@SuppressWarnings("unchecked")
protected void doPostForm(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
String ipAddress = request.getRemoteAddr();
M_log.debug("Basic LTI Service request from IP=" + ipAddress);
String allowOutcomes =
ServerConfigurationService.getString(
SakaiBLTIUtil.BASICLTI_OUTCOMES_ENABLED,
SakaiBLTIUtil.BASICLTI_OUTCOMES_ENABLED_DEFAULT);
if (!"true".equals(allowOutcomes)) allowOutcomes = null;
String allowSettings =
ServerConfigurationService.getString(
SakaiBLTIUtil.BASICLTI_SETTINGS_ENABLED,
SakaiBLTIUtil.BASICLTI_SETTINGS_ENABLED_DEFAULT);
if (!"true".equals(allowSettings)) allowSettings = null;
String allowRoster =
ServerConfigurationService.getString(
SakaiBLTIUtil.BASICLTI_ROSTER_ENABLED, SakaiBLTIUtil.BASICLTI_ROSTER_ENABLED_DEFAULT);
if (!"true".equals(allowRoster)) allowRoster = null;
if (allowOutcomes == null && allowSettings == null && allowRoster == null) {
M_log.warn("LTI Services are disabled IP=" + ipAddress);
response.setStatus(HttpServletResponse.SC_FORBIDDEN);
return;
}
// Lets return an XML Response
Map<String, Object> theMap = new TreeMap<String, Object>();
Map<String, String[]> params = (Map<String, String[]>) request.getParameterMap();
for (Map.Entry<String, String[]> param : params.entrySet()) {
M_log.debug(param.getKey() + ":" + param.getValue()[0]);
}
// check lti_message_type
String lti_message_type = request.getParameter(BasicLTIConstants.LTI_MESSAGE_TYPE);
theMap.put("/message_response/lti_message_type", lti_message_type);
String sourcedid = null;
String message_type = null;
if (BasicLTIUtil.equals(lti_message_type, "basic-lis-replaceresult")
|| BasicLTIUtil.equals(lti_message_type, "basic-lis-createresult")
|| BasicLTIUtil.equals(lti_message_type, "basic-lis-updateresult")
|| BasicLTIUtil.equals(lti_message_type, "basic-lis-deleteresult")
|| BasicLTIUtil.equals(lti_message_type, "basic-lis-readresult")) {
sourcedid = request.getParameter("sourcedid");
if (allowOutcomes != null) message_type = "basicoutcome";
} else if (BasicLTIUtil.equals(lti_message_type, "basic-lti-loadsetting")
|| BasicLTIUtil.equals(lti_message_type, "basic-lti-savesetting")
|| BasicLTIUtil.equals(lti_message_type, "basic-lti-deletesetting")) {
sourcedid = request.getParameter("id");
if (allowSettings != null) message_type = "toolsetting";
} else if (BasicLTIUtil.equals(lti_message_type, "basic-lis-readmembershipsforcontext")) {
sourcedid = request.getParameter("id");
if (allowRoster != null) message_type = "roster";
} else {
doError(
request,
response,
theMap,
"outcomes.invalid",
"lti_message_type=" + lti_message_type,
null);
return;
}
// If we have not gotten one of our allowed message types, stop now
if (message_type == null) {
doError(
request,
response,
theMap,
"outcomes.invalid",
"lti_message_type=" + lti_message_type,
null);
return;
}
// Perform the Outcomee first because we use the SakaiBLTIUtil code for this
if ("basicoutcome".equals(message_type)) {
processOutcome(request, response, lti_message_type, sourcedid, theMap);
return;
}
// No point continuing without a sourcedid
if (BasicLTIUtil.isBlank(sourcedid)) {
doError(request, response, theMap, "outcomes.missing", "sourcedid", null);
return;
}
String lti_version = request.getParameter(BasicLTIConstants.LTI_VERSION);
if (!BasicLTIUtil.equals(lti_version, "LTI-1p0")) {
doError(request, response, theMap, "outcomes.invalid", "lti_version=" + lti_version, null);
return;
}
String oauth_consumer_key = request.getParameter("oauth_consumer_key");
if (BasicLTIUtil.isBlank(oauth_consumer_key)) {
doError(request, response, theMap, "outcomes.missing", "oauth_consumer_key", null);
return;
}
// Truncate this to the maximum length to insure no cruft at the end
if (sourcedid.length() > 2048) sourcedid = sourcedid.substring(0, 2048);
// Attempt to parse the sourcedid, any failure is fatal
String placement_id = null;
String signature = null;
String user_id = null;
try {
int pos = sourcedid.indexOf(":::");
if (pos > 0) {
signature = sourcedid.substring(0, pos);
String dec2 = sourcedid.substring(pos + 3);
pos = dec2.indexOf(":::");
user_id = dec2.substring(0, pos);
placement_id = dec2.substring(pos + 3);
}
} catch (Exception e) {
// Log some detail for ourselves
M_log.warn(
