|;i UdZddlZddlZddlZddlZddlZddlZddlmZmZddl m Z m Z m Z ddl mZddlmZmZmZmZmZmZmZddlmZmZmZddlmZdd lmZdd lm Z dd l!m"Z"m#Z#dd l$m%Z%dd l&m'Z'ddl(m)Z)m*Z*ddl&m+Z+ddl,m-Z-ddl.Z.ddl m/Z/ddl0m1Z1m2Z2m3Z3m4Z4m5Z5m6Z6ddl7m8Z9ddl:m;Z;e;eZZ>m?Z?m@Z@mAZAmBZBmCZCmDZDmEZEmFZFmGZGmHZHejejejeLZMejddZOejeOdejddZQeOdeQZRdZSdeTdeUfd ZVdgd!eUfd"ZWeXeRd#5ZYe)jeYjde-$Z\ddde\jjZ_d%d&d'eSeVe_jeVe_jd(ZbiZciZde eUeUfeed)<deTfd*Zfd+eUd,eUd!eUdeUfd-Zgd.eUde e5fd/Zhd0eUdeUfd1Zid2eUfd3ZjeeUde fd?Zpe LTI launch (id_token verification) - Token exchange (client_assertion JWT) - Calls to Names & Roles / AGS / Deep Linking - JWKS hosting for the Tool (demo) N)datetime timedelta)DictAnyOptional) urlencode)FastAPI APIRouterDependsRequestResponseForm HTTPException)RedirectResponse JSONResponse HTMLResponse) StaticFiles)URL) BaseModel)jwtjwk)base64url_decode)rsa) serializationhashes)padding)default_backend)urlparse) LMSPlatform DeploymentUser UserCourseLog AccessToken LoginState) load_dotenv) TOOL_CLIENT_IDTOOL_REDIRECT_URI TOOL_BASE_URLTOOL_JWKS_PATH TOOL_JWKS_URL PLATFORM_ISSPLATFORM_OIDC_AUTHPLATFORM_TOKEN_URLPLATFORM_JWKS_URL DEPLOYMENT_IDSCOPES)level TOOL_KEY_DIRz./keysT)exist_okTOOL_PRIVATE_KEY_PEMz private.pem/ tool-key-1valreturnc|j|jdzdzd}tj|j dj dS)z1Convert integer to base64url string (no padding).big) byteorder=zutf-8)to_bytes bit_lengthbase64urlsafe_b64encoderstripdecode)r7 int_bytess ./var/www/html/content_weaver/routers/canvas.py b64url_uintrGHsL cnn.2q8E JI  # #I . 5 5d ; B B7 KKkidc tjddt}ttd5}|j |j tjjtjjtjdddtd|j}|j}ddd t t#|j$t#|j&d }tt(d d 5}t+j,||d dddtd|S#1swYxYw#1swY"xYw)Nii)public_exponentkey_sizebackendwbencodingformatencryption_algorithmu$✅ Saved private key to private.pemRSARS256sigktyalguserInez/public_jwk.jsonw)indentu'✅ Saved public JWK to public_jwk.json)rgenerate_private_keyropenPRIVATE_KEY_PATHwrite private_bytesrEncodingPEM PrivateFormatPKCS8 NoEncryptionprint public_keypublic_numbersPRIVATE_KEY_KIDrGrZr[r2jsondump)rI private_keyfrjnumbersrs rFgenerate_rsa_keypairrrMs***!K  %    % %&//33$2288%2%?%?%A &    01'')J'')G  #  #  C ./ 5$ #q#$ 34 J9  0$$sA&D>E >E ErbpasswordrMrSrTrUrV NONCE_STOREc<ttjSN)inttimerHrFnowr|s tyy{ rH client_id token_urlc ttjj}|dz}|||||t t j d}|jtjjtjjtj}d|d}tjd|tjd|t!j"||d|S) zO Create a signed JWT client assertion for Canvas OAuth2 token request. i,)isssubaudiatexpjtirOrT)rXrIzClient assertion headers: %szClient assertion payload: %s algorithmheaders)ryrutcnow timestampstruuiduuid4rcrrdrerfrgrhloggerinforencode) r}r~rorIrrpayloadpemrs rFcreate_client_assertionrs hoo))+ ,C )C4::< G  # #''++**00*779 $ C c*G KK.8 KK.8 ::gsgw GGrHemailc|jtjtj|k(j }|jt jt j |jk(tj|k(jt jjj }|r.