ff-ltitoolkit 0.1.0__py3-none-any.whl

ltitoolkit/dynamic_registration/service.py

@@ -0,0 +1,156 @@
+"""The Dynamic Registration flow.
+
+One method, :meth:`DynamicRegistrationService.register`, performs the whole
+exchange: fetch the platform's OpenID configuration, POST a tool registration to
+the platform, capture the returned ``client_id``/``deployment_id``, and persist
+the result. The admin only ever pastes a single URL — this is what makes
+"install on any LMS without re-reading the docs" real.
+"""
+
+from __future__ import annotations
+
+import typing as t
+
+import requests
+
+from ..exceptions import ExternalRequestError
+from ..http import build_session
+from .models import (
+    CLOSE_SUBJECT,
+    LTI_TOOL_CONFIGURATION,
+    PlatformConfiguration,
+    ToolRegistration,
+    ToolRegistrationConfig,
+)
+from .store import RegistrationStore
+
+
+class DynamicRegistrationService:
+    def __init__(
+        self,
+        tool_config: ToolRegistrationConfig,
+        store: RegistrationStore,
+        *,
+        session: requests.Session | None = None,
+        timeout: float | tuple[float, float] = (10.0, 30.0),
+    ) -> None:
+        self._config = tool_config
+        self._store = store
+        self._session = session if session is not None else build_session(timeout=timeout)
+        self._timeout = timeout
+
+    def register(
+        self, openid_configuration_url: str, registration_token: str | None = None
+    ) -> ToolRegistration:
+        """Run the full registration handshake and persist the result."""
+        platform = self._fetch_platform_configuration(openid_configuration_url)
+        request_body = self._config.build_request(platform)
+        response_body = self._post_registration(platform, request_body, registration_token)
+        registration = self._to_registration(platform, response_body)
+        self._store.save(registration)
+        return registration
+
+    @staticmethod
+    def completion_html(
+        message: str = "Registration complete. You may close this window."
+    ) -> str:
+        """HTML that signals the platform (via postMessage) that we're done."""
+        return (
+            "<!DOCTYPE html><html><head><meta charset='utf-8'>"
+            "<title>Registration complete</title></head><body>"
+            f"<p>{message}</p>"
+            "<script>(window.opener || window.parent)."
+            f"postMessage({{subject:'{CLOSE_SUBJECT}'}}, '*');</script>"
+            "</body></html>"
+        )
+
+    # -- internals ---------------------------------------------------------
+
+    def _fetch_platform_configuration(self, url: str) -> PlatformConfiguration:
+        try:
+            response = self._session.get(url, timeout=self._timeout)
+        except requests.Timeout as exc:
+            raise ExternalRequestError(
+                f"Timed out fetching OpenID configuration: {exc}", url=url, is_timeout=True
+            ) from exc
+        except requests.RequestException as exc:
+            raise ExternalRequestError(
+                f"Error fetching OpenID configuration: {exc}", url=url
+            ) from exc
+
+        if not response.ok:
+            raise ExternalRequestError(
+                "Platform rejected the OpenID configuration request",
+                status_code=response.status_code,
+                url=url,
+                response_text=response.text,
+            )
+        try:
+            return PlatformConfiguration.from_dict(response.json())
+        except (ValueError, TypeError) as exc:
+            raise ExternalRequestError(
+                f"Invalid OpenID configuration document: {exc}", url=url
+            ) from exc
+
+    def _post_registration(
+        self,
+        platform: PlatformConfiguration,
+        body: dict[str, t.Any],
+        registration_token: str | None,
+    ) -> dict[str, t.Any]:
+        headers = {"Accept": "application/json"}
+        if registration_token:
+            headers["Authorization"] = f"Bearer {registration_token}"
+
+        url = platform.registration_endpoint
+        try:
+            response = self._session.post(
+                url, json=body, headers=headers, timeout=self._timeout
+            )
+        except requests.Timeout as exc:
+            raise ExternalRequestError(
+                f"Timed out posting registration: {exc}", url=url, is_timeout=True
+            ) from exc
+        except requests.RequestException as exc:
+            raise ExternalRequestError(
+                f"Error posting registration: {exc}", url=url
+            ) from exc
+
+        if not response.ok:
+            raise ExternalRequestError(
+                "Platform rejected the tool registration",
+                status_code=response.status_code,
+                url=url,
+                response_text=response.text,
+            )
+        try:
+            return response.json()
+        except (ValueError, TypeError) as exc:
+            raise ExternalRequestError(
+                f"Invalid registration response: {exc}", url=url
+            ) from exc
+
+    @staticmethod
+    def _to_registration(
+        platform: PlatformConfiguration, response_body: t.Mapping[str, t.Any]
+    ) -> ToolRegistration:
+        client_id = response_body.get("client_id")
+        if not client_id:
+            raise ExternalRequestError(
+                "Registration response did not include a client_id",
+                url=platform.registration_endpoint,
+            )
+
+        lti_config = response_body.get(LTI_TOOL_CONFIGURATION, {}) or {}
+        deployment_id = lti_config.get("deployment_id")
+        deployment_ids = (deployment_id,) if deployment_id else ()
+
+        return ToolRegistration(
+            issuer=platform.issuer,
+            client_id=str(client_id),
+            auth_login_url=platform.authorization_endpoint,
+            auth_token_url=platform.token_endpoint,
+            key_set_url=platform.jwks_uri,
+            auth_audience=platform.authorization_server,
+            deployment_ids=deployment_ids,
+        )

