jfinn
/
jitsi_corner9
Observar 1
Favorito 0
Fork 0
Código Issues 0 Pull requests 0 Versões 0 Wiki Atividade
Você não pode selecionar mais de 25 tópicos Os tópicos devem começar com uma letra ou um número, podem incluir traços ('-') e podem ter até 35 caracteres.
2233 Commits
4 Branches
Tag: bb56ea4b33
Branches Tags
${ item.name }
Criar branch ${ searchTerm }
de bb56ea4b33
${ noResults }
jitsi_corner9/prosody-plugins/mod_auth_token.lua

mod_auth_token.lua 5.2KB
Histórico Original

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195 
  1. -- Token authentication

  2. -- Copyright (C) 2015 Atlassian

  3. 

  4. local basexx = require "basexx";

  5. local have_async, async = pcall(require, "util.async");

  6. local formdecode = require "util.http".formdecode;

  7. local generate_uuid = require "util.uuid".generate;

  8. local http = require "net.http";

  9. local json = require "cjson";

  10. local new_sasl = require "util.sasl".new;

  11. local sasl = require "util.sasl";

  12. local timer = require "util.timer";

  13. local token_util = module:require "token/util";

  14. 

  15. -- define auth provider

  16. local provider = {};

  17. 

  18. local host = module.host;

  19. 

  20. local appId = module:get_option_string("app_id");

  21. local appSecret = module:get_option_string("app_secret");

  22. local asapKeyServer = module:get_option_string("asap_key_server");

  23. local allowEmptyToken = module:get_option_boolean("allow_empty_token");

  24. local disableRoomNameConstraints = module:get_option_boolean("disable_room_name_constraints");

  25. 

  26. -- TODO: Figure out a less arbitrary default cache size.

  27. local cacheSize = module:get_option_number("jwt_pubkey_cache_size", 128);

  28. local cache = require"util.cache".new(cacheSize);

  29. 

  30. if allowEmptyToken == true then

  31. 	module:log("warn", "WARNING - empty tokens allowed");

  32. end

  33. 

  34. if appId == nil then

  35. 	module:log("error", "'app_id' must not be empty");

  36. 	return;

  37. end

  38. 

  39. if appSecret == nil and asapKeyServer == nil then

  40. 	module:log("error", "'app_secret' or 'asap_key_server' must be specified");

  41. 	return;

  42. end

  43. 

  44. if asapKeyServer and not have_async then

  45. 	module:log("error", "requires a version of Prosody with util.async");

  46. 	return;

  47. end

  48. 

  49. -- Extract 'token' param from BOSH URL when session is created

  50. module:hook("bosh-session", function(event)

  51. 	local session, request = event.session, event.request;

  52. 	local query = request.url.query;

  53. 	if query ~= nil then

  54. 		session.auth_token = query and formdecode(query).token or nil;

  55. 	end

  56. end);

  57. 

  58. function provider.test_password(username, password)

  59. 	return nil, "Password based auth not supported";

  60. end

  61. 

  62. function provider.get_password(username)

  63. 	return nil;

  64. end

  65. 

  66. function provider.set_password(username, password)

  67. 	return nil, "Set password not supported";

  68. end

  69. 

  70. function provider.user_exists(username)

  71. 	return nil;

  72. end

  73. 

  74. function provider.create_user(username, password)

  75. 	return nil;

  76. end

  77. 

  78. function provider.delete_user(username)

  79. 	return nil;

  80. end

  81. 

  82. local http_timeout = 30;

  83. local http_headers = {

  84. 	["User-Agent"] = "Prosody ("..prosody.version.."; "..prosody.platform..")"

  85. };

  86. 

  87. function get_public_key(keyId)

  88. 	local content = cache:get(keyId);

  89. 	if content == nil then

  90. 		-- If the key is not found in the cache.

  91. 		module:log("debug", "Cache miss for key: "..keyId);

  92. 		local code;

  93. 		local wait, done = async.waiter();

  94. 		local function cb(content_, code_, response_, request_)

  95. 			content, code = content_, code_;

  96. 			done();

  97. 		end

  98. 		module:log("debug", "Fetching public key from: "..asapKeyServer..keyId);

  99. 		local request = http.request(asapKeyServer..keyId, {

  100. 			headers = http_headers or {},

  101. 			method = "GET"

  102. 		}, cb);

  103. 		-- TODO: Is the done() call racey? Can we cancel this if the request

  104. 		--       succeedes?

  105. 		local function cancel()

  106. 			-- TODO: This check is racey. Not likely to be a problem, but we should

  107. 			--       still stick a mutex on content / code at some point.

  108. 			if code == nil then

  109. 				http.destroy_request(request);

  110. 				done();

  111. 			end

  112. 		end

  113. 		timer.add_task(http_timeout, cancel);

  114. 		wait();

  115. 

  116. 		if code == 200 or code == 204 then

  117. 			return content;

  118. 		end

  119. 	else

  120. 		-- If the key is in the cache, use it.

  121. 		module:log("debug", "Cache hit for key: "..keyId);

  122. 		return content;

  123. 	end

  124. 

  125. 	return nil;

  126. end

  127. 

  128. function provider.get_sasl_handler(session)

  129. 	-- JWT token extracted from BOSH URL

  130. 	local token = session.auth_token;

  131. 

  132. 	local function get_username_from_token(self, message)

  133. 

  134. 		if token == nil then

  135. 			if allowEmptyToken then

  136. 				return true;

  137. 			else

  138. 				return false, "not-allowed", "token required";

  139. 			end

  140. 		end

  141. 

  142. 		local pubKey;

  143. 		if asapKeyServer and session.auth_token ~= nil then

  144. 			local dotFirst = session.auth_token:find("%.");

  145. 			if not dotFirst then return nil, "Invalid token" end

  146. 			local header = json.decode(basexx.from_url64(session.auth_token:sub(1,dotFirst-1)));

  147. 			local kid = header["kid"];

  148. 			if kid == nil then

  149. 				return false, "not-allowed", "'kid' claim is missing";

  150. 			end

  151. 			pubKey = get_public_key(kid);

  152. 			if pubKey == nil then

  153. 				return false, "not-allowed", "could not obtain public key";

  154. 			end

  155. 		end

  156. 

  157. 		-- now verify the whole token

  158. 		local claims, msg;

  159. 		if asapKeyServer then

  160. 			claims, msg = token_util.verify_token(token, appId, pubKey, disableRoomNameConstraints);

  161. 		else

  162. 			claims, msg = token_util.verify_token(token, appId, appSecret, disableRoomNameConstraints);

  163. 		end

  164. 		if claims ~= nil then

  165. 			-- Binds room name to the session which is later checked on MUC join

  166. 			session.jitsi_meet_room = claims["room"];

  167. 			return true;

  168. 		else

  169. 			return false, "not-allowed", msg;

  170. 		end

  171. 	end

  172. 

  173. 	return new_sasl(host, { anonymous = get_username_from_token });

  174. end

  175. 

  176. module:provides("auth", provider);

  177. 

  178. local function anonymous(self, message)

  179. 

  180. 	local username = generate_uuid();

  181. 

  182. 	-- This calls the handler created in 'provider.get_sasl_handler(session)'

  183. 	local result, err, msg = self.profile.anonymous(self, username, self.realm);

  184. 

  185. 	self.username = username;

  186. 

  187. 	if result == true then

  188. 		return "success";

  189. 	else

  190. 

  191. 		return "failure", err, msg;

  192. 	end

  193. end

  194. 

  195. sasl.registerMechanism("ANONYMOUS", {"anonymous"}, anonymous);