jfinn
/
jitsi_app_c0
Watch 1
Star 0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
3973 Commits
2 Branches
Tree: 1d90826098
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '1d90826098'
${ noResults }
jitsi_app_c0/resources/prosody-plugins/token/util.lib.lua

util.lib.lua 14KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376 
  1. -- Token authentication

  2. -- Copyright (C) 2015 Atlassian

  3. 

  4. local basexx = require "basexx";

  5. local have_async, async = pcall(require, "util.async");

  6. local hex = require "util.hex";

  7. local jwt = require "luajwtjitsi";

  8. local http = require "net.http";

  9. local jid = require "util.jid";

  10. local json = require "cjson";

  11. local path = require "util.paths";

  12. local sha256 = require "util.hashes".sha256;

  13. local timer = require "util.timer";

  14. 

  15. local http_timeout = 30;

  16. local http_headers = {

  17.     ["User-Agent"] = "Prosody ("..prosody.version.."; "..prosody.platform..")"

  18. };

  19. 

  20. -- TODO: Figure out a less arbitrary default cache size.

  21. local cacheSize = module:get_option_number("jwt_pubkey_cache_size", 128);

  22. local cache = require"util.cache".new(cacheSize);

  23. 

  24. local Util = {}

  25. Util.__index = Util

  26. 

  27. --- Constructs util class for token verifications.

  28. -- Constructor that uses the passed module to extract all the

  29. -- needed configurations.

  30. -- If confuguration is missing returns nil

  31. -- @param module the module in which options to check for configs.

  32. -- @return the new instance or nil

  33. function Util.new(module)

  34.     local self = setmetatable({}, Util)

  35. 

  36.     self.appId = module:get_option_string("app_id");

  37.     self.appSecret = module:get_option_string("app_secret");

  38.     self.asapKeyServer = module:get_option_string("asap_key_server");

  39.     self.allowEmptyToken = module:get_option_boolean("allow_empty_token");

  40. 

  41.     --[[

  42.         Multidomain can be supported in some deployments. In these deployments

  43.         there is a virtual conference muc, which address contains the subdomain

  44.         to use. Those deployments are accessible

  45.         by URL https://domain/subdomain.

  46.         Then the address of the room will be:

  47.         roomName@conference.subdomain.domain. This is like a virtual address

  48.         where there is only one muc configured by default with address:

  49.         conference.domain and the actual presentation of the room in that muc

  50.         component is [subdomain]roomName@conference.domain.

  51.         These setups relay on configuration 'muc_domain_base' which holds

  52.         the main domain and we use it to substract subdomains from the

  53.         virtual addresses.

  54.         The following confgurations are for multidomain setups and domain name

  55.         verification:

  56.      --]]

  57. 

  58.     -- optional parameter for custom muc component prefix,

  59.     -- defaults to "conference"

  60.     self.muc_domain_prefix = module:get_option_string(

  61.         "muc_mapper_domain_prefix", "conference");

  62.     -- domain base, which is the main domain used in the deployment,

  63.     -- the main VirtualHost for the deployment

  64.     self.muc_domain_base = module:get_option_string("muc_mapper_domain_base");

  65.     -- The "real" MUC domain that we are proxying to

  66.     if self.muc_domain_base then

  67.         self.muc_domain = module:get_option_string(

  68.             "muc_mapper_domain",

  69.             self.muc_domain_prefix.."."..self.muc_domain_base);

  70.     end

  71.     -- whether domain name verification is enabled, by default it is disabled

  72.     self.enableDomainVerification = module:get_option_boolean(

  73.         "enable_domain_verification", false);

  74. 

  75.     if self.allowEmptyToken == true then

  76.         module:log("warn", "WARNING - empty tokens allowed");

  77.     end

  78. 

  79.     if self.appId == nil then

  80.         module:log("error", "'app_id' must not be empty");

  81.         return nil;

  82.     end

  83. 

  84.     if self.appSecret == nil and self.asapKeyServer == nil then

  85.         module:log("error", "'app_secret' or 'asap_key_server' must be specified");

  86.         return nil;

  87.     end

  88. 

  89.     --array of accepted issuers: by default only includes our appId

  90.     self.acceptedIssuers = module:get_option_array('asap_accepted_issuers',{self.appId})

  91. 

  92.     --array of accepted audiences: by default only includes our appId

  93.     self.acceptedAudiences = module:get_option_array('asap_accepted_audiences',{'*'})

  94. 

  95.     if self.asapKeyServer and not have_async then

  96.         module:log("error", "requires a version of Prosody with util.async");

  97.         return nil;

  98.     end

  99. 

  100.     return self

  101. end

  102. 

  103. --- Returns the public key by keyID

  104. -- @param keyId the key ID to request

  105. -- @return the public key (the content of requested resource) or nil

  106. function Util:get_public_key(keyId)

  107.     local content = cache:get(keyId);

  108.     if content == nil then

  109.         -- If the key is not found in the cache.

