Search moodle.org's
Developer Documentation

See Release Notes
Long Term Support Release

  • Bug fixes for general core bugs in 4.1.x will end 13 November 2023 (12 months).
  • Bug fixes for security issues in 4.1.x will end 10 November 2025 (36 months).
  • PHP version: minimum PHP 7.4.0 Note: minimum PHP version has increased since Moodle 4.0. PHP 8.0.x is supported too.
/mod/lti/ -> OAuth.php (source)

Differences Between: [Versions 310 and 401] [Versions 311 and 401] [Versions 39 and 401] [Versions 400 and 401] [Versions 401 and 402] [Versions 401 and 403]

   1  <?php
   2  // This file is part of BasicLTI4Moodle
   3  //
   4  // BasicLTI4Moodle is an IMS BasicLTI (Basic Learning Tools for Interoperability)
   5  // consumer for Moodle 1.9 and Moodle 2.0. BasicLTI is a IMS Standard that allows web
   6  // based learning tools to be easily integrated in LMS as native ones. The IMS BasicLTI
   7  // specification is part of the IMS standard Common Cartridge 1.1 Sakai and other main LMS
   8  // are already supporting or going to support BasicLTI. This project Implements the consumer
   9  // for Moodle. Moodle is a Free Open source Learning Management System by Martin Dougiamas.
  10  // BasicLTI4Moodle is a project iniciated and leaded by Ludo(Marc Alier) and Jordi Piguillem
  11  // at the GESSI research group at UPC.
  12  // SimpleLTI consumer for Moodle is an implementation of the early specification of LTI
  13  // by Charles Severance (Dr Chuck) htp://dr-chuck.com , developed by Jordi Piguillem in a
  14  // Google Summer of Code 2008 project co-mentored by Charles Severance and Marc Alier.
  15  //
  16  // BasicLTI4Moodle is copyright 2009 by Marc Alier Forment, Jordi Piguillem and Nikolas Galanis
  17  // of the Universitat Politecnica de Catalunya http://www.upc.edu
  18  // Contact info: Marc Alier Forment granludo @ gmail.com or marc.alier @ upc.edu
  19  //
  20  // OAuth.php is distributed under the MIT License
  21  //
  22  // The MIT License
  23  //
  24  // Copyright (c) 2007 Andy Smith
  25  //
  26  // Permission is hereby granted, free of charge, to any person obtaining a copy
  27  // of this software and associated documentation files (the "Software"), to deal
  28  // in the Software without restriction, including without limitation the rights
  29  // to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
  30  // copies of the Software, and to permit persons to whom the Software is
  31  // furnished to do so, subject to the following conditions:
  32  //
  33  // The above copyright notice and this permission notice shall be included in
  34  // all copies or substantial portions of the Software.
  35  //
  36  // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
  37  // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
  38  // FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
  39  // AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
  40  // LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
  41  // OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
  42  // THE SOFTWARE.
  43  //
  44  // Moodle is free software: you can redistribute it and/or modify
  45  // it under the terms of the GNU General Public License as published by
  46  // the Free Software Foundation, either version 3 of the License, or
  47  // (at your option) any later version.
  48  //
  49  // Moodle is distributed in the hope that it will be useful,
  50  // but WITHOUT ANY WARRANTY; without even the implied warranty of
  51  // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  52  // GNU General Public License for more details.
  53  //
  54  // You should have received a copy of the GNU General Public License
  55  // along with Moodle. If not, see <http://www.gnu.org/licenses/>.
  56  
  57  /**
  58   * This file contains the OAuth 1.0a implementation used for support for LTI 1.1.
