use the extracted lti security code

rivernate · rivernate · commit 5dcf89be8bd0 · 2016-06-08T18:16:19.000Z
fixes PLAT-1570 test plan: enable the disable_lti_post_only feature flag install the test tool create a launch with a query param launch to newly created launch endpoint it should launch correctly regression test lti launches in canvas Change-Id: I624ede3fd579a8ad7a2e6bcaa340e0b9490b9357 Reviewed-on: https://gerrit.instructure.com/81756 Tested-by: Jenkins Reviewed-by: Brad Horrocks <bhorrocks@instructure.com> QA-Review: August Thornton <august@instructure.com> Product-Review: Nathan Mills <nathanm@instructure.com>
diff --git a/app/controllers/external_tools_controller.rb b/app/controllers/external_tools_controller.rb
@@ -467,8 +467,13 @@ def content_item_selection(tool, placement, message_type, opts = {})
 
     lti_launch = @tool.settings['post_only'] ? Lti::Launch.new(post_only: true) : Lti::Launch.new
     lti_launch.resource_url = opts[:launch_url] || tool.extension_setting(placement, :url)
-    lti_launch.params = LtiOutbound::ToolLaunch.generate_params(params, lti_launch.resource_url, tool.consumer_key, tool.shared_secret,
-                                                                disable_lti_post_only: @context.root_account.feature_enabled?(:disable_lti_post_only))
+    lti_launch.params = Lti::Security.signed_post_params(
+      params,
+      lti_launch.resource_url,
+      tool.consumer_key,
+      tool.shared_secret,
+      @context.root_account.feature_enabled?(:disable_lti_post_only)
+    )
     lti_launch.link_text = tool.label_for(placement.to_sym)
     lti_launch.analytics_id = tool.tool_id
 
@@ -545,8 +550,13 @@ def content_item_selection_request(tool, placement, opts = {})
 
     lti_launch = @tool.settings['post_only'] ? Lti::Launch.new(post_only: true) : Lti::Launch.new
     lti_launch.resource_url = opts[:launch_url]|| tool.extension_setting(placement, :url)
-    lti_launch.params = LtiOutbound::ToolLaunch.generate_params(params, lti_launch.resource_url, tool.consumer_key, tool.shared_secret,
-                                                                disable_lti_post_only: @context.root_account.feature_enabled?(:disable_lti_post_only))
+    lti_launch.params = Lti::Security.signed_post_params(
+      params,
+      lti_launch.resource_url,
+      tool.consumer_key,
+      tool.shared_secret,
+      @context.root_account.feature_enabled?(:disable_lti_post_only)
+    )
     lti_launch.link_text = tool.label_for(placement.to_sym, I18n.locale)
     lti_launch.analytics_id = tool.tool_id
 
diff --git a/app/models/lti/lti_outbound_adapter.rb b/app/models/lti/lti_outbound_adapter.rb
@@ -51,16 +51,21 @@ def prepare_tool_launch(return_url, variable_expander, opts = {})
               user: lti_user,
               tool: lti_tool,
               account: lti_account,
-              variable_expander: variable_expander,
-              disable_lti_post_only: @root_account.feature_enabled?(:disable_lti_post_only)
+              variable_expander: variable_expander
           }
       )
       self
     end
 
     def generate_post_payload
       raise('Called generate_post_payload before calling prepare_tool_launch') unless @tool_launch
-      @tool_launch.generate(@overrides)
+      hash = @tool_launch.generate(@overrides)
+      Lti::Security.signed_post_params(
+        hash,
+        @tool_launch.url,
+        @tool.consumer_key,
+        @tool.shared_secret,
+        @root_account.feature_enabled?(:disable_lti_post_only))
     end
 
     def generate_post_payload_for_assignment(assignment, outcome_service_url, legacy_outcome_service_url, lti_turnitin_outcomes_placement_url)
diff --git a/gems/lti_outbound/lib/lti_outbound/tool_launch.rb b/gems/lti_outbound/lib/lti_outbound/tool_launch.rb
@@ -39,7 +39,6 @@ def initialize(options)
       @consumer_instance = context.consumer_instance || raise('Consumer instance required for generating LTI content')
 
       @variable_expander = options[:variable_expander] || raise('VariableExpander is required for generating LTI content')
-      @post_only = options[:disable_lti_post_only]
 
       @hash = {}
     end
@@ -127,7 +126,7 @@ def generate(overrides={})
       hash['oauth_callback'] = 'about:blank'
 
