Merge branch 'main' into issue-3911issue-3911

1 files changed, 135 insertions, 0 deletions

diff --git a/lib/classes/auth_plugins/StudipAuthLTI.php b/lib/classes/auth_plugins/StudipAuthLTI.php
new file mode 100644
index 0000000..d5a2863
--- /dev/null
+++ b/lib/classes/auth_plugins/StudipAuthLTI.php
@@ -0,0 +1,135 @@
+<?php
+/*
+ * StudipAuthLTI.php - Stud.IP authentication against LTI 1.1 consumer
+ * Copyright (c) 2018  Elmar Ludwig
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation; either version 2 of
+ * the License, or (at your option) any later version.
+ */
+
+use Studip\OAuth2\NegotiatesWithPsr7;
+
+class StudipAuthLTI extends StudipAuthSSO
+{
+    use NegotiatesWithPsr7;
+
+    public $consumer_keys;
+    public $username;
+    public $domain;
+
+    /**
+     * Validate the username passed to the auth plugin. Note: This implementation
+     * ignores the username parameter and always uses the data passed via the LTI
+     * parameters "lis_person_sourcedid" or "user_id".
+     *
+     * @param   string $username (ignored)
+     *
+     * @return  string  username derived from LTI parameters
+     *
+     * @throws InvalidArgumentException  if no username can be determined
+     */
+    public function verifyUsername($username)
+    {
+        $consumer_key = Request::get('oauth_consumer_key');
+        $username = Request::get('lis_person_sourcedid', Request::get('user_id'));
+        $override = $this->consumer_keys[$consumer_key]['allow_domain_override'];
+        $domain = $this->consumer_keys[$consumer_key]['domain'];
+
+        if (!$username) {
+            throw new InvalidArgumentException('user_id must not be empty');
+        }
+
+        if ($domain === null) {
+            $domain = $consumer_key;
+        }
+
+        if ($override && strpos($username, '@') !== false) {
+            list($username, $domain) = explode('@', $username);
+        }
+
+        if ($domain !== '') {
+            $username .= '@' . $domain;
+            $this->domain = $domain;
+        }
+
+        return $this->username = parent::verifyUsername($username);
+    }
+
+    /**
+     * Check whether this user can be authenticated. Since we trust the user
+     * information sent by the LTI consumer, only the OAuth signature is checked.
+     *
+     * @param   string $username account name
+     * @param   string $password (ignored)
+     *
+     * @return  bool    true if authentication succeeds
+     *
+     */
+    public function isAuthenticated($username, $password)
+    {
+        $consumer_key = Request::get('oauth_consumer_key');
+        $consumer_secret = $this->consumer_keys[$consumer_key]['consumer_secret'];
+
+        if (!Studip\OAuth1::verifyRequest($this->getPsrRequest(), $consumer_secret, '')) {
+            return false;
+        }
+
+        return parent::isAuthenticated($username, $password);
+    }
+
+    /**
+     * Authenticate this user and handle auto enrollment. If the URL parameter
+     * "sem_id" is set, the user is automatically redircted to the enrollment
+     * action for this course.
+     *
+     * @param   string $username the username to check
+     * @param   string $password the password (ignored)
+     *
+     * @return  mixed   if authentication succeeds: the Stud.IP user, else false
+     */
+    public function authenticateUser($username, $password)
+    {
+        $user = parent::authenticateUser($username, $password);
+        $course_id = Request::option('sem_id');
+
+        if ($user && $course_id) {
+            header('Location: ' . URLHelper::getURL('dispatch.php/lti/index/' . $course_id));
+        }
+
+        return $user;
+    }
+
+    /**
+     * Return the current username of the pending authentication request.
+     */
+    public function getUser()
+    {
+        return $this->username;
+    }
+
+    /**
+     * Get the user domains to assign to the current user (if any).
+     *
+     * @return array    array of user domain names
+     */
+    public function getUserDomains()
+    {
+        return $this->domain ? [$this->domain] : null;
+    }
+
+    /**
+     * Callback that can be used in user_data_mapping array. For LTI, this is
+     * equivalent to Request::get(), since all launch data is POST parameters.
+     * @see http://www.imsglobal.org/specs/ltiv1p1/implementation-guide
+     *
+     * @param   string  key (e.g. "lis_person_contact_email_primary")
+     *
+     * @return  string  parameter value (null if not set)
+     */
+    public function getUserData($key)
+    {
+        return Request::get($key);
+    }
+}