protected Map getPayloadAsMap(HttpServletRequest request) {
Map payload = new HashMap();
for (Enumeration e = request.getParameterNames(); e.hasMoreElements(); ) {
String key = (String) e.nextElement();
payload.put(key, request.getParameter(key));
}
String requestURL = SakaiBLTIUtil.getOurServletPath(request);
payload.put("oauth_message", OAuthServlet.getMessage(request, requestURL));
payload.put("tool_id", request.getPathInfo());
return payload;
}
private void handleCanvasConfig(HttpServletRequest request, HttpServletResponse response)
throws IOException {
String title =
ServerConfigurationService.getString(
"canvas.config.title", rb.getString("canvas.config.title"));
String description =
ServerConfigurationService.getString(
"canvas.config.description", rb.getString("canvas.config.description"));
String launch =
ServerConfigurationService.getString(
"canvas.config.launch", SakaiLTIProviderUtil.getProviderLaunchUrl("content.item"));
String icon =
ServerConfigurationService.getString(
"canvas.config.domain",
"https://www.apereo.org/sites/all/themes/apereo/images/apereo-logo-white-bg.png");
request.setAttribute("title", title);
request.setAttribute("description", description);
request.setAttribute("launch", launch);
request.setAttribute("icon", icon);
try {
String serverUrl = SakaiBLTIUtil.getOurServerUrl();
URL netUrl = new URL(serverUrl);
String host = netUrl.getHost();
String domain = ServerConfigurationService.getString("canvas.config.domain", host);
request.setAttribute("domain", domain);
} catch (MalformedURLException e) {
doError(request, response, "canvas.error.missing.domain", e.getMessage(), e.getCause());
}
// Forward to the JSP
ServletContext sc = this.getServletContext();
RequestDispatcher rd = sc.getRequestDispatcher("/canvas-config.jsp");
try {
rd.forward(request, response);
} catch (Exception e) {
e.printStackTrace();
}
}
protected void processOutcomeXml(
HttpServletRequest request,
HttpServletResponse response,
String lti_message_type,
String sourcedid,
IMSPOXRequest pox)
throws java.io.IOException {
// Things look good - time to process the grade
boolean isRead = BasicLTIUtil.equals(lti_message_type, "readResultRequest");
boolean isDelete = BasicLTIUtil.equals(lti_message_type, "deleteResultRequest");
Map<String, String> bodyMap = pox.getBodyMap();
String result_resultscore_textstring =
bodyMap.get("/resultRecord/result/resultScore/textString");
String result_resultdata_text = bodyMap.get("/resultRecord/result/resultData/text");
String sourced_id = bodyMap.get("/resultRecord/result/sourcedId");
// System.out.println("comment="+result_resultdata_text);
// System.out.println("grade="+result_resultscore_textstring);
if (BasicLTIUtil.isBlank(result_resultscore_textstring) && !isRead && !isDelete) {
doErrorXML(request, response, pox, "outcomes.missing", "result_resultscore_textstring", null);
return;
}
// Lets return an XML Response
Map<String, Object> theMap = new TreeMap<String, Object>();
String theGrade = null;
boolean success = false;
String message = null;
Object retval = null;
boolean strict = ServerConfigurationService.getBoolean(SakaiBLTIUtil.LTI_STRICT, false);
try {
Double dGrade;
if (isRead) {
retval = SakaiBLTIUtil.getGrade(sourcedid, request, ltiService);
String sGrade = "";
String comment = "";
if (retval instanceof Map) {
Map grade = (Map) retval;
comment = (String) grade.get("comment");
dGrade = (Double) grade.get("grade");
if (dGrade != null) {
sGrade = dGrade.toString();
}
} else {
Object check = SakaiBLTIUtil.checkSourceDid(sourcedid, request, ltiService);
if (check instanceof Boolean && ((Boolean) check)) {
// Read fail with Good SourceDID is treated as empty
} else {
doErrorXML(request, response, pox, "outcomes.fail", (String) retval, null);
return;
}
}
theMap.put("/readResultResponse/result/sourcedId", sourced_id);
theMap.put("/readResultResponse/result/resultScore/textString", sGrade);
theMap.put("/readResultResponse/result/resultScore/language", "en");
if (!strict) {
theMap.put("/readResultResponse/result/resultData/text", comment);
}
message = "Result read";
} else if (isDelete) {
retval = SakaiBLTIUtil.deleteGrade(sourcedid, request, ltiService);
if (retval instanceof String) {
doErrorXML(request, response, pox, "outcomes.fail", (String) retval, null);
