From 88997f580c2902a2dd2e77ce9de497d246e5689c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Markus=20M=C3=BCnzel?=
Date: Fri, 25 Feb 2022 19:40:20 +0100
Subject: [PATCH] prosody: authentication by matrix user authentication service
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Added env variables and prosody plugins to authenticate prosody users by the matrix user authentication service, refer to https://github.com/matrix-org/prosody-mod-auth-matrix-user-verification

Co-authored-by: Markus Münzel
---
 docker-compose.yml | 4 ++++
 env.example | 18 +++++++++++++++++-
 prosody/Dockerfile | 9 ++++++++-
 .../rootfs/defaults/conf.d/jitsi-meet.cfg.lua | 18 ++++++++++++++++--
 4 files changed, 45 insertions(+), 4 deletions(-)

diff --git a/docker-compose.yml b/docker-compose.yml
index 3563821..daec649 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -170,6 +170,10 @@ services:
 - JWT_ALLOW_EMPTY
 - JWT_AUTH_TYPE
 - JWT_TOKEN_AUTH_MODULE
+ - MATRIX_UVS_URL
+ - MATRIX_UVS_ISSUER
+ - MATRIX_UVS_AUTH_TOKEN
+ - MATRIX_UVS_SYNC_POWER_LEVELS
 - LOG_LEVEL
 - LDAP_AUTH_METHOD
 - LDAP_BASE
diff --git a/env.example b/env.example
index 36cc2a7..4b5f65e 100644
--- a/env.example
+++ b/env.example
@@ -142,7 +142,7 @@ ETHERPAD_SKIN_VARIANTS="super-light-toolbar super-light-editor light-background
 # Enable guest access
 #ENABLE_GUESTS=1
-# Select authentication type: internal, jwt or ldap
+# Select authentication type: internal, jwt, ldap or matrix
 #AUTH_TYPE=internal
 # JWT authentication
@@ -207,6 +207,22 @@ ETHERPAD_SKIN_VARIANTS="super-light-toolbar super-light-editor light-background
 # LDAP_START_TLS=1
+# Matrix authentication (for more information see the documention of the "Prosody Auth Matrix User Verification" at https://github.com/matrix-org/prosody-mod-auth-matrix-user-verification)
+#
+
+# Base URL to the matrix user verification service (without ending slash)
+#MATRIX_UVS_URL=https://uvs.example.com:3000
+
+# (optional) The issuer of the auth token to be passed through. Must match what is being set as `iss` in the JWT. Defaut value is "issuer".
+#MATRIX_UVS_ISSUER=issuer
+
+# (optional) user verification service auth token, if authentication enabled
+#MATRIX_UVS_AUTH_TOKEN=changeme
+
+# (optional) Make Matrix room moderators owners of the Prosody room.
+#MATRIX_UVS_SYNC_POWER_LEVELS=1
+
+
 #
 # Advanced configuration options (you generally don't need to change these)
 #
diff --git a/prosody/Dockerfile b/prosody/Dockerfile
index 30b3b7b..8872fdd 100644
--- a/prosody/Dockerfile
+++ b/prosody/Dockerfile
@@ -26,6 +26,8 @@ LABEL org.opencontainers.image.documentation="https://jitsi.github.io/handbook/"
 ENV XMPP_CROSS_DOMAIN="false"
+ARG VERSION_MATRIX_USER_VERIFICATION_SERVICE_PLUGIN="1.7.0"
+
 RUN wget -qO /etc/apt/trusted.gpg.d/prosody.gpg https://prosody.im/files/prosody-debian-packages.key && \
 echo "deb http://packages.prosody.im/debian bullseye main" > /etc/apt/sources.list.d/prosody.list && \
 apt-dpkg-wrap apt-get update && \
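Review bot: Two typos in the new comments of this hunk: `documention` in the first added line should read `documentation`, and `Defaut value is "issuer"` should read `Default value is "issuer"`. The comment above `#MATRIX_UVS_AUTH_TOKEN=changeme` could also say what the value is, since `changeme` reads like a placeholder for something that is presumably a secret shared with the verification service; e.g. `# (optional) Secret the user verification service expects from Prosody; generate a fresh value, only needed if the service has authentication enabled`.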
@@ -47,7 +49,12 @@ RUN wget -qO /etc/apt/trusted.gpg.d/prosody.gpg https://prosody.im/files/prosody
 mv /tmp/pkg/usr/share/jitsi-meet/prosody-plugins /prosody-plugins && \
 apt-cleanup && \
 rm -rf /tmp/pkg /var/cache/apt && \
- patch -d /usr/lib/prosody/modules/muc -p0 < /prosody-plugins/muc_owner_allow_kick.patch
+ patch -d /usr/lib/prosody/modules/muc -p0 < /prosody-plugins/muc_owner_allow_kick.patch && \
+ wget https://github.com/matrix-org/prosody-mod-auth-matrix-user-verification/archive/refs/tags/v$VERSION_MATRIX_USER_VERIFICATION_SERVICE_PLUGIN.tar.gz && \
+ tar -xf v$VERSION_MATRIX_USER_VERIFICATION_SERVICE_PLUGIN.tar.gz && \
+ mv prosody-mod-auth-matrix-user-verification-$VERSION_MATRIX_USER_VERIFICATION_SERVICE_PLUGIN/mod_auth_matrix_user_verification.lua $PROSODY_PLUGINS_FOLDER && \
+ mv prosody-mod-auth-matrix-user-verification-$VERSION_MATRIX_USER_VERIFICATION_SERVICE_PLUGIN/mod_matrix_power_sync.lua $PROSODY_PLUGINS_FOLDER && \
+ rm -rf prosody-mod-auth-matrix-user-verification-$VERSION_MATRIX_USER_VERIFICATION_SERVICE_PLUGIN v$VERSION_MATRIX_USER_VERIFICATION_SERVICE_PLUGIN.tar.gz
 COPY rootfs/ /
diff --git a/prosody/rootfs/defaults/conf.d/jitsi-meet.cfg.lua b/prosody/rootfs/defaults/conf.d/jitsi-meet.cfg.lua
index e8d6873..bb1e570 100644
--- a/prosody/rootfs/defaults/conf.d/jitsi-meet.cfg.lua
+++ b/prosody/rootfs/defaults/conf.d/jitsi-meet.cfg.lua
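Review bot: The plugin archive fetched by the new `wget` line is not integrity-checked before `tar -xf` unpacks it and the two `.lua` files are copied into the image, so the build installs whatever the tag `v$VERSION_MATRIX_USER_VERIFICATION_SERVICE_PLUGIN` resolves to at build time; tags are mutable, so the image is not reproducible from the Dockerfile alone. Pinning the digest next to the version makes that explicit: add `ARG VERSION_MATRIX_USER_VERIFICATION_SERVICE_PLUGIN_SHA256="<sha256 of the release tarball>"` beside the existing ARG and insert `echo "$VERSION_MATRIX_USER_VERIFICATION_SERVICE_PLUGIN_SHA256  v$VERSION_MATRIX_USER_VERIFICATION_SERVICE_PLUGIN.tar.gz" | sha256sum -c - && \` between the `wget` and `tar` lines. The `mv` destinations also rely on `$PROSODY_PLUGINS_FOLDER`, which is not defined anywhere in this hunk; if it is not an ENV or ARG earlier in the Dockerfile the expansion is empty and the `mv` calls either fail the build or land the files somewhere unintended, so either confirm it is set or use the `/prosody-plugins` path the preceding `mv` already populates. The RUN instruction this extends begins outside the hunk.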
@@ -4,6 +4,8 @@
 {{ $JWT_ASAP_KEYSERVER := .Env.JWT_ASAP_KEYSERVER | default "" }}
 {{ $JWT_ALLOW_EMPTY := .Env.JWT_ALLOW_EMPTY | default "0" | toBool }}
 {{ $JWT_AUTH_TYPE := .Env.JWT_AUTH_TYPE | default "token" }}
+{{ $MATRIX_UVS_ISSUER := .Env.MATRIX_UVS_ISSUER | default "issuer" }}
+{{ $MATRIX_UVS_SYNC_POWER_LEVELS := .Env.MATRIX_UVS_SYNC_POWER_LEVELS | default "0" | toBool }}
 {{ $JWT_TOKEN_AUTH_MODULE := .Env.JWT_TOKEN_AUTH_MODULE | default "token_verification" }}
 {{ $ENABLE_LOBBY := .Env.ENABLE_LOBBY | default "true" | toBool }}
 {{ $ENABLE_AV_MODERATION := .Env.ENABLE_AV_MODERATION | default "true" | toBool }}
@@ -85,11 +87,20 @@ VirtualHost "{{ .Env.XMPP_DOMAIN }}"
 {{ if $JWT_ASAP_KEYSERVER }}
 asap_key_server = "{{ .Env.JWT_ASAP_KEYSERVER }}"
 {{ end }}
-
- {{ else if eq $AUTH_TYPE "ldap" }}
+ {{ else if eq $AUTH_TYPE "ldap" }}
 authentication = "cyrus"
 cyrus_application_name = "xmpp"
 allow_unencrypted_plain_auth = true
+ {{ else if eq $AUTH_TYPE "matrix" }}
+ authentication = "matrix_user_verification"
+ app_id = "{{ $MATRIX_UVS_ISSUER }}"
+ uvs_base_url = "{{ .Env.MATRIX_UVS_URL }}"
+ {{ if .Env.MATRIX_UVS_AUTH_TOKEN }}
+ uvs_auth_token = "{{ .Env.MATRIX_UVS_AUTH_TOKEN }}"
+ {{ end }}
+ {{ if $MATRIX_UVS_SYNC_POWER_LEVELS }}
+ uvs_sync_power_levels = true
+ {{ end }}
 {{ else if eq $AUTH_TYPE "internal" }}
 authentication = "internal_hashed"
 {{ end }}
@@ -198,6 +209,9 @@ Component "{{ .Env.XMPP_MUC_DOMAIN }}" "muc"
 {{ end -}}
 {{ if and $ENABLE_AUTH (eq $AUTH_TYPE "jwt") -}}
 "{{ $JWT_TOKEN_AUTH_MODULE }}";
+ {{ end }}
+ {{ if and $ENABLE_AUTH (eq $AUTH_TYPE "matrix") $MATRIX_UVS_SYNC_POWER_LEVELS -}}
+ "matrix_power_sync";
 {{ end -}}
 {{ if not $DISABLE_POLLS -}}
 "polls";
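Review bot: `uvs_base_url = "{{ .Env.MATRIX_UVS_URL }}"` in the new matrix branch is rendered unconditionally, so when `MATRIX_UVS_URL` is unset (env.example leaves it commented out) the VirtualHost gets an empty base URL and the problem only surfaces when the first user tries to authenticate rather than when the config is generated. Giving the variable the same treatment as the JWT settings — `{{ $MATRIX_UVS_URL := .Env.MATRIX_UVS_URL | default "" }}` among the assignments at the top of the file and rendering `uvs_base_url` only inside `{{ if $MATRIX_UVS_URL }}` — would make the requirement explicit; whether an unset `.Env` key renders as empty or errors in this template engine is not visible here, and the existing `| default` usage suggests the defaulted form is the expected pattern. The token and URL are also interpolated into Lua string literals without escaping, so a value containing a double quote would break the generated config; that matches how `asap_key_server` is rendered just above, so it is an existing limitation rather than a regression of this change. The VirtualHost block this branch belongs to starts outside the hunk.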
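Review bot: The added `{{ end }}` that now closes the jwt branch in the last hunk drops the trailing-dash trim the surrounding `{{ end -}}` lines use, so with `AUTH_TYPE=jwt` the rendered `modules_enabled` list gains a stray blank line where the neighbouring branches render none; `{{ end -}}` keeps the output consistent. Listing `matrix_power_sync` only when `$ENABLE_AUTH`, the matrix auth type and `$MATRIX_UVS_SYNC_POWER_LEVELS` all hold mirrors the `uvs_sync_power_levels = true` gate on the VirtualHost, which is the right coupling; a one-line comment above the new condition, `-- matrix_power_sync needs uvs_sync_power_levels on the VirtualHost; both are gated on MATRIX_UVS_SYNC_POWER_LEVELS`, would make that dependency visible to the next editor. The Component block this list belongs to starts outside the hunk.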