jfinn
/
jitsi_corner8
Слідкувати 1
В обрані 0
Форк 0
Код Проблеми 0 Запити на злиття 0 Релізи 0 Вікі Активність
Ви не можете вибрати більше 25 тем Теми мають розпочинатися з літери або цифри, можуть містити дефіси (-) і не повинні перевищувати 35 символів.
5825 Коміти
3 Гілки
Дерево: 3ad99e24cf
Гілки Теги
${ item.name }
Створити гілку ${ searchTerm }
з '3ad99e24cf'
${ noResults }
jitsi_corner8/resources/prosody-plugins/token/util.lib.lua

util.lib.lua 15KB
Історія Неформатований

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398 
  1. -- Token authentication

  2. -- Copyright (C) 2015 Atlassian

  3. 

  4. local basexx = require "basexx";

  5. local have_async, async = pcall(require, "util.async");

  6. local hex = require "util.hex";

  7. local jwt = require "luajwtjitsi";

  8. local http = require "net.http";

  9. local jid = require "util.jid";

  10. local json = require "cjson";

  11. local path = require "util.paths";

  12. local sha256 = require "util.hashes".sha256;

  13. local timer = require "util.timer";

  14. 

  15. local http_timeout = 30;

  16. local http_headers = {

  17.     ["User-Agent"] = "Prosody ("..prosody.version.."; "..prosody.platform..")"

  18. };

  19. 

  20. -- TODO: Figure out a less arbitrary default cache size.

  21. local cacheSize = module:get_option_number("jwt_pubkey_cache_size", 128);

  22. local cache = require"util.cache".new(cacheSize);

  23. 

  24. local Util = {}

  25. Util.__index = Util

  26. 

  27. --- Constructs util class for token verifications.

  28. -- Constructor that uses the passed module to extract all the

  29. -- needed configurations.

  30. -- If confuguration is missing returns nil

  31. -- @param module the module in which options to check for configs.

  32. -- @return the new instance or nil

  33. function Util.new(module)

  34.     local self = setmetatable({}, Util)

  35. 

  36.     self.appId = module:get_option_string("app_id");

  37.     self.appSecret = module:get_option_string("app_secret");

  38.     self.asapKeyServer = module:get_option_string("asap_key_server");

  39.     self.allowEmptyToken = module:get_option_boolean("allow_empty_token");

  40. 

  41.     --[[

  42.         Multidomain can be supported in some deployments. In these deployments

  43.         there is a virtual conference muc, which address contains the subdomain

  44.         to use. Those deployments are accessible

  45.         by URL https://domain/subdomain.

  46.         Then the address of the room will be:

  47.         roomName@conference.subdomain.domain. This is like a virtual address

  48.         where there is only one muc configured by default with address:

  49.         conference.domain and the actual presentation of the room in that muc

  50.         component is [subdomain]roomName@conference.domain.

  51.         These setups relay on configuration 'muc_domain_base' which holds

  52.         the main domain and we use it to substract subdomains from the

  53.         virtual addresses.

  54.         The following confgurations are for multidomain setups and domain name

  55.         verification:

  56.      --]]

  57. 

  58.     -- optional parameter for custom muc component prefix,

  59.     -- defaults to "conference"

  60.     self.muc_domain_prefix = module:get_option_string(

  61.         "muc_mapper_domain_prefix", "conference");

  62.     -- domain base, which is the main domain used in the deployment,

  63.     -- the main VirtualHost for the deployment

  64.     self.muc_domain_base = module:get_option_string("muc_mapper_domain_base");

  65.     -- The "real" MUC domain that we are proxying to

  66.     if self.muc_domain_base then

  67.         self.muc_domain = module:get_option_string(

  68.             "muc_mapper_domain",

  69.             self.muc_domain_prefix.."."..self.muc_domain_base);

  70.     end

  71.     -- whether domain name verification is enabled, by default it is disabled

  72.     self.enableDomainVerification = module:get_option_boolean(

  73.         "enable_domain_verification", false);

  74. 

  75.     if self.allowEmptyToken == true then

  76.         module:log("warn", "WARNING - empty tokens allowed");

  77.     end

  78. 