ltitoolkit/dynamic_registration/store.py

@@ -0,0 +1,40 @@
+"""Persistence interface for dynamically-registered platforms.
+
+After a successful registration the resulting :class:`ToolRegistration` must be
+stored so later launches can resolve ``(issuer, client_id)`` to its config. The
+store is an interface so applications can back it with a database; the default
+is in-process only (fine for a single worker / tests).
+"""
+
+from __future__ import annotations
+
+import typing as t
+
+from .models import ToolRegistration
+
+
+@t.runtime_checkable
+class RegistrationStore(t.Protocol):
+    """Stores and retrieves tool registrations keyed by issuer + client_id."""
+
+    def save(self, registration: ToolRegistration) -> None: ...
+
+    def get(self, issuer: str, client_id: str) -> ToolRegistration | None: ...
+
+    def find_by_issuer(self, issuer: str) -> list[ToolRegistration]: ...
+
+
+class InMemoryRegistrationStore:
+    """Default per-process store. Swap for a DB-backed store in production."""
+
+    def __init__(self) -> None:
+        self._by_key: dict[tuple[str, str], ToolRegistration] = {}
+
+    def save(self, registration: ToolRegistration) -> None:
+        self._by_key[(registration.issuer, registration.client_id)] = registration
+
+    def get(self, issuer: str, client_id: str) -> ToolRegistration | None:
+        return self._by_key.get((issuer, client_id))
+
+    def find_by_issuer(self, issuer: str) -> list[ToolRegistration]:
+        return [reg for (iss, _), reg in self._by_key.items() if iss == issuer]

ltitoolkit/dynamic_registration/tool_conf.py

@@ -0,0 +1,102 @@
+"""Bridge dynamically-registered platforms into the launch machinery.
+
+``StoredToolConf`` is a :class:`ToolConfAbstract` backed by a
+:class:`RegistrationStore`, so the same OIDC login / message launch flow that
+works with a static ``ToolConfDict`` also works for platforms that registered
+themselves via Dynamic Registration. The tool's own key pair is supplied once
+and attached to every resolved registration (used to sign client assertions).
+"""
+
+from __future__ import annotations
+
+from ..core.deployment import Deployment
+from ..core.exception import LtiException
+from ..core.registration import Registration
+from ..core.tool_config.abstract import ToolConfAbstract
+from .models import ToolRegistration
+from .store import RegistrationStore
+
+
+class StoredToolConf(ToolConfAbstract):
+    """Tool configuration resolved from a registration store at runtime."""
+
+    def __init__(
+        self,
+        store: RegistrationStore,
+        *,
+        private_key: str,
+        public_key: str | None = None,
+    ) -> None:
+        super().__init__()
+        self._store = store
+        self._private_key = private_key
+        self._public_key = public_key
+
+    # Dynamic registration always works in the (recommended) many-clients model:
+    # an issuer may have multiple client_ids, and we always know the client_id.
+    def check_iss_has_one_client(self, iss: str) -> bool:
+        return False
+
+    def check_iss_has_many_clients(self, iss: str) -> bool:
+        return True
+
+    # -- registration resolution ------------------------------------------
+
+    def _build_registration(self, record: ToolRegistration) -> Registration:
+        registration = (
+            Registration()
+            .set_issuer(record.issuer)
+            .set_client_id(record.client_id)
+            .set_auth_login_url(record.auth_login_url)
+            .set_auth_token_url(record.auth_token_url)
+            .set_key_set_url(record.key_set_url)
+            .set_tool_private_key(self._private_key)
+        )
+        if record.auth_audience:
+            registration.set_auth_audience(record.auth_audience)
+        if self._public_key:
+            registration.set_tool_public_key(self._public_key)
+        return registration
+
+    def _lookup(self, iss: str, client_id: str | None) -> ToolRegistration:
+        record = None
+        if client_id:
+            record = self._store.get(iss, client_id)
+        else:
+            candidates = self._store.find_by_issuer(iss)
+            record = candidates[0] if candidates else None
+        if record is None:
+            raise LtiException(
+                f"No registration found for issuer={iss} client_id={client_id}"
+            )
+        return record
+
+    def find_registration_by_issuer(self, iss, *args, **kwargs) -> Registration:
+        return self._build_registration(self._lookup(iss, None))
+
+    def find_registration_by_params(self, iss, client_id, *args, **kwargs) -> Registration:
+        return self._build_registration(self._lookup(iss, client_id))
+
+    # -- deployment resolution --------------------------------------------
+
+    def _deployment(self, record: ToolRegistration, deployment_id: str):
+        # If the registration captured specific deployment_ids, enforce them;
+        # otherwise accept the launch's deployment_id (deployments are often
+        # created separately from registration, e.g. on Canvas).
+        if record.deployment_ids and deployment_id not in record.deployment_ids:
+            return None
+        return Deployment().set_deployment_id(deployment_id)
+
+    def find_deployment(self, iss, deployment_id):
+        try:
+            record = self._lookup(iss, None)
+        except LtiException:
+            return None
+        return self._deployment(record, deployment_id)
+
+    def find_deployment_by_params(self, iss, deployment_id, client_id, *args, **kwargs):
+        try:
+            record = self._lookup(iss, client_id)
+        except LtiException:
+            return None
+        return self._deployment(record, deployment_id)

