grade_result.link_id = link.id
+            grade_result.admin_user_id = user.id
+            grade_result.save
+          end
+        end
+      end
+
+      # perform variable substition on all parameters
+      resolver = Resolver.new
+      resolver.add_resolver('$User', user.method(:user_resolver))
+      resolver.add_resolver('$Person', user.method(:person_resolver))
+      course = Course.find(parameters['context_id'])
+      resolver.add_resolver('$CourseOffering', course.method(:course_resolver))
+      resolver.add_resolver('$Result', grade_result.method(:grade_result_resolver)) if grade_result
+
+      # and resolve and normalize
+      final_parameters = {}
+      parameters.each do |k, v|
+        # only apply substitution when the value looks like a candidate
+        if v =~ /^\$\w+\.\w/
+          resolved_value = resolver.resolve(v)
+        else
+          resolved_value = v
+        end
+        if known_lti2_parameters.include?(k) || deprecated_lti_parameters.include?(k)
+          final_parameters[k] = v
+        else
+          name = 'custom_' + k
+          lti1_name = slugify(name)
+          final_parameters[lti1_name] = resolved_value unless name == lti1_name
+          final_parameters[name] = resolved_value
+        end
+      end
+
+      key = link.resource.tool.key
+      secret = link.resource.tool.secret
+
+      signed_request = Signer.create_signed_request(service_endpoint, 'post', key, secret, final_parameters)
+      puts "TC Signed Request: #{signed_request.signature_base_string}"
+      puts 'before'
+      puts Rails.application.config.wire_log.inspect
+      puts 'after'
+      body = MessageSupport.create_lti_message_body(
+        service_endpoint, final_parameters, Rails.application.config.wire_log, 'Lti Launch')
+      puts body
+      body
+    end
+
+    private
+
+    def deprecated_lti_parameters
+      ['context_title', 'context_label', 'resource_link_title', 'resource_link_description',
+       'lis_person_name_given', 'lis_person_name_family', 'lis_person_name_full', 'lis_person_contact_email_primary',
+       'user_image', 'lis_person_sourcedid', 'lis_course_offering_sourcedid', 'lis_course_section_sourcedid',
+       'tool_consumer_instance_name', 'tool_consumer_instance_description', 'tool_consumer_instance_url',
+       'tool_consumer_instance_contact_email']
+    end
+
+    def known_lti2_parameters
+      ['lti_message_type', 'lti_version', 'user_id', 'roles', 'resource_link_id',
+       'context_id', 'context_type',
+       'launch_presentation_locale', 'launch_presentation_document_target', 'launch_presentation_css_url',
+       'launch_presentation_width', 'launch_presentation_height', 'launch_presentation_return_url',
+       'reg_key', 'reg_password', 'tc_profile_url']
+    end
+
+    def slugify(name)
+      result = ''
+      name.each_char do |c|
+        result << (c =~ /\w/ ? c.downcase : '_')
+      end
+      result
+    end
+  end
+end

data/lib/lti2_commons/lib/lti2_commons/message_support.rb

@@ -0,0 +1,218 @@
+require 'httparty'
+
+module Lti2Commons
+  # Module to support LTI 1 and 2 secure messaging.
+  # This messaging is documented in the LTI 2 Security Document
+  #
+  # LTI 2 defines two types of LTI secure messaging:
+  #   1. LTI Messages
+  #     This is the model used exclusively in LTI 1.
+  #     It is also used in LTI 2 for user-submitted actions such as LtiLaunch and ToolDeployment.
+  #
+  #     It works the following way:
+  #       1. LTI parameters are signed by OAuth.
+  #       2. The message is marshalled into an HTML Form with the params
+  #          specified in form fields.
+  #       3. The form is sent to the browser with a redirect.
+  #       4. An attached Javascript script 'auto-submits' the form.
+  #
+  #     This structure appears to the Tool Provider as a user submission with all user browser context
+  #     intact.
+  #
+  #   2. LTI Services
+  #     This is a standard REST web service with OAuth message security added.
+  #     In LTI 2.0 Services are only defined for Tool Provider --> Tool Consumer services;
+  #     such as, GetToolConsumerProfile, RegisterToolProxy, and LTI 2 Outcomes.
+  #     LTI 2.x will add Tool Consumer --> Tool Provider services using the same machinery.