|jtjkDr |jSyyrx)queryr!filterrfirstr#user_ididorder_by expires_atdescrrtoken)dbruserrs rFget_latest_tokenrs 88D> u!4 5 ; ; =D $$   477 * JJ%   (;))..0 1%%'   !!HOO$55{{6urHscopectj}|jtj tj |j k(tj|j k(tj|j k(tj|k(tj|kDjtjjj}|r |jSt|j |j"t$t&}t(j+d|dd||d}t(j+d|t-j.|j"|} t(j+d| j0| j3| j5} | d } | j7d d } |t9| z} t|j |j |j || | }|j;||j=|j?||jS)z Return a valid access_token for the given platform/deployment/user/scope. If expired or missing, request a new one from Canvas and store it. )r}r~rorIzclient_assertion: %sclient_credentialsz6urn:ietf:params:oauth:client-assertion-type:jwt-bearer) grant_typeclient_assertion_typeclient_assertionrzToken request payload: %s)datazToken response status: %s access_token expires_ini)seconds) platform_id deployment_idrrrr) rrrr#rrrrrrrrrrrrr}r~ PRIVATE_KEYrlrrhttpxposttextraise_for_statusrmgetraddcommitrefresh)rplatform deploymentrrr|rrrresponse token_jsonrrr new_tokens rFget_valid_tokenrs // C    # #x{{ 2  % % 6   477 *    &  " "S (   +((--/ 0   {{/$$$$   KK&(89*!Y, G  KK+W5zz(,,7;H KK+X]]; Jn-L d3Jy44JKK mm IFF9IIKJJy ??rH tenant_domainc|d}|d}|d}|d}|jdi}|jdd}|jdd} |jtj|| j } | sEt||| |||| } |j | |j |j| n3|| _| | _ || _ || _ || _ |j |d } |jtj| j| j } | sIt| j| } |j | |j |j| |d } |jdg}d|vrd}nd}|jtj|jdj }|st|jd|jd|jd|jd| j| t!j"|d|dddt%j&t%j&}|j ||j |j||dk(rDt)|jd| jd}|j ||j | | |fS)Nrr/api/lti/security/jwksz/login/oauth2/token7https://purl.imsglobal.org/spec/lti/claim/tool_platformnameguidissuerr}rr tenant_id tenant_namer}jwks_urlr~7https://purl.imsglobal.org/spec/lti/claim/deployment_id)rrr/https://purl.imsglobal.org/spec/lti/claim/rolesGhttp://purl.imsglobal.org/vocab/lis/v2/institution/person#Administratorr]rr given_name family_nameactiver)r first_name last_namerrr lti_roles is_activerole_idsubscription_statusis_email_verifiedis_phone_verified created_at updated_at Credit)rnumber_of_coursertype)rrr filter_byrrrrrrrrr~r rr!rmdumpsrrr")r decoded_tokenrrr}rr~tool_plateform platform_namerrrrrrolesrrUserCourseLogEntrys rF store_launchrs 5 !Fe$I  67H /!45I #&&'`bdeN"&&vr2M $$VR0Kxx $../ eg  '!%  x  8"/&*$& ""[\M*%//KK#0 eg HKK}U  z  :  C   OQS TEPTYY 88D> # #-*;*;G*D # E K K MD ""6*$((6#'' 6##G,  5) (((  t   4 a