ltitoolkit/exceptions.py

@@ -0,0 +1,42 @@
+"""Typed exception taxonomy for ltitoolkit.
+
+A small, explicit hierarchy so callers can catch precisely (``except
+AccessTokenError``) or broadly (``except LtiToolkitError``). External HTTP
+failures are wrapped in rich exceptions that carry the status code and response
+body, mirroring the practice used by production LTI tools.
+"""
+
+from __future__ import annotations
+
+
+class LtiToolkitError(Exception):
+    """Base class for every error raised by ltitoolkit."""
+
+
+class ExternalRequestError(LtiToolkitError):
+    """An HTTP request to the LMS failed (network error or non-2xx response)."""
+
+    def __init__(
+        self,
+        message: str,
+        *,
+        status_code: int | None = None,
+        url: str | None = None,
+        response_text: str | None = None,
+        is_timeout: bool = False,
+    ) -> None:
+        super().__init__(message)
+        self.status_code = status_code
+        self.url = url
+        self.response_text = response_text
+        self.is_timeout = is_timeout
+
+    def __str__(self) -> str:  # pragma: no cover - cosmetic
+        base = super().__str__()
+        if self.status_code is not None:
+            base = f"{base} (status={self.status_code}, url={self.url})"
+        return base
+
+
+class AccessTokenError(ExternalRequestError):
+    """Failed to obtain a client-credentials access token from the platform."""

ltitoolkit/fastapi/__init__.py

@@ -0,0 +1,30 @@
+"""FastAPI adapter for ltitoolkit.
+
+PyLTI1p3 ships Django and Flask adapters only; FastAPI is the gap this package
+fills. This subpackage maps FastAPI/Starlette ``Request``/``Response`` semantics
+(query/form params, cookies, sessions, redirects) onto the vendored core's
+abstractions, and adds async-aware helpers
+(:meth:`FastApiRequest.from_request`, :meth:`FastApiMessageLaunch.validate_async`).
+
+Requirements:
+- ``SessionMiddleware`` must be installed for the default session-backed launch
+  storage to persist data across the login → launch round trip.
+- ``python-multipart`` must be installed to read the form-encoded ``id_token``
+  POST (pulled in by the ``ltitoolkit[fastapi]`` extra).
+"""
+
+from .cookie import FastApiCookieService
+from .message_launch import FastApiMessageLaunch
+from .oidc_login import FastApiOIDCLogin
+from .redirect import FastApiRedirect
+from .request import FastApiRequest
+from .session import FastApiSessionService
+
+__all__ = [
+    "FastApiRequest",
+    "FastApiCookieService",
+    "FastApiSessionService",
+    "FastApiRedirect",
+    "FastApiOIDCLogin",
+    "FastApiMessageLaunch",
+]