return;
}
theMap.put("/deleteResultResponse", "");
message = "Result deleted";
} else {
dGrade = new Double(result_resultscore_textstring);
if (dGrade < 0.0 || dGrade > 1.0) {
throw new Exception("Grade out of range");
}
dGrade = new Double(result_resultscore_textstring);
retval =
SakaiBLTIUtil.setGrade(sourcedid, request, ltiService, dGrade, result_resultdata_text);
if (retval instanceof String) {
doErrorXML(request, response, pox, "outcomes.fail", (String) retval, null);
return;
}
theMap.put("/replaceResultResponse", "");
message = "Result replaced";
}
success = true;
} catch (Exception e) {
doErrorXML(request, response, pox, "outcome.grade.fail", e.getMessage(), e);
}
if (!success) return;
String output = null;
String theXml = "";
if (theMap.size() > 0) theXml = XMLMap.getXMLFragment(theMap, true);
output = pox.getResponseSuccess(message, theXml);
response.setContentType("application/xml");
PrintWriter out = response.getWriter();
out.println(output);
M_log.debug(output);
}
@SuppressWarnings("unchecked")
protected void doPostXml(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
String ipAddress = request.getRemoteAddr();
M_log.debug("LTI POX Service request from IP=" + ipAddress);
String allowOutcomes =
ServerConfigurationService.getString(
SakaiBLTIUtil.BASICLTI_OUTCOMES_ENABLED,
SakaiBLTIUtil.BASICLTI_OUTCOMES_ENABLED_DEFAULT);
if (!"true".equals(allowOutcomes)) allowOutcomes = null;
if (allowOutcomes == null) {
M_log.warn("LTI Services are disabled IP=" + ipAddress);
response.setStatus(HttpServletResponse.SC_FORBIDDEN);
return;
}
IMSPOXRequest pox = new IMSPOXRequest(request);
if (!pox.valid) {
doErrorXML(request, response, pox, "pox.invalid", pox.errorMessage, null);
return;
}
// check lti_message_type
String lti_message_type = pox.getOperation();
String sourcedid = null;
String message_type = null;
if (M_log.isDebugEnabled()) M_log.debug("POST\n" + XMLMap.prettyPrint(pox.postBody));
Map<String, String> bodyMap = pox.getBodyMap();
if (("replaceResultRequest".equals(lti_message_type)
|| "readResultRequest".equals(lti_message_type)
|| "deleteResultRequest".equals(lti_message_type))
&& allowOutcomes != null) {
sourcedid = bodyMap.get("/resultRecord/sourcedGUID/sourcedId");
message_type = "basicoutcome";
} else {
String output = pox.getResponseUnsupported("Not supported " + lti_message_type);
response.setContentType("application/xml");
PrintWriter out = response.getWriter();
out.println(output);
return;
}
// No point continuing without a sourcedid
if (BasicLTIUtil.isBlank(sourcedid)) {
doErrorXML(request, response, pox, "outcomes.missing", "sourcedid", null);
return;
}
// Handle the outcomes here using the new SakaiBLTIUtil code
if (allowOutcomes != null && "basicoutcome".equals(message_type)) {
processOutcomeXml(request, response, lti_message_type, sourcedid, pox);
return;
}
// Truncate this to the maximum length to insure no cruft at the end
if (sourcedid.length() > 2048) sourcedid = sourcedid.substring(0, 2048);
// Attempt to parse the sourcedid, any failure is fatal
String placement_id = null;
String signature = null;
String user_id = null;
try {
int pos = sourcedid.indexOf(":::");
if (pos > 0) {
signature = sourcedid.substring(0, pos);
String dec2 = sourcedid.substring(pos + 3);
pos = dec2.indexOf(":::");
user_id = dec2.substring(0, pos);
placement_id = dec2.substring(pos + 3);
}
} catch (Exception e) {
// Log some detail for ourselves
M_log.warn(
"Unable to decrypt result_sourcedid IP=" + ipAddress + " Error=" + e.getMessage(), e);
signature = null;
placement_id = null;
user_id = null;
}
// Send a more generic message back to the caller
if (placement_id == null || user_id == null) {
doErrorXML(
request, response, pox, "outcomes.sourcedid", "missing user_id or placement_id", null);
return;
}
M_log.debug("signature=" + signature);
M_log.debug("user_id=" + user_id);
M_log.debug("placement_id=" + placement_id);
Properties pitch = SakaiBLTIUtil.getPropertiesFromPlacement(placement_id, ltiService);
if (pitch == null) {
M_log.debug("Error retrieving result_sourcedid information");
doErrorXML(request, response, pox, "outcomes.sourcedid", "sourcedid", null);
return;
}
String siteId = pitch.getProperty(LTIService.LTI_SITE_ID);
Site site = null;
try {
site = SiteService.getSite(siteId);
