MarkUsProject / Markus / 18991026219

class LtiDeploymentsController < ApplicationController

  skip_verify_authorized except: [:choose_course]

  skip_forgery_protection except: [:choose_course]

  before_action :authenticate, :check_course_switch, :check_record,

  before_action(except: [:get_config, :launch, :public_jwk, :redirect_login]) { authorize! }

  before_action :check_host, only: [:launch, :redirect_login]

  USE_SECURE_COOKIES = !Rails.env.local?

  def launch

    if params[:client_id].blank? || params[:login_hint].blank? ||

      head :unprocessable_content

      return

    nonce = rand(10 ** 30).to_s.rjust(30, '0')

    session_nonce = rand(10 ** 30).to_s.rjust(30, '0')

    lti_launch_data = {}

    lti_launch_data[:client_id] = params[:client_id]

    lti_launch_data[:iss] = params[:iss]

    lti_launch_data[:nonce] = nonce

    lti_launch_data[:state] = session_nonce

    cookies.permanent.encrypted[:lti_launch_data] =

      scope: 'openid',

    auth_request_uri = construct_redirect_with_port(request.referer, endpoint: self.class::LMS_REDIRECT_ENDPOINT)

    http = Net::HTTP.new(auth_request_uri.host, auth_request_uri.port)

    http.use_ssl = true if auth_request_uri.instance_of? URI::HTTPS

    req = Net::HTTP::Post.new(auth_request_uri)

    req.set_form_data(auth_params)

    res = http.request(req)

    location = URI(res['location'])

    location.query = auth_params.to_query

    redirect_to location.to_s, allow_other_host: true

  def redirect_login

    if request.post?

      lti_launch_data = JSON.parse(cookies.encrypted[:lti_launch_data]).symbolize_keys

      if params[:id_token].blank? || params[:state] != lti_launch_data[:state]

        render 'shared/http_status', locals: { code: '422', message: I18n.t('lti.config_error') },

        return

      jwk_url = construct_redirect_with_port(request.referer, endpoint: self.class::LMS_JWK_ENDPOINT)

      lms_jwks = JSON.parse(Net::HTTP.get_response(jwk_url).body)

        decoded_token = JWT.decode(

        lti_params = decoded_token[0]

        unless lti_params['nonce'] == lti_launch_data[:nonce]

      lti_data = { host: construct_redirect_with_port(request.referer).to_s,

      if lti_params.key?(LtiDeployment::LTI_CLAIMS[:names_role])

      if lti_params.key?(LtiDeployment::LTI_CLAIMS[:ags_lineitem])

      lti_data[:lti_user_id] = lti_params[LtiDeployment::LTI_CLAIMS[:user_id]]

      unless logged_in?

    elsif logged_in? && cookies.encrypted[:lti_data].present?

      lti_data = JSON.parse(cookies.encrypted[:lti_data]).symbolize_keys

      cookies.delete(:lti_data)

      render 'shared/http_status', locals: { code: '422', message: I18n.t('lti.config_error') },

      return

    lti_client = LtiClient.find_or_create_by(client_id: lti_data[:client_id], host: lti_data[:host])

    lti_deployment = LtiDeployment.find_or_initialize_by(lti_client: lti_client,

    lti_deployment.update!(lms_course_name: lti_data[:lms_course_name])

    session[:lti_course_label] = lti_data[:lms_course_label]

    if lti_data.key?(:names_role_service)

    if lti_data.key?(:line_items)

    LtiUser.find_or_create_by(user: @real_user, lti_client: lti_client,

    if lti_deployment.course.nil?

      has_privileged_role = lti_data[:user_roles].any? do |role_uri|

        LtiDeployment::LTI_PRIVILEGED_ROLES.include?(role_uri)

      has_ta_role = lti_data[:user_roles].include?(LtiDeployment::LTI_ROLES[:ta])

      if has_privileged_role && !has_ta_role

        redirect_to choose_course_lti_deployment_path(lti_deployment)

        redirect_to course_not_set_up_lti_deployment_path(lti_deployment)

    cookies.delete(:lti_launch_data)

  def public_jwk

    key = OpenSSL::PKey::RSA.new File.read(LtiClient::KEY_PATH)

    jwk = JWT::JWK.new(key)

    render json: { keys: [jwk.export] }

  def course_not_set_up

  def choose_course

    @lti_deployment = record

    if request.post?

        course = Course.find(params[:course])

        unless allowed_to?(:manage_lti_deployments?, course, with: CoursePolicy)

          flash_message(:error, t('lti.course_link_error'))

          render 'choose_course'

          return

        @lti_deployment.update!(course: course)

        flash_message(:success, t('lti.course_link_success', markus_course_name: course.name))

        redirect_to course_path(course)

  def check_host

    known_lti_hosts = Settings.lti.domains

    known_lti_hosts << URI(root_url).host

    if known_lti_hosts.exclude?(URI(request.referer).host)

      render 'shared/http_status', locals: { code: '422', message: I18n.t('lti.config_error') },

  def create_course

    if LtiConfig.respond_to?(:allowed_to_create_course?) && !LtiConfig.allowed_to_create_course?(record)

      @title = I18n.t('lti.course_creation_denied')

      @message = format(

      render 'message', status: :forbidden

      return

    name = params['name'].gsub(/[^a-zA-Z0-9\-_]/, '-')  # Sanitize name to comply with Course name validation

    new_course = Course.find_or_initialize_by(name: name)

    unless new_course.new_record?

      flash_message(:error, I18n.t('lti.course_exists'))

      redirect_to choose_course_lti_deployment_path

      return

    new_course.update!(display_name: params['display_name'], is_hidden: true)

    if current_user.admin_user?

      AdminRole.find_or_create_by(user: current_user, course: new_course)

      Instructor.find_or_create_by(user: current_user, course: new_course)

    lti_deployment = record

    lti_deployment.update!(course: new_course)

    redirect_to edit_course_path(new_course)

  def get_config

  def construct_redirect_with_port(url, endpoint: nil)

    referer = URI(url)

    referer_host = "#{referer.scheme}://#{referer.host}"

    referer_host_with_port = "#{referer_host}:#{referer.port}"

    referer_host = referer_host_with_port if referer.to_s.start_with?(referer_host_with_port)

    URI("#{referer_host}#{endpoint}")

  def default_url_options(_options = {})

    {}