haskal
/
jiti-meet
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

New JWT token impl that does not require token verification in Jicofo and uses anonymous authentication method(token goes as BOSH query param). Adds 'allow_empty_token" config option.

This commit is contained in:
paweldomas 2015-12-22 19:51:43 +01:00
parent baf31aa9f3
commit 9d60af1a9d
8 changed files with 171 additions and 94 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
debian/control vendored
View File

@ -35,6 +35,6 @@ Description: Prosody configuration for Jitsi Meet
Package: jitsi-meet-tokens
Architecture: all
Depends: ${misc:Depends}, prosody | prosody-trunk, jitsi-meet-prosody
Depends: ${misc:Depends}, prosody-trunk (>= 1nightly603), libssl-dev, luarocks, jitsi-meet-prosody
Description: Prosody token authentication plugin for Jitsi Meet

24
debian/jitsi-meet-tokens.postinst vendored
View File

@ -62,25 +62,23 @@ case "$1" in
sed -i 's/--plugin_paths/plugin_paths/g' $PROSODY_HOST_CONFIG
sed -i 's/authentication = "anonymous"/authentication = "token"/g' $PROSODY_HOST_CONFIG
sed -i 's/ --allow_unencrypted_plain_auth/ allow_unencrypted_plain_auth/g' $PROSODY_HOST_CONFIG
sed -i "s/ --app_id=example_app_id/ app_id=$APP_ID/g" $PROSODY_HOST_CONFIG
sed -i "s/ --app_secret=example_app_secret/ app_secret=$APP_SECRET/g" $PROSODY_HOST_CONFIG
sed -i "s/ --app_id=\"example_app_id\"/ app_id=\"$APP_ID\"/g" $PROSODY_HOST_CONFIG
sed -i "s/ --app_secret=\"example_app_secret\"/ app_secret=\"$APP_SECRET\"/g" $PROSODY_HOST_CONFIG
sed -i 's/ --modules_enabled = { "token_verification" }/ modules_enabled = { "token_verification" }/g' $PROSODY_HOST_CONFIG
# Configure Jicofo properties
JICOFO_CONFIG="/etc/jitsi/jicofo/sip-communicator.properties"
if ! grep -q "org.jitsi.jicofo.auth.jwt.APP_ID" $JICOFO_CONFIG && \
! grep -q "org.jitsi.jicofo.auth.jwt.APP_SECRET" $JICOFO_CONFIG; then
echo "org.jitsi.jicofo.auth.jwt.APP_ID=$APP_ID" >> $JICOFO_CONFIG
echo "org.jitsi.jicofo.auth.jwt.APP_SECRET=$APP_SECRET" >> $JICOFO_CONFIG
# Restart Jicofo
if [ -x "/etc/init.d/jicofo" ]; then
invoke-rc.d jicofo restart
fi
# Install luajwt
if ! luarocks install luajwt; then
echo "Failed to install luajwt - try installing it manually"
fi
if [ -x "/etc/init.d/prosody" ]; then
invoke-rc.d prosody reload
invoke-rc.d prosody restart
fi
echo "This package requires BOSH Prosody module to be patched !"
echo "Use the following command, after this package has been installed and"
echo "after every prosody-trunk upgrade:"
echo "sudo patch -N /usr/lib/prosody/modules/mod_bosh.lua /usr/share/jitsi-meet/prosody-plugins/mod_bosh.lua.patch"
else
echo "Failed apply auto-config to $PROSODY_HOST_CONFIG which most likely comes from not supported version of jitsi-meet"
fi

21
debian/jitsi-meet-tokens.postrm vendored
View File

@ -39,27 +39,12 @@ case "$1" in
# Revert prosody config
sed -i 's/plugin_paths/--plugin_paths/g' $PROSODY_HOST_CONFIG
sed -i 's/authentication = "token"/authentication = "anonymous"/g' $PROSODY_HOST_CONFIG
sed -i 's/ allow_unencrypted_plain_auth/ --allow_unencrypted_plain_auth/g' $PROSODY_HOST_CONFIG
sed -i "s/ app_id=$APP_ID/ --app_id=example_app_id/g" $PROSODY_HOST_CONFIG
sed -i "s/ app_secret=$APP_SECRET/ --app_secret=example_app_secret/g" $PROSODY_HOST_CONFIG
sed -i "s/ app_id=\"$APP_ID\"/ --app_id=\"example_app_id\"/g" $PROSODY_HOST_CONFIG
sed -i "s/ app_secret=\"$APP_SECRET\"/ --app_secret=\"example_app_secret\"/g" $PROSODY_HOST_CONFIG
sed -i 's/ modules_enabled = { "token_verification" }/ --modules_enabled = { "token_verification" }/g' $PROSODY_HOST_CONFIG
JICOFO_CONFIG="/etc/jitsi/jicofo/sip-communicator.properties"
if [ -f "$JICOFO_CONFIG" ] ; then
if grep -q "org.jitsi.jicofo.auth.jwt.APP_ID" $JICOFO_CONFIG || \
grep -q "org.jitsi.jicofo.auth.jwt.APP_SECRET" $JICOFO_CONFIG; then
sed -i.old "/org.jitsi.jicofo.auth.jwt.APP_ID=$APP_ID/d" $JICOFO_CONFIG
sed -i.old "/org.jitsi.jicofo.auth.jwt.APP_SECRET=$APP_SECRET/d" $JICOFO_CONFIG
rm "$JICOFO_CONFIG.old"
# Restart Jicofo
if [ -x "/etc/init.d/jicofo" ]; then
invoke-rc.d jicofo restart
fi
fi
fi
if [ -x "/etc/init.d/prosody" ]; then
invoke-rc.d prosody reload
invoke-rc.d prosody restart
fi
fi