  110.         module:log("debug", "Cache miss for key: "..keyId);

  111.         local code;

  112.         local wait, done = async.waiter();

  113.         local function cb(content_, code_, response_, request_)

  114.             content, code = content_, code_;

  115.             if code == 200 or code == 204 then

  116.                 cache:set(keyId, content);

  117.             end

  118.             done();

  119.         end

  120.         local keyurl = path.join(self.asapKeyServer, hex.to(sha256(keyId))..'.pem');

  121.         module:log("debug", "Fetching public key from: "..keyurl);

  122. 

  123.         -- We hash the key ID to work around some legacy behavior and make

  124.         -- deployment easier. It also helps prevent directory

  125.         -- traversal attacks (although path cleaning could have done this too).

  126.         local request = http.request(keyurl, {

  127.             headers = http_headers or {},

  128.             method = "GET"

  129.         }, cb);

  130. 

  131.         -- TODO: Is the done() call racey? Can we cancel this if the request

  132.         --       succeedes?

  133.         local function cancel()

  134.             -- TODO: This check is racey. Not likely to be a problem, but we should

  135.             --       still stick a mutex on content / code at some point.

  136.             if code == nil then

  137.                 http.destroy_request(request);

  138.                 done();

  139.             end

  140.         end

  141.         timer.add_task(http_timeout, cancel);

  142.         wait();

  143. 

  144.         if code == 200 or code == 204 then

  145.             return content;

  146.         end

  147.     else

  148.         -- If the key is in the cache, use it.

  149.         module:log("debug", "Cache hit for key: "..keyId);

  150.         return content;

  151.     end

  152. 

  153.     return nil;

  154. end

  155. 

  156. --- Verifies issuer part of token

  157. -- @param 'iss' claim from the token to verify

  158. -- @return nil and error string or true for accepted claim

  159. function Util:verify_issuer(issClaim)

  160.     for i, iss in ipairs(self.acceptedIssuers) do

  161.         if issClaim == iss then

  162.             --claim matches an accepted issuer so return success

  163.             return true;

  164.         end

  165.     end

  166.     --if issClaim not found in acceptedIssuers, fail claim

  167.     return nil, "Invalid issuer ('iss' claim)";

  168. end

  169. 

  170. --- Verifies audience part of token

  171. -- @param 'aud' claim from the token to verify

  172. -- @return nil and error string or true for accepted claim

  173. function Util:verify_audience(audClaim)

  174.     for i, aud in ipairs(self.acceptedAudiences) do

  175.         if aud == '*' then

  176.             --* indicates to accept any audience in the claims so return success

  177.             return true;

  178.         end

  179.         if audClaim == aud then

  180.             --claim matches an accepted audience so return success

  181.             return true;

  182.         end

  183.     end

  184.     --if issClaim not found in acceptedIssuers, fail claim

  185.     return nil, "Invalid audience ('aud' claim)";

  186. end

  187. 

  188. --- Verifies token

  189. -- @param token the token to verify

  190. -- @param secret the secret to use to verify token

  191. -- @return nil and error or the extracted claims from the token

  192. function Util:verify_token(token, secret)

  193.     local claims, err = jwt.decode(token, secret, true);

  194.     if claims == nil then

  195.         return nil, err;

  196.     end

  197. 

  198.     local alg = claims["alg"];

  199.     if alg ~= nil and (alg == "none" or alg == "") then

  200.         return nil, "'alg' claim must not be empty";

  201.     end

  202. 

  203.     local issClaim = claims["iss"];

  204.     if issClaim == nil then

  205.         return nil, "'iss' claim is missing";

  206.     end

  207.     --check the issuer against the accepted list

  208.     local issCheck, issCheckErr = self:verify_issuer(issClaim);

  209.     if issCheck == nil then

  210.         return nil, issCheckErr;

  211.     end

  212. 

  213.     local roomClaim = claims["room"];

  214.     if roomClaim == nil then

  215.         return nil, "'room' claim is missing";

  216.     end

  217. 

  218.     local audClaim = claims["aud"];

  219.     if audClaim == nil then

  220.         return nil, "'aud' claim is missing";

  221.     end

  222.     --check the audience against the accepted list

  223.     local audCheck, audCheckErr = self:verify_audience(audClaim);

  224.     if audCheck == nil then

  225.         return nil, audCheckErr;

  226.     end

  227. 

  228.     return claims;

  229. end

  230. 

  231. --- Verifies token and process needed values to be stored in the session.

  232. -- Token is obtained from session.auth_token.

  233. -- Stores in session the following values:

  234. -- session.jitsi_meet_room - the room name value from the token

  235. -- session.jitsi_meet_domain - the domain name value from the token

  236. -- session.jitsi_meet_context_user - the user details from the token

  237. -- session.jitsi_meet_context_group - the group value from the token

  238. -- @param session the current session

  239. -- @return false and error

  240. function Util:process_and_verify_token(session)

  241. 

  242.     if session.auth_token == nil then

  243.         if self.allowEmptyToken then

  244.             return true;

  245.         else

  246.             return false, "not-allowed", "token required";

  247.         end

  248.     end

  249. 