  59   *
  60   * @package    mod_lti
  61   * @copyright moodle
  62   * @license    http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
  63   */
  64  namespace moodle\mod\lti;//Using a namespace as the basicLTI module imports classes with the same names
  65  
  66  defined('MOODLE_INTERNAL') || die;
  67  
  68  $lastcomputedsignature = false;
  69  
  70  /**
  71   * Generic exception class
  72   */
  73  class OAuthException extends \Exception {
  74      // pass
  75  }
  76  
  77  /**
  78   * OAuth 1.0 Consumer class
  79   */
  80  class OAuthConsumer {
  81      public $key;
  82      public $secret;
  83  
  84      function __construct($key, $secret, $callback_url = null) {
  85          $this->key = $key;
  86          $this->secret = $secret;
  87          $this->callback_url = $callback_url;
  88      }
  89  
  90      function __toString() {
  91          return "OAuthConsumer[key=$this->key,secret=$this->secret]";
  92      }
  93  }
  94  
  95  class OAuthToken {
  96      // access tokens and request tokens
  97      public $key;
  98      public $secret;
  99  
 100      /**
 101       * key = the token
 102       * secret = the token secret
 103       */
 104      function __construct($key, $secret) {
 105          $this->key = $key;
 106          $this->secret = $secret;
 107      }
 108  
 109      /**
 110       * generates the basic string serialization of a token that a server
 111       * would respond to request_token and access_token calls with
 112       */
 113      function to_string() {
 114          return "oauth_token=" .
 115          OAuthUtil::urlencode_rfc3986($this->key) .
 116          "&oauth_token_secret=" .
 117          OAuthUtil::urlencode_rfc3986($this->secret);
 118      }
 119  
 120      function __toString() {
 121          return $this->to_string();
 122      }
 123  }
 124  
 125  class OAuthSignatureMethod {
 126      public function check_signature(&$request, $consumer, $token, $signature) {
 127          $built = $this->build_signature($request, $consumer, $token);
 128          return $built == $signature;
 129      }
 130  }
 131  
 132  
 133  /**
 134   * Base class for the HMac based signature methods.
 135   */
 136  abstract class OAuthSignatureMethod_HMAC extends OAuthSignatureMethod {
 137  
 138      /**
 139       * Name of the Algorithm used.
 140       *
 141       * @return string algorithm name.
 142       */
 143      abstract public function get_name(): string;
 144  
 145      public function build_signature($request, $consumer, $token) {
 146          global $lastcomputedsignature;
 147          $lastcomputedsignature = false;
 148  
 149          $basestring = $request->get_signature_base_string();
 150          $request->base_string = $basestring;
 151  
 152          $key_parts = array(
 153              $consumer->secret,
 154               ($token) ? $token->secret : ""
 155          );
 156  
 157          $key_parts = OAuthUtil::urlencode_rfc3986($key_parts);
 158          $key = implode('&', $key_parts);
 159  
 160          $computedsignature = base64_encode(hash_hmac(strtolower(substr($this->get_name(), 5)), $basestring, $key, true));
 161          $lastcomputedsignature = $computedsignature;
 162          return $computedsignature;
 163      }
 164  
 165  }
 166  
 167  /**
 168   * Implementation for SHA 1.
 169   */
 170  class OAuthSignatureMethod_HMAC_SHA1 extends OAuthSignatureMethod_HMAC {
 171      /**
 172       * Name of the Algorithm used.
 173       *
 174       * @return string algorithm name.
 175       */
 176      public function get_name(): string {
 177          return "HMAC-SHA1";
 178      }
 179  }
 180  
 181  /**
 182   * Implementation for SHA 256.
 183   */
 184  class OAuthSignatureMethod_HMAC_SHA256 extends OAuthSignatureMethod_HMAC {
 185      /**
 186       * Name of the Algorithm used.
 187       *
 188       * @return string algorithm name.
 189       */
 190      public function get_name(): string {
 191          return "HMAC-SHA256";
 192      }
 193  }
 194  
 195  class OAuthSignatureMethod_PLAINTEXT extends OAuthSignatureMethod {
 196      /**
 197       * Name of the Algorithm used.
 198       *
 199       * @return string algorithm name.
