Introducing JWT auth, disable unused config, drop prosody <11 checks

This commit is contained in:
Luis Guzmán 2020-12-11 16:06:15 -06:00
parent c8f9ec0dc4
commit 0e8065b036
1 changed files with 69 additions and 55 deletions

View File

@ -488,18 +488,43 @@ done
# echo "Local audio recording option will be enabled" # echo "Local audio recording option will be enabled"
#fi #fi
#done #done
#Secure room initial user #Secure room initial user
while [[ "$ENABLE_SC" != "yes" && "$ENABLE_SC" != "no" ]] #while [[ "$ENABLE_SC" != "yes" && "$ENABLE_SC" != "no" ]]
#do
#read -p "> Do you want to enable secure rooms?: (yes or no)"$'\n' -r ENABLE_SC
#if [ "$ENABLE_SC" = "no" ]; then
# echo "-- Secure rooms won't be enabled."
#elif [ "$ENABLE_SC" = "yes" ]; then
# echo "-- Secure rooms will be enabled."
# read -p "Set username for secure room moderator: "$'\n' -r SEC_ROOM_USER
# read -p "Secure room moderator password: "$'\n' -r SEC_ROOM_PASS
#fi
#done
PS3='Select the authentication method for your Jitsi Meet instance: '
options=("Local" "JWT" "None")
select opt in "${options[@]}"
do do
read -p "> Do you want to enable secure rooms?: (yes or no)"$'\n' -r ENABLE_SC case $opt in
if [ "$ENABLE_SC" = "no" ]; then "Local")
echo "-- Secure rooms won't be enabled." echo -e "\n > Users are created manually using prosodyctl, only moderators can open a room or launch recording."
elif [ "$ENABLE_SC" = "yes" ]; then ENABLE_SC="yes"
echo "-- Secure rooms will be enabled." break
read -p "Set username for secure room moderator: "$'\n' -r SEC_ROOM_USER ;;
read -p "Secure room moderator password: "$'\n' -r SEC_ROOM_PASS "JWT")
fi echo -e "\n > A external app manage the token usage/creation, like RocketChat does."
ENABLE_JWT="yes"
break
;;
"None")
echo -e "\n > Everyone can access the room as moderators as there is no auth mechanism."
break
;;
*) echo "Invalid option $REPLY, choose 1, 2 or 3";;
esac
done done
#Jibri Records Access (JRA) via Nextcloud #Jibri Records Access (JRA) via Nextcloud
while [[ "$ENABLE_NC_ACCESS" != "yes" && "$ENABLE_NC_ACCESS" != "no" ]] while [[ "$ENABLE_NC_ACCESS" != "yes" && "$ENABLE_NC_ACCESS" != "no" ]]
do do
@ -627,20 +652,8 @@ restart_services() {
sed -i "/shard.HOSTNAME/s|localhost|$DOMAIN|" /etc/jitsi/videobridge/sip-communicator.properties sed -i "/shard.HOSTNAME/s|localhost|$DOMAIN|" /etc/jitsi/videobridge/sip-communicator.properties
# Configure Jibri # Configure Jibri
if [ "$ENABLE_SC" = "yes" ]; then
## PROSODY ## PROSODY
if dpkg-compare prosody lt 0.11.0 ; then
cat << MUC-JIBRI >> $PROSODY_FILE
-- internal muc component, meant to enable pools of jibri and jigasi clients
Component "internal.auth.$DOMAIN" "muc"
modules_enabled = {
"ping";
}
storage = "null"
muc_room_cache_size = 1000
MUC-JIBRI
fi
cat << REC-JIBRI >> $PROSODY_FILE cat << REC-JIBRI >> $PROSODY_FILE
VirtualHost "recorder.$DOMAIN" VirtualHost "recorder.$DOMAIN"
@ -650,16 +663,25 @@ VirtualHost "recorder.$DOMAIN"
authentication = "internal_plain" authentication = "internal_plain"
REC-JIBRI REC-JIBRI
if [ ! -f $MOD_LIST_FILE ]; then
echo -e "\n-> Adding external module to list prosody users...\n"
curl -s $MOD_LISTU > $MOD_LIST_FILE
echo -e "Now you can check registered users with:\nprosodyctl mod_listusers\n"
else
echo -e "Prosody support for listing users seems to be enabled. \ncheck with: prosodyctl mod_listusers\n"
fi
fi
#Enable Jibri withelist #Enable Jibri withelist
