Moves token related code into util so it can be reused.
This commit is contained in:
parent
166fb1d13f
commit
82b27b45fe
|
@ -1,58 +1,27 @@
|
|||
-- Token authentication
|
||||
-- Copyright (C) 2015 Atlassian
|
||||
|
||||
local basexx = require "basexx";
|
||||
local have_async, async = pcall(require, "util.async");
|
||||
local hex = require "util.hex";
|
||||
local formdecode = require "util.http".formdecode;
|
||||
local generate_uuid = require "util.uuid".generate;
|
||||
local http = require "net.http";
|
||||
local json = require "cjson";
|
||||
local new_sasl = require "util.sasl".new;
|
||||
local path = require "util.paths";
|
||||
local sasl = require "util.sasl";
|
||||
local sha256 = require "util.hashes".sha256;
|
||||
local timer = require "util.timer";
|
||||
local token_util = module:require "token/util";
|
||||
local token_util = module:require "token/util".new(module);
|
||||
|
||||
-- no token configuration
|
||||
if token_util == nil then
|
||||
return;
|
||||
end
|
||||
|
||||
-- define auth provider
|
||||
local provider = {};
|
||||
|
||||
local host = module.host;
|
||||
|
||||
local appId = module:get_option_string("app_id");
|
||||
local appSecret = module:get_option_string("app_secret");
|
||||
local asapKeyServer = module:get_option_string("asap_key_server");
|
||||
local allowEmptyToken = module:get_option_boolean("allow_empty_token");
|
||||
local disableRoomNameConstraints = module:get_option_boolean("disable_room_name_constraints");
|
||||
|
||||
-- TODO: Figure out a less arbitrary default cache size.
|
||||
local cacheSize = module:get_option_number("jwt_pubkey_cache_size", 128);
|
||||
local cache = require"util.cache".new(cacheSize);
|
||||
|
||||
if allowEmptyToken == true then
|
||||
module:log("warn", "WARNING - empty tokens allowed");
|
||||
end
|
||||
|
||||
if appId == nil then
|
||||
module:log("error", "'app_id' must not be empty");
|
||||
return;
|
||||
end
|
||||
|
||||
if appSecret == nil and asapKeyServer == nil then
|
||||
module:log("error", "'app_secret' or 'asap_key_server' must be specified");
|
||||
return;
|
||||
end
|
||||
|
||||
if asapKeyServer and not have_async then
|
||||
module:log("error", "requires a version of Prosody with util.async");
|
||||
return;
|
||||
end
|
||||
|
||||
-- Extract 'token' param from BOSH URL when session is created
|
||||
module:hook("bosh-session", function(event)
|
||||
local session, request = event.session, event.request;
|
||||
local query = request.url.query;
|
||||
|
||||
if query ~= nil then
|
||||
session.auth_token = query and formdecode(query).token or nil;
|
||||
end
|
||||
|
@ -82,104 +51,12 @@ function provider.delete_user(username)
|
|||
return nil;
|
||||
end
|
||||
|
||||
local http_timeout = 30;
|
||||
local http_headers = {
|
||||
["User-Agent"] = "Prosody ("..prosody.version.."; "..prosody.platform..")"
|
||||
};
|
||||
|
||||
function get_public_key(keyId)
|
||||
local content = cache:get(keyId);
|
||||
if content == nil then
|
||||
-- If the key is not found in the cache.
|
||||
module:log("debug", "Cache miss for key: "..keyId);
|
||||
local code;
|
||||
local wait, done = async.waiter();
|
||||
local function cb(content_, code_, response_, request_)
|
||||
content, code = content_, code_;
|
||||
if code == 200 or code == 204 then
|
||||
cache:set(keyId, content);
|
||||
end
|
||||
done();
|
||||
end
|
||||
local keyurl = path.join(asapKeyServer, hex.to(sha256(keyId))..'.pem');
|
||||
module:log("debug", "Fetching public key from: "..keyurl);
|
||||
|
||||
-- We hash the key ID to work around some legacy behavior and make
|
||||
-- deployment easier. It also helps prevent directory
|
||||
-- traversal attacks (although path cleaning could have done this too).