 200       */
 201      public function get_name(): string {
 202          return "PLAINTEXT";
 203      }
 204  
 205      public function build_signature($request, $consumer, $token) {
 206          $sig = array(
 207              OAuthUtil::urlencode_rfc3986($consumer->secret)
 208          );
 209  
 210          if ($token) {
 211              array_push($sig, OAuthUtil::urlencode_rfc3986($token->secret));
 212          } else {
 213              array_push($sig, '');
 214          }
 215  
 216          $raw = implode("&", $sig);
 217          // for debug purposes
 218          $request->base_string = $raw;
 219  
 220          return OAuthUtil::urlencode_rfc3986($raw);
 221      }
 222  }
 223  
 224  class OAuthSignatureMethod_RSA_SHA1 extends OAuthSignatureMethod {
 225      /**
 226       * Name of the Algorithm used.
 227       *
 228       * @return string algorithm name.
 229       */
 230      public function get_name(): string {
 231          return "RSA-SHA1";
 232      }
 233  
 234      protected function fetch_public_cert(&$request) {
 235          // not implemented yet, ideas are:
 236          // (1) do a lookup in a table of trusted certs keyed off of consumer
 237          // (2) fetch via http using a url provided by the requester
 238          // (3) some sort of specific discovery code based on request
 239          //
 240          // either way should return a string representation of the certificate
 241          throw new OAuthException("fetch_public_cert not implemented");
 242      }
 243  
 244      protected function fetch_private_cert(&$request) {
 245          // not implemented yet, ideas are:
 246          // (1) do a lookup in a table of trusted certs keyed off of consumer
 247          //
 248          // either way should return a string representation of the certificate
 249          throw new OAuthException("fetch_private_cert not implemented");
 250      }
 251  
 252      public function build_signature(&$request, $consumer, $token) {
 253          $base_string = $request->get_signature_base_string();
 254          $request->base_string = $base_string;
 255  
 256          // Fetch the private key cert based on the request
 257          $cert = $this->fetch_private_cert($request);
 258  
 259          // Pull the private key ID from the certificate
 260          $privatekeyid = openssl_get_privatekey($cert);
 261  
 262          // Sign using the key
 263          $ok = openssl_sign($base_string, $signature, $privatekeyid);
 264  
 265          // Avoid passing null values to base64_encode.
 266          if (!$ok) {
 267              throw new OAuthException("OpenSSL unable to sign data");
 268          }
 269  
 270          // TODO: Remove this block once PHP 8.0 becomes required.
 271          if (PHP_MAJOR_VERSION < 8) {
 272              // Release the key resource
 273              openssl_free_key($privatekeyid);
 274          }
 275  
 276          return base64_encode($signature);
 277      }
 278  
 279      public function check_signature(&$request, $consumer, $token, $signature) {
 280          $decoded_sig = base64_decode($signature);
 281  
 282          $base_string = $request->get_signature_base_string();
 283  
 284          // Fetch the public key cert based on the request
 285          $cert = $this->fetch_public_cert($request);
 286  
 287          // Pull the public key ID from the certificate
 288          $publickeyid = openssl_get_publickey($cert);
 289  
 290          // Check the computed signature against the one passed in the query
 291          $ok = openssl_verify($base_string, $decoded_sig, $publickeyid);
 292  
 293          // TODO: Remove this block once PHP 8.0 becomes required.
 294          if (PHP_MAJOR_VERSION < 8) {
 295              // Release the key resource
 296              openssl_free_key($publickeyid);
 297          }
 298  
 299          return $ok == 1;
 300      }
 301  }
 302  
 303  class OAuthRequest {
 304      private $parameters;
 305      private $http_method;
 306      private $http_url;
 307      // for debug purposes
 308      public $base_string;
 309      public static $version = '1.0';
 310      public static $POST_INPUT = 'php://input';
 311  
 312      function __construct($http_method, $http_url, $parameters = null) {
 313          @$parameters or $parameters = array();
 314          $this->parameters = $parameters;
 315          $this->http_method = $http_method;
 316          $this->http_url = $http_url;
 317      }
 318  
 319      /**
 320       * attempt to build up a request from what was passed to the server
 321       */
 322      public static function from_request($http_method = null, $http_url = null, $parameters = null) {
 323          $scheme = (!is_https()) ? 'http' : 'https';
 324          $port = "";
 325          if ($_SERVER['SERVER_PORT'] != "80" && $_SERVER['SERVER_PORT'] != "443" && strpos(':', $_SERVER['HTTP_HOST']) < 0) {
 326              $port = ':' . $_SERVER['SERVER_PORT'];
 327          }
 328          @$http_url or $http_url = $scheme .