ltitoolkit/fastapi/cookie.py

@@ -0,0 +1,53 @@
+"""Cookie service adapter for FastAPI/Starlette responses.
+
+Cookies cannot be written until we have a response object, so ``set_cookie``
+queues them and :meth:`FastApiCookieService.update_response` flushes them onto a
+Starlette ``Response`` just before it is returned.
+
+LTI launches are cross-site POSTs (the LMS posts to the tool), so state cookies
+must be sent in that context: ``SameSite=None; Secure``. When the request is not
+secure (e.g. local ``http`` development) we fall back to ``SameSite=Lax``, since
+browsers reject ``SameSite=None`` without ``Secure``.
+"""
+
+from __future__ import annotations
+
+import typing as t
+
+from starlette.responses import Response
+
+from ltitoolkit.core.cookie import CookieService
+
+if t.TYPE_CHECKING:
+    from .request import FastApiRequest
+
+
+class FastApiCookieService(CookieService):
+    def __init__(self, request: FastApiRequest) -> None:
+        self._request = request
+        self._cookie_data_to_set: dict[str, dict[str, t.Any]] = {}
+
+    def _get_key(self, key: str) -> str:
+        return self._cookie_prefix + "-" + key
+
+    def get_cookie(self, name: str) -> str | None:
+        return self._request.get_cookie(self._get_key(name))
+
+    def set_cookie(
+        self, name: str, value: str | int, exp: int | None = 3600
+    ) -> None:
+        self._cookie_data_to_set[self._get_key(name)] = {"value": value, "exp": exp}
+
+    def update_response(self, response: Response) -> None:
+        """Flush all queued cookies onto ``response``."""
+        secure = self._request.is_secure()
+        for key, cookie_data in self._cookie_data_to_set.items():
+            response.set_cookie(
+                key=key,
+                value=str(cookie_data["value"]),
+                max_age=cookie_data["exp"],
+                path="/",
+                secure=secure,
+                httponly=True,
+                samesite="none" if secure else "lax",
+            )

ltitoolkit/fastapi/dynamic_registration.py

@@ -0,0 +1,40 @@
+"""FastAPI binding for the Dynamic Registration endpoint.
+
+Wire this to a single route (e.g. ``/lti/register``); that URL is what an LMS
+admin pastes to install the tool. The platform may use GET or POST and supplies
+``openid_configuration`` and (optionally) ``registration_token``.
+"""
+
+from __future__ import annotations
+
+from starlette.concurrency import run_in_threadpool
+from starlette.requests import Request as StarletteRequest
+from starlette.responses import HTMLResponse, PlainTextResponse, Response
+
+from ..dynamic_registration.service import DynamicRegistrationService
+
+
+async def handle_dynamic_registration(
+    request: StarletteRequest, service: DynamicRegistrationService
+) -> Response:
+    """Perform registration for an incoming initiation request.
+
+    Returns the completion HTML (which closes the registration window via
+    postMessage) on success, or a 400 if ``openid_configuration`` is missing.
+    """
+    params: dict[str, str] = dict(request.query_params)
+    if request.method == "POST":
+        form = await request.form()
+        for key in ("openid_configuration", "registration_token"):
+            if key in form and key not in params:
+                params[key] = str(form[key])
+
+    openid_configuration = params.get("openid_configuration")
+    if not openid_configuration:
+        return PlainTextResponse("Missing 'openid_configuration'", status_code=400)
+
+    # Registration performs blocking HTTP; keep the event loop free.
+    await run_in_threadpool(
+        service.register, openid_configuration, params.get("registration_token")
+    )
+    return HTMLResponse(service.completion_html())

