Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
token_security_ondemand, feat: initialize
- Loading branch information
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,96 @@ | ||
| --- Plugin to dynamically enable security features when required by token. | ||
| --- | ||
| --- This module should be added to the main muc component. | ||
| --- | ||
|
|
||
| local LOGLEVEL = "debug"; | ||
|
|
||
| local muc_util = module:require "muc/util"; | ||
| local is_healthcheck_room = module:require "util".is_healthcheck_room; | ||
|
|
||
|
|
||
| module:hook("muc-occupant-joined", function (event) | ||
| local room = event.room; | ||
|
|
||
| if is_healthcheck_room(room.jid) then | ||
| return; | ||
| end | ||
|
|
||
| if not event.origin.auth_token then | ||
| module:log(LOGLEVEL, | ||
| "skip security on demand, no token"); | ||
| return; | ||
| end | ||
|
|
||
| local context_room = event.origin.jitsi_meet_context_room; | ||
|
|
||
| if context_room then | ||
| local lobby_enabled = (room._data.lobbyroom ~= nil); | ||
|
|
||
| -- create lobby if requested | ||
| if context_room["lobby"] == true and not lobby_enabled then | ||
| prosody.events.fire_event("create-persistent-lobby-room", { | ||
| room = room, | ||
| skip_display_name_check = true, | ||
| }); | ||
| end | ||
|
|
||
| -- destroy lobby if requested | ||
| if context_room["lobby"] == false and lobby_enabled then | ||
| room:set_members_only(false); | ||
| prosody.events.fire_event('destroy-lobby-room', { | ||
| room = room, | ||
| newjid = room.jid, | ||
| }); | ||
| end | ||
|
|
||
| -- update password if set | ||
| if type(context_room["password"]) == "string" then | ||
| room:set_password(context_room["password"]); | ||
| end | ||
| end | ||
| end); | ||
|
|
||
|
|
||
| module:hook("muc-occupant-pre-join", function (event) | ||
| local room, occupant, stanza = event.room, event.occupant, event.stanza; | ||
| local MUC_NS = "http://jabber.org/protocol/muc"; | ||
|
|
||
| if is_healthcheck_room(room.jid) then | ||
| return; | ||
| end | ||
|
|
||
| if not event.origin.auth_token then | ||
| module:log(LOGLEVEL, "skip the security bypass, no token"); | ||
| return; | ||
| end | ||
|
|
||
| local context_user = event.origin.jitsi_meet_context_user; | ||
|
|
||
| -- bypass security if allowed | ||
| if context_user and context_user["security_bypass"] == true then | ||
| module:log(LOGLEVEL, "Bypassing security for room %s occupant %s", | ||
| room.jid, occupant.bare_jid); | ||
|
|
||
| -- bypass password if exists | ||
| local room_password = room:get_password(); | ||
| if room_password then | ||
| local join = stanza:get_child("x", MUC_NS); | ||
|
|
||
| if not join then | ||
| join = stanza:tag("x", { xmlns = MUC_NS }); | ||
| end | ||
|
|
||
| join:tag("password", { xmlns = MUC_NS }):text(room_password); | ||
| end | ||
|
|
||
| -- bypass lobby if exists | ||
| local affiliation = room:get_affiliation(occupant.bare_jid); | ||
| if not affiliation or affiliation == 0 then | ||
| occupant.role = 'participant'; | ||
| room:set_affiliation(true, occupant.bare_jid, 'member'); | ||
| end | ||
| end | ||
| end, -2); | ||
| --- Run just before lobby_bypass (priority -3), lobby(-4) and members_only (-5). | ||
| --- Must run after token_verification (99), max_occupants (10), allowners (2). | ||
