
feat: Adds an option to validate a recording token.

master
damencho 4 gadus atpakaļ
vecāks
revīzija
6d3d15a64b

+ 32
- 7
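--- a/resources/prosody-plugins/mod_filter_iq_jibri.lua
+++ b/resources/prosody-plugins/mod_filter_iq_jibri.lua
@@ -1,5 +1,8 @@
 local st = require "util.stanza";
 local is_feature_allowed = module:require "util".is_feature_allowed;
+local token_util = module:require "token/util".new(module);
+
+local accepted_rayo_iq_token_issuers = module:get_option_array("accepted_rayo_iq_token_issuers");
 
 -- filters jibri iq in case of requested from jwt authenticated session that
 -- has features in the user context, but without feature for recording
@@ -11,15 +14,37 @@
             local session = event.origin;
             local token = session.auth_token;
 
-            if jibri.attr.action == 'start'
-                and (token == nil
+            if jibri.attr.action == 'start' then
+                local errorReason;
+                if accepted_rayo_iq_token_issuers then
+                    local iq_token = jibri.attr.token;
+                    if iq_token then
+                        local session = {};
+                        session.auth_token = iq_token;
+                        local verified, reason = token_util:process_and_verify_token(
+                            session, accepted_rayo_iq_token_issuers);
+                        if verified then
+                            return nil; -- this will proceed with dispatching the stanza
+                        end
+                        errorReason = reason;
+                    else
+                        errorReason = 'No recording token provided';
+                    end
+
+                    module:log("warn", "not a valid token %s", tostring(errorReason));
+                    session.send(st.error_reply(stanza, "auth", "forbidden"));
+                    return true;
+                end
+
+                if token == nil
                     or not is_feature_allowed(session,
-                        (jibri.attr.recording_mode == 'file' and 'recording' or 'livestreaming'))
+                    (jibri.attr.recording_mode == 'file' and 'recording' or 'livestreaming')
                 ) then
-                module:log("info",
-                    "Filtering jibri start recording, stanza:%s", tostring(stanza));
-                session.send(st.error_reply(stanza, "auth", "forbidden"));
-                return true;
+                    module:log("info",
+                        "Filtering jibri start recording, stanza:%s", tostring(stanza));
+                    session.send(st.error_reply(stanza, "auth", "forbidden"));
+                    return true;
+                end
             end
         end
     end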
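Review bot: `local session = {};` at new line 22 shadows the outer `session` (`event.origin`) for the rest of the `if iq_token` block, which makes the later `session.send(...)` at new line 35 read as if it used the throwaway table; a distinct name, `local token_session = { auth_token = iq_token };` passed to `process_and_verify_token`, removes the ambiguity. Because `process_and_verify_token` binds the token's room name and context into the session table it is given (see the comment at util.lib.lua new line 287), with a throwaway table those bindings are discarded and nothing here ties the verified recording token to the conference the IQ is for — if that is intended, say so in a comment on the `return nil` line; if not, that comparison belongs before it. Note also that once `accepted_rayo_iq_token_issuers` is configured this branch always returns, so the feature-based check at new lines 39-47 applies only to deployments without the option; a short comment above new line 19 stating that would help operators reading the config. The enclosing hook handler starts before the hunk.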

+ 15
- 8
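--- a/resources/prosody-plugins/token/util.lib.lua
+++ b/resources/prosody-plugins/token/util.lib.lua
@@ -159,9 +159,10 @@
 
 --- Verifies issuer part of token
 -- @param 'iss' claim from the token to verify
+-- @param 'acceptedIssuers' list of issuers to check
 -- @return nil and error string or true for accepted claim
-function Util:verify_issuer(issClaim)
-    for i, iss in ipairs(self.acceptedIssuers) do
+function Util:verify_issuer(issClaim, acceptedIssuers)
+    for i, iss in ipairs(acceptedIssuers) do
         if issClaim == iss then
             --claim matches an accepted issuer so return success
             return true;
@@ -192,8 +193,9 @@
 --- Verifies token
 -- @param token the token to verify
 -- @param secret the secret to use to verify token
+-- @param acceptedIssuers the list of accepted issuers to check
 -- @return nil and error or the extracted claims from the token
-function Util:verify_token(token, secret)
+function Util:verify_token(token, secret, acceptedIssuers)
     local claims, err = jwt.decode(token, secret, true);
     if claims == nil then
         return nil, err;
@@ -209,7 +211,7 @@
         return nil, "'iss' claim is missing";
     end
     --check the issuer against the accepted list
-    local issCheck, issCheckErr = self:verify_issuer(issClaim);
+    local issCheck, issCheckErr = self:verify_issuer(issClaim, acceptedIssuers);
     if issCheck == nil then
         return nil, issCheckErr;
     end
@@ -241,8 +243,13 @@
 -- session.jitsi_meet_context_group - the group value from the token
 -- session.jitsi_meet_context_features - the features value from the token
 -- @param session the current session
+-- @param acceptedIssuers optional list of accepted issuers to check
 -- @return false and error
-function Util:process_and_verify_token(session)
+function Util:process_and_verify_token(session, acceptedIssuers)
+    if not acceptedIssuers then
+        acceptedIssuers = self.acceptedIssuers;
+    end
+
     if session.auth_token == nil then
         if self.allowEmptyToken then
             return true;
@@ -272,9 +279,9 @@
     -- now verify the whole token
     local claims, msg;
     if self.asapKeyServer then
-        claims, msg = self:verify_token(session.auth_token, pubKey);
+        claims, msg = self:verify_token(session.auth_token, pubKey, acceptedIssuers);
     else
-        claims, msg = self:verify_token(session.auth_token, self.appSecret);
+        claims, msg = self:verify_token(session.auth_token, self.appSecret, acceptedIssuers);
     end
     if claims ~= nil then
         -- Binds room name to the session which is later checked on MUC join
@@ -401,4 +408,4 @@
     end
 end
 
-return Util;
+return Util;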
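Review bot: `Util:verify_token` at new line 198 gains an `acceptedIssuers` parameter but, unlike `process_and_verify_token` at new lines 249-251, has no fallback to `self.acceptedIssuers`; any other caller that still passes two arguments (none is visible in this diff) would forward `nil` to `verify_issuer`, where `ipairs(nil)` raises instead of producing the documented `nil, err` return. Adding `acceptedIssuers = acceptedIssuers or self.acceptedIssuers;` as the first statement of `verify_token` keeps the previous behaviour for such callers. The `if not acceptedIssuers` fallback also lets an empty list through, which `verify_issuer` then rejects for every issuer — the `@param` line at new line 246 should state whether an empty list is meant to deny all tokens. The `-return Util;`/`+return Util;` pair at new line 411 differs only in something the rendered page does not show, most likely the trailing newline.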
