jfinn
/
jitsi_corner8
Watch 1
Star 0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
7322 Commits
3 Branches
Tree: 1b8e5d0244
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '1b8e5d0244'
${ noResults }
jitsi_corner8/resources/prosody-plugins/token/util.lib.lua

util.lib.lua 15KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404 
  1. -- Token authentication

  2. -- Copyright (C) 2015 Atlassian

  3. 

  4. local basexx = require "basexx";

  5. local have_async, async = pcall(require, "util.async");

  6. local hex = require "util.hex";

  7. local jwt = require "luajwtjitsi";

  8. local http = require "net.http";

  9. local jid = require "util.jid";

  10. local json_safe = require "cjson.safe";

  11. local path = require "util.paths";

  12. local sha256 = require "util.hashes".sha256;

  13. local timer = require "util.timer";

  14. 

  15. local http_timeout = 30;

  16. local http_headers = {

  17.     ["User-Agent"] = "Prosody ("..prosody.version.."; "..prosody.platform..")"

  18. };

  19. 

  20. -- TODO: Figure out a less arbitrary default cache size.

  21. local cacheSize = module:get_option_number("jwt_pubkey_cache_size", 128);

  22. local cache = require"util.cache".new(cacheSize);

  23. 

  24. local Util = {}

  25. Util.__index = Util

  26. 

  27. --- Constructs util class for token verifications.

  28. -- Constructor that uses the passed module to extract all the

  29. -- needed configurations.

  30. -- If confuguration is missing returns nil

  31. -- @param module the module in which options to check for configs.

  32. -- @return the new instance or nil

  33. function Util.new(module)

  34.     local self = setmetatable({}, Util)

  35. 

  36.     self.appId = module:get_option_string("app_id");

  37.     self.appSecret = module:get_option_string("app_secret");

  38.     self.asapKeyServer = module:get_option_string("asap_key_server");

  39.     self.allowEmptyToken = module:get_option_boolean("allow_empty_token");

  40. 

  41.     --[[

  42.         Multidomain can be supported in some deployments. In these deployments

  43.         there is a virtual conference muc, which address contains the subdomain

  44.         to use. Those deployments are accessible

  45.         by URL https://domain/subdomain.

  46.         Then the address of the room will be:

  47.         roomName@conference.subdomain.domain. This is like a virtual address

  48.         where there is only one muc configured by default with address:

  49.         conference.domain and the actual presentation of the room in that muc

  50.         component is [subdomain]roomName@conference.domain.

  51.         These setups relay on configuration 'muc_domain_base' which holds

  52.         the main domain and we use it to substract subdomains from the

  53.         virtual addresses.

  54.         The following confgurations are for multidomain setups and domain name

  55.         verification:

  56.      --]]

  57. 

  58.     -- optional parameter for custom muc component prefix,

  59.     -- defaults to "conference"

  60.     self.muc_domain_prefix = module:get_option_string(

  61.         "muc_mapper_domain_prefix", "conference");

  62.     -- domain base, which is the main domain used in the deployment,

  63.     -- the main VirtualHost for the deployment

  64.     self.muc_domain_base = module:get_option_string("muc_mapper_domain_base");

  65.     -- The "real" MUC domain that we are proxying to

  66.     if self.muc_domain_base then

  67.         self.muc_domain = module:get_option_string(

  68.             "muc_mapper_domain",

  69.             self.muc_domain_prefix.."."..self.muc_domain_base);

  70.     end

  71.     -- whether domain name verification is enabled, by default it is disabled

  72.     self.enableDomainVerification = module:get_option_boolean(

  73.         "enable_domain_verification", false);

  74. 

  75.     if self.allowEmptyToken == true then

  76.         module:log("warn", "WARNING - empty tokens allowed");

  77.     end

  78. 

  79.     if self.appId == nil then

  80.         module:log("error", "'app_id' must not be empty");

  81.         return nil;

  82.     end

  83. 

  84.     if self.appSecret == nil and self.asapKeyServer == nil then

  85.         module:log("error", "'app_secret' or 'asap_key_server' must be specified");

  86.         return nil;

  87.     end

  88. 