 329          '://' . $_SERVER['HTTP_HOST'] .
 330          $port .
 331          $_SERVER['REQUEST_URI'];
 332          @$http_method or $http_method = $_SERVER['REQUEST_METHOD'];
 333  
 334          // We weren't handed any parameters, so let's find the ones relevant to
 335          // this request.
 336          // If you run XML-RPC or similar you should use this to provide your own
 337          // parsed parameter-list
 338          if (!$parameters) {
 339              // Find request headers
 340              $request_headers = OAuthUtil::get_headers();
 341  
 342              // Parse the query-string to find GET parameters
 343              $parameters = OAuthUtil::parse_parameters($_SERVER['QUERY_STRING']);
 344  
 345              $ourpost = $_POST;
 346              // Add POST Parameters if they exist
 347              $parameters = array_merge($parameters, $ourpost);
 348  
 349              // We have a Authorization-header with OAuth data. Parse the header
 350              // and add those overriding any duplicates from GET or POST
 351              if (@substr($request_headers['Authorization'], 0, 6) == "OAuth ") {
 352                  $header_parameters = OAuthUtil::split_header($request_headers['Authorization']);
 353                  $parameters = array_merge($parameters, $header_parameters);
 354              }
 355  
 356          }
 357  
 358          return new OAuthRequest($http_method, $http_url, $parameters);
 359      }
 360  
 361      /**
 362       * pretty much a helper function to set up the request
 363       */
 364      public static function from_consumer_and_token($consumer, $token, $http_method, $http_url, $parameters = null) {
 365          @$parameters or $parameters = array();
 366          $defaults = array(
 367              "oauth_version" => self::$version,
 368              "oauth_nonce" => self::generate_nonce(),
 369              "oauth_timestamp" => self::generate_timestamp(),
 370              "oauth_consumer_key" => $consumer->key
 371          );
 372          if ($token) {
 373              $defaults['oauth_token'] = $token->key;
 374          }
 375  
 376          $parameters = array_merge($defaults, $parameters);
 377  
 378          // Parse the query-string to find and add GET parameters
 379          $parts = parse_url($http_url);
 380          if (isset($parts['query'])) {
 381              $qparms = OAuthUtil::parse_parameters($parts['query']);
 382              $parameters = array_merge($qparms, $parameters);
 383          }
 384  
 385          return new OAuthRequest($http_method, $http_url, $parameters);
 386      }
 387  
 388      public function set_parameter($name, $value, $allow_duplicates = true) {
 389          if ($allow_duplicates && isset($this->parameters[$name])) {
 390              // We have already added parameter(s) with this name, so add to the list
 391              if (is_scalar($this->parameters[$name])) {
 392                  // This is the first duplicate, so transform scalar (string)
 393                  // into an array so we can add the duplicates
 394                  $this->parameters[$name] = array($this->parameters[$name]);
 395              }
 396  
 397              $this->parameters[$name][] = $value;
 398          } else {
 399              $this->parameters[$name] = $value;
 400          }
 401      }
 402  
 403      public function get_parameter($name) {
 404          return isset($this->parameters[$name]) ? $this->parameters[$name] : null;
 405      }
 406  
 407      public function get_parameters() {
 408          return $this->parameters;
 409      }
 410  
 411      public function unset_parameter($name) {
 412          unset($this->parameters[$name]);
 413      }
 414  
 415      /**
 416       * The request parameters, sorted and concatenated into a normalized string.
 417       * @return string
 418       */
 419      public function get_signable_parameters() {
 420          // Grab all parameters
 421          $params = $this->parameters;
 422  
 423          // Remove oauth_signature if present
 424          // Ref: Spec: 9.1.1 ("The oauth_signature parameter MUST be excluded.")
