
Improve robustness of reading jwt_key option

This commit is contained in:
Evgeny Khramtsov 2019-07-18 22:31:08 +03:00
parent 50ef982eff
commit 6d6e3e348d
4 changed files with 13 additions and 8 deletions


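--- a/<path not shown on page: file 1>
+++ b/<path not shown on page: file 1>
@@ -159,6 +159,8 @@ format_error({bad_pem, Why, Path}) ->
 [Path, pkix:format_error(Why)]);
 format_error({bad_cert, Why, Path}) ->
 format_error({bad_pem, Why, Path});
+format_error({bad_jwt_key, Path}) ->
+format("No valid JWT key found in file: ~s", [Path]);
 format_error({bad_jid, Bad}) ->
 format("Invalid XMPP address: ~s", [Bad]);
 format_error({bad_user, Bad}) ->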


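--- a/<path not shown on page: file 2>
+++ b/<path not shown on page: file 2>
@@ -64,7 +64,7 @@ check_password(User, AuthzId, Server, Token) ->
 %%% Internal functions
 %%%----------------------------------------------------------------------
 check_jwt_token(User, Server, Token) ->
-JWK = get_jwk(Server),
+JWK = ejabberd_option:jwt_key(Server),
 try jose_jwt:verify(JWK, Token) of
 {true, {jose_jwt, Fields}, Signature} ->
 ?DEBUG("jwt verify: ~p - ~p~n", [Fields, Signature]),
@@ -100,9 +100,6 @@ check_jwt_token(User, Server, Token) ->
 false
 end.
-get_jwk(Host) ->
-jose_jwk:from_binary(ejabberd_option:jwt_key(Host)).
 %% TODO: auth0 username is defined in 'jid' field, but we should
 %% allow customizing the name of the field containing the username
 %% to adapt to custom claims.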


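--- a/<path not shown on page: file 3>
+++ b/<path not shown on page: file 3>
@@ -424,10 +424,10 @@ include_config_file() ->
 include_config_file(Host) ->
 ejabberd_config:get_option({include_config_file, Host}).
--spec jwt_key() -> binary().
+-spec jwt_key() -> jose_jwk:key().
 jwt_key() ->
 jwt_key(global).
--spec jwt_key(global | binary()) -> binary().
+-spec jwt_key(global | binary()) -> jose_jwk:key().
 jwt_key(Host) ->
 ejabberd_config:get_option({jwt_key, Host}).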


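--- a/<path not shown on page: file 4>
+++ b/<path not shown on page: file 4>
@@ -399,7 +399,13 @@ opt_type(jwt_key) ->
 econf:file(),
 fun(Path) ->
 case file:read_file(Path) of
-{ok, Binary} -> Binary;
+{ok, Data} ->
+try jose_jwk:from_binary(Data) of
+{error, _} -> econf:fail({bad_jwt_key, Path});
+Ret -> Ret
+catch _:_ ->
+econf:fail({bad_jwt_key, Path})
+end;
 {error, Reason} ->
 econf:fail({read_file, Reason, Path})
 end
@@ -422,7 +428,7 @@ opt_type(jwt_key) ->
 {shaper, #{atom() => ejabberd_shaper:shaper_rate()}} |
 {shaper_rules, [{atom(), [ejabberd_shaper:shaper_rule()]}]} |
 {api_permissions, [ejabberd_access_permissions:permission()]} |
-{jwt_key, binary()} |
+{jwt_key, jose_jwk:key()} |
 {append_host_config, [{binary(), any()}]} |
 {host_config, [{binary(), any()}]} |
 {define_macro, any()} |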
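Review bot: The `catch _:_ ->` added around `jose_jwk:from_binary(Data)` discards the exception class and reason, so an operator whose key file is rejected at config load only sees "No valid JWT key found in file" (the new format_error clause in the first file section) and cannot tell a wrong encoding from a wrong key type; bind the reason and surface it before failing, e.g. `catch _:Reason -> ?ERROR_MSG("Failed to parse JWT key ~ts: ~p", [Path, Reason]), econf:fail({bad_jwt_key, Path})`, or extend the `bad_jwt_key` term and its format_error clause to carry it. A short comment on the `of` clause would also help the next reader, since the `econf:fail/1` in the `{error, _}` branch runs outside the protected region and is deliberately not swallowed by the catch-all: `%% 'of' branches are not protected: econf:fail/1 here propagates as intended`. Parsing the key once at load time instead of on every check_jwt_token call (second file section) is a good change; this is only about what the failure path reports. The enclosing `opt_type(jwt_key)` clause starts outside the hunk.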