MDL-70500 lti: dyn reg can be used to update tools

abgreeve · Apr 20, 2021 · ca80d53 · ca80d53
1 parent d65ed58
commit ca80d53
Show file tree

Hide file tree

Showing 14 changed files with 623 additions and 133 deletions.
diff --git a/mod/lti/OAuth.php b/mod/lti/OAuth.php
@@ -54,18 +54,29 @@
 // You should have received a copy of the GNU General Public License
 // along with Moodle. If not, see <http://www.gnu.org/licenses/>.
 
+/**
+ * This file contains the OAuth 1.0a implementation used for support for LTI 1.1.
+ *
+ * @package    mod_lti
+ * @copyright moodle
+ * @license    http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
+ */
 namespace moodle\mod\lti;//Using a namespace as the basicLTI module imports classes with the same names
 
 defined('MOODLE_INTERNAL') || die;
 
-$oauth_last_computed_signature = false;
+$lastcomputedsignature = false;
 
-/* Generic exception class
+/**
+ * Generic exception class
  */
 class OAuthException extends \Exception {
     // pass
 }
 
+/**
+ * OAuth 1.0 Consumer class
+ */
 class OAuthConsumer {
     public $key;
     public $secret;
@@ -118,17 +129,25 @@ public function check_signature(&$request, $consumer, $token, $signature) {
     }
 }
 
-class OAuthSignatureMethod_HMAC_SHA1 extends OAuthSignatureMethod {
-    function get_name() {
-        return "HMAC-SHA1";
-    }
+
+/**
+ * Base class for the HMac based signature methods.
+ */
+abstract class OAuthSignatureMethod_HMAC extends OAuthSignatureMethod {
+
+    /**
+     * Name of the Algorithm used.
+     *
+     * @return string algorithm name.
+     */
+    abstract public function get_name(): string;
 
     public function build_signature($request, $consumer, $token) {
-        global $oauth_last_computed_signature;
-        $oauth_last_computed_signature = false;
+        global $lastcomputedsignature;
+        $lastcomputedsignature = false;
 
-        $base_string = $request->get_signature_base_string();
-        $request->base_string = $base_string;
+        $basestring = $request->get_signature_base_string();
+        $request->base_string = $basestring;
 
         $key_parts = array(
             $consumer->secret,
@@ -138,15 +157,48 @@ public function build_signature($request, $consumer, $token) {
         $key_parts = OAuthUtil::urlencode_rfc3986($key_parts);
         $key = implode('&', $key_parts);
 
-        $computed_signature = base64_encode(hash_hmac('sha1', $base_string, $key, true));
-        $oauth_last_computed_signature = $computed_signature;
-        return $computed_signature;
+        $computedsignature = base64_encode(hash_hmac(strtolower(substr($this->get_name(), 5)), $basestring, $key, true));
+        $lastcomputedsignature = $computedsignature;
+        return $computedsignature;
     }
 
 }
 
+/**
+ * Implementation for SHA 1.
+ */
+class OAuthSignatureMethod_HMAC_SHA1 extends OAuthSignatureMethod_HMAC {
+    /**
+     * Name of the Algorithm used.
+     *
+     * @return string algorithm name.
+     */
+    public function get_name(): string {
+        return "HMAC-SHA1";
+    }
+}
+
+/**
+ * Implementation for SHA 256.
+ */
+class OAuthSignatureMethod_HMAC_SHA256 extends OAuthSignatureMethod_HMAC {
+    /**
+     * Name of the Algorithm used.
+     *
+     * @return string algorithm name.
+     */
+    public function get_name(): string {
+        return "HMAC-SHA256";
+    }
+}
+
 class OAuthSignatureMethod_PLAINTEXT extends OAuthSignatureMethod {
-    public function get_name() {
+    /**
+     * Name of the Algorithm used.
+     *
+     * @return string algorithm name.
+     */
+    public function get_name(): string {
         return "PLAINTEXT";
     }
 
@@ -170,7 +222,12 @@ public function build_signature($request, $consumer, $token) {
 }
 
 class OAuthSignatureMethod_RSA_SHA1 extends OAuthSignatureMethod {
-    public function get_name() {
+    /**
+     * Name of the Algorithm used.
+     *
+     * @return string algorithm name.
+     */
+    public function get_name(): string {
         return "RSA-SHA1";
     }
 
@@ -539,8 +596,8 @@ public function fetch_access_token(&$request) {
      * verify an api call, checks all the parameters
      */
     public function verify_request(&$request) {
-        global $oauth_last_computed_signature;
-        $oauth_last_computed_signature = false;
+        global $lastcomputedsignature;
+        $lastcomputedsignature = false;
         $this->get_version($request);
         $consumer = $this->get_consumer($request);
         $token = $this->get_token($request, $consumer, "access");
@@ -620,8 +677,8 @@ private function get_token(&$request, $consumer, $token_type = "access") {
      */
     private function check_signature(&$request, $consumer, $token) {
         // this should probably be in a different method
-        global $oauth_last_computed_signature;
-        $oauth_last_computed_signature = false;
+        global $lastcomputedsignature;
+        $lastcomputedsignature = false;
 
         $timestamp = @ $request->get_parameter('oauth_timestamp');
         $nonce = @ $request->get_parameter('oauth_nonce');
@@ -636,8 +693,8 @@ private function check_signature(&$request, $consumer, $token) {
 
         if (!$valid_sig) {
             $ex_text = "Invalid signature";
-            if ($oauth_last_computed_signature) {
-                $ex_text = $ex_text . " ours= $oauth_last_computed_signature yours=$signature";
+            if ($lastcomputedsignature) {
+                $ex_text = $ex_text . " ours= $lastcomputedsignature yours=$signature";
             }
             throw new OAuthException($ex_text);
         }

diff --git a/mod/lti/amd/build/tool_configure_controller.min.js b/mod/lti/amd/build/tool_configure_controller.min.js
diff --git a/mod/lti/amd/build/tool_configure_controller.min.js.map b/mod/lti/amd/build/tool_configure_controller.min.js.map
diff --git a/mod/lti/amd/src/tool_configure_controller.js b/mod/lti/amd/src/tool_configure_controller.js
@@ -26,8 +26,8 @@
  * @since      3.1
  */
 define(['jquery', 'core/ajax', 'core/notification', 'core/templates', 'mod_lti/events', 'mod_lti/keys', 'mod_lti/tool_type',
-        'mod_lti/tool_proxy', 'core/str'],
-        function($, ajax, notification, templates, ltiEvents, KEYS, toolType, toolProxy, str) {
+        'mod_lti/tool_proxy', 'core/str', 'core/config'],
+        function($, ajax, notification, templates, ltiEvents, KEYS, toolType, toolProxy, str, config) {
 
     var SELECTORS = {
         EXTERNAL_REGISTRATION_CONTAINER: '#external-registration-container',
@@ -116,7 +116,7 @@ define(['jquery', 'core/ajax', 'core/notification', 'core/templates', 'mod_lti/e
         $(SELECTORS.EXTERNAL_REGISTRATION_PAGE_CONTAINER).removeClass('hidden');
         var container = $(SELECTORS.EXTERNAL_REGISTRATION_TEMPLATE_CONTAINER);
         container.append($("<iframe src='startltiadvregistration.php?url="
-                         + encodeURIComponent(url) + "'></iframe>"));
+                         + encodeURIComponent(url) + "&sesskey=" + config.sesskey + "'></iframe>"));
         showExternalRegistration();
         window.addEventListener("message", closeLTIAdvRegistration, false);
     };