jfinn
/
jitsi_app_c0
Beobachten 1
Favorisieren 0
Fork 0
Code Issues 0 Pull-Requests 0 Releases 0 Wiki Aktivität
Du kannst nicht mehr als 25 Themen auswählen Themen müssen mit entweder einem Buchstaben oder einer Ziffer beginnen. Sie können Bindestriche („-“) enthalten und bis zu 35 Zeichen lang sein.
7523 Commits
2 Branches
Struktur: 5e35b69fc9
Branches Tags
${ item.name }
Erstelle Branch ${ searchTerm }
von „5e35b69fc9“
${ noResults }
jitsi_app_c0/resources/prosody-plugins/token/util.lib.lua

util.lib.lua 16KB
Verlauf Originalformat

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432 
  1. -- Token authentication

  2. -- Copyright (C) 2015 Atlassian

  3. 

  4. local basexx = require "basexx";

  5. local have_async, async = pcall(require, "util.async");

  6. local hex = require "util.hex";

  7. local jwt = require "luajwtjitsi";

  8. local http = require "net.http";

  9. local jid = require "util.jid";

  10. local json_safe = require "cjson.safe";

  11. local path = require "util.paths";

  12. local sha256 = require "util.hashes".sha256;

  13. local timer = require "util.timer";

  14. 

  15. local http_timeout = 30;

  16. local http_headers = {

  17.     ["User-Agent"] = "Prosody ("..prosody.version.."; "..prosody.platform..")"

  18. };

  19. 

  20. -- TODO: Figure out a less arbitrary default cache size.

  21. local cacheSize = module:get_option_number("jwt_pubkey_cache_size", 128);

  22. local cache = require"util.cache".new(cacheSize);

  23. 

  24. local Util = {}

  25. Util.__index = Util

  26. 

  27. --- Constructs util class for token verifications.

  28. -- Constructor that uses the passed module to extract all the

  29. -- needed configurations.

  30. -- If confuguration is missing returns nil

  31. -- @param module the module in which options to check for configs.

  32. -- @return the new instance or nil

  33. function Util.new(module)

  34.     local self = setmetatable({}, Util)

  35. 

  36.     self.appId = module:get_option_string("app_id");

  37.     self.appSecret = module:get_option_string("app_secret");

  38.     self.asapKeyServer = module:get_option_string("asap_key_server");

  39.     self.allowEmptyToken = module:get_option_boolean("allow_empty_token");

  40. 

  41.     --[[

  42.         Multidomain can be supported in some deployments. In these deployments

  43.         there is a virtual conference muc, which address contains the subdomain

  44.         to use. Those deployments are accessible

  45.         by URL https://domain/subdomain.

  46.         Then the address of the room will be:

  47.         roomName@conference.subdomain.domain. This is like a virtual address

  48.         where there is only one muc configured by default with address:

  49.         conference.domain and the actual presentation of the room in that muc

  50.         component is [subdomain]roomName@conference.domain.

  51.         These setups relay on configuration 'muc_domain_base' which holds

  52.         the main domain and we use it to substract subdomains from the

  53.         virtual addresses.

  54.         The following confgurations are for multidomain setups and domain name

  55.         verification:

  56.      --]]

  57. 

  58.     -- optional parameter for custom muc component prefix,

  59.     -- defaults to "conference"

  60.     self.muc_domain_prefix = module:get_option_string(

  61.         "muc_mapper_domain_prefix", "conference");

  62.     -- domain base, which is the main domain used in the deployment,

  63.     -- the main VirtualHost for the deployment

  64.     self.muc_domain_base = module:get_option_string("muc_mapper_domain_base");

  65.     -- The "real" MUC domain that we are proxying to

  66.     if self.muc_domain_base then

  67.         self.muc_domain = module:get_option_string(

  68.             "muc_mapper_domain",

  69.             self.muc_domain_prefix.."."..self.muc_domain_base);

  70.     end

  71.     -- whether domain name verification is enabled, by default it is disabled

  72.     self.enableDomainVerification = module:get_option_boolean(

  73.         "enable_domain_verification", false);

  74. 

  75.     if self.allowEmptyToken == true then

  76.         module:log("warn", "WARNING - empty tokens allowed");

  77.     end

  78. 

  79.     if self.appId == nil then

  80.         module:log("error", "'app_id' must not be empty");

  81.         return nil;

  82.     end

  83. 

  84.     if self.appSecret == nil and self.asapKeyServer == nil then

  85.         module:log("error", "'app_secret' or 'asap_key_server' must be specified");

  86.         return nil;

  87.     end

  88. 

