// Hand out a request token if the consumer key and secret are valid
private void createRequestToken(
HttpServletRequest servletRequest, HttpServletResponse servletResponse)
throws IOException, OAuthException, URISyntaxException {
OAuthMessage requestMessage = OAuthServlet.getMessage(servletRequest, null);
String consumerKey = requestMessage.getConsumerKey();
if (consumerKey == null) {
OAuthProblemException e = new OAuthProblemException(OAuth.Problems.PARAMETER_ABSENT);
e.setParameter(OAuth.Problems.OAUTH_PARAMETERS_ABSENT, OAuth.OAUTH_CONSUMER_KEY);
throw e;
}
OAuthConsumer consumer = dataStore.getConsumer(consumerKey);
if (consumer == null) throw new OAuthProblemException(OAuth.Problems.CONSUMER_KEY_UNKNOWN);
OAuthAccessor accessor = new OAuthAccessor(consumer);
VALIDATOR.validateMessage(requestMessage, accessor);
String callback = null;
if (enableSignedCallbacks) {
callback = requestMessage.getParameter(OAuth.OAUTH_CALLBACK);
}
if (callback == null && !enableOAuth10) {
OAuthProblemException e = new OAuthProblemException(OAuth.Problems.PARAMETER_ABSENT);
e.setParameter(OAuth.Problems.OAUTH_PARAMETERS_ABSENT, OAuth.OAUTH_CALLBACK);
throw e;
}
// generate request_token and secret
OAuthEntry entry =
dataStore.generateRequestToken(
consumerKey, requestMessage.getParameter(OAuth.OAUTH_VERSION), callback);
List<Parameter> responseParams =
OAuth.newList(OAuth.OAUTH_TOKEN, entry.token, OAuth.OAUTH_TOKEN_SECRET, entry.tokenSecret);
if (callback != null) {
responseParams.add(new Parameter(OAuthConstants.OAUTH_CALLBACK_CONFIRMED, "true"));
}
sendResponse(servletResponse, responseParams);
}
private OAuthEntry getValidatedEntry(OAuthMessage requestMessage)
throws IOException, ServletException, OAuthException, URISyntaxException {
OAuthEntry entry = dataStore.getEntry(requestMessage.getToken());
if (entry == null) throw new OAuthProblemException(OAuth.Problems.TOKEN_REJECTED);
if (entry.type != OAuthEntry.Type.REQUEST)
throw new OAuthProblemException(OAuth.Problems.TOKEN_USED);
if (entry.isExpired()) throw new OAuthProblemException(OAuth.Problems.TOKEN_EXPIRED);
// find consumer key, compare with supplied value, if present.
if (requestMessage.getConsumerKey() == null) {
OAuthProblemException e = new OAuthProblemException(OAuth.Problems.PARAMETER_ABSENT);
e.setParameter(OAuth.Problems.OAUTH_PARAMETERS_ABSENT, OAuth.OAUTH_CONSUMER_KEY);
throw e;
}
String consumerKey = entry.consumerKey;
if (!consumerKey.equals(requestMessage.getConsumerKey()))
throw new OAuthProblemException(OAuth.Problems.CONSUMER_KEY_REFUSED);
OAuthConsumer consumer = dataStore.getConsumer(consumerKey);
if (consumer == null) throw new OAuthProblemException(OAuth.Problems.CONSUMER_KEY_UNKNOWN);
OAuthAccessor accessor = new OAuthAccessor(consumer);
accessor.requestToken = entry.token;
accessor.tokenSecret = entry.tokenSecret;
VALIDATOR.validateMessage(requestMessage, accessor);
return entry;
}
/**
* Check that the message is valid.
*
* @throws IOException
* @throws URISyntaxException
* @throws OAuthProblemException the message is invalid
*/
public void validateMessage(OAuthAccessor accessor, OAuthValidator validator)
throws OAuthException, IOException, URISyntaxException {
validator.validateMessage(this, accessor);
}
protected void validate(Map payload, boolean isTrustedConsumer) throws LTIException {
// check parameters
String lti_message_type = (String) payload.get(BasicLTIConstants.LTI_MESSAGE_TYPE);
String lti_version = (String) payload.get(BasicLTIConstants.LTI_VERSION);
String oauth_consumer_key = (String) payload.get("oauth_consumer_key");
String resource_link_id = (String) payload.get(BasicLTIConstants.RESOURCE_LINK_ID);
String user_id = (String) payload.get(BasicLTIConstants.USER_ID);
String context_id = (String) payload.get(BasicLTIConstants.CONTEXT_ID);
boolean launch = true;
if (BasicLTIUtil.equals(lti_message_type, "basic-lti-launch-request")) {
launch = true;
} else if (BasicLTIUtil.equals(lti_message_type, "ContentItemSelectionRequest")) {
launch = false;
} else {
throw new LTIException("launch.invalid", "lti_message_type=" + lti_message_type, null);
}
if (!BasicLTIUtil.equals(lti_version, "LTI-1p0")) {
throw new LTIException("launch.invalid", "lti_version=" + lti_version, null);
}
if (BasicLTIUtil.isBlank(oauth_consumer_key)) {
throw new LTIException("launch.missing", "oauth_consumer_key", null);
}
if (launch && BasicLTIUtil.isBlank(resource_link_id)) {
throw new LTIException("launch.missing", "resource_link_id", null);
}
if (BasicLTIUtil.isBlank(user_id)) {
throw new LTIException("launch.missing", "user_id", null);
}
if (M_log.isDebugEnabled()) {
M_log.debug("user_id=" + user_id);
}
// check tool_id
String tool_id = (String) payload.get("tool_id");
if (tool_id == null) {
throw new LTIException("launch.tool_id.required", null, null);
}
// Trim off the leading slash and any trailing space
tool_id = tool_id.substring(1).trim();
if (M_log.isDebugEnabled()) {
M_log.debug("tool_id=" + tool_id);
}
// store modified tool_id back in payload
payload.put("tool_id", tool_id);
final String allowedToolsConfig =
ServerConfigurationService.getString("basiclti.provider.allowedtools", "");
final String[] allowedTools = allowedToolsConfig.split(":");
final List<String> allowedToolsList = Arrays.asList(allowedTools);
if (launch && allowedTools != null && !allowedToolsList.contains(tool_id)) {
throw new LTIException("launch.tool.notallowed", tool_id, null);
}
final Tool toolCheck = ToolManager.getTool(tool_id);
if (launch && toolCheck == null) {
throw new LTIException("launch.tool.notfound", tool_id, null);
}
// Check for the ext_sakai_provider_eid param. If set, this will contain the eid that we are to
// use
// in place of using the user_id parameter
// WE still need that parameter though, so translate it from the given eid.