"Unable to decrypt result_sourcedid IP=" + ipAddress + " Error=" + e.getMessage(), e);
signature = null;
placement_id = null;
user_id = null;
}
// Send a more generic message back to the caller
if (placement_id == null || user_id == null) {
doError(request, response, theMap, "outcomes.sourcedid", "sourcedid", null);
return;
}
M_log.debug("signature=" + signature);
M_log.debug("user_id=" + user_id);
M_log.debug("placement_id=" + placement_id);
Properties pitch = SakaiBLTIUtil.getPropertiesFromPlacement(placement_id, ltiService);
if (pitch == null) {
M_log.debug("Error retrieving result_sourcedid information");
doError(request, response, theMap, "outcomes.sourcedid", "sourcedid", null);
return;
}
String siteId = pitch.getProperty(LTIService.LTI_SITE_ID);
Site site = null;
try {
site = SiteService.getSite(siteId);
} catch (Exception e) {
M_log.debug("Error retrieving result_sourcedid site: " + e.getLocalizedMessage(), e);
}
// Send a more generic message back to the caller
if (site == null) {
doError(request, response, theMap, "outcomes.sourcedid", "sourcedid", null);
return;
}
// Check the message signature using OAuth
String oauth_secret = pitch.getProperty(LTIService.LTI_SECRET);
M_log.debug("oauth_secret: " + oauth_secret);
oauth_secret = SakaiBLTIUtil.decryptSecret(oauth_secret);
M_log.debug("oauth_secret (decrypted): " + oauth_secret);
String URL = SakaiBLTIUtil.getOurServletPath(request);
OAuthMessage oam = OAuthServlet.getMessage(request, URL);
OAuthValidator oav = new SimpleOAuthValidator();
OAuthConsumer cons =
new OAuthConsumer(
"about:blank#OAuth+CallBack+NotUsed", oauth_consumer_key, oauth_secret, null);
OAuthAccessor acc = new OAuthAccessor(cons);
String base_string = null;
try {
base_string = OAuthSignatureMethod.getBaseString(oam);
} catch (Exception e) {
M_log.error(e.getLocalizedMessage(), e);
base_string = null;
}
try {
oav.validateMessage(oam, acc);
} catch (Exception e) {
M_log.warn("Provider failed to validate message");
M_log.warn(e.getLocalizedMessage(), e);
if (base_string != null) {
M_log.warn(base_string);
}
doError(request, response, theMap, "outcome.no.validate", oauth_consumer_key, null);
return;
}
// Check the signature of the sourcedid to make sure it was not altered
String placement_secret = pitch.getProperty(LTIService.LTI_PLACEMENTSECRET);
// Send a generic message back to the caller
if (placement_secret == null) {
doError(request, response, theMap, "outcomes.sourcedid", "sourcedid", null);
return;
}
String pre_hash = placement_secret + ":::" + user_id + ":::" + placement_id;
String received_signature = LegacyShaUtil.sha256Hash(pre_hash);
M_log.debug("Received signature=" + signature + " received=" + received_signature);
boolean matched = signature.equals(received_signature);
String old_placement_secret = pitch.getProperty(LTIService.LTI_OLDPLACEMENTSECRET);
if (old_placement_secret != null && !matched) {
pre_hash = placement_secret + ":::" + user_id + ":::" + placement_id;
received_signature = LegacyShaUtil.sha256Hash(pre_hash);
M_log.debug("Received signature II=" + signature + " received=" + received_signature);
matched = signature.equals(received_signature);
}
// Send a message back to the caller
if (!matched) {
doError(request, response, theMap, "outcomes.sourcedid", "sourcedid", null);
return;
}
// Perform the message-specific handling
if ("toolsetting".equals(message_type))
processSetting(
request, response, lti_message_type, site, siteId, placement_id, pitch, user_id, theMap);
if ("roster".equals(message_type))
processRoster(
request, response, lti_message_type, site, siteId, placement_id, pitch, user_id, theMap);
}
@SuppressWarnings("unchecked")
protected void doPostXml(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
String ipAddress = request.getRemoteAddr();
M_log.debug("LTI POX Service request from IP=" + ipAddress);
String allowOutcomes =
ServerConfigurationService.getString(
SakaiBLTIUtil.BASICLTI_OUTCOMES_ENABLED,
SakaiBLTIUtil.BASICLTI_OUTCOMES_ENABLED_DEFAULT);
if (!"true".equals(allowOutcomes)) allowOutcomes = null;
if (allowOutcomes == null) {
M_log.warn("LTI Services are disabled IP=" + ipAddress);
response.setStatus(HttpServletResponse.SC_FORBIDDEN);
return;
}
IMSPOXRequest pox = new IMSPOXRequest(request);
if (!pox.valid) {
