From b06e6d54245410b7c63b1fcad48eef7063dede94 Mon Sep 17 00:00:00 2001 From: anhefti Date: Mon, 25 Oct 2021 13:31:05 +0200 Subject: [PATCH] Fixed Zoom SDK JWT-Token generation --- .../ch/ethz/seb/sebserver/gbl/util/Utils.java | 5 ++ .../proctoring/ZoomProctoringService.java | 85 +++++++++++++++++-- 2 files changed, 82 insertions(+), 8 deletions(-) diff --git a/src/main/java/ch/ethz/seb/sebserver/gbl/util/Utils.java b/src/main/java/ch/ethz/seb/sebserver/gbl/util/Utils.java index cc097985..8d79797b 100644 --- a/src/main/java/ch/ethz/seb/sebserver/gbl/util/Utils.java +++ b/src/main/java/ch/ethz/seb/sebserver/gbl/util/Utils.java @@ -530,6 +530,10 @@ public final class Utils { return getMillisecondsNow() / 1000; } + public static long toSeconds(final long millis) { + return millis / 1000; + } + public static RGB toRGB(final String rgbString) { if (StringUtils.isNotBlank(rgbString)) { return new RGB( @@ -661,4 +665,5 @@ public final class Utils { return false; // Either timeout or unreachable or failed DNS lookup. } } + } diff --git a/src/main/java/ch/ethz/seb/sebserver/webservice/servicelayer/session/impl/proctoring/ZoomProctoringService.java b/src/main/java/ch/ethz/seb/sebserver/webservice/servicelayer/session/impl/proctoring/ZoomProctoringService.java index e4157f39..0118f4b9 100644 --- a/src/main/java/ch/ethz/seb/sebserver/webservice/servicelayer/session/impl/proctoring/ZoomProctoringService.java +++ b/src/main/java/ch/ethz/seb/sebserver/webservice/servicelayer/session/impl/proctoring/ZoomProctoringService.java @@ -56,6 +56,7 @@ import ch.ethz.seb.sebserver.gbl.api.JSONMapper; import ch.ethz.seb.sebserver.gbl.async.AsyncService; import ch.ethz.seb.sebserver.gbl.async.CircuitBreaker; import ch.ethz.seb.sebserver.gbl.client.ClientCredentials; +import ch.ethz.seb.sebserver.gbl.model.exam.Exam; import ch.ethz.seb.sebserver.gbl.model.exam.ProctoringRoomConnection; import ch.ethz.seb.sebserver.gbl.model.exam.ProctoringServiceSettings; import ch.ethz.seb.sebserver.gbl.model.exam.ProctoringServiceSettings.ProctoringServerType; @@ -92,6 +93,8 @@ public class ZoomProctoringService implements ExamProctoringService { "{\"alg\":\"HS256\",\"typ\":\"JWT\"}"; private static final String ZOOM_API_ACCESS_TOKEN_PAYLOAD = "{\"iss\":\"%s\",\"exp\":%s}"; + private static final String ZOOM_SDK_ACCESS_TOKEN_PAYLOAD = + "{\"appKey\":\"%s\",\"iat\":%s,\"exp\":%s,\"tokenExp\":%s}"; private static final Map SEB_API_NAME_INSTRUCTION_NAME_MAPPING = Utils.immutableMapOf(Arrays.asList( new Tuple<>( @@ -260,7 +263,7 @@ public class ZoomProctoringService implements ExamProctoringService { proctoringSettings.appSecret, remoteProctoringRoom.joinKey); - final String jwt = this.createJWTForMeetingAccess( + final String jwt = this.createSignatureForMeetingAccess( credentials, String.valueOf(additionalZoomRoomData.meeting_id), true); @@ -275,7 +278,7 @@ public class ZoomProctoringService implements ExamProctoringService { sdkJWT = this.createJWTForSDKAccess( sdkCredentials, - String.valueOf(additionalZoomRoomData.meeting_id)); + forExam(proctoringSettings)); } return new ProctoringRoomConnection( @@ -316,7 +319,7 @@ public class ZoomProctoringService implements ExamProctoringService { proctoringSettings.appSecret, remoteProctoringRoom.joinKey); - final String jwt = this.createJWTForMeetingAccess( + final String signature = this.createSignatureForMeetingAccess( credentials, String.valueOf(additionalZoomRoomData.meeting_id), false); @@ -335,7 +338,7 @@ public class ZoomProctoringService implements ExamProctoringService { sdkJWT = this.createJWTForSDKAccess( sdkCredentials, - String.valueOf(additionalZoomRoomData.meeting_id)); + forExam(proctoringSettings)); } return new ProctoringRoomConnection( @@ -345,7 +348,7 @@ public class ZoomProctoringService implements ExamProctoringService { additionalZoomRoomData.join_url, roomName, subject, - jwt, + signature, sdkJWT, credentials.accessToken, credentials.clientId, @@ -646,12 +649,57 @@ public class ZoomProctoringService implements ExamProctoringService { private String createJWTForSDKAccess( final ClientCredentials sdkCredentials, - final String meetingId) { + final Long expTime) { - return createJWTForMeetingAccess(sdkCredentials, meetingId, false); + try { + + final CharSequence decryptedSecret = this.cryptor + .decrypt(sdkCredentials.secret) + .getOrThrow(); + + final StringBuilder builder = new StringBuilder(); + final Encoder urlEncoder = Base64.getUrlEncoder().withoutPadding(); + + final String jwtHeaderPart = urlEncoder + .encodeToString(ZOOM_ACCESS_TOKEN_HEADER.getBytes(StandardCharsets.UTF_8)); + + // epoch time in seconds + final long secondsNow = Utils.getSecondsNow(); + + final String jwtPayload = String.format( + ZOOM_SDK_ACCESS_TOKEN_PAYLOAD + .replaceAll(" ", "") + .replaceAll("\n", ""), + sdkCredentials.clientIdAsString(), + secondsNow, + expTime, + expTime); + + final String jwtPayloadPart = urlEncoder + .encodeToString(jwtPayload.getBytes(StandardCharsets.UTF_8)); + + final String message = jwtHeaderPart + "." + jwtPayloadPart; + + final Mac sha256_HMAC = Mac.getInstance(TOKEN_ENCODE_ALG); + final SecretKeySpec secret_key = new SecretKeySpec( + Utils.toByteArray(decryptedSecret), + TOKEN_ENCODE_ALG); + + sha256_HMAC.init(secret_key); + final String hash = urlEncoder + .encodeToString(sha256_HMAC.doFinal(Utils.toByteArray(message))); + + builder.append(message) + .append(".") + .append(hash); + + return builder.toString(); + } catch (final Exception e) { + throw new RuntimeException("Failed to create JWT for Zoom API access: ", e); + } } - private String createJWTForMeetingAccess( + private String createSignatureForMeetingAccess( final ClientCredentials credentials, final String meetingId, final boolean host) { @@ -683,6 +731,27 @@ public class ZoomProctoringService implements ExamProctoringService { } } + private long forExam(final ProctoringServiceSettings examProctoring) { + if (examProctoring.examId == null) { + throw new IllegalStateException("Missing exam identifier from ExamProctoring data"); + } + + long expTime = Utils.toSeconds(System.currentTimeMillis() + Constants.DAY_IN_MILLIS); + if (this.examSessionService.isExamRunning(examProctoring.examId)) { + final Exam exam = this.examSessionService.getRunningExam(examProctoring.examId) + .getOrThrow(); + if (exam.endTime != null) { + expTime = Utils.toSeconds(exam.endTime.getMillis()); + } + } + // refer to https://marketplace.zoom.us/docs/sdk/native-sdks/auth + // "exp": 0, //JWT expiration date (Min:1800 seconds greater than iat value, Max: 48 hours greater than iat value) in epoch format. + if (expTime - Utils.getSecondsNow() > Utils.toSeconds(2 * Constants.DAY_IN_MILLIS)) { + expTime = Utils.toSeconds(System.currentTimeMillis() + Constants.DAY_IN_MILLIS); + } + return expTime; + } + private final static class ZoomRestTemplate { private static final int LIZENSED_USER = 2;