--- loncom/lti/ltiauth.pm 2018/01/03 22:04:19 1.4 +++ loncom/lti/ltiauth.pm 2022/03/29 19:37:25 1.35 @@ -1,7 +1,7 @@ # The LearningOnline Network # Basic LTI Authentication Module # -# $Id: ltiauth.pm,v 1.4 2018/01/03 22:04:19 raeburn Exp $ +# $Id: ltiauth.pm,v 1.35 2022/03/29 19:37:25 raeburn Exp $ # # Copyright Michigan State University Board of Trustees # @@ -30,30 +30,57 @@ package Apache::ltiauth; use strict; use LONCAPA qw(:DEFAULT :match); +use Encode; use Apache::Constants qw(:common :http); -use Net::OAuth; use Apache::lonlocal; use Apache::lonnet; use Apache::loncommon; use Apache::lonacc; +use Apache::lonrequestcourse; use LONCAPA::ltiutils; sub handler { my $r = shift; my $requri = $r->uri; + my $hostname = $r->hostname; +# +# Check for existing session, and temporarily delete any form items +# in %env, if session exists +# + my %savedform; + my $handle = &Apache::lonnet::check_for_valid_session($r); + if ($handle ne '') { + foreach my $key (sort(keys(%env))) { + if ($key =~ /^form\.(.+)$/) { + $savedform{$1} = $env{$key}; + delete($env{$key}); + } + } + } # -# Retrieve data POSTed by LTI Consumer on launch +# Retrieve data POSTed by LTI launch # &Apache::lonacc::get_posted_cgi($r); my $params = {}; foreach my $key (sort(keys(%env))) { if ($key =~ /^form\.(.+)$/) { - $params->{$1} = $env{$key}; + $params->{$1} = &Encode::decode('UTF-8',$env{$key}); + } + } +# +# Check for existing session, and restore temporarily +# deleted form items to %env, if session exists. +# + if ($handle ne '') { + if (keys(%savedform)) { + foreach my $key (sort(keys(%savedform))) { + $env{'form.'.$key} = $savedform{$key}; + } } } unless (keys(%{$params})) { - &invalid_request($r,1); + &invalid_request($r,'No parameters included in launch request'); return OK; } @@ -63,7 +90,7 @@ sub handler { $params->{'oauth_version'} && $params->{'oauth_signature'} && $params->{'oauth_signature_method'}) { - &invalid_request($r,2); + &invalid_request($r,'One or more required parameters missing from launch request'); return OK; } @@ -71,12 +98,175 @@ sub handler { # Retrieve "internet domains" for all this institution's LON-CAPA # nodes. # - my ($udom,$uname,$uhome,$cdom,$cnum,$symb,$mapurl,@intdoms); + my @intdoms; my $lonhost = $r->dir_config('lonHostID'); my $internet_names = &Apache::lonnet::get_internet_names($lonhost); if (ref($internet_names) eq 'ARRAY') { @intdoms = @{$internet_names}; } +# +# Determine course's domain in LON-CAPA +# for basic launch using key and secret managed +# in LON-CAPA course (i.e., uri begins /adm/launch) +# + + my ($cdom,$cnum); + +# Note: "internet domain" for course's domain must be one of the +# internet domains for the institution's LON-CAPA servers. +# + if ($requri =~ m{^/adm/launch(|/.*)$}) { + my $tail = $1; + if ($tail =~ m{^/tiny/($match_domain)/(\w+)$}) { + my ($urlcdom,$urlcnum) = &course_from_tinyurl($tail); + if (($urlcdom ne '') && ($urlcnum ne '')) { + $cdom = $urlcdom; + $cnum = $urlcnum; + my $primary_id = &Apache::lonnet::domain($cdom,'primary'); + if ($primary_id ne '') { + my $intdom = &Apache::lonnet::internet_dom($primary_id); + if (($intdom ne '') && (grep(/^\Q$intdom\E$/,@intdoms))) { +# +# Verify the signed request using the secret for LTI link +# protectors for which the key in the POSTed data matches +# keys in the course configuration. +# +# Request is invalid if the signed request could not be verified +# for the key and secret from LON-CAPA course configuration for +# LTI link protectors or from LON-CAPA configuration for the +# course's domain if there are LTI Providers which may be used. +# +# Determine if nonce in POSTed data has expired. +# If unexpired, confirm it has not already been used. +# +# Retrieve information for LTI link protectors in course +# where url was /adm/launch/tiny/$cdom/$uniqueid +# + + my ($itemid,$ltitype,%crslti,%lti_in_use); + $itemid = &get_lti_itemid($requri,$hostname,$params,$cdom,$cnum,'linkprot'); + if ($itemid) { + %crslti = &Apache::lonnet::get_course_lti($cnum,$cdom); + } + if (($itemid) && (ref($crslti{$itemid}) eq 'HASH')) { + $ltitype = 'c'; + if (&LONCAPA::ltiutils::check_nonce($params->{'oauth_nonce'},$params->{'oauth_timestamp'}, + $crslti{$itemid}{'lifetime'},$cdom,$r->dir_config('lonLTIDir'))) { + %lti_in_use = %{$crslti{$itemid}}; + } else { + &invalid_request($r,'Time limit exceeded for launch request credentials'); + return OK; + } + } else { + $itemid = &get_lti_itemid($requri,$hostname,$params,$cdom,'','linkprot'); + my %lti; + if ($itemid) { + %lti = &Apache::lonnet::get_domain_lti($cdom,'linkprot'); + } + if (($itemid) && (ref($lti{$itemid}) eq 'HASH')) { + $ltitype = 'd'; + if (&LONCAPA::ltiutils::check_nonce($params->{'oauth_nonce'},$params->{'oauth_timestamp'}, + $lti{$itemid}{'lifetime'},$cdom, + $r->dir_config('lonLTIDir'))) { + %lti_in_use = %{$lti{$itemid}}; + } else { + &invalid_request($r,'Time limit exceeded for launch request credentials'); + return OK; + } + } + } + if (($itemid) && ($lti_in_use{'requser'})) { + my %courseinfo = &Apache::lonnet::coursedescription($cdom.'