xmpp: add support for authentication

2018-10-17 23:02:10 +02:00 · 2018-10-17 23:02:10 +02:00 · ee90a92d43
parent 136460578d
commit ee90a92d43
8 changed files with 89 additions and 14 deletions
--- a/README.md
+++ b/README.md
@ -91,6 +91,8 @@ Variable | Description | Example
 `HTTPS_PORT` | Exposed port for HTTPS traffic | 8443
 `DOCKER_HOST_ADDRESS` | IP addrss of the Docker host, needed for LAN environments | 192.168.1.1

+### SIP gateway configuration
+
 If you want to enable the SIP gateway, these options are required:

 Variable | Description | Example
@ -99,6 +101,27 @@ Variable | Description | Example
 `JIGASI_SIP_PASSWORD` | Password for the specified SIP account | passw0rd
 `JIGASI_SIP_SERVER` | SIP server (use the SIP account domain if in doubt) | sip2sip.info

+### Authentication
+
+Authentication can be controlled with the environment variables below. If guest
+access is enabled, unauthenticated users will need to wait until a user authenticates
+before they can join a room. If guest access is not enabled, every user will need
+to authenticate before they can join.
+
+Variable | Description | Example
+--- | --- | ---
+`ENABLE_AUTH` | Enable authentication | 1
+`ENABLE_GUESTS` | Enable guest access | 1
+
+Users must be created with the ``prosodyctl`` utility in the ``prosody`` container.
+In order to do that, first execute a shell in the corresponding container:
+
+``docker-compose exec prosody /bin/bash``
+
+Once in the container, run the following command to create a user:
+
+``prosodyctl --config /config/prosody.cfg.lua register user meet.jitsi password``
+
 ### Advanced configuration

 These configuration options are already set and generally don't need to be changed.
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -10,10 +10,13 @@ services:
        volumes:
            - ${CONFIG}/meet:/config
        environment:
+            - ENABLE_AUTH
+            - ENABLE_GUESTS
            - JICOFO_AUTH_USER
            - XMPP_DOMAIN
            - XMPP_AUTH_DOMAIN
            - XMPP_BOSH_URL_BASE=http://xmpp.meet.jitsi:5280
+            - XMPP_GUEST_DOMAIN
            - XMPP_MUC_DOMAIN
            - TZ
        networks:
@ -29,8 +32,11 @@ services:
        volumes:
            - ${CONFIG}/prosody:/config
        environment:
+            - ENABLE_AUTH
+            - ENABLE_GUESTS
            - XMPP_DOMAIN
            - XMPP_AUTH_DOMAIN
+            - XMPP_GUEST_DOMAIN
            - XMPP_MUC_DOMAIN
            - XMPP_INTERNAL_MUC_DOMAIN
            - JICOFO_COMPONENT_SECRET
@ -52,6 +58,7 @@ services:
        volumes:
            - ${CONFIG}/jicofo:/config
        environment:
+            - ENABLE_AUTH
            - XMPP_DOMAIN
            - XMPP_AUTH_DOMAIN
            - XMPP_INTERNAL_MUC_DOMAIN
--- a/env.example
+++ b/env.example
@ -23,16 +23,26 @@ TZ=Europe/Amsterdam
 # Basic Jigasi configuration options (needed for SIP gateway support)
 #

-# SIP URI for incoming / outgoing calls
+# SIP URI for incoming / outgoing calls.
 #JIGASI_SIP_URI=test@sip2sip.info

-# Password for the specified SIP account
+# Password for the specified SIP account.
 #JIGASI_SIP_PASSWORD=passw0rd

-# SIP server (use the SIP account domain if in doubt)
+# SIP server (use the SIP account domain if in doubt).
 #JIGASI_SIP_SERVER=sip2sip.info


+#
+# Authentication configuration (see README for details)
+#
+
+# Enable authentication.
+#ENABLE_AUTH=1
+
+# Enable guest access.
+#ENABLE_GUESTS=1
+
 #
 # Advanced configuration options (you generally don't need to change these)
 #
@ -49,6 +59,9 @@ XMPP_MUC_DOMAIN=muc.meet.jitsi
 # XMPP domain for the internal MUC used for jibri, jigasi and jvb pools.
 XMPP_INTERNAL_MUC_DOMAIN=internal-muc.meet.jitsi

+# XMPP domain for unauthenticated users.
+XMPP_GUEST_DOMAIN=guest.meet.jitsi
+
 # MUC for the JVB pool.
 JVB_BREWERY_MUC=jvbbrewery

--- a/jicofo/rootfs/defaults/sip-communicator.properties
+++ b/jicofo/rootfs/defaults/sip-communicator.properties
@ -2,3 +2,6 @@ org.jitsi.jicofo.ALWAYS_TRUST_MODE_ENABLED=true
 org.jitsi.jicofo.BRIDGE_MUC={{ .Env.JVB_BREWERY_MUC }}@{{ .Env.XMPP_INTERNAL_MUC_DOMAIN }}
 org.jitsi.jicofo.jigasi.BREWERY={{ .Env.JIGASI_BREWERY_MUC}}@{{ .Env.XMPP_INTERNAL_MUC_DOMAIN }}

