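/**
 * Verify a body-signed OAuth POST (the LTI "oauth_body_hash" scheme) and
 * return the raw request body.
 *
 * Checks, in order: the request is not form-encoded, the Authorization header
 * is an "OAuth " header carrying oauth_body_hash, the request signature
 * verifies with HMAC-SHA1 against the given consumer key/secret, and
 * base64(sha1(body)) of php://input equals oauth_body_hash.
 *
 * @param string $oauth_consumer_key
 * @param string $oauth_consumer_secret
 * @return string the raw request body
 * @throws Exception when any of the checks above fails
 *
 * Side effect: the signature base string is stored in the global
 * $LastOAuthBodyBaseString so the caller can show it when debugging.
 */
function handleOAuthBodyPOST($oauth_consumer_key, $oauth_consumer_secret) {
    $request_headers = OAuthUtil::get_headers();

    // Must reject application/x-www-form-urlencoded: such a body is parsed
    // into $_POST and is not an opaque payload to hash.  Match on the media
    // type only (case-insensitive, ";charset=..." parameters ignored) so a
    // variant spelling of the same type does not slip past the check.
    $content_type = isset($request_headers['Content-type']) ? $request_headers['Content-type'] : '';
    if (stripos(trim($content_type), 'application/x-www-form-urlencoded') === 0) {
        throw new Exception("OAuth request body signing must not use application/x-www-form-urlencoded");
    }

    // oauth_body_hash is only accepted from an "OAuth ..." Authorization header.
    $oauth_body_hash = null;
    $authorization = isset($request_headers['Authorization']) ? $request_headers['Authorization'] : '';
    if (strncmp($authorization, "OAuth ", 6) === 0) {
        $header_parameters = OAuthUtil::split_header($authorization);
        if (isset($header_parameters['oauth_body_hash'])) {
            $oauth_body_hash = $header_parameters['oauth_body_hash'];
        }
    }
    if ($oauth_body_hash === null) {
        throw new Exception("OAuth request body signing requires oauth_body_hash body");
    }

    // Verify the message signature
    $store = new TrivialOAuthDataStore();
    $store->add_consumer($oauth_consumer_key, $oauth_consumer_secret);
    $server = new OAuthServer($store);
    $method = new OAuthSignatureMethod_HMAC_SHA1();
    $server->add_signature_method($method);
    $request = OAuthRequest::from_request();

    global $LastOAuthBodyBaseString;
    $LastOAuthBodyBaseString = $request->get_signature_base_string();

    try {
        $server->verify_request($request);
    } catch (Exception $e) {
        throw new Exception("OAuth signature failed: " . $e->getMessage());
    }

    // The signature just verified covers the oauth_body_hash parameter, so a
    // matching hash ties the body to the signed request.  hash_equals() keeps
    // the comparison constant-time.
    $postdata = file_get_contents('php://input');
    if ($postdata === false) {
        $postdata = '';
    }
    $hash = base64_encode(sha1($postdata, TRUE));
    if (!hash_equals($hash, (string) $oauth_body_hash)) {
        throw new Exception("OAuth oauth_body_hash mismatch");
    }
    return $postdata;
}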
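/**
 * Verify a body-signed OAuth POST (oauth_body_hash) against a body the
 * caller has already read, and hand that body back.
 *
 * Checks, in order: the request is not form-encoded, the Authorization header
 * is an "OAuth " header carrying oauth_body_hash, the request signature
 * verifies with HMAC-SHA1 against the given consumer key/secret, and
 * base64(sha1($body)) equals oauth_body_hash.
 *
 * @param string $oauthconsumerkey
 * @param string $oauthconsumersecret
 * @param string $body            the raw request body to hash
 * @param array|null $requestheaders  headers to inspect; when absent (or an
 *                                empty value) the live request headers are used
 * @return string $body, unchanged
 * @throws OAuthException when any of the checks above fails
 */
function handle_oauth_body_post($oauthconsumerkey, $oauthconsumersecret, $body, $requestheaders = null) {
    // Loose emptiness test kept on purpose: an empty array falls back to the
    // live headers exactly as a null did before.
    if (!$requestheaders) {
        $requestheaders = OAuthUtil::get_headers();
    }

    // Must reject application/x-www-form-urlencoded: such a body is parsed
    // into $_POST and is not an opaque payload to hash.  Match on the media
    // type only (case-insensitive, ";charset=..." parameters ignored).
    $contenttype = isset($requestheaders['Content-type']) ? $requestheaders['Content-type'] : '';
    if (stripos(trim($contenttype), 'application/x-www-form-urlencoded') === 0) {
        throw new OAuthException("OAuth request body signing must not use application/x-www-form-urlencoded");
    }

    // oauth_body_hash is only accepted from an "OAuth ..." Authorization header.
    $oauthbodyhash = null;
    $authorization = isset($requestheaders['Authorization']) ? $requestheaders['Authorization'] : '';
    if (strncmp($authorization, "OAuth ", 6) === 0) {
        $headerparameters = OAuthUtil::split_header($authorization);
        if (isset($headerparameters['oauth_body_hash'])) {
            $oauthbodyhash = $headerparameters['oauth_body_hash'];
        }
    }
    if ($oauthbodyhash === null) {
        throw new OAuthException("OAuth request body signing requires oauth_body_hash body");
    }

    // Verify the message signature.
    $store = new TrivialOAuthDataStore();
    $store->add_consumer($oauthconsumerkey, $oauthconsumersecret);
    $server = new OAuthServer($store);
    $method = new OAuthSignatureMethod_HMAC_SHA1();
    $server->add_signature_method($method);
    $request = OAuthRequest::from_request();
    try {
        $server->verify_request($request);
    } catch (\Exception $e) {
        throw new OAuthException("OAuth signature failed: " . $e->getMessage());
    }

    // The verified signature covers oauth_body_hash, so a matching hash ties
    // the body to the signed request.  hash_equals() keeps the comparison
    // constant-time.
    $postdata = $body;
    $hash = base64_encode(sha1((string) $postdata, true));
    if (!hash_equals($hash, (string) $oauthbodyhash)) {
        throw new OAuthException("OAuth oauth_body_hash mismatch");
    }
    return $postdata;
}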
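/**
 * Validate an LTI launch, or restore an earlier launch from the session, and
 * record the outcome on $this.
 *
 * @param string|array|false $parm  the consumer secret as a string, or an
 *        array describing where to look it up: 'table', plus optional
 *        'key_column' (default 'oauth_consumer_key'), 'secret_column'
 *        (default 'secret') and 'context_column' (default 'context_id')
 * @param bool $usesession  when no launch is present, fall back to the
 *        session; after a valid launch, persist the launch into the session
 * @param bool $doredirect  call $this->redirect() after a valid launch
 *
 * Sets $this->valid, $this->message, $this->info, $this->row,
 * $this->context_id, $this->basestring and $this->complete; never throws.
 */
function __construct($parm = false, $usesession = true, $doredirect = true) {
    // If this request is not an LTI Launch, either
    // give up or try to retrieve the context from session
    if (!is_lti_request()) {
        $this->message = 'Request is missing LTI information';
        if ($usesession === false) {
            return;
        }
        if (strlen(session_id()) > 0) {
            if (isset($_SESSION['_lti_row'])) {
                $this->row = $_SESSION['_lti_row'];
            }
            if (isset($_SESSION['_lti_context_id'])) {
                $this->context_id = $_SESSION['_lti_context_id'];
            }
            if (isset($_SESSION['_lti_context'])) {
                $this->info = $_SESSION['_lti_context'];
                $this->valid = true;
                return;
            }
            $this->message = "Could not find context in session";
            return;
        }
        $this->message = "Session not available";
        return;
    }

    // Insure we have a valid launch
    if (empty($_REQUEST["oauth_consumer_key"])) {
        $this->message = "Missing oauth_consumer_key in request";
        return;
    }
    $oauth_consumer_key = $_REQUEST["oauth_consumer_key"];

    // Find the secret - either from the parameter as a string or
    // look it up in a database from parameters we are given
    $secret = false;
    if (is_string($parm)) {
        $secret = $parm;
    } elseif (!is_array($parm)) {
        $this->message = "Constructor requires a secret or database information.";
        return;
    } else {
        // Table and column names come from the caller's configuration; the
        // consumer key is the only request-controlled value and is escaped.
        $key_column = !empty($parm['key_column']) ? $parm['key_column'] : 'oauth_consumer_key';
        $sql = 'SELECT * FROM ' . $parm['table'] . ' WHERE ' . $key_column
            . "='" . mysql_real_escape_string($oauth_consumer_key) . "'";
        $result = mysql_query($sql);
        $num_rows = $result ? mysql_num_rows($result) : 0;
        if ($num_rows != 1) {
            $this->message = "Your consumer is not authorized oauth_consumer_key=" . $oauth_consumer_key;
            return;
        }
        // The column names were previously read from an undefined $parms
        // (typo), so the caller's overrides were silently ignored.
        $secret_column = !empty($parm['secret_column']) ? $parm['secret_column'] : 'secret';
        $context_column = !empty($parm['context_column']) ? $parm['context_column'] : 'context_id';
        $row = mysql_fetch_assoc($result);
        if ($row) {
            $secret = $row[$secret_column];
            if (!empty($row[$context_column])) {
                $this->context_id = $row[$context_column];
            }
            $this->row = $row;
        }
        if (!is_string($secret)) {
            $this->message = "Could not retrieve secret oauth_consumer_key=" . $oauth_consumer_key;
            return;
        }
    }

    // Verify the message signature; both HMAC-SHA1 and HMAC-SHA256 are accepted.
    $store = new TrivialOAuthDataStore();
    $store->add_consumer($oauth_consumer_key, $secret);
    $server = new OAuthServer($store);
    $request = OAuthRequest::from_request();
    $server->add_signature_method(new OAuthSignatureMethod_HMAC_SHA1());
    $server->add_signature_method(new OAuthSignatureMethod_HMAC_SHA256());
    $this->basestring = $request->get_signature_base_string();
    try {
        $server->verify_request($request);
        $this->valid = true;
    } catch (Exception $e) {
        $this->message = $e->getMessage();
        return;
    }

    // Store the launch information in the session for later.  OAuth protocol
    // parameters are dropped except oauth_consumer_key; basiclti_submit is the
    // form's submit button.
    $magic_quotes = function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
    $newinfo = array();
    foreach ($_POST as $key => $value) {
        if ($magic_quotes) {
            $value = stripslashes($value);
        }
        if ($key == "basiclti_submit") {
            continue;
        }
        if (strpos($key, "oauth_") === false || $key == "oauth_consumer_key") {
            $newinfo[$key] = $value;
        }
    }
    $this->info = $newinfo;

    if ($usesession && strlen(session_id()) > 0) {
        $_SESSION['_lti_context'] = $this->info;
        unset($_SESSION['_lti_row']);
        unset($_SESSION['_lti_context_id']);
        if ($this->row) {
            $_SESSION['_lti_row'] = $this->row;
        }
        if ($this->context_id) {
            $_SESSION['_lti_context_id'] = $this->context_id;
        }
    }

    if ($this->valid && $doredirect) {
        $this->redirect();
        $this->complete = true;
    }
}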
} if ( $hashsig != $signature ) { doError("Invalid sourcedid"); } // Check the OAuth Signature $oauth_consumer_key = $basiclti_tool_row['resourcekey']; $oauth_secret = $basiclti_tool_row['password']; if ( ! isset($oauth_secret) ) doError("Not permitted"); if ( ! isset($oauth_consumer_key) ) doError("Not permitted"); // Verify the message signature $store = new TrivialOAuthDataStore(); $store->add_consumer($oauth_consumer_key, $oauth_secret); $server = new OAuthServer($store); $method = new OAuthSignatureMethod_HMAC_SHA1(); $server->add_signature_method($method); $request = OAuthRequest::from_request(); $basestring = $request->get_signature_base_string(); try { $server->verify_request($request); } catch (Exception $e) { doError($e->getMessage()); }
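/**
 * Validate a Basic LTI launch, or restore an earlier launch from the session,
 * looking the consumer secret up through the global mysqli connection $link
 * when $parm is an array.
 *
 * @param string|array|false $parm  the secret itself, or an array with
 *        'table' plus optional 'key_column' (default 'oauth_consumer_key'),
 *        'secret_column' (default 'secret') and 'context_column'
 *        (default 'context_id')
 * @param bool $usesession  fall back to / persist into $_SESSION
 * @param bool $doredirect  call $this->redirect() after a valid launch
 *
 * Outcome is reported through $this->valid and $this->message; never throws.
 */
function __construct($parm = false, $usesession = true, $doredirect = true) {
    global $link;
    $this->message = "blti loaded";

    // If this request is not an LTI Launch, either
    // give up or try to retrieve the context from session
    if (!is_basic_lti_request()) {
        if ($usesession === false) {
            return;
        }
        if (strlen(session_id()) > 0) {
            if (isset($_SESSION['_basiclti_lti_row'])) {
                $this->row = $_SESSION['_basiclti_lti_row'];
            }
            if (isset($_SESSION['_basiclti_lti_context_id'])) {
                $this->context_id = $_SESSION['_basiclti_lti_context_id'];
            }
            if (isset($_SESSION['_basic_lti_context'])) {
                $this->info = $_SESSION['_basic_lti_context'];
                $this->valid = true;
                return;
            }
            $this->message = "Could not find context in session";
            return;
        }
        $this->message = "Session not available";
        return;
    }

    // Insure we have a valid launch
    if (empty($_REQUEST["oauth_consumer_key"])) {
        $this->message = "Missing oauth_consumer_key in request";
        return;
    }
    $oauth_consumer_key = $_REQUEST["oauth_consumer_key"];

    // Find the secret - either from the parameter as a string or
    // look it up in a database from parameters we are given
    $secret = false;
    if (is_string($parm)) {
        $secret = $parm;
    } elseif (!is_array($parm)) {
        $this->message = "Constructor requires a secret or database information.";
        return;
    } else {
        // Table and column names come from the caller's configuration; the
        // consumer key is the only request-controlled value and is escaped.
        $key_column = !empty($parm['key_column']) ? $parm['key_column'] : 'oauth_consumer_key';
        $sql = 'SELECT * FROM ' . $parm['table'] . ' WHERE ' . $key_column
            . "='" . mysqli_real_escape_string($link, $oauth_consumer_key) . "'";
        $result = mysqli_query($link, $sql);
        $num_rows = $result ? mysqli_num_rows($result) : 0;
        if ($num_rows != 1) {
            // The SQL text is no longer appended to this message: it is an
            // internal detail that the launching party has no need to see.
            $this->message = "Your consumer is not authorized oauth_consumer_key=" . $oauth_consumer_key;
            return;
        }
        $secret_column = !empty($parm['secret_column']) ? $parm['secret_column'] : 'secret';
        $context_column = !empty($parm['context_column']) ? $parm['context_column'] : 'context_id';
        $row = mysqli_fetch_assoc($result);
        if ($row) {
            $secret = $row[$secret_column];
            if (!empty($row[$context_column])) {
                $this->context_id = $row[$context_column];
            }
            $this->row = $row;
        }
        if (!is_string($secret)) {
            $this->message = "Could not retrieve secret oauth_consumer_key=" . $oauth_consumer_key;
            return;
        }
    }

    // Verify the message signature
    $store = new TrivialOAuthDataStore();
    $store->add_consumer($oauth_consumer_key, $secret);
    $server = new OAuthServer($store);
    $server->add_signature_method(new OAuthSignatureMethod_HMAC_SHA1());
    $request = OAuthRequest::from_request();
    $this->basestring = $request->get_signature_base_string();
    try {
        $server->verify_request($request);
        $this->valid = true;
    } catch (Exception $e) {
        $this->message = $e->getMessage();
        return;
    }

    // Store the launch information in the session for later.  OAuth protocol
    // parameters are dropped except oauth_consumer_key; basiclti_submit is the
    // form's submit button.
    $newinfo = array();
    foreach ($_POST as $key => $value) {
        if ($key == "basiclti_submit") {
            continue;
        }
        if (strpos($key, "oauth_") === false || $key == "oauth_consumer_key") {
            $newinfo[$key] = $value;
        }
    }
    $this->info = $newinfo;

    if ($usesession && strlen(session_id()) > 0) {
        $_SESSION['_basic_lti_context'] = $this->info;
        unset($_SESSION['_basiclti_lti_row']);
        unset($_SESSION['_basiclti_lti_context_id']);
        if ($this->row) {
            $_SESSION['_basiclti_lti_row'] = $this->row;
        }
        if ($this->context_id) {
            $_SESSION['_basiclti_lti_context_id'] = $this->context_id;
        }
    }

    if ($this->valid && $doredirect) {
        $this->redirect();
        $this->complete = true;
    }
}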
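/**
 * Initialise the LTI class: validate the launch request (or restore an earlier
 * launch from the session) and record the outcome on $this.
 *
 * $this->parm is either the shared secret as a string or an array with
 * 'dbtype' ('mysql' or 'mysqli') and the lookup settings used below; the
 * 'mysqli' path also expects a connected mysqli object in $this->db.
 *
 * @param bool $usesession  fall back to / persist into $_SESSION
 * @param bool $doredirect  call $this->redirect() after a valid launch
 * @return void  outcome is reported via $this->valid and $this->message
 */
public function init_lti($usesession = true, $doredirect = false) {
    // Give the launch fields a default so the launch check below can read
    // them on a non-LTI request (presumably is_lti_request() looks at them;
    // confirm against that helper).
    if (!isset($_REQUEST["lti_message_type"])) {
        $_REQUEST["lti_message_type"] = '';
    }
    if (!isset($_REQUEST["lti_version"])) {
        $_REQUEST["lti_version"] = '';
    }
    if (!isset($_REQUEST["resource_link_id"])) {
        $_REQUEST["resource_link_id"] = '';
    }

    // If this request is not an LTI Launch, either
    // give up or try to retrieve the context from session
    if (!is_lti_request()) {
        if ($usesession === false) {
            return;
        }
        if (strlen(session_id()) > 0) {
            if (isset($_SESSION['_lti_row'])) {
                $this->row = $_SESSION['_lti_row'];
            }
            if (isset($_SESSION['_lti_context_id'])) {
                $this->context_id = $_SESSION['_lti_context_id'];
            }
            if (isset($_SESSION['_lti_context'])) {
                $this->info = $_SESSION['_lti_context'];
                $this->valid = true;
                return;
            }
            $this->message = "Could not find context in session";
            return;
        }
        $this->message = "Session not available";
        return;
    }

    // Insure we have a valid launch
    if (empty($_REQUEST["oauth_consumer_key"])) {
        $this->message = "Missing oauth_consumer_key in request";
        return;
    }
    $oauth_consumer_key = $_REQUEST["oauth_consumer_key"];

    // Find the secret - either from the parameter as a string or
    // look it up in a database from parameters we are given
    $secret = false;
    if (is_string($this->parm)) {
        $secret = $this->parm;
    } elseif (!is_array($this->parm)) {
        $this->message = "Constructor requires a secret or database information.";
        return;
    } else {
        $dbtype = isset($this->parm['dbtype']) ? $this->parm['dbtype'] : null;
        if ($dbtype == 'mysql') {
            // Table and column names come from configuration; the consumer
            // key is the only request-controlled value and is escaped.
            $table = !empty($this->parm['table']) ? $this->parm['table'] : 'lti_keys';
            $key_column = !empty($this->parm['key_column']) ? $this->parm['key_column'] : 'oauth_consumer_key';
            $sql = 'SELECT * FROM ' . $table . ' WHERE ' . $key_column
                . "='" . mysql_real_escape_string($oauth_consumer_key) . "'";
            $result = mysql_query($sql);
            $num_rows = $result ? mysql_num_rows($result) : 0;
            if ($num_rows != 1) {
                $this->message = "Your consumer is not authorized oauth_consumer_key=" . $oauth_consumer_key;
                return;
            }
            // Column overrides were previously read from an undefined
            // $this->parms (typo) and therefore always fell back to defaults.
            $secret_column = !empty($this->parm['secret_column']) ? $this->parm['secret_column'] : 'secret';
            $context_column = !empty($this->parm['context_column']) ? $this->parm['context_column'] : 'context_id';
            $row = mysql_fetch_assoc($result);
            if ($row) {
                $secret = $row[$secret_column];
                if (!empty($row[$context_column])) {
                    $this->context_id = $row[$context_column];
                }
                $this->row = $row;
            }
        } elseif ($dbtype == 'mysqli') {
            $db = $this->db;
            $prefix = isset($this->parm['table_prefix']) ? $this->parm['table_prefix'] : '';
            $stmt = $db->prepare("SELECT secret,context_id,name FROM " . $prefix
                . "lti_keys WHERE oauth_consumer_key=? AND `deleted` IS NULL");
            if ($stmt === false || $db->error) {
                // Report the failure the same way as every other path instead
                // of echoing driver error text into the response.
                $this->message = "Database error looking up oauth_consumer_key=" . $oauth_consumer_key;
                return;
            }
            $stmt->bind_param('s', $oauth_consumer_key);
            $stmt->execute();
            $stmt->store_result();
            $stmt->bind_result($rsecret, $rcontext_id, $rname);
            $stmt->fetch();
            $stmt->close();
            $secret = $rsecret;
            if (isset($rcontext_id)) {
                $this->context_id = $rcontext_id;
            }
        }
        // Also catches an unknown dbtype, which previously went on to verify
        // against a secret of false.
        if (!is_string($secret)) {
            $this->message = "Could not retrieve secret oauth_consumer_key=" . $oauth_consumer_key;
            return;
        }
    }

    // Verify the message signature
    $store = new TrivialOAuthDataStore();
    $store->add_consumer($oauth_consumer_key, $secret);
    $server = new OAuthServer($store);
    $server->add_signature_method(new OAuthSignatureMethod_HMAC_SHA1());
    $request = OAuthRequest::from_request();
    $this->basestring = $request->get_signature_base_string();
    try {
        $server->verify_request($request);
        $this->valid = true;
    } catch (Exception $e) {
        $this->message = $e->getMessage();
        return;
    }

    // Store the launch information in the session for later.  OAuth protocol
    // parameters are dropped except oauth_consumer_key; basiclti_submit is the
    // form's submit button.
    $newinfo = array();
    foreach ($_POST as $key => $value) {
        if ($key == "basiclti_submit") {
            continue;
        }
        if (strpos($key, "oauth_") === false || $key == "oauth_consumer_key") {
            $newinfo[$key] = $value;
        }
    }
    // The secret travels with the launch info (and so into the session);
    // presumably later code needs it to sign outgoing requests - confirm
    // before changing.
    $newinfo['oauth_consumer_secret'] = $secret;
    $this->info = $newinfo;

    if ($usesession && strlen(session_id()) > 0) {
        $_SESSION['_lti_context'] = $this->info;
        unset($_SESSION['_lti_row']);
        unset($_SESSION['_lti_context_id']);
        if ($this->row) {
            $_SESSION['_lti_row'] = $this->row;
        }
        if ($this->context_id) {
            $_SESSION['_lti_context_id'] = $this->context_id;
        }
    }

    if ($this->valid && $doredirect) {
        $this->redirect();
        $this->complete = true;
    }
}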
$oauth_consumer_key = $_SESSION['cert_consumer_key']; if (!isset($oauth_consumer_key)) { doerror("No oauth_consumer_key found"); return; } // Check the signature require_once 'OAuth.php'; require_once 'TrivialOAuthDataStore.php'; // Set up our two consumer/secret pairs $store = new TrivialOAuthDataStore(); if (!isset($_SESSION['cert_consumer_key'])) { echo "<p>Please set an LMS-wide consumer</p>\n"; return; } else { if ($oauth_consumer_key == $_SESSION['cert_consumer_key']) { $store->add_consumer($oauth_consumer_key, $_SESSION['cert_secret']); } else { echo "<p>Unexpected oauth_consumer_key={$oauth_consumer_key} - should be " . $_SESSION['cert_consumer_key'] . "</p>\n"; return; } } $server = new OAuthServer($store); $method = new OAuthSignatureMethod_HMAC_SHA1(); $server->add_signature_method($method); $request = OAuthRequest::from_request(); $base = $request->get_signature_base_string(); print "<!--\nOAuth Base String:\n" . $base . "\n-->\n"; try { $server->verify_request($request); } catch (Exception $e) { doerror('Caught OAuth exception: ' . $e->getMessage());
/**
 * Check the request signature.
 *
 * The consumer registered for verification is taken from
 * $this->fields['KEY'] / $this->fields['SECRET']; $a_key and $a_secret are
 * accepted for call compatibility but not used here.
 *
 * @return mixed the caught Exception on failure, true on success
 */
private function checkSignature($a_key, $a_secret) {
    require_once $this->plugin_path . '/lib/OAuth.php';
    require_once $this->plugin_path . '/lib/TrivialOAuthDataStore.php';

    $dataStore = new TrivialOAuthDataStore();
    $dataStore->add_consumer($this->fields['KEY'], $this->fields['SECRET']);

    $oauthServer = new OAuthServer($dataStore);
    $oauthServer->add_signature_method(new OAuthSignatureMethod_HMAC_SHA1());

    // Built outside the try block so a failure here is not reported as a
    // signature failure.
    $incoming = OAuthRequest::from_request();
    try {
        $oauthServer->verify_request($incoming);
    } catch (Exception $failure) {
        return $failure;
    }
    return true;
}
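/**
 * Validate a Basic LTI launch for a single configured consumer, or restore an
 * earlier launch from the session, and record the outcome on $this.
 *
 * @param string|false $consumer       the oauth_consumer_key this tool accepts
 * @param string|false $shared_secret  the secret paired with $consumer
 * @param bool $usesession  fall back to / persist into $_SESSION
 * @param bool $doredirect  call $this->redirect() after a valid launch
 *
 * Outcome is reported through $this->valid and $this->message; never throws.
 */
function __construct($consumer = false, $shared_secret = false, $usesession = true, $doredirect = true) {
    // The only key/secret pair this instance trusts.
    $myKeys = array();
    $myKeys[$consumer] = $shared_secret;

    // If this request is not an LTI Launch, either
    // give up or try to retrieve the context from session
    if (!is_basic_lti_request()) {
        if ($usesession === false) {
            return;
        }
        if (strlen(session_id()) > 0) {
            if (isset($_SESSION['_basiclti_lti_row'])) {
                $this->row = $_SESSION['_basiclti_lti_row'];
            }
            if (isset($_SESSION['_basiclti_lti_context_id'])) {
                $this->context_id = $_SESSION['_basiclti_lti_context_id'];
            }
            if (isset($_SESSION['_basic_lti_context'])) {
                $this->info = $_SESSION['_basic_lti_context'];
                $this->valid = true;
                return;
            }
            $this->message = "Could not find context in session";
            return;
        }
        $this->message = "Session not available";
        return;
    }

    // Insure we have a valid launch
    if (empty($_REQUEST["oauth_consumer_key"])) {
        $this->message = "Missing oauth_consumer_key in request";
        return;
    }
    $oauth_consumer_key = $_REQUEST["oauth_consumer_key"];

    // Find the secret: the launch's oauth_consumer_key must be the one we
    // were configured with.  Any other key, or a missing/non-string secret,
    // is rejected here; previously an unknown key produced a null secret and
    // verification still ran against it.
    if (!array_key_exists($oauth_consumer_key, $myKeys)) {
        $this->message = "Your consumer is not authorized oauth_consumer_key=" . $oauth_consumer_key;
        return;
    }
    $secret = $myKeys[$oauth_consumer_key];
    if (!is_string($secret)) {
        $this->message = "Could not retrieve secret oauth_consumer_key=" . $oauth_consumer_key;
        return;
    }

    // Verify the message signature
    $store = new TrivialOAuthDataStore();
    $store->add_consumer($oauth_consumer_key, $secret);
    $server = new OAuthServer($store);
    $server->add_signature_method(new OAuthSignatureMethod_HMAC_SHA1());
    $request = OAuthRequest::from_request();
    $this->basestring = $request->get_signature_base_string();
    try {
        $server->verify_request($request);
        $this->valid = true;
    } catch (Exception $e) {
        $this->message = $e->getMessage();
        return;
    }

    // Store the launch information in the session for later.  OAuth protocol
    // parameters are dropped except oauth_consumer_key; basiclti_submit is the
    // form's submit button.
    $newinfo = array();
    foreach ($_POST as $key => $value) {
        if ($key == "basiclti_submit") {
            continue;
        }
        if (strpos($key, "oauth_") === false || $key == "oauth_consumer_key") {
            $newinfo[$key] = $value;
        }
    }
    $this->info = $newinfo;

    if ($usesession && strlen(session_id()) > 0) {
        $_SESSION['_basic_lti_context'] = $this->info;
        unset($_SESSION['_basiclti_lti_row']);
        unset($_SESSION['_basiclti_lti_context_id']);
        if ($this->row) {
            $_SESSION['_basiclti_lti_row'] = $this->row;
        }
        if ($this->context_id) {
            $_SESSION['_basiclti_lti_context_id'] = $this->context_id;
        }
    }

    if ($this->valid && $doredirect) {
        $this->redirect();
        $this->complete = true;
    }
}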