  89.     --array of accepted issuers: by default only includes our appId

  90.     self.acceptedIssuers = module:get_option_array('asap_accepted_issuers',{self.appId})

  91. 

  92.     --array of accepted audiences: by default only includes our appId

  93.     self.acceptedAudiences = module:get_option_array('asap_accepted_audiences',{'*'})

  94. 

  95.     self.requireRoomClaim = module:get_option_boolean('asap_require_room_claim', true);

  96. 

  97.     if self.asapKeyServer and not have_async then

  98.         module:log("error", "requires a version of Prosody with util.async");

  99.         return nil;

  100.     end

  101. 

  102.     return self

  103. end

  104. 

  105. function Util:set_asap_key_server(asapKeyServer)

  106.     self.asapKeyServer = asapKeyServer;

  107. end

  108. 

  109. function Util:set_asap_accepted_issuers(acceptedIssuers)

  110.     self.acceptedIssuers = acceptedIssuers;

  111. end

  112. 

  113. function Util:set_asap_accepted_audiences(acceptedAudiences)

  114.     self.acceptedAudiences = acceptedAudiences;

  115. end

  116. 

  117. function Util:set_asap_require_room_claim(checkRoom)

  118.     self.requireRoomClaim = checkRoom;

  119. end

  120. 

  121. --- Returns the public key by keyID

  122. -- @param keyId the key ID to request

  123. -- @return the public key (the content of requested resource) or nil

  124. function Util:get_public_key(keyId)

  125.     local content = cache:get(keyId);

  126.     if content == nil then

  127.         -- If the key is not found in the cache.

  128.         module:log("debug", "Cache miss for key: "..keyId);

  129.         local code;

  130.         local timeout_occurred;

  131.         local wait, done = async.waiter();

  132.         local function cb(content_, code_, response_, request_)

  133.             if timeout_occurred == nil then

  134.                 content, code = content_, code_;

  135.                 if code == 200 or code == 204 then

  136.                     cache:set(keyId, content);

  137.                 end

  138.                 done();

  139.             else

  140.                 module:log("warn", "public key reply delivered after timeout from: %s",keyurl);

  141.             end

  142.         end

  143.         -- TODO: Is the done() call racey? Can we cancel this if the request

  144.         --       succeedes?

  145.         local function cancel()

  146.             -- TODO: This check is racey. Not likely to be a problem, but we should

  147.             --       still stick a mutex on content / code at some point.

  148.             if code == nil then

  149.                 timeout_occurred = true;

  150.                 module:log("warn", "Timeout %s seconds fetching public key from: %s",http_timeout,keyurl);

  151.                 if http.destroy_request then

  152.                     http.destroy_request(request);

  153.                 end

  154.                 done();

  155.             end

  156.         end

  157. 

  158.         local keyurl = path.join(self.asapKeyServer, hex.to(sha256(keyId))..'.pem');

  159.         module:log("debug", "Fetching public key from: "..keyurl);

  160. 

  161.         -- We hash the key ID to work around some legacy behavior and make

  162.         -- deployment easier. It also helps prevent directory

  163.         -- traversal attacks (although path cleaning could have done this too).

  164.         local request = http.request(keyurl, {

  165.             headers = http_headers or {},

  166.             method = "GET"

  167.         }, cb);

  168. 

  169.         timer.add_task(http_timeout, cancel);

  170.         wait();

  171. 

  172.         if code == 200 or code == 204 then

  173.             return content;

  174.         end

  175.     else

  176.         -- If the key is in the cache, use it.

  177.         module:log("debug", "Cache hit for key: "..keyId);

  178.         return content;

  179.     end

  180. 

  181.     return nil;

  182. end

  183. 

  184. --- Verifies issuer part of token

  185. -- @param 'iss' claim from the token to verify

  186. -- @return nil and error string or true for accepted claim

  187. function Util:verify_issuer(issClaim)

  188.     module:log("debug","verify_issuer claim: %s against accepted: %s",issClaim, self.acceptedIssuers);

  189.     for i, iss in ipairs(self.acceptedIssuers) do

  190.         if issClaim == iss then

  191.             --claim matches an accepted issuer so return success

  192.             return true;

  193.         end

  194.     end

  195.     --if issClaim not found in acceptedIssuers, fail claim

  196.     return nil, "Invalid issuer ('iss' claim)";

  197. end

  198. 