  79.     if self.appId == nil then

  80.         module:log("error", "'app_id' must not be empty");

  81.         return nil;

  82.     end

  83. 

  84.     if self.appSecret == nil and self.asapKeyServer == nil then

  85.         module:log("error", "'app_secret' or 'asap_key_server' must be specified");

  86.         return nil;

  87.     end

  88. 

  89.     --array of accepted issuers: by default only includes our appId

  90.     self.acceptedIssuers = module:get_option_array('asap_accepted_issuers',{self.appId})

  91. 

  92.     --array of accepted audiences: by default only includes our appId

  93.     self.acceptedAudiences = module:get_option_array('asap_accepted_audiences',{'*'})

  94. 

  95.     if self.asapKeyServer and not have_async then

  96.         module:log("error", "requires a version of Prosody with util.async");

  97.         return nil;

  98.     end

  99. 

  100.     return self

  101. end

  102. 

  103. --- Returns the public key by keyID

  104. -- @param keyId the key ID to request

  105. -- @return the public key (the content of requested resource) or nil

  106. function Util:get_public_key(keyId)

  107.     local content = cache:get(keyId);

  108.     if content == nil then

  109.         -- If the key is not found in the cache.

  110.         module:log("debug", "Cache miss for key: "..keyId);

  111.         local code;

  112.         local wait, done = async.waiter();

  113.         local function cb(content_, code_, response_, request_)

  114.             content, code = content_, code_;

  115.             if code == 200 or code == 204 then

  116.                 cache:set(keyId, content);

  117.             end

  118.             done();

  119.         end

  120.         local keyurl = path.join(self.asapKeyServer, hex.to(sha256(keyId))..'.pem');

  121.         module:log("debug", "Fetching public key from: "..keyurl);

  122. 

  123.         -- We hash the key ID to work around some legacy behavior and make

  124.         -- deployment easier. It also helps prevent directory

  125.         -- traversal attacks (although path cleaning could have done this too).

  126.         local request = http.request(keyurl, {

  127.             headers = http_headers or {},

  128.             method = "GET"

  129.         }, cb);

  130. 

  131.         -- TODO: Is the done() call racey? Can we cancel this if the request

  132.         --       succeedes?

  133.         local function cancel()

  134.             -- TODO: This check is racey. Not likely to be a problem, but we should

  135.             --       still stick a mutex on content / code at some point.

  136.             if code == nil then

  137.                 http.destroy_request(request);

  138.                 done();

  139.             end

  140.         end

  141.         timer.add_task(http_timeout, cancel);

  142.         wait();

  143. 

  144.         if code == 200 or code == 204 then

  145.             return content;

  146.         end

  147.     else

  148.         -- If the key is in the cache, use it.

  149.         module:log("debug", "Cache hit for key: "..keyId);

  150.         return content;

  151.     end

  152. 

  153.     return nil;

  154. end

  155. 

  156. --- Verifies issuer part of token

  157. -- @param 'iss' claim from the token to verify

  158. -- @return nil and error string or true for accepted claim

  159. function Util:verify_issuer(issClaim)

  160.     for i, iss in ipairs(self.acceptedIssuers) do

  161.         if issClaim == iss then

  162.             --claim matches an accepted issuer so return success

  163.             return true;

  164.         end

  165.     end

  166.     --if issClaim not found in acceptedIssuers, fail claim

  167.     return nil, "Invalid issuer ('iss' claim)";

  168. end

  169. 

  170. --- Verifies audience part of token

  171. -- @param 'aud' claim from the token to verify

  172. -- @return nil and error string or true for accepted claim

  173. function Util:verify_audience(audClaim)

  174.     for i, aud in ipairs(self.acceptedAudiences) do

  175.         if aud == '*' then

  176.             --* indicates to accept any audience in the claims so return success

  177.             return true;

  178.         end

  179.         if audClaim == aud then

  180.             --claim matches an accepted audience so return success

  181.             return true;

  182.         end

  183.     end

  184.     --if issClaim not found in acceptedIssuers, fail claim

  185.     return nil, "Invalid audience ('aud' claim)";

  186. end

  187. 