} catch (Exception e) {
M_log.debug("Error retrieving result_sourcedid site: " + e.getLocalizedMessage(), e);
}
// Send a more generic message back to the caller
if (site == null) {
doErrorXML(request, response, pox, "outcomes.sourcedid", "sourcedid", null);
return;
}
// Check the message signature using OAuth
String oauth_consumer_key = pox.getOAuthConsumerKey();
String oauth_secret = pitch.getProperty(LTIService.LTI_SECRET);
M_log.debug("oauth_secret: " + oauth_secret);
oauth_secret = SakaiBLTIUtil.decryptSecret(oauth_secret);
M_log.debug("oauth_secret (decrypted): " + oauth_secret);
String URL = SakaiBLTIUtil.getOurServletPath(request);
pox.validateRequest(oauth_consumer_key, oauth_secret, request, URL);
if (!pox.valid) {
if (pox.base_string != null) {
M_log.warn(pox.base_string);
}
doErrorXML(request, response, pox, "outcome.no.validate", oauth_consumer_key, null);
return;
}
// Check the signature of the sourcedid to make sure it was not altered
String placement_secret = pitch.getProperty(LTIService.LTI_PLACEMENTSECRET);
// Send a generic message back to the caller
if (placement_secret == null) {
M_log.debug("placement_secret is null");
doErrorXML(request, response, pox, "outcomes.sourcedid", "sourcedid", null);
return;
}
String pre_hash = placement_secret + ":::" + user_id + ":::" + placement_id;
String received_signature = LegacyShaUtil.sha256Hash(pre_hash);
M_log.debug("Received signature=" + signature + " received=" + received_signature);
boolean matched = signature.equals(received_signature);
String old_placement_secret = pitch.getProperty(LTIService.LTI_OLDPLACEMENTSECRET);
if (old_placement_secret != null && !matched) {
pre_hash = placement_secret + ":::" + user_id + ":::" + placement_id;
received_signature = LegacyShaUtil.sha256Hash(pre_hash);
M_log.debug("Received signature II=" + signature + " received=" + received_signature);
matched = signature.equals(received_signature);
}
// Send a message back to the caller
if (!matched) {
doErrorXML(request, response, pox, "outcomes.sourcedid", "sourcedid", null);
return;
}
response.setContentType("application/xml");
PrintWriter writer = response.getWriter();
String desc = "Message received and validated operation=" + pox.getOperation();
String output = pox.getResponseUnsupported(desc);
writer.println(output);
}
protected void processRoster(
HttpServletRequest request,
HttpServletResponse response,
String lti_message_type,
Site site,
String siteId,
String placement_id,
Properties pitch,
String user_id,
Map<String, Object> theMap)
throws java.io.IOException {
// Check for permission in placement
String allowRoster = pitch.getProperty(LTIService.LTI_ALLOWROSTER);
if (!"on".equals(allowRoster)) {
doError(
request,
response,
theMap,
"outcomes.invalid",
"lti_message_type=" + lti_message_type,
null);
return;
}
String roleMapProp = pitch.getProperty("rolemap");
String releaseName = pitch.getProperty(LTIService.LTI_SENDNAME);
String releaseEmail = pitch.getProperty(LTIService.LTI_SENDEMAILADDR);
String assignment = pitch.getProperty("assignment");
String allowOutcomes =
ServerConfigurationService.getString(
SakaiBLTIUtil.BASICLTI_OUTCOMES_ENABLED,
SakaiBLTIUtil.BASICLTI_OUTCOMES_ENABLED_DEFAULT);
if (!"true".equals(allowOutcomes)) allowOutcomes = null;
String maintainRole = site.getMaintainRole();
SakaiBLTIUtil.pushAdvisor();
boolean success = false;
try {
List<Map<String, Object>> lm = new ArrayList<Map<String, Object>>();
Set<Member> members = site.getMembers();
Map<String, String> roleMap = SakaiBLTIUtil.convertRoleMapPropToMap(roleMapProp);
for (Member member : members) {
Map<String, Object> mm = new TreeMap<String, Object>();
Role role = member.getRole();
String ims_user_id = member.getUserId();
mm.put("/user_id", ims_user_id);
String ims_role = "Learner";
// If there is a role mapping, it has precedence over site.update
if (roleMap.containsKey(role.getId())) {
ims_role = roleMap.get(role.getId());
} else if (ComponentManager.get(AuthzGroupService.class)
.isAllowed(ims_user_id, SiteService.SECURE_UPDATE_SITE, "/site/" + siteId)) {
ims_role = "Instructor";
}
// Using "/role" is inconsistent with to
// http://developers.imsglobal.org/ext_membership.html. It
// should be roles. If we can determine that nobody is using
// the role tag, we should remove it.