 425          if (isset($params['oauth_signature'])) {
 426              unset($params['oauth_signature']);
 427          }
 428  
 429          return OAuthUtil::build_http_query($params);
 430      }
 431  
 432      /**
 433       * Returns the base string of this request
 434       *
 435       * The base string defined as the method, the url
 436       * and the parameters (normalized), each urlencoded
 437       * and the concated with &.
 438       */
 439      public function get_signature_base_string() {
 440          $parts = array(
 441              $this->get_normalized_http_method(),
 442              $this->get_normalized_http_url(),
 443              $this->get_signable_parameters()
 444          );
 445  
 446          $parts = OAuthUtil::urlencode_rfc3986($parts);
 447  
 448          return implode('&', $parts);
 449      }
 450  
 451      /**
 452       * just uppercases the http method
 453       */
 454      public function get_normalized_http_method() {
 455          return strtoupper($this->http_method);
 456      }
 457  
 458      /**
 459       * Parses {@see http_url} and returns normalized scheme://host/path if non-empty, otherwise return empty string
 460       *
 461       * @return string
 462       */
 463      public function get_normalized_http_url() {
 464          if ($this->http_url === '') {
 465              return '';
 466          }
 467  
 468          $parts = parse_url($this->http_url);
 469  
 470          $port = @$parts['port'];
 471          $scheme = $parts['scheme'];
 472          $host = $parts['host'];
 473          $path = @$parts['path'];
 474  
 475          $port or $port = ($scheme == 'https') ? '443' : '80';
 476  
 477          if (($scheme == 'https' && $port != '443') || ($scheme == 'http' && $port != '80')) {
 478              $host = "$host:$port";
 479          }
 480          return "$scheme://$host$path";
 481      }
 482  
 483      /**
 484       * builds a url usable for a GET request
 485       */
 486      public function to_url() {
 487          $post_data = $this->to_postdata();
 488          $out = $this->get_normalized_http_url();
 489          if ($post_data) {
 490              $out .= '?'.$post_data;
 491          }
 492          return $out;
 493      }
 494  
 495      /**
 496       * builds the data one would send in a POST request
 497       */
 498      public function to_postdata() {
 499          return OAuthUtil::build_http_query($this->parameters);
 500      }
 501  
 502      /**
 503       * builds the Authorization: header
 504       */
 505      public function to_header() {
 506          $out = 'Authorization: OAuth realm=""';
 507          $total = array();
 508          foreach ($this->parameters as $k => $v) {
 509              if (substr($k, 0, 5) != "oauth") {
 510                  continue;
 511              }
 512              if (is_array($v)) {
 513                  throw new OAuthException('Arrays not supported in headers');
 514              }
 515              $out .= ',' .
 516              OAuthUtil::urlencode_rfc3986($k) .
 517              '="' .
 518              OAuthUtil::urlencode_rfc3986($v) .
 519              '"';
 520          }
 521          return $out;
 522      }
 523  
 524      public function __toString() {
 525          return $this->to_url();
 526      }
 527  
 528      public function sign_request($signature_method, $consumer, $token) {
 529          $this->set_parameter("oauth_signature_method", $signature_method->get_name(), false);
 530          $signature = $this->build_signature($signature_method, $consumer, $token);
 531          $this->set_parameter("oauth_signature", $signature, false);
 532      }
 533  
 534      public function build_signature($signature_method, $consumer, $token) {
 535          $signature = $signature_method->build_signature($this, $consumer, $token);
 536          return $signature;
 537      }
 538  
 539      /**
 540       * util function: current timestamp
 541       */
 542      private static function generate_timestamp() {
 543          return time();
 544      }
 545  
 546      /**
 547       * util function: current nonce
 548       */
 549      private static function generate_nonce() {
 550          $mt = microtime();
 551          $rand = mt_rand();
 552  
 553          return md5($mt.$rand); // md5s look nicer than numbers