_'.$cnum); + my $ltiauth; + if (exists($courseinfo{'internal.ltiauth'})) { + $ltiauth = $courseinfo{'internal.ltiauth'}; + } else { + my %domdefs = &Apache::lonnet::get_domain_defaults($cdom); + $ltiauth = $domdefs{'crsltiauth'}; + } + if ($ltiauth) { + my $possuname; + my $mapuser = $lti_in_use{'mapuser'}; + if ($mapuser eq 'sourcedid') { + if ($params->{'lis_person_sourcedid'} =~ /^$match_username$/) { + $possuname = $params->{'lis_person_sourcedid'}; + } + } elsif ($mapuser eq 'email') { + if ($params->{'lis_person_contact_email_primary'} =~ /^$match_username$/) { + $possuname = $params->{'lis_person_contact_email_primary'}; + } + } elsif (exists($params->{$mapuser})) { + if ($params->{$mapuser} =~ /^$match_username$/) { + $possuname = $params->{$mapuser}; + } + } + if ($possuname ne '') { + my $uhome = &Apache::lonnet::homeserver($possuname,$cdom); + unless ($uhome eq 'no_host') { + my $uname = $possuname; + my ($is_student,$is_nonstudent); + my %course_roles = + &Apache::lonnet::get_my_roles($uname,$cdom,,'userroles',['active'], + ['cc','co','in','ta','ep','ad','st','cr'], + [$cdom]); + foreach my $key (keys(%course_roles)) { + my ($trest,$tdomain,$trole,$sec) = split(/:/,$key); + if (($trest eq $cnum) && ($tdomain eq $cdom)) { + if ($trole eq 'st') { + $is_student = 1; + } else { + $is_nonstudent = 1; + last; + } + } + } + if (($is_student) && (!$is_nonstudent)) { + unless (&Apache::lonnet::is_advanced_user($uname,$cdom)) { + foreach my $key (%{$params}) { + delete($env{'form.'.$key}); + } + &linkprot_session($r,$uname,$cnum,$cdom,$uhome,$itemid,$ltitype,$tail,$lonhost); + return OK; + } + } + } + } + if ($lti_in_use{'notstudent'} eq 'reject') { + &invalid_request($r,'Information for valid user missing from launch request'); + } + } + } + if ($itemid) { + foreach my $key (%{$params}) { + delete($env{'form.'.$key}); + } + my $ltoken = &Apache::lonnet::tmpput({'linkprot' => $itemid.$ltitype.':'.$tail}, + $lonhost,'link'); + if ($ltoken) { + $r->internal_redirect($tail.'?ltoken='.$ltoken); + $r->set_handlers('PerlHandler'=> undef); + } else { + &invalid_request($r,'Failed to store information from launch request'); + } + } else { + &invalid_request($r,'Launch request could not be validated'); + } + } else { + &invalid_request($r,'Launch unavailable on this LON-CAPA server'); + } + } else { + &invalid_request($r,'Launch unavailable for this domain'); + } + } else { + &invalid_request($r,'Invalid launch URL'); + } + } else { + &invalid_request($r,'Invalid launch URL'); + } + return OK; + } + + my ($udom,$uname,$uhome,$symb,$mapurl); # # For user who launched LTI in Consumer, determine user's domain in @@ -139,11 +329,11 @@ sub handler { # Order is: # # (a) from custom_coursedomain item in POSTed data -# (b) from tail of requested URL (after /adm/lti) if it has format of a symb +# (b) from tail of requested URL (after /adm/lti/) if it has format of a symb # (c) from tail of requested URL (after /adm/lti) if it has format of a map # (d) from tail of requested URL (after /adm/lti) if it has format /domain/courseID -# (e) from tail of requested URL (after /adm/lti) if it has format /tiny/domain/... -# i.e., a shortened URL (see bug #6400) -- not implemented yet. +# (e) from tail of requested URL (after /adm/lti) if it has format /tiny/domain/\w+ +# i.e., a shortened URL (see bug #6400). # (f) same as user's domain # # Request invalid if custom_coursedomain is defined and is inconsistent with @@ -172,20 +362,32 @@ sub handler { if ($tail =~ m{^/uploaded/($match_domain)/($match_courseid)/(?:default|supplemental)(?:|_\d+)\.(?:sequence|page)(|___\d+___.+)$}) { ($urlcdom,$urlcnum,my $rest) = ($1,$2,$3); if (($cdom ne '') && ($cdom ne $urlcdom)) { - &invalid_request($r,3); + &invalid_request($r,'Incorrect domain in requested URL'); return OK; } if ($rest eq '') { $mapurl = $tail; } else { $symb = $tail; - $symb =~ s{^/+}{}; + $symb =~ s{^/}{}; + } + } elsif ($tail =~ m{^/res/(?:$match_domain)/(?:$match_username)/.+\.(?:sequence|page)(|___\d+___.