FIX: add flag to control whether to check room claim in JWT validation

Jibri queue component stops checking room validation in token
Jibri queue component emits debug output when a bad token is found
This commit is contained in:
Aaron van Meerten 2020-08-12 14:43:34 -05:00
parent 3da7798e9f
commit d05fa32413
2 changed files with 22 additions and 10 deletions


@ -62,8 +62,11 @@ token_util:set_asap_accepted_issuers(ASAPAcceptedIssuers);
local ASAPAcceptedAudiences local ASAPAcceptedAudiences
= module:get_option_array('asap_accepted_audiences',{'*'}); = module:get_option_array('asap_accepted_audiences',{'*'});
module:log("info", "ASAP Accepted Audiences %s", ASAPAcceptedAudiences); module:log("info", "ASAP Accepted Audiences %s", ASAPAcceptedAudiences);
token_util:set_asap_accepted_audiences(ASAPAcceptedAudiences); token_util:set_asap_accepted_audiences(ASAPAcceptedAudiences);
-- do not require room to be set on tokens for jibri queue
token_util:set_asap_require_room_claim(false);
local ASAPTTL local ASAPTTL
= module:get_option_number("asap_ttl", 3600); = module:get_option_number("asap_ttl", 3600);
@ -410,14 +413,15 @@ function verify_token(token, room_jid, session)
local verified, reason, message = token_util:process_and_verify_token(session); local verified, reason, message = token_util:process_and_verify_token(session);
if not verified then if not verified then
log("warn", "not a valid token %s: %s", tostring(reason), tostring(message)); log("warn", "not a valid token %s: %s", tostring(reason), tostring(message));
log("debug", "invalid token %s", token);
return false; return false;
end end
if not token_util:verify_room(session, room_jid) then -- if not token_util:verify_room(session, room_jid) then
log("warn", "Token %s not allowed to access: %s", -- log("warn", "Token %s not allowed to access: %s",
tostring(token), tostring(room_jid)); -- tostring(token), tostring(room_jid));
return false; -- return false;
end -- end
return true; return true;
end end
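Review bot: The added `log("debug", "invalid token %s", token);` right after the warn message writes the complete bearer token to the log, so a deployment running at debug level accumulates credentials that may only be expired or issued for another audience and still be accepted elsewhere; prefer a non-reusable fragment such as `log("debug", "invalid token (prefix) %s...", tostring(token):sub(1, 12));`, or a digest if the module already has a hashing helper in scope. The five commented-out `verify_room` lines that follow are dead code now that room enforcement is governed by the `token_util:set_asap_require_room_claim(false)` call in the first hunk; deleting them and leaving a one-line comment pointing at that setting would read better than keeping them. That unconditional `set_asap_require_room_claim(false)` also overrides whatever `asap_require_room_claim` an operator configures for this component, so the comment above it could state that the option is deliberately ignored here. verify_token begins before this hunk.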


@ -92,6 +92,8 @@ function Util.new(module)
--array of accepted audiences: by default only includes our appId --array of accepted audiences: by default only includes our appId
self.acceptedAudiences = module:get_option_array('asap_accepted_audiences',{'*'}) self.acceptedAudiences = module:get_option_array('asap_accepted_audiences',{'*'})
self.requireRoomClaim = module:get_option_boolean('asap_require_room_claim', true);
if self.asapKeyServer and not have_async then if self.asapKeyServer and not have_async then
module:log("error", "requires a version of Prosody with util.async"); module:log("error", "requires a version of Prosody with util.async");
return nil; return nil;
@ -112,6 +114,10 @@ function Util:set_asap_accepted_audiences(acceptedAudiences)
self.acceptedAudiences = acceptedAudiences; self.acceptedAudiences = acceptedAudiences;
end end
function Util:set_asap_require_room_claim(checkRoom)
self.requireRoomClaim = checkRoom;
end
--- Returns the public key by keyID --- Returns the public key by keyID
-- @param keyId the key ID to request -- @param keyId the key ID to request
-- @return the public key (the content of requested resource) or nil -- @return the public key (the content of requested resource) or nil
@ -222,9 +228,11 @@ function Util:verify_token(token, secret)
return nil, issCheckErr; return nil, issCheckErr;
end end
local roomClaim = claims["room"]; if self.requireRoomClaim then
if roomClaim == nil then local roomClaim = claims["room"];
return nil, "'room' claim is missing"; if roomClaim == nil then
return nil, "'room' claim is missing";
end
end end
local audClaim = claims["aud"]; local audClaim = claims["aud"];
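Review bot: The new `Util:set_asap_require_room_claim(checkRoom)` lacks the LDoc block its neighbours carry (compare `--- Returns the public key by keyID` just below it) and stores its argument unchecked, so a caller passing `nil` by mistake silently disables the room-claim check that the constructor defaults to `true`. Suggest documenting it as `--- Sets whether verify_token requires a 'room' claim; defaults to the asap_require_room_claim option (true).` and failing closed on anything other than an explicit `false`, e.g. `self.requireRoomClaim = (checkRoom ~= false);`. In Util.new the added assignment ends with a semicolon while the surrounding assignments do not; match the file's convention. Util:verify_token begins and continues outside the last hunk.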