 554      }
 555  }
 556  
 557  class OAuthServer {
 558      protected $timestamp_threshold = 300; // in seconds, five minutes
 559      protected $version = 1.0; // hi blaine
 560      protected $signature_methods = array();
 561      protected $data_store;
 562  
 563      function __construct($data_store) {
 564          $this->data_store = $data_store;
 565      }
 566  
 567      public function add_signature_method($signature_method) {
 568          $this->signature_methods[$signature_method->get_name()] = $signature_method;
 569      }
 570  
 571      // high level functions
 572  
 573      /**
 574       * process a request_token request
 575       * returns the request token on success
 576       */
 577      public function fetch_request_token(&$request) {
 578          $this->get_version($request);
 579  
 580          $consumer = $this->get_consumer($request);
 581  
 582          // no token required for the initial token request
 583          $token = null;
 584  
 585          $this->check_signature($request, $consumer, $token);
 586  
 587          $new_token = $this->data_store->new_request_token($consumer);
 588  
 589          return $new_token;
 590      }
 591  
 592      /**
 593       * process an access_token request
 594       * returns the access token on success
 595       */
 596      public function fetch_access_token(&$request) {
 597          $this->get_version($request);
 598  
 599          $consumer = $this->get_consumer($request);
 600  
 601          // requires authorized request token
 602          $token = $this->get_token($request, $consumer, "request");
 603  
 604          $this->check_signature($request, $consumer, $token);
 605  
 606          $new_token = $this->data_store->new_access_token($token, $consumer);
 607  
 608          return $new_token;
 609      }
 610  
 611      /**
 612       * verify an api call, checks all the parameters
 613       */
 614      public function verify_request(&$request) {
 615          global $lastcomputedsignature;
 616          $lastcomputedsignature = false;
 617          $this->get_version($request);
 618          $consumer = $this->get_consumer($request);
 619          $token = $this->get_token($request, $consumer, "access");
 620          $this->check_signature($request, $consumer, $token);
 621          return array(
 622              $consumer,
 623              $token
 624          );
 625      }
 626  
 627      // Internals from here
 628      /**
 629       * version 1
 630       */
 631      private function get_version(&$request) {
 632          $version = $request->get_parameter("oauth_version");
 633          if (!$version) {
 634              $version = 1.0;
 635          }
 636          if ($version && $version != $this->version) {
 637              throw new OAuthException("OAuth version '$version' not supported");
 638          }
 639          return $version;
 640      }
 641  
 642      /**
 643       * figure out the signature with some defaults
 644       */
 645      private function get_signature_method(&$request) {
 646          $signature_method = @ $request->get_parameter("oauth_signature_method");
 647          if (!$signature_method) {
 648              $signature_method = "PLAINTEXT";
 649          }
 650          if (!in_array($signature_method, array_keys($this->signature_methods))) {
 651              throw new OAuthException("Signature method '$signature_method' not supported " .
 652              "try one of the following: " .
 653              implode(", ", array_keys($this->signature_methods)));
 654          }
 655          return $this->signature_methods[$signature_method];
 656      }
 657  
 658      /**
 659       * try to find the consumer for the provided request's consumer key
 660       */
 661      private function get_consumer(&$request) {
 662          $consumer_key = @ $request->get_parameter("oauth_consumer_key");
 663          if (!$consumer_key) {
 664              throw new OAuthException("Invalid consumer key");
 665          }
 666  
 667          $consumer = $this->data_store->lookup_consumer($consumer_key);
 668          if (!$consumer) {
 669              throw new OAuthException("Invalid consumer");
 670          }
 671  
 672          return $consumer;
 673      }
 674  
 675      /**
