Moderated rooms or subdomains (#6959)

* fix: Fixes using token with no user context.

* feat(moderated): Adds option to add moderated rooms and subdomains.

When a user joins such room or subdomain in order to be a moderator needs to provide a valid jwt token for that room.

* squash: Renames function.

* ref: Removes filtering jicofo setting owners.

This will be disabled on jicofo side and will greatly simplify logic.
Also check the checks to avoid jwt for main domain to access subdomains and the other way around.

* fix: Skips allowners logic for admins.
This commit is contained in:
Дамян Минков 2020-06-05 07:57:49 -05:00 committed by GitHub
parent ff23f81dfe
commit e6dbe65193
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 63 additions and 2 deletions

View File

@ -141,7 +141,7 @@ function _setJWT(store, next, action) {
action.jwt = jwt;
action.issuer = iss;
if (context) {
const user = _user2participant(context.user);
const user = _user2participant(context.user || {});
action.callee = context.callee;
action.group = context.group;

View File

@ -1,12 +1,71 @@
local jid = require "util.jid";
local um_is_admin = require "core.usermanager".is_admin;
local is_healthcheck_room = module:require "util".is_healthcheck_room;
local moderated_subdomains;
local moderated_rooms;
local function load_config()
moderated_subdomains = module:get_option_set("allowners_moderated_subdomains", {})
moderated_rooms = module:get_option_set("allowners_moderated_rooms", {})
end
load_config();
local function is_admin(jid)
return um_is_admin(jid, module.host);
end
-- Checks whether the jid is moderated, the room name is in moderated_rooms
-- or if the subdomain is in the moderated_subdomains
-- @return returns on of the:
-- -> false
-- -> true, room_name, subdomain
-- -> true, room_name, nil (if no subdomain is used for the room)
local function is_moderated(room_jid)
local room_node = jid.node(room_jid);
-- parses bare room address, for multidomain expected format is:
-- [subdomain]roomName@conference.domain
local target_subdomain, target_room_name = room_node:match("^%[([^%]]+)%](.+)$");
if target_subdomain then
if moderated_subdomains:contains(target_subdomain) then
return true, target_room_name, target_subdomain;
end
elseif moderated_rooms:contains(room_node) then
return true, room_node, nil;
end
return false;
end
module:hook("muc-occupant-joined", function (event)
local room, occupant = event.room, event.occupant;
if is_healthcheck_room(room.jid) then
if is_healthcheck_room(room.jid) or is_admin(occupant.jid) then
return;
end
local moderated, room_name, subdomain = is_moderated(room.jid);
if moderated then
local session = event.origin;
local token = session.auth_token;
if not token then
module:log('debug', 'skip allowners for non-auth user subdomain:%s room_name:%s', subdomain, room_name);
return;
end
if not (room_name == session.jitsi_meet_room) then
module:log('debug', 'skip allowners for auth user and non matching room name: %s, jwt room name: %s', room_name, session.jitsi_meet_room);
return;
end
if not (subdomain == session.jitsi_meet_context_group) then
module:log('debug', 'skip allowners for auth user and non matching room subdomain: %s, jwt subdomain: %s', subdomain, session.jitsi_meet_context_group);
return;
end
end
room:set_affiliation(true, occupant.bare_jid, "owner");
end, 2);
@ -19,3 +78,5 @@ module:hook("muc-occupant-left", function (event)
room:set_affiliation(true, occupant.bare_jid, nil);
end, 2);
module:hook_global('config-reloaded', load_config);