Adding extra verification method to support validating requests that may contain arrays, solves #33

pfgray · pfgray · commit 83cabd1c00e7 · 2017-09-18T13:51:30.000-04:00
diff --git a/src/main/java/org/imsglobal/lti/launch/LtiLaunch.java b/src/main/java/org/imsglobal/lti/launch/LtiLaunch.java
@@ -1,6 +1,7 @@
 package org.imsglobal.lti.launch;
 
 import javax.servlet.http.HttpServletRequest;
+import java.util.Collection;
 import java.util.Map;
 
 /**
@@ -38,6 +39,16 @@ public LtiLaunch(Map<String, String> parameters) {
         this.toolConsumerInstanceGuid = parameters.get("tool_consumer_instance_guid");
     }
 
+    public LtiLaunch(Collection<? extends Map.Entry> parameters) {
+        this.user = new LtiUser(parameters);
+        this.version = LtiOauthVerifier.getKey(parameters, "lti_version");
+        this.messageType = LtiOauthVerifier.getKey(parameters, "lti_message_type");
+        this.resourceLinkId = LtiOauthVerifier.getKey(parameters, "resource_link_id");
+        this.contextId = LtiOauthVerifier.getKey(parameters, "context_id");
+        this.launchPresentationReturnUrl = LtiOauthVerifier.getKey(parameters, "launch_presentation_return_url");
+        this.toolConsumerInstanceGuid = LtiOauthVerifier.getKey(parameters, "tool_consumer_instance_guid");
+    }
+
     public LtiUser getUser() {
         return user;
     }
diff --git a/src/main/java/org/imsglobal/lti/launch/LtiOauthVerifier.java b/src/main/java/org/imsglobal/lti/launch/LtiOauthVerifier.java
@@ -4,8 +4,7 @@
 import net.oauth.server.OAuthServlet;
 
 import javax.servlet.http.HttpServletRequest;
-import java.util.Arrays;
-import java.util.Map;
+import java.util.*;
 import java.util.logging.Logger;
 
 /**
@@ -15,7 +14,7 @@
  */
 public class LtiOauthVerifier implements LtiVerifier {
 
-    public static final String OAUTH_KEY_PARAMETER= "oauth_consumer_key";
+    public static final String OAUTH_KEY_PARAMETER = "oauth_consumer_key";
 
     private final static Logger logger = Logger.getLogger(LtiOauthVerifier.class.getName());
 
@@ -60,16 +59,39 @@ public LtiVerificationResult verify(HttpServletRequest request, String secret) t
      */
     @Override
     public LtiVerificationResult verifyParameters(Map<String, String> parameters, String url, String method, String secret) throws LtiVerificationException {
-        OAuthMessage oam = new OAuthMessage(method, url, parameters.entrySet());
-        OAuthConsumer cons = new OAuthConsumer(null, parameters.get(OAUTH_KEY_PARAMETER), secret, null);
-        OAuthValidator oav = new SimpleOAuthValidator();
-        OAuthAccessor acc = new OAuthAccessor(cons);
+        return verifyParameters(parameters.entrySet(), url, method, secret);
+    }
 
-        try {
-            oav.validateMessage(oam, acc);
-        } catch (Exception e) {
-            return new LtiVerificationResult(false, LtiError.BAD_REQUEST, "Failed to validate: " + e.getLocalizedMessage() + ", Parameters: " + Arrays.toString(parameters.entrySet().toArray()));
+    @Override
+    public LtiVerificationResult verifyParameters(Collection<? extends Map.Entry> parameters, String url, String method, String secret) throws LtiVerificationException {
+        OAuthMessage oam = new OAuthMessage(method, url, parameters);
+        String key = getKey(parameters, OAUTH_KEY_PARAMETER);
+        if(key == null) {
+            return new LtiVerificationResult(false, LtiError.BAD_REQUEST, "No key found in LTI request with parameters: " + Arrays.toString(parameters.toArray()));
+        } else {
+            OAuthConsumer cons = new OAuthConsumer(null, key, secret, null);
+            OAuthValidator oav = new SimpleOAuthValidator();
+            OAuthAccessor acc = new OAuthAccessor(cons);
+
+            try {
+                oav.validateMessage(oam, acc);
+            } catch (Exception e) {
+                return new LtiVerificationResult(false, LtiError.BAD_REQUEST, "Failed to validate: " + e.getLocalizedMessage() + ", Parameters: " + Arrays.toString(parameters.toArray()));
+            }
+            return new LtiVerificationResult(true, new LtiLaunch(parameters));
+        }
+    }
+
+    /**
+     * Given a collection of parameters, return the first value for the given key.
+     * returns null if no entry is found with the given key.
+     */
+    public static String getKey(Collection<? extends Map.Entry> parameters, String parameterName) {
+        for(Map.Entry<String, String> entry: parameters) {
+            if(entry.getKey().equals(parameterName)) {
+                return entry.getValue();
+            }
         }
-        return new LtiVerificationResult(true, new LtiLaunch(parameters));
+        return null;
     }
 }
diff --git a/src/main/java/org/imsglobal/lti/launch/LtiUser.java b/src/main/java/org/imsglobal/lti/launch/LtiUser.java
@@ -1,6 +1,7 @@
 package org.imsglobal.lti.launch;
 