|
||||
local request = http.request(keyurl, {
|
||||
headers = http_headers or {},
|
||||
method = "GET"
|
||||
}, cb);
|
||||
|
||||
-- TODO: Is the done() call racey? Can we cancel this if the request
|
||||
-- succeedes?
|
||||
local function cancel()
|
||||
-- TODO: This check is racey. Not likely to be a problem, but we should
|
||||
-- still stick a mutex on content / code at some point.
|
||||
if code == nil then
|
||||
http.destroy_request(request);
|
||||
done();
|
||||
end
|
||||
end
|
||||
timer.add_task(http_timeout, cancel);
|
||||
wait();
|
||||
|
||||
if code == 200 or code == 204 then
|
||||
return content;
|
||||
end
|
||||
else
|
||||
-- If the key is in the cache, use it.
|
||||
module:log("debug", "Cache hit for key: "..keyId);
|
||||
return content;
|
||||
end
|
||||
|
||||
return nil;
|
||||
end
|
||||
|
||||
function provider.get_sasl_handler(session)
|
||||
-- JWT token extracted from BOSH URL
|
||||
local token = session.auth_token;
|
||||
|
||||
local function get_username_from_token(self, message)
|
||||
|
||||
if token == nil then
|
||||
if allowEmptyToken then
|
||||
return true;
|
||||
else
|
||||
return false, "not-allowed", "token required";
|
||||
end
|
||||
end
|
||||
|
||||
local pubKey;
|
||||
if asapKeyServer and session.auth_token ~= nil then
|
||||
local dotFirst = session.auth_token:find("%.");
|
||||
if not dotFirst then return nil, "Invalid token" end
|
||||
local header = json.decode(basexx.from_url64(session.auth_token:sub(1,dotFirst-1)));
|
||||
local kid = header["kid"];
|
||||
if kid == nil then
|
||||
return false, "not-allowed", "'kid' claim is missing";
|
||||
end
|
||||
pubKey = get_public_key(kid);
|
||||
if pubKey == nil then
|
||||
return false, "not-allowed", "could not obtain public key";
|
||||
end
|
||||
end
|
||||
|
||||
-- now verify the whole token
|
||||
local claims, msg;
|
||||
if asapKeyServer then
|
||||
claims, msg = token_util.verify_token(token, appId, pubKey, disableRoomNameConstraints);
|
||||
else
|
||||
claims, msg = token_util.verify_token(token, appId, appSecret, disableRoomNameConstraints);
|
||||
end
|
||||
if claims ~= nil then
|
||||
-- Binds room name to the session which is later checked on MUC join
|
||||
session.jitsi_meet_room = claims["room"];
|
||||
return true;
|
||||
else
|
||||
return false, "not-allowed", msg;
|
||||
end
|
||||
return token_util:process_and_verify_token(session, token);
|
||||
end
|
||||
|
||||
return new_sasl(host, { anonymous = get_username_from_token });
|
||||
|
|
|
@ -21,15 +21,17 @@ if parentCtx == nil then
|
|||
return;
|
||||
end
|
||||
|
||||
local appId = parentCtx:get_option_string("app_id");
|
||||
local appSecret = parentCtx:get_option_string("app_secret");
|
||||
local allowEmptyToken = parentCtx:get_option_boolean("allow_empty_token");
|
||||
local disableRoomNameConstraints = parentCtx:get_option_boolean("disable_room_name_constraints")
|
||||
local token_util = module:require "token/util".new(parentCtx);
|
||||
|
||||
-- no token configuration
|
||||
if token_util == nil then
|
||||
return;
|
||||
end
|
||||
|
||||
log("debug",
|
||||
"%s - starting MUC token verifier app_id: %s app_secret: %s allow empty: %s",
|
||||
tostring(host), tostring(appId), tostring(appSecret),