+
+  module MessageSupport
+    TIMEOUT = 300
+
+    # Convenience method signs and then invokes create_lti_message_from_signed_request
+    #
+    # @params launch_url [String] Launch url
+    # @params parameters [Hash] Full set of params for message
+    # @return [String] Post body ready for use
+    #
+    def create_lti_message_body(launch_url, parameters, wire_log = nil, title = nil, is_open_in_external_window = false)
+      result = create_message_header(launch_url, is_open_in_external_window)
+      result += create_message_body(parameters)
+      result += create_message_footer(is_open_in_external_window)
+
+      if wire_log
+        wire_log.timestamp
+        wire_log.raw_log((title.nil?) ? 'LtiMessage' : "LtiMessage: #{title}")
+        wire_log.raw_log "LaunchUrl: #{launch_url}"
+        wire_log.raw_log result.strip
+        wire_log.newline
+        wire_log.flush
+      end
+
+      result
+    end
+
+    # Creates an LTI Message (POST body) ready for redirecting to the launch_url.
+    # Note that the is_include_oauth_params option specifies that 'oauth_' params are
+    # included in the body.  This option should be false when sender is putting them in the
+    # HTTP Authorization header (now recommended).
+    #
+    # @param params [Hash] Full set of params for message (including OAuth provided params)
+    # @return [String] Post body ready for use
+    #
+    def create_lti_message_body_from_signed_request(signed_request, is_include_oauth_params = true,
+                                                    is_open_in_external_window = false)
+      result = create_message_header(signed_request.uri, is_open_in_external_window)
+      result += create_message_body(signed_request.parameters, is_include_oauth_params)
+      result += create_message_footer(is_open_in_external_window)
+      result
+    end
+
+    # Invokes an LTI Service.
+    # This is fully-compliant REST request suitable for LTI server-to-server services.
+    #
+    # @param request [Request] Signed Request encapsulates everything needed for service.
+    def invoke_service(request, wire_log = nil, title = nil, other_headers = {})
+      uri = request.uri.to_s
+      # set_headers_proc = lambda { |http|
+      # http.headers['Authorization'] = request.oauth_header
+      # http.headers['Content-Type'] = request.content_type if request.content_type
+      # http.headers['Accept'] = request.content_type if request.content_type
+      # # http.headers['Content-Length'] = request.body.length if request.body
+      # }
+      method = request.method.downcase
+
+      headers = {}
+      headers['Authorization'] = request.oauth_header
+      headers['Content-Type'] = request.content_type if request.content_type
+      headers['Accept'] = request.accept if request.accept
+      headers['Content-Length'] = request.body.length.to_s if request.body
+      headers.merge!(other_headers)
+
+      parameters = request.parameters
+      output_parameters = {}
+      parameters.each { |k, v| output_parameters[k] = v unless k =~ /^oauth_/ }
+
+      (write_wirelog_header wire_log, title, request.method, uri, headers, parameters, request.body, output_parameters) if wire_log
+
+      full_uri = uri
+      full_uri += '?' unless uri.include? '?'
+      full_uri += '&' unless full_uri =~ /[?&]$/
+      output_parameters.each_pair do |key, _value|
+        full_uri << '&' unless key == output_parameters.keys.first
+        full_uri << "#{URI.encode(key.to_s)}=#{URI.encode(output_parameters[key] || '')}"
+      end
+
+      case method
+      when 'get'
+        response = HTTParty.get(full_uri, headers: headers, timeout: TIMEOUT)
+      when 'post'
+        response = HTTParty.post(full_uri, body: request.body, headers: headers, timeout: TIMEOUT)
+      when 'put'
+        response = HTTParty.put(full_uri, body: request.body, headers: headers, timeout: TIMEOUT)
+      when 'delete'
+        response = HTTParty.delete(full_uri, headers: headers, timeout: TIMEOUT)
+      end
+
+      wire_log.log_response(response, title) if wire_log
+
+      response
+    end
+
+    def invoke_unsigned_service(uri, method, params = {}, headers = {},
+                                data = nil, wire_log = nil, title = nil)
+      full_uri = uri
+      full_uri += '?' unless uri.include? '?'