doErrorXML(request, response, pox, "pox.invalid", pox.errorMessage, null);
return;
}
// check lti_message_type
String lti_message_type = pox.getOperation();
String sourcedid = null;
String message_type = null;
if (M_log.isDebugEnabled()) M_log.debug("POST\n" + XMLMap.prettyPrint(pox.postBody));
Map<String, String> bodyMap = pox.getBodyMap();
if (("replaceResultRequest".equals(lti_message_type)
|| "readResultRequest".equals(lti_message_type)
|| "deleteResultRequest".equals(lti_message_type))
&& allowOutcomes != null) {
sourcedid = bodyMap.get("/resultRecord/sourcedGUID/sourcedId");
message_type = "basicoutcome";
} else {
String output = pox.getResponseUnsupported("Not supported " + lti_message_type);
response.setContentType("application/xml");
PrintWriter out = response.getWriter();
out.println(output);
return;
}
// No point continuing without a sourcedid
if (BasicLTIUtil.isBlank(sourcedid)) {
doErrorXML(request, response, pox, "outcomes.missing", "sourcedid", null);
return;
}
// Handle the outcomes here using the new SakaiBLTIUtil code
if (allowOutcomes != null && "basicoutcome".equals(message_type)) {
processOutcomeXml(request, response, lti_message_type, sourcedid, pox);
return;
}
// Truncate this to the maximum length to insure no cruft at the end
if (sourcedid.length() > 2048) sourcedid = sourcedid.substring(0, 2048);
// Attempt to parse the sourcedid, any failure is fatal
String placement_id = null;
String signature = null;
String user_id = null;
try {
int pos = sourcedid.indexOf(":::");
if (pos > 0) {
signature = sourcedid.substring(0, pos);
String dec2 = sourcedid.substring(pos + 3);
pos = dec2.indexOf(":::");
user_id = dec2.substring(0, pos);
placement_id = dec2.substring(pos + 3);
}
} catch (Exception e) {
// Log some detail for ourselves
M_log.warn(
"Unable to decrypt result_sourcedid IP=" + ipAddress + " Error=" + e.getMessage(), e);
signature = null;
placement_id = null;
user_id = null;
}
// Send a more generic message back to the caller
if (placement_id == null || user_id == null) {
doErrorXML(
request, response, pox, "outcomes.sourcedid", "missing user_id or placement_id", null);
return;
}
M_log.debug("signature=" + signature);
M_log.debug("user_id=" + user_id);
M_log.debug("placement_id=" + placement_id);
Properties pitch = SakaiBLTIUtil.getPropertiesFromPlacement(placement_id, ltiService);
if (pitch == null) {
M_log.debug("Error retrieving result_sourcedid information");
doErrorXML(request, response, pox, "outcomes.sourcedid", "sourcedid", null);
return;
}
String siteId = pitch.getProperty(LTIService.LTI_SITE_ID);
Site site = null;
try {
site = SiteService.getSite(siteId);
} catch (Exception e) {
M_log.debug("Error retrieving result_sourcedid site: " + e.getLocalizedMessage(), e);
}
// Send a more generic message back to the caller
if (site == null) {
doErrorXML(request, response, pox, "outcomes.sourcedid", "sourcedid", null);
return;
}
// Check the message signature using OAuth
String oauth_consumer_key = pox.getOAuthConsumerKey();
String oauth_secret = pitch.getProperty(LTIService.LTI_SECRET);
M_log.debug("oauth_secret: " + oauth_secret);
oauth_secret = SakaiBLTIUtil.decryptSecret(oauth_secret);
M_log.debug("oauth_secret (decrypted): " + oauth_secret);
String URL = SakaiBLTIUtil.getOurServletPath(request);
pox.validateRequest(oauth_consumer_key, oauth_secret, request, URL);
if (!pox.valid) {
if (pox.base_string != null) {
M_log.warn(pox.base_string);
}
doErrorXML(request, response, pox, "outcome.no.validate", oauth_consumer_key, null);
return;
}
// Check the signature of the sourcedid to make sure it was not altered
String placement_secret = pitch.getProperty(LTIService.LTI_PLACEMENTSECRET);
// Send a generic message back to the caller
if (placement_secret == null) {
M_log.debug("placement_secret is null");
doErrorXML(request, response, pox, "outcomes.sourcedid", "sourcedid", null);
return;
}
String pre_hash = placement_secret + ":::" + user_id + ":::" + placement_id;
String received_signature = LegacyShaUtil.sha256Hash(pre_hash);
M_log.debug("Received signature=" + signature + " received=" + received_signature);
boolean matched = signature.equals(received_signature);
String old_placement_secret = pitch.getProperty(LTIService.LTI_OLDPLACEMENTSECRET);
if (old_placement_secret != null && !matched) {
