From 8e1744b264f7b4c6129c57d5747983232c60f94c Mon Sep 17 00:00:00 2001 From: farhatahmad Date: Thu, 9 Nov 2023 10:21:17 -0500 Subject: [PATCH] Initial work for custom lrs integration --- .rubocop.yml | 2 + .../bigbluebutton_api_controller.rb | 5 ++ app/models/tenant.rb | 16 ++++- app/services/lrs_payload_service.rb | 63 +++++++++++++++++++ lib/tasks/tenants.rake | 38 +++++++++++ 5 files changed, 123 insertions(+), 1 deletion(-) create mode 100644 app/services/lrs_payload_service.rb diff --git a/.rubocop.yml b/.rubocop.yml index b17ad0f7..d939fb4b 100644 --- a/.rubocop.yml +++ b/.rubocop.yml @@ -135,6 +135,7 @@ Metrics/PerceivedComplexity: Exclude: - app/models/recording.rb - app/models/server.rb + - app/models/tenant.rb - lib/server_sync.rb # Avoid classes longer than 100 lines of code. @@ -164,6 +165,7 @@ Metrics/CyclomaticComplexity: Exclude: - app/models/recording.rb - app/models/server.rb + - app/models/tenant.rb - lib/server_sync.rb # Checks for method parameter names that contain capital letters, end in numbers, or do not meet a minimal length. diff --git a/app/controllers/bigbluebutton_api_controller.rb b/app/controllers/bigbluebutton_api_controller.rb index 93c22837..5e2d0f13 100644 --- a/app/controllers/bigbluebutton_api_controller.rb +++ b/app/controllers/bigbluebutton_api_controller.rb @@ -198,6 +198,11 @@ def create params[:voiceBridge] = meeting.voice_bridge + if @tenant&.lrs_endpoint.present? + lrs_payload = LrsPayloadService.new(tenant: @tenant, secret: server.secret).call + params[:'meta_secret-lrs-payload'] = lrs_payload if lrs_payload.present? + end + logger.debug("Creating meeting #{params[:meetingID]} on BigBlueButton server #{server.id}") params_hash = params diff --git a/app/models/tenant.rb b/app/models/tenant.rb index 1fce1188..8ee40cdf 100644 --- a/app/models/tenant.rb +++ b/app/models/tenant.rb @@ -3,7 +3,7 @@ class Tenant < ApplicationRedisRecord SECRETS_SEPARATOR = ':' - define_attribute_methods :id, :name, :secrets + define_attribute_methods :id, :name, :secrets, :lrs_endpoint, :kc_token_url, :kc_client_id, :kc_client_secret, :kc_username, :kc_password # Unique ID for this tenant application_redis_attr :id @@ -14,6 +14,14 @@ class Tenant < ApplicationRedisRecord # Shared secrets for making API requests for this tenant (: separated) application_redis_attr :secrets + # Custom LRS work + application_redis_attr :lrs_endpoint + application_redis_attr :kc_token_url + application_redis_attr :kc_client_id + application_redis_attr :kc_client_secret + application_redis_attr :kc_username + application_redis_attr :kc_password + def save! with_connection do |redis| raise RecordNotSaved.new('Cannot update id field', self) if id_changed? && !@new_record @@ -34,6 +42,12 @@ def save! pipeline.del(old_names_key) if !id_changed? && name_changed? # Delete the old name key if it's not a new record and the name was updated pipeline.hset(id_key, 'name', name) if name_changed? pipeline.hset(id_key, 'secrets', secrets) if secrets_changed? + pipeline.hset(id_key, 'lrs_endpoint', lrs_endpoint) if lrs_endpoint_changed? + pipeline.hset(id_key, 'kc_token_url', kc_token_url) if kc_token_url_changed? + pipeline.hset(id_key, 'kc_client_id', kc_client_id) if kc_client_id_changed? + pipeline.hset(id_key, 'kc_client_secret', kc_client_secret) if kc_client_secret_changed? + pipeline.hset(id_key, 'kc_username', kc_username) if kc_username_changed? + pipeline.hset(id_key, 'kc_password', kc_password) if kc_password_changed? pipeline.sadd?