feat: Adds an option to validate a recording token.

2020-06-15 11:55:21 -05:00 · 2020-06-15 11:55:21 -05:00 · 6d3d15a64b
parent b10a45bf98
commit 6d3d15a64b
2 changed files with 47 additions and 15 deletions
--- a/resources/prosody-plugins/mod_filter_iq_jibri.lua
+++ b/resources/prosody-plugins/mod_filter_iq_jibri.lua
@ -1,5 +1,8 @@
 local st = require "util.stanza";
 local is_feature_allowed = module:require "util".is_feature_allowed;
+local token_util = module:require "token/util".new(module);
+
+local accepted_rayo_iq_token_issuers = module:get_option_array("accepted_rayo_iq_token_issuers");

 -- filters jibri iq in case of requested from jwt authenticated session that
 -- has features in the user context, but without feature for recording
@ -11,15 +14,37 @@ module:hook("pre-iq/full", function(event)
            local session = event.origin;
            local token = session.auth_token;

-            if jibri.attr.action == 'start'
-                and (token == nil
+            if jibri.attr.action == 'start' then
+                local errorReason;
+                if accepted_rayo_iq_token_issuers then
+                    local iq_token = jibri.attr.token;
+                    if iq_token then
+                        local session = {};
+                        session.auth_token = iq_token;
+                        local verified, reason = token_util:process_and_verify_token(
+                            session, accepted_rayo_iq_token_issuers);
+                        if verified then
+                            return nil; -- this will proceed with dispatching the stanza
+                        end
+                        errorReason = reason;
+                    else
+                        errorReason = 'No recording token provided';
+                    end
+
+                    module:log("warn", "not a valid token %s", tostring(errorReason));
+                    session.send(st.error_reply(stanza, "auth", "forbidden"));
+                    return true;
+                end
+
+                if token == nil
                    or not is_feature_allowed(session,
-                        (jibri.attr.recording_mode == 'file' and 'recording' or 'livestreaming'))
+                    (jibri.attr.recording_mode == 'file' and 'recording' or 'livestreaming')
                ) then
-                module:log("info",
-                    "Filtering jibri start recording, stanza:%s", tostring(stanza));
-                session.send(st.error_reply(stanza, "auth", "forbidden"));
-                return true;
+                    module:log("info",
+                        "Filtering jibri start recording, stanza:%s", tostring(stanza));
+                    session.send(st.error_reply(stanza, "auth", "forbidden"));
+                    return true;
+                end
            end
        end
    end
--- a/resources/prosody-plugins/token/util.lib.lua
+++ b/resources/prosody-plugins/token/util.lib.lua
@ -159,9 +159,10 @@ end

 --- Verifies issuer part of token
 -- @param 'iss' claim from the token to verify
+-- @param 'acceptedIssuers' list of issuers to check
 -- @return nil and error string or true for accepted claim
-function Util:verify_issuer(issClaim)
-    for i, iss in ipairs(self.acceptedIssuers) do
+function Util:verify_issuer(issClaim, acceptedIssuers)
+    for i, iss in ipairs(acceptedIssuers) do
        if issClaim == iss then
            --claim matches an accepted issuer so return success
            return true;
@ -192,8 +193,9 @@ end
 --- Verifies token
 -- @param token the token to verify
 -- @param secret the secret to use to verify token
+-- @param acceptedIssuers the list of accepted issuers to check
 -- @return nil and error or the extracted claims from the token
-function Util:verify_token(token, secret)
+function Util:verify_token(token, secret, acceptedIssuers)
    local claims, err = jwt.decode(token, secret, true);
    if claims == nil then
        return nil, err;
@ -209,7 +211,7 @@ function Util:verify_token(token, secret)
        return nil, "'iss' claim is missing";
    end
    --check the issuer against the accepted list
-    local issCheck, issCheckErr = self:verify_issuer(issClaim);
+    local issCheck, issCheckErr = self:verify_issuer(issClaim, acceptedIssuers);
    if issCheck == nil then
        return nil, issCheckErr;
    end
@ -241,8 +243,13 @@ end
 -- session.jitsi_meet_context_group - the group value from the token
 -- session.jitsi_meet_context_features - the features value from the token
 -- @param session the current session
+-- @param acceptedIssuers optional list of accepted issuers to check
 -- @return false and error
-function Util:process_and_verify_token(session)
+function Util:process_and_verify_token(session, acceptedIssuers)
+    if not acceptedIssuers then
+        acceptedIssuers = self.acceptedIssuers;
+    end
+
    if session.auth_token == nil then
        if self.allowEmptyToken then
            return true;
@ -272,9 +279,9 @@ function Util:process_and_verify_token(session)
    -- now verify the whole token
    local claims, msg;
    if self.asapKeyServer then
-        claims, msg = self:verify_token(session.auth_token, pubKey);
+        claims, msg = self:verify_token(session.auth_token, pubKey, acceptedIssuers);
    else
-        claims, msg = self:verify_token(session.auth_token, self.appSecret);
+        claims, msg = self:verify_token(session.auth_token, self.appSecret, acceptedIssuers);
    end
    if claims ~= nil then
        -- Binds room name to the session which is later checked on MUC join
@ -401,4 +408,4 @@ function Util:verify_room(session, room_address)
    end
 end

-return Util;
+return Util;