pre_hash = placement_secret + ":::" + user_id + ":::" + placement_id;
received_signature = LegacyShaUtil.sha256Hash(pre_hash);
M_log.debug("Received signature II=" + signature + " received=" + received_signature);
matched = signature.equals(received_signature);
}
// Send a message back to the caller
if (!matched) {
doErrorXML(request, response, pox, "outcomes.sourcedid", "sourcedid", null);
return;
}
response.setContentType("application/xml");
PrintWriter writer = response.getWriter();
String desc = "Message received and validated operation=" + pox.getOperation();
String output = pox.getResponseUnsupported(desc);
writer.println(output);
}
protected Site findOrCreateSite(Map payload, boolean trustedConsumer) throws LTIException {
String context_id = (String) payload.get(BasicLTIConstants.CONTEXT_ID);
String oauth_consumer_key = (String) payload.get("oauth_consumer_key");
String siteId = null;
if (trustedConsumer) {
siteId = context_id;
} else {
siteId = LegacyShaUtil.sha1Hash(oauth_consumer_key + ":" + context_id);
}
if (M_log.isDebugEnabled()) {
M_log.debug("siteId=" + siteId);
}
final String context_title = (String) payload.get(BasicLTIConstants.CONTEXT_TITLE);
final String context_label = (String) payload.get(BasicLTIConstants.CONTEXT_LABEL);
Site site = null;
// Get the site if it exists
if (ServerConfigurationService.getBoolean(
"basiclti.provider.lookupSitesByLTIContextIdProperty", false)) {
try {
site = findSiteByLTIContextId(context_id);
if (site != null) {
updateSiteDetailsIfChanged(site, context_title, context_label);
return site;
}
} catch (Exception e) {
if (M_log.isDebugEnabled()) {
M_log.debug(e.getLocalizedMessage(), e);
}
}
} else {
try {
site = SiteService.getSite(siteId);
updateSiteDetailsIfChanged(site, context_title, context_label);
return site;
} catch (Exception e) {
if (M_log.isDebugEnabled()) {
M_log.debug(e.getLocalizedMessage(), e);
}
}
}
// If trusted and site does not exist, error, otherwise, create the site
if (trustedConsumer) {
throw new LTIException("launch.site.invalid", "siteId=" + siteId, null);
} else {
pushAdvisor();
try {
String sakai_type = "project";
// BLTI-154. If an autocreation site template has been specced in sakai.properties, use it.
String autoSiteTemplateId =
ServerConfigurationService.getString("basiclti.provider.autositetemplate", null);
boolean templateSiteExists = SiteService.siteExists(autoSiteTemplateId);
if (!templateSiteExists) {
M_log.warn(
"A template site id was specced ("
+ autoSiteTemplateId
+ ") but no site with this id exists. A default lti site will be created instead.");
}
if (autoSiteTemplateId == null || !templateSiteExists) {
// BLTI-151 If the new site type has been specified in sakai.properties, use it.
sakai_type = ServerConfigurationService.getString("basiclti.provider.newsitetype", null);
if (BasicLTIUtil.isBlank(sakai_type)) {
// It wasn't specced in the props. Test for the ims course context type.
final String context_type = (String) payload.get(BasicLTIConstants.CONTEXT_TYPE);
if (BasicLTIUtil.equalsIgnoreCase(context_type, "course")) {
sakai_type = "course";
} else {
sakai_type = BasicLTIConstants.NEW_SITE_TYPE;
}
}
site = SiteService.addSite(siteId, sakai_type);
site.setType(sakai_type);
} else {
Site autoSiteTemplate = SiteService.getSite(autoSiteTemplateId);
site = SiteService.addSite(siteId, autoSiteTemplate);
}
if (BasicLTIUtil.isNotBlank(context_title)) {
site.setTitle(context_title);
}
if (BasicLTIUtil.isNotBlank(context_label)) {
site.setShortDescription(context_label);
}
site.setJoinable(false);
site.setPublished(true);
site.setPubView(false);
// record the original context_id to a site property
site.getPropertiesEdit().addProperty(LTI_CONTEXT_ID, context_id);
try {
SiteService.save(site);
M_log.info(
"Created site="
+ siteId
+ " label="
+ context_label
+ " type="
+ sakai_type
+ " title="
+ context_title);
} catch (Exception e) {
throw new LTIException("launch.site.save", "siteId=" + siteId, e);
}
} catch (Exception e) {
throw new LTIException("launch.create.site", "siteId=" + siteId, e);
} finally {
popAdvisor();
}
}
try {
return SiteService.getSite(site.getId());
} catch (IdUnusedException e) {
throw new LTIException("launch.site.invalid", "siteId=" + siteId, e);
}
}