Handles '*' as room name in jwt.

Allows '*' in jwt to allow connecting to any room.
2017-06-20 13:48:47 -05:00 · 2017-06-20 13:48:47 -05:00 · 00afc32b6b
parent 8a01067b62
commit 00afc32b6b
2 changed files with 25 additions and 6 deletions
--- a/resources/prosody-plugins/mod_token_verification.lua
+++ b/resources/prosody-plugins/mod_token_verification.lua
@ -49,7 +49,7 @@ local function verify_user(session, stanza)
        "Will verify token for user: %s, room: %s ", user_jid, stanza.attr.to);
    if not token_util:verify_room(session, stanza.attr.to) then
        log("error", "Token %s not allowed to join: %s",
-            tostring(session.auth_token), tostring(session.jitsi_meet_room));
+            tostring(session.auth_token), tostring(stanza.attr.to));
        session.send(
            st.error_reply(
                stanza, "cancel", "not-allowed", "Room and token mismatched"));
--- a/resources/prosody-plugins/token/util.lib.lua
+++ b/resources/prosody-plugins/token/util.lib.lua
@ -263,7 +263,7 @@ function Util:verify_room(session, room_address)
    if not self.enableDomainVerification then
        -- if auth_room is missing, this means user is anonymous (no token for
        -- its domain) we let it through, jicofo is verifying creation domain
-        if auth_room and room ~= string.lower(auth_room) then
+        if auth_room and room ~= string.lower(auth_room) and auth_room ~= '*' then
            return false;
        end

@ -271,10 +271,29 @@ function Util:verify_room(session, room_address)
    end

    local room_address_to_verify = jid.bare(room_address);
+    local room_node = jid.node(room_address);
    -- parses bare room address, for multidomain expected format is:
    -- [subdomain]roomName@conference.domain
-    local target_subdomain, target_room
-            = room_address_to_verify:match("^%[([^%]]+)%](.+)$");
+    local target_subdomain, target_room = room_node:match("^%[([^%]]+)%](.+)$");
+
+    -- if we have '*' as room name in token, this means all rooms are allowed
+    -- so we will use the actual name of the room when constructing strings
+    -- to verify subdomains and domains to simplify checks
+    local room_to_check;
+    if auth_room == '*' then
+        -- authorized for accessing any room assign to room_to_check the actual
+        -- room name
+        if target_room ~= nil then
+            -- we are in multidomain mode and we were able to extract room name
+            room_to_check = target_room;
+        else
+            -- no target_room, room_address_to_verify does not contain subdomain
+            -- so we get just the node which is the room name
+            room_to_check = room_node;
+        end
+    else
+        room_to_check = auth_room;
+    end

    local auth_domain = session.jitsi_meet_domain;
    if target_subdomain then
@ -286,12 +305,12 @@ function Util:verify_room(session, room_address)
        end

        return room_address_to_verify == jid.join(
-            "["..auth_domain.."]"..string.lower(auth_room), self.muc_domain);
+            "["..auth_domain.."]"..string.lower(room_to_check), self.muc_domain);
    else
        -- we do not have a domain part (multidomain is not enabled)
        -- verify with info from the token
        return room_address_to_verify == jid.join(
-            string.lower(auth_room), self.muc_domain_prefix.."."..auth_domain);
+            string.lower(room_to_check), self.muc_domain_prefix.."."..auth_domain);
    end
 end