From d05fa32413ab1dd80efe811901fa86d5ef265e6f Mon Sep 17 00:00:00 2001
From: Aaron van Meerten
Date: Wed, 12 Aug 2020 14:43:34 -0500
Subject: [PATCH] FIX: add flag to control whether to check room claim in JWT validation
jibri queue component stop checking room validation in token
Jibri queue component debug output when bad token is found
---
 .../mod_jibri_queue_component.lua | 18 +++++++++++-------
 resources/prosody-plugins/token/util.lib.lua | 14 +++++++++++---
 2 files changed, 22 insertions(+), 10 deletions(-)
diff --git a/resources/prosody-plugins/mod_jibri_queue_component.lua b/resources/prosody-plugins/mod_jibri_queue_component.lua
index 62f8045c8a..4fbc66d669 100644
--- a/resources/prosody-plugins/mod_jibri_queue_component.lua
+++ b/resources/prosody-plugins/mod_jibri_queue_component.lua
@@ -62,8 +62,11 @@ token_util:set_asap_accepted_issuers(ASAPAcceptedIssuers);
 local ASAPAcceptedAudiences = module:get_option_array('asap_accepted_audiences',{'*'});
- module:log("info", "ASAP Accepted Audiences %s", ASAPAcceptedAudiences);
- token_util:set_asap_accepted_audiences(ASAPAcceptedAudiences);
+module:log("info", "ASAP Accepted Audiences %s", ASAPAcceptedAudiences);
+token_util:set_asap_accepted_audiences(ASAPAcceptedAudiences);
+
+-- do not require room to be set on tokens for jibri queue
+token_util:set_asap_require_room_claim(false);
 local ASAPTTL = module:get_option_number("asap_ttl", 3600);
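Review bot: `token_util:set_asap_require_room_claim(false);` hard-codes the relaxation instead of reading the `asap_require_room_claim` option that util.lib.lua now exposes, so an operator cannot turn the room check back on for this component; together with the verify_room call commented out in the verify_token hunk of the same file, any token accepted by the configured issuers and audiences can now reach the jibri queue for any room. Reading the option with a component-specific default keeps the intended behaviour while leaving it configurable: `token_util:set_asap_require_room_claim(module:get_option_boolean('asap_require_room_claim', false));`. The comment above the call says only that the claim is not required; it should also say what makes dropping the room binding acceptable for this component, since a reader of this line cannot tell from the module itself.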
@@ -410,14 +413,15 @@ function verify_token(token, room_jid, session)
 local verified, reason, message = token_util:process_and_verify_token(session);
 if not verified then
 log("warn", "not a valid token %s: %s", tostring(reason), tostring(message));
+ log("debug", "invalid token %s", token);
 return false;
 end
- if not token_util:verify_room(session, room_jid) then
- log("warn", "Token %s not allowed to access: %s",
- tostring(token), tostring(room_jid));
- return false;
- end
+ -- if not token_util:verify_room(session, room_jid) then
+ -- log("warn", "Token %s not allowed to access: %s",
+ -- tostring(token), tostring(room_jid));
+ -- return false;
+ -- end
 return true;
 end
diff --git a/resources/prosody-plugins/token/util.lib.lua b/resources/prosody-plugins/token/util.lib.lua
index 4b1f620907..5d7284bc70 100644
--- a/resources/prosody-plugins/token/util.lib.lua
+++ b/resources/prosody-plugins/token/util.lib.lua
@@ -92,6 +94,8 @@ function Util.new(module)
 --array of accepted audiences: by default only includes our appId
 self.acceptedAudiences = module:get_option_array('asap_accepted_audiences',{'*'})
+ self.requireRoomClaim = module:get_option_boolean('asap_require_room_claim', true);
+
 if self.asapKeyServer and not have_async then
 module:log("error", "requires a version of Prosody with util.async");
 return nil;
@@ -112,6 +114,10 @@ function Util:set_asap_accepted_audiences(acceptedAudiences)
 self.acceptedAudiences = acceptedAudiences;
 end
+function Util:set_asap_require_room_claim(checkRoom)
+ self.requireRoomClaim = checkRoom;
+end
+
 --- Returns the public key by keyID
 -- @param keyId the key ID to request
 -- @return the public key (the content of requested resource) or nil
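Review bot: The new `log("debug", "invalid token %s", token);` writes the complete raw JWT to the log; a token rejected here may still be a valid credential for another audience or issuer, and the warn line just above already records the reason, so the log file becomes a place where bearer tokens accumulate. Logging only its size, plus the room it was presented for, is enough to correlate with the caller and also uses the now otherwise-unused `room_jid`: `log("debug", "invalid token of %d bytes for %s", #tostring(token), tostring(room_jid));`. The verify_room block is commented out rather than deleted or gated; since the commit also adds a require-room flag, either guarding the block on that flag or deleting it (history keeps it) would be clearer than leaving dead code in the function.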
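Review bot: The new `self.requireRoomClaim` field is read from `asap_require_room_claim` without a comment explaining what relaxing it means, while the acceptedAudiences field directly above it carries one. A line such as `-- whether verify_token rejects tokens that carry no 'room' claim; false only skips the presence check, a room claim that is present is still not matched to a room here` would tell the next reader that this option controls presence of the claim, not its binding, which in the jibri component appears to be left to verify_room. Util.new continues past this hunk.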
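Review bot: `Util:set_asap_require_room_claim` stores `checkRoom` unchecked, so a caller that passes nil by mistake (for example an unset config value) silently disables the check, because `if self.requireRoomClaim then` in verify_token treats nil as false. Since disabling is the security-relevant direction, failing loudly is the safer default: `assert(type(checkRoom) == "boolean", "checkRoom must be a boolean");` before the assignment. The function also lacks the LDoc header its neighbours have, e.g. `--- Controls whether verify_token rejects tokens that carry no 'room' claim.` with `-- @param checkRoom boolean; false accepts tokens without a room claim`.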
@@ -222,9 +228,11 @@ function Util:verify_token(token, secret)
 return nil, issCheckErr;
 end
- local roomClaim = claims["room"];
- if roomClaim == nil then
- return nil, "'room' claim is missing";
+ if self.requireRoomClaim then
+ local roomClaim = claims["room"];
+ if roomClaim == nil then
+ return nil, "'room' claim is missing";
+ end
 end
 local audClaim = claims["aud"];
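Review bot: `local roomClaim` has moved from function scope into the new `if self.requireRoomClaim then` block, so if anything later in verify_token still refers to `roomClaim` (the rest of the function lies outside this hunk) that reference now resolves to a global and silently yields nil instead of the claim. Keeping the local at function scope and conditioning only the check avoids that and is shorter: `local roomClaim = claims["room"];` / `if self.requireRoomClaim and roomClaim == nil then` / `return nil, "'room' claim is missing";` followed by the existing `end`. A short comment would also help here, noting that in either mode a 'room' claim that is present is not matched against any room by this function; from the jibri component hunk that binding appears to be the caller's responsibility.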