  188. --- Verifies token

  189. -- @param token the token to verify

  190. -- @param secret the secret to use to verify token

  191. -- @return nil and error or the extracted claims from the token

  192. function Util:verify_token(token, secret)

  193.     local claims, err = jwt.decode(token, secret, true);

  194.     if claims == nil then

  195.         return nil, err;

  196.     end

  197. 

  198.     local alg = claims["alg"];

  199.     if alg ~= nil and (alg == "none" or alg == "") then

  200.         return nil, "'alg' claim must not be empty";

  201.     end

  202. 

  203.     local issClaim = claims["iss"];

  204.     if issClaim == nil then

  205.         return nil, "'iss' claim is missing";

  206.     end

  207.     --check the issuer against the accepted list

  208.     local issCheck, issCheckErr = self:verify_issuer(issClaim);

  209.     if issCheck == nil then

  210.         return nil, issCheckErr;

  211.     end

  212. 

  213.     local roomClaim = claims["room"];

  214.     if roomClaim == nil then

  215.         return nil, "'room' claim is missing";

  216.     end

  217. 

  218.     local audClaim = claims["aud"];

  219.     if audClaim == nil then

  220.         return nil, "'aud' claim is missing";

  221.     end

  222.     --check the audience against the accepted list

  223.     local audCheck, audCheckErr = self:verify_audience(audClaim);

  224.     if audCheck == nil then

  225.         return nil, audCheckErr;

  226.     end

  227. 

  228.     return claims;

  229. end

  230. 

  231. --- Verifies token and process needed values to be stored in the session.

  232. -- Token is obtained from session.auth_token.

  233. -- Stores in session the following values:

  234. -- session.jitsi_meet_room - the room name value from the token

  235. -- session.jitsi_meet_domain - the domain name value from the token

  236. -- session.jitsi_meet_context_user - the user details from the token

  237. -- session.jitsi_meet_context_group - the group value from the token

  238. -- session.jitsi_meet_context_features - the features value from the token

  239. -- @param session the current session

  240. -- @return false and error

  241. function Util:process_and_verify_token(session)

  242. 

  243.     if session.auth_token == nil then

  244.         if self.allowEmptyToken then

  245.             return true;

  246.         else

  247.             return false, "not-allowed", "token required";

  248.         end

  249.     end

  250. 

  251.     local pubKey;

  252.     if self.asapKeyServer and session.auth_token ~= nil then

  253.         local dotFirst = session.auth_token:find("%.");

  254.         if not dotFirst then return nil, "Invalid token" end

  255.         local header = json.decode(basexx.from_url64(session.auth_token:sub(1,dotFirst-1)));

  256.         local kid = header["kid"];

  257.         if kid == nil then

  258.             return false, "not-allowed", "'kid' claim is missing";

  259.         end

  260.         pubKey = self:get_public_key(kid);

  261.         if pubKey == nil then

  262.             return false, "not-allowed", "could not obtain public key";

  263.         end

  264.     end

  265. 

  266.     -- now verify the whole token

  267.     local claims, msg;

  268.     if self.asapKeyServer then

  269.         claims, msg = self:verify_token(session.auth_token, pubKey);

  270.     else

  271.         claims, msg = self:verify_token(session.auth_token, self.appSecret);

  272.     end

  273.     if claims ~= nil then

  274.         -- Binds room name to the session which is later checked on MUC join

  275.         session.jitsi_meet_room = claims["room"];

  276.         -- Binds domain name to the session

  277.         session.jitsi_meet_domain = claims["sub"];

  278. 

  279.         -- Binds the user details to the session if available

  280.         if claims["context"] ~= nil then

  281.           if claims["context"]["user"] ~= nil then

  282.             session.jitsi_meet_context_user = claims["context"]["user"];

  283.           end

  284. 

  285.           if claims["context"]["group"] ~= nil then

  286.             -- Binds any group details to the session

  287.             session.jitsi_meet_context_group = claims["context"]["group"];

  288.           end

  289. 

  290.           if claims["context"]["features"] ~= nil then

  291.             -- Binds any features details to the session

  292.             session.jitsi_meet_context_features = claims["context"]["features"];

  293.           end

  294.         end

  295.         return true;

  296.     else

  297.         return false, "not-allowed", msg;

  298.     end

  299. end

  300. 