sed -i "s| -- muc_lobby_whitelist| muc_lobby_whitelist|" $PROSODY_FILE sed -i "s| -- muc_lobby_whitelist| muc_lobby_whitelist|" $PROSODY_FILE
#Fix Jibri conectivity issues #Fix Jibri conectivity issues
#if dpkg-compare prosody lt 0.11.0 ; then
sed -i "s|c2s_require_encryption = .*|c2s_require_encryption = false|" $PROSODY_SYS sed -i "s|c2s_require_encryption = .*|c2s_require_encryption = false|" $PROSODY_SYS
sed -i "/c2s_require_encryption = false/a \\ sed -i "/c2s_require_encryption = false/a \\
\\ \\
consider_bosh_secure = true" $PROSODY_SYS consider_bosh_secure = true" $PROSODY_SYS
#fi
if [ ! -z $L10N_PARTICIPANT ]; then if [ ! -z $L10N_PARTICIPANT ]; then
sed -i "s|PART_USER=.*|PART_USER=\"$L10N_PARTICIPANT\"|" jm-bm.sh sed -i "s|PART_USER=.*|PART_USER=\"$L10N_PARTICIPANT\"|" jm-bm.sh
@ -667,15 +689,7 @@ fi
if [ ! -z $L10N_ME ]; then if [ ! -z $L10N_ME ]; then
sed -i "s|LOCAL_USER=.*|LOCAL_USER=\"$L10N_ME\"|" jm-bm.sh sed -i "s|LOCAL_USER=.*|LOCAL_USER=\"$L10N_ME\"|" jm-bm.sh
fi fi
if [ ! -f $MOD_LIST_FILE ]; then
echo -e "\n-> Adding external module to list prosody users...\n"
curl -s $MOD_LISTU > $MOD_LIST_FILE
echo -e "Now you can check registered users with:\nprosodyctl mod_listusers\n"
else
echo -e "Prosody support for listing users seems to be enabled.
check with: prosodyctl mod_listusers\n"
fi
### Prosody users ### Prosody users
prosodyctl register jibri auth.$DOMAIN $JB_AUTH_PASS prosodyctl register jibri auth.$DOMAIN $JB_AUTH_PASS
@ -698,13 +712,13 @@ sed -i "s|// liveStreamingEnabled: false,|liveStreamingEnabled: true,\\
hiddenDomain: \'recorder.$DOMAIN\',|" $MEET_CONF hiddenDomain: \'recorder.$DOMAIN\',|" $MEET_CONF
#Dropbox feature #Dropbox feature
if [ "$ENABLE_DB" = "yes" ]; then #if [ "$ENABLE_DB" = "yes" ]; then
DB_STR=$(grep -n "dropbox:" $MEET_CONF | cut -d ":" -f1) #DB_STR=$(grep -n "dropbox:" $MEET_CONF | cut -d ":" -f1)
DB_END=$((DB_STR + 10)) #DB_END=$((DB_STR + 10))
sed -i "$DB_STR,$DB_END{s|// dropbox: {|dropbox: {|}" $MEET_CONF #sed -i "$DB_STR,$DB_END{s|// dropbox: {|dropbox: {|}" $MEET_CONF
sed -i "$DB_STR,$DB_END{s|// appKey: '<APP_KEY>'|appKey: \'$DB_CID\'|}" $MEET_CONF #sed -i "$DB_STR,$DB_END{s|// appKey: '<APP_KEY>'|appKey: \'$DB_CID\'|}" $MEET_CONF
sed -i "$DB_STR,$DB_END{s|// },|},|}" $MEET_CONF #sed -i "$DB_STR,$DB_END{s|// },|},|}" $MEET_CONF
fi #fi
#LocalRecording #LocalRecording
if [ "$ENABLE_LAR" = "yes" ]; then if [ "$ENABLE_LAR" = "yes" ]; then
@ -948,16 +962,28 @@ sed -i "s|'videobackgroundblur', ||" $INT_CONF
#================== Setup prosody conf file ================= #================== Setup prosody conf file =================
#===Setup secure rooms ===# ###Setup secure rooms
if [ "$ENABLE_SC" = "yes" ]; then if [ "$ENABLE_SC" = "yes" ]; then
SRP_STR=$(grep -n "VirtualHost \"$DOMAIN\"" $PROSODY_FILE | head -n1 | cut -d ":" -f1) SRP_STR=$(grep -n "VirtualHost \"$DOMAIN\"" $PROSODY_FILE | head -n1 | cut -d ":" -f1)
SRP_END=$((SRP_STR + 10)) SRP_END=$((SRP_STR + 10))
sed -i "$SRP_STR,$SRP_END{s|authentication = \"anonymous\"|authentication = \"internal_plain\"|}" $PROSODY_FILE sed -i "$SRP_STR,$SRP_END{s|authentication = \"anonymous\"|authentication = \"internal_plain\"|}" $PROSODY_FILE
sed -i "s|// anonymousdomain: 'guest.example.com'|anonymousdomain: \'guest.$DOMAIN\'|" $MEET_CONF sed -i "s|// anonymousdomain: 'guest.example.com'|anonymousdomain: \'guest.$DOMAIN\'|" $MEET_CONF
echo -e "\nSecure rooms are being enabled..."