mm.put("/role", ims_role);
mm.put("/roles", ims_role);
User user = null;
if ("true".equals(allowOutcomes) && assignment != null) {
user = UserDirectoryService.getUser(ims_user_id);
String placement_secret = pitch.getProperty(LTIService.LTI_PLACEMENTSECRET);
String result_sourcedid =
SakaiBLTIUtil.getSourceDID(user, placement_id, placement_secret);
if (result_sourcedid != null) mm.put("/lis_result_sourcedid", result_sourcedid);
}
if ("on".equals(releaseName) || "on".equals(releaseEmail)) {
if (user == null) user = UserDirectoryService.getUser(ims_user_id);
if ("on".equals(releaseName)) {
mm.put("/person_name_given", user.getFirstName());
mm.put("/person_name_family", user.getLastName());
mm.put("/person_name_full", user.getDisplayName());
}
if ("on".equals(releaseEmail)) {
mm.put("/person_contact_email_primary", user.getEmail());
mm.put("/person_sourcedid", user.getEid());
}
}
Collection groups = site.getGroupsWithMember(ims_user_id);
if (groups.size() > 0) {
List<Map<String, Object>> lgm = new ArrayList<Map<String, Object>>();
for (Iterator i = groups.iterator(); i.hasNext(); ) {
Group group = (Group) i.next();
Map<String, Object> groupMap = new HashMap<String, Object>();
groupMap.put("/id", group.getId());
groupMap.put("/title", group.getTitle());
groupMap.put("/set", new HashMap(groupMap));
lgm.add(groupMap);
}
mm.put("/groups/group", lgm);
}
lm.add(mm);
}
theMap.put("/message_response/members/member", lm);
success = true;
} catch (Exception e) {
doError(request, response, theMap, "memberships.fail", "", e);
} finally {
SakaiBLTIUtil.popAdvisor();
}
if (!success) return;
theMap.put("/message_response/statusinfo/codemajor", "Success");
theMap.put("/message_response/statusinfo/severity", "Status");
theMap.put("/message_response/statusinfo/codeminor", "fullsuccess");
String theXml = XMLMap.getXML(theMap, true);
PrintWriter out = response.getWriter();
out.println(theXml);
M_log.debug(theXml);
}
protected void processOutcome(
HttpServletRequest request,
HttpServletResponse response,
String lti_message_type,
String sourcedid,
Map<String, Object> theMap)
throws java.io.IOException {
// Things look good - time to process the grade
boolean isRead = BasicLTIUtil.equals(lti_message_type, "basic-lis-readresult");
boolean isDelete = BasicLTIUtil.equals(lti_message_type, "basic-lis-deleteresult");
String result_resultscore_textstring = request.getParameter("result_resultscore_textstring");
String result_resultdata_text = request.getParameter("result_resultdata_text");
if (BasicLTIUtil.isBlank(result_resultscore_textstring) && !isRead) {
doError(request, response, theMap, "outcomes.missing", "result_resultscore_textstring", null);
return;
}
String theGrade = null;
boolean success = false;
Object retval = null;
try {
Double dGrade;
if (isRead) {
retval = SakaiBLTIUtil.getGrade(sourcedid, request, ltiService);
if (retval instanceof Map) {
Map grade = (Map) retval;
dGrade = (Double) grade.get("grade");
theMap.put("/message_response/result/resultscore/textstring", dGrade.toString());
theMap.put("/message_response/result/resultdata/text", (String) grade.get("comment"));
} else {
// Read fail with Good SourceDID is treated as empty
Object check = SakaiBLTIUtil.checkSourceDid(sourcedid, request, ltiService);
if (check instanceof Boolean && ((Boolean) check)) {
theMap.put("/message_response/result/resultscore/textstring", "");
theMap.put("/message_response/result/resultdata/text", "");
} else {
doError(request, response, theMap, "outcome.fail", (String) retval, null);
return;
}
}
} else if (isDelete) {
retval = SakaiBLTIUtil.deleteGrade(sourcedid, request, ltiService);
} else {
dGrade = new Double(result_resultscore_textstring);
retval =
SakaiBLTIUtil.setGrade(sourcedid, request, ltiService, dGrade, result_resultdata_text);
}
success = true;
theMap.put("/message_response/statusinfo/codemajor", "Success");
theMap.put("/message_response/statusinfo/severity", "Status");
theMap.put("/message_response/statusinfo/codeminor", "fullsuccess");
} catch (Exception e) {
doError(request, response, theMap, "outcome.grade.fail", "", e);
}
if (!success) return;
String theXml = XMLMap.getXML(theMap, true);
PrintWriter out = response.getWriter();
out.println(theXml);
}
protected void processSetting(
HttpServletRequest request,
HttpServletResponse response,
String lti_message_type,
Site site,
String siteId,
String placement_id,
Properties pitch,
String user_id,
Map<String, Object> theMap)
throws java.io.IOException {
String setting = null;
// Check for permission in placement
String allowSetting = pitch.getProperty(LTIService.LTI_ALLOWSETTINGS);
if (!"on".equals(allowSetting)) {
doError(
request,
response,
theMap,
"outcomes.invalid",
"lti_message_type=" + lti_message_type,
null);
return;
}
SakaiBLTIUtil.pushAdvisor();
boolean success = false;
try {
if ("basic-lti-loadsetting".equals(lti_message_type)) {
setting = pitch.getProperty(LTIService.LTI_SETTINGS_EXT);
// Remove this after the DB conversion for SAK-25621 is completed
// It is harmless until LTI 2.0 starts to get heavy use.