       @variable_expander.expand_variables!(hash)
-      self.class.generate_params(hash, url, tool.consumer_key, tool.shared_secret, disable_lti_post_only: @post_only)
+      hash
     end
 
     private
@@ -163,54 +162,5 @@ def set_resource_type_keys
       end
     end
 
-    def self.generate_params(params, url, key, secret, feature_flags = {})
-      uri = URI.parse(url)
-
-      if uri.port == uri.default_port
-        host = uri.host
-      else
-        host = "#{uri.host}:#{uri.port}"
-      end
-
-      consumer = OAuth::Consumer.new(key, secret, {
-                                            :site => "#{uri.scheme}://#{host}",
-                                            :signature_method => 'HMAC-SHA1'
-                                        })
-
-      path = uri.path
-      path = '/' if path.empty?
-      unless feature_flags[:disable_lti_post_only]
-        if uri.query && uri.query != ''
-          CGI.parse(uri.query).each do |query_key, query_values|
-            unless params[query_key]
-              params[query_key] = query_values.first
-            end
-          end
-        end
-      end
-      options = {
-          :scheme           => 'body',
-          :timestamp        => @timestamp,
-          :nonce            => @nonce
-      }
-
-      request = consumer.create_signed_request(:post, path, nil, options, stringify_hash(params))
-
-      # the request is made by a html form in the user's browser, so we
-      # want to revert the escapage and return the hash of post parameters ready
-      # for embedding in a html view
-      hash = {}
-      request.body.split(/&/).each do |param|
-        key, val = param.split(/=/).map{|v| CGI.unescape(v) }
-        hash[key] = val
-      end
-      hash
-    end
-
-    def self.stringify_hash(hash)
-      hash.dup.tap do |new_hash|
-        new_hash.keys.each { |k| new_hash[k.to_s] = new_hash.delete(k) unless k.is_a?(String) }
-      end
-    end
   end
 end
diff --git a/gems/lti_outbound/spec/lti_outbound/tool_launch_spec.rb b/gems/lti_outbound/spec/lti_outbound/tool_launch_spec.rb
@@ -141,7 +141,7 @@
       expect(hash['lis_person_name_family']).to eq 'last_name'
       expect(hash['lis_person_name_given']).to eq 'first_name'
       expect(hash['lis_person_sourcedid']).to eq '$Person.sourcedId'
-      expect(hash['launch_presentation_locale']).to eq 'en' #was I18n.default_locale.to_s
+      expect(hash['launch_presentation_locale']).to eq :en #was I18n.default_locale.to_s
       expect(hash['launch_presentation_document_target']).to eq 'iframe'
       expect(hash['launch_presentation_return_url']).to eq 'http://www.google.com'
       expect(hash['tool_consumer_instance_guid']).to eq 'root_account_lti_guid'
@@ -196,7 +196,7 @@
       I18n.stub(:localizer).and_return(-> { :es })
       hash = tool_launch.generate
 
-      expect(hash['launch_presentation_locale']).to eq 'es'
+      expect(hash['launch_presentation_locale']).to eq :es
     end
 
     it 'adds account info in launch data for account navigation' do
@@ -230,19 +230,6 @@
       expect(hash['tool_consumer_instance_guid']).to eq 'root_account_lti_guid' #was hash['tool_consumer_instance_guid']).to eq sub_account.root_account.lti_guid
     end
 
-    it 'includes URI query parameters' do
-      hash = LtiOutbound::ToolLaunch.new(:url => 'http://www.yahoo.com?paramater_a=value_a&parameter_b=value_b',
-                                         :tool => tool,
-                                         :user => user,
-                                         :account => account,
-                                         :context => course,
-                                         :link_code => '123456',
-                                         :return_url => 'http://www.google.com',
-                                         :variable_expander => variable_expander).generate
-      expect(hash['paramater_a']).to eq 'value_a'
-      expect(hash['parameter_b']).to eq 'value_b'
-    end
-
     it 'does not allow overwriting other parameters from the URI query string' do
       hash = LtiOutbound::ToolLaunch.new(:url => 'http://www.yahoo.com?user_id=ATTEMPT_TO_SET_DATA&oauth_callback=ATTEMPT_TO_SET_DATA',
                                          :tool => tool,
@@ -269,7 +256,7 @@
       expect(hash['custom_bob']).to eql('bob')
       expect(hash['custom_fred']).to eql('fred')
       expect(hash['custom_john']).to eql('john')
-      expect(hash['custom___taa____']).to eql('123')
+      expect(hash['custom___taa____']).to eql(123)
       expect(hash).to_not have_key '@$TAA$#$#'
       expect(hash).to_not have_key 'john'
     end
@@ -321,8 +308,8 @@
                                          :return_url => 'http://www.yahoo.com',
                                          :resource_type => 'editor_button',
                                          :variable_expander => variable_expander).generate
-      expect(hash['launch_presentation_width']).to eq '1000'
-      expect(hash['launch_presentation_height']).to eq '300'
+      expect(hash['launch_presentation_width']).to eq 1000
+      expect(hash['launch_presentation_height']).to eq 300
     end
 
     it 'does not copy query params to POST body if disable_lti_post_only feature flag is set' do
@@ -394,109 +381,4 @@
     end
   end
 
