OAuth signature should be verified against URL provided to the tool. There is…

OAuth signature should be verified against URL provided to the tool. There is possibility that a proxy will change URL along the way (for example protocol from https to http) which would invalidate signature. (cherry picked from commit 8494473a0592908b948e17a9204b91f36bb20c28)

OAuth signature should be verified against URL provided to the tool. There is…
OAuth signature should be verified against URL provided to the tool. There is possibility that a proxy will change URL along the way (for example protocol from https to http) which would invalidate signature. (cherry picked from commit 8494473a0592908b948e17a9204b91f36bb20c28)
df9541f4 · Ivica Ceraj · Carson Gee · 308f33c1 · df9541f4 · df9541f4
Commit df9541f4 authored Aug 28, 2014 by Ivica Ceraj Committed by Carson Gee Aug 29, 2014
Hide whitespace changes
Inline Side-by-side

Showing with 46 additions and 1 deletions

common/lib/xmodule/xmodule/lti_module.py
+3 -1

common/lib/xmodule/xmodule/tests/test_lti_unit.py
+43 -0

No files found.
--- a/common/lib/xmodule/xmodule/lti_module.py
+++ b/common/lib/xmodule/xmodule/lti_module.py
@@ -734,16 +734,18 @@ oauth_consumer_key="", oauth_signature="frVp4JuvT1mVXlxktiAUjQ7%2F1cw%3D"'}
        oauth_headers = dict(oauth_params)
        oauth_signature = oauth_headers.pop('oauth_signature')
        mock_request = mock.Mock(
-            uri=unicode(urllib.unquote(request.url)),
+            uri=unicode(urllib.unquote(self.get_outcome_service_url())),
            http_method=unicode(request.method),
            params=oauth_headers.items(),
            signature=oauth_signature
        )

        if oauth_body_hash != oauth_headers.get('oauth_body_hash'):
+            log.exception( "OAuth body hash verification failed, provided: {} calculated: {}, for url: {}, body is: {}".format(oauth_headers.get('oauth_body_hash'),oauth_body_hash,self.get_outcome_service_url(),request.body))
            raise LTIError("OAuth body hash verification is failed.")

        if not signature.verify_hmac_sha1(mock_request, client_secret):
+            log.exception( "OAuth signature verification failed, for url:{}".format(oauth_headers,self.get_outcome_service_url()))
            raise LTIError("OAuth signature verification is failed.")

    def get_client_key_secret(self):

--- a/common/lib/xmodule/xmodule/tests/test_lti_unit.py
+++ b/common/lib/xmodule/xmodule/tests/test_lti_unit.py
@@ -331,6 +331,49 @@ class LTIModuleTest(LogicTest):
        except LTIError as err:
            self.fail("verify_oauth_body_sign() raised LTIError: " + err.message)

+    @patch('xmodule.lti_module.LTIModule.get_outcome_service_url', Mock(return_value=u'https://testurl/'))
+    @patch('xmodule.lti_module.LTIModule.get_client_key_secret',
+           Mock(return_value=(u'__consumer_key__', u'__lti_secret__')))
+    def test_failed_verify_oauth_body_sign_proxy_mangle_url(self):
+        """
+        Oauth signing verify fail.
+        """
+        try:
+            request = self.get_signed_grade_mock_request_with_correct_signature()
+            self.xmodule.verify_oauth_body_sign(request)
+            # we should verify against get_outcome_service_url not request url
+            # proxy and load balancer along the way may change url presented to the method
+            request.uri = 'http://testurl/'
+            self.xmodule.verify_oauth_body_sign(request)
+        except LTIError as err:
+            self.fail("verify_oauth_body_sign() raised LTIError: " + err.message)
+            pass
+
+    def get_signed_grade_mock_request_with_correct_signature(self):
+        mock_request = Mock()
+        mock_request.headers = {
+            'X-Requested-With': 'XMLHttpRequest',
+            'Content-Type': 'application/x-www-form-urlencoded',
+            'Authorization': u'OAuth realm="https://testurl/", oauth_body_hash="wwzA3s8gScKD1VpJ7jMt9b%2BMj9Q%3D", \
+            oauth_nonce="18821463", oauth_timestamp="1409321145", \
+            oauth_consumer_key="__consumer_key__", oauth_signature_method="HMAC-SHA1", \
+            oauth_version="1.0", oauth_signature="fHsE1hhIz76/msUoMR3Lyb7Aou4%3D"'
+        }
+        mock_request.url = u'https://testurl'
+        mock_request.http_method = u'POST'
+        mock_request.method = mock_request.http_method
+
+        mock_request.body = '<?xml version=\'1.0\' encoding=\'utf-8\'?>\n\
+<imsx_POXEnvelopeRequest xmlns="http://www.imsglobal.org/services/ltiv1p1/xsd/imsoms_v1p0">\
+<imsx_POXHeader><imsx_POXRequestHeaderInfo><imsx_version>V1.0</imsx_version>\
+<imsx_messageIdentifier>edX_fix</imsx_messageIdentifier></imsx_POXRequestHeaderInfo>\
+</imsx_POXHeader><imsx_POXBody><replaceResultRequest><resultRecord><sourcedGUID>\
+<sourcedId>MITxLTI/MITxLTI/201x:localhost%3A8000-i4x-MITxLTI-MITxLTI-lti-3751833a214a4f66a0d18f63234207f2:363979ef768ca171b50f9d1bfb322131</sourcedId>\
+</sourcedGUID><result><resultScore><language>en</language><textString>0.32</textString></resultScore>\
+</result></resultRecord></replaceResultRequest></imsx_POXBody></imsx_POXEnvelopeRequest>'
+
+        return mock_request
+
    def test_wrong_xml_namespace(self):
        """
        Test wrong XML Namespace.