 676       * try to find the token for the provided request's token key
 677       */
 678      private function get_token(&$request, $consumer, $token_type = "access") {
 679          $token_field = @ $request->get_parameter('oauth_token');
 680          if (!$token_field) {
 681              return false;
 682          }
 683          $token = $this->data_store->lookup_token($consumer, $token_type, $token_field);
 684          if (!$token) {
 685              throw new OAuthException("Invalid $token_type token: $token_field");
 686          }
 687          return $token;
 688      }
 689  
 690      /**
 691       * all-in-one function to check the signature on a request
 692       * should guess the signature method appropriately
 693       */
 694      private function check_signature(&$request, $consumer, $token) {
 695          // this should probably be in a different method
 696          global $lastcomputedsignature;
 697          $lastcomputedsignature = false;
 698  
 699          $timestamp = @ $request->get_parameter('oauth_timestamp');
 700          $nonce = @ $request->get_parameter('oauth_nonce');
 701  
 702          $this->check_timestamp($timestamp);
 703          $this->check_nonce($consumer, $token, $nonce, $timestamp);
 704  
 705          $signature_method = $this->get_signature_method($request);
 706  
 707          $signature = $request->get_parameter('oauth_signature');
 708          $valid_sig = $signature_method->check_signature($request, $consumer, $token, $signature);
 709  
 710          if (!$valid_sig) {
 711              $ex_text = "Invalid signature";
 712              if ($lastcomputedsignature) {
 713                  $ex_text = $ex_text . " ours= $lastcomputedsignature yours=$signature";
 714              }
 715              throw new OAuthException($ex_text);
 716          }
 717      }
 718  
 719      /**
 720       * check that the timestamp is new enough
 721       */
 722      private function check_timestamp($timestamp) {
 723          // verify that timestamp is recentish
 724          $now = time();
 725          if ($now - $timestamp > $this->timestamp_threshold) {
 726              throw new OAuthException("Expired timestamp, yours $timestamp, ours $now");
 727          }
 728      }
 729  
 730      /**
 731       * check that the nonce is not repeated
 732       */
 733      private function check_nonce($consumer, $token, $nonce, $timestamp) {
 734          // verify that the nonce is uniqueish
 735          $found = $this->data_store->lookup_nonce($consumer, $token, $nonce, $timestamp);
 736          if ($found) {
 737              throw new OAuthException("Nonce already used: $nonce");
 738          }
 739      }
 740  
 741  }
 742  
 743  class OAuthDataStore {
 744      function lookup_consumer($consumer_key) {
 745          // implement me
 746      }
 747  
 748      function lookup_token($consumer, $token_type, $token) {
 749          // implement me
 750      }
 751  
 752      function lookup_nonce($consumer, $token, $nonce, $timestamp) {
 753          // implement me
 754      }
 755  
 756      function new_request_token($consumer) {
 757          // return a new token attached to this consumer
 758      }
 759  
 760      function new_access_token($token, $consumer) {
 761          // return a new access token attached to this consumer
 762          // for the user associated with this token if the request token
 763          // is authorized
 764          // should also invalidate the request token
 765      }
 766  
 767  }
 768  
 769  class OAuthUtil {
 770      public static function urlencode_rfc3986($input) {
 771          if (is_array($input)) {
 772              return array_map(array(
 773                  'moodle\mod\lti\OAuthUtil',
 774                  'urlencode_rfc3986'
 775              ), $input);
 776          } else {
 777              if (is_scalar($input)) {
 778                  return str_replace('+', ' ', str_replace('%7E', '~', rawurlencode($input)));
 779              } else {
 780                  return '';
 781              }
 782          }
 783      }
 784  
 785      // This decode function isn't taking into consideration the above
 786      // modifications to the encoding process. However, this method doesn't
 787      // seem to be used anywhere so leaving it as is.
