Restrict LTI authentication by LTI course map.

This was requested by @dlglin, and restricts authentication into a
webwork course to only users in the LMS course that matches the context
id of the webwork course set in the LTI course map for the site.

If the new `$LTI{v1p3}{restrictAuthenticationByCourseMap}` option is set
to 1, then this restriction is in effect.

Author: drgrice1

conf/authen_LTI_1_3.conf.dist

@@ -261,6 +261,11 @@ $LTI{v1p3}{ignoreMissingSourcedID} = 0;
 
 $LTI{v1p3}{autoSyncSetDatesToLMS} = 0;
 
+# If this is set then authentication into a webwork course is only allowed if the LMS context id
+# is set in the LTI course map for the site and that matches that of the LMS course from which
+# the current user is attempting to sign in.
+$LTI{v1p3}{restrictAuthenticationByCourseMap} = 0;
+
 # If this is set and an instructor attempts to use content selection from an LMS course that is
 # that is not in the LTI course map, then the instructor will be offered a list of WeBWorK
 # courses to choose from.  The WeBWorK courses that will be listed for the instructor are

lib/WeBWorK/Authen/LTIAdvantage.pm

@@ -101,6 +101,23 @@ sub get_credentials ($self) {
 		return 0;
 	}
 
+	if ($ce->{LTI}{v1p3}{restrictAuthenticationByCourseMap} && !$c->stash->{courseChoices}) {
+		my $courseMap = $c->db->getLTICourseMap($ce->{courseName});
+		unless ($courseMap
+			&& $courseMap->lms_context_id eq
+			$c->stash->{lti_jwt_claims}{'https://purl.imsglobal.org/spec/lti/claim/context'}{id})
+		{
+			warn 'LTI authentication into incorrect course attempted. '
+				. "Please contact your instructor or system administrator.\n";
+			$self->{error} = $c->maketext(
+				'There was an error during the login process.  Please speak to your instructor or system administrator.'
+			);
+			debug("LTI authentication into $ce->{courseName} attempted, but this course is not in the LTI course map "
+					. 'or the context id of the LMS course from which the user came does not match.');
+			return 0;
+		}
+	}
+
 	# Determine the user_id to use, if possible.
 	if (!$ce->{LTI}{v1p3}{preferred_source_of_username}) {
 		warn 'LTI is not properly configured (no preferred_source_of_username). '

lib/WeBWorK/DB.pm

@@ -976,6 +976,16 @@ BEGIN {
 	*deleteLTICourseMapWhere = gen_delete_where("lti_course_map");
 }
 
+sub getLTICourseMap {
+	my ($self, $courseID) = shift->checkArgs(\@_, qw/course_id/);
+	return ($self->getLTICourseMaps($courseID))[0];
+}
+
+sub getLTICourseMaps {
+	my ($self, @courseIDs) = shift->checkArgs(\@_, qw/course_id*/);
+	return $self->{lti_course_map}->gets(map { [$_] } @courseIDs);
+}
+
 sub setLTICourseMap {
 	my ($self, $course_id, $lms_context_id) = shift->checkArgs(\@_, qw/course_id lms_context_id/);
 	if ($self->existsLTICourseMapWhere({ course_id => $course_id })) {