Merge branch 'master' into aaronkvanmeerten/jibri-queue-component-modules

2025-12-30 03:12:29 +00:00 · 2020-08-14 14:21:13 -05:00
parent 5e35b69fc9 5dcecdbb54
commit 0c48e205d7
299 changed files with 13802 additions and 3496 deletions
--- a/resources/prosody-plugins/token/util.lib.lua
+++ b/resources/prosody-plugins/token/util.lib.lua
@@ -19,7 +19,6 @@ local http_headers = {

 -- TODO: Figure out a less arbitrary default cache size.
 local cacheSize = module:get_option_number("jwt_pubkey_cache_size", 128);
-local cache = require"util.cache".new(cacheSize);

 local Util = {}
 Util.__index = Util
@@ -38,6 +37,8 @@ function Util.new(module)
    self.asapKeyServer = module:get_option_string("asap_key_server");
    self.allowEmptyToken = module:get_option_boolean("allow_empty_token");

+    self.cache = require"util.cache".new(cacheSize);
+
    --[[
        Multidomain can be supported in some deployments. In these deployments
        there is a virtual conference muc, which address contains the subdomain
@@ -122,7 +123,7 @@ end
 -- @param keyId the key ID to request
 -- @return the public key (the content of requested resource) or nil
 function Util:get_public_key(keyId)
-    local content = cache:get(keyId);
+    local content = self.cache:get(keyId);
    if content == nil then
        -- If the key is not found in the cache.
        module:log("debug", "Cache miss for key: "..keyId);
@@ -133,7 +134,10 @@ function Util:get_public_key(keyId)
            if timeout_occurred == nil then
                content, code = content_, code_;
                if code == 200 or code == 204 then
-                    cache:set(keyId, content);
+                    self.cache:set(keyId, content);
+                else
+                    module:log("warn", "Error on public key request: Code %s, Content %s",
+                    code_, content_);
                end
                done();
            else
@@ -148,7 +152,7 @@ function Util:get_public_key(keyId)
            if code == nil then
                timeout_occurred = true;
                module:log("warn", "Timeout %s seconds fetching public key from: %s",http_timeout,keyurl);
-                if http.destroy_request then
+                if http.destroy_request ~= nil then
                    http.destroy_request(request);
                end
                done();
@@ -183,10 +187,14 @@ end

 --- Verifies issuer part of token
 -- @param 'iss' claim from the token to verify
+-- @param 'acceptedIssuers' list of issuers to check
 -- @return nil and error string or true for accepted claim
-function Util:verify_issuer(issClaim)
-    module:log("debug","verify_issuer claim: %s against accepted: %s",issClaim, self.acceptedIssuers);
-    for i, iss in ipairs(self.acceptedIssuers) do
+function Util:verify_issuer(issClaim, acceptedIssuers)
+    if not acceptedIssuers then
+        acceptedIssuers = self.acceptedIssuers
+    end
+    module:log("debug","verify_issuer claim: %s against accepted: %s",issClaim, acceptedIssuers);
+    for i, iss in ipairs(acceptedIssuers) do
        if issClaim == iss then
            --claim matches an accepted issuer so return success
            return true;
@@ -218,8 +226,9 @@ end
 --- Verifies token
 -- @param token the token to verify
 -- @param secret the secret to use to verify token
+-- @param acceptedIssuers the list of accepted issuers to check
 -- @return nil and error or the extracted claims from the token
-function Util:verify_token(token, secret)
+function Util:verify_token(token, secret, acceptedIssuers)
    local claims, err = jwt.decode(token, secret, true);
    if claims == nil then
        return nil, err;
@@ -235,7 +244,7 @@ function Util:verify_token(token, secret)
        return nil, "'iss' claim is missing";
    end
    --check the issuer against the accepted list
-    local issCheck, issCheckErr = self:verify_issuer(issClaim);
+    local issCheck, issCheckErr = self:verify_issuer(issClaim, acceptedIssuers);
    if issCheck == nil then
        return nil, issCheckErr;
    end
@@ -269,8 +278,13 @@ end
 -- session.jitsi_meet_context_group - the group value from the token
 -- session.jitsi_meet_context_features - the features value from the token
 -- @param session the current session
+-- @param acceptedIssuers optional list of accepted issuers to check
 -- @return false and error
-function Util:process_and_verify_token(session)
+function Util:process_and_verify_token(session, acceptedIssuers)
+    if not acceptedIssuers then
+        acceptedIssuers = self.acceptedIssuers;
+    end
+
    if session.auth_token == nil then
        if self.allowEmptyToken then
            return true;
@@ -300,9 +314,9 @@ function Util:process_and_verify_token(session)
    -- now verify the whole token
    local claims, msg;
    if self.asapKeyServer then
-        claims, msg = self:verify_token(session.auth_token, pubKey);
+        claims, msg = self:verify_token(session.auth_token, pubKey, acceptedIssuers);
    else
-        claims, msg = self:verify_token(session.auth_token, self.appSecret);
+        claims, msg = self:verify_token(session.auth_token, self.appSecret, acceptedIssuers);
    end
    if claims ~= nil then
        -- Binds room name to the session which is later checked on MUC join
@@ -429,4 +443,4 @@ function Util:verify_room(session, room_address)
    end
 end

-return Util;
+return Util;