jfinn
/
jitsi_app_c0
Suivre 1
Ajouter aux favoris 0
Bifurcation 0
Code Tickets 0 Demandes d'ajout 0 Versions 0 Wiki Activité
Vous ne pouvez pas sélectionner plus de 25 sujets Les noms de sujets doivent commencer par une lettre ou un nombre, peuvent contenir des tirets ('-') et peuvent comporter jusqu'à 35 caractères.
7917 Révisions
2 Branches
Aborescence: 9742e90bb5
Branches Tags
${ item.name }
Créer la branche ${ searchTerm }
de '9742e90bb5'
${ noResults }
jitsi_app_c0/resources/prosody-plugins/token/util.lib.lua

util.lib.lua 15KB
Historique Brut

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409 
  1. -- Token authentication

  2. -- Copyright (C) 2015 Atlassian

  3. 

  4. local basexx = require "basexx";

  5. local have_async, async = pcall(require, "util.async");

  6. local hex = require "util.hex";

  7. local jwt = require "luajwtjitsi";

  8. local jid = require "util.jid";

  9. local json_safe = require "cjson.safe";

  10. local path = require "util.paths";

  11. local sha256 = require "util.hashes".sha256;

  12. local http_get_with_retry = module:require "util".http_get_with_retry;

  13. 

  14. local nr_retries = 3;

  15. 

  16. -- TODO: Figure out a less arbitrary default cache size.

  17. local cacheSize = module:get_option_number("jwt_pubkey_cache_size", 128);

  18. 

  19. local Util = {}

  20. Util.__index = Util

  21. 

  22. --- Constructs util class for token verifications.

  23. -- Constructor that uses the passed module to extract all the

  24. -- needed configurations.

  25. -- If confuguration is missing returns nil

  26. -- @param module the module in which options to check for configs.

  27. -- @return the new instance or nil

  28. function Util.new(module)

  29.     local self = setmetatable({}, Util)

  30. 

  31.     self.appId = module:get_option_string("app_id");

  32.     self.appSecret = module:get_option_string("app_secret");

  33.     self.asapKeyServer = module:get_option_string("asap_key_server");

  34.     self.allowEmptyToken = module:get_option_boolean("allow_empty_token");

  35. 

  36.     self.cache = require"util.cache".new(cacheSize);

  37. 

  38.     --[[

  39.         Multidomain can be supported in some deployments. In these deployments

  40.         there is a virtual conference muc, which address contains the subdomain

  41.         to use. Those deployments are accessible

  42.         by URL https://domain/subdomain.

  43.         Then the address of the room will be:

  44.         roomName@conference.subdomain.domain. This is like a virtual address

  45.         where there is only one muc configured by default with address:

  46.         conference.domain and the actual presentation of the room in that muc

  47.         component is [subdomain]roomName@conference.domain.

  48.         These setups relay on configuration 'muc_domain_base' which holds

  49.         the main domain and we use it to substract subdomains from the

  50.         virtual addresses.

  51.         The following confgurations are for multidomain setups and domain name

  52.         verification:

  53.      --]]

  54. 

  55.     -- optional parameter for custom muc component prefix,

  56.     -- defaults to "conference"

  57.     self.muc_domain_prefix = module:get_option_string(

  58.         "muc_mapper_domain_prefix", "conference");

  59.     -- domain base, which is the main domain used in the deployment,

  60.     -- the main VirtualHost for the deployment

  61.     self.muc_domain_base = module:get_option_string("muc_mapper_domain_base");

  62.     -- The "real" MUC domain that we are proxying to

  63.     if self.muc_domain_base then

  64.         self.muc_domain = module:get_option_string(

  65.             "muc_mapper_domain",

  66.             self.muc_domain_prefix.."."..self.muc_domain_base);

  67.     end

  68.     -- whether domain name verification is enabled, by default it is disabled

  69.     self.enableDomainVerification = module:get_option_boolean(

  70.         "enable_domain_verification", false);

  71. 

  72.     if self.allowEmptyToken == true then

  73.         module:log("warn", "WARNING - empty tokens allowed");

  74.     end

  75. 

  76.     if self.appId == nil then

  77.         module:log("error", "'app_id' must not be empty");

  78.         return nil;

  79.     end

  80. 

  81.     if self.appSecret == nil and self.asapKeyServer == nil then

  82.         module:log("error", "'app_secret' or 'asap_key_server' must be specified");

  83.         return nil;

  84.     end

  85. 