 788      public static function urldecode_rfc3986($string) {
 789          return urldecode($string);
 790      }
 791  
 792      // Utility function for turning the Authorization: header into
 793      // parameters, has to do some unescaping
 794      // Can filter out any non-oauth parameters if needed (default behaviour)
 795      public static function split_header($header, $only_allow_oauth_parameters = true) {
 796          $pattern = '/(([-_a-z]*)=("([^"]*)"|([^,]*)),?)/';
 797          $offset = 0;
 798          $params = array();
 799          while (preg_match($pattern, $header, $matches, PREG_OFFSET_CAPTURE, $offset) > 0) {
 800              $match = $matches[0];
 801              $header_name = $matches[2][0];
 802              $header_content = (isset($matches[5])) ? $matches[5][0] : $matches[4][0];
 803              if (preg_match('/^oauth_/', $header_name) || !$only_allow_oauth_parameters) {
 804                  $params[$header_name] = self::urldecode_rfc3986($header_content);
 805              }
 806              $offset = $match[1] + strlen($match[0]);
 807          }
 808  
 809          if (isset($params['realm'])) {
 810              unset($params['realm']);
 811          }
 812  
 813          return $params;
 814      }
 815  
 816      // helper to try to sort out headers for people who aren't running apache
 817      public static function get_headers() {
 818          if (function_exists('apache_request_headers')) {
 819              // we need this to get the actual Authorization: header
 820              // because apache tends to tell us it doesn't exist
 821              $in = apache_request_headers();
 822              $out = array();
 823              foreach ($in as $key => $value) {
 824                  $key = str_replace(" ", "-", ucwords(strtolower(str_replace("-", " ", $key))));
 825                  $out[$key] = $value;
 826              }
 827              return $out;
 828          }
 829          // otherwise we don't have apache and are just going to have to hope
 830          // that $_SERVER actually contains what we need
 831          $out = array();
 832          foreach ($_SERVER as $key => $value) {
 833              if (substr($key, 0, 5) == "HTTP_") {
 834                  // this is chaos, basically it is just there to capitalize the first
 835                  // letter of every word that is not an initial HTTP and strip HTTP
 836                  // code from przemek
 837                  $key = str_replace(" ", "-", ucwords(strtolower(str_replace("_", " ", substr($key, 5)))));
 838                  $out[$key] = $value;
 839              }
 840          }
 841          return $out;
 842      }
 843  
 844      // This function takes a input like a=b&a=c&d=e and returns the parsed
 845      // parameters like this
 846      // array('a' => array('b','c'), 'd' => 'e')
 847      public static function parse_parameters($input) {
 848          if (!isset($input) || !$input) {
 849              return array();
 850          }
 851  
 852          $pairs = explode('&', $input);
 853  
 854          $parsed_parameters = array();
 855          foreach ($pairs as $pair) {
 856              $split = explode('=', $pair, 2);
 857              $parameter = self::urldecode_rfc3986($split[0]);
 858              $value = isset($split[1]) ? self::urldecode_rfc3986($split[1]) : '';
 859  
 860              if (isset($parsed_parameters[$parameter])) {
 861                  // We have already recieved parameter(s) with this name, so add to the list
 862                  // of parameters with this name
 863  
 864                  if (is_scalar($parsed_parameters[$parameter])) {
 865                      // This is the first duplicate, so transform scalar (string) into an array
 866                      // so we can add the duplicates
 867                      $parsed_parameters[$parameter] = array(
 868                          $parsed_parameters[$parameter]
 869                      );
 870                  }
 871  
 872                  $parsed_parameters[$parameter][] = $value;
 873              } else {
 874                  $parsed_parameters[$parameter] = $value;
 875              }
 876          }
 877          return $parsed_parameters;
 878      }
 879  
 880      public static function build_http_query($params) {
 881          if (!$params) {
 882              return '';
 883          }
 884  
 885          // Urlencode both keys and values
 886          $keys = self::urlencode_rfc3986(array_keys($params));
 887          $values = self::urlencode_rfc3986(array_values($params));
 888          $params = array_combine($keys, $values);
 889  
 890          // Parameters are sorted by name, using lexicographical byte value ordering.
 891          // Ref: Spec: 9.1.1 (1)
 892          uksort($params, 'strcmp');
 893  
 894          $pairs = array();
 895          foreach ($params as $parameter => $value) {
 896              if (is_array($value)) {
 897                  // If two or more parameters share the same name, they are sorted by their value
 898                  // Ref: Spec: 9.1.1 (1)
 899                  natsort($value);
 900                  foreach ($value as $duplicate_value) {
 901                      $pairs[] = $parameter . '=' . $duplicate_value;
 902                  }
 903              } else {
 904                  $pairs[] = $parameter . '=' . $value;
 905              }
 906          }
 907          // For each parameter, the name is separated from the corresponding value by an '=' character (ASCII code 61)
 908          // Each name-value pair is separated by an '&' character (ASCII code 38)
 909          return implode('&', $pairs);
 910      }
 911  }