Lti 1.3 plus roster update

.gitignore

@@ -19,3 +19,7 @@ tags
 vendor/
 .idea
 .data
+composer.phar
+composer.lock
+app/config/**/*.key
+.DS_Store

Dockerfile-app

@@ -10,7 +10,7 @@ RUN apt-get update && apt-get install --no-install-recommends --no-install-sugge
     && rm -rf /var/lib/apt/lists/* \
     && ln -s /usr/lib/x86_64-linux-gnu/libldap.so /usr/lib/libldap.so \
     && ln -s /usr/lib/x86_64-linux-gnu/liblber.so /usr/lib/liblber.so \
-    && docker-php-ext-install -j$(nproc) xml gd ldap mysqli \
+    && docker-php-ext-install -j$(nproc) xml gd ldap mysqli intl \
     && pecl install timezonedb \
     && docker-php-ext-enable timezonedb \
     && curl https://getcomposer.org/download/1.8.4/composer.phar -o /usr/local/bin/composer \

Dockerfile-app-unittest

@@ -12,7 +12,7 @@ RUN apt-get update && apt-get install --no-install-recommends --no-install-sugge
     && rm -rf /var/lib/apt/lists/* \
     && ln -s /usr/lib/x86_64-linux-gnu/libldap.so /usr/lib/libldap.so \
     && ln -s /usr/lib/x86_64-linux-gnu/liblber.so /usr/lib/liblber.so \
-    && docker-php-ext-install -j$(nproc) xml gd ldap mysqli pdo_mysql\
+    && docker-php-ext-install -j$(nproc) xml gd ldap mysqli pdo_mysql intl \
     && pecl install timezonedb \
     && docker-php-ext-enable timezonedb \
     && curl https://getcomposer.org/download/1.8.4/composer.phar -o /usr/local/bin/composer \

app/config/lti13/canvas/Dockerfile.diff

@@ -0,0 +1,5 @@
+105c105,106
+< RUN COMPILE_ASSETS_NPM_INSTALL=0 bundle exec rake canvas:compile_assets
+---
+> # RUN COMPILE_ASSETS_NPM_INSTALL=0 bundle exec rake canvas:compile_assets
+> RUN COMPILE_ASSETS_BUILD_JS=0 bundle exec rake canvas:compile_assets_dev

app/config/lti13/canvas/postgres-Dockerfile.diff

@@ -0,0 +1,5 @@
+18a19
+>     postgresql-server-dev-9.6 \
+32a34,35
+>     postgresql-server-dev-9.6 \
+>     postgresql-client-9.6 \

app/config/lti13/ipeer/Cookie.php.diff

@@ -0,0 +1,13 @@
+26a27,38
+>         if (PHP_VERSION_ID < 70300) {
+>             $options += [
+>                 'path' => "/",
+>                 'domain' => "",
+>                 'secure' => false,
+>                 'httponly' => false
+>             ];
+>             extract(array_merge($cookie_options, $options)); // => $expires, $path, $domain, $secure, $httponly
+>             setcookie("LEGACY_" . $name, $value, $expires, $path, $domain, $secure, $httponly);
+>             return $this;
+>         }
+> 

app/config/lti13/registration.json

@@ -0,0 +1,24 @@
+{
+    "https://lti-ri.imsglobal.org": {
+        "client_id": "ipeer-lti13-001",
+        "auth_login_url": "https://lti-ri.imsglobal.org/platforms/652/authorizations/new",
+        "auth_token_url": "https://lti-ri.imsglobal.org/platforms/652/access_tokens",
+        "key_set_url": "https://lti-ri.imsglobal.org/platforms/652/platform_keys/654.json",
+        "private_key_file": "app/config/lti13/tool.private.key",
+        "deployment": [
+            "1"
+        ]
+    },
+    "https://canvas.instructure.com": {
+        "client_id": "10000000000001",
+        "auth_login_url": "http://canvas.docker/api/lti/authorize_redirect",
+        "auth_token_url": "http://canvas.docker/login/oauth2/token",
+        "key_set_url": "http://canvas.docker/api/lti/security/jwks",
+        "private_key_file": "app/config/lti13/tool.private.key",
+        "deployment": [
+            "1:4dde05e8ca1973bcca9bffc13e1548820eee93a3",
+            "2:f97330a96452fc363a34e0ef6d8d0d3e9e1007d2",
+            "3:d3a2504bba5184799a38f141e8df2335cfa8206d"
+        ]
+    }
+}

app/config/routes.php

@@ -32,6 +32,7 @@
  * */
 
 if (IS_INSTALLED) {
+
   // Disable access to the installer by redirecting all attempts to access
   // the installer to the index page. Except for install5, which is needed
   // to tell the user that an install was successful.

