From e6dbe65193e794c65bebc0d0e434c7d293603b47 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=D0=94=D0=B0=D0=BC=D1=8F=D0=BD=20=D0=9C=D0=B8=D0=BD=D0=BA?= =?UTF-8?q?=D0=BE=D0=B2?= Date: Fri, 5 Jun 2020 07:57:49 -0500 Subject: [PATCH] Moderated rooms or subdomains (#6959) * fix: Fixes using token with no user context. * feat(moderated): Adds option to add moderated rooms and subdomains. When a user joins such room or subdomain in order to be a moderator needs to provide a valid jwt token for that room. * squash: Renames function. * ref: Removes filtering jicofo setting owners. This will be disabled on jicofo side and will greatly simplify logic. Also check the checks to avoid jwt for main domain to access subdomains and the other way around. * fix: Skips allowners logic for admins. --- react/features/base/jwt/middleware.js | 2 +- .../prosody-plugins/mod_muc_allowners.lua | 63 ++++++++++++++++++- 2 files changed, 63 insertions(+), 2 deletions(-) diff --git a/react/features/base/jwt/middleware.js b/react/features/base/jwt/middleware.js index bcfb0c63f..75c013d71 100644 --- a/react/features/base/jwt/middleware.js +++ b/react/features/base/jwt/middleware.js @@ -141,7 +141,7 @@ function _setJWT(store, next, action) { action.jwt = jwt; action.issuer = iss; if (context) { - const user = _user2participant(context.user); + const user = _user2participant(context.user || {}); action.callee = context.callee; action.group = context.group; diff --git a/resources/prosody-plugins/mod_muc_allowners.lua b/resources/prosody-plugins/mod_muc_allowners.lua index 603ef0c1c..8aa9365d8 100644 --- a/resources/prosody-plugins/mod_muc_allowners.lua +++ b/resources/prosody-plugins/mod_muc_allowners.lua @@ -1,12 +1,71 @@ +local jid = require "util.jid"; +local um_is_admin = require "core.usermanager".is_admin; local is_healthcheck_room = module:require "util".is_healthcheck_room; +local moderated_subdomains; +local moderated_rooms; + +local function load_config() + moderated_subdomains = module:get_option_set("allowners_moderated_subdomains", {}) + moderated_rooms = module:get_option_set("allowners_moderated_rooms", {}) +end +load_config(); + +local function is_admin(jid) + return um_is_admin(jid, module.host); +end + +-- Checks whether the jid is moderated, the room name is in moderated_rooms +-- or if the subdomain is in the moderated_subdomains +-- @return returns on of the: +-- -> false +-- -> true, room_name, subdomain +-- -> true, room_name, nil (if no subdomain is used for the room) +local function is_moderated(room_jid) + local room_node = jid.node(room_jid); + -- parses bare room address, for multidomain expected format is: + -- [subdomain]roomName@conference.domain + local target_subdomain, target_room_name = room_node:match("^%[([^%]]+)%](.+)$"); + + if target_subdomain then + if moderated_subdomains:contains(target_subdomain) then + return true, target_room_name, target_subdomain; + end + elseif moderated_rooms:contains(room_node) then + return true, room_node, nil; + end + + return false; +end + module:hook("muc-occupant-joined", function (event) local room, occupant = event.room, event.occupant; - if is_healthcheck_room(room.jid) then + if is_healthcheck_room(room.jid) or is_admin(occupant.jid) then return; end + local moderated, room_name, subdomain = is_moderated(room.jid); + if moderated then + local session = event.origin; + local token = session.auth_token; + + if not token then + module:log('debug', 'skip allowners for non-auth user subdomain:%s room_name:%s', subdomain, room_name); + return; + end + + if not (room_name == session.jitsi_meet_room) then + module:log('debug', 'skip allowners for auth user and non matching room name: %s, jwt room name: %s', room_name, session.jitsi_meet_room); + return; + end + + if not (subdomain == session.jitsi_meet_context_group) then + module:log('debug', 'skip allowners for auth user and non matching room subdomain: %s, jwt subdomain: %s', subdomain, session.jitsi_meet_context_group); + return; + end + end + room:set_affiliation(true, occupant.bare_jid, "owner"); end, 2); @@ -19,3 +78,5 @@ module:hook("muc-occupant-left", function (event) room:set_affiliation(true, occupant.bare_jid, nil); end, 2); + +module:hook_global('config-reloaded', load_config);