+)$}) { + if ($1 eq '') { + $mapurl = $tail; + } else { + $symb = $tail; + $symb =~ s{^/res/}{}; } -#FIXME Need to handle encrypted URLs } elsif ($tail =~ m{^/($match_domain)/($match_courseid)$}) { ($urlcdom,$urlcnum) = ($1,$2); if (($cdom ne '') && ($cdom ne $urlcdom)) { - &invalid_request($r,4); + &invalid_request($r,'Incorrect domain in requested URL'); + return OK; + } + } elsif ($tail =~ m{^/tiny/($match_domain)/(\w+)$}) { + ($urlcdom,$urlcnum) = &course_from_tinyurl($tail); + if (($urlcdom eq '') || ($urlcnum eq '')) { + &invalid_request($r,'Invalid URL shortcut'); return OK; } } @@ -210,53 +412,19 @@ sub handler { } # -# Retrieve information for LTI Consumers in course domain -# and populate hash -- %lti_by_key -- for which keys -# are those defined in domain configuration for LTI. -# - - my %lti = &Apache::lonnet::get_domain_lti($cdom,'provider'); - unless (keys(%lti) > 0) { - &invalid_request($r,5); - return OK; - } - my %lti_by_key; - if (keys(%lti)) { - foreach my $id (keys(%lti)) { - if (ref($lti{$id}) eq 'HASH') { - my $key = $lti{$id}{'key'}; - push(@{$lti_by_key{$key}},$id); - } - } - } - +# Retrieve information for LTI Consumers in course's domain +# defined in domain configuration for LTI. # # Verify the signed request using the secret for those -# Consumers for which the key in the POSTed data matches -# keys in the domain configuration for LTI. +# Consumers for which the key in the POSTed data matches +# keys in the course configuration or the domain configuration +# for LTI. # - my $hostname = $r->hostname; - my $protocol = 'http'; - if ($ENV{'SERVER_PORT'} == 443) { - $protocol = 'https'; - } - my ($itemid,$consumer_key,$secret,@ltiroles); - $consumer_key = $params->{'oauth_consumer_key'}; - if (ref($lti_by_key{$consumer_key}) eq 'ARRAY') { - foreach my $id (@{$lti_by_key{$consumer_key}}) { - if (ref($lti{$id}) eq 'HASH') { - $secret = $lti{$id}{'secret'}; - my $request = Net::OAuth->request('request token')->from_hash($params, - request_url => $protocol.'://'.$hostname.$requri, - request_method => $env{'request.method'}, - consumer_secret => $secret,); - if ($request->verify()) { - $itemid = $id; - last; - } - } - } + my %lti; + my $itemid = &get_lti_itemid($requri,$hostname,$params,$cdom); + if ($itemid) { + %lti = &Apache::lonnet::get_domain_lti($cdom,'provider'); } # @@ -265,7 +433,7 @@ sub handler { # configuration in LON-CAPA for that LTI Consumer. # unless (($itemid) && (ref($lti{$itemid}) eq 'HASH')) { - &invalid_request($r,6); + &invalid_request($r,'Launch request could not be validated'); return OK; } @@ -275,12 +443,37 @@ sub handler { # unless (&LONCAPA::ltiutils::check_nonce($params->{'oauth_nonce'},$params->{'oauth_timestamp'}, $lti{$itemid}{'lifetime'},$cdom,$r->dir_config('lonLTIDir'))) { - &invalid_request($r,7); + &invalid_request($r,'Time limit exceeded for launch request credentials'); + return OK; + } + +# +# Determine if a username is required from the domain +# configuration for the specific LTI Consumer +# + + if (!$lti{$itemid}{'requser'}) { + if ($tail =~ m{^/tiny/($match_domain)/(\w+)$}) { + my $ltitype = 'd'; + foreach my $key (%{$params}) { + delete($env{'form.'.$key}); + } + my $ltoken = &Apache::lonnet::tmpput({'linkprot' => $itemid.$ltitype.':'.$tail}, + $lonhost); + if ($ltoken) { + $r->internal_redirect($tail.'?ltoken='.$ltoken); + $r->set_handlers('PerlHandler'=> undef); + } else { + &invalid_request($r,'Failed to store information from launch request'); + } + } else { + &invalid_request($r,'Launch URL invalid for matched launch credentials'); + } return OK; } # -# Determinine if source of username matches requirement from the +# Determine if source of username matches requirement from the # domain configuration for the specific LTI Consumer. # @@ -308,11 +501,11 @@ sub handler { # # (a) from course mapping (if the link between Consumer "course" and # Provider "course" has been established previously). -# (b) from tail of requested URL (after /adm/lti) if it has format of a symb +# (b) from tail of requested URL (after /adm/lti/) if it has format of a symb # (c) from tail of requested URL (after /adm/lti) if it has format of a map # (d) from tail of requested URL (after /adm/lti) if it has format /domain/courseID -# (e) from tail of requested URL (after /adm/lti) if it has format /tiny/domain/... -# i.e., a shortened URL (see bug #6400) -- not implemented yet. +# (e) from tail of requested URL (after /adm/lti) if it has format /tiny/domain/\w+ +# i.e., a shortened URL (see bug #6400). # # If Consumer course included in POSTed data points as a target course which # has a format which matches a LON-CAPA courseID, but the course does not @@ -332,13 +525,14 @@ sub