app/config/sql/delta_18.sql

@@ -0,0 +1,47 @@
+ALTER TABLE `users` MODIFY `lti_id` varchar(64) NULL DEFAULT NULL;
+
+ALTER TABLE `courses` MODIFY `canvas_id` varchar(64) NULL DEFAULT NULL;
+DROP INDEX IF EXISTS `canvas_id` ON `courses`;
+ALTER TABLE `courses` ADD INDEX `canvas_id` (`canvas_id`);
+
+DROP TABLE IF EXISTS `lti_platform_deployments`;
+CREATE TABLE `lti_platform_deployments` (
+  `iss` varchar(255) NOT NULL,
+  `deployment` varchar(64) NOT NULL COMMENT 'Platform deployment ID hash. https://purl.imsglobal.org/spec/lti/claim/deployment_id',
+  KEY `iss` (`iss`)
+) ENGINE=InnoDB AUTO_INCREMENT=0 DEFAULT CHARSET=utf8;
+
+INSERT INTO `lti_platform_deployments` VALUES
+('https://lti-ri.imsglobal.org', '1'),
+('https://canvas.instructure.com', '1:4dde05e8ca1973bcca9bffc13e1548820eee93a3'),
+('https://canvas.instructure.com', '2:f97330a96452fc363a34e0ef6d8d0d3e9e1007d2'),
+('https://canvas.instructure.com', '3:d3a2504bba5184799a38f141e8df2335cfa8206d');
+
+DROP TABLE IF EXISTS `lti_tool_registrations`;
+CREATE TABLE `lti_tool_registrations` (
+  `iss` varchar(255) NOT NULL,
+  `client_id` varchar(255) NOT NULL,
+  `auth_login_url` varchar(255) NOT NULL,
+  `auth_token_url` varchar(255) NOT NULL,
+  `key_set_url` varchar(255) NOT NULL,
+  `private_key_file` varchar(255) NOT NULL,
+  PRIMARY KEY `iss` (`iss`)
+) ENGINE=InnoDB AUTO_INCREMENT=0 DEFAULT CHARSET=utf8;
+
+INSERT INTO `lti_tool_registrations` VALUES
+(
+  'https://lti-ri.imsglobal.org',
+  'ipeer-lti13-001',
+  'https://lti-ri.imsglobal.org/platforms/652/authorizations/new',
+  'https://lti-ri.imsglobal.org/platforms/652/access_tokens',
+  'https://lti-ri.imsglobal.org/platforms/652/platform_keys/654.json',
+  'app/config/lti13/tool.private.key'
+),
+(
+  'https://canvas.instructure.com',
+  '10000000000001',
+  'http://canvas.docker/api/lti/authorize_redirect',
+  'http://canvas.docker/login/oauth2/token',
+  'http://canvas.docker/api/lti/security/jwks',
+  'app/config/lti13/tool.private.key'
+);