-  #TODO: do not test private methods
-  describe '.generate_params' do
-    def explicit_signature_settings(timestamp, nonce)
-      LtiOutbound::ToolLaunch.instance_variable_set(:'@timestamp', timestamp)
-      LtiOutbound::ToolLaunch.instance_variable_set(:'@nonce', nonce)
-    end
-
-    it 'generate a correct signature' do
-      explicit_signature_settings('1251600739', 'c8350c0e47782d16d2fa48b2090c1d8f')
-
-      hash = LtiOutbound::ToolLaunch.send(:generate_params, {
-                                                              :resource_link_id => '120988f929-274612',
-                                                              :user_id => '292832126',
-                                                              :roles => 'Instructor',
-                                                              :lis_person_name_full => 'Jane Q. Public',
-                                                              :lis_person_contact_email_primary => 'user@school.edu',
-                                                              :lis_person_sourced_id => 'school.edu:user',
-                                                              :context_id => '456434513',
-                                                              :context_title => 'Design of Personal Environments',
-                                                              :context_label => 'SI182',
-                                                              :lti_version => 'LTI-1p0',
-                                                              :lti_message_type => 'basic-lti-launch-request',
-                                                              :tool_consumer_instance_guid => 'lmsng.school.edu',
-                                                              :tool_consumer_instance_description => 'University of School (LMSng)',
-                                                              :lti_submit => 'Launch Endpoint with LTI Data'
-                                                          }, 'http://dr-chuck.com/ims/php-simple/tool.php', '12345', 'secret')
-
-      expect(hash['oauth_signature']).to eql('l1ZTsn1HjGXzqeaTQMPbjrqvjLU=')
-    end
-
-    it 'generate a correct signature with URL query parameters' do
-      explicit_signature_settings('1251600739', 'c8350c0e47782d16d2fa48b2090c1d8f')
-      hash = LtiOutbound::ToolLaunch.send(:generate_params, {
-                                                              :resource_link_id => '120988f929-274612',
-                                                              :user_id => '292832126',
-                                                              :roles => 'Instructor',
-                                                              :lis_person_name_full => 'Jane Q. Public',
-                                                              :lis_person_contact_email_primary => 'user@school.edu',
-                                                              :lis_person_sourced_id => 'school.edu:user',
-                                                              :context_id => '456434513',
-                                                              :context_title => 'Design of Personal Environments',
-                                                              :context_label => 'SI182',
-                                                              :lti_version => 'LTI-1p0',
-                                                              :lti_message_type => 'basic-lti-launch-request',
-                                                              :tool_consumer_instance_guid => 'lmsng.school.edu',
-                                                              :tool_consumer_instance_description => 'University of School (LMSng)',
-                                                              :lti_submit => 'Launch Endpoint with LTI Data'
-                                                          }, 'http://dr-chuck.com/ims/php-simple/tool.php?a=1&b=2&c=3%20%26a', '12345', 'secret')
-      expect(hash['oauth_signature']).to eql('k/+aMdax1Jm5kuGF6DG/ptN5VfY=')
-      expect(hash['c']).to eq '3 &a'
-    end
-
-    it 'generate a correct signature with a non-standard port' do
-      #signatures generated using http://oauth.googlecode.com/svn/code/javascript/example/signature.html
-      explicit_signature_settings('1251600739', 'c8350c0e47782d16d2fa48b2090c1d8f')
-      hash = LtiOutbound::ToolLaunch.send(:generate_params, {
-                                                          }, 'http://dr-chuck.com:123/ims/php-simple/tool.php', '12345', 'secret')
-      expect(hash['oauth_signature']).to eql('ghEdPHwN4iJmsM3Nr4AndDx2Kx8=')
-
-      hash = LtiOutbound::ToolLaunch.send(:generate_params, {
-                                                          }, 'http://dr-chuck.com/ims/php-simple/tool.php', '12345', 'secret')
-      expect(hash['oauth_signature']).to eql('WoSpvCr2HEsLzao6Do0eukxwAsk=')
-
-      hash = LtiOutbound::ToolLaunch.send(:generate_params, {
-                                                          }, 'http://dr-chuck.com:80/ims/php-simple/tool.php', '12345', 'secret')
-      expect(hash['oauth_signature']).to eql('WoSpvCr2HEsLzao6Do0eukxwAsk=')
-
-      hash = LtiOutbound::ToolLaunch.send(:generate_params, {
-                                                          }, 'http://dr-chuck.com:443/ims/php-simple/tool.php', '12345', 'secret')
-      expect(hash['oauth_signature']).to eql('KqAV7eIS/+iWIDpvCyDfY8ZpmT4=')
-
-      hash = LtiOutbound::ToolLaunch.send(:generate_params, {
-                                                          }, 'https://dr-chuck.com/ims/php-simple/tool.php', '12345', 'secret')
-      expect(hash['oauth_signature']).to eql('wFRB/1ZXi/91dop6GwahfboWPvQ=')
-
-      hash = LtiOutbound::ToolLaunch.send(:generate_params, {
-                                                          }, 'https://dr-chuck.com:443/ims/php-simple/tool.php', '12345', 'secret')
-      expect(hash['oauth_signature']).to eql('wFRB/1ZXi/91dop6GwahfboWPvQ=')
-
-      hash = LtiOutbound::ToolLaunch.send(:generate_params, {
-                                                          }, 'https://dr-chuck.com:80/ims/php-simple/tool.php', '12345', 'secret')
-      expect(hash['oauth_signature']).to eql('X8Aq2HXSHnr6u/6z/G9zI5aDoR0=')
-    end
-
-    it 'does not copy query params to POST body if disable_lti_post_only feature flag is set' do
-      hash = LtiOutbound::ToolLaunch.send(:generate_params, {
-                                                              :resource_link_id => '120988f929-274612',
-                                                              :user_id => '292832126',
-                                                              :roles => 'Instructor',
-                                                              :lis_person_name_full => 'Jane Q. Public',
-                                                              :lis_person_contact_email_primary => 'user@school.edu',
-                                                              :lis_person_sourced_id => 'school.edu:user',
-                                                              :context_id => '456434513',
-                                                              :context_title => 'Design of Personal Environments',
-                                                              :context_label => 'SI182',
-                                                              :lti_version => 'LTI-1p0',
-                                                              :lti_message_type => 'basic-lti-launch-request',
-                                                              :tool_consumer_instance_guid => 'lmsng.school.edu',
-                                                              :tool_consumer_instance_description => 'University of School (LMSng)',
-                                                              :lti_submit => 'Launch Endpoint with LTI Data'
-                                                          }, 'http://www.instructure.com?first=weston&last=dransfield', 'key', 'secret',
-                                                            disable_lti_post_only: true)
-      expect(hash.key?('first')).to eq false
-    end
-  end
 end
diff --git a/spec/models/lti/lti_outbound_adapter_spec.rb b/spec/models/lti/lti_outbound_adapter_spec.rb
@@ -190,11 +190,12 @@
 