ltitoolkit/fastapi/message_launch.py

@@ -0,0 +1,60 @@
+"""Message launch adapter — step 2 of an LTI 1.3 launch.
+
+Validates the ``id_token`` posted back by the platform: state, JWT format,
+nonce, registration, signature, deployment, and message type.
+
+Validation performs **blocking** network I/O (fetching the platform's JWKS via
+``requests``). Calling it directly in an async route would block the event loop,
+so :meth:`validate_async` runs the synchronous validation in a threadpool. Use
+it from async handlers; the inherited synchronous :meth:`validate` remains
+available for non-async contexts.
+"""
+
+from __future__ import annotations
+
+import typing as t
+
+from starlette.concurrency import run_in_threadpool
+
+from ltitoolkit.core.message_launch import MessageLaunch
+
+from .cookie import FastApiCookieService
+from .session import FastApiSessionService
+
+if t.TYPE_CHECKING:
+    import requests
+
+    from ltitoolkit.core.launch_data_storage.base import LaunchDataStorage
+    from ltitoolkit.core.tool_config import ToolConfAbstract
+
+    from .request import FastApiRequest
+
+
+class FastApiMessageLaunch(MessageLaunch):
+    def __init__(
+        self,
+        request: FastApiRequest,
+        tool_config: ToolConfAbstract,
+        session_service: FastApiSessionService | None = None,
+        cookie_service: FastApiCookieService | None = None,
+        launch_data_storage: LaunchDataStorage[t.Any] | None = None,
+        requests_session: requests.Session | None = None,
+    ) -> None:
+        cookie_service = cookie_service or FastApiCookieService(request)
+        session_service = session_service or FastApiSessionService(request)
+        super().__init__(
+            request,
+            tool_config,
+            session_service,
+            cookie_service,
+            launch_data_storage,
+            requests_session,
+        )
+
+    def _get_request_param(self, key: str) -> t.Any:
+        return self._request.get_param(key)
+
+    async def validate_async(self) -> FastApiMessageLaunch:
+        """Run the (blocking) launch validation without blocking the event loop."""
+        await run_in_threadpool(self.validate)
+        return self

ltitoolkit/fastapi/oidc_login.py

@@ -0,0 +1,47 @@
+"""OIDC login adapter — step 1 of an LTI 1.3 launch.
+
+Handles the platform's *third-party initiated login*: validate the request,
+mint state/nonce, set the state cookie, and redirect back to the platform's
+authorization endpoint. Wraps the framework-specific pieces (redirect + raw HTML
+response) around the core's :class:`ltitoolkit.core.oidc_login.OIDCLogin`.
+"""
+
+from __future__ import annotations
+
+import typing as t
+
+from starlette.responses import HTMLResponse, Response
+
+from ltitoolkit.core.oidc_login import OIDCLogin
+
+from .cookie import FastApiCookieService
+from .redirect import FastApiRedirect
+from .session import FastApiSessionService
+
+if t.TYPE_CHECKING:
+    from ltitoolkit.core.launch_data_storage.base import LaunchDataStorage
+    from ltitoolkit.core.tool_config import ToolConfAbstract
+
+    from .request import FastApiRequest
+
+
+class FastApiOIDCLogin(OIDCLogin):
+    def __init__(
+        self,
+        request: FastApiRequest,
+        tool_config: ToolConfAbstract,
+        session_service: FastApiSessionService | None = None,
+        cookie_service: FastApiCookieService | None = None,
+        launch_data_storage: LaunchDataStorage[t.Any] | None = None,
+    ) -> None:
+        cookie_service = cookie_service or FastApiCookieService(request)
+        session_service = session_service or FastApiSessionService(request)
+        super().__init__(
+            request, tool_config, session_service, cookie_service, launch_data_storage
+        )
+
+    def get_redirect(self, url: str) -> FastApiRedirect:
+        return FastApiRedirect(url, self._cookie_service)
+
+    def get_response(self, html: str) -> Response:
+        return HTMLResponse(html)

ltitoolkit/fastapi/redirect.py

@@ -0,0 +1,54 @@
+"""Redirect adapter producing Starlette responses.
+
+The core asks for two redirect styles: a normal HTTP 302 redirect and a
+JavaScript redirect (used to break out of an iframe / re-assert cookies). Both
+flush any queued cookies (e.g. the short-lived OIDC ``state`` cookie) onto the
+outgoing response.
+"""
+
+from __future__ import annotations
+
+import html
+import typing as t
+
+from starlette.responses import HTMLResponse, RedirectResponse, Response
+
+from ltitoolkit.core.redirect import Redirect
+
+if t.TYPE_CHECKING:
+    from .cookie import FastApiCookieService
+
+
+class FastApiRedirect(Redirect):
+    def __init__(
+        self, location: str, cookie_service: FastApiCookieService | None = None
+    ) -> None:
+        super().__init__()
+        self._location = location
+        self._cookie_service = cookie_service
+
+    def do_redirect(self) -> Response:
+        return self._process_response(
+            RedirectResponse(url=self._location, status_code=302)
+        )
+
+    def do_js_redirect(self) -> Response:
+        safe_location = html.escape(self._location, quote=True)
+        return self._process_response(
+            HTMLResponse(
+                f'<script type="text/javascript">'
+                f'window.location="{safe_location}";'
+                f"</script>"
+            )
+        )
+
+    def set_redirect_url(self, location: str) -> None:
+        self._location = location
+
+    def get_redirect_url(self) -> str:
+        return self._location
+
+    def _process_response(self, response: Response) -> Response:
+        if self._cookie_service:
+            self._cookie_service.update_response(response)
+        return response