MDL-69542 enrol_lti: add OIDC endpoints for resource link launch

enrol/lti/jwks.php

@@ -0,0 +1,37 @@
+<?php
+// This file is part of Moodle - http://moodle.org/
+//
+// Moodle is free software: you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// Moodle is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License
+// along with Moodle.  If not, see <http://www.gnu.org/licenses/>.
+
+/**
+ * This file returns an array of available public keys for the LTI 1.3 tool.
+ *
+ * @package    enrol_lti
+ * @copyright  2021 Jake Dallimore <jrhdallimore@gmail.com>
+ * @license    http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
+ */
+
+use Packback\Lti1p3\JwksEndpoint;
+
+define('NO_DEBUG_DISPLAY', true);
+define('NO_MOODLE_COOKIES', true);
+
+require_once(__DIR__ . '/../../config.php');
+
+$privatekey = get_config('enrol_lti', 'lti_13_privatekey');
+$key = get_config('enrol_lti', 'lti_13_kid');
+$keyendpoint = JwksEndpoint::new([$key => $privatekey]);
+
+@header('Content-Type: application/json; charset=utf-8');
+$keyendpoint->outputJwks();

enrol/lti/launch.php

@@ -0,0 +1,144 @@
+<?php
+// This file is part of Moodle - http://moodle.org/
+//
+// Moodle is free software: you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// Moodle is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License
+// along with Moodle.  If not, see <http://www.gnu.org/licenses/>.
+
+/**
+ * Handles LTI 1.3 resource link launches.
+ *
+ * See enrol/lti/launch_deeplink.php for deep linking launches.
+ *
+ * There are 2 pathways through this page:
+ * 1. When first making a resource linking launch from the platform. The launch data is cached at this point, pending user
+ * authentication, and the page is set such that the post-authentication redirect will return here.
+ * 2. The post-authentication redirect. The launch data is fetched from the session launch cache, and the resource is displayed.
+ *
+ * @package    enrol_lti
+ * @copyright  2021 Jake Dallimore <jrhdallimore@gmail.com>
+ * @license    http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
+ */
+
+use enrol_lti\local\ltiadvantage\lib\http_client;
+use enrol_lti\local\ltiadvantage\lib\issuer_database;
+use enrol_lti\local\ltiadvantage\lib\launch_cache_session;
+use enrol_lti\local\ltiadvantage\repository\application_registration_repository;
+use enrol_lti\local\ltiadvantage\repository\context_repository;
+use enrol_lti\local\ltiadvantage\repository\deployment_repository;
+use enrol_lti\local\ltiadvantage\repository\legacy_consumer_repository;
+use enrol_lti\local\ltiadvantage\repository\resource_link_repository;
+use enrol_lti\local\ltiadvantage\repository\user_repository;
+use enrol_lti\local\ltiadvantage\service\tool_launch_service;
+use enrol_lti\local\ltiadvantage\utility\message_helper;
+use Packback\Lti1p3\ImsStorage\ImsCookie;
+use Packback\Lti1p3\LtiMessageLaunch;
+use Packback\Lti1p3\LtiServiceConnector;
+
+require_once(__DIR__ . '/../../config.php');
+global $CFG;
+require_once($CFG->libdir . '/filelib.php');
+
+$idtoken = optional_param('id_token', null, PARAM_RAW);
+$launchid = optional_param('launchid', null, PARAM_RAW);
+
+if (!is_enabled_auth('lti')) {
+    throw new moodle_exception('pluginnotenabled', 'auth', '', get_string('pluginname', 'auth_lti'));
+}
+if (!enrol_is_enabled('lti')) {
+    throw new moodle_exception('enrolisdisabled', 'enrol_lti');
+}
+if (empty($idtoken) && empty($launchid)) {
+    throw new coding_exception('Error: launch requires id_token');
+}
+
+// Support caching the launch and retrieving it after the account binding process described in auth::complete_login().
+$sesscache = new launch_cache_session();