  89.     --array of accepted issuers: by default only includes our appId

  90.     self.acceptedIssuers = module:get_option_array('asap_accepted_issuers',{self.appId})

  91. 

  92.     --array of accepted audiences: by default only includes our appId

  93.     self.acceptedAudiences = module:get_option_array('asap_accepted_audiences',{'*'})

  94. 

  95.     if self.asapKeyServer and not have_async then

  96.         module:log("error", "requires a version of Prosody with util.async");

  97.         return nil;

  98.     end

  99. 

  100.     return self

  101. end

  102. 

  103. function Util:set_asap_key_server(asapKeyServer)

  104.     self.asapKeyServer = asapKeyServer

  105. end

  106. 

  107. --- Returns the public key by keyID

  108. -- @param keyId the key ID to request

  109. -- @return the public key (the content of requested resource) or nil

  110. function Util:get_public_key(keyId)

  111.     local content = cache:get(keyId);

  112.     if content == nil then

  113.         -- If the key is not found in the cache.

  114.         module:log("debug", "Cache miss for key: "..keyId);

  115.         local code;

  116.         local wait, done = async.waiter();

  117.         local function cb(content_, code_, response_, request_)

  118.             content, code = content_, code_;

  119.             if code == 200 or code == 204 then

  120.                 cache:set(keyId, content);

  121.             end

  122.             done();

  123.         end

  124.         local keyurl = path.join(self.asapKeyServer, hex.to(sha256(keyId))..'.pem');

  125.         module:log("debug", "Fetching public key from: "..keyurl);

  126. 

  127.         -- We hash the key ID to work around some legacy behavior and make

  128.         -- deployment easier. It also helps prevent directory

  129.         -- traversal attacks (although path cleaning could have done this too).

  130.         local request = http.request(keyurl, {

  131.             headers = http_headers or {},

  132.             method = "GET"

  133.         }, cb);

  134. 

  135.         -- TODO: Is the done() call racey? Can we cancel this if the request

  136.         --       succeedes?

  137.         local function cancel()

  138.             -- TODO: This check is racey. Not likely to be a problem, but we should

  139.             --       still stick a mutex on content / code at some point.

  140.             if code == nil then

  141.                 http.destroy_request(request);

  142.                 done();

  143.             end

  144.         end

  145.         timer.add_task(http_timeout, cancel);

  146.         wait();

  147. 

  148.         if code == 200 or code == 204 then

  149.             return content;

  150.         end

  151.     else

  152.         -- If the key is in the cache, use it.

  153.         module:log("debug", "Cache hit for key: "..keyId);

  154.         return content;

  155.     end

  156. 

  157.     return nil;

  158. end

  159. 

  160. --- Verifies issuer part of token

  161. -- @param 'iss' claim from the token to verify

  162. -- @return nil and error string or true for accepted claim

  163. function Util:verify_issuer(issClaim)

  164.     for i, iss in ipairs(self.acceptedIssuers) do

  165.         if issClaim == iss then

  166.             --claim matches an accepted issuer so return success

  167.             return true;

  168.         end

  169.     end

  170.     --if issClaim not found in acceptedIssuers, fail claim

  171.     return nil, "Invalid issuer ('iss' claim)";

  172. end

  173. 

  174. --- Verifies audience part of token

  175. -- @param 'aud' claim from the token to verify

  176. -- @return nil and error string or true for accepted claim

  177. function Util:verify_audience(audClaim)

  178.     for i, aud in ipairs(self.acceptedAudiences) do

  179.         if aud == '*' then

  180.             --* indicates to accept any audience in the claims so return success

  181.             return true;

  182.         end

  183.         if audClaim == aud then

  184.             --claim matches an accepted audience so return success

  185.             return true;

  186.         end

  187.     end

  188.     --if issClaim not found in acceptedIssuers, fail claim

  189.     return nil, "Invalid audience ('aud' claim)";

  190. end

  191. 

  192. --- Verifies token

  193. -- @param token the token to verify

  194. -- @param secret the secret to use to verify token

  195. -- @return nil and error or the extracted claims from the token

  196. function Util:verify_token(token, secret)

  197.     local claims, err = jwt.decode(token, secret, true);

  198.     if claims == nil then

  199.         return nil, err;

  200.     end

  201. 