|
||||
tostring(allowEmptyToken));
|
||||
tostring(host), tostring(token_util.appId), tostring(token_util.appSecret),
|
||||
tostring(token_util.allowEmptyToken));
|
||||
|
||||
local function verify_user(session, stanza)
|
||||
log("debug", "Session token: %s, session room: %s",
|
||||
|
@ -43,32 +45,18 @@ local function verify_user(session, stanza)
|
|||
return nil;
|
||||
end
|
||||
|
||||
if allowEmptyToken and session.auth_token == nil then
|
||||
module:log(
|
||||
"debug",
|
||||
"Skipped room token verification - empty tokens are allowed");
|
||||
return nil;
|
||||
end
|
||||
|
||||
local room = string.match(stanza.attr.to, "^(%w+)@");
|
||||
log("debug", "Will verify token for user: %s, room: %s ", user_jid, room);
|
||||
if room == nil then
|
||||
log("error",
|
||||
"Unable to get name of the MUC room ? to: %s", stanza.attr.to);
|
||||
return nil;
|
||||
end
|
||||
|
||||
local token = session.auth_token;
|
||||
local auth_room = session.jitsi_meet_room;
|
||||
if disableRoomNameConstraints ~= true and room ~= string.lower(auth_room) then
|
||||
log("debug",
|
||||
"Will verify token for user: %s, room: %s ", user_jid, stanza.attr.to);
|
||||
if not token_util:verify_room(session, stanza.attr.to) then
|
||||
log("error", "Token %s not allowed to join: %s",
|
||||
tostring(token), tostring(auth_room));
|
||||
tostring(session.auth_token), tostring(session.jitsi_meet_room));
|
||||
session.send(
|
||||
st.error_reply(
|
||||
stanza, "cancel", "not-allowed", "Room and token mismatched"));
|
||||
return true;
|
||||
return false; -- we need to just return non nil
|
||||
end
|
||||
log("debug", "allowed: %s to enter/create room: %s", user_jid, room);
|
||||
log("debug",
|
||||
"allowed: %s to enter/create room: %s", user_jid, stanza.attr.to);
|
||||
end
|
||||
|
||||
module:hook("muc-room-pre-create", function(event)
|
||||
|
|
|
@ -1,13 +1,123 @@
|
|||
-- Token authentication
|
||||
-- Copyright (C) 2015 Atlassian
|
||||
|
||||
local basexx = require "basexx";
|
||||
local have_async, async = pcall(require, "util.async");
|
||||
local hex = require "util.hex";
|
||||
local jwt = require "luajwtjitsi";
|
||||
local http = require "net.http";
|
||||
local json = require "cjson";
|
||||
local path = require "util.paths";
|
||||
local sha256 = require "util.hashes".sha256;
|
||||
local timer = require "util.timer";
|
||||
|
||||
local _M = {};
|
||||
local http_timeout = 30;
|
||||
local http_headers = {
|
||||
["User-Agent"] = "Prosody ("..prosody.version.."; "..prosody.platform..")"
|
||||
};
|
||||
|
||||
local function _verify_token(token, appId, appSecret, disableRoomNameConstraints)
|
||||
-- TODO: Figure out a less arbitrary default cache size.
|
||||
local cacheSize = module:get_option_number("jwt_pubkey_cache_size", 128);
|
||||
local cache = require"util.cache".new(cacheSize);
|
||||
|
||||
local claims, err = jwt.decode(token, appSecret, true);
|
||||
local Util = {}
|
||||
Util.__index = Util
|
||||
|
||||
--- Constructs util class for token verifications.
|
||||
-- Constructor that uses the passed module to extract all the
|
||||
-- needed configurations.
|
||||
-- If confuguration is missing returns nil
|
||||
-- @param module the module in which options to check for configs.