boolean useProvidedEid = false;
String ext_sakai_provider_eid = (String) payload.get(BasicLTIConstants.EXT_SAKAI_PROVIDER_EID);
if (BasicLTIUtil.isNotBlank(ext_sakai_provider_eid)) {
useProvidedEid = true;
try {
user_id = UserDirectoryService.getUserId(ext_sakai_provider_eid);
} catch (Exception e) {
M_log.error(e.getLocalizedMessage(), e);
throw new LTIException(
"launch.provided.eid.invalid", "ext_sakai_provider_eid=" + ext_sakai_provider_eid, e);
}
}
if (M_log.isDebugEnabled()) {
M_log.debug("ext_sakai_provider_eid=" + ext_sakai_provider_eid);
}
// Contextualize the context_id with the OAuth consumer key
// Also use the resource_link_id for the context_id if we did not get a context_id
// BLTI-31: if trusted, context_id is required and use the param without modification
if (BasicLTIUtil.isBlank(context_id)) {
if (isTrustedConsumer) {
throw new LTIException("launch.missing", context_id, null);
} else {
context_id = "res:" + resource_link_id;
payload.put(BasicLTIConstants.CONTEXT_ID, context_id);
}
}
// Check if context_id is simply a ~. If so, get the id of that user's My Workspace site
// and use that to construct the full context_id
if (BasicLTIUtil.equals(context_id, "~")) {
if (useProvidedEid) {
String userSiteId = null;
try {
userSiteId = SiteService.getUserSiteId(user_id);
} catch (Exception e) {
M_log.warn("Failed to get My Workspace site for user_id:" + user_id);
M_log.error(e.getLocalizedMessage(), e);
throw new LTIException("launch.user.site.unknown", "user_id=" + user_id, e);
}
context_id = userSiteId;
payload.put(BasicLTIConstants.CONTEXT_ID, context_id);
}
}
if (M_log.isDebugEnabled()) {
M_log.debug("context_id=" + context_id);
}
// Lookup the secret
final String configPrefix = "basiclti.provider." + oauth_consumer_key + ".";
final String oauth_secret = ServerConfigurationService.getString(configPrefix + "secret", null);
if (oauth_secret == null) {
throw new LTIException("launch.key.notfound", oauth_consumer_key, null);
}
final OAuthMessage oam = (OAuthMessage) payload.get("oauth_message");
final String forcedURIScheme =
ServerConfigurationService.getString("basiclti.provider.forcedurischeme", null);
if (forcedURIScheme != null) {
try {
URI testURI = new URI(oam.URL);
URI newURI = new URI(forcedURIScheme, testURI.getSchemeSpecificPart(), null);
oam.URL = newURI.toString();
} catch (URISyntaxException use) {
}
}
final OAuthValidator oav = new SimpleOAuthValidator();
final OAuthConsumer cons =
new OAuthConsumer(
"about:blank#OAuth+CallBack+NotUsed", oauth_consumer_key, oauth_secret, null);
final OAuthAccessor acc = new OAuthAccessor(cons);
String base_string = null;
try {
base_string = OAuthSignatureMethod.getBaseString(oam);
} catch (Exception e) {
M_log.error(e.getLocalizedMessage(), e);
base_string = null;
}
try {
oav.validateMessage(oam, acc);
} catch (Exception e) {
M_log.warn("Provider failed to validate message");
M_log.warn(e.getLocalizedMessage(), e);
if (base_string != null) {
M_log.warn(base_string);
}
throw new LTIException("launch.no.validate", context_id, e);
}
final Session sess = SessionManager.getCurrentSession();
if (sess == null) {
throw new LTIException("launch.no.session", context_id, null);
}
}