  202.     local alg = claims["alg"];

  203.     if alg ~= nil and (alg == "none" or alg == "") then

  204.         return nil, "'alg' claim must not be empty";

  205.     end

  206. 

  207.     local issClaim = claims["iss"];

  208.     if issClaim == nil then

  209.         return nil, "'iss' claim is missing";

  210.     end

  211.     --check the issuer against the accepted list

  212.     local issCheck, issCheckErr = self:verify_issuer(issClaim);

  213.     if issCheck == nil then

  214.         return nil, issCheckErr;

  215.     end

  216. 

  217.     local roomClaim = claims["room"];

  218.     if roomClaim == nil then

  219.         return nil, "'room' claim is missing";

  220.     end

  221. 

  222.     local audClaim = claims["aud"];

  223.     if audClaim == nil then

  224.         return nil, "'aud' claim is missing";

  225.     end

  226.     --check the audience against the accepted list

  227.     local audCheck, audCheckErr = self:verify_audience(audClaim);

  228.     if audCheck == nil then

  229.         return nil, audCheckErr;

  230.     end

  231. 

  232.     return claims;

  233. end

  234. 

  235. --- Verifies token and process needed values to be stored in the session.

  236. -- Token is obtained from session.auth_token.

  237. -- Stores in session the following values:

  238. -- session.jitsi_meet_room - the room name value from the token

  239. -- session.jitsi_meet_domain - the domain name value from the token

  240. -- session.jitsi_meet_context_user - the user details from the token

  241. -- session.jitsi_meet_context_group - the group value from the token

  242. -- session.jitsi_meet_context_features - the features value from the token

  243. -- @param session the current session

  244. -- @return false and error

  245. function Util:process_and_verify_token(session)

  246.     if session.auth_token == nil then

  247.         if self.allowEmptyToken then

  248.             return true;

  249.         else

  250.             return false, "not-allowed", "token required";

  251.         end

  252.     end

  253. 

  254.     local pubKey;

  255.     if self.asapKeyServer and session.auth_token ~= nil then

  256.         local dotFirst = session.auth_token:find("%.");

  257.         if not dotFirst then return nil, "Invalid token" end

  258.         local header, err = json_safe.decode(basexx.from_url64(session.auth_token:sub(1,dotFirst-1)));

  259.         if err then

  260.             return false, "not-allowed", "bad token format";

  261.         end

  262.         local kid = header["kid"];

  263.         if kid == nil then

  264.             return false, "not-allowed", "'kid' claim is missing";

  265.         end

  266.         pubKey = self:get_public_key(kid);

  267.         if pubKey == nil then

  268.             return false, "not-allowed", "could not obtain public key";

  269.         end

  270.     end

  271. 

  272.     -- now verify the whole token

  273.     local claims, msg;

  274.     if self.asapKeyServer then

  275.         claims, msg = self:verify_token(session.auth_token, pubKey);

  276.     else

  277.         claims, msg = self:verify_token(session.auth_token, self.appSecret);

  278.     end

  279.     if claims ~= nil then

  280.         -- Binds room name to the session which is later checked on MUC join

  281.         session.jitsi_meet_room = claims["room"];

  282.         -- Binds domain name to the session

  283.         session.jitsi_meet_domain = claims["sub"];

  284. 

  285.         -- Binds the user details to the session if available

  286.         if claims["context"] ~= nil then

  287.           if claims["context"]["user"] ~= nil then

  288.             session.jitsi_meet_context_user = claims["context"]["user"];

  289.           end

  290. 

  291.           if claims["context"]["group"] ~= nil then

  292.             -- Binds any group details to the session

  293.             session.jitsi_meet_context_group = claims["context"]["group"];

  294.           end

  295. 

  296.           if claims["context"]["features"] ~= nil then

  297.             -- Binds any features details to the session

  298.             session.jitsi_meet_context_features = claims["context"]["features"];

  299.           end

  300.         end

  301.         return true;

  302.     else

  303.         return false, "not-allowed", msg;

  304.     end

  305. end

  306. 

