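/**
 * Verify an OAuth 1.0a body-signed POST (the LTI "oauth_body_hash" extension)
 * and return the raw request body once both the OAuth signature and the body
 * hash have been checked.
 *
 * @param string $oauth_consumer_key    Consumer key the request is expected to use.
 * @param string $oauth_consumer_secret Shared secret for that consumer.
 * @return string|false The raw POST body read from php://input.
 * @throws Exception When the Content-Type is form-urlencoded, when no
 *                   oauth_body_hash is present in the Authorization header,
 *                   when the OAuth signature does not verify, or when the body
 *                   hash does not match the body.
 *
 * Side effect: the global $LastOAuthBodyBaseString is set to the computed
 * signature base string so callers can debug signature failures.
 */
function handleOAuthBodyPOST($oauth_consumer_key, $oauth_consumer_secret)
{
    $request_headers = OAuthUtil::get_headers();

    // Must reject application/x-www-form-urlencoded. Match the media type as a
    // case-insensitive prefix: the original exact comparison let
    // "application/x-www-form-urlencoded; charset=UTF-8" through.
    // NOTE(review): the 'Content-type' key casing is whatever
    // OAuthUtil::get_headers() produces - confirm against that helper.
    $content_type = isset($request_headers['Content-type']) ? $request_headers['Content-type'] : '';
    if (stripos(trim($content_type), 'application/x-www-form-urlencoded') === 0) {
        throw new Exception("OAuth request body signing must not use application/x-www-form-urlencoded");
    }

    // The body hash travels as an OAuth parameter in the Authorization header.
    $oauth_body_hash = null;
    $authorization = isset($request_headers['Authorization']) ? $request_headers['Authorization'] : '';
    if (substr($authorization, 0, 6) == "OAuth ") {
        $header_parameters = OAuthUtil::split_header($authorization);
        if (isset($header_parameters['oauth_body_hash'])) {
            $oauth_body_hash = $header_parameters['oauth_body_hash'];
        }
    }

    if ($oauth_body_hash === null) {
        throw new Exception("OAuth request body signing requires oauth_body_hash body");
    }

    // Verify the message signature (HMAC-SHA1 is the only method accepted here).
    $store = new TrivialOAuthDataStore();
    $store->add_consumer($oauth_consumer_key, $oauth_consumer_secret);

    $server = new OAuthServer($store);
    $server->add_signature_method(new OAuthSignatureMethod_HMAC_SHA1());
    $request = OAuthRequest::from_request();

    global $LastOAuthBodyBaseString;
    $LastOAuthBodyBaseString = $request->get_signature_base_string();

    try {
        $server->verify_request($request);
    } catch (Exception $e) {
        throw new Exception("OAuth signature failed: " . $e->getMessage());
    }

    // The signature is presumed to cover the Authorization parameters (and so the
    // body hash); the remaining step is to tie that hash to the actual body.
    $postdata = file_get_contents('php://input');

    $hash = base64_encode(sha1($postdata, TRUE));

    // Strict comparison: "!=" is a loose compare and lets PHP juggle types when a
    // value looks numeric. The body is not secret, so constant time is not needed.
    if ($hash !== (string) $oauth_body_hash) {
        throw new Exception("OAuth oauth_body_hash mismatch");
    }

    return $postdata;
}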
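/**
 * Verify an OAuth 1.0a body-signed POST and return the body once the OAuth
 * signature and the oauth_body_hash have both been checked.
 *
 * @param string     $oauthconsumerkey    Consumer key the request is expected to use.
 * @param string     $oauthconsumersecret Shared secret for that consumer.
 * @param string     $body                The raw request body to hash.
 * @param array|null $requestheaders      Request headers; when null (or otherwise
 *                                        loosely equal to null) they are read via
 *                                        OAuthUtil::get_headers().
 * @return string The body that was passed in.
 * @throws OAuthException On a form-urlencoded Content-Type, a missing
 *                        oauth_body_hash, a bad signature, or a hash mismatch.
 */
function handle_oauth_body_post($oauthconsumerkey, $oauthconsumersecret, $body, $requestheaders = null)
{
    // Loose comparison kept on purpose: an empty array also falls back to the real headers.
    if ($requestheaders == null) {
        $requestheaders = OAuthUtil::get_headers();
    }
    // Must reject application/x-www-form-urlencoded. Case-insensitive prefix match so
    // that "application/x-www-form-urlencoded; charset=UTF-8" cannot slip past the
    // check, which the original exact comparison allowed.
    if (isset($requestheaders['Content-type'])
        && stripos(trim($requestheaders['Content-type']), 'application/x-www-form-urlencoded') === 0) {
        throw new OAuthException("OAuth request body signing must not use application/x-www-form-urlencoded");
    }
    $oauthbodyhash = null;
    if (isset($requestheaders['Authorization'])
        && substr($requestheaders['Authorization'], 0, 6) == "OAuth ") {
        $headerparameters = OAuthUtil::split_header($requestheaders['Authorization']);
        if (isset($headerparameters['oauth_body_hash'])) {
            $oauthbodyhash = $headerparameters['oauth_body_hash'];
        }
    }
    if ($oauthbodyhash === null) {
        throw new OAuthException("OAuth request body signing requires oauth_body_hash body");
    }
    // Verify the message signature (HMAC-SHA1 only).
    $store = new TrivialOAuthDataStore();
    $store->add_consumer($oauthconsumerkey, $oauthconsumersecret);
    $server = new OAuthServer($store);
    $server->add_signature_method(new OAuthSignatureMethod_HMAC_SHA1());
    $request = OAuthRequest::from_request();
    try {
        $server->verify_request($request);
    } catch (\Exception $e) {
        throw new OAuthException("OAuth signature failed: " . $e->getMessage());
    }
    // Tie the (signed) body hash to the body we were handed. Strict comparison:
    // "!=" would let PHP compare numerically if both sides looked numeric.
    $hash = base64_encode(sha1($body, true));
    if ($hash !== (string) $oauthbodyhash) {
        throw new OAuthException("OAuth oauth_body_hash mismatch");
    }
    return $body;
}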
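 /**
  * Validate an LTI launch, or restore a previously validated launch from the
  * session when the current request is not a launch.
  *
  * @param string|array|false $parm Either the shared secret as a string, or an
  *        array describing the key table: 'table' (required), and optional
  *        'key_column' (default 'oauth_consumer_key'), 'secret_column'
  *        (default 'secret') and 'context_column' (default 'context_id').
  * @param bool $usesession Store/restore launch data in $_SESSION.
  * @param bool $doredirect Call $this->redirect() once the launch verified.
  *
  * $this->valid is set to true only on success; $this->message records why
  * validation stopped otherwise.
  */
 function __construct($parm = false, $usesession = true, $doredirect = true)
 {
     // If this request is not an LTI Launch, either
     // give up or try to retrieve the context from session
     if (!is_lti_request()) {
         $this->message = 'Request is missing LTI information';
         if ($usesession === false) {
             return;
         }
         if (strlen(session_id()) > 0) {
             // isset() guards: reading an absent session key would raise a notice.
             if (isset($_SESSION['_lti_row'])) {
                 $this->row = $_SESSION['_lti_row'];
             }
             if (isset($_SESSION['_lti_context_id'])) {
                 $this->context_id = $_SESSION['_lti_context_id'];
             }
             if (isset($_SESSION['_lti_context'])) {
                 $this->info = $_SESSION['_lti_context'];
                 $this->valid = true;
                 return;
             }
             $this->message = "Could not find context in session";
             return;
         }
         $this->message = "Session not available";
         return;
     }
     // Insure we have a valid launch
     if (empty($_REQUEST["oauth_consumer_key"])) {
         $this->message = "Missing oauth_consumer_key in request";
         return;
     }
     $oauth_consumer_key = $_REQUEST["oauth_consumer_key"];
     // Find the secret - either from the parameter as a string or
     // look it up in a database from parameters we are given
     $secret = false;
     if (is_string($parm)) {
         $secret = $parm;
     } elseif (!is_array($parm)) {
         $this->message = "Constructor requires a secret or database information.";
         return;
     } else {
         $key_column = !empty($parm['key_column']) ? $parm['key_column'] : 'oauth_consumer_key';
         // Bug fix: the original read $parms[...] (typo), so configured
         // secret/context column names were silently ignored.
         $secret_column = !empty($parm['secret_column']) ? $parm['secret_column'] : 'secret';
         $context_column = !empty($parm['context_column']) ? $parm['context_column'] : 'context_id';
         // Table/column identifiers come from deployment config and are interpolated
         // unescaped: they must never be derived from request data. The consumer key is
         // the only request-controlled value and is escaped.
         // NOTE(review): the mysql_* extension was removed in PHP 7; a prepared
         // statement (mysqli/PDO) is the proper replacement, but switching would change
         // what $parm has to carry, so the escaping approach is kept here.
         $sql = 'SELECT * FROM ' . $parm['table'] . ' WHERE ' . $key_column . "='"
             . mysql_real_escape_string($oauth_consumer_key) . "'";
         $result = mysql_query($sql);
         if ($result === false || mysql_num_rows($result) != 1) {
             // The request-supplied key is echoed back: callers that display
             // $this->message must HTML-escape it.
             $this->message = "Your consumer is not authorized oauth_consumer_key=" . $oauth_consumer_key;
             return;
         }
         $row = mysql_fetch_assoc($result);
         if ($row) {
             $secret = isset($row[$secret_column]) ? $row[$secret_column] : false;
             if (!empty($row[$context_column])) {
                 $this->context_id = $row[$context_column];
             }
             $this->row = $row;
         }
         if (!is_string($secret)) {
             $this->message = "Could not retrieve secret oauth_consumer_key=" . $oauth_consumer_key;
             return;
         }
     }
     // Verify the message signature (HMAC-SHA1 and HMAC-SHA256 accepted).
     $store = new TrivialOAuthDataStore();
     $store->add_consumer($oauth_consumer_key, $secret);
     $server = new OAuthServer($store);
     $request = OAuthRequest::from_request();
     $server->add_signature_method(new OAuthSignatureMethod_HMAC_SHA1());
     $server->add_signature_method(new OAuthSignatureMethod_HMAC_SHA256());
     $this->basestring = $request->get_signature_base_string();
     try {
         $server->verify_request($request);
         $this->valid = true;
     } catch (Exception $e) {
         $this->message = $e->getMessage();
         return;
     }
     // Store the launch information in the session for later
     $newinfo = array();
     // get_magic_quotes_gpc() no longer exists in PHP 8; only call it when present.
     $magic_quotes = function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
     foreach ($_POST as $key => $value) {
         if ($magic_quotes) {
             $value = stripslashes($value);
         }
         if ($key == "basiclti_submit") {
             continue;
         }
         // Keep every parameter whose name does not contain "oauth_", plus the
         // consumer key itself (other oauth_* parameters are dropped).
         if (strpos($key, "oauth_") === false || $key == "oauth_consumer_key") {
             $newinfo[$key] = $value;
         }
     }
     $this->info = $newinfo;
     if ($usesession == true and strlen(session_id()) > 0) {
         $_SESSION['_lti_context'] = $this->info;
         unset($_SESSION['_lti_row']);
         unset($_SESSION['_lti_context_id']);
         if ($this->row) {
             $_SESSION['_lti_row'] = $this->row;
         }
         if ($this->context_id) {
             $_SESSION['_lti_context_id'] = $this->context_id;
         }
     }
     if ($this->valid && $doredirect) {
         $this->redirect();
         $this->complete = true;
     }
 }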
        $hashsig = hash('sha256', $plaintext, false);
    }
        
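    // Constant-time, strict comparison of the computed digest against the supplied
    // signature. The original "!=" was a loose comparison: when both strings look
    // numeric (a hex digest beginning "0e" followed only by digits does) PHP compares
    // them as numbers, so a forged "0" could match. hash_equals() needs PHP >= 5.6.
    // doError() is assumed to terminate the request, as the original relies on too.
    if (!hash_equals((string) $hashsig, (string) $signature)) {
        doError("Invalid sourcedid");
    }

    // Check the OAuth Signature. Key and secret come from the tool row looked up
    // before this excerpt; refuse to continue when either is missing or empty rather
    // than verifying against an empty secret (which any sender could sign with).
    $oauth_consumer_key = isset($basiclti_tool_row['resourcekey']) ? $basiclti_tool_row['resourcekey'] : null;
    $oauth_secret = isset($basiclti_tool_row['password']) ? $basiclti_tool_row['password'] : null;

    if ( ! isset($oauth_secret) || $oauth_secret === '' ) doError("Not permitted");
    if ( ! isset($oauth_consumer_key) || $oauth_consumer_key === '' ) doError("Not permitted");

    // Verify the message signature
    $store = new TrivialOAuthDataStore();
    $store->add_consumer($oauth_consumer_key, $oauth_secret);

    $server = new OAuthServer($store);

    $method = new OAuthSignatureMethod_HMAC_SHA1();
    $server->add_signature_method($method);
    $request = OAuthRequest::from_request();

    // Kept for diagnostics; it echoes request parameters, so escape it before display.
    $basestring = $request->get_signature_base_string();

    try {
        $server->verify_request($request);
    } catch (Exception $e) {
        doError($e->getMessage());
    }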
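 /**
  * Validate a Basic LTI launch (or restore a previous one from the session) and
  * resolve the consumer secret either from $parm directly or from the database
  * reachable through the global mysqli connection $link.
  *
  * @param string|array|false $parm Shared secret as a string, or an array with
  *        'table' and optional 'key_column' (default 'oauth_consumer_key'),
  *        'secret_column' (default 'secret'), 'context_column' (default 'context_id').
  * @param bool $usesession Store/restore launch data in $_SESSION.
  * @param bool $doredirect Call $this->redirect() once the launch verified.
  *
  * $this->valid is set to true only on success; $this->message records the outcome.
  */
 function __construct($parm = false, $usesession = true, $doredirect = true)
 {
     global $link;
     $this->message = "blti loaded";
     // If this request is not an LTI Launch, either
     // give up or try to retrieve the context from session
     if (!is_basic_lti_request()) {
         if ($usesession === false) {
             return;
         }
         if (strlen(session_id()) > 0) {
             // isset() guards: reading an absent session key would raise a notice.
             if (isset($_SESSION['_basiclti_lti_row'])) {
                 $this->row = $_SESSION['_basiclti_lti_row'];
             }
             if (isset($_SESSION['_basiclti_lti_context_id'])) {
                 $this->context_id = $_SESSION['_basiclti_lti_context_id'];
             }
             if (isset($_SESSION['_basic_lti_context'])) {
                 $this->info = $_SESSION['_basic_lti_context'];
                 $this->valid = true;
                 return;
             }
             $this->message = "Could not find context in session";
             return;
         }
         $this->message = "Session not available";
         return;
     }
     // Insure we have a valid launch
     if (empty($_REQUEST["oauth_consumer_key"])) {
         $this->message = "Missing oauth_consumer_key in request";
         return;
     }
     $oauth_consumer_key = $_REQUEST["oauth_consumer_key"];
     // Find the secret - either from the parameter as a string or
     // look it up in a database from parameters we are given
     $secret = false;
     if (is_string($parm)) {
         $secret = $parm;
     } elseif (!is_array($parm)) {
         $this->message = "Constructor requires a secret or database information.";
         return;
     } else {
         $key_column = !empty($parm['key_column']) ? $parm['key_column'] : 'oauth_consumer_key';
         $secret_column = !empty($parm['secret_column']) ? $parm['secret_column'] : 'secret';
         $context_column = !empty($parm['context_column']) ? $parm['context_column'] : 'context_id';
         // Table/column identifiers come from deployment config and are interpolated
         // unescaped: they must never be derived from request data. The consumer key is
         // the only request-controlled value and is escaped for the connection's charset.
         $sql = 'SELECT * FROM ' . $parm['table'] . ' WHERE ' . $key_column . "='"
             . mysqli_real_escape_string($link, $oauth_consumer_key) . "'";
         $result = mysqli_query($link, $sql);
         if ($result === false || mysqli_num_rows($result) != 1) {
             // Fix: the original appended the SQL text to this message, exposing table and
             // column names to whoever sees it. The key is still echoed back, so callers
             // that display $this->message must HTML-escape it.
             $this->message = "Your consumer is not authorized oauth_consumer_key=" . $oauth_consumer_key;
             return;
         }
         $row = mysqli_fetch_assoc($result);
         if ($row) {
             $secret = isset($row[$secret_column]) ? $row[$secret_column] : false;
             if (!empty($row[$context_column])) {
                 $this->context_id = $row[$context_column];
             }
             $this->row = $row;
         }
         if (!is_string($secret)) {
             $this->message = "Could not retrieve secret oauth_consumer_key=" . $oauth_consumer_key;
             return;
         }
     }
     // Verify the message signature (HMAC-SHA1 only).
     $store = new TrivialOAuthDataStore();
     $store->add_consumer($oauth_consumer_key, $secret);
     $server = new OAuthServer($store);
     $server->add_signature_method(new OAuthSignatureMethod_HMAC_SHA1());
     $request = OAuthRequest::from_request();
     $this->basestring = $request->get_signature_base_string();
     try {
         $server->verify_request($request);
         $this->valid = true;
     } catch (Exception $e) {
         $this->message = $e->getMessage();
         return;
     }
     // Store the launch information in the session for later
     $newinfo = array();
     foreach ($_POST as $key => $value) {
         if ($key == "basiclti_submit") {
             continue;
         }
         // Keep every parameter whose name does not contain "oauth_", plus the
         // consumer key itself (other oauth_* parameters are dropped).
         if (strpos($key, "oauth_") === false || $key == "oauth_consumer_key") {
             $newinfo[$key] = $value;
         }
     }
     $this->info = $newinfo;
     if ($usesession == true and strlen(session_id()) > 0) {
         $_SESSION['_basic_lti_context'] = $this->info;
         unset($_SESSION['_basiclti_lti_row']);
         unset($_SESSION['_basiclti_lti_context_id']);
         if ($this->row) {
             $_SESSION['_basiclti_lti_row'] = $this->row;
         }
         if ($this->context_id) {
             $_SESSION['_basiclti_lti_context_id'] = $this->context_id;
         }
     }
     if ($this->valid && $doredirect) {
         $this->redirect();
         $this->complete = true;
     }
 }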
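 /**
  * Initialise the LTI class: validate an LTI launch (or restore one from the
  * session) and load the consumer secret from $this->parm or the configured
  * database.
  *
  * $this->parm is either the shared secret (string) or a config array:
  *  - 'dbtype' => 'mysql'  : 'table' (default 'lti_keys'), 'key_column',
  *                           'secret_column', 'context_column' (all with defaults)
  *  - 'dbtype' => 'mysqli' : 'table_prefix'; a prepared statement on $this->db
  *
  * @param bool $usesession Store/restore launch data in $_SESSION.
  * @param bool $doredirect Call $this->redirect() once the launch verified.
  * @return void  Outcome is reported through $this->valid and $this->message.
  */
 public function init_lti($usesession = true, $doredirect = false)
 {
     // Default the launch fields to empty strings so the checks below see a
     // defined (empty) value instead of an undefined index.
     foreach (array("lti_message_type", "lti_version", "resource_link_id") as $required) {
         if (!isset($_REQUEST[$required])) {
             $_REQUEST[$required] = '';
         }
     }
     // If this request is not an LTI Launch, either
     // give up or try to retrieve the context from session
     if (!is_lti_request()) {
         if ($usesession === false) {
             return;
         }
         if (strlen(session_id()) > 0) {
             if (isset($_SESSION['_lti_row'])) {
                 $this->row = $_SESSION['_lti_row'];
             }
             if (isset($_SESSION['_lti_context_id'])) {
                 $this->context_id = $_SESSION['_lti_context_id'];
             }
             if (isset($_SESSION['_lti_context'])) {
                 $this->info = $_SESSION['_lti_context'];
                 $this->valid = true;
                 return;
             }
             $this->message = "Could not find context in session";
             return;
         }
         $this->message = "Session not available";
         return;
     }
     // Insure we have a valid launch
     if (empty($_REQUEST["oauth_consumer_key"])) {
         $this->message = "Missing oauth_consumer_key in request";
         return;
     }
     $oauth_consumer_key = $_REQUEST["oauth_consumer_key"];
     // Find the secret - either from the parameter as a string or
     // look it up in a database from parameters we are given
     $secret = false;
     if (is_string($this->parm)) {
         $secret = $this->parm;
     } elseif (!is_array($this->parm)) {
         $this->message = "Constructor requires a secret or database information.";
         return;
     } else {
         $dbtype = isset($this->parm['dbtype']) ? $this->parm['dbtype'] : '';
         if ($dbtype == 'mysql') {
             $table = !empty($this->parm['table']) ? $this->parm['table'] : 'lti_keys';
             $key_column = !empty($this->parm['key_column']) ? $this->parm['key_column'] : 'oauth_consumer_key';
             // Bug fix: the original read $this->parms[...] (typo), so configured
             // secret/context column names were silently ignored.
             $secret_column = !empty($this->parm['secret_column']) ? $this->parm['secret_column'] : 'secret';
             $context_column = !empty($this->parm['context_column']) ? $this->parm['context_column'] : 'context_id';
             // Identifiers come from deployment config and are interpolated unescaped -
             // they must never be derived from request data. The consumer key is the only
             // request-controlled value and is escaped. (mysql_* is gone in PHP 7; the
             // 'mysqli' branch below is the prepared-statement path.)
             $sql = 'SELECT * FROM ' . $table . ' WHERE ' . $key_column . "='"
                 . mysql_real_escape_string($oauth_consumer_key) . "'";
             $result = mysql_query($sql);
             if ($result === false || mysql_num_rows($result) != 1) {
                 // The request-supplied key is echoed back: escape $this->message before display.
                 $this->message = "Your consumer is not authorized oauth_consumer_key=" . $oauth_consumer_key;
                 return;
             }
             $row = mysql_fetch_assoc($result);
             if ($row) {
                 $secret = isset($row[$secret_column]) ? $row[$secret_column] : false;
                 if (!empty($row[$context_column])) {
                     $this->context_id = $row[$context_column];
                 }
                 $this->row = $row;
             }
             if (!is_string($secret)) {
                 $this->message = "Could not retrieve secret oauth_consumer_key=" . $oauth_consumer_key;
                 return;
             }
         } elseif ($dbtype == 'mysqli') {
             // The table prefix is deployment config (identifiers cannot be bound);
             // the consumer key is bound as a parameter.
             $prefix = isset($this->parm['table_prefix']) ? $this->parm['table_prefix'] : '';
             $stmt = $this->db->prepare("SELECT secret,context_id,name FROM " . $prefix . "lti_keys WHERE oauth_consumer_key=? AND `deleted` IS NULL");
             if ($stmt === false) {
                 // The original echoed the MySQL error text and a stack trace to the
                 // client (and referenced undefined variables doing so). Keep the
                 // detail server-side and report through $this->message like every
                 // other failure in this method.
                 error_log("lti_keys lookup failed: " . $this->db->error);
                 $this->message = "Could not retrieve secret oauth_consumer_key=" . $oauth_consumer_key;
                 return;
             }
             $stmt->bind_param('s', $oauth_consumer_key);
             $stmt->execute();
             $stmt->store_result();
             $stmt->bind_result($rsecret, $rcontext_id, $rname);
             $stmt->fetch();
             $stmt->close();
             // No matching row leaves $rsecret null, which fails the is_string() check.
             $secret = $rsecret;
             if (isset($rcontext_id)) {
                 $this->context_id = $rcontext_id;
             }
             if (!is_string($secret)) {
                 $this->message = "Could not retrieve secret oauth_consumer_key=" . $oauth_consumer_key;
                 return;
             }
         } else {
             // Bug fix: with an unrecognised dbtype the original fell through with
             // $secret === false and went on to verify the signature with that value
             // registered as the consumer secret.
             $this->message = "Constructor requires a secret or database information.";
             return;
         }
     }
     // Verify the message signature (HMAC-SHA1 only).
     $store = new TrivialOAuthDataStore();
     $store->add_consumer($oauth_consumer_key, $secret);
     $server = new OAuthServer($store);
     $server->add_signature_method(new OAuthSignatureMethod_HMAC_SHA1());
     $request = OAuthRequest::from_request();
     $this->basestring = $request->get_signature_base_string();
     try {
         $server->verify_request($request);
         $this->valid = true;
     } catch (Exception $e) {
         $this->message = $e->getMessage();
         return;
     }
     // Store the launch information in the session for later
     $newinfo = array();
     foreach ($_POST as $key => $value) {
         if ($key == "basiclti_submit") {
             continue;
         }
         // Keep every parameter whose name does not contain "oauth_", plus the
         // consumer key itself (other oauth_* parameters are dropped).
         if (strpos($key, "oauth_") === false || $key == "oauth_consumer_key") {
             $newinfo[$key] = $value;
         }
     }
     // NOTE(review): the shared secret is copied into the launch info and hence
     // into $_SESSION['_lti_context']. Kept because callers read it from there,
     // but anything that dumps or serialises $this->info will expose it.
     $newinfo['oauth_consumer_secret'] = $secret;
     $this->info = $newinfo;
     if ($usesession == true and strlen(session_id()) > 0) {
         $_SESSION['_lti_context'] = $this->info;
         unset($_SESSION['_lti_row']);
         unset($_SESSION['_lti_context_id']);
         if ($this->row) {
             $_SESSION['_lti_row'] = $this->row;
         }
         if ($this->context_id) {
             $_SESSION['_lti_context_id'] = $this->context_id;
         }
     }
     if ($this->valid && $doredirect) {
         $this->redirect();
         $this->complete = true;
     }
 }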
    $requests[$current_date] = $reqdebug;
}
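if (!$protocol_minimum) {
    doerror("Protocol minimum not reached lti_message_type=basic-lti-launch-request lti_version=LTI-1p0 resource_link_id required.");
    return;
}
// The LMS-wide consumer key/secret for this certification run live in the session.
// Test for existence before reading (the original read first, then checked).
if (!isset($_SESSION['cert_consumer_key'])) {
    doerror("No oauth_consumer_key found");
    return;
}
$oauth_consumer_key = $_SESSION['cert_consumer_key'];
// Check the signature
require_once 'OAuth.php';
require_once 'TrivialOAuthDataStore.php';
// A secret is mandatory: registering the consumer with a null secret would let a
// request signed with an empty secret verify.
if (!isset($_SESSION['cert_secret'])) {
    echo "<p>Please set an LMS-wide consumer</p>\n";
    return;
}
// Diagnostic for the tester. The original compared the session key against itself
// (always equal); the message it carried makes clear it meant the key the request
// presented, so that is what is compared here. A request that does not carry the
// key at all is left for verify_request() to reject. Both values are escaped before
// being echoed, since the request value is attacker-controlled.
$request_consumer_key = isset($_REQUEST['oauth_consumer_key']) ? $_REQUEST['oauth_consumer_key'] : null;
if (is_string($request_consumer_key) && $request_consumer_key !== $oauth_consumer_key) {
    echo "<p>Unexpected oauth_consumer_key=" . htmlspecialchars($request_consumer_key, ENT_QUOTES, 'UTF-8')
        . " - should be " . htmlspecialchars($oauth_consumer_key, ENT_QUOTES, 'UTF-8') . "</p>\n";
    return;
}
// Set up the single consumer/secret pair this run accepts
$store = new TrivialOAuthDataStore();
$store->add_consumer($oauth_consumer_key, $_SESSION['cert_secret']);
$server = new OAuthServer($store);
$method = new OAuthSignatureMethod_HMAC_SHA1();
$server->add_signature_method($method);
$request = OAuthRequest::from_request();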
 /**
  * Verify the OAuth 1.0 signature of the current request against this
  * object's configured consumer (KEY/SECRET taken from $this->fields).
  *
  * Note: $a_key and $a_secret are accepted for interface compatibility but are
  * not consulted; the credentials in $this->fields are the ones checked.
  *
  * @return mixed true when the signature verifies, otherwise the Exception
  *               raised by OAuthServer::verify_request()
  */
 private function checkSignature($a_key, $a_secret)
 {
     require_once $this->plugin_path . '/lib/OAuth.php';
     require_once $this->plugin_path . '/lib/TrivialOAuthDataStore.php';

     $consumers = new TrivialOAuthDataStore();
     $consumers->add_consumer($this->fields['KEY'], $this->fields['SECRET']);

     $oauth_server = new OAuthServer($consumers);
     $oauth_server->add_signature_method(new OAuthSignatureMethod_HMAC_SHA1());

     // Built outside the try: a failure here propagates, as in the original.
     $incoming = OAuthRequest::from_request();
     try {
         $oauth_server->verify_request($incoming);
     } catch (Exception $caught) {
         return $caught;
     }
     return true;
 }
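 /**
  * Validate a Basic LTI launch against a single known consumer key/secret pair,
  * or restore a previously validated launch from the session.
  *
  * @param string|false $consumer      The one consumer key this tool accepts.
  * @param string|false $shared_secret The secret for that consumer.
  * @param bool         $usesession    Store/restore launch data in $_SESSION.
  * @param bool         $doredirect    Call $this->redirect() once the launch verified.
  *
  * $this->valid is set to true only on success; $this->message records the outcome.
  */
 function __construct($consumer = false, $shared_secret = false, $usesession = true, $doredirect = true)
 {
     // The only consumer we know about is the pair handed to the constructor.
     $myKeys = array();
     if (is_string($consumer) && $consumer !== '') {
         $myKeys[$consumer] = $shared_secret;
     }
     // If this request is not an LTI Launch, either
     // give up or try to retrieve the context from session
     if (!is_basic_lti_request()) {
         if ($usesession === false) {
             return;
         }
         if (strlen(session_id()) > 0) {
             // isset() guards: reading an absent session key would raise a notice.
             if (isset($_SESSION['_basiclti_lti_row'])) {
                 $this->row = $_SESSION['_basiclti_lti_row'];
             }
             if (isset($_SESSION['_basiclti_lti_context_id'])) {
                 $this->context_id = $_SESSION['_basiclti_lti_context_id'];
             }
             if (isset($_SESSION['_basic_lti_context'])) {
                 $this->info = $_SESSION['_basic_lti_context'];
                 $this->valid = true;
                 return;
             }
             $this->message = "Could not find context in session";
             return;
         }
         $this->message = "Session not available";
         return;
     }
     // Insure we have a valid launch
     if (empty($_REQUEST["oauth_consumer_key"])) {
         $this->message = "Missing oauth_consumer_key in request";
         return;
     }
     $oauth_consumer_key = $_REQUEST["oauth_consumer_key"];
     // Bug fix: the original did "$secret = $myKeys[$oauth_consumer_key]" unconditionally,
     // so a request carrying any *other* consumer key was registered in the data store with
     // a null secret and handed to verify_request() - that is not an authorisation check.
     // Unknown keys and non-string/empty secrets are rejected before any verification.
     if (!isset($myKeys[$oauth_consumer_key])
         || !is_string($myKeys[$oauth_consumer_key])
         || $myKeys[$oauth_consumer_key] === '') {
         // The request-supplied key is echoed back: escape $this->message before display.
         $this->message = "Your consumer is not authorized oauth_consumer_key=" . $oauth_consumer_key;
         return;
     }
     $secret = $myKeys[$oauth_consumer_key];
     // Verify the message signature (HMAC-SHA1 only).
     $store = new TrivialOAuthDataStore();
     $store->add_consumer($oauth_consumer_key, $secret);
     $server = new OAuthServer($store);
     $server->add_signature_method(new OAuthSignatureMethod_HMAC_SHA1());
     $request = OAuthRequest::from_request();
     $this->basestring = $request->get_signature_base_string();
     try {
         $server->verify_request($request);
         $this->valid = true;
     } catch (Exception $e) {
         $this->message = $e->getMessage();
         return;
     }
     // Store the launch information in the session for later
     $newinfo = array();
     foreach ($_POST as $key => $value) {
         if ($key == "basiclti_submit") {
             continue;
         }
         // Keep every parameter whose name does not contain "oauth_", plus the
         // consumer key itself (other oauth_* parameters are dropped).
         if (strpos($key, "oauth_") === false || $key == "oauth_consumer_key") {
             $newinfo[$key] = $value;
         }
     }
     $this->info = $newinfo;
     if ($usesession == true and strlen(session_id()) > 0) {
         $_SESSION['_basic_lti_context'] = $this->info;
         unset($_SESSION['_basiclti_lti_row']);
         unset($_SESSION['_basiclti_lti_context_id']);
         if ($this->row) {
             $_SESSION['_basiclti_lti_row'] = $this->row;
         }
         if ($this->context_id) {
             $_SESSION['_basiclti_lti_context_id'] = $this->context_id;
         }
     }
     if ($this->valid && $doredirect) {
         $this->redirect();
         $this->complete = true;
     }
 }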