)nextdbaseget_db REGISTRATIONSrrrrrr0r Exceptionrdict__dict__osgetenvjoinrr}rrr)rrregruser_subrrrrrrrr[ roster_data lti_user_idrr FRONTEND_APPresource_link_claim resource_idresource_title context_id context_titlerrrrhtmls rF launch_pagers elln B   I &C 4GHH)nG{{5!H KKI2 NE KK) KK*G4GGO,M{{5!4STT!-b'=!IHj$ 6NE77>*Lq&r8ZuM K++PQUUV_`K KK E ;;v D99_.UVL!++&_acd%))$3K(,,Wb9NPRTUYYZ^`bcJKK SUWX\\]dfhiM[[!Z\^_N"&&vr2M $$VR0K(,,-BBG HHUOE% % %  .% !0% 19/@ % A0 %  19z %  :6 %  7?6H6H5I %  J6 % 7@[% A4% 5@=% A8% 9=y% AA% BF% GM% NSG% TB% CJ++lB[A\% ]C% DK;;}C]B^% _9% :?% @H% INw% O9%  :F!%  G:!% ";H#% "IE#% $FSO%% $T>%% &?I>V>V=W'% &X<'% (=I>)% (J7)% *8Bl+% *C:+% ,;H-% ,I=-% .>IM/% .J@/% 0AO?O1% 0PH1% 2IT}3% 2UH3% 4IV5% 4WW5% 6XkVk7% 6l27% :38;% :9;% DL  { q6RSVWXSYRZZ\]b\ccefjksk|k|f}@DEOEXEX@Y[_`d`m`m[ngnfo5pq qqs,C0N3LHN M>AM99M>>Nrc|jd}|s tdd|d}td} tj d|dd |i}t j|| }|j |jS#t$r6}tjd t|d t|icYd}~Sd}~wwxYw) N?https://purl.imsglobal.org/spec/lti-nrps/claim/namesroleservicerNo NRPS endpoint in id_tokenrcontext_memberships_urlrzUsing access token: %s AuthorizationBearer )rzFailed to fetch roster: %serror) rrr0rrrrrmr r"r)rr nrps_claim context_urlrrrespr[s rF fetch_rosterr&s^_J 4RSS67K 6NE ! ,l;"gl^$<=yyg6 yy{ ! 13q6:Q  !sAB C +B>8C>Cz /oidc/loginrequestc `Kttj}t|j}|j dk(r)|j d{}|j||jd}|jd}|jd}|jd}|jjdxs|jjd}d} |r&t|} | jd | j} | s0|r. tj|} | jd } | rd | } t"j%d | t't)j*}t-|| }|j/||j1t't)j*}dt2|<ddt4t6d||||dd }t8dt;|}t=t'|S7#t$r} t!d | Yd} ~ d} ~ wwxYww)zq OIDC login initiation endpoint. Canvas may call this with POST (hidden form) or GET (query params). rNrrrrrefereroriginz:// canvas_domainzhttps://z"Failed to decode lti_message_hint:zDetected tenant domain: %s)rrpendingid_token form_postopenidnone) response_type response_moder} redirect_urirrrnoncerprompt?)rrrr  query_paramsmethodformupdaterrrschemenetlocrget_unverified_claimsr rirrrrrr$rrrvr&r'r,rr)r'rrr9rrrrr)rparsed decoded_hintr+r[r login_stater4redirect_paramsrs rF oidc_loginrBs elln B '&& 'F~~\\^# d **U CL)Jjj!23Ozz"45oo!!),M0C0CH0MGM'"!==/V]]O<  - ;445EFL(,,_=M"*=/ :  KK,m<  E5 FKFF;IIK  E"K$$#) , O )O"C CH %%m$, ; 6 : : ;s>AH.H B?H.-H CH. H+ H&!H.&H++H.c,eZdZUeed<dZeeed<y)OIDCLaunchFormr-Nr4)__name__ __module__ __qualname__r__annotations__r4rr{rHrFrDrD?sME8C=rHrDz/oidc/callbackcKttj}|jd{}|j d{}|j d}|j d}|sdt ||jdS|jtj|j}|s tdd |j}|s tdd tjd |t!j"4d{}|j |d d{} | j%} dddd{t'j(|} | j d tfd dDd} | s tdd  t'j|| dgt*t,} | j d}t1t3j4}| ||t7t9j8dt:|<|j=||j?| j dt@d}|d|}tC|S7>7)7[7B7%#1d{7swY6xYw#t.$r}tddt1| d}~wwxYww)z OIDC callback endpoint. Canvas POSTs here with id_token + state. After verifying, redirect to target_link_uri (the launch page). Nr-rzCanvas did not send id_token)r"r9raw)rrzInvalid or expired staterzMissing tenant domain for statez"Using tenant domain from state: %srrIc34K|]}|dk(s |yw)rINr{).0krIs rF z oidc_callback..hs;a1U8s?;s rzNo matching JWKS keyrT) algorithmsaudiencerzInvalid id_token: r)rrr issued_atz9https://purl.imsglobal.org/spec/lti/claim/target_link_uriz/canvas/launchz ?launch_id=)"rrrbodyr9rr rDrr$rrrrrrr AsyncClientrmrget_unverified_headerr&r+r rrrryrzr deleterr(r)r'rrJr9r-rr@rclientrrheaderkeyrr[rrr redirect_urlrIs @rF oidc_callbackr[Cst elln B  C Dxx #H HHW E 7dTWT^T^T`aa((:&00u0=CCEK 4NOO--M 4UVV KK4mD  "f** .DEF Fvvx  & &x 0F **U C ;4<;T BC 4JKK S**  y#  KK YZM DJJL!I &%  M)IIkIIKkkC /(O &&k)=L L ))O  & F* S6HQ4QRRSs1KI2K I5 CKI8K!J9I;:J KI>AK,#JB$K5K8K;J>KJJ JK J> J99J>>Kz/lti/canvasdata. canvas_datacKttj}|stdddiSt j |}t jd|i}|jdrd|jd}t jd|jd|jtj|jd j}|r=t jd t|jt jd |j|j s|jt"j|jd r|jd nt$|jd r|jd n|j}|st#|jd r|jd nt$|jd|jd|jd|jd r|jd n|dd}|j'||j)|j+|nR|jd|_|jd|_|jd|_|j)|j2|_|j)|j2|j4|j|j |j6d}n>t j9d|jt"j|jd r|jd nt$|jd r|jd n|j}|st#|jd r|jd nt$|jd|jd|jd|jd r|jd n|dd}|j'||j)|j+|nR|jd|_|jd|_|jd|_|j)|jdd}t;|t<r>|j?dDcgc]#}|jAs|jA%} }nXt;|tBtDfr@|Dcgc]4}t;|t<s|jAs%|jA6} }ng} |jddk(sd|jdvsd| vrd} nd} t|jdd|jdd|jd d|jd|j2|jd!t=tGjHt jJ| d"| d#d$d$tMjNtMjNtMjN%}|j'||j)|j+|| dk(rDtQ|j2|j2d&d'(} |j'| |j)|j2|j4|j|j |j6d}t jd)nt j9d*td+|d,Scc}wcc}ww)-zv Canvas Data Webhook endpoint. Canvas can POST data exports here. canvas_data is a large JSON string. rr"zMissing canvas_data)rcontentz Received Canvas Data webhook: %scustom_canvas_user_login_idzLTI-1p0-client-zData for user: %srz User Data: %szFound user in DB: %srr}rcustom_canvas_api_domaintool_consumer_instance_guidtool_consumer_instance_namerr)rrrrrzUser not found in DB ext_rolesrrz&urn:lti:instrole:ims/lis/Administratorrrr]lis_person_name_fullUnknownlis_person_name_givenlis_person_name_familyrrrr)rrrrrrrrrrrractivation_daterrrr)rrrrzCreated new user in DBzNo user login ID in payloadreceived)statusr))rrrrrmloadsrrrrr!rrr r rrrr+rrrrrrrrrwarning isinstancersplitstriplisttuplerrrrrr") r\rr user_datacustom_client_idrr ext_roles_rawrWrcrrs rFcanvas_data_webhookrus elln B 34  jj%G KK2G<I{{01,W[[9V-W,XY '5R)STxx~''gkk:W.X'Y__a  KKdmm)< = KK. ;##88K0::18U1C7;;u-:A++k:Rgkk+6Xh;%' *5<[[5Gw{{51\&-kk2L&M")++.K"L$+KK0M$N>Ekk+>V'++k":\l!#"$ HFF8$IIKJJx(-4[[9S-TH*)05R)SH&+2;;7T+UH(IIK#+;;   77 #//<< I NN1 2xx ,66-4[[-?w{{5)\6=kk+6N'++k2Td7eg &18U1C7;;u-")++.H"I%kk*GH ' ,I J:A++k:Rgkk+6Xh x   8$)05O)P&%,[[1N%O"'.{{3P'Q$ #KK R8M--0=0C0CC0HV1AGGIQWWYV VMD%=90=b1AsASXYX_X_XaQWWYb b {{7#'OOT]ahalalmtauTuyBFOyO[[!7C";;'>C!++&>Ckk"?@$KKKKs4::<'89 JJy1$,"#"# ( 1#??,#??,D" FF4L IIK JJt !