app/config/sql/ipeer_samples_data.sql

@@ -2391,3 +2391,52 @@ CREATE TABLE IF NOT EXISTS `jobs` (
 -- store course term
 ALTER TABLE `courses` ADD COLUMN `term` VARCHAR(50) NULL DEFAULT NULL;
 --- END: Added by DB upgrade to version 17
+
+--- START: Added by DB upgrade to version 18
+ALTER TABLE `users` MODIFY `lti_id` varchar(64) NULL DEFAULT NULL;
+
+ALTER TABLE `courses` MODIFY `canvas_id` varchar(64) NULL DEFAULT NULL;
+ALTER TABLE `courses` ADD INDEX `canvas_id` (`canvas_id`);
+
+DROP TABLE IF EXISTS `lti_platform_deployments`;
+CREATE TABLE `lti_platform_deployments` (
+  `iss` varchar(255) NOT NULL,
+  `deployment` varchar(64) NOT NULL COMMENT 'Platform deployment ID hash. https://purl.imsglobal.org/spec/lti/claim/deployment_id',
+  KEY `iss` (`iss`)
+) ENGINE=InnoDB AUTO_INCREMENT=0 DEFAULT CHARSET=utf8;
+
+INSERT INTO `lti_platform_deployments` VALUES
+('https://lti-ri.imsglobal.org', '1'),
+('https://canvas.instructure.com', '1:4dde05e8ca1973bcca9bffc13e1548820eee93a3'),
+('https://canvas.instructure.com', '2:f97330a96452fc363a34e0ef6d8d0d3e9e1007d2'),
+('https://canvas.instructure.com', '3:d3a2504bba5184799a38f141e8df2335cfa8206d');
+
+DROP TABLE IF EXISTS `lti_tool_registrations`;
+CREATE TABLE `lti_tool_registrations` (
+  `iss` varchar(255) NOT NULL,
+  `client_id` varchar(255) NOT NULL,
+  `auth_login_url` varchar(255) NOT NULL,
+  `auth_token_url` varchar(255) NOT NULL,
+  `key_set_url` varchar(255) NOT NULL,
+  `private_key_file` varchar(255) NOT NULL,
+  PRIMARY KEY `iss` (`iss`)
+) ENGINE=InnoDB AUTO_INCREMENT=0 DEFAULT CHARSET=utf8;
+
+INSERT INTO `lti_tool_registrations` VALUES
+(
+    'https://lti-ri.imsglobal.org',
+    'ipeer-lti13-001',
+    'https://lti-ri.imsglobal.org/platforms/652/authorizations/new',
+    'https://lti-ri.imsglobal.org/platforms/652/access_tokens',
+    'https://lti-ri.imsglobal.org/platforms/652/platform_keys/654.json',
+    'app/config/lti13/tool.private.key'
+),
+(
+    'https://canvas.instructure.com',
+    '10000000000001',
+    'http://canvas.docker/api/lti/authorize_redirect',
+    'http://canvas.docker/login/oauth2/token',
+    'http://canvas.docker/api/lti/security/jwks',
+    'app/config/lti13/tool.private.key'
+);
+--- END: Added by DB upgrade to version 18

app/controllers/components/lti_requester.php

@@ -8,14 +8,16 @@
  * is that some of the libraries aren't compliant, so couldn't talk to Moodle's
  * OAuth module.
  * ***************************/
+
 /**
  * LtiRequesterComponent
  *
- * @uses Object
- * @package   CTLT.iPeer
- * @author    John Hsu <[email protected]>
- * @copyright 2012 All rights reserved.
- * @license   MIT {@link http://www.opensource.org/licenses/MIT}
+ * @deprecated since 3.4.5
+ * @uses       Object
+ * @package    CTLT.iPeer
+ * @author     John Hsu <[email protected]>
+ * @copyright  2012 All rights reserved.
+ * @license    MIT {@link http://www.opensource.org/licenses/MIT}
  */
 class LtiRequesterComponent extends CakeObject
 {

app/controllers/components/lti_verifier.php

@@ -12,11 +12,12 @@
 /**
  * LtiVerifierComponent
  *
- * @uses Object
- * @package   CTLT.iPeer
- * @author    John Hsu <[email protected]>
- * @copyright 2012 All rights reserved.
- * @license   MIT {@link http://www.opensource.org/licenses/MIT}
+ * @deprecated since 3.4.5
+ * @uses       Object
+ * @package    CTLT.iPeer
+ * @author     John Hsu <[email protected]>
+ * @copyright  2012 All rights reserved.
+ * @license    MIT {@link http://www.opensource.org/licenses/MIT}
  */
 class LtiVerifierComponent extends CakeObject
 {