  307. --- Verifies room name and domain if necesarry.

  308. -- Checks configs and if necessary checks the room name extracted from

  309. -- room_address against the one saved in the session when token was verified.

  310. -- Also verifies domain name from token against the domain in the room_address,

  311. -- if enableDomainVerification is enabled.

  312. -- @param session the current session

  313. -- @param room_address the whole room address as received

  314. -- @return returns true in case room was verified or there is no need to verify

  315. --         it and returns false in case verification was processed

  316. --         and was not successful

  317. function Util:verify_room(session, room_address)

  318.     if self.allowEmptyToken and session.auth_token == nil then

  319.         module:log(

  320.             "debug",

  321.             "Skipped room token verification - empty tokens are allowed");

  322.         return true;

  323.     end

  324. 

  325.     -- extract room name using all chars, except the not allowed ones

  326.     local room,_,_ = jid.split(room_address);

  327.     if room == nil then

  328.         log("error",

  329.             "Unable to get name of the MUC room ? to: %s", room_address);

  330.         return true;

  331.     end

  332. 

  333.     local auth_room = session.jitsi_meet_room;

  334.     if not self.enableDomainVerification then

  335.         -- if auth_room is missing, this means user is anonymous (no token for

  336.         -- its domain) we let it through, jicofo is verifying creation domain

  337.         if auth_room and room ~= string.lower(auth_room) and auth_room ~= '*' then

  338.             return false;

  339.         end

  340. 

  341.         return true;

  342.     end

  343. 

  344.     local room_address_to_verify = jid.bare(room_address);

  345.     local room_node = jid.node(room_address);

  346.     -- parses bare room address, for multidomain expected format is:

  347.     -- [subdomain]roomName@conference.domain

  348.     local target_subdomain, target_room = room_node:match("^%[([^%]]+)%](.+)$");

  349. 

  350.     -- if we have '*' as room name in token, this means all rooms are allowed

  351.     -- so we will use the actual name of the room when constructing strings

  352.     -- to verify subdomains and domains to simplify checks

  353.     local room_to_check;

  354.     if auth_room == '*' then

  355.         -- authorized for accessing any room assign to room_to_check the actual

  356.         -- room name

  357.         if target_room ~= nil then

  358.             -- we are in multidomain mode and we were able to extract room name

  359.             room_to_check = target_room;

  360.         else

  361.             -- no target_room, room_address_to_verify does not contain subdomain

  362.             -- so we get just the node which is the room name

  363.             room_to_check = room_node;

  364.         end

  365.     else

  366.         -- no wildcard, so check room against authorized room in token

  367.         room_to_check = auth_room;

  368.     end

  369. 

  370.     local auth_domain = session.jitsi_meet_domain;

  371.     local subdomain_to_check;

  372.     if target_subdomain then

  373.         if auth_domain == '*' then

  374.             -- check for wildcard in JWT claim, allow access if found

  375.             subdomain_to_check = target_subdomain;

  376.         else

  377.             -- no wildcard in JWT claim, so check subdomain against sub in token

  378.             subdomain_to_check = auth_domain;

  379.         end

  380.         -- from this point we depend on muc_domain_base,

  381.         -- deny access if option is missing

  382.         if not self.muc_domain_base then

  383.             module:log("warn", "No 'muc_domain_base' option set, denying access!");

  384.             return false;

  385.         end

  386. 

  387.         return room_address_to_verify == jid.join(

  388.             "["..string.lower(subdomain_to_check).."]"..string.lower(room_to_check), self.muc_domain);

  389.     else

  390.         if auth_domain == '*' then

  391.             -- check for wildcard in JWT claim, allow access if found

  392.             subdomain_to_check = self.muc_domain;

  393.         else

  394.             -- no wildcard in JWT claim, so check subdomain against sub in token

  395.             subdomain_to_check = self.muc_domain_prefix.."."..auth_domain;

  396.         end

  397.         -- we do not have a domain part (multidomain is not enabled)

  398.         -- verify with info from the token

  399.         return room_address_to_verify == jid.join(

  400.             string.lower(room_to_check), string.lower(subdomain_to_check));

  401.     end

  402. end

  403. 

  404. return Util;