  250.     local pubKey;

  251.     if self.asapKeyServer and session.auth_token ~= nil then

  252.         local dotFirst = session.auth_token:find("%.");

  253.         if not dotFirst then return nil, "Invalid token" end

  254.         local header = json.decode(basexx.from_url64(session.auth_token:sub(1,dotFirst-1)));

  255.         local kid = header["kid"];

  256.         if kid == nil then

  257.             return false, "not-allowed", "'kid' claim is missing";

  258.         end

  259.         pubKey = self:get_public_key(kid);

  260.         if pubKey == nil then

  261.             return false, "not-allowed", "could not obtain public key";

  262.         end

  263.     end

  264. 

  265.     -- now verify the whole token

  266.     local claims, msg;

  267.     if self.asapKeyServer then

  268.         claims, msg = self:verify_token(session.auth_token, pubKey);

  269.     else

  270.         claims, msg = self:verify_token(session.auth_token, self.appSecret);

  271.     end

  272.     if claims ~= nil then

  273.         -- Binds room name to the session which is later checked on MUC join

  274.         session.jitsi_meet_room = claims["room"];

  275.         -- Binds domain name to the session

  276.         session.jitsi_meet_domain = claims["sub"];

  277. 

  278.         -- Binds the user details to the session if available

  279.         if claims["context"] ~= nil then

  280.           if claims["context"]["user"] ~= nil then

  281.             session.jitsi_meet_context_user = claims["context"]["user"];

  282.           end

  283. 

  284.           if claims["context"]["group"] ~= nil then

  285.             -- Binds any group details to the session

  286.             session.jitsi_meet_context_group = claims["context"]["group"];

  287.           end

  288.         end

  289.         return true;

  290.     else

  291.         return false, "not-allowed", msg;

  292.     end

  293. end

  294. 

  295. --- Verifies room name and domain if necesarry.

  296. -- Checks configs and if necessary checks the room name extracted from

  297. -- room_address against the one saved in the session when token was verified.

  298. -- Also verifies domain name from token against the domain in the room_address,

  299. -- if enableDomainVerification is enabled.

  300. -- @param session the current session

  301. -- @param room_address the whole room address as received

  302. -- @return returns true in case room was verified or there is no need to verify

  303. --         it and returns false in case verification was processed

  304. --         and was not successful

  305. function Util:verify_room(session, room_address)

  306.     if self.allowEmptyToken and session.auth_token == nil then

  307.         module:log(

  308.             "debug",

  309.             "Skipped room token verification - empty tokens are allowed");

  310.         return true;

  311.     end

  312. 

  313.     -- extract room name using all chars, except the not allowed ones

  314.     local room,_,_ = jid.split(room_address);

  315.     if room == nil then

  316.         log("error",

  317.             "Unable to get name of the MUC room ? to: %s", room_address);

  318.         return true;

  319.     end

  320. 

  321.     local auth_room = session.jitsi_meet_room;

  322.     if not self.enableDomainVerification then

  323.         -- if auth_room is missing, this means user is anonymous (no token for

  324.         -- its domain) we let it through, jicofo is verifying creation domain

  325.         if auth_room and room ~= string.lower(auth_room) and auth_room ~= '*' then

  326.             return false;

  327.         end

  328. 

  329.         return true;

  330.     end

  331. 

  332.     local room_address_to_verify = jid.bare(room_address);

  333.     local room_node = jid.node(room_address);

  334.     -- parses bare room address, for multidomain expected format is:

  335.     -- [subdomain]roomName@conference.domain

  336.     local target_subdomain, target_room = room_node:match("^%[([^%]]+)%](.+)$");

  337. 

  338.     -- if we have '*' as room name in token, this means all rooms are allowed

  339.     -- so we will use the actual name of the room when constructing strings

  340.     -- to verify subdomains and domains to simplify checks

  341.     local room_to_check;

  342.     if auth_room == '*' then

  343.         -- authorized for accessing any room assign to room_to_check the actual

  344.         -- room name

  345.         if target_room ~= nil then

  346.             -- we are in multidomain mode and we were able to extract room name

  347.             room_to_check = target_room;

  348.         else

  349.             -- no target_room, room_address_to_verify does not contain subdomain

  350.             -- so we get just the node which is the room name

  351.             room_to_check = room_node;

  352.         end

  353.     else

  354.         room_to_check = auth_room;

  355.     end

  356. 

  357.     local auth_domain = session.jitsi_meet_domain;

  358.     if target_subdomain then

  359.         -- from this point we depend on muc_domain_base,

  360.         -- deny access if option is missing

  361.         if not self.muc_domain_base then

  362.             module:log("warn", "No 'muc_domain_base' option set, denying access!");

  363.             return false;

  364.         end

  365. 

  366.         return room_address_to_verify == jid.join(

  367.             "["..auth_domain.."]"..string.lower(room_to_check), self.muc_domain);

  368.     else

  369.         -- we do not have a domain part (multidomain is not enabled)

  370.         -- verify with info from the token

  371.         return room_address_to_verify == jid.join(

  372.             string.lower(room_to_check), self.muc_domain_prefix.."."..auth_domain);

  373.     end

  374. end

  375. 

  376. return Util;