2015-11-02 21:02:50 +00:00
|
|
|
-- Token authentication
|
2022-09-13 12:55:00 +00:00
|
|
|
-- Copyright (C) 2021-present 8x8, Inc.
|
2015-11-02 21:02:50 +00:00
|
|
|
|
|
|
|
local log = module._log;
|
|
|
|
local host = module.host;
|
|
|
|
local st = require "util.stanza";
|
2021-01-05 11:36:07 +00:00
|
|
|
local um_is_admin = require "core.usermanager".is_admin;
|
2015-11-02 21:02:50 +00:00
|
|
|
|
|
|
|
|
2021-01-05 11:36:07 +00:00
|
|
|
local function is_admin(jid)
|
|
|
|
return um_is_admin(jid, host);
|
|
|
|
end
|
|
|
|
|
2015-11-02 21:02:50 +00:00
|
|
|
local parentHostName = string.gmatch(tostring(host), "%w+.(%w.+)")();
|
|
|
|
if parentHostName == nil then
|
|
|
|
log("error", "Failed to start - unable to get parent hostname");
|
|
|
|
return;
|
|
|
|
end
|
|
|
|
|
|
|
|
local parentCtx = module:context(parentHostName);
|
|
|
|
if parentCtx == nil then
|
2015-12-22 18:51:43 +00:00
|
|
|
log("error",
|
|
|
|
"Failed to start - unable to get parent context for host: %s",
|
|
|
|
tostring(parentHostName));
|
2015-11-02 21:02:50 +00:00
|
|
|
return;
|
|
|
|
end
|
|
|
|
|
2017-05-03 21:48:49 +00:00
|
|
|
local token_util = module:require "token/util".new(parentCtx);
|
|
|
|
|
|
|
|
-- no token configuration
|
|
|
|
if token_util == nil then
|
|
|
|
return;
|
|
|
|
end
|
2015-11-02 21:02:50 +00:00
|
|
|
|
2015-12-22 18:51:43 +00:00
|
|
|
log("debug",
|
|
|
|
"%s - starting MUC token verifier app_id: %s app_secret: %s allow empty: %s",
|
2017-05-03 21:48:49 +00:00
|
|
|
tostring(host), tostring(token_util.appId), tostring(token_util.appSecret),
|
|
|
|
tostring(token_util.allowEmptyToken));
|
2015-11-02 21:02:50 +00:00
|
|
|
|
2020-06-19 19:50:31 +00:00
|
|
|
-- option to disable room modification (sending muc config form) for guest that do not provide token
|
|
|
|
local require_token_for_moderation;
|
|
|
|
local function load_config()
|
|
|
|
require_token_for_moderation = module:get_option_boolean("token_verification_require_token_for_moderation");
|
|
|
|
end
|
|
|
|
load_config();
|
|
|
|
|
2020-09-10 15:07:30 +00:00
|
|
|
-- verify user and whether he is allowed to join a room based on the token information
|
2015-12-22 18:51:43 +00:00
|
|
|
local function verify_user(session, stanza)
|
|
|
|
log("debug", "Session token: %s, session room: %s",
|
|
|
|
tostring(session.auth_token),
|
|
|
|
tostring(session.jitsi_meet_room));
|
2015-11-18 18:49:36 +00:00
|
|
|
|
2015-11-02 21:02:50 +00:00
|
|
|
-- token not required for admin users
|
2015-12-22 18:51:43 +00:00
|
|
|
local user_jid = stanza.attr.from;
|
2015-11-02 21:02:50 +00:00
|
|
|
if is_admin(user_jid) then
|
|
|
|
log("debug", "Token not required from admin user: %s", user_jid);
|
2020-09-10 15:07:30 +00:00
|
|
|
return true;
|
2015-11-02 21:02:50 +00:00
|
|
|
end
|
2015-11-18 18:49:36 +00:00
|
|
|
|
2017-05-03 21:48:49 +00:00
|
|
|
log("debug",
|
|
|
|
"Will verify token for user: %s, room: %s ", user_jid, stanza.attr.to);
|
|
|
|
if not token_util:verify_room(session, stanza.attr.to) then
|
|
|
|
log("error", "Token %s not allowed to join: %s",
|
2017-06-20 18:48:47 +00:00
|
|
|
tostring(session.auth_token), tostring(stanza.attr.to));
|
2017-05-03 21:48:49 +00:00
|
|
|
session.send(
|
|
|
|
st.error_reply(
|
|
|
|
stanza, "cancel", "not-allowed", "Room and token mismatched"));
|
|
|
|
return false; -- we need to just return non nil
|
|
|
|
end
|
|
|
|
log("debug",
|
|
|
|
"allowed: %s to enter/create room: %s", user_jid, stanza.attr.to);
|
2020-09-10 15:07:30 +00:00
|
|
|
return true;
|
2015-11-02 21:02:50 +00:00
|
|
|
end
|
|
|
|
|
2015-12-22 18:51:43 +00:00
|
|
|
module:hook("muc-room-pre-create", function(event)
|
|
|
|
local origin, stanza = event.origin, event.stanza;
|
|
|
|
log("debug", "pre create: %s %s", tostring(origin), tostring(stanza));
|
2020-09-10 15:07:30 +00:00
|
|
|
if not verify_user(origin, stanza) then
|
|
|
|
return true; -- Returning any value other than nil will halt processing of the event
|
|
|
|
end
|
2022-03-10 20:28:58 +00:00
|
|
|
end, 99);
|
2015-12-22 18:51:43 +00:00
|
|
|
|
|
|
|
module:hook("muc-occupant-pre-join", function(event)
|
|
|
|
local origin, room, stanza = event.origin, event.room, event.stanza;
|
|
|
|
log("debug", "pre join: %s %s", tostring(room), tostring(stanza));
|
2020-09-10 15:07:30 +00:00
|
|
|
if not verify_user(origin, stanza) then
|
|
|
|
return true; -- Returning any value other than nil will halt processing of the event
|
|
|
|
end
|
2022-03-10 20:28:58 +00:00
|
|
|
end, 99);
|
2020-06-19 19:50:31 +00:00
|
|
|
|
|
|
|
for event_name, method in pairs {
|
|
|
|
-- Normal room interactions
|
|
|
|
["iq-set/bare/http://jabber.org/protocol/muc#owner:query"] = "handle_owner_query_set_to_room" ;
|
|
|
|
-- Host room
|
|
|
|
["iq-set/host/http://jabber.org/protocol/muc#owner:query"] = "handle_owner_query_set_to_room" ;
|
|
|
|
} do
|
|
|
|
module:hook(event_name, function (event)
|
|
|
|
local session, stanza = event.origin, event.stanza;
|
|
|
|
|
|
|
|
-- if we do not require token we pass it through(default behaviour)
|
|
|
|
-- or the request is coming from admin (focus)
|
|
|
|
if not require_token_for_moderation or is_admin(stanza.attr.from) then
|
|
|
|
return;
|
|
|
|
end
|
|
|
|
|
2020-06-30 13:15:08 +00:00
|
|
|
-- jitsi_meet_room is set after the token had been verified
|
|
|
|
if not session.auth_token or not session.jitsi_meet_room then
|
2020-06-19 19:50:31 +00:00
|
|
|
session.send(
|
|
|
|
st.error_reply(
|
|
|
|
stanza, "cancel", "not-allowed", "Room modification disabled for guests"));
|
|
|
|
return true;
|
|
|
|
end
|
|
|
|
|
|
|
|
end, -1); -- the default prosody hook is on -2
|
|
|
|
end
|
|
|
|
|
|
|
|
module:hook_global('config-reloaded', load_config);
|