  86.     --array of accepted issuers: by default only includes our appId

  87.     self.acceptedIssuers = module:get_option_array('asap_accepted_issuers',{self.appId})

  88. 

  89.     --array of accepted audiences: by default only includes our appId

  90.     self.acceptedAudiences = module:get_option_array('asap_accepted_audiences',{'*'})

  91. 

  92.     self.requireRoomClaim = module:get_option_boolean('asap_require_room_claim', true);

  93. 

  94.     if self.asapKeyServer and not have_async then

  95.         module:log("error", "requires a version of Prosody with util.async");

  96.         return nil;

  97.     end

  98. 

  99.     return self

  100. end

  101. 

  102. function Util:set_asap_key_server(asapKeyServer)

  103.     self.asapKeyServer = asapKeyServer;

  104. end

  105. 

  106. function Util:set_asap_accepted_issuers(acceptedIssuers)

  107.     self.acceptedIssuers = acceptedIssuers;

  108. end

  109. 

  110. function Util:set_asap_accepted_audiences(acceptedAudiences)

  111.     self.acceptedAudiences = acceptedAudiences;

  112. end

  113. 

  114. function Util:set_asap_require_room_claim(checkRoom)

  115.     self.requireRoomClaim = checkRoom;

  116. end

  117. 

  118. function Util:clear_asap_cache()

  119.     self.cache = require"util.cache".new(cacheSize);

  120. end

  121. 

  122. --- Returns the public key by keyID

  123. -- @param keyId the key ID to request

  124. -- @return the public key (the content of requested resource) or nil

  125. function Util:get_public_key(keyId)

  126.     local content = self.cache:get(keyId);

  127.     if content == nil then

  128.         -- If the key is not found in the cache.

  129.         module:log("debug", "Cache miss for key: "..keyId);

  130.         local keyurl = path.join(self.asapKeyServer, hex.to(sha256(keyId))..'.pem');

  131.         module:log("debug", "Fetching public key from: "..keyurl);

  132.         content = http_get_with_retry(keyurl, nr_retries);

  133.         if content ~= nil then

  134.             self.cache:set(keyId, content);

  135.         end

  136.         return content;

  137.     else

  138.         -- If the key is in the cache, use it.

  139.         module:log("debug", "Cache hit for key: "..keyId);

  140.         return content;

  141.     end

  142. end

  143. 

  144. --- Verifies issuer part of token

  145. -- @param 'issClaim' claim from the token to verify

  146. -- @param 'acceptedIssuers' list of issuers to check

  147. -- @return nil and error string or true for accepted claim

  148. function Util:verify_issuer(issClaim, acceptedIssuers)

  149.     if not acceptedIssuers then

  150.         acceptedIssuers = self.acceptedIssuers

  151.     end

  152.     module:log("debug", "verify_issuer claim: %s against accepted: %s", issClaim, acceptedIssuers);

  153.     for i, iss in ipairs(acceptedIssuers) do

  154.         if iss == '*' then

  155.             -- "*" indicates to accept any issuer in the claims so return success

  156.             return true;

  157.         end

  158.         if issClaim == iss then

  159.             -- claim matches an accepted issuer so return success

  160.             return true;

  161.         end

  162.     end

  163.     -- if issClaim not found in acceptedIssuers, fail claim

  164.     return nil, "Invalid issuer ('iss' claim)";

  165. end

  166. 

  167. --- Verifies audience part of token

  168. -- @param 'audClaim' claim from the token to verify

  169. -- @return nil and error string or true for accepted claim

  170. function Util:verify_audience(audClaim)

  171.     module:log("debug", "verify_audience claim: %s against accepted: %s", audClaim, self.acceptedAudiences);

  172.     for i, aud in ipairs(self.acceptedAudiences) do

  173.         if aud == '*' then

  174.             -- "*" indicates to accept any audience in the claims so return success

  175.             return true;

  176.         end

  177.         if audClaim == aud then

  178.             -- claim matches an accepted audience so return success

  179.             return true;

  180.         end

  181.     end

  182.     -- if audClaim not found in acceptedAudiences, fail claim

  183.     return nil, "Invalid audience ('aud' claim)";

  184. end

  185. 

  186. --- Verifies token

  187. -- @param token the token to verify

  188. -- @param secret the secret to use to verify token

  189. -- @param acceptedIssuers the list of accepted issuers to check

  190. -- @return nil and error or the extracted claims from the token

  191. function Util:verify_token(token, secret, acceptedIssuers)

  192.     local claims, err = jwt.decode(token, secret, true);

  193.     if claims == nil then

  194.         return nil, err;

  195.     end

  196. 