  301. --- Verifies room name and domain if necesarry.

  302. -- Checks configs and if necessary checks the room name extracted from

  303. -- room_address against the one saved in the session when token was verified.

  304. -- Also verifies domain name from token against the domain in the room_address,

  305. -- if enableDomainVerification is enabled.

  306. -- @param session the current session

  307. -- @param room_address the whole room address as received

  308. -- @return returns true in case room was verified or there is no need to verify

  309. --         it and returns false in case verification was processed

  310. --         and was not successful

  311. function Util:verify_room(session, room_address)

  312.     if self.allowEmptyToken and session.auth_token == nil then

  313.         module:log(

  314.             "debug",

  315.             "Skipped room token verification - empty tokens are allowed");

  316.         return true;

  317.     end

  318. 

  319.     -- extract room name using all chars, except the not allowed ones

  320.     local room,_,_ = jid.split(room_address);

  321.     if room == nil then

  322.         log("error",

  323.             "Unable to get name of the MUC room ? to: %s", room_address);

  324.         return true;

  325.     end

  326. 

  327.     local auth_room = session.jitsi_meet_room;

  328.     if not self.enableDomainVerification then

  329.         -- if auth_room is missing, this means user is anonymous (no token for

  330.         -- its domain) we let it through, jicofo is verifying creation domain

  331.         if auth_room and room ~= string.lower(auth_room) and auth_room ~= '*' then

  332.             return false;

  333.         end

  334. 

  335.         return true;

  336.     end

  337. 

  338.     local room_address_to_verify = jid.bare(room_address);

  339.     local room_node = jid.node(room_address);

  340.     -- parses bare room address, for multidomain expected format is:

  341.     -- [subdomain]roomName@conference.domain

  342.     local target_subdomain, target_room = room_node:match("^%[([^%]]+)%](.+)$");

  343. 

  344.     -- if we have '*' as room name in token, this means all rooms are allowed

  345.     -- so we will use the actual name of the room when constructing strings

  346.     -- to verify subdomains and domains to simplify checks

  347.     local room_to_check;

  348.     if auth_room == '*' then

  349.         -- authorized for accessing any room assign to room_to_check the actual

  350.         -- room name

  351.         if target_room ~= nil then

  352.             -- we are in multidomain mode and we were able to extract room name

  353.             room_to_check = target_room;

  354.         else

  355.             -- no target_room, room_address_to_verify does not contain subdomain

  356.             -- so we get just the node which is the room name

  357.             room_to_check = room_node;

  358.         end

  359.     else

  360.         -- no wildcard, so check room against authorized room in token

  361.         room_to_check = auth_room;

  362.     end

  363. 

  364.     local auth_domain = session.jitsi_meet_domain;

  365.     local subdomain_to_check;

  366.     if target_subdomain then

  367.         if auth_domain == '*' then

  368.             -- check for wildcard in JWT claim, allow access if found

  369.             subdomain_to_check = target_subdomain;

  370.         else

  371.             -- no wildcard in JWT claim, so check subdomain against sub in token

  372.             subdomain_to_check = auth_domain;

  373.         end

  374.         -- from this point we depend on muc_domain_base,

  375.         -- deny access if option is missing

  376.         if not self.muc_domain_base then

  377.             module:log("warn", "No 'muc_domain_base' option set, denying access!");

  378.             return false;

  379.         end

  380. 

  381.         return room_address_to_verify == jid.join(

  382.             "["..subdomain_to_check.."]"..string.lower(room_to_check), self.muc_domain);

  383.     else

  384.         if auth_domain == '*' then

  385.             -- check for wildcard in JWT claim, allow access if found

  386.             subdomain_to_check = self.muc_domain;

  387.         else

  388.             -- no wildcard in JWT claim, so check subdomain against sub in token

  389.             subdomain_to_check = self.muc_domain_prefix.."."..auth_domain;

  390.         end

  391.         -- we do not have a domain part (multidomain is not enabled)

  392.         -- verify with info from the token

  393.         return room_address_to_verify == jid.join(

  394.             string.lower(room_to_check), subdomain_to_check);

  395.     end

  396. end

  397. 

  398. return Util;