<?php
/*
* StudipAuthLTI.class.php - Stud.IP authentication against an LTI 1.3A consumer
* Copyright (c) 2018 Elmar Ludwig
* Copyright (c) 2023-2024 Moritz Strohm
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License as
* published by the Free Software Foundation; either version 2 of
* the License, or (at your option) any later version.
*/
use Studip\OAuth2\NegotiatesWithPsr7;
use OAT\Library\Lti1p3Core\Registration\RegistrationInterface;
use OAT\Library\Lti1p3Core\Security\User\Result\UserAuthenticationResultInterface;
use OAT\Library\Lti1p3Core\Security\User\UserAuthenticatorInterface;
use OAT\Library\Lti1p3Core\Security\User\Result\UserAuthenticationResult;
use OAT\Library\Lti1p3Core\User\UserIdentity;
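/**
 * Stud.IP authentication plugin for LTI launches.
 *
 * Two entry paths are visible in this class:
 *  - the classic Stud.IP auth plugin methods (verifyUsername(), isAuthenticated(),
 *    authenticateUser(), ...), which read the LTI launch POST parameters and check
 *    the OAuth 1 request signature against the configured consumer secret;
 *  - authenticate(), the OAT LTI 1.3 UserAuthenticatorInterface implementation,
 *    which resolves a login hint to a Stud.IP user and reuses authenticateUser().
 *
 * The user identity itself (user id / lis_person_sourcedid) is taken from the
 * consumer as-is, so the consumer secret is the only thing that protects
 * account selection. Configure one secret per consumer and keep it private.
 */
class StudipAuthLTI extends StudipAuthSSO implements UserAuthenticatorInterface
{
    use NegotiatesWithPsr7;

    /**
     * Per-consumer configuration, keyed by oauth_consumer_key. Keys read here:
     * 'consumer_secret', 'domain', 'allow_domain_override'.
     * Populated from outside this class (assumed: plugin configuration).
     *
     * @var array<string, array<string, mixed>>|null
     */
    public $consumer_keys;

    /** @var string|null username of the pending request (set by verifyUsername()) */
    public $username;

    /** @var string|null user domain of the pending request (set by verifyUsername()) */
    public $domain;

    /**
     * Validate the username passed to the auth plugin. Note: This implementation
     * ignores the username parameter and always uses the data passed via the LTI
     * parameters "lis_person_sourcedid" or "user_id".
     *
     * The resulting username is "<lti user>@<domain>" where the domain is, in
     * order of precedence:
     *  - the "@domain" suffix of the LTI username, if 'allow_domain_override' is
     *    enabled for this consumer (the consumer then chooses the domain, so only
     *    enable this for consumers that are allowed to place users anywhere);
     *  - the configured 'domain' of the consumer;
     *  - the consumer key itself.
     * An empty domain leaves the username without suffix.
     *
     * @param string $username (ignored)
     *
     * @return string username derived from LTI parameters
     *
     * @throws InvalidArgumentException if no username can be determined
     */
    public function verifyUsername($username)
    {
        $consumer_key = Request::get('oauth_consumer_key');
        // Unknown consumer keys must not trigger undefined-index warnings;
        // they simply have no override flag and no configured domain.
        $config = $this->consumer_keys[$consumer_key] ?? [];
        $username = Request::get('lis_person_sourcedid', Request::get('user_id'));
        $override = $config['allow_domain_override'] ?? null;
        $domain = $config['domain'] ?? null;

        if (!$username) {
            throw new InvalidArgumentException('user_id must not be empty');
        }

        if ($domain === null) {
            $domain = $consumer_key;
        }

        if ($override && strpos($username, '@') !== false) {
            // Only the first two "@"-separated parts are used, as before.
            [$username, $domain] = explode('@', $username);
        }

        if ($domain !== '') {
            $username .= '@' . $domain;
            $this->domain = $domain;
        }

        return $this->username = parent::verifyUsername($username);
    }

    /**
     * Check whether this user can be authenticated. Since we trust the user
     * information sent by the LTI consumer, only the OAuth signature is checked.
     *
     * A request for a consumer key that has no configured (non-empty) secret is
     * rejected without attempting signature verification: there is nothing to
     * verify the signature against.
     *
     * @param string $username account name
     * @param string $password (ignored)
     *
     * @return bool true if authentication succeeds
     */
    public function isAuthenticated($username, $password)
    {
        $consumer_key = Request::get('oauth_consumer_key');
        $consumer_secret = $this->consumer_keys[$consumer_key]['consumer_secret'] ?? null;

        if ($consumer_secret === null || $consumer_secret === '') {
            return false;
        }

        if (!Studip\OAuth1::verifyRequest($this->getPsrRequest(), $consumer_secret, '')) {
            return false;
        }

        return parent::isAuthenticated($username, $password);
    }

    /**
     * Authenticate this user and handle auto enrollment. If the URL parameter
     * "sem_id" is set, the user is automatically redirected to the enrollment
     * action for this course.
     *
     * Note: only the Location header is sent here; the caller is responsible
     * for ending the response.
     *
     * @param string $username the username to check
     * @param string $password the password (ignored)
     *
     * @return mixed if authentication succeeds: the Stud.IP user, else false
     */
    public function authenticateUser($username, $password)
    {
        $user = parent::authenticateUser($username, $password);
        $course_id = Request::option('sem_id');

        if ($user && $course_id) {
            header('Location: ' . URLHelper::getURL('dispatch.php/lti/index/' . $course_id));
        }

        return $user;
    }

    /**
     * Return the current username of the pending authentication request.
     *
     * @return string|null username set by verifyUsername(), null before that
     */
    public function getUser()
    {
        return $this->username;
    }

    /**
     * Get the user domains to assign to the current user (if any).
     *
     * @return array|null array with the single domain name, or null if the
     *                    pending request has no domain
     */
    public function getUserDomains()
    {
        return $this->domain ? [$this->domain] : null;
    }

    /**
     * Callback that can be used in user_data_mapping array. For LTI, this is
     * equivalent to Request::get(), since all launch data is POST parameters.
     * @see http://www.imsglobal.org/specs/ltiv1p1/implementation-guide
     *
     * @param string $key parameter name (e.g. "lis_person_contact_email_primary")
     *
     * @return string|null parameter value (null if not set)
     */
    public function getUserData($key)
    {
        return Request::get($key);
    }

    /**
     * \OAT\Library\Lti1p3Core\Security\User\UserAuthenticatorInterface implementation.
     *
     * Resolves the login hint to a Stud.IP user (the hint is looked up as user id)
     * and runs the regular authenticateUser() path for that user. Whatever
     * authenticateUser() requires of the request applies here as well.
     *
     * @param RegistrationInterface $registration the LTI platform registration (unused here)
     * @param string $loginHint the user id passed as OIDC login hint
     *
     * @return UserAuthenticationResultInterface failure result if the user is
     *         unknown or could not be authenticated, success result with the
     *         user's identity otherwise
     */
    public function authenticate(RegistrationInterface $registration, string $loginHint) : UserAuthenticationResultInterface
    {
        $user = User::find($loginHint);
        if (!$user) {
            // Unknown user id: nothing to authenticate.
            return new UserAuthenticationResult(false, null);
        }

        if (!$this->authenticateUser($user->username, '')) {
            return new UserAuthenticationResult(false, null);
        }

        $identity = new UserIdentity(
            $user->id,
            $user->getFullName(),
            $user->email,
            $user->vorname,
            $user->nachname,
            '',
            $user->preferred_language,
            Avatar::getAvatar($user->id)->getURL(Avatar::SMALL)
        );

        return new UserAuthenticationResult(true, $identity);
    }
}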