allows override of asap key server in token utility

This commit is contained in:
Aaron van Meerten 2019-06-06 14:41:46 -05:00
parent 2a8fafdd36
commit 41e0d782ce
1 changed files with 14 additions and 5 deletions


@ -103,7 +103,10 @@ end
--- Returns the public key by keyID
-- @param keyId the key ID to request
-- @return the public key (the content of requested resource) or nil
function Util:get_public_key(keyId)
function Util:get_public_key(keyId,asapKeyServer)
if asapKeyServer == "" then
asapKeyServer = self.asapKeyServer)
end
local content = cache:get(keyId);
if content == nil then
-- If the key is not found in the cache.
@ -117,7 +120,7 @@ function Util:get_public_key(keyId)
end
done();
end
local keyurl = path.join(self.asapKeyServer, hex.to(sha256(keyId))..'.pem');
local keyurl = path.join(asapKeyServer, hex.to(sha256(keyId))..'.pem');
module:log("debug", "Fetching public key from: "..keyurl);
-- We hash the key ID to work around some legacy behavior and make
@ -239,6 +242,12 @@ end
-- @param session the current session
-- @return false and error
function Util:process_and_verify_token(session)
return self:process_and_verify_token_with_keyserver(session,"")
end
function Util:process_and_verify_token_with_keyserver(session,asapKeyServer)
if asapKeyServer == "" then
asapKeyServer = self.asapKeyServer
end
if session.auth_token == nil then
if self.allowEmptyToken then
@ -249,7 +258,7 @@ function Util:process_and_verify_token(session)
end
local pubKey;
if self.asapKeyServer and session.auth_token ~= nil then
if asapKeyServer and session.auth_token ~= nil then
local dotFirst = session.auth_token:find("%.");
if not dotFirst then return nil, "Invalid token" end
local header = json.decode(basexx.from_url64(session.auth_token:sub(1,dotFirst-1)));
@ -257,7 +266,7 @@ function Util:process_and_verify_token(session)
if kid == nil then
return false, "not-allowed", "'kid' claim is missing";
end
pubKey = self:get_public_key(kid);
pubKey = self:get_public_key(kid,asapKeyServer);
if pubKey == nil then
return false, "not-allowed", "could not obtain public key";
end
@ -265,7 +274,7 @@ function Util:process_and_verify_token(session)
-- now verify the whole token
local claims, msg;
if self.asapKeyServer then
if asapKeyServer then
claims, msg = self:verify_token(session.auth_token, pubKey);
else
claims, msg = self:verify_token(session.auth_token, self.appSecret);
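Review bot: The line `asapKeyServer = self.asapKeyServer)` in the `get_public_key` hunk has an unbalanced `)` and will not parse, so the whole module fails to load; it should read `asapKeyServer = self.asapKeyServer`. The `== ""` fallback in both `get_public_key` and `process_and_verify_token_with_keyserver` does not cover `nil`, which is what any remaining one-argument `self:get_public_key(kid)` caller would pass, and `path.join(nil, ...)` would then error; `if asapKeyServer == nil or asapKeyServer == "" then` handles both cases. The cache lookup `cache:get(keyId)` is still keyed by key ID alone, so once a per-call key server override exists a key fetched from one server is served for requests naming another; including the server in the cache key (e.g. `cache:get(asapKeyServer .. keyId)`, assuming keyId is a string) keeps them separate. Since the chosen key server now decides which public keys are trusted to verify tokens, the override value must come only from trusted configuration — the callers are outside this diff, so please confirm it is never derived from the session or the token itself. The bodies of both functions continue outside the hunks.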