+$issdb = new issuer_database(new application_registration_repository(), new deployment_repository());
+$cookie = new ImsCookie();
+$serviceconnector = new LtiServiceConnector($sesscache, new http_client(new curl()));
+if ($idtoken) {
+    $messagelaunch = LtiMessageLaunch::new($issdb, $sesscache, $cookie, $serviceconnector)
+        ->validate();
+}
+if ($launchid) {
+    $messagelaunch = LtiMessageLaunch::fromCache($launchid, $issdb, $sesscache, $serviceconnector);
+}
+if (empty($messagelaunch)) {
+    throw new moodle_exception('Bad launch. Message launch data could not be found');
+}
+
+// Authenticate the platform user, which could be an instructor, an admin or a learner.
+// Auth code needs to be told about consumer secrets for the purposes of migration, since these reside in enrol_lti.
+$launchdata = $messagelaunch->getLaunchData();
+if (!empty($launchdata['https://purl.imsglobal.org/spec/lti/claim/lti1p1']['oauth_consumer_key'])) {
+    $legacyconsumerrepo = new legacy_consumer_repository();
+    $legacyconsumersecrets = $legacyconsumerrepo->get_consumer_secrets(
+        $launchdata['https://purl.imsglobal.org/spec/lti/claim/lti1p1']['oauth_consumer_key']
+    );
+}
+
+// To authenticate, we need the resource's account provisioning mode for the given LTI role.
+if (empty($launchdata['https://purl.imsglobal.org/spec/lti/claim/custom']['id'])) {
+    throw new \moodle_exception('ltiadvlauncherror:missingid', 'enrol_lti');
+}
+$resourceuuid = $launchdata['https://purl.imsglobal.org/spec/lti/claim/custom']['id'];
+$resource = array_values(\enrol_lti\helper::get_lti_tools(['uuid' => $resourceuuid]));
+$resource = $resource[0] ?? null;
+if (empty($resource) || $resource->status != ENROL_INSTANCE_ENABLED) {
+    throw new \moodle_exception('ltiadvlauncherror:invalidid', 'enrol_lti', '', $resourceuuid);
+}
+
+$provisioningmode = message_helper::is_instructor_launch($launchdata) ? $resource->provisioningmodeinstructor
+    : $resource->provisioningmodelearner;
+$auth = get_auth_plugin('lti');
+$auth->complete_login(
+    $messagelaunch->getLaunchData(),
+    new moodle_url('/enrol/lti/launch.php', ['launchid' => $messagelaunch->getLaunchId()]),
+    $provisioningmode,
+    $legacyconsumersecrets ?? []
+);
+
+require_login(null, false);
+global $USER, $CFG, $PAGE;
+$PAGE->set_context(context_system::instance());
+$PAGE->set_url(new moodle_url('/enrol/lti/launch.php'));
+$PAGE->set_pagelayout('popup'); // Same layout as the tool.php page in Legacy 1.1/2.0 launches.
+$PAGE->set_title(get_string('opentool', 'enrol_lti'));
+
+$toollaunchservice = new tool_launch_service(
+    new deployment_repository(),
+    new application_registration_repository(),
+    new resource_link_repository(),
+    new user_repository(),
+    new context_repository()
+);
+[$userid, $resource] = $toollaunchservice->user_launches_tool($USER, $messagelaunch);
+
+$context = context::instance_by_id($resource->contextid);
+if ($context->contextlevel == CONTEXT_COURSE) {
+    $courseid = $context->instanceid;
+    $redirecturl = new moodle_url('/course/view.php', ['id' => $courseid]);
+} else if ($context->contextlevel == CONTEXT_MODULE) {
+    $cm = get_coursemodule_from_id(false, $context->instanceid, 0, false, MUST_EXIST);
+    $redirecturl = new moodle_url('/mod/' . $cm->modname . '/view.php', ['id' => $cm->id]);
+} else {
+    throw new moodle_exception('invalidcontext');
+}
+
+if (empty($CFG->allowframembedding)) {
+    $stropentool = get_string('opentool', 'enrol_lti');
+    echo html_writer::tag('p', get_string('frameembeddingnotenabled', 'enrol_lti'));
+    echo html_writer::link($redirecturl, $stropentool, ['target' => '_blank']);
+} else {
+    redirect($redirecturl);
+}

