2015-11-02 21:02:50 +00:00
|
|
|
-- Token authentication
|
|
|
|
-- Copyright (C) 2015 Atlassian
|
|
|
|
|
2016-08-29 14:39:47 +00:00
|
|
|
local basexx = require "basexx";
|
2016-08-23 19:42:49 +00:00
|
|
|
local have_async, async = pcall(require, "util.async");
|
2016-08-31 21:25:49 +00:00
|
|
|
local hex = require "util.hex";
|
2016-08-23 19:42:49 +00:00
|
|
|
local formdecode = require "util.http".formdecode;
|
2015-12-22 18:51:43 +00:00
|
|
|
local generate_uuid = require "util.uuid".generate;
|
2016-08-23 19:42:49 +00:00
|
|
|
local http = require "net.http";
|
2016-08-29 14:39:47 +00:00
|
|
|
local json = require "cjson";
|
2015-11-02 21:02:50 +00:00
|
|
|
local new_sasl = require "util.sasl".new;
|
2016-08-31 21:25:49 +00:00
|
|
|
local path = require "util.paths";
|
2015-12-22 18:51:43 +00:00
|
|
|
local sasl = require "util.sasl";
|
2016-08-31 14:24:15 +00:00
|
|
|
local sha256 = require "util.hashes".sha256;
|
2016-08-23 19:42:49 +00:00
|
|
|
local timer = require "util.timer";
|
2015-11-02 21:02:50 +00:00
|
|
|
local token_util = module:require "token/util";
|
|
|
|
|
|
|
|
-- define auth provider
|
|
|
|
local provider = {};
|
|
|
|
|
2015-12-22 18:51:43 +00:00
|
|
|
local host = module.host;
|
2015-11-02 21:02:50 +00:00
|
|
|
|
|
|
|
local appId = module:get_option_string("app_id");
|
|
|
|
local appSecret = module:get_option_string("app_secret");
|
2016-08-23 19:42:49 +00:00
|
|
|
local asapKeyServer = module:get_option_string("asap_key_server");
|
2015-12-22 18:51:43 +00:00
|
|
|
local allowEmptyToken = module:get_option_boolean("allow_empty_token");
|
2016-06-13 21:11:44 +00:00
|
|
|
local disableRoomNameConstraints = module:get_option_boolean("disable_room_name_constraints");
|
2015-11-02 21:02:50 +00:00
|
|
|
|
2016-08-24 19:24:40 +00:00
|
|
|
-- TODO: Figure out a less arbitrary default cache size.
|
|
|
|
local cacheSize = module:get_option_number("jwt_pubkey_cache_size", 128);
|
|
|
|
local cache = require"util.cache".new(cacheSize);
|
|
|
|
|
2015-12-22 18:51:43 +00:00
|
|
|
if allowEmptyToken == true then
|
|
|
|
module:log("warn", "WARNING - empty tokens allowed");
|
|
|
|
end
|
|
|
|
|
|
|
|
if appId == nil then
|
|
|
|
module:log("error", "'app_id' must not be empty");
|
|
|
|
return;
|
|
|
|
end
|
|
|
|
|
2016-08-23 19:42:49 +00:00
|
|
|
if appSecret == nil and asapKeyServer == nil then
|
|
|
|
module:log("error", "'app_secret' or 'asap_key_server' must be specified");
|
|
|
|
return;
|
|
|
|
end
|
|
|
|
|
|
|
|
if asapKeyServer and not have_async then
|
|
|
|
module:log("error", "requires a version of Prosody with util.async");
|
2015-12-22 18:51:43 +00:00
|
|
|
return;
|
|
|
|
end
|
|
|
|
|
|
|
|
-- Extract 'token' param from BOSH URL when session is created
|
|
|
|
module:hook("bosh-session", function(event)
|
|
|
|
local session, request = event.session, event.request;
|
|
|
|
local query = request.url.query;
|
|
|
|
if query ~= nil then
|
|
|
|
session.auth_token = query and formdecode(query).token or nil;
|
2015-11-02 21:02:50 +00:00
|
|
|
end
|
2016-08-29 14:39:47 +00:00
|
|
|
end);
|
2015-12-22 18:51:43 +00:00
|
|
|
|
|
|
|
function provider.test_password(username, password)
|
|
|
|
return nil, "Password based auth not supported";
|
2015-11-02 21:02:50 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
function provider.get_password(username)
|
|
|
|
return nil;
|
|
|
|
end
|
|
|
|
|
|
|
|
function provider.set_password(username, password)
|
|
|
|
return nil, "Set password not supported";
|
|
|
|
end
|
|
|
|
|
|
|
|
function provider.user_exists(username)
|
|
|
|
return nil;
|
|
|
|
end
|
|
|
|
|
|
|
|
function provider.create_user(username, password)
|
|
|
|
return nil;
|
|
|
|
end
|
|
|
|
|
|
|
|
function provider.delete_user(username)
|
|
|
|
return nil;
|
|
|
|
end
|
|
|
|
|
2016-08-23 19:42:49 +00:00
|
|
|
local http_timeout = 30;
|
|
|
|
local http_headers = {
|
|
|
|
["User-Agent"] = "Prosody ("..prosody.version.."; "..prosody.platform..")"