if (setting == null) {
setting = pitch.getProperty(LTIService.LTI_SETTINGS);
}
if (setting != null) {
theMap.put("/message_response/setting/value", setting);
}
success = true;
} else {
if (SakaiBLTIUtil.isPlacement(placement_id)) {
ToolConfiguration placement = SiteService.findTool(placement_id);
if ("basic-lti-savesetting".equals(lti_message_type)) {
setting = request.getParameter("setting");
if (setting == null) {
M_log.warn("No setting parameter");
doError(request, response, theMap, "setting.empty", "", null);
} else {
if (setting.length() > 8096) setting = setting.substring(0, 8096);
placement.getPlacementConfig().setProperty("toolsetting", setting);
}
} else if ("basic-lti-deletesetting".equals(lti_message_type)) {
placement.getPlacementConfig().remove("toolsetting");
}
try {
placement.save();
success = true;
} catch (Exception e) {
doError(request, response, theMap, "setting.save.fail", "", e);
}
} else {
Map<String, Object> content = null;
String contentStr = pitch.getProperty("contentKey");
Long contentKey = foorm.getLongKey(contentStr);
if (contentKey >= 0) content = ltiService.getContentDao(contentKey, siteId);
if (content != null) {
if ("basic-lti-savesetting".equals(lti_message_type)) {
setting = request.getParameter("setting");
if (setting == null) {
M_log.warn("No setting parameter");
doError(request, response, theMap, "setting.empty", "", null);
} else {
if (setting.length() > 8096) setting = setting.substring(0, 8096);
content.put(LTIService.LTI_SETTINGS_EXT, setting);
success = true;
}
} else if ("basic-lti-deletesetting".equals(lti_message_type)) {
content.put(LTIService.LTI_SETTINGS_EXT, null);
success = true;
}
if (success) {
Object result = ltiService.updateContentDao(contentKey, content, siteId);
if (result instanceof String) {
M_log.warn("Setting update failed: " + result);
doError(request, response, theMap, "setting.fail", "", null);
success = false;
}
}
}
}
}
} catch (Exception e) {
doError(request, response, theMap, "setting.fail", "", e);
} finally {
SakaiBLTIUtil.popAdvisor();
}
if (!success) return;
theMap.put("/message_response/statusinfo/codemajor", "Success");
theMap.put("/message_response/statusinfo/severity", "Status");
theMap.put("/message_response/statusinfo/codeminor", "fullsuccess");
String theXml = XMLMap.getXML(theMap, true);
PrintWriter out = response.getWriter();
out.println(theXml);
}
@SuppressWarnings("unchecked")
protected void doPostForm(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
String ipAddress = request.getRemoteAddr();
M_log.debug("Basic LTI Service request from IP=" + ipAddress);
String allowOutcomes =
ServerConfigurationService.getString(
SakaiBLTIUtil.BASICLTI_OUTCOMES_ENABLED,
SakaiBLTIUtil.BASICLTI_OUTCOMES_ENABLED_DEFAULT);
if (!"true".equals(allowOutcomes)) allowOutcomes = null;
String allowSettings =
ServerConfigurationService.getString(
SakaiBLTIUtil.BASICLTI_SETTINGS_ENABLED,
SakaiBLTIUtil.BASICLTI_SETTINGS_ENABLED_DEFAULT);
if (!"true".equals(allowSettings)) allowSettings = null;
String allowRoster =
ServerConfigurationService.getString(
SakaiBLTIUtil.BASICLTI_ROSTER_ENABLED, SakaiBLTIUtil.BASICLTI_ROSTER_ENABLED_DEFAULT);
if (!"true".equals(allowRoster)) allowRoster = null;
if (allowOutcomes == null && allowSettings == null && allowRoster == null) {
M_log.warn("LTI Services are disabled IP=" + ipAddress);
response.setStatus(HttpServletResponse.SC_FORBIDDEN);
return;
}
// Lets return an XML Response
Map<String, Object> theMap = new TreeMap<String, Object>();
Map<String, String[]> params = (Map<String, String[]>) request.getParameterMap();
for (Map.Entry<String, String[]> param : params.entrySet()) {
M_log.debug(param.getKey() + ":" + param.getValue()[0]);
}
// check lti_message_type
String lti_message_type = request.getParameter(BasicLTIConstants.LTI_MESSAGE_TYPE);
theMap.put("/message_response/lti_message_type", lti_message_type);
String sourcedid = null;
String message_type = null;
if (BasicLTIUtil.equals(lti_message_type, "basic-lis-replaceresult")
|| BasicLTIUtil.equals(lti_message_type, "basic-lis-createresult")
|| BasicLTIUtil.equals(lti_message_type, "basic-lis-updateresult")
|| BasicLTIUtil.equals(lti_message_type, "basic-lis-deleteresult")
|| BasicLTIUtil.equals(lti_message_type, "basic-lis-readresult")) {
sourcedid = request.getParameter("sourcedid");