('tenants', id) if id_changed? end end diff --git a/app/services/lrs_payload_service.rb b/app/services/lrs_payload_service.rb new file mode 100644 index 00000000..202e8099 --- /dev/null +++ b/app/services/lrs_payload_service.rb @@ -0,0 +1,63 @@ +# frozen_string_literal: true + +class LrsPayloadService + def initialize(tenant:, secret:) + @tenant = tenant + @secret = secret + end + + def call + Rails.logger.debug { "Fetching LRS token from #{@tenant.kc_token_url}" } + + url = URI.parse(@tenant.kc_token_url) + http = Net::HTTP.new(url.host, url.port) + http.use_ssl = (url.scheme == 'https') + + payload = { + client_id: @tenant.kc_client_id, + client_secret: @tenant.kc_client_secret, + username: @tenant.kc_username, + password: @tenant.kc_password, + grant_type: 'password' + } + + request = Net::HTTP::Post.new(url.path) + request.set_form_data(payload) + + response = http.request(request) + + if response.code.to_i != 200 + Rails.logger.warn("Error #{response.message} when trying to fetch LRS Access Token") + return nil + end + + parsed_response = JSON.parse(response.body) + kc_access_token = parsed_response['access_token'] + + lrs_payload = { + lrs_endpoint: @tenant.lrs_endpoint, + lrs_token: kc_access_token + } + + # Generate a random salt + salt = SecureRandom.random_bytes(8) + + # Generate a key and initialization vector (IV) using PBKDF2 with SHA-256 + key_iv = OpenSSL::PKCS5.pbkdf2_hmac(@secret, salt, 10_000, 48, OpenSSL::Digest.new('SHA256')) + key = key_iv[0, 32] # 32 bytes for the key + iv = key_iv[32, 16] # 16 bytes for the IV + + # Encrypt the data using AES-256-CBC + cipher = OpenSSL::Cipher.new('AES-256-CBC') + cipher.encrypt + cipher.key = key + cipher.iv = iv + + # Encrypt and Base64 encode the data + Base64.strict_encode64(Random.random_bytes(8) + salt + cipher.update(lrs_payload.to_json) + cipher.final) + rescue StandardError => e + Rails.logger.warn("Error #{e} when trying to compute LRS Payload") + + nil + end +end diff --git a/lib/tasks/tenants.rake b/lib/tasks/tenants.rake index 6a10a277..5af6167b 100644 --- a/lib/tasks/tenants.rake +++ b/lib/tasks/tenants.rake @@ -14,6 +14,12 @@ task tenants: :environment do |_t, _args| puts("id: #{tenant.id}") puts("\tname: #{tenant.name}") puts("\tsecrets: #{tenant.secrets}") + puts("\tlrs_endpoint: #{tenant.lrs_endpoint}") if tenant.lrs_endpoint.present? + puts("\tkc_token_url: #{tenant.kc_token_url}") if tenant.kc_token_url.present? + puts("\tkc_client_id: #{tenant.kc_client_id}") if tenant.kc_client_id.present? + puts("\tkc_client_secret: #{tenant.kc_client_secret}") if tenant.kc_client_secret.present? + puts("\tkc_username: #{tenant.kc_username}") if tenant.kc_username.present? + puts("\tkc_password: #{tenant.kc_password}") if tenant.kc_password.present? end end @@ -53,6 +59,38 @@ namespace :tenants do tenant = Tenant.find(id) tenant.name = name if name.present? tenant.secrets = secrets if secrets.present? + + tenant.save! + + puts('OK') + puts("Updated Tenant id: #{tenant.id}") + end + + desc 'Update an existing Tenants LRS credentials' + task :update_lrs, [:id, :lrs_endpoint, :kc_token_url, :kc_client_id, :kc_client_secret, :kc_username, :kc_password] => :environment do |_t, args| + check_multitenancy + id = args[:id] + lrs_endpoint = args[:lrs_endpoint] + kc_token_url = args[:kc_token_url] + kc_client_id = args[:kc_client_id] + kc_client_secret = args[:kc_client_secret] + kc_username = args[:kc_username] + kc_password = args[:kc_password] + + if id.blank? || lrs_endpoint.blank? || kc_token_url.blank? || kc_client_id.blank? || + kc_client_secret.blank? || kc_username.blank? || kc_password.blank? + puts('Error: id and either name or secrets are required to update a Tenant') + exit(1) + end + + tenant = Tenant.find(id) + tenant.lrs_endpoint = lrs_endpoint + tenant.kc_token_url = kc_token_url + tenant.kc_client_id = kc_client_id + tenant.kc_client_secret = kc_client_secret + tenant.kc_username = kc_username + tenant.kc_password = kc_password + tenant.save! puts('OK')