added checks for audience and issuer values (#1772)

* added checks for audience and issuer values
default audience and issuer checks to validate only appId
added missing documentation lines from the previous PR for context_user and context_group session values

* support for accepting any audience
option set to accept any audience by default
This commit is contained in:
Aaron van Meerten 2017-07-13 13:30:17 -05:00 committed by Дамян Минков
parent 3de6f1cd7f
commit 622d4ba89c
1 changed files with 49 additions and 2 deletions

View File

@ -86,6 +86,12 @@ function Util.new(module)
return nil; return nil;
end end
--array of accepted issuers: by default only includes our appId
self.acceptedIssuers = module:get_option_array('asap_accepted_issuers',{self.appId})
--array of accepted audiences: by default only includes our appId
self.acceptedAudiences = module:get_option_array('asap_accepted_audiences',{'*'})
if self.asapKeyServer and not have_async then if self.asapKeyServer and not have_async then
module:log("error", "requires a version of Prosody with util.async"); module:log("error", "requires a version of Prosody with util.async");
return nil; return nil;
@ -147,6 +153,38 @@ function Util:get_public_key(keyId)
return nil; return nil;
end end
--- Verifies issuer part of token
-- @param 'iss' claim from the token to verify
-- @return nil and error string or true for accepted claim
function Util:verify_issuer(issClaim)
for i, iss in ipairs(self.acceptedIssuers) do
if issClaim == iss then
--claim matches an accepted issuer so return success
return true;
end
end
--if issClaim not found in acceptedIssuers, fail claim
return nil, "Invalid issuer ('iss' claim)";
end
--- Verifies audience part of token
-- @param 'aud' claim from the token to verify
-- @return nil and error string or true for accepted claim
function Util:verify_audience(audClaim)
for i, aud in ipairs(self.acceptedAudiences) do
if aud == '*' then
--* indicates to accept any audience in the claims so return success
return true;
end
if audClaim == aud then
--claim matches an accepted audience so return success
return true;
end
end
--if issClaim not found in acceptedIssuers, fail claim
return nil, "Invalid audience ('aud' claim)";
end
--- Verifies token --- Verifies token
-- @param token the token to verify -- @param token the token to verify
-- @param secret the secret to use to verify token -- @param secret the secret to use to verify token
@ -166,8 +204,10 @@ function Util:verify_token(token, secret)
if issClaim == nil then if issClaim == nil then
return nil, "'iss' claim is missing"; return nil, "'iss' claim is missing";
end end
if issClaim ~= self.appId then --check the issuer against the accepted list
return nil, "Invalid application ID('iss' claim)"; local issCheck, issCheckErr = self:verify_issuer(issClaim);
if issCheck == nil then
return nil, issCheckErr;
end end
local roomClaim = claims["room"]; local roomClaim = claims["room"];
@ -179,6 +219,11 @@ function Util:verify_token(token, secret)
if audClaim == nil then if audClaim == nil then
return nil, "'aud' claim is missing"; return nil, "'aud' claim is missing";
end end
--check the audience against the accepted list
local audCheck, audCheckErr = self:verify_audience(audClaim);
if audCheck == nil then
return nil, audCheckErr;
end
return claims; return claims;
end end
@ -188,6 +233,8 @@ end
-- Stores in session the following values: -- Stores in session the following values:
-- session.jitsi_meet_room - the room name value from the token -- session.jitsi_meet_room - the room name value from the token
-- session.jitsi_meet_domain - the domain name value from the token -- session.jitsi_meet_domain - the domain name value from the token
-- session.jitsi_meet_context_user - the user details from the token
-- session.jitsi_meet_context_group - the group value from the token
-- @param session the current session -- @param session the current session
-- @return false and error -- @return false and error
function Util:process_and_verify_token(session) function Util:process_and_verify_token(session)