if (allowOutcomes != null) message_type = "basicoutcome";
} else if (BasicLTIUtil.equals(lti_message_type, "basic-lti-loadsetting")
|| BasicLTIUtil.equals(lti_message_type, "basic-lti-savesetting")
|| BasicLTIUtil.equals(lti_message_type, "basic-lti-deletesetting")) {
sourcedid = request.getParameter("id");
if (allowSettings != null) message_type = "toolsetting";
} else if (BasicLTIUtil.equals(lti_message_type, "basic-lis-readmembershipsforcontext")) {
sourcedid = request.getParameter("id");
if (allowRoster != null) message_type = "roster";
} else {
doError(
request,
response,
theMap,
"outcomes.invalid",
"lti_message_type=" + lti_message_type,
null);
return;
}
// If we have not gotten one of our allowed message types, stop now
if (message_type == null) {
doError(
request,
response,
theMap,
"outcomes.invalid",
"lti_message_type=" + lti_message_type,
null);
return;
}
// Perform the Outcomee first because we use the SakaiBLTIUtil code for this
if ("basicoutcome".equals(message_type)) {
processOutcome(request, response, lti_message_type, sourcedid, theMap);
return;
}
// No point continuing without a sourcedid
if (BasicLTIUtil.isBlank(sourcedid)) {
doError(request, response, theMap, "outcomes.missing", "sourcedid", null);
return;
}
String lti_version = request.getParameter(BasicLTIConstants.LTI_VERSION);
if (!BasicLTIUtil.equals(lti_version, "LTI-1p0")) {
doError(request, response, theMap, "outcomes.invalid", "lti_version=" + lti_version, null);
return;
}
String oauth_consumer_key = request.getParameter("oauth_consumer_key");
if (BasicLTIUtil.isBlank(oauth_consumer_key)) {
doError(request, response, theMap, "outcomes.missing", "oauth_consumer_key", null);
return;
}
// Truncate this to the maximum length to insure no cruft at the end
if (sourcedid.length() > 2048) sourcedid = sourcedid.substring(0, 2048);
// Attempt to parse the sourcedid, any failure is fatal
String placement_id = null;
String signature = null;
String user_id = null;
try {
int pos = sourcedid.indexOf(":::");
if (pos > 0) {
signature = sourcedid.substring(0, pos);
String dec2 = sourcedid.substring(pos + 3);
pos = dec2.indexOf(":::");
user_id = dec2.substring(0, pos);
placement_id = dec2.substring(pos + 3);
}
} catch (Exception e) {
// Log some detail for ourselves
M_log.warn(
"Unable to decrypt result_sourcedid IP=" + ipAddress + " Error=" + e.getMessage(), e);
signature = null;
placement_id = null;
user_id = null;
}
// Send a more generic message back to the caller
if (placement_id == null || user_id == null) {
doError(request, response, theMap, "outcomes.sourcedid", "sourcedid", null);
return;
}
M_log.debug("signature=" + signature);
M_log.debug("user_id=" + user_id);
M_log.debug("placement_id=" + placement_id);
Properties pitch = SakaiBLTIUtil.getPropertiesFromPlacement(placement_id, ltiService);
if (pitch == null) {
M_log.debug("Error retrieving result_sourcedid information");
doError(request, response, theMap, "outcomes.sourcedid", "sourcedid", null);
return;
}
String siteId = pitch.getProperty(LTIService.LTI_SITE_ID);
Site site = null;
try {
site = SiteService.getSite(siteId);
} catch (Exception e) {
M_log.debug("Error retrieving result_sourcedid site: " + e.getLocalizedMessage(), e);
}
// Send a more generic message back to the caller
if (site == null) {
doError(request, response, theMap, "outcomes.sourcedid", "sourcedid", null);
return;
}
// Check the message signature using OAuth
String oauth_secret = pitch.getProperty(LTIService.LTI_SECRET);
M_log.debug("oauth_secret: " + oauth_secret);
oauth_secret = SakaiBLTIUtil.decryptSecret(oauth_secret);
M_log.debug("oauth_secret (decrypted): " + oauth_secret);
String URL = SakaiBLTIUtil.getOurServletPath(request);
OAuthMessage oam = OAuthServlet.getMessage(request, URL);
OAuthValidator oav = new SimpleOAuthValidator();
OAuthConsumer cons =
new OAuthConsumer(
"about:blank#OAuth+CallBack+NotUsed", oauth_consumer_key, oauth_secret, null);
OAuthAccessor acc = new OAuthAccessor(cons);
String base_string = null;
try {
base_string = OAuthSignatureMethod.getBaseString(oam);
} catch (Exception e) {
M_log.error(e.getLocalizedMessage(), e);
base_string = null;
}
try {
oav.validateMessage(oam, acc);
} catch (Exception e) {
M_log.warn("Provider failed to validate message");
M_log.warn(e.getLocalizedMessage(), e);