handler { if ($sourcecrs ne '') { %consumers = &Apache::lonnet::get_dom('lticonsumers',[$sourcecrs],$cdom); if (exists($consumers{$sourcecrs})) { - if ($consumers{$sourcecrs} =~ /^$match_courseid$/) { - my $crshome = &Apache::lonnet::homeserver($consumers{$sourcecrs},$cdom); + if ($consumers{$sourcecrs} =~ /^\Q$itemid:\E($match_courseid)$/) { + my $storedcnum = $1; + my $crshome = &Apache::lonnet::homeserver($storedcnum,$cdom); if ($crshome =~ /(con_lost|no_host|no_such_host)/) { - &invalid_request($r,8); + &invalid_request($r,'Invalid courseID included in launch data'); return OK; } else { - $posscnum = $consumers{$sourcecrs}; + $posscnum = $storedcnum; } } } @@ -347,7 +541,7 @@ sub handler { if ($urlcnum ne '') { if ($posscnum ne '') { if ($posscnum ne $urlcnum) { - &invalid_request($r,9); + &invalid_request($r,'Course ID included in launch data incompatible with URL'); return OK; } else { $cnum = $posscnum; @@ -355,7 +549,7 @@ sub handler { } else { my $crshome = &Apache::lonnet::homeserver($urlcnum,$cdom); if ($crshome =~ /(con_lost|no_host|no_such_host)/) { - &invalid_request($r,10); + &invalid_request($r,'Valid course ID could not be extracted from requested URL'); return OK; } else { $cnum = $urlcnum; @@ -366,43 +560,25 @@ sub handler { } # -# Get LON-CAPA role to use from role-mapping of Consumer roles +# Get LON-CAPA role(s) to use from role-mapping of Consumer roles # defined in domain configuration for the appropriate LTI # Consumer. # -# If multiple LON-CAPA roles are indicated, choose based -# on the order: cc, in, ta, ep, st +# If multiple LON-CAPA roles are indicated for the current user, +# ordering (from first to last) is: cc/co, in, ta, ep, st. # - my $reqrole; - - my @roleorder = ('cc','in','ta','ep','st'); - if ($params->{'roles'} =~ /,/) { - @ltiroles = split(/\s*,\s*/,$params->{'role'}); - } else { - my $singlerole = $params->{'roles'}; - $singlerole =~ s/^\s|\s+$//g; - @ltiroles = ($singlerole); - } - if (@ltiroles) { - if (ref($lti{$itemid}{maproles}) eq 'HASH') { - my %possroles; - map { $possroles{$lti{$itemid}{maproles}{$_}} = 1; } @ltiroles; - my @possibles = keys(%possroles); - if (@possibles == 1) { - if (grep(/^\Q$possibles[0]\E$/,@roleorder)) { - $reqrole = $possibles[0]; - - } - } elsif (@possibles > 1) { - foreach my $item (@roleorder) { - if ($possroles{$item}) { - $reqrole = $item; - last; - } - } - } - } + my (@ltiroles,@lcroles); + my @lcroleorder = ('cc','in','ta','ep','st'); + my ($lcrolesref,$ltirolesref) = + &LONCAPA::ltiutils::get_lc_roles($params->{'roles'}, + \@lcroleorder, + $lti{$itemid}{maproles}); + if (ref($lcrolesref) eq 'ARRAY') { + @lcroles = @{$lcrolesref}; + } + if (ref($ltirolesref) eq 'ARRAY') { + @ltiroles = @{$ltirolesref}; } # @@ -419,115 +595,355 @@ sub handler { foreach my $ltirole (@ltiroles) { if (grep(/^\Q$ltirole\E$/,@{$lti{$itemid}{'makeuser'}})) { $selfcreate = 1; + last; } } } } if ($selfcreate) { -#FIXME Do user creation here. - return OK + my (%rulematch,%inst_results,%curr_rules,%got_rules,%alerts); + my $domdesc = &Apache::lonnet::domain($udom,'description'); + my %data = ( + 'permanentemail' => $env{'form.lis_person_contact_email_primary'}, + 'firstname' => $env{'form.lis_person_name_given'}, + 'lastname' => $env{'form.lis_person_name_family'}, + 'fullname' => $env{'form.lis_person_name_full'}, + ); + my $result = + &LONCAPA::ltiutils::create_user($lti{$itemid},$uname,$udom, + $domdesc,\%data,\%alerts,\%rulematch, + \%inst_results,\%curr_rules,%got_rules); + if ($result eq 'notallowed') { + &invalid_request($r,'Account creation not permitted for this user'); + } elsif ($result eq 'ok') { + if (($ltiroles[0] eq 'Instructor') && ($lcroles[0] eq 'cc') && ($lti{$itemid}{'mapcrs'}) && + ($lti{$itemid}{'makecrs'})) { + unless (&Apache::lonnet::usertools_access($uname,$udom,'lti','reload','requestcourses')) { + &Apache::lonnet::put('environment',{ 'requestcourses.lti' => 'autolimit=', },$udom,$uname); + } + } + } else { + &invalid_request($r,'An error occurred during account creation'); + return OK; + } } else { - &invalid_request($r,11); + &invalid_request($r,'Account creation not permitted'); return OK; - } - } + } + } } else { - &invalid_request($r,12); + &invalid_request($r,'Could not determine username and/or domain for user'); return OK; } # # If no LON-CAPA course available, check if domain's configuration # for the specific LTI Consumer allows a new course to be created -# (requires role in Consumer to be: Instructor). +# (requires role in Consumer to be: Instructor and Instructor to map to CC) # + my $reqcrs; if ($cnum eq '') { - if ((@ltiroles) && (grep(/^Instructor$/,@ltiroles)) && - ($lti{$itemid}{'mapcrs'})) { -#FIXME Create a new LON-CAPA course here. - return OK; + if ($lti{$itemid}{'crsinc'}) { + if ((@ltiroles) && ($lti{$itemid}{'mapcrs'}) && + ($ltiroles[0] eq 'Instructor') && ($lcroles[0] eq 'cc') && ($lti{$itemid}{'makecrs'})) { + my (%can_request,%request_domains); + &Apache::lonnet::check_can_request($cdom,\%can_request,\%request_domains,$uname,$udom); + if ($can_request{'lti'}) { + $reqcrs = 1; + <i_session($r,$itemid,$uname,$udom,$uhome,$lonhost,undef,$mapurl,$tail, + $symb,$cdom,$cnum,$params,\@ltiroles,$lti{$itemid},\@lcroles, + $reqcrs,$sourcecrs); + } else { + &invalid_request($r,'No LON-CAPA course available, and creation is not permitted for this user'); + } + } else { + &invalid_request($r,'No LON-CAPA course available, and creation is not permitted'); + } } else { - &invalid_request($r,13); - return OK; + <i_session($r,$itemid,$uname,$udom,$uhome,$lonhost,undef,$mapurl,$tail, + $symb,$cdom,$cnum,$params,\@ltiroles,$lti{$itemid},\@lcroles, + $reqcrs,$sourcecrs); } + return OK; } # # If LON-CAPA course is a Community, and LON-CAPA role # indicated is cc, change role indicated to co. -# +# - if ($reqrole eq 'cc') { + my %crsenv; + if ($lcroles[0] eq 'cc') { if (($cdom ne '') && ($cnum ne '')) { - my %crsenv = &Apache::lonnet::coursedescription($cnum.'_'.$cdom,{ 'one_time' => 1,}); + %crsenv = &Apache::lonnet::coursedescription($cdom.'_'.$cnum,{ 'one_time' => 1,}); if ($crsenv{'type'} eq 'Community') { - $reqrole = 'co'; + $lcroles[0] = 'co'; } } } # -# Determine if user has required LON-CAPA role -# in the mapped LON-CAPA course. +# Determine if user has a LON-CAPA role in the mapped LON-CAPA course. +# If multiple LON-CAPA roles are available for the user's assigned LTI roles, +# choose the first available LON-CAPA role in the order: cc/co, in, ta, ep, st # - my $role; - my %crsroles = &Apache::lonnet::get_my_roles($uname,$udom,'userroles',undef,[$reqrole],[$cdom]); - if (exists($crsroles{$cnum.':'.$cdom.':'.$reqrole})) { - $role = $reqrole.'./'.$cdom.'/'.$cnum; -#FIXME Need to accommodate sections - } elsif (ref($lti{$itemid}{'selfenroll'}) eq 'ARRAY') { - if (grep(/^\Q$reqrole\E$/,@{$lti{$itemid}{'selfenroll'}})) { -#FIXME Do self-enrollment here + my ($role,$usec,$withsec); + unless ((($lcroles[0] eq 'cc') || ($lcroles[0] eq 'co')) && (@lcroles == 1)) { + if ($lti{$itemid}{'section'} ne '') { + if ($lti{$itemid}{'section'} eq 'course_section_sourcedid') { + if ($env{'form.course_section_sourcedid'} !~ /\W/) { + $usec = $env{'form.course_section_sourcedid'}; + } + } elsif ($env{'form.'.$lti{$itemid}{'section'}} !~ /\W/) { + $usec = $env{'form.'.$lti{$itemid}{'section'}}; + } + } + if ($usec ne '') { + $withsec = 1; + } + } + + if (@lcroles) { + my %crsroles = &Apache::lonnet::get_my_roles($uname,$udom,'userroles',undef,\@lcroles, + [$cdom],$withsec); + foreach my $reqrole (@lcroles) { + if ($withsec) { + my $incsec; + if (($reqrole eq 'cc') || ($reqrole eq 'co')) { + $incsec = ''; + } else { + $incsec = $usec; + } + if (exists($crsroles{$cnum.':'.$cdom.':'.$reqrole.':'.$incsec})) { + $role = $reqrole.'./'.$cdom.'/'.$cnum; + if ($incsec ne '') { + $role .= '/'.$usec; + } + last; + } + } else { + if (exists($crsroles{$cnum.':'.$cdom.':'.$reqrole})) { + $role = $reqrole.'./'.$cdom.'/'.$cnum; + last; + } + } + } + } + +# +# Determine if user can selfenroll +# + + my ($reqrole,$selfenrollrole); + if ($role eq '') { + if ((@ltiroles) && (ref($lti{$itemid}{'selfenroll'}) eq 'ARRAY')) { + foreach my $ltirole (@ltiroles) { + if (grep(/^\Q$ltirole\E$/,@{$lti{$itemid}{'selfenroll'}})) { + if (ref($lti{$itemid}{maproles}) eq 'HASH') { + $reqrole = $lti{$itemid}{maproles}{$ltirole}; + last; + } + } + } + } + if ($reqrole eq '') { + &invalid_request($r,'No matching role available in LON-CAPA course, and not permitted to self-enroll'); return OK; } else { - &invalid_request($r,14); - return OK; + unless (%crsenv) { + %crsenv = &Apache::lonnet::coursedescription($cdom.'_'.$cnum); + } + my $default_enrollment_start_date = $crsenv{'default_enrollment_start_date'}; + my $default_enrollment_end_date = $crsenv{'default_enrollment_end_date'}; + my $now = time; + if ($default_enrollment_end_date && $default_enrollment_end_date <= $now) { + &invalid_request($r,'No active role available in LON-CAPA course, and past end date for self-enrollment'); + return OK; + } elsif ($default_enrollment_start_date && $default_enrollment_start_date >$now) { + &invalid_request($r,'No active role available in LON-CAPA course, and brefor start date for self-enrollment'); + return OK; + } else { + $selfenrollrole = $reqrole.'