app/controllers/lti13_controller.php

@@ -0,0 +1,149 @@
+<?php
+App::import('Lib', 'Lti13Bootstrap');
+App::import('Model', 'Lti13');
+
+use IMSGlobal\LTI\LTI_Exception;
+use IMSGlobal\LTI\LTI_OIDC_Login;
+use IMSGlobal\LTI\OIDC_Exception;
+
+/**
+ * LTI 1.3 Controller
+ *
+ * @uses      AppController
+ * @package   CTLT.iPeer
+ * @since     3.4.5
+ * @author    Steven Marshall <[email protected]>
+ * @copyright 2019 All rights reserved.
+ * @license   MIT {@link http://www.opensource.org/licenses/MIT}
+ * @link      https://www.imsglobal.org/spec/security/v1p0/#fig_oidcflow
+ */
+class Lti13Controller extends AppController
+{
+    public $uses = array('Lti13');
+
+    public function __construct()
+    {
+        parent::__construct();
+    }
+
+    public function beforeFilter()
+    {
+        $this->Auth->allow();
+    }
+
+    /**
+     * OIDC login action called by platform.
+     */
+    public function login()
+    {
+        try {
+
+            $login = LTI_OIDC_Login::new($this->Lti13->db);
+            $url = Router::url('/lti13/launch', true);
+            $redirect = $login->do_oidc_login_redirect($url);
+            $redirect->do_redirect();
+
+        } catch (OIDC_Exception $e) {
+
+            $this->Session->setFlash(sprintf("Error doing OIDC login: %s", $e->getMessage()));
+            $this->redirect(array('controller'=>'home', 'action'=>'index'));
+
+        }
+    }
+
+    /**
+     * Launch action called by platform.
+     */
+    public function launch()
+    {
+        try {
+
+            $launch = $this->Lti13->launch();
+            $data = $this->Lti13->getData($launch->get_launch_id());
+            $this->Lti13->resetLogs();
+            $this->log(json_encode($data, 448), 'lti13/launch');
+
+            $this->Session->setFlash(__('LTI 1.3 launch success', true), 'good');
+
+            if (!$this->Auth->isLoggedIn()) {
+                $this->redirect('/');
+            }
+
+            $user = $this->checkUser();
+
+            if ($this->isAdminOrInstructor($user)) {
+                if ($courseId = @$this->Lti13->getCourseId()) {
+                    $this->redirect(array('controller'=>'courses', 'action'=>'home', $courseId));
+                }
+                $this->redirect(array('controller'=>'courses', 'action'=>'index'));
+            }
+
+            $this->redirect(array('controller'=>'home', 'action'=>'index'));
+
+        } catch (LTI_Exception $e) {
+
+            $this->Session->setFlash($e->getMessage());
+            $this->redirect('/logout');
+
+        }
+    }
+
+    /**
+     * Update roster by course ID from platform.
+     *
+     * Called by tool, not platform.
+     * @param string $courseId
+     */
+    public function roster($courseId)
+    {
+        try {
+
+            $this->Lti13->updateRoster($courseId);
+            $this->log($this->Lti13->rosterUpdatesLog, 'lti13/roster');
+
+            $this->Session->setFlash(__('Updated roster from Canvas', true), 'good');
+            $this->redirect($this->referer(array('controller'=>'home', 'action'=>'index')));
+
+        } catch (LTI_Exception $e) {
+
+            $this->Session->setFlash($e->getMessage());
+            $this->redirect($this->referer(array('controller'=>'home', 'action'=>'index')));
+
+        }
+    }
+
+    /**
+     * Check if current user has LTI user ID in dB.
+     *
+     * @return array
+     */
+    private function checkUser()
+    {
+        if (!$user = $this->Lti13->findUserByLtiUserId()) {
+            throw new LTI_Exception("LTI user ID not found.");
+            return;
+        }
+
+        if ($user['User']['id'] != $this->Auth->user('id')) {
+            throw new LTI_Exception("Mismatched user logged in.");
+            return;
+        }
+
+        $this->log($user, 'lti13/user');
+
+        return $user;
+    }
+
+    /**
+     * Check if current user is in ['superadmin', 'admin', 'instructor']
+     *
+     * @param array $user
+     * @return bool
+     */
+    private function isAdminOrInstructor($user)
+    {
+        $roles = array_column($user['Role'], 'name');
+        return (bool)preg_grep('/superadmin|admin|instructor/i', $roles);
+    }
+
+}

app/controllers/lti_controller.php

@@ -2,11 +2,12 @@
 /**
  * LtiController
  *
- * @uses AppController
- * @package   CTLT.iPeer
- * @author    John Hsu <[email protected]>
- * @copyright 2012 All rights reserved.
- * @license   MIT {@link http://www.opensource.org/licenses/MIT}
+ * @deprecated since 3.4.5
+ * @uses       AppController
+ * @package    CTLT.iPeer
+ * @author     John Hsu <[email protected]>
+ * @copyright  2012 All rights reserved.
+ * @license    MIT {@link http://www.opensource.org/licenses/MIT}
  */
 class LtiController extends AppController
 {