Adding oauth_body_hash to lti requests signed with LtiSigner, fixes #20

Paul Gray · Paul Gray · commit a50adaff7779 · 2016-07-21T12:22:47.000-04:00
diff --git a/pom.xml b/pom.xml
@@ -165,7 +165,6 @@
             <groupId>commons-io</groupId>
             <artifactId>commons-io</artifactId>
             <version>2.4</version>
-            <scope>test</scope>
             <type>jar</type>
         </dependency>
     </dependencies>
diff --git a/src/main/java/org/imsglobal/lti/launch/LtiOauthSigner.java b/src/main/java/org/imsglobal/lti/launch/LtiOauthSigner.java
@@ -8,10 +8,18 @@
 import oauth.signpost.exception.OAuthCommunicationException;
 import oauth.signpost.exception.OAuthExpectationFailedException;
 import oauth.signpost.exception.OAuthMessageSignerException;
+import oauth.signpost.http.HttpParameters;
+import org.apache.commons.codec.binary.Base64;
+import org.apache.http.HttpEntity;
+import org.apache.http.HttpEntityEnclosingRequest;
 import org.apache.http.HttpRequest;
+import org.apache.commons.io.IOUtils;
 
 import java.io.IOException;
 import java.net.URISyntaxException;
+import java.net.URLEncoder;
+import java.security.MessageDigest;
+import java.security.NoSuchAlgorithmException;
 import java.util.HashMap;
 import java.util.Map;
 
@@ -22,12 +30,33 @@
  */
 public class LtiOauthSigner implements LtiSigner {
 
+    private MessageDigest md;
+
+    public LtiOauthSigner() {
+        try{
+            md = MessageDigest.getInstance("SHA1");
+        } catch(NoSuchAlgorithmException e) {
+            throw new RuntimeException("Could not construct new instance of LtiOauthSigner", e);
+        }
+    }
+
+    public LtiOauthSigner(MessageDigest md) {
+        this.md = md;
+    }
+
     @Override
     public HttpRequest sign(HttpRequest request, String key, String secret) throws LtiSigningException {
         CommonsHttpOAuthConsumer signer = new CommonsHttpOAuthConsumer(key, secret);
         try {
+            String body = getRequestBody(request);
+            String bodyHash = new String(Base64.encodeBase64(md.digest(body.getBytes())));
+
+            HttpParameters params = new HttpParameters();
+            params.put("oauth_body_hash", URLEncoder.encode(bodyHash, "UTF-8"));
+            signer.setAdditionalParameters(params);
+
             signer.sign(request);
-        } catch (OAuthMessageSignerException|OAuthExpectationFailedException|OAuthCommunicationException e) {
+        } catch (OAuthMessageSignerException|OAuthExpectationFailedException|OAuthCommunicationException|IOException e) {
             throw new LtiSigningException("Exception encountered while singing Lti request...", e);
         }
         return request;
@@ -51,4 +80,14 @@ public Map<String, String> signParameters(Map<String, String> parameters, String
         }
     }
 
+    private String getRequestBody(HttpRequest req) throws IOException {
+        if(req instanceof HttpEntityEnclosingRequest){
+            HttpEntity body = ((HttpEntityEnclosingRequest) req).getEntity();
+            return IOUtils.toString(body.getContent());
+        } else {
+            // requests with no entity have an empty string as the body
+            return "";
+        }
+    }
+
 }
