Merge pull request #2 from oat-sa/develop

Develop
oat-sa · Jul 11, 2022 · 128034c · 128034c
2 parents c9cbfdd + c477e39
commit 128034c
Show file tree

Hide file tree

Showing 5 changed files with 82 additions and 24 deletions.
diff --git a/.github/workflows/conventional_commits_check.yml b/.github/workflows/conventional_commits_check.yml
@@ -0,0 +1,19 @@
+# Action to check conventional commits on OAT pull requests
+
+name: Conventional commits check
+
+on:
+  pull_request:
+    branches: [ develop ]
+
+jobs:
+  pr-check:
+    runs-on: ubuntu-20.04
+    steps:
+      - uses: actions/checkout@v2
+      - run: git fetch --unshallow --tags
+      - name: Check commit
+        if: always()
+        uses: oat-sa/conventional-commit-action@v0
+        with:
+          github_token: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/release_tao_extension.yml b/.github/workflows/release_tao_extension.yml
@@ -0,0 +1,23 @@
+# Make an extension release after merging to develop branch
+
+name: Release Tao extension
+
+on:
+  pull_request:
+    branches:
+      - develop
+    types: [closed]
+jobs:
+  auto-release:
+    if: github.event.pull_request.merged == true
+    name: Automated Tao extension release
+    runs-on: ubuntu-20.04
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+      - name: Release
+        uses: oat-sa/extension-release-action@v1
+        env:
+          GITHUB_TOKEN: ${{ secrets.GH_TOKEN }}
+        with:
+          github_token: ${{ secrets.GH_TOKEN }}
diff --git a/.gitignore b/.gitignore
@@ -0,0 +1 @@
+.idea
diff --git a/composer.json b/composer.json
@@ -1,19 +1,18 @@
 {
-    "name": "imsglobal/lti",
-    "version" : "3.0.2",
+    "name": "oat-sa/imsglobal-lti",
     "description": "LTI Tool Provider Library",
     "keywords": ["lti"],
     "homepage": "https://www.imsglobal.org/lti",
     "type": "library",
     "license": "Apache-2.0",
     "authors":[
         {
-            "name": "Stephen Vickers",
-            "email": "svickers@imsglobal.org"
+            "homepage": "https://www.taotesting.com",
+            "name": "Open Assessment Technologies S.A."
         }
     ],
     "require":{
-        "php": ">=5.6.0"
+        "php": ">=7.4,<=8.1"
     },
     "autoload":{
         "psr-4": {

diff --git a/src/OAuth/OAuthSignatureMethod.php b/src/OAuth/OAuthSignatureMethod.php
@@ -1,21 +1,36 @@
 <?php
 
-namespace IMSGlobal\LTI\OAuth;
-
 /**
- * Class to represent an %OAuth Signature Method
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; under version 2
+ * of the License (non-upgradable).
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
  *
- * @copyright  Andy Smith
- * @version 2008-08-04
- * @license https://opensource.org/licenses/MIT The MIT License
+ * Copyright (c) 2022 (original work) Open Assessment Technologies SA.
  */
+
+declare(strict_types=1);
+
+namespace IMSGlobal\LTI\OAuth;
+
 /**
  * A class for implementing a Signature Method
  * See section 9 ("Signing Requests") in the spec
  */
-abstract class OAuthSignatureMethod {
+abstract class OAuthSignatureMethod
+{
     /**
      * Needs to return the name of the Signature Method (ie HMAC-SHA1)
+     *
      * @return string
      */
     abstract public function get_name();
@@ -25,42 +40,43 @@ abstract public function get_name();
      * NOTE: The output of this function MUST NOT be urlencoded.
      * the encoding is handled in OAuthRequest when the final
      * request is serialized
+     *
      * @param OAuthRequest $request
      * @param OAuthConsumer $consumer
      * @param OAuthToken $token
+     *
      * @return string
      */
     abstract public function build_signature($request, $consumer, $token);
 
     /**
      * Verifies that a given signature is correct
+     *
      * @param OAuthRequest $request
      * @param OAuthConsumer $consumer
      * @param OAuthToken $token
      * @param string $signature
+     *
      * @return bool
      */
-    public function check_signature($request, $consumer, $token, $signature) {
-
+    public function check_signature($request, $consumer, $token, $signature)
+    {
         $built = $this->build_signature($request, $consumer, $token);
+        $builtLength = strlen($built);
+        $signatureLength = strlen($signature);
 
         // Check for zero length, although unlikely here
-        if (strlen($built) == 0 || strlen($signature) == 0) {
-            return false;
-        }
-
-        if (strlen($built) != strlen($signature)) {
+        if ($builtLength === 0 || $signatureLength === 0 || $builtLength !== $signatureLength) {
             return false;
         }
 
         // Avoid a timing leak with a (hopefully) time insensitive compare
         $result = 0;
-        for ($i = 0; $i < strlen($signature); $i++) {
-            $result |= ord($built{$i}) ^ ord($signature{$i});
-        }
 
-        return $result == 0;
+        for ($i = 0; $i < $signatureLength; ++$i) {
+            $result |= ord($built[$i]) ^ ord($signature[$i]);
+        }
 
+        return $result === 0;
     }
-
 }