+      full_uri += '&' unless full_uri =~ /[?&]$/
+      params.each_pair do |key, _value|
+        full_uri << '&' unless key == params.keys.first
+        full_uri << "#{URI.encode(key.to_s)}=#{URI.encode(params[key])}"
+      end
+
+      write_wirelog_header(wire_log, title, method, uri, headers, params, data, {}) if wire_log
+
+      case method
+      when 'get'
+        response = HTTParty.get(full_uri, headers: headers, timeout: 120)
+      when 'post'
+        response = HTTParty.post(full_uri, body: data, headers: headers, timeout: 120)
+      when 'put'
+        response = HTTParty.put(full_uri, body: data, headers: headers, timeout: 120)
+      when 'delete'
+        response = HTTParty.delete(full_uri, headers: headers, timeout: 120)
+      end
+
+      wire_log.log_response(response, title) if wire_log
+
+      response
+    end
+
+    private
+
+    def create_message_header(launch_url, is_open_in_external_window = false)
+      attribute_for_external_window = is_open_in_external_window ? 'target="_blank"' : ''
+      %Q(
+<div id="ltiLaunchFormSubmitArea">
+  <form action="#{launch_url}" #{attribute_for_external_window}
+    name="ltiLaunchForm" id="ltiLaunchForm" method="post"
+    encType="application/x-www-form-urlencoded">
+)
+    end
+
+    def create_message_body(params, is_include_oauth_params = true)
+      result = ''
+      params.each_pair do |k, v|
+        if is_include_oauth_params || ! (k =~ /^oauth_/)
+          result +=
+              %Q(      <input type="hidden" name="#{k}" value="#{CGI.escapeHTML(v)}"/>\n)
+        end
+      end
+      result
+    end
+
+    def create_message_footer(is_open_in_external_window=false)
+      footer = ""
+      if is_open_in_external_window
+        footer += %Q{
+      <a href="/admin/launches" target="_self">Return to Admin</a>\n
+        }
+      end
+      footer += %Q{
+</form>
+</div>
+<script language="javascript">
+  document.ltiLaunchForm.submit();
+</script>        
+      }
+      footer
+    end
+
+    def set_http_headers(http, request)
+      http.headers['Authorization'] = request.oauth_header
+      http.headers['Content-Type'] = request.content_type if request.content_type
+      http.headers['Content-Length'] = request.body.length if request.body
+    end
+
+    def write_wirelog_header(wire_log, title, method, uri, headers = {},
+                             parameters = {}, body = nil, output_parameters = {})
+      wire_log.timestamp
+      wire_log.raw_log((title.nil?) ? 'LtiService' : "LtiService: #{title}")
+      wire_log.raw_log("#{method.upcase} #{uri}")
+      unless headers.blank?
+        wire_log.raw_log('Headers:')
+        headers.each { |k, v| wire_log.raw_log("#{k}: #{v}") }
+      end
+      parameters.each { |k, v| output_parameters[k] = v unless k =~ /^oauth_/ }
+
+      if output_parameters.length > 0
+        wire_log.raw_log('Parameters:')
+        output_parameters.each { |k, v| wire_log.raw_log("#{k}: #{v}") }
+      end
+      if body
+        wire_log.raw_log('Body:')
+        wire_log.raw_log(body)
+      end
+      wire_log.newline
+      wire_log.flush
+    end
+  end
+end

data/lib/lti2_commons/lib/lti2_commons/oauth_request.rb

@@ -0,0 +1,179 @@
+require 'oauth/request_proxy/base'
+
+module OAuth
+  module OAuthProxy
+    # RequestProxy for Hashes to facilitate simpler signature creation.
+    # Usage:
+    #   request = OAuth::RequestProxy.proxy \
+    #      "method" => "iq",
+    #      "uri"    => [from, to] * "&",
+    #      "parameters" => {
+    #        "oauth_consumer_key"     => oauth_consumer_key,
+    #        "oauth_token"            => oauth_token,
+    #        "oauth_signature_method" => "HMAC-SHA1"
+    #      }
+    #
+    #   signature = OAuth::Signature.sign \
+    #     request,
+    #     consumer_secret: oauth_consumer_secret,
+    #     token_secret:    oauth_token_secret,
+
+    # allow a certain amount of clock skew between servers
+    CLOCK_SKEW_ALLOWANCE_IN_SECS = 300
+
+    # nonce must be unique for some period of time
+    NONCE_REPLAY_UNIQUE_WITHIN_SECS = CLOCK_SKEW_ALLOWANCE_IN_SECS
+
+    class OAuthRequest < OAuth::RequestProxy::Base
+      proxies Hash
+
+      attr_accessor :body, :content_type, :accept
+
+      def self.collect_rack_parameters(rack_request)
+        parameters = HashWithIndifferentAccess.new
+        parameters.merge!(rack_request.query_parameters)
+        parameters.merge!(self.parse_authorization_header(rack_request.headers['HTTP_AUTHORIZATION']))
+        @content_type = rack_request.headers['CONTENT_TYPE']
+        @accept = rack_request.headers['ACCEPT']
+        if @content_type == 'application/x-www-form-urlencoded'
+          parameters.merge!(rack_request.request_parameters)
+        end
+        parameters
+      end
+
+      def self.create_from_rack_request(rack_request)