|%2 GG ( %'! &" )*  77 #//<< I KK0 145 :yA BBkWbs1S=^?]7]7'^]<]<+]<=H^z/call/namesroles/{launch_id}cKttj}tj |}|s t dd|d}t ||j d}|s t dd|j di}|j d }|s t dd d |d d }g}|} tj4d{} | r| j | |dd{} | j| j} |j| j dg| jj d} | r0d| vr,ddl}|j!d| }|r|j#dnd} nd} | rdddd{t%|t'|dS77#tj$rt dd| jwxYw7P#1d{7swY`xYww)z:Canvas: Call Names & Roles (NRPS) with pagination support.rLaunch not foundrrrrNo access token availablerrrr!z8application/vnd.ims.lti-nrps.v2.membershipcontainer+jsonr AcceptN$@rtimeoutrzNRPS call failed: membersLinkz rel="next"rz<([^>]+)>; rel="next"r)r~count)rrrr rrrrrSrHTTPStatusErrorrrmextendrresearchgrouprlen)rrrrrr#rrr~rrVrWrlinkrmatchs rFcall_names_rolesr)s elln B   I &C 4FGG)nG#B G(<=L 4OPP^`bcJ(nn-FG "4RSS#<.1LG G !C  "fjjgtjDDA [""$668D NN488Ir2 399==(D , ":DA(-ekk!n4%* Gc'lC DD+D(( [#>PQRQWQWPXDeep Linking - Select Resource



)r rrr)rrrdl_claimdeep_link_return_urlrs rFdeep_linking_startrs   I &C 4FGG)nG{{VXZ[H#<< 5 4\]]45>;? D  sA-A/z/deep_linking/completez Demo Activityz'http://localhost:8000/canvas/launch/123rrc Ktj|}|s tdd|d}|jdi}|jd}|s tddt}|d z} d ||d ||d d did} t|jd|| t t jdd| g|jdd } tjtjjtjjtj} ddi} t!j"| | d| }d|d|d}t%|Sw)zG Canvas: Build Deep Linking Response JWT and return to Canvas. rrwrrrrrriXltiResourceLinkz Launch this activity in the tool)rr tool_settingexample)rrrrlineItemcustomrLtiDeepLinkingResponsez1.3.0r) rrrrr4z6https://purl.imsglobal.org/spec/lti/claim/message_typez1https://purl.imsglobal.org/spec/lti/claim/versionz:https://purl.imsglobal.org/spec/lti-dl/claim/content_itemsrrOrIr6rTrzS
)r rrr|r&rrrrrcrrdrerfrgrhrrr)rrrrrrrrrr content_itemmessagerrdeep_linking_jwtrs rFdeep_linking_completers{   I &C 4FGG)nG{{VXZ[H#<< 5 4\]] %C )C"2) I  L{{5!TZZ\"BZ=DGSn V$ G  # #''++**00*779 $ C l#Gzz'3'7S,,-22B1CD D  sEEz/_debug/registrationsc ttSrx)rr r{rHrF debug_regsr1s  &&rHz/_debug/access_tokencXttd5}tj|j dt }dddj j}ddddt|jt|jd}t|S#1swYaxYw)NrsrtrSrTrUr6rV) r`rarload_pem_private_keyreadrrjrkrGrZr[r)key_filerorqrs rF debug_tokenr6s  % #88 MMO#%  $$&557G  #  #  C  !  s /B  B))r6)__doc__r rmrArzrloggingrrtypingrrr urllib.parserfastapir r r r r rrfastapi.responsesrrrfastapi.staticfilesrstarlette.datastructuresrpydanticrjoserr jose.utilsr)cryptography.hazmat.primitives.asymmetricrcryptography.hazmat.primitivesrrrcryptography.hazmat.backendsrrrdb_config.modelsrr r!r"r#r$db_config.databasedatabaserdotenvr%routerdependencies.canvas_configr&r'r(r)r*r+r,r-r.r/r0 basicConfigINFO getLoggerrErrr2makedirsr4rarlryrrGrrr`rrrrrjrkPUBLIC_NUMBERSrZr[rr rvrHr|rrrrrrr api_routerr&rBrDrr[rurrfloatrrrrrrr{rHrFrs0 (&&"WWWJJ+('9@=8 !bb"     ',,'   8 $ryy2  L4( ryy!7G"^1%9$:;LSLSL %c%P D!X4-44 !K'')88:     ^%% & ^%% &   ! T#s(^ SHsHsHcHVYH<  (= @3@3@Fb&3b&NL..N&&.)eV_5YY6Yx!!!&-%9C& C&:C&L Y  P* P*P*d CyMCMC MCd *+-Ec-E,-E^ #$"c"%"@ +,8<=N8Ohlmphq""c""#""`e""-""H *+9=cSWX[S\swxzs{UYZ]U^#"#"3#"S#"kp#"MR#",#"PO4 %&#Yo&=>9 HH H H H'HZ #$'%' "#$Es ")O22O<