  199. --- Verifies audience part of token

  200. -- @param 'aud' claim from the token to verify

  201. -- @return nil and error string or true for accepted claim

  202. function Util:verify_audience(audClaim)

  203.     module:log("debug","verify_audience claim: %s against accepted: %s",audClaim, self.acceptedAudiences);

  204.     for i, aud in ipairs(self.acceptedAudiences) do

  205.         if aud == '*' then

  206.             --* indicates to accept any audience in the claims so return success

  207.             return true;

  208.         end

  209.         if audClaim == aud then

  210.             --claim matches an accepted audience so return success

  211.             return true;

  212.         end

  213.     end

  214.     --if issClaim not found in acceptedIssuers, fail claim

  215.     return nil, "Invalid audience ('aud' claim)";

  216. end

  217. 

  218. --- Verifies token

  219. -- @param token the token to verify

  220. -- @param secret the secret to use to verify token

  221. -- @return nil and error or the extracted claims from the token

  222. function Util:verify_token(token, secret)

  223.     local claims, err = jwt.decode(token, secret, true);

  224.     if claims == nil then

  225.         return nil, err;

  226.     end

  227. 

  228.     local alg = claims["alg"];

  229.     if alg ~= nil and (alg == "none" or alg == "") then

  230.         return nil, "'alg' claim must not be empty";

  231.     end

  232. 

  233.     local issClaim = claims["iss"];

  234.     if issClaim == nil then

  235.         return nil, "'iss' claim is missing";

  236.     end

  237.     --check the issuer against the accepted list

  238.     local issCheck, issCheckErr = self:verify_issuer(issClaim);

  239.     if issCheck == nil then

  240.         return nil, issCheckErr;

  241.     end

  242. 

  243.     if self.requireRoomClaim then

  244.         local roomClaim = claims["room"];

  245.         if roomClaim == nil then

  246.             return nil, "'room' claim is missing";

  247.         end

  248.     end

  249. 

  250.     local audClaim = claims["aud"];

  251.     if audClaim == nil then

  252.         return nil, "'aud' claim is missing";

  253.     end

  254.     --check the audience against the accepted list

  255.     local audCheck, audCheckErr = self:verify_audience(audClaim);

  256.     if audCheck == nil then

  257.         return nil, audCheckErr;

  258.     end

  259. 

  260.     return claims;

  261. end

  262. 

  263. --- Verifies token and process needed values to be stored in the session.

  264. -- Token is obtained from session.auth_token.

  265. -- Stores in session the following values:

  266. -- session.jitsi_meet_room - the room name value from the token

  267. -- session.jitsi_meet_domain - the domain name value from the token

  268. -- session.jitsi_meet_context_user - the user details from the token

  269. -- session.jitsi_meet_context_group - the group value from the token

  270. -- session.jitsi_meet_context_features - the features value from the token

  271. -- @param session the current session

  272. -- @return false and error

  273. function Util:process_and_verify_token(session)

  274.     if session.auth_token == nil then

  275.         if self.allowEmptyToken then

  276.             return true;

  277.         else

  278.             return false, "not-allowed", "token required";

  279.         end

  280.     end

  281. 

  282.     local pubKey;

  283.     if self.asapKeyServer and session.auth_token ~= nil then

  284.         local dotFirst = session.auth_token:find("%.");

  285.         if not dotFirst then return nil, "Invalid token" end

  286.         local header, err = json_safe.decode(basexx.from_url64(session.auth_token:sub(1,dotFirst-1)));

  287.         if err then

  288.             return false, "not-allowed", "bad token format";

  289.         end

  290.         local kid = header["kid"];

  291.         if kid == nil then

  292.             return false, "not-allowed", "'kid' claim is missing";

  293.         end

  294.         pubKey = self:get_public_key(kid);

  295.         if pubKey == nil then

  296.             return false, "not-allowed", "could not obtain public key";

  297.         end

  298.     end

  299. 

  300.     -- now verify the whole token

  301.     local claims, msg;

  302.     if self.asapKeyServer then

  303.         claims, msg = self:verify_token(session.auth_token, pubKey);

  304.     else

  305.         claims, msg = self:verify_token(session.auth_token, self.appSecret);

  306.     end

  307.     if claims ~= nil then

  308.         -- Binds room name to the session which is later checked on MUC join

  309.         session.jitsi_meet_room = claims["room"];

  310.         -- Binds domain name to the session

  311.         session.jitsi_meet_domain = claims["sub"];

  312. 

  313.         -- Binds the user details to the session if available

  314.         if claims["context"] ~= nil then

  315.           if claims["context"]["user"] ~= nil then

  316.             session.jitsi_meet_context_user = claims["context"]["user"];

  317.           end

  318. 

  319.           if claims["context"]["group"] ~= nil then

  320.             -- Binds any group details to the session

  321.             session.jitsi_meet_context_group = claims["context"]["group"];

  322.           end

  323. 