enrol/lti/login.php

@@ -0,0 +1,78 @@
+<?php
+// This file is part of Moodle - http://moodle.org/
+//
+// Moodle is free software: you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// Moodle is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License
+// along with Moodle.  If not, see <http://www.gnu.org/licenses/>.
+
+/**
+ * LTI 1.3 login endpoint.
+ *
+ * See: http://www.imsglobal.org/spec/security/v1p0/#step-1-third-party-initiated-login
+ *
+ * This must support both POST and GET methods, as per the spec.
+ *
+ * @package    enrol_lti
+ * @copyright  2021 Jake Dallimore <jrhdallimore@gmail.com
+ * @license    http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
+ */
+
+use enrol_lti\local\ltiadvantage\lib\issuer_database;
+use enrol_lti\local\ltiadvantage\lib\launch_cache_session;
+use enrol_lti\local\ltiadvantage\repository\application_registration_repository;
+use enrol_lti\local\ltiadvantage\repository\deployment_repository;
+use Packback\Lti1p3\ImsStorage\ImsCookie;
+use Packback\Lti1p3\LtiOidcLogin;
+
+require_once(__DIR__."/../../config.php");
+
+// Required fields for OIDC 3rd party initiated login.
+// See http://www.imsglobal.org/spec/security/v1p0/#step-1-third-party-initiated-login.
+// Validate these here, despite further validation in the LTI 1.3 library.
+$iss = required_param('iss', PARAM_URL); // Issuer URI of the calling platform.
+$loginhint = required_param('login_hint', PARAM_INT); // Platform ID for the person to login.
+$targetlinkuri = required_param('target_link_uri', PARAM_URL); // The took launch URL.
+
+// Optional lti_message_hint. See https://www.imsglobal.org/spec/lti/v1p3#additional-login-parameters-0.
+// If found, this must be returned unmodified to the platform.
+$ltimessagehint = optional_param('lti_message_hint', null, PARAM_RAW);
+
+// The target_link_uri param should contain the endpoint that will be executed at the end of the OIDC login process.
+// In Moodle, this will either be:
+// - enrol/lti/launch.php endpoint (for regular resource link launches) or
+// - enrol/lti/launch_deeplink.php endpoint (for deep linking launches)
+// Thus, the target_link_uri signifies intent to perform a certain launch type. It can be used to generate the
+// redirect_uri param for the auth request but must first be verified, as it is unsigned data at this stage.
+// See here: https://www.imsglobal.org/spec/lti/v1p3/impl#verify-the-target_link_uri.
+//
+// Also note that final redirection to the resource (after the login process is complete) should rely on the
+// https://purl.imsglobal.org/spec/lti/claim/target_link_uri claim instead of the target_link_uri value provided here.
+// See here: http://www.imsglobal.org/spec/lti/v1p3/#target-link-uri.
+$validuris = [
+    (new moodle_url('/enrol/lti/launch.php'))->out(false), // Resource link launches.
+    (new moodle_url('/enrol/lti/launch_deeplink.php'))->out(false) // Deep linking launches.
+];
+
+// This code verifies the target_link_uri. Only two values are permitted (see endpoints listed above).
+if (!in_array($targetlinkuri, $validuris)) {
+    $msg = 'The target_link_uri param must match one of the redirect URIs set during tool registration.';
+    throw new coding_exception($msg);
+}
+
+// Now, do the OIDC login.
+LtiOidcLogin::new(
+    new issuer_database(new application_registration_repository(), new deployment_repository()),
+    new launch_cache_session(),
+    new ImsCookie()
+)
+    ->doOidcLoginRedirect($targetlinkuri)
+    ->doRedirect();