 import javax.servlet.http.HttpServletRequest;
+import java.util.Collection;
 import java.util.LinkedList;
 import java.util.List;
 import java.util.Map;
@@ -33,6 +34,22 @@ public LtiUser(Map<String, String> parameters) {
         }
     }
 
+    public LtiUser(Collection<? extends Map.Entry> parameters) {
+        this.id = LtiOauthVerifier.getKey(parameters, "user_id");
+        this.roles = new LinkedList<>();
+        String parameterRoles = LtiOauthVerifier.getKey(parameters, "roles");
+        if(parameterRoles != null) {
+            for (String role : parameterRoles.split(",")) {
+                this.roles.add(role.trim());
+            }
+        }
+    }
+
+    public LtiUser(String id, List<String> roles) {
+        this.id = id;
+        this.roles = roles;
+    }
+
     public String getId() {
         return id;
     }
diff --git a/src/main/java/org/imsglobal/lti/launch/LtiVerifier.java b/src/main/java/org/imsglobal/lti/launch/LtiVerifier.java
@@ -2,6 +2,7 @@
 
 
 import javax.servlet.http.HttpServletRequest;
+import java.util.Collection;
 import java.util.Map;
 
 /**
@@ -24,13 +25,13 @@ public interface LtiVerifier {
      * information about the request).
      * @throws LtiVerificationException
      */
-    public LtiVerificationResult verify(HttpServletRequest request, String secret) throws LtiVerificationException;
+    LtiVerificationResult verify(HttpServletRequest request, String secret) throws LtiVerificationException;
 
     /**
      * This method will verify a list of properties (mapped
      * by key &amp; value).
-     * @param parameters the parameters that will be verified. mapped by key &amp; value
-     * @param url the url this request was made at
+     * @param parameters the parameters that will be verified. mapped by key &amp; value. This should only include parameters explicitly included in the body (not the url).
+     * @param url The url this request was made at. The url passed should be the same as sent for the request (along with any parameters).
      * @param method the method this url was requested with
      * @param secret the secret to verify the propertihes with
      * @return an LtiVerificationResult which will
@@ -39,6 +40,23 @@ public interface LtiVerifier {
      * information about the request).
      * @throws LtiVerificationException
      */
-    public LtiVerificationResult verifyParameters(Map<String, String> parameters, String url, String method, String secret) throws LtiVerificationException;
+    LtiVerificationResult verifyParameters(Map<String, String> parameters, String url, String method, String secret) throws LtiVerificationException;
+
+    /**
+     * This method will verify a list of properties (mapped
+     * by key &amp; value).
+     * @param parameters the parameters that will be verified. mapped by key &amp; value. This should only include parameters explicitly included in the body (not the url).
+     *                   The entries must be of type `Entry<String,String>`. If a specific key has multiple values (i.e. an array), each value must be in its own entry, each
+     *                   with the same key.
+     * @param url The url this request was made at. The url passed should be the same as sent for the request (along with any parameters).
+     * @param method the method this url was requested with
+     * @param secret the secret to verify the propertihes with
+     * @return an LtiVerificationResult which will
+     * contain information about the request (whether or
+     * not it is valid, and if it is valid, contextual
+     * information about the request).
+     * @throws LtiVerificationException
+     */
+    LtiVerificationResult verifyParameters(Collection<? extends Map.Entry> parameters, String url, String method, String secret) throws LtiVerificationException;
 
 }