  324.           if claims["context"]["features"] ~= nil then

  325.             -- Binds any features details to the session

  326.             session.jitsi_meet_context_features = claims["context"]["features"];

  327.           end

  328.         end

  329.         return true;

  330.     else

  331.         return false, "not-allowed", msg;

  332.     end

  333. end

  334. 

  335. --- Verifies room name and domain if necesarry.

  336. -- Checks configs and if necessary checks the room name extracted from

  337. -- room_address against the one saved in the session when token was verified.

  338. -- Also verifies domain name from token against the domain in the room_address,

  339. -- if enableDomainVerification is enabled.

  340. -- @param session the current session

  341. -- @param room_address the whole room address as received

  342. -- @return returns true in case room was verified or there is no need to verify

  343. --         it and returns false in case verification was processed

  344. --         and was not successful

  345. function Util:verify_room(session, room_address)

  346.     if self.allowEmptyToken and session.auth_token == nil then

  347.         module:log(

  348.             "debug",

  349.             "Skipped room token verification - empty tokens are allowed");

  350.         return true;

  351.     end

  352. 

  353.     -- extract room name using all chars, except the not allowed ones

  354.     local room,_,_ = jid.split(room_address);

  355.     if room == nil then

  356.         log("error",

  357.             "Unable to get name of the MUC room ? to: %s", room_address);

  358.         return true;

  359.     end

  360. 

  361.     local auth_room = session.jitsi_meet_room;

  362.     if not self.enableDomainVerification then

  363.         -- if auth_room is missing, this means user is anonymous (no token for

  364.         -- its domain) we let it through, jicofo is verifying creation domain

  365.         if auth_room and room ~= string.lower(auth_room) and auth_room ~= '*' then

  366.             return false;

  367.         end

  368. 

  369.         return true;

  370.     end

  371. 

  372.     local room_address_to_verify = jid.bare(room_address);

  373.     local room_node = jid.node(room_address);

  374.     -- parses bare room address, for multidomain expected format is:

  375.     -- [subdomain]roomName@conference.domain

  376.     local target_subdomain, target_room = room_node:match("^%[([^%]]+)%](.+)$");

  377. 

  378.     -- if we have '*' as room name in token, this means all rooms are allowed

  379.     -- so we will use the actual name of the room when constructing strings

  380.     -- to verify subdomains and domains to simplify checks

  381.     local room_to_check;

  382.     if auth_room == '*' then

  383.         -- authorized for accessing any room assign to room_to_check the actual

  384.         -- room name

  385.         if target_room ~= nil then

  386.             -- we are in multidomain mode and we were able to extract room name

  387.             room_to_check = target_room;

  388.         else

  389.             -- no target_room, room_address_to_verify does not contain subdomain

  390.             -- so we get just the node which is the room name

  391.             room_to_check = room_node;

  392.         end

  393.     else

  394.         -- no wildcard, so check room against authorized room in token

  395.         room_to_check = auth_room;

  396.     end

  397. 

  398.     local auth_domain = session.jitsi_meet_domain;

  399.     local subdomain_to_check;

  400.     if target_subdomain then

  401.         if auth_domain == '*' then

  402.             -- check for wildcard in JWT claim, allow access if found

  403.             subdomain_to_check = target_subdomain;

  404.         else

  405.             -- no wildcard in JWT claim, so check subdomain against sub in token

  406.             subdomain_to_check = auth_domain;

  407.         end

  408.         -- from this point we depend on muc_domain_base,

  409.         -- deny access if option is missing

  410.         if not self.muc_domain_base then

  411.             module:log("warn", "No 'muc_domain_base' option set, denying access!");

  412.             return false;

  413.         end

  414. 

  415.         return room_address_to_verify == jid.join(

  416.             "["..string.lower(subdomain_to_check).."]"..string.lower(room_to_check), self.muc_domain);

  417.     else

  418.         if auth_domain == '*' then

  419.             -- check for wildcard in JWT claim, allow access if found

  420.             subdomain_to_check = self.muc_domain;

  421.         else

  422.             -- no wildcard in JWT claim, so check subdomain against sub in token

  423.             subdomain_to_check = self.muc_domain_prefix.."."..auth_domain;

  424.         end

  425.         -- we do not have a domain part (multidomain is not enabled)

  426.         -- verify with info from the token

  427.         return room_address_to_verify == jid.join(

  428.             string.lower(room_to_check), string.lower(subdomain_to_check));

  429.     end

  430. end

  431. 

  432. return Util;