WIP LTI verify oauth signature in service - refs BT#13469

7 years ago · 4767a90c9c
parent c8d81c560d
commit 4767a90c9c
4 changed files with 100 additions and 3 deletions
--- a/.htaccess
+++ b/.htaccess
@ -64,6 +64,9 @@ RewriteRule ^main/newscorm/(.*)$ main/lp/$1 [QSA,L]
 # service Information
 RewriteRule ^service/(\d{1,})$ plugin/buycourses/src/service_information.php?service_id=$1 [L]

+# LTI outcome service
+RewriteRule ^ims_lti/outcome_service/(\d{1,})$ plugin/ims_lti/outcome_service.php?t=$1 [L]
+
 # This rule is very generic and should always remain at the bottom of .htaccess
 # http://my.chamilo.net/jdoe to http://my.chamilo.net/user.php?jdoe
 RewriteRule ^([^/.]+)/?$ user.php?$1 [L]
--- a/plugin/ims_lti/OAuthSimple.php
+++ b/plugin/ims_lti/OAuthSimple.php
@ -539,6 +539,45 @@ class OAuthSimple
                break;
        }
    }
+
+    /**
+     * @param $string
+     *
+     * @return string
+     */
+    public static function generateBodyHash($string)
+    {
+        $hash = sha1($string, true);
+
+        return base64_encode($hash);
+    }
+
+    /**
+     * @param string $authorizationHeader
+     *
+     * @return array
+     */
+    public static function getAuthorizationParams($authorizationHeader)
+    {
+        if ('OAuth ' !== substr($authorizationHeader, 0, 6)) {
+            return [];
+        }
+
+        $params = [];
+        $authString = str_replace('OAuth ', '', $authorizationHeader);
+        $authParts = explode(',', $authString);
+
+        foreach ($authParts as $authPart) {
+            list($key, $value) = explode('=', $authPart, 2);
+
+            $key = trim($key);
+            $value = trim($value, " \"");
+
+            $params[$key] = urldecode($value);
+        }
+
+        return $params;
+    }
 }

 /**
--- a/plugin/ims_lti/form.php
+++ b/plugin/ims_lti/form.php
@ -15,7 +15,9 @@ api_block_anonymous_users(false);
 $em = Database::getManager();

 /** @var ImsLtiTool $tool */
-$tool = isset($_GET['id']) ? $em->find('ChamiloPluginBundle:ImsLti\ImsLtiTool', intval($_GET['id'])) : 0;
+$tool = isset($_GET['id'])
+    ? $em->find('ChamiloPluginBundle:ImsLti\ImsLtiTool', (int) $_GET['id'])
+    : null;

 if (!$tool) {
    api_not_allowed(true);
@ -30,6 +32,7 @@ $course = $em->find('ChamiloCoreBundle:Course', api_get_course_int_id());
 /** @var User $user */
 $user = $em->find('ChamiloUserBundle:User', api_get_user_id());

+$pluginPath = api_get_path(WEB_PLUGIN_PATH).'ims_lti/';
 $toolUserId = ImsLtiPlugin::generateToolUserId($user->getId());
 $platformDomain = str_replace(['https://', 'http://'], '', api_get_setting('InstitutionUrl'));

@ -38,7 +41,7 @@ $params['lti_version'] = 'LTI-1p0';

 if ($tool->isActiveDeepLinking()) {
    $params['lti_message_type'] = 'ContentItemSelectionRequest';
-    $params['content_item_return_url'] = api_get_path(WEB_PLUGIN_PATH).'ims_lti/item_return.php';
+    $params['content_item_return_url'] = $pluginPath.'item_return.php';
    $params['accept_media_types'] = '*/*';
    $params['accept_presentation_document_targets'] = 'iframe';
    //$params['accept_unsigned'];
@ -58,7 +61,7 @@ if ($tool->isActiveDeepLinking()) {

    if (!empty($toolEval)) {
        $params['lis_result_sourcedid'] = $toolEval->getId().':'.$user->getId();
-        $params['lis_outcome_service_url'] = api_get_path(WEB_PLUGIN_PATH).'ims_lti/outcome_service.php';
+        $params['lis_outcome_service_url'] = api_get_path(WEB_PATH).'ims_lti/outcome_service/'.$tool->getId();
        $params['lis_person_sourcedid'] = "$platformDomain:$toolUserId";
        $params['lis_course_offering_sourcedid'] = "$platformDomain:".$course->getId();

--- a/plugin/ims_lti/outcome_service.php
+++ b/plugin/ims_lti/outcome_service.php
@ -1,10 +1,62 @@
 <?php
 /* For license terms, see /license.txt */

+use Chamilo\PluginBundle\Entity\ImsLti\ImsLtiTool;
+
 require_once __DIR__.'/../../main/inc/global.inc.php';
+require_once './OAuthSimple.php';

 header('Content-Type: application/xml');

+if (empty($_GET['t'])) {
+    exit;
+}
+
+$em = Database::getManager();
+/** @var ImsLtiTool $tool */
+$tool = $em->find('ChamiloPluginBundle:ImsLti\ImsLtiTool', (int) $_GET['t']);
+
+if (empty($tool)) {
+    exit;
+}
+
+$body = file_get_contents('php://input');
+$bodyHash = OAuthSimple::generateBodyHash($body);
+
+$url = api_get_path(WEB_PATH).'ims_lti/outcome_service/'.$tool->getId();
+$headers = getallheaders();
+
+$params = OAuthSimple::getAuthorizationParams($headers['Authorization']);
+
+if (empty($params)) {
+    exit;
+}
+
+$oauth = new OAuthSimple(
+    $params['oauth_consumer_key'],
+    $tool->getSharedSecret()
+);
+$oauth->setAction('POST');
+$oauth->setSignatureMethod('HMAC-SHA1');
+$result = $oauth->sign(
+    [
+        'path' => $url,
+        'parameters' => [
+            'oauth_body_hash' => $params['oauth_body_hash'],
+            'oauth_nonce' => $params['oauth_nonce'],
+            'oauth_timestamp' => $params['oauth_timestamp'],
+            'oauth_signature_method' => $params['oauth_signature_method'],
+        ],
+    ]
+);
+
+$signatureValid = urldecode($result['signature']) == $params['oauth_signature'];
+$bodyHashValid = $bodyHash === $params['oauth_body_hash'];
+
+if (!$signatureValid || !$bodyHashValid) {
+    exit;
+}
+
 $plugin = ImsLtiPlugin::create();

 $process = $plugin->processServiceRequest();