|
|
|
|
};
|
|
|
|
|
|
|
|
function get_public_key(keyId)
|
2016-08-24 19:24:40 +00:00
|
|
|
local content = cache:get(keyId);
|
|
|
|
if content == nil then
|
|
|
|
-- If the key is not found in the cache.
|
|
|
|
module:log("debug", "Cache miss for key: "..keyId);
|
|
|
|
local code;
|
|
|
|
local wait, done = async.waiter();
|
|
|
|
local function cb(content_, code_, response_, request_)
|
|
|
|
content, code = content_, code_;
|
2016-08-31 14:25:10 +00:00
|
|
|
if code == 200 or code == 204 then
|
|
|
|
cache:set(keyId, content);
|
|
|
|
end
|
2016-08-24 19:24:40 +00:00
|
|
|
done();
|
|
|
|
end
|
2016-08-31 21:25:49 +00:00
|
|
|
local keyurl = path.join(asapKeyServer, hex.to(sha256(keyId))..'.pem');
|
|
|
|
module:log("debug", "Fetching public key from: "..keyurl);
|
2016-08-31 14:24:15 +00:00
|
|
|
|
2016-08-31 14:25:10 +00:00
|
|
|
-- We hash the key ID to work around some legacy behavior and make
|
|
|
|
-- deployment easier. It also helps prevent directory
|
2016-08-31 14:24:15 +00:00
|
|
|
-- traversal attacks (although path cleaning could have done this too).
|
2016-08-31 21:25:49 +00:00
|
|
|
local request = http.request(keyurl, {
|
2016-08-24 19:24:40 +00:00
|
|
|
headers = http_headers or {},
|
|
|
|
method = "GET"
|
|
|
|
}, cb);
|
2016-08-31 14:24:15 +00:00
|
|
|
|
2016-08-26 14:48:02 +00:00
|
|
|
-- TODO: Is the done() call racey? Can we cancel this if the request
|
|
|
|
-- succeedes?
|
2016-08-26 21:17:19 +00:00
|
|
|
local function cancel()
|
|
|
|
-- TODO: This check is racey. Not likely to be a problem, but we should
|
|
|
|
-- still stick a mutex on content / code at some point.
|
|
|
|
if code == nil then
|
|
|
|
http.destroy_request(request);
|
|
|
|
done();
|
|
|
|
end
|
|
|
|
end
|
|
|
|
timer.add_task(http_timeout, cancel);
|
2016-08-24 19:24:40 +00:00
|
|
|
wait();
|
|
|
|
|
|
|
|
if code == 200 or code == 204 then
|
|
|
|
return content;
|
|
|
|
end
|
|
|
|
else
|
|
|
|
-- If the key is in the cache, use it.