|
||||
-- @return the new instance or nil
|
||||
function Util.new(module)
|
||||
local self = setmetatable({}, Util)
|
||||
|
||||
self.appId = module:get_option_string("app_id");
|
||||
self.appSecret = module:get_option_string("app_secret");
|
||||
self.asapKeyServer = module:get_option_string("asap_key_server");
|
||||
self.allowEmptyToken = module:get_option_boolean("allow_empty_token");
|
||||
self.disableRoomNameConstraints = module:get_option_boolean("disable_room_name_constraints");
|
||||
|
||||
if self.allowEmptyToken == true then
|
||||
module:log("warn", "WARNING - empty tokens allowed");
|
||||
end
|
||||
|
||||
if self.appId == nil then
|
||||
module:log("error", "'app_id' must not be empty");
|
||||
return nil;
|
||||
end
|
||||
|
||||
if self.appSecret == nil and self.asapKeyServer == nil then
|
||||
module:log("error", "'app_secret' or 'asap_key_server' must be specified");
|
||||
return nil;
|
||||
end
|
||||
|
||||
if self.asapKeyServer and not have_async then
|
||||
module:log("error", "requires a version of Prosody with util.async");
|
||||
return nil;
|
||||
end
|
||||
|
||||
return self
|
||||
end
|
||||
|
||||
--- Returns the public key by keyID
|
||||
-- @param keyId the key ID to request
|
||||
-- @return the public key (the content of requested resource) or nil
|
||||
function Util:get_public_key(keyId)
|
||||
local content = cache:get(keyId);
|
||||
if content == nil then
|
||||
-- If the key is not found in the cache.
|
||||
module:log("debug", "Cache miss for key: "..keyId);
|
||||
local code;
|
||||
local wait, done = async.waiter();
|
||||
local function cb(content_, code_, response_, request_)
|
||||
content, code = content_, code_;
|
||||
if code == 200 or code == 204 then
|
||||
cache:set(keyId, content);
|
||||
end
|
||||
done();
|
||||
end
|
||||
local keyurl = path.join(self.asapKeyServer, hex.to(sha256(keyId))..'.pem');
|
||||
module:log("debug", "Fetching public key from: "..keyurl);
|
||||
|
||||
-- We hash the key ID to work around some legacy behavior and make
|
||||
-- deployment easier. It also helps prevent directory
|
||||
-- traversal attacks (although path cleaning could have done this too).
|
||||
local request = http.request(keyurl, {
|
||||
headers = http_headers or {},
|
||||
method = "GET"
|
||||
}, cb);
|
||||
|
||||
-- TODO: Is the done() call racey? Can we cancel this if the request
|
||||
-- succeedes?
|
||||
local function cancel()
|
||||
-- TODO: This check is racey. Not likely to be a problem, but we should
|
||||
-- still stick a mutex on content / code at some point.
|
||||
if code == nil then
|
||||
http.destroy_request(request);
|
||||
done();
|
||||
end
|
||||
end
|
||||
timer.add_task(http_timeout, cancel);
|
||||
wait();
|
||||
|
||||
if code == 200 or code == 204 then
|
||||
return content;
|
||||
end
|
||||
else
|
||||
-- If the key is in the cache, use it.