  197.     local alg = claims["alg"];

  198.     if alg ~= nil and (alg == "none" or alg == "") then

  199.         return nil, "'alg' claim must not be empty";

  200.     end

  201. 

  202.     local issClaim = claims["iss"];

  203.     if issClaim == nil then

  204.         return nil, "'iss' claim is missing";

  205.     end

  206.     --check the issuer against the accepted list

  207.     local issCheck, issCheckErr = self:verify_issuer(issClaim, acceptedIssuers);

  208.     if issCheck == nil then

  209.         return nil, issCheckErr;

  210.     end

  211. 

  212.     if self.requireRoomClaim then

  213.         local roomClaim = claims["room"];

  214.         if roomClaim == nil then

  215.             return nil, "'room' claim is missing";

  216.         end

  217.     end

  218. 

  219.     local audClaim = claims["aud"];

  220.     if audClaim == nil then

  221.         return nil, "'aud' claim is missing";

  222.     end

  223.     --check the audience against the accepted list

  224.     local audCheck, audCheckErr = self:verify_audience(audClaim);

  225.     if audCheck == nil then

  226.         return nil, audCheckErr;

  227.     end

  228. 

  229.     return claims;

  230. end

  231. 

  232. --- Verifies token and process needed values to be stored in the session.

  233. -- Token is obtained from session.auth_token.

  234. -- Stores in session the following values:

  235. -- session.jitsi_meet_room - the room name value from the token

  236. -- session.jitsi_meet_domain - the domain name value from the token

  237. -- session.jitsi_meet_context_user - the user details from the token

  238. -- session.jitsi_meet_context_group - the group value from the token

  239. -- session.jitsi_meet_context_features - the features value from the token

  240. -- @param session the current session

  241. -- @param acceptedIssuers optional list of accepted issuers to check

  242. -- @return false and error

  243. function Util:process_and_verify_token(session, acceptedIssuers)

  244.     if not acceptedIssuers then

  245.         acceptedIssuers = self.acceptedIssuers;

  246.     end

  247. 

  248.     if session.auth_token == nil then

  249.         if self.allowEmptyToken then

  250.             return true;

  251.         else

  252.             return false, "not-allowed", "token required";

  253.         end

  254.     end

  255. 

  256.     local pubKey;

  257.     if session.public_key then

  258.         module:log("debug","Public key was found on the session");

  259.         pubKey = session.public_key;

  260.     elseif self.asapKeyServer and session.auth_token ~= nil then

  261.         local dotFirst = session.auth_token:find("%.");

  262.         if not dotFirst then return nil, "Invalid token" end

  263.         local header, err = json_safe.decode(basexx.from_url64(session.auth_token:sub(1,dotFirst-1)));

  264.         if err then

  265.             return false, "not-allowed", "bad token format";

  266.         end

  267.         local kid = header["kid"];

  268.         if kid == nil then

  269.             return false, "not-allowed", "'kid' claim is missing";

  270.         end

  271.         pubKey = self:get_public_key(kid);

  272.         if pubKey == nil then

  273.             return false, "not-allowed", "could not obtain public key";

  274.         end

  275.     end

  276. 

  277.     -- now verify the whole token

  278.     local claims, msg;

  279.     if self.asapKeyServer then

  280.         claims, msg = self:verify_token(session.auth_token, pubKey, acceptedIssuers);

  281.     else

  282.         claims, msg = self:verify_token(session.auth_token, self.appSecret, acceptedIssuers);

  283.     end

  284.     if claims ~= nil then

  285.         -- Binds room name to the session which is later checked on MUC join

  286.         session.jitsi_meet_room = claims["room"];

  287.         -- Binds domain name to the session

  288.         session.jitsi_meet_domain = claims["sub"];

  289. 

  290.         -- Binds the user details to the session if available

  291.         if claims["context"] ~= nil then

  292.           if claims["context"]["user"] ~= nil then

  293.             session.jitsi_meet_context_user = claims["context"]["user"];

  294.           end

  295. 

  296.           if claims["context"]["group"] ~= nil then

  297.             -- Binds any group details to the session

  298.             session.jitsi_meet_context_group = claims["context"]["group"];

  299.           end

  300. 