7
doc/debian/jitsi-meet-prosody/prosody.cfg.lua-jvb.example
View File

@ -4,11 +4,10 @@
VirtualHost "jitmeet.example.com"
-- enabled = false -- Remove this line to enable this host
authentication = "anonymous"
-- Three properties below get uncommented by jitsi-meet-tokens package config
-- Properties below are modified by jitsi-meet-tokens package config
-- and authentication above is switched to "token"
--allow_unencrypted_plain_auth = true;
--app_id=example_app_id
--app_secret=example_app_secret
--app_id="example_app_id"
--app_secret="example_app_secret"
-- Assign this host a certificate for TLS, otherwise it would use the one
-- set in the global section (if any).
-- Note that old-style SSL on port 5223 only supports one certificate, and will always

115
prosody-plugins/mod_auth_token.lua
View File

@ -1,41 +1,46 @@
-- Token authentication
-- Copyright (C) 2015 Atlassian
local usermanager = require "core.usermanager";
local generate_uuid = require "util.uuid".generate;
local new_sasl = require "util.sasl".new;
local log = module._log;
local host = module.host;
local sasl = require "util.sasl";
local formdecode = require "util.http".formdecode;
local token_util = module:require "token/util";
-- define auth provider
local provider = {};
--do
-- local list;
-- for mechanism in pairs(new_sasl(module.host):mechanisms()) do
-- list = (not(list) and mechanism) or (list..", "..mechanism);
-- end
-- if not list then
-- module:log("error", "No mechanisms");
-- else
-- module:log("error", "Mechanisms: %s", list);
-- end
--end
local host = module.host;
local appId = module:get_option_string("app_id");
local appSecret = module:get_option_string("app_secret");
local allowEmptyToken = module:get_option_boolean("allow_empty_token");
if allowEmptyToken == true then
module:log("warn", "WARNING - empty tokens allowed");
end
if appId == nil then
module:log("error", "'app_id' must not be empty");
return;
end
if appSecret == nil then
module:log("error", "'app_secret' must not be empty");
return;
end
-- Extract 'token' param from BOSH URL when session is created
module:hook("bosh-session", function(event)
local session, request = event.session, event.request;
local query = request.url.query;
if query ~= nil then
session.auth_token = query and formdecode(query).token or nil;
end
end)
function provider.test_password(username, password)
local result, msg = token_util.verify_password(password, appId, appSecret, nil);
if result == true then
return true;
else
log("error", "Token auth failed for user %s, reason: %s",username, msg);
return nil, msg;
end
return nil, "Password based auth not supported";
end
function provider.get_password(username)
@ -50,10 +55,6 @@ function provider.user_exists(username)
return nil;
end
function provider.users()
return next, hosts[module.host].sessions, nil;
end
function provider.create_user(username, password)
return nil;
end
@ -62,13 +63,59 @@ function provider.delete_user(username)
return nil;
end
function provider.get_sasl_handler()
local testpass_authentication_profile = {
plain_test = function(sasl, username, password, realm)
return usermanager.test_password(username, realm, password), true;
function provider.get_sasl_handler(session)
-- JWT token extracted from BOSH URL
local token = session.auth_token;
local function get_username_from_token(self, message)
if token == nil then
if allowEmptyToken == true then
return true;
else
return false, "not-allowed", "token required";
end
end
};
return new_sasl(host, testpass_authentication_profile);
-- here we check if 'room' claim exists
local room, roomErr = token_util.get_room_name(token, appSecret);
if room == nil then
return false, "not-allowed", roomErr;
end
-- now verify the whole token
local result, msg
= token_util.verify_token(token, appId, appSecret, room);
if result == true then
-- Binds room name to the session which is later checked on MUC join
session.jitsi_meet_room = room;
return true
else
return false, "not-allowed", msg
end
end
return new_sasl(host, { anonymous = get_username_from_token });
end
module:provides("auth", provider);
local function anonymous(self, message)
local username = generate_uuid();
-- This calls the handler created in 'provider.get_sasl_handler(session)'
local result, err, msg = self.profile.anonymous(self, username, self.realm);
self.username = username;
if result == true then
return "success"
else
return "failure", err, msg
end
end
sasl.registerMechanism("ANONYMOUS", {"anonymous"}, anonymous);