|
||||
module:log("debug", "Cache hit for key: "..keyId);
|
||||
return content;
|
||||
end
|
||||
|
||||
return nil;
|
||||
end
|
||||
|
||||
--- Verifies token
|
||||
-- @param token the token to verify
|
||||
-- @return nil and error or the extracted claims from the token
|
||||
function Util:verify_token(token)
|
||||
local claims, err = jwt.decode(token, self.appSecret, true);
|
||||
if claims == nil then
|
||||
return nil, err;
|
||||
end
|
||||
|
@ -21,20 +131,94 @@ local function _verify_token(token, appId, appSecret, disableRoomNameConstraints
|
|||
if issClaim == nil then
|
||||
return nil, "'iss' claim is missing";
|
||||
end
|
||||
if issClaim ~= appId then
|
||||
if issClaim ~= self.appId then
|
||||
return nil, "Invalid application ID('iss' claim)";
|
||||
end
|
||||
|
||||
local roomClaim = claims["room"];
|
||||
if roomClaim == nil and disableRoomNameConstraints ~= true then
|
||||
if roomClaim == nil and self.disableRoomNameConstraints ~= true then
|
||||
return nil, "'room' claim is missing";
|
||||
end
|
||||
|
||||
return claims;
|
||||
end
|
||||
|
||||
function _M.verify_token(token, appId, appSecret, disableRoomNameConstraints)
|
||||
return _verify_token(token, appId, appSecret, disableRoomNameConstraints);
|
||||
--- Verifies token and process needed values to be stored in the session.
|
||||
-- Stores in session the following values:
|
||||
-- session.jitsi_meet_room - the room name value from the token
|
||||
-- @param session the current session
|
||||
-- @param token the token to verify
|
||||
-- @return false and error
|
||||
function Util:process_and_verify_token(session, token)
|
||||
|
||||
if token == nil then
|
||||
if self.allowEmptyToken then
|
||||
return true;
|
||||
else
|
||||
return false, "not-allowed", "token required";
|
||||
end
|
||||
end
|
||||
|
||||
return _M;
|
||||
local pubKey;
|
||||
if self.asapKeyServer and session.auth_token ~= nil then
|
||||
local dotFirst = session.auth_token:find("%.");
|
||||
if not dotFirst then return nil, "Invalid token" end
|
||||
local header = json.decode(basexx.from_url64(session.auth_token:sub(1,dotFirst-1)));
|
||||
local kid = header["kid"];
|
||||
if kid == nil then
|
||||
return false, "not-allowed", "'kid' claim is missing";
|
||||
end
|
||||
pubKey = self:get_public_key(kid);
|
||||
if pubKey == nil then
|
||||
return false, "not-allowed", "could not obtain public key";
|
||||
end
|
||||
end
|
||||
|
||||
-- now verify the whole token
|
||||
local claims, msg;
|
||||
if self.asapKeyServer then
|
||||
claims, msg = self:verify_token(token);
|
||||
else
|
||||
claims, msg = self:verify_token(token);
|
||||
end
|
||||
if claims ~= nil then
|
||||
-- Binds room name to the session which is later checked on MUC join
|
||||
session.jitsi_meet_room = claims["room"];
|
||||
return true;
|
||||
else
|
||||
return false, "not-allowed", msg;
|
||||
end
|
||||
end
|
||||
|
||||
--- Verifies room name if necesarry.
|
||||
-- Checks configs and if necessary checks the room name extracted from
|
||||
-- room_address against the one saved in the session when token was verified
|
||||
-- @param session the current session
|
||||
-- @param room_address the whole room address as received
|
||||
-- @return returns true in case room was verified or there is no need to verify
|
||||
-- it and returns false in case verification was processed
|
||||
-- and was not successful
|
||||
function Util:verify_room(session, room_address)
|
||||
if self.allowEmptyToken and session.auth_token == nil then
|
||||
module:log(
|
||||
"debug",
|
||||
"Skipped room token verification - empty tokens are allowed");
|
||||
return true;
|
||||
end
|
||||
|
||||
local room = string.match(room_address, "^(%w+)@");
|
||||
if room == nil then
|
||||
log("error",
|
||||
"Unable to get name of the MUC room ? to: %s", room_address);
|
||||
return true;
|
||||
end
|
||||
|
||||
local auth_room = session.jitsi_meet_room;
|
||||
if self.disableRoomNameConstraints ~= true and room ~= string.lower(auth_room) then
|
||||
return false;
|
||||
end
|
||||
|
||||
return true;
|
||||
end
|
||||
|
||||
return Util;
|
||||
|
|
Loading…
Reference in New Issue