   describe "#generate_post_payload" do
     it "calls generate on the tool launch" do
-      tool_launch = mock('tool launch', generate: {})
+      tool_launch = mock('tool launch')
+      tool_launch.expects(generate: {})
+      tool_launch.stubs(url: "http://example.com/launch")
       LtiOutbound::ToolLaunch.stubs(:new).returns(tool_launch)
       adapter.prepare_tool_launch(return_url, variable_expander)
-
-      expect(adapter.generate_post_payload).to eq({})
+      adapter.generate_post_payload
     end
 
     it "raises a not prepared error if the tool launch has not been prepared" do
@@ -206,7 +207,7 @@
     let(:outcome_service_url) { '/outcome/service' }
     let(:legacy_outcome_service_url) { '/legacy/service' }
     let(:lti_turnitin_outcomes_placement_url) { 'turnitin/outcomes/placement' }
-    let(:tool_launch) { stub('tool launch', generate: {}) }
+    let(:tool_launch) { stub('tool launch', generate: {}, url: "http://example.com/launch") }
 
     before(:each) do
       LtiOutbound::ToolLaunch.stubs(:new).returns(tool_launch)
@@ -244,7 +245,7 @@
 
   describe "#generate_post_payload_for_homework_submission" do
     it "creates an lti_assignment" do
-      tool_launch = mock('tool launch', generate: {})
+      tool_launch = mock('tool launch', generate: {}, url: "http://example.com/launch")
       LtiOutbound::ToolLaunch.stubs(:new).returns(tool_launch)
       adapter.prepare_tool_launch(return_url, variable_expander)
 
