jfinn
/
jitsi_corner8
보기 1
좋아요 0
포크 0
코드 이슈 0 풀 리퀘스트 0 릴리즈 0 위키 Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
2167 커밋
3 브랜치
트리: 7f2fa9597c
브랜치 태그
${ item.name }
Create branch ${ searchTerm }
from '7f2fa9597c'
${ noResults }
jitsi_corner8/prosody-plugins/mod_auth_token.lua

mod_auth_token.lua 4.6KB
히스토리 Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175 
  1. -- Token authentication

  2. -- Copyright (C) 2015 Atlassian

  3. 

  4. local basexx = require 'basexx'

  5. local have_async, async = pcall(require, "util.async");

  6. local formdecode = require "util.http".formdecode;

  7. local generate_uuid = require "util.uuid".generate;

  8. local http = require "net.http";

  9. local json = require 'cjson'

  10. json.encode_empty_table('array')

  11. local new_sasl = require "util.sasl".new;

  12. local path = require "util.paths";

  13. local sasl = require "util.sasl";

  14. local timer = require "util.timer";

  15. local token_util = module:require "token/util";

  16. 

  17. -- define auth provider

  18. local provider = {};

  19. 

  20. local host = module.host;

  21. 

  22. local appId = module:get_option_string("app_id");

  23. local appSecret = module:get_option_string("app_secret");

  24. local asapKeyServer = module:get_option_string("asap_key_server");

  25. local allowEmptyToken = module:get_option_boolean("allow_empty_token");

  26. local disableRoomNameConstraints = module:get_option_boolean("disable_room_name_constraints");

  27. 

  28. if allowEmptyToken == true then

  29. 	module:log("warn", "WARNING - empty tokens allowed");

  30. end

  31. 

  32. if appId == nil then

  33. 	module:log("error", "'app_id' must not be empty");

  34. 	return;

  35. end

  36. 

  37. if appSecret == nil and asapKeyServer == nil then

  38. 	module:log("error", "'app_secret' or 'asap_key_server' must be specified");

  39. 	return;

  40. end

  41. 

  42. if asapKeyServer and not have_async then

  43. 	module:log("error", "requires a version of Prosody with util.async");

  44. 	return;

  45. end

  46. 

  47. -- Extract 'token' param from BOSH URL when session is created

  48. module:hook("bosh-session", function(event)

  49. 	local session, request = event.session, event.request;

  50. 	local query = request.url.query;

  51. 	if query ~= nil then

  52. 		session.auth_token = query and formdecode(query).token or nil;

  53. 	end

  54. end)

  55. 

  56. function provider.test_password(username, password)

  57. 	return nil, "Password based auth not supported";

  58. end

  59. 

  60. function provider.get_password(username)

  61. 	return nil;

  62. end

  63. 

  64. function provider.set_password(username, password)

  65. 	return nil, "Set password not supported";

  66. end

  67. 

  68. function provider.user_exists(username)

  69. 	return nil;

  70. end

  71. 

  72. function provider.create_user(username, password)

  73. 	return nil;

  74. end

  75. 

  76. function provider.delete_user(username)

  77. 	return nil;

  78. end

  79. 

  80. local http_timeout = 30;

  81. local http_headers = {

  82. 	["User-Agent"] = "Prosody ("..prosody.version.."; "..prosody.platform..")"

  83. };

  84. 

  85. -- TODO: This *needs* to be memoized before going to prod.

  86. function get_public_key(keyId)

  87. 	local wait, done = async.waiter();

  88. 	local content, code; --, request, response;

  89. 	local function cb(content_, code_, response_, request_)

  90. 		content, code = content_, code_;

  91. 		done();

  92. 	end

  93. 	local request = http.request(path.join(asapKeyServer, keyId), {

  94. 		headers = http_headers or {},

  95. 		method = "GET"

  96. 	}, cb);

  97. 	-- TODO: Is the done() call racey?

  98. 	timer.add_task(http_timeout, function() http.destroy_request(request); done(); end);

  99. 	wait();

  100. 

  101. 	if code == 200 or code == 204 then

  102. 		return content;

  103. 	end

  104. 

  105. 	return nil

  106. end

  107. 

  108. function provider.get_sasl_handler(session)

  109. 	-- JWT token extracted from BOSH URL

  110. 	local token = session.auth_token;

  111. 

  112. 	local function get_username_from_token(self, message)

  113. 

  114. 		if token == nil then

  115. 			if allowEmptyToken then

  116. 				return true

  117. 			else

  118. 				return false, "not-allowed", "token required";

  119. 			end

  120. 		end

  121. 

  122. 		local pubKey;

  123. 		if asapKeyServer and session.auth_token ~= nil then

  124. 			local dotFirst = session.auth_token:find("%.")

  125. 			if not dotFirst then return nil, "Invalid token" end

  126. 			local header = json.decode(basexx.from_url64(session.auth_token:sub(1,dotFirst-1)))

  127. 			local kid = header["kid"]

  128. 			if kid == nil then

  129. 				return false, "not-allowed", "'kid' claim is missing";

  130. 			end

  131. 			pubKey = get_public_key(kid);

  132. 			if pubKey == nil then

  133. 				return false, "not-allowed", "could not obtain public key";

  134. 			end

  135. 		end

  136. 

  137. 		-- now verify the whole token

  138. 		local result, msg;

  139. 		if asapKeyServer then

  140. 			result, msg = token_util.verify_token(token, appId, pubKey, disableRoomNameConstraints);

  141. 		else

  142. 			result, msg = token_util.verify_token(token, appId, appSecret, disableRoomNameConstraints);

  143. 		end

  144. 		if result == true then

  145. 			-- Binds room name to the session which is later checked on MUC join

  146. 			session.jitsi_meet_room = room;

  147. 			return true

  148. 		else

  149. 			return false, "not-allowed", msg

  150. 		end

  151. 	end

  152. 

  153. 	return new_sasl(host, { anonymous = get_username_from_token });

  154. end

  155. 

  156. module:provides("auth", provider);

  157. 

  158. local function anonymous(self, message)

  159. 

  160. 	local username = generate_uuid();

  161. 

  162. 	-- This calls the handler created in 'provider.get_sasl_handler(session)'

  163. 	local result, err, msg = self.profile.anonymous(self, username, self.realm);

  164. 

  165. 	self.username = username;

  166. 

  167. 	if result == true then

  168. 		return "success"

  169. 	else

  170. 

  171. 		return "failure", err, msg

  172. 	end

  173. end

  174. 

  175. sasl.registerMechanism("ANONYMOUS", {"anonymous"}, anonymous);