./'.$cdom.'/'.$cnum; + if (($withsec) && ($reqrole ne 'cc') && ($reqrole ne 'co')) { + if ($usec ne '') { + $selfenrollrole .= '/'.$usec; + } + } + } } } # -# Store consumer-to-LON-CAPA course mapping -# - if (($sourcecrs ne '') && ($consumers{$sourcecrs} eq '') && ($cnum ne '')) { - &Apache::lonnet::put_dom('lticonsumers',{ $sourcecrs => $cnum },$cdom); +# Retrieve course type of LON-CAPA course to check if mapping from a Consumer +# course identifier permitted for this type of course (one of: official, +# unofficial, community, textbook, placement or lti. +# + + unless (%crsenv) { + %crsenv = &Apache::lonnet::coursedescription($cdom.'_'.$cnum); + } + my $crstype = lc($crsenv{'type'}); + if ($crstype eq '') { + $crstype = 'course'; + } + if ($crstype eq 'course') { + if ($crsenv{'internal.coursecode'}) { + $crstype = 'official'; + } elsif ($crsenv{'internal.textbook'}) { + $crstype = 'textbook'; + } elsif ($crsenv{'internal.lti'}) { + $crstype = 'lti'; + } else { + $crstype = 'unofficial'; + } } # -# Check if user should be hosted here or switched to another server. +# Store consumer-to-LON-CAPA course mapping if permitted # - &Apache::lonnet::logthis(" LTI authorized user: $uname:$udom role: $role course: $cdom\_$cnum"); - $r->user($uname); - my ($is_balancer,$otherserver,$hosthere); - ($is_balancer,$otherserver) = - &Apache::lonnet::check_loadbalancing($uname,$udom,'login'); - if ($is_balancer) { - if ($otherserver eq '') { - my $lowest_load; - ($otherserver,undef,undef,undef,$lowest_load) = &Apache::lonnet::choose_server($udom); - if ($lowest_load > 100) { - $otherserver = &Apache::lonnet::spareserver($lowest_load,$lowest_load,1,$udom); + if (($lti{$itemid}{'storecrs'}) && ($sourcecrs ne '') && + ($consumers{$sourcecrs} eq '') && ($cnum ne '')) { + if (ref($lti{$itemid}{'mapcrstype'}) eq 'ARRAY') { + if (grep(/^$crstype$/,@{$lti{$itemid}{'mapcrstype'}})) { + &Apache::lonnet::put_dom('lticonsumers',{ $sourcecrs => $itemid.':'.$cnum },$cdom); } } - if ($otherserver ne '') { - my @hosts = &Apache::lonnet::current_machine_ids(); - if (grep(/^\Q$otherserver\E$/,@hosts)) { - $hosthere = $otherserver; - } + } + +# +# Start user session +# + + <i_session($r,$itemid,$uname,$udom,$uhome,$lonhost,$role,$mapurl,$tail,$symb, + $cdom,$cnum,$params,\@ltiroles,$lti{$itemid},\@lcroles,undef,$sourcecrs, + $selfenrollrole); + return OK; +} + +sub get_lti_itemid { + my ($requri,$hostname,$params,$cdom,$cnum,$context) = @_; + return unless (ref($params) eq 'HASH'); + my $protocol = 'http'; + if ($ENV{'SERVER_PORT'} == 443) { + $protocol = 'https'; + } + my $url = $protocol.'://'.$hostname.$requri; + my $method = $env{'request.method'}; + if ($cnum ne '') { + return &Apache::lonnet::courselti_itemid($cnum,$cdom,$url,$method,$params,$context); + } else { + return &Apache::lonnet::domainlti_itemid($cdom,$url,$method,$params,$context); + } +} + +sub lti_enroll { + my ($uname,$udom,$selfenrollrole) = @_; + my $enrollresult; + my ($role,$cdom,$cnum,$sec) = + ($selfenrollrole =~ m{^(\w+)\./($match_domain)/($match_courseid)(?:|/(\w*))$}); + if (($cnum ne '') && ($cdom ne '')) { + my $chome = &Apache::lonnet::homeserver($cnum,$cdom); + if ($chome ne 'no_host') { + my %coursehash = &Apache::lonnet::coursedescription($cdom.'_'.$cnum); + my $start = $coursehash{'default_enrollment_start_date'}; + my $end = $coursehash{'default_enrollment_end_date'}; + $enrollresult = &LONCAPA::ltiutils::enrolluser($udom,$uname,$role,$cdom,$cnum,$sec, + $start,$end,1); } } + return $enrollresult; +} + +sub lti_reqcrs { + my ($r,$cdom,$form,$uname,$udom) = @_; + my (%can_request,%request_domains); + &Apache::lonnet::check_can_request($cdom,\%can_request,\%request_domains,$uname,$udom); + if ($can_request{'lti'}) { + my %domconfig = &Apache::lonnet::get_dom('configuration',['requestcourses'],$cdom); + my %domdefs = &Apache::lonnet::get_domain_defaults($cdom); + &Apache::lonrequestcourse::print_textbook_form($r,$cdom,[$cdom],\%domdefs, + $domconfig{'requestcourses'}, + \%can_request,'lti',$form); + } else { + $r->print( + &Apache::loncommon::start_page('Invalid LTI call',undef,{'only_body' => 1}). + &mt('Invalid LTI call'). + &Apache::loncommon::end_page() + ); + } +} + +sub lti_session { + my ($r,$itemid,$uname,$udom,$uhome,$lonhost,$role,$mapurl,$tail,$symb,$cdom,$cnum, + $params,$ltiroles,$ltihash,$lcroles,$reqcrs,$sourcecrs,$selfenrollrole) = @_; + return unless ((ref($params) eq 'HASH') && (ref($ltiroles) eq 'ARRAY') && + (ref($ltihash) eq 'HASH') && (ref($lcroles) eq 'ARRAY')); +# +# Check