From ee90a92d436959350cc98ff42b9c6ca3bc7fd3c8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sa=C3=BAl=20Ibarra=20Corretg=C3=A9?=
Date: Wed, 17 Oct 2018 23:02:10 +0200
Subject: [PATCH] xmpp: add support for authentication

---
 README.md | 23 +++++++++++++
 docker-compose.yml | 7 ++++
 env.example | 19 +++++++++--
 .../defaults/sip-communicator.properties | 3 ++
 jigasi.yml | 1 +
 .../defaults/sip-communicator.properties | 6 ++++
 .../rootfs/defaults/conf.d/jitsi-meet.cfg.lua | 32 ++++++++++++-------
 web/rootfs/etc/cont-init.d/10-config | 12 +++++++
 8 files changed, 89 insertions(+), 14 deletions(-)

diff --git a/README.md b/README.md
index d4542b9..bdd5799 100644
--- a/README.md
+++ b/README.md
@@ -91,6 +91,8 @@ Variable | Description | Example
 `HTTPS_PORT` | Exposed port for HTTPS traffic | 8443
 `DOCKER_HOST_ADDRESS` | IP addrss of the Docker host, needed for LAN environments | 192.168.1.1
 
+### SIP gateway configuration
+
 If you want to enable the SIP gateway, these options are required:
 
 Variable | Description | Example
@@ -99,6 +101,27 @@ Variable | Description | Example
 `JIGASI_SIP_PASSWORD` | Password for the specified SIP account | passw0rd
 `JIGASI_SIP_SERVER` | SIP server (use the SIP account domain if in doubt) | sip2sip.info
 
+### Authentication
+
+Authentication can be controlled with the environment variables below. If guest
+access is enabled, unauthenticated users will need to wait until a user authenticates
+before they can join a room. If guest access is not enabled, every user will need
+to authenticate before they can join.
+
+Variable | Description | Example
+--- | --- | ---
+`ENABLE_AUTH` | Enable authentication | 1
+`ENABLE_GUESTS` | Enable guest access | 1
+
+Users must be created with the ``prosodyctl`` utility in the ``prosody`` container.
+In order to do that, first execute a shell in the corresponding container:
+
+``docker-compose exec prosody /bin/bash``
+
+Once in the container, run the following command to create a user:
+
+``prosodyctl --config /config/prosody.cfg.lua register user meet.jitsi password``
+
 ### Advanced configuration
 
 These configuration options are already set and generally don't need to be changed.
diff --git a/docker-compose.yml b/docker-compose.yml
index 76ee055..2577cb1 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -10,10 +10,13 @@ services:
 volumes:
 - ${CONFIG}/meet:/config
 environment:
+ - ENABLE_AUTH
+ - ENABLE_GUESTS
 - JICOFO_AUTH_USER
 - XMPP_DOMAIN
 - XMPP_AUTH_DOMAIN
 - XMPP_BOSH_URL_BASE=http://xmpp.meet.jitsi:5280
+ - XMPP_GUEST_DOMAIN
 - XMPP_MUC_DOMAIN
 - TZ
 networks:
@@ -29,8 +32,11 @@ services:
 volumes:
 - ${CONFIG}/prosody:/config
 environment:
+ - ENABLE_AUTH
+ - ENABLE_GUESTS
 - XMPP_DOMAIN
 - XMPP_AUTH_DOMAIN
+ - XMPP_GUEST_DOMAIN
 - XMPP_MUC_DOMAIN
 - XMPP_INTERNAL_MUC_DOMAIN
 - JICOFO_COMPONENT_SECRET
@@ -52,6 +58,7 @@ services:
 volumes:
 - ${CONFIG}/jicofo:/config
 environment:
+ - ENABLE_AUTH
 - XMPP_DOMAIN
 - XMPP_AUTH_DOMAIN
 - XMPP_INTERNAL_MUC_DOMAIN
diff --git a/env.example b/env.example index 903a5bf..d9d1c8f 100644 --- a/env.example +++ b/env.example @@ -23,16 +23,26 @@ TZ=Europe/Amsterdam # Basic Jigasi configuration options (needed for SIP gateway support) # -# SIP URI for incoming / outgoing calls +# SIP URI for incoming / outgoing calls. #JIGASI_SIP_URI=test@sip2sip.info -# Password for the specified SIP account +# Password for the specified SIP account. #JIGASI_SIP_PASSWORD=passw0rd -# SIP server (use the SIP account domain if in doubt) +# SIP server (use the SIP account domain if in doubt). #JIGASI_SIP_SERVER=sip2sip.info +# +# Authentication configuration (see README for details) +# + +# Enable authentication. +#ENABLE_AUTH=1 + +# Enable guest access. +#ENABLE_GUESTS=1 + # # Advanced configuration options (you generally don't need to change these) # @@ -49,6 +59,9 @@ XMPP_MUC_DOMAIN=muc.meet.jitsi # XMPP domain for the internal MUC used for jibri, jigasi and jvb pools. XMPP_INTERNAL_MUC_DOMAIN=internal-muc.meet.jitsi +# XMPP domain for unauthenticated users. +XMPP_GUEST_DOMAIN=guest.meet.jitsi + # MUC for the JVB pool. JVB_BREWERY_MUC=jvbbrewery diff --git a/jicofo/rootfs/defaults/sip-communicator.properties b/jicofo/rootfs/defaults/sip-communicator.properties index 045f462..01a9b37 100644 --- a/jicofo/rootfs/defaults/sip-communicator.properties +++ b/jicofo/rootfs/defaults/sip-communicator.properties @@ -2,3 +2,6 @@ org.jitsi.jicofo.ALWAYS_TRUST_MODE_ENABLED=true org.jitsi.jicofo.BRIDGE_MUC={{ .Env.JVB_BREWERY_MUC }}@{{ .Env.XMPP_INTERNAL_MUC_DOMAIN }} org.jitsi.jicofo.jigasi.BREWERY={{ .Env.JIGASI_BREWERY_MUC}}@{{ .Env.XMPP_INTERNAL_MUC_DOMAIN }} +{{ if .Env.ENABLE_AUTH }} +org.jitsi.jicofo.auth.URL=XMPP:{{ .Env.XMPP_DOMAIN }} +{{ end }} diff --git a/jigasi.yml b/jigasi.yml index 2fb9aa1..4f72903 100644 --- a/jigasi.yml +++ b/jigasi.yml 
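Review bot: `{{ if .Env.ENABLE_AUTH }}` on the new jicofo line is true for any non-empty value, including `ENABLE_AUTH=0`, whereas `web/rootfs/etc/cont-init.d/10-config` gates the same feature with `[[ $ENABLE_AUTH -eq 1 ]]`; the same truthiness test is used in jigasi's sip-communicator.properties and in prosody's jitsi-meet.cfg.lua in this patch. With `ENABLE_AUTH=0` prosody would switch to `internal_plain` and jicofo would set `auth.URL=XMPP:…` while the web config stays anonymous, so no client could join. If `.Env` is a string map, as the `.Env.X` lookups suggest, `{{ if eq .Env.ENABLE_AUTH "1" }}` here and in jigasi, and `{{ if and (eq .Env.ENABLE_AUTH "1") (eq .Env.ENABLE_GUESTS "1") }}` for the prosody guest host, would match both the shell check and the value `1` the README documents.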
@@ -9,6 +9,7 @@ services: volumes: - ${CONFIG}/jigasi:/config environment: + - ENABLE_AUTH - XMPP_AUTH_DOMAIN - XMPP_INTERNAL_MUC_DOMAIN - XMPP_SERVER=xmpp.meet.jitsi diff --git a/jigasi/rootfs/defaults/sip-communicator.properties b/jigasi/rootfs/defaults/sip-communicator.properties index d557e4f..1f04d8d 100644 --- a/jigasi/rootfs/defaults/sip-communicator.properties +++ b/jigasi/rootfs/defaults/sip-communicator.properties @@ -86,6 +86,12 @@ org.jitsi.jigasi.BREWERY_ENABLED=true org.jitsi.jigasi.xmpp.acc.IS_SERVER_OVERRIDDEN=true org.jitsi.jigasi.xmpp.acc.SERVER_ADDRESS={{ .Env.XMPP_SERVER }} +{{ if .Env.ENABLE_AUTH }} +org.jitsi.jigasi.xmpp.acc.USER_ID={{ .Env.JIGASI_XMPP_USER }}@{{ .Env.XMPP_AUTH_DOMAIN }} +org.jitsi.jigasi.xmpp.acc.PASS={{ .Env.JIGASI_XMPP_PASSWORD }} +org.jitsi.jigasi.xmpp.acc.ANONYMOUS_AUTH=false +org.jitsi.jigasi.xmpp.acc.ALLOW_NON_SECURE=true +{{ end }} # Activate this property if you are using self-signed certificates or other # type of non-trusted certicates. In this mode your service trust in the diff --git a/prosody/rootfs/defaults/conf.d/jitsi-meet.cfg.lua b/prosody/rootfs/defaults/conf.d/jitsi-meet.cfg.lua index d508e63..ddb72cf 100644 --- a/prosody/rootfs/defaults/conf.d/jitsi-meet.cfg.lua +++ b/prosody/rootfs/defaults/conf.d/jitsi-meet.cfg.lua 
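Review bot: The new block reads `JIGASI_XMPP_USER` and `JIGASI_XMPP_PASSWORD`, but this patch adds neither to `jigasi.yml`'s environment list (that hunk adds only `ENABLE_AUTH`), to env.example, nor to the README; unless they are already passed elsewhere in jigasi.yml, `USER_ID` renders as just `@<XMPP_AUTH_DOMAIN>` and `PASS` as empty or a placeholder, and the account must also be registered on `XMPP_AUTH_DOMAIN`, which the README's `prosodyctl register … meet.jitsi` example does not cover. `ALLOW_NON_SECURE=true` additionally lets this now password-bearing account authenticate over a non-TLS connection to `XMPP_SERVER`; that matches `c2s_require_encryption = false` in the prosody config, but the trade-off deserves a comment next to it, e.g. `# The XMPP password is sent over this connection; ALLOW_NON_SECURE=true is only acceptable while the XMPP server is reachable solely on the internal Docker network.`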
@@ -1,18 +1,28 @@ admins = { "{{ .Env.JICOFO_AUTH_USER }}@{{ .Env.XMPP_AUTH_DOMAIN }}" } VirtualHost "{{ .Env.XMPP_DOMAIN }}" - authentication = "anonymous" - ssl = { - key = "/config/certs/{{ .Env.XMPP_DOMAIN }}.key"; - certificate = "/config/certs/{{ .Env.XMPP_DOMAIN }}.crt"; - } - modules_enabled = { - "bosh"; - "pubsub"; - "ping"; - } + {{ if .Env.ENABLE_AUTH }} + authentication = "internal_plain" + {{ else }} + authentication = "anonymous" + {{ end }} + ssl = { + key = "/config/certs/{{ .Env.XMPP_DOMAIN }}.key"; + certificate = "/config/certs/{{ .Env.XMPP_DOMAIN }}.crt"; + } + modules_enabled = { + "bosh"; + "pubsub"; + "ping"; + } - c2s_require_encryption = false + c2s_require_encryption = false + +{{ if and .Env.ENABLE_AUTH .Env.ENABLE_GUESTS }} +VirtualHost "{{ .Env.XMPP_GUEST_DOMAIN }}" + authentication = "anonymous" + c2s_require_encryption = false +{{ end }} VirtualHost "{{ .Env.XMPP_AUTH_DOMAIN }}" ssl = { diff --git a/web/rootfs/etc/cont-init.d/10-config b/web/rootfs/etc/cont-init.d/10-config index b1a5bb3..cb4cb1b 100644 --- a/web/rootfs/etc/cont-init.d/10-config +++ b/web/rootfs/etc/cont-init.d/10-config @@ -24,6 +24,18 @@ if [[ ! -f /config/config.js ]]; then -e "s#muc:.*#muc: '${XMPP_MUC_DOMAIN}',#" \ -e "s#// focusUserJid:.*#focusUserJid: '${JICOFO_AUTH_USER}@${XMPP_AUTH_DOMAIN}',#" \ /config/config.js + + if [[ $ENABLE_AUTH -eq 1 ]]; then + if [[ $ENABLE_GUESTS -eq 1 ]]; then + sed -i \ + -e "s#// anonymousdomain:.*#anonymousdomain: '${XMPP_GUEST_DOMAIN}',#" \ + /config/config.js + fi + + sed -i \ + -e "s#// authdomain:.*#authdomain: '${XMPP_DOMAIN}',#" \ + /config/config.js + fi fi if [[ ! -f /config/interface_config.js ]]; then
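Review bot: `authentication = "internal_plain"` stores every account password in clear text in prosody's data directory; Prosody's `internal_hashed` provider works with the same `prosodyctl register` flow the README documents and stores salted hashes instead, so `authentication = "internal_hashed"` is the safer choice on the authenticated `XMPP_DOMAIN` host. That host also keeps `c2s_require_encryption = false`, and docker-compose points the web container at `http://xmpp.meet.jitsi:5280` for BOSH, so user passwords cross the container network unencrypted; a one-line comment such as `-- Plain c2s/BOSH is tolerated only because port 5280 stays on the internal Docker network` would warn operators who publish that port. The `XMPP_AUTH_DOMAIN` VirtualHost that follows continues past the end of the hunk.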
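Review bot: The new `if [[ $ENABLE_AUTH -eq 1 ]]` block is nested inside `if [[ ! -f /config/config.js ]]`, whose opening line lies outside the hunk, so `authdomain` and `anonymousdomain` are written only when config.js is first generated; changing `ENABLE_AUTH` or `ENABLE_GUESTS` on an existing deployment leaves the web config untouched while the other containers' templated files do read the variables. A comment above the new block, e.g. `# Applied only on first start; remove /config/config.js to regenerate it with new auth settings`, would make that visible to operators. The sed expressions interpolate `${XMPP_DOMAIN}` and `${XMPP_GUEST_DOMAIN}` unescaped; that is fine for hostnames but any value containing `#`, `&` or a newline would corrupt config.js, which is worth a short note since the same pattern is used for the lines above.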