|
2016-08-26 21:03:08 +00:00
|
|
|
module:log("debug", "Cache hit for key: "..keyId);
|
2016-08-23 19:42:49 +00:00
|
|
|
return content;
|
|
|
|
end
|
|
|
|
|
2016-08-26 19:11:50 +00:00
|
|
|
return nil;
|
2016-08-23 19:42:49 +00:00
|
|
|
end
|
|
|
|
|
2015-12-22 18:51:43 +00:00
|
|
|
function provider.get_sasl_handler(session)
|
|
|
|
-- JWT token extracted from BOSH URL
|
|
|
|
local token = session.auth_token;
|
|
|
|
|
|
|
|
local function get_username_from_token(self, message)
|
|
|
|
|
|
|
|
if token == nil then
|
2016-08-23 19:42:49 +00:00
|
|
|
if allowEmptyToken then
|
2016-08-26 19:11:50 +00:00
|
|
|
return true;
|
2015-12-22 18:51:43 +00:00
|
|
|
else
|
|
|
|
return false, "not-allowed", "token required";
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2016-08-23 19:42:49 +00:00
|
|
|
local pubKey;
|
|
|
|
if asapKeyServer and session.auth_token ~= nil then
|
2016-08-29 14:39:47 +00:00
|
|
|
local dotFirst = session.auth_token:find("%.");
|
2016-08-23 19:42:49 +00:00
|
|
|
if not dotFirst then return nil, "Invalid token" end
|
2016-08-29 14:39:47 +00:00
|
|
|
local header = json.decode(basexx.from_url64(session.auth_token:sub(1,dotFirst-1)));
|
|
|
|
local kid = header["kid"];
|
2016-08-23 19:42:49 +00:00
|
|
|
if kid == nil then
|
|
|
|
return false, "not-allowed", "'kid' claim is missing";
|
|
|
|
end
|
|
|
|
pubKey = get_public_key(kid);
|
|
|
|
if pubKey == nil then
|
|
|
|
return false, "not-allowed", "could not obtain public key";
|
|
|
|
end
|
2015-12-22 18:51:43 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
-- now verify the whole token
|
2016-08-26 19:41:06 +00:00
|
|
|
local claims, msg;
|
2016-08-23 19:42:49 +00:00
|
|
|
if asapKeyServer then
|
2016-08-26 19:41:06 +00:00
|
|
|
claims, msg = token_util.verify_token(token, appId, pubKey, disableRoomNameConstraints);
|
2016-08-23 19:42:49 +00:00
|
|
|
else
|
2016-08-26 19:41:06 +00:00
|
|
|
claims, msg = token_util.verify_token(token, appId, appSecret, disableRoomNameConstraints);
|
2016-08-23 19:42:49 +00:00
|
|
|
end
|
2016-08-26 19:47:34 +00:00
|
|
|
if claims ~= nil then
|
2015-12-22 18:51:43 +00:00
|
|
|
-- Binds room name to the session which is later checked on MUC join
|
2016-08-26 19:41:06 +00:00
|
|
|
session.jitsi_meet_room = claims["room"];
|
2016-08-26 19:11:50 +00:00
|
|
|
return true;
|
2015-12-22 18:51:43 +00:00
|
|
|
else
|
2016-08-29 14:39:47 +00:00
|
|
|
return false, "not-allowed", msg;
|
2015-11-02 21:02:50 +00:00
|
|
|
end
|
2015-12-22 18:51:43 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
return new_sasl(host, { anonymous = get_username_from_token });
|
2015-11-02 21:02:50 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
module:provides("auth", provider);
|
2015-12-22 18:51:43 +00:00
|
|
|
|
|
|
|
local function anonymous(self, message)
|
|
|
|
|
|
|
|
local username = generate_uuid();
|
|
|
|
|
|
|
|
-- This calls the handler created in 'provider.get_sasl_handler(session)'
|
|
|
|
local result, err, msg = self.profile.anonymous(self, username, self.realm);
|
|
|
|
|
|
|
|
self.username = username;
|
|
|
|
|
|
|
|
if result == true then
|
2016-08-29 14:39:47 +00:00
|
|
|
return "success";
|
2015-12-22 18:51:43 +00:00
|
|
|
else
|
|
|
|
|
2016-08-29 14:39:47 +00:00
|
|
|
return "failure", err, msg;
|
2015-12-22 18:51:43 +00:00
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
sasl.registerMechanism("ANONYMOUS", {"anonymous"}, anonymous);
|