  301.           if claims["context"]["features"] ~= nil then

  302.             -- Binds any features details to the session

  303.             session.jitsi_meet_context_features = claims["context"]["features"];

  304.           end

  305.         end

  306.         return true;

  307.     else

  308.         return false, "not-allowed", msg;

  309.     end

  310. end

  311. 

  312. --- Verifies room name and domain if necesarry.

  313. -- Checks configs and if necessary checks the room name extracted from

  314. -- room_address against the one saved in the session when token was verified.

  315. -- Also verifies domain name from token against the domain in the room_address,

  316. -- if enableDomainVerification is enabled.

  317. -- @param session the current session

  318. -- @param room_address the whole room address as received

  319. -- @return returns true in case room was verified or there is no need to verify

  320. --         it and returns false in case verification was processed

  321. --         and was not successful

  322. function Util:verify_room(session, room_address)

  323.     if self.allowEmptyToken and session.auth_token == nil then

  324.         module:log(

  325.             "debug",

  326.             "Skipped room token verification - empty tokens are allowed");

  327.         return true;

  328.     end

  329. 

  330.     -- extract room name using all chars, except the not allowed ones

  331.     local room,_,_ = jid.split(room_address);

  332.     if room == nil then

  333.         log("error",

  334.             "Unable to get name of the MUC room ? to: %s", room_address);

  335.         return true;

  336.     end

  337. 

  338.     local auth_room = session.jitsi_meet_room;

  339.     if not self.enableDomainVerification then

  340.         -- if auth_room is missing, this means user is anonymous (no token for

  341.         -- its domain) we let it through, jicofo is verifying creation domain

  342.         if auth_room and room ~= string.lower(auth_room) and auth_room ~= '*' then

  343.             return false;

  344.         end

  345. 

  346.         return true;

  347.     end

  348. 

  349.     local room_address_to_verify = jid.bare(room_address);

  350.     local room_node = jid.node(room_address);

  351.     -- parses bare room address, for multidomain expected format is:

  352.     -- [subdomain]roomName@conference.domain

  353.     local target_subdomain, target_room = room_node:match("^%[([^%]]+)%](.+)$");

  354. 

  355.     -- if we have '*' as room name in token, this means all rooms are allowed

  356.     -- so we will use the actual name of the room when constructing strings

  357.     -- to verify subdomains and domains to simplify checks

  358.     local room_to_check;

  359.     if auth_room == '*' then

  360.         -- authorized for accessing any room assign to room_to_check the actual

  361.         -- room name

  362.         if target_room ~= nil then

  363.             -- we are in multidomain mode and we were able to extract room name

  364.             room_to_check = target_room;

  365.         else

  366.             -- no target_room, room_address_to_verify does not contain subdomain

  367.             -- so we get just the node which is the room name

  368.             room_to_check = room_node;

  369.         end

  370.     else

  371.         -- no wildcard, so check room against authorized room in token

  372.         room_to_check = auth_room;

  373.     end

  374. 

  375.     local auth_domain = session.jitsi_meet_domain;

  376.     local subdomain_to_check;

  377.     if target_subdomain then

  378.         if auth_domain == '*' then

  379.             -- check for wildcard in JWT claim, allow access if found

  380.             subdomain_to_check = target_subdomain;

  381.         else

  382.             -- no wildcard in JWT claim, so check subdomain against sub in token

  383.             subdomain_to_check = auth_domain;

  384.         end

  385.         -- from this point we depend on muc_domain_base,

  386.         -- deny access if option is missing

  387.         if not self.muc_domain_base then

  388.             module:log("warn", "No 'muc_domain_base' option set, denying access!");

  389.             return false;

  390.         end

  391. 

  392.         return room_address_to_verify == jid.join(

  393.             "["..string.lower(subdomain_to_check).."]"..string.lower(room_to_check), self.muc_domain);

  394.     else

  395.         if auth_domain == '*' then

  396.             -- check for wildcard in JWT claim, allow access if found

  397.             subdomain_to_check = self.muc_domain;

  398.         else

  399.             -- no wildcard in JWT claim, so check subdomain against sub in token

  400.             subdomain_to_check = self.muc_domain_prefix.."."..auth_domain;

  401.         end

  402.         -- we do not have a domain part (multidomain is not enabled)

  403.         -- verify with info from the token

  404.         return room_address_to_verify == jid.join(

  405.             string.lower(room_to_check), string.lower(subdomain_to_check));

  406.     end

  407. end

  408. 

  409. return Util;