if (base_string != null) {
M_log.warn(base_string);
}
doError(request, response, theMap, "outcome.no.validate", oauth_consumer_key, null);
return;
}
// Check the signature of the sourcedid to make sure it was not altered
String placement_secret = pitch.getProperty(LTIService.LTI_PLACEMENTSECRET);
// Send a generic message back to the caller
if (placement_secret == null) {
doError(request, response, theMap, "outcomes.sourcedid", "sourcedid", null);
return;
}
String pre_hash = placement_secret + ":::" + user_id + ":::" + placement_id;
String received_signature = LegacyShaUtil.sha256Hash(pre_hash);
M_log.debug("Received signature=" + signature + " received=" + received_signature);
boolean matched = signature.equals(received_signature);
String old_placement_secret = pitch.getProperty(LTIService.LTI_OLDPLACEMENTSECRET);
if (old_placement_secret != null && !matched) {
pre_hash = placement_secret + ":::" + user_id + ":::" + placement_id;
received_signature = LegacyShaUtil.sha256Hash(pre_hash);
M_log.debug("Received signature II=" + signature + " received=" + received_signature);
matched = signature.equals(received_signature);
}
// Send a message back to the caller
if (!matched) {
doError(request, response, theMap, "outcomes.sourcedid", "sourcedid", null);
return;
}
// Perform the message-specific handling
if ("toolsetting".equals(message_type))
processSetting(
request, response, lti_message_type, site, siteId, placement_id, pitch, user_id, theMap);
if ("roster".equals(message_type))
processRoster(
request, response, lti_message_type, site, siteId, placement_id, pitch, user_id, theMap);
}
@SuppressWarnings("unchecked")
protected void doPost(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
String ipAddress = request.getRemoteAddr();
if (M_log.isDebugEnabled()) {
M_log.debug("Basic LTI Provider request from IP=" + ipAddress);
}
String enabled = ServerConfigurationService.getString("basiclti.provider.enabled", null);
if (enabled == null || !("true".equals(enabled))) {
M_log.warn("Basic LTI Provider is Disabled IP=" + ipAddress);
response.sendError(HttpServletResponse.SC_FORBIDDEN, "Basic LTI Provider is Disabled");
return;
}
if ("/casa.json".equals(request.getPathInfo())) {
if (ServerConfigurationService.getBoolean("casa.provider.enabled", true)) {
handleCASAList(request, response);
return;
} else {
M_log.warn("CASA Provider is Disabled IP=" + ipAddress);
response.sendError(HttpServletResponse.SC_FORBIDDEN, "CASA Provider is Disabled");
return;
}
}
if ("/canvas-config.xml".equals(request.getPathInfo())) {
if (ServerConfigurationService.getBoolean("canvas.config.enabled", true)) {
handleCanvasConfig(request, response);
return;
} else {
M_log.warn("Canvas config is Disabled IP=" + ipAddress);
response.sendError(HttpServletResponse.SC_FORBIDDEN, "Canvas config is Disabled");
return;
}
}
// If this is a LTI request of any kind, make sure we don't have any
// prior payload in the session.
if (BasicLTIUtil.isRequest(request)) {
Session sess = SessionManager.getCurrentSession();
sess.removeAttribute("payload");
}
// Check if we support ContentItem.
// If we are doing ContentItem and have a payload and are not a launch
// short-circuit to ContentItem
if ("/content.item".equals(request.getPathInfo())) {
if (!ServerConfigurationService.getBoolean("contentitem.provider", true)) {
M_log.warn("ContentItem is Disabled IP=" + ipAddress);
response.sendError(HttpServletResponse.SC_FORBIDDEN, "ContentItem is Disabled");
return;
} else {
Session sess = SessionManager.getCurrentSession();
Map session_payload = (Map) sess.getAttribute("payload");
if (session_payload != null) {
// Post-Login requests to content.item
M_log.debug("ContentItem already logged in " + sess.getUserId());
handleContentItem(request, response, session_payload);
return;
}
}
}
if (M_log.isDebugEnabled()) {
Map<String, String[]> params = (Map<String, String[]>) request.getParameterMap();
for (Map.Entry<String, String[]> param : params.entrySet()) {
M_log.debug(param.getKey() + ":" + param.getValue()[0]);
}
}
Map payload = getPayloadAsMap(request);
// Get the list of highly trusted consumers from sakai.properties.
// If the incoming consumer is highly trusted, we use the context_id and
// site_id as is,
// ie without prefixing them with the oauth_consumer_key first.