+        parameters = self.collect_rack_parameters(rack_request)
+        result = OAuth::OAuthProxy::OAuthRequest.new(
+          'method' => rack_request.method,
+          'uri' => rack_request.url,
+          'parameters' => parameters
+        )
+        rack_request.body.rewind
+        result.body = rack_request.body.read
+        rack_request.body.rewind
+        result
+      end
+
+      def self.parse_authorization_header(authorization_header)
+        result = {}
+        if authorization_header =~ /^OAuth/
+          authorization_header[6..-1].split(',').inject({}) do |_h, part|
+            parts = part.split('=')
+            name = parts[0].strip.intern
+            value = parts[1..-1].join('=').strip
+            value.gsub!(/\A['"]+|['"]+\Z/, '')
+            result[name] = Rack::Utils.unescape(value) unless name == :realm
+          end
+        end
+        Rails.logger.info "AuthHdr_Parms: #{result.inspect}"
+        result
+      end
+
+      def final_uri
+        @request['final_uri']
+      end
+
+      def log(msg)
+        Rails.logger.info(msg)
+      end
+
+      def parameters
+        @request['parameters']
+      end
+
+      def method
+        @request['method']
+      end
+
+      def normalized_uri
+        super
+      rescue
+        # if this is a non-standard URI, it may not parse properly
+        # in that case, assume that it's already been normalized
+        uri
+      end
+
+      def uri
+        @request['uri']
+      end
+
+      # Creates the value of an OAuth body hash
+      #
+      # @param launch_url [String] Content to be body signed
+      # @return [String] Signature base string (useful for debugging signature problems)
+      #
+      def compute_oauth_body_hash(content)
+        Base64.encode64(Digest::SHA1.digest(content.chomp)).gsub(/\n/, '')
+      end
+
+      # A shallow+1 copy
+      #
+      def copy
+        result = OAuth::OAuthProxy::OAuthRequest.new(
+          'method' => self.method.dup,
+          'uri' => self.uri.dup,
+          'parameters' => self.parameters.dup
+        )
+        result.body = self.body.dup if self.body
+        result
+      end
+
+      def is_timestamp_expired?(timestampString)
+        timestamp = Time.at(timestampString.to_i)
+        now = Time.now
+        (now - timestamp).abs > CLOCK_SKEW_ALLOWANCE_IN_SECS
+      end
+
+      # Validates an OAuth request using the OAuth Gem - https://github.com/oauth/oauth-ruby
+      #
+      # @return [Bool] Whether the request was valid
+      def verify_signature?(secret, nonce_cache, is_handle_error_not_raise_exception = true, ignore_timestamp_and_nonce = false)
+        log 'in verify_signature'
+        test_request = self.copy
+        test_signature = test_request.sign(consumer_secret: secret)
+        # log "DEBUG: signed"
+        begin
+          unless self.oauth_signature == test_signature
+            log "Secret: #{secret}"
+            log "Verify_signature--send_signature: #{self.oauth_signature}  test_signature: #{test_signature}"
+            log "Verify signature_base_string: #{self.signature_base_string}"
+            fail 'Invalid signature'
+          end
+          unless ignore_timestamp_and_nonce
+            fail 'Timestamp expired' if is_timestamp_expired? self.oauth_timestamp
+            fail 'Duplicate nonce to one already received' if nonce_cache.fetch(self.oauth_nonce)
+          end
+          nonce_cache.store(self.oauth_nonce, '<who-cares>')
+
+          # check body-signing if oauth_body_signature
+          if self.body && self.parameters.key?('oauth_body_hash')
+            fail 'Invalid signature of message body' unless compute_oauth_body_hash(self.body) == self.parameters['oauth_body_hash']
+          end
+          [true, test_request.signature_base_string]
+        rescue Exception => e
+          log(e.message)
+          if is_handle_error_not_raise_exception
+            [false, test_request.signature_base_string]
+          else
+            raise e.message
+          end
+        end
+      end
+
+      # Runs validation logic but always returns true
+      #
+      # @return [Bool] Whether the request was valid
+      #
+      def verify_signature_always?(secret, nonce_cache, is_handle_error_not_raise_exception = true,
+          ignore_timestamp_and_nonce = false)
+        test_request = self.copy
+        test_signature = test_request.sign(consumer_secret: secret)
+        log "TC Signature: #{test_signature}"
+        log "TP Signature: #{self.oauth_signature}"
+        log "Signature_Base_String: #{test_request.signature_base_string}"
+        # log "Authorization_Header: #{request.headers['Authorization']}"
+        [self.oauth_signature == test_signature, test_request.signature_base_string]
+      end
+    end
+  end
+end