if user should be hosted here or switched to another server. +# + $r->user($uname); + if ($cnum) { + if ($role) { + &Apache::lonnet::logthis(" LTI authorized user ($itemid): $uname:$udom, role: $role, course: $cdom\_$cnum"); + } elsif ($selfenrollrole =~ m{^(\w+)\./$cdom/$cnum}) { + &Apache::lonnet::logthis(" LTI authorized user ($itemid): $uname:$udom, desired role: $1 course: $cdom\_$cnum"); + } + } else { + &Apache::lonnet::logthis(" LTI authorized user ($itemid): $uname:$udom, course dom: $cdom"); + } + my ($is_balancer,$otherserver,$hosthere) = &check_balancer($r,$uname,$udom); + my $protocol = 'http'; + if ($ENV{'SERVER_PORT'} == 443) { + $protocol = 'https'; + } if (($is_balancer) && (!$hosthere)) { # login but immediately go to switch server. &Apache::lonauth::success($r,$uname,$udom,$uhome,'noredirect'); + if (($ltihash->{'callback'}) && ($params->{$ltihash->{'callback'}})) { + &LONCAPA::ltiutils::setup_logout_callback($uname,$udom,$otherserver, + $ltihash->{'key'}, + $ltihash->{'secret'}, + $params->{$ltihash->{'callback'}}, + $r->dir_config('ltiIDsDir'), + $protocol,$r->hostname); + } if ($symb) { $env{'form.symb'} = $symb; + $env{'request.lti.uri'} = $tail; + } else { + if ($mapurl) { + $env{'form.origurl'} = $mapurl; + $env{'request.lti.uri'} = $mapurl; + } elsif ($tail =~ m{^\Q/tiny/$cdom/\E\w+$}) { + $env{'form.origurl'} = $tail; + $env{'request.lti.uri'} = $tail; + } elsif ($tail eq "/$cdom/$cnum") { + $env{'form.origurl'} = '/adm/navmaps'; + $env{'request.lti.uri'} = $tail; + } else { + unless ($tail eq '/adm/roles') { + if ($cnum) { + $env{'form.origurl'} = '/adm/navmaps'; + } + } + } } if ($role) { $env{'form.role'} = $role; } - if ($lti{$itemid}{'passback'}) { + if (($lcroles->[0] eq 'cc') && ($reqcrs)) { + $env{'request.lti.reqcrs'} = 1; + $env{'request.lti.reqrole'} = 'cc'; + $env{'request.lti.sourcecrs'} = $sourcecrs; + } + if ($selfenrollrole) { + $env{'request.lti.selfenrollrole'} = $selfenrollrole; + $env{'request.lti.sourcecrs'} = $sourcecrs; + } + if ($ltihash->{'passback'}) { if ($params->{'lis_result_sourcedid'}) { $env{'request.lti.passbackid'} = $params->{'lis_result_sourcedid'}; } @@ -535,16 +951,19 @@ sub handler { $env{'request.lti.passbackurl'} = $params->{'lis_outcome_service_url'}; } } - if (($lti{$itemid}{'roster'}) && (grep(/^Instructor$/,@ltiroles))) { + if (($ltihash->{'roster'}) && (grep(/^Instructor$/,@{$ltiroles}))) { if ($params->{'ext_ims_lis_memberships_id'}) { - $env{'request.lti.rosterid'} = $params->{'ext_ims_lis_memberships_id'}; + $env{'request.lti.rosterid'} = $params->{'ext_ims_lis_memberships_id'}; } if ($params->{'ext_ims_lis_memberships_url'}) { $env{'request.lti.rosterurl'} = $params->{'ext_ims_lis_memberships_url'}; } } - $env{'request.lti.login'} = 1; - foreach my $key (%{$params}) { + $env{'request.lti.login'} = $itemid; + if ($params->{'launch_presentation_document_target'}) { + $env{'request.lti.target'} = $params->{'launch_presentation_document_target'}; + } + foreach my $key (keys(%{$params})) { delete($env{'form.'.$key}); } my $redirecturl = '/adm/switchserver'; @@ -554,25 +973,41 @@ sub handler { $r->internal_redirect($redirecturl); $r->set_handlers('PerlHandler'=> undef); } else { - # need to login them in, so generate the need data that - # migrate expects to do login - foreach my $key (%{$params}) { + # need to login them in, so generate the data migrate expects to do login + foreach my $key (keys(%{$params})) { delete($env{'form.'.$key}); } + if (($ltihash->{'callback'}) && ($params->{$ltihash->{'callback'}})) { + &LONCAPA::ltiutils::setup_logout_callback($uname,$udom,$lonhost, + $ltihash->{'key'}, + $ltihash->{'secret'}, + $params->{$ltihash->{'callback'}}, + $r->dir_config('ltiIDsDir'), + $protocol,$r->hostname); + } my $ip = $r->get_remote_host(); my %info=('ip' => $ip, 'domain' => $udom, 'username' => $uname, 'server' => $lonhost, - 'lti.login' => 1, + 'lti.login' => $itemid, + 'lti.uri' => $tail, ); if ($role) { $info{'role'} = $role; } if ($symb) { - $info{'symb'} = $symb; + $info{'symb'} = $symb; + } + if (($lcroles->[0] eq 'cc') && ($reqcrs)) { + $info{'lti.reqcrs'} = 1; + $info{'lti.reqrole'} = 'cc'; + $info{'lti.sourcecrs'} = $sourcecrs; } - if ($lti{$itemid}{'passback'}) { + if ($selfenrollrole) { + $info{'lti.selfenrollrole'} = $selfenrollrole; + } + if ($ltihash->{'passback'}) { if ($params->{'lis_result_sourcedid'}) { $info{'lti.passbackid'} = $params->{'lis_result_sourcedid'} } @@ -580,7 +1015,7 @@ sub handler { $info{'lti.passbackurl'} = $params->{'lis_outcome_service_url'} } } - if (($lti{$itemid}{'roster'}) && (grep(/^Instructor$/,@ltiroles))) { + if (($ltihash->{'roster'}) && (grep(/^Instructor$/,@{$ltiroles}))) { if ($params->{'ext_ims_lis_memberships_id'}) { $info{'lti.rosterid'} = $params->{'ext_ims_lis_memberships_id'}; } @@ -588,15 +1023,20 @@ sub handler { $info{'lti.rosterurl'} = $params->{'ext_ims_lis_memberships_url'}; } } + if ($params->{'launch_presentation_document_target'}) { + $info{'lti.target'} = $params->{'launch_presentation_document_target'}; + } + unless ($info{'symb'}) { if ($mapurl) { $info{'origurl'} = $mapurl; - if ($mapurl =~ m{/default_\d+\.sequence$}) { - $info{'origurl'} .