12
prosody-plugins/mod_bosh.lua.patch Normal file
View File

@ -0,0 +1,12 @@
--- /usr/lib/prosody/modules/mod_bosh.lua 2015-12-16 14:28:34.000000000 -0600
+++ /usr/lib/prosody/modules/mod_bosh.lua 2015-12-22 10:45:59.818197967 -0600
@@ -294,6 +294,9 @@
session.log("debug", "BOSH session created for request from %s", session.ip);
log("info", "New BOSH session, assigned it sid '%s'", sid);
+
+ hosts[session.host].events.fire_event(
+ "bosh-session", { session = session, request = request });
-- Send creation response
local creating_session = true;

59
prosody-plugins/mod_token_verification.lua
View File

@ -4,7 +4,6 @@
local log = module._log;
local host = module.host;
local st = require "util.stanza";
local token_util = module:require("token/util");
local is_admin = require "core.usermanager".is_admin;
@ -16,23 +15,35 @@ end
local parentCtx = module:context(parentHostName);
if parentCtx == nil then
log("error", "Failed to start - unable to get parent context for host: %s", tostring(parentHostName));
log("error",
"Failed to start - unable to get parent context for host: %s",
tostring(parentHostName));
return;
end
local appId = parentCtx:get_option_string("app_id");
local appSecret = parentCtx:get_option_string("app_secret");
local allowEmptyToken = parentCtx:get_option_boolean("allow_empty_token");
log("debug", "%s - starting MUC token verifier app_id: %s app_secret: %s",
tostring(host), tostring(appId), tostring(appSecret));
log("debug",
"%s - starting MUC token verifier app_id: %s app_secret: %s allow empty: %s",
tostring(host), tostring(appId), tostring(appSecret),
tostring(allowEmptyToken));
local function handle_pre_create(event)
local function verify_user(session, stanza)
log("debug", "Session token: %s, session room: %s",
tostring(session.auth_token),
tostring(session.jitsi_meet_room));
local origin, stanza = event.origin, event.stanza;
local token = stanza:get_child("token", "http://jitsi.org/jitmeet/auth-token");
if allowEmptyToken and session.auth_token == nil then
module:log(
"debug",
"Skipped room token verification - empty tokens are allowed");
return nil;
end
-- token not required for admin users
local user_jid = stanza.attr.from;
local user_jid = stanza.attr.from;
if is_admin(user_jid) then
log("debug", "Token not required from admin user: %s", user_jid);
return nil;
@ -41,21 +52,33 @@ local function handle_pre_create(event)
local room = string.match(stanza.attr.to, "^(%w+)@");
log("debug", "Will verify token for user: %s, room: %s ", user_jid, room);
if room == nil then
log("error", "Unable to get name of the MUC room ? to: %s", stanza.attr.to);
log("error",
"Unable to get name of the MUC room ? to: %s", stanza.attr.to);
return nil;
end
if token ~= nil then
token = token[1];
end
local result, msg = token_util.verify_password(token, appId, appSecret, room);
if result ~= true then
log("debug", "Token verification failed: %s", msg);
origin.send(st.error_reply(stanza, "cancel", "not-allowed", msg));
local token = session.auth_token;
local auth_room = session.jitsi_meet_room;
if room ~= auth_room then
log("error", "Token %s not allowed to join: %s",
tostring(token), tostring(auth_room));
session.send(
st.error_reply(
stanza, "cancel", "not-allowed", "Room and token mismatched"));
return true;
end
log("debug", "allowed: %s to enter/create room: %s", user_jid, room);
end
module:hook("muc-room-pre-create", handle_pre_create);
module:hook("muc-room-pre-create", function(event)
local origin, stanza = event.origin, event.stanza;
log("debug", "pre create: %s %s", tostring(origin), tostring(stanza));
return verify_user(origin, stanza);
end);
module:hook("muc-occupant-pre-join", function(event)
local origin, room, stanza = event.origin, event.room, event.stanza;
log("debug", "pre join: %s %s", tostring(room), tostring(stanza));
return verify_user(origin, stanza);
end);

25
prosody-plugins/token/util.lib.lua
View File

@ -5,9 +5,18 @@ local jwt = require "luajwt";
local _M = {};
local function verify_password_impl(password, appId, appSecret, roomName)
local function _get_room_name(token, appSecret)
local claims, err = jwt.decode(token, appSecret);
if claims ~= nil then
return claims["room"];
else
return nil, err;
end
end
local claims, err = jwt.decode(password, appSecret, true);
local function _verify_token(token, appId, appSecret, roomName)
local claims, err = jwt.decode(token, appSecret, true);
if claims == nil then
return nil, err;
end
@ -27,12 +36,16 @@ local function verify_password_impl(password, appId, appSecret, roomName)
if roomName ~= nil and roomName ~= roomClaim then
return nil, "Invalid room name('room' claim)";
end
return true;
end
function _M.verify_password(password, appId, appSecret, roomName)
return verify_password_impl(password, appId, appSecret, roomName);
function _M.verify_token(token, appId, appSecret, roomName)
return _verify_token(token, appId, appSecret, roomName);
end
return _M;
function _M.get_room_name(token, appSecret)
return _get_room_name(token, appSecret);
end
return _M;