+{{ if .Env.ENABLE_AUTH }}
+org.jitsi.jicofo.auth.URL=XMPP:{{ .Env.XMPP_DOMAIN }}
+{{ end }}
--- a/jigasi.yml
+++ b/jigasi.yml
@ -9,6 +9,7 @@ services:
        volumes:
            - ${CONFIG}/jigasi:/config
        environment:
+            - ENABLE_AUTH
            - XMPP_AUTH_DOMAIN
            - XMPP_INTERNAL_MUC_DOMAIN
            - XMPP_SERVER=xmpp.meet.jitsi
--- a/jigasi/rootfs/defaults/sip-communicator.properties
+++ b/jigasi/rootfs/defaults/sip-communicator.properties
@ -86,6 +86,12 @@ org.jitsi.jigasi.BREWERY_ENABLED=true

 org.jitsi.jigasi.xmpp.acc.IS_SERVER_OVERRIDDEN=true
 org.jitsi.jigasi.xmpp.acc.SERVER_ADDRESS={{ .Env.XMPP_SERVER }}
+{{ if .Env.ENABLE_AUTH }}
+org.jitsi.jigasi.xmpp.acc.USER_ID={{ .Env.JIGASI_XMPP_USER }}@{{ .Env.XMPP_AUTH_DOMAIN }}
+org.jitsi.jigasi.xmpp.acc.PASS={{ .Env.JIGASI_XMPP_PASSWORD }}
+org.jitsi.jigasi.xmpp.acc.ANONYMOUS_AUTH=false
+org.jitsi.jigasi.xmpp.acc.ALLOW_NON_SECURE=true
+{{ end }}

 # Activate this property if you are using self-signed certificates or other
 # type of non-trusted certicates. In this mode your service trust in the
--- a/prosody/rootfs/defaults/conf.d/jitsi-meet.cfg.lua
+++ b/prosody/rootfs/defaults/conf.d/jitsi-meet.cfg.lua
@ -1,18 +1,28 @@
 admins = { "{{ .Env.JICOFO_AUTH_USER }}@{{ .Env.XMPP_AUTH_DOMAIN }}" }

 VirtualHost "{{ .Env.XMPP_DOMAIN }}"
-        authentication = "anonymous"
-        ssl = {
-                key = "/config/certs/{{ .Env.XMPP_DOMAIN }}.key";
-                certificate = "/config/certs/{{ .Env.XMPP_DOMAIN }}.crt";
-        }
-        modules_enabled = {
-            "bosh";
-            "pubsub";
-            "ping";
-        }
+    {{ if .Env.ENABLE_AUTH }}
+    authentication = "internal_plain"
+    {{ else }}
+    authentication = "anonymous"
+    {{ end }}
+    ssl = {
+            key = "/config/certs/{{ .Env.XMPP_DOMAIN }}.key";
+            certificate = "/config/certs/{{ .Env.XMPP_DOMAIN }}.crt";
+    }
+    modules_enabled = {
+        "bosh";
+        "pubsub";
+        "ping";
+    }

-        c2s_require_encryption = false
+    c2s_require_encryption = false
+
+{{ if and .Env.ENABLE_AUTH .Env.ENABLE_GUESTS }}
+VirtualHost "{{ .Env.XMPP_GUEST_DOMAIN }}"
+    authentication = "anonymous"
+    c2s_require_encryption = false
+{{ end }}

 VirtualHost "{{ .Env.XMPP_AUTH_DOMAIN }}"
    ssl = {
--- a/web/rootfs/etc/cont-init.d/10-config
+++ b/web/rootfs/etc/cont-init.d/10-config
@ -24,6 +24,18 @@ if [[ ! -f /config/config.js ]]; then
        -e "s#muc:.*#muc: '${XMPP_MUC_DOMAIN}',#" \
        -e "s#// focusUserJid:.*#focusUserJid: '${JICOFO_AUTH_USER}@${XMPP_AUTH_DOMAIN}',#" \
        /config/config.js
+
+    if [[ $ENABLE_AUTH -eq 1 ]]; then
+        if [[ $ENABLE_GUESTS -eq 1 ]]; then
+            sed -i \
+                -e "s#// anonymousdomain:.*#anonymousdomain: '${XMPP_GUEST_DOMAIN}',#" \
+                /config/config.js
+        fi
+
+        sed -i \
+            -e "s#// authdomain:.*#authdomain: '${XMPP_DOMAIN}',#" \
+            /config/config.js
+    fi
 fi

 if [[ ! -f /config/interface_config.js ]]; then