= (($mapurl =~/\?/)?'&':'?').'navmap=1'; - } + } elsif ($tail =~ m{^\Q/tiny/$cdom/\E\w+$}) { + $info{'origurl'} = $tail; } else { unless ($tail eq '/adm/roles') { - $info{'origurl'} = '/adm/navmaps'; + if ($cnum) { + $info{'origurl'} = '/adm/navmaps'; + } } } } @@ -608,11 +1048,75 @@ sub handler { $r->internal_redirect('/adm/migrateuser'); $r->set_handlers('PerlHandler'=> undef); } - return OK; + return; +} + +sub linkprot_session { + my ($r,$uname,$cnum,$cdom,$uhome,$itemid,$ltitype,$dest,$lonhost) = @_; + $r->user($uname); + if ($ltitype eq 'c') { + &Apache::lonnet::logthis("Course Link Protector ($itemid) authorized student: $uname:$cdom, course: $cdom\_$cnum"); + } elsif ($ltitype eq 'd') { + &Apache::lonnet::logthis("Domain LTI for link protection ($itemid) authorized student: $uname:$cdom, course: $cdom\_$cnum"); + } + my ($is_balancer,$otherserver,$hosthere) = &check_balancer($r,$uname,$cdom); + if (($is_balancer) && (!$hosthere)) { + # login but immediately go to switch server + &Apache::lonauth::success($r,$uname,$cdom,$uhome,'noredirect'); + $env{'form.origurl'} = $dest; + $env{'request.linkprot'} = $itemid.$ltitype.':'.$dest; + $env{'request.deeplink.login'} = $dest; + my $redirecturl = '/adm/switchserver'; + if ($otherserver ne '') { + $redirecturl .= '?otherserver='.$otherserver; + } + $r->internal_redirect($redirecturl); + $r->set_handlers('PerlHandler'=> undef); + } else { + # need to login them in, so generate the data migrate expects to do login + my $ip = $r->get_remote_host(); + my %info=('ip' => $ip, + 'domain' => $cdom, + 'username' => $uname, + 'server' => $lonhost, + 'linkprot' => $itemid.$ltitype.':'.$dest, + 'home' => $uhome, + 'origurl' => $dest, + 'deeplink.login' => $dest, + ); + my $token = &Apache::lonnet::tmpput(\%info,$lonhost); + $env{'form.token'} = $token; + $r->internal_redirect('/adm/migrateuser'); + $r->set_handlers('PerlHandler'=> undef); + } + return; +} + +sub check_balancer { + my ($r,$uname,$udom) = @_; + my ($is_balancer,$otherserver,$hosthere); + ($is_balancer,$otherserver) = + &Apache::lonnet::check_loadbalancing($uname,$udom,'login'); + if ($is_balancer) { + if ($otherserver eq '') { + my $lowest_load; + ($otherserver,undef,undef,undef,$lowest_load) = &Apache::lonnet::choose_server($udom); + if ($lowest_load > 100) { + $otherserver = &Apache::lonnet::spareserver($r,$lowest_load,$lowest_load,1,$udom); + } + } + if ($otherserver ne '') { + my @hosts = &Apache::lonnet::current_machine_ids(); + if (grep(/^\Q$otherserver\E$/,@hosts)) { + $hosthere = $otherserver; + } + } + } + return ($is_balancer,$otherserver,$hosthere); } sub invalid_request { - my ($r,$num) = @_; + my ($r,$msg) = @_; &Apache::loncommon::content_type($r,'text/html'); $r->send_http_header; if ($r->header_only) { @@ -620,10 +1124,39 @@ sub invalid_request { } &Apache::lonlocal::get_language_handle($r); $r->print( - &Apache::loncommon::start_page('Invalid LTI call'). - &mt('Invalid LTI call [_1]',$num). + &Apache::loncommon::start_page('Invalid LTI call','',{ 'only_body' => 1,}). + '
'. + &mt('Launch of LON-CAPA is unavailable from the "external tool" link you had followed in another web application.'). + &mt('Launch failed for the following reason:'). + '
'. + ''.$msg.'
'. &Apache::loncommon::end_page()); return; } +sub course_from_tinyurl { + my ($tail) = @_; + my ($urlcdom,$urlcnum); + if ($tail =~ m{^/tiny/($match_domain)/(\w+)$}) { + ($urlcdom,my $key) = ($1,$2); + my $tinyurl; + my ($result,$cached)=&Apache::lonnet::is_cached_new('tiny',$urlcdom."\0".$key); + if (defined($cached)) { + $tinyurl = $result; + } else { + my $configuname = &Apache::lonnet::get_domainconfiguser($urlcdom); + my %currtiny = &Apache::lonnet::get('tiny',[$key],$urlcdom,$configuname); + if ($currtiny{$key} ne '') { + $tinyurl = $currtiny{$key}; + &Apache::lonnet::do_cache_new('tiny',$urlcdom."\0".$key,$currtiny{$key},600); + } + } + if ($tinyurl ne '') { + $urlcnum = (split(/\&/,$tinyurl))[0]; + } + } + return ($urlcdom,$urlcnum); +} + 1;