// We also don't both checking their roles in the site.
boolean isTrustedConsumer = BasicLTIProviderUtil.isHighlyTrustedConsumer(payload);
/*
* Get the list of email trusted consumers from sakai.properties. If the
* incoming consumer is email trusted, we use the email address provided
* by the consumer and look up the "user" info from sakai instead of
* consumer's. This use case is especially valuable if 2 different LMS's
* acting as TP and TC referring to same user and can be uniquely
* identified by email address. more details SAK-29372
*/
boolean isEmailTrustedConsumer = BasicLTIProviderUtil.isEmailTrustedConsumer(payload);
/*
* Checking if the email trusted consumer property and trusted consumer
* and not both enabled. the case would be an error condition
*/
if (isTrustedConsumer && isEmailTrustedConsumer) {
M_log.warn(
"Both Email Trusted and Trusted Consumer property is enabled, this is invalid IP="
+ ipAddress);
response.sendError(
HttpServletResponse.SC_FORBIDDEN,
"Both Email Trusted and Trusted Consumer property is enabled, this is invalid ");
return;
}
try {
invokeProcessors(payload, isTrustedConsumer, ProcessingState.beforeValidation);
validate(payload, isTrustedConsumer);
invokeProcessors(payload, isTrustedConsumer, ProcessingState.afterValidation);
User user =
userFinderOrCreator.findOrCreateUser(payload, isTrustedConsumer, isEmailTrustedConsumer);
invokeProcessors(payload, isTrustedConsumer, ProcessingState.afterUserCreation, user);
// Check if we are loop-backing on the same server, and already logged in as same user
Session sess = SessionManager.getCurrentSession();
String serverUrl = SakaiBLTIUtil.getOurServerUrl();
String ext_sakai_server = (String) payload.get("ext_sakai_server");
if ("/content.item".equals(request.getPathInfo())
&& isTrustedConsumer
&& ext_sakai_server != null
&& ext_sakai_server.equals(serverUrl)
&& user.getId().equals(sess.getUserId())) {
M_log.debug("ContentItem looping back as " + sess.getUserId());
sess.setAttribute("payload", payload);
handleContentItem(request, response, payload);
return;
}
loginUser(ipAddress, user);
// Re-grab the session
sess = SessionManager.getCurrentSession();
invokeProcessors(payload, isTrustedConsumer, ProcessingState.afterLogin, user);
// This needs to happen after login, when we have a session for the user.
userLocaleSetter.setupUserLocale(payload, user, isTrustedConsumer, isEmailTrustedConsumer);
userPictureSetter.setupUserPicture(payload, user, isTrustedConsumer, isEmailTrustedConsumer);
// The first launch of content.item - no site needed
if ("/content.item".equals(request.getPathInfo())) {
M_log.debug("ContentItem inital external login " + sess.getUserId());
sess.setAttribute("payload", payload);
handleContentItem(request, response, payload);
return;
}
Site site = findOrCreateSite(payload, isTrustedConsumer);
invokeProcessors(payload, isTrustedConsumer, ProcessingState.afterSiteCreation, user, site);
siteEmailPreferenceSetter.setupUserEmailPreferenceForSite(
payload, user, site, isTrustedConsumer);
site =
siteMembershipUpdater.addOrUpdateSiteMembership(payload, isTrustedConsumer, user, site);
invokeProcessors(payload, isTrustedConsumer, ProcessingState.afterSiteMembership, user, site);
String toolPlacementId = addOrCreateTool(payload, isTrustedConsumer, user, site);
invokeProcessors(payload, isTrustedConsumer, ProcessingState.beforeLaunch, user, site);
syncSiteMembershipsOnceThenSchedule(payload, site, isTrustedConsumer, isEmailTrustedConsumer);
// Construct a URL to this tool
StringBuilder url = new StringBuilder();
url.append(SakaiBLTIUtil.getOurServerUrl());
url.append(ServerConfigurationService.getString("portalPath", "/portal"));
url.append("/tool-reset/");
url.append(toolPlacementId);
url.append("?panel=Main");
if (M_log.isDebugEnabled()) {
M_log.debug("url=" + url.toString());
}
// String toolLink = ServerConfigurationService.getPortalUrl()+ "/tool-reset/" + placement_id
// + "?panel=Main";
// Compensate for bug in getPortalUrl()
// toolLink = toolLink.replace("IMS BLTI Portlet", "portal");
response.setContentType("text/html");
response.setStatus(HttpServletResponse.SC_FOUND);
response.sendRedirect(url.toString());
} catch (LTIException ltiException) {
doError(
request,
response,
ltiException.getErrorKey(),
ltiException.getMessage(),
ltiException.getCause());
}
/*
PrintWriter out = response.getWriter();
out.println("<body><div style=\"text-align: center\">");
out.println(" <br/> <br/> <br/> <br/>");
out.println(" <br/> <br/> <br/> <br/>");
out.println("<a href=\"" + url.toString() + "\">");
out.println("<span id=\"hideme\">" + rb.getString("launch.continue")
+ "</span>");
out.println("</a>");
out.println(" <script language=\"javascript\"> \n"
+ " document.getElementById(\"hideme\").style.display = \"none\";\n"
+ " location.href=\"" + url.toString() + "\";\n"
+ " </script> \n");
out.println("</div>");
out.println("</body>");
out.close();
*/
}