echo "You'll be able to login Secure Room chat with '${SEC_ROOM_USER}' \
or '${SEC_ROOM_USER}@${DOMAIN}' using the password you just entered.
If you have issues with the password refer to your sysadmin."
sed -i "s|#org.jitsi.jicofo.auth.URL=XMPP:|org.jitsi.jicofo.auth.URL=XMPP:|" $JICOFO_SIP
#Secure room initial user
prosodyctl register $SEC_ROOM_USER $DOMAIN $SEC_ROOM_PASS
sed -i "s|SEC_ROOM=.*|SEC_ROOM=\"on\"|" jm-bm.sh
fi fi
###JWT
if [ "$ENABLE_JWT" = "yes" ]; then if [ "$ENABLE_JWT" = "yes" ]; then
## focal openssl echo -e "\nJWT auth are being setup..."
## Focal Openssl
if [ "$(lsb_release -sc)" = "focal" ]; then if [ "$(lsb_release -sc)" = "focal" ]; then
echo "deb http://ppa.launchpad.net/rael-gc/rvm/ubuntu focal main" | \ echo "deb http://ppa.launchpad.net/rael-gc/rvm/ubuntu focal main" | \
sudo tee /etc/apt/sources.list.d/rvm.list sudo tee /etc/apt/sources.list.d/rvm.list
@ -965,7 +991,7 @@ if [ "$ENABLE_JWT" = "yes" ]; then
apt-get update apt-get update
fi fi
###JWT
apt-get -y install \ apt-get -y install \
lua5.2 \ lua5.2 \
liblua5.2 \ liblua5.2 \
@ -989,8 +1015,6 @@ sed -i "/app_secret/a \ \ \ \ \ \ \ \ asap_accepted_audiences = { \"$APP_ID\" }"
#allow_empty_token = true #allow_empty_token = true
#SRP_STR=$(grep -n "VirtualHost \"$DOMAIN\"" $PROSODY_FILE | head -n1 | cut -d ":" -f1)
#SRP_END=$((SRP_STR + 10))
sed -i "s|// anonymousdomain: 'guest.example.com'|anonymousdomain: \'guest.$DOMAIN\'|" $MEET_CONF sed -i "s|// anonymousdomain: 'guest.example.com'|anonymousdomain: \'guest.$DOMAIN\'|" $MEET_CONF
fi fi
@ -1019,16 +1043,6 @@ P_SR
fi fi
#====================== #======================
#Secure room initial user
if [ "$ENABLE_SC" = "yes" ]; then
echo -e "\nSecure rooms are being enabled..."
echo "You'll be able to login Secure Room chat with '${SEC_ROOM_USER}' \
or '${SEC_ROOM_USER}@${DOMAIN}' using the password you just entered.
If you have issues with the password refer to your sysadmin."
sed -i "s|#org.jitsi.jicofo.auth.URL=XMPP:|org.jitsi.jicofo.auth.URL=XMPP:|" $JICOFO_SIP
prosodyctl register $SEC_ROOM_USER $DOMAIN $SEC_ROOM_PASS
sed -i "s|SEC_ROOM=.*|SEC_ROOM=\"on\"|" jm-bm.sh
fi
#Start with video muted by default #Start with video muted by default
sed -i "s|// startWithVideoMuted: false,|startWithVideoMuted: true,|" $MEET_CONF sed -i "s|// startWithVideoMuted: false,|startWithVideoMuted: true,|" $MEET_CONF
@ -1058,7 +1072,7 @@ fi
enable_letsencrypt enable_letsencrypt
if dpkg-compare prosody gt 0.11.0 && [ "$ENABLE_SC" = "yes" ]; then if [ "$ENABLE_SC" = "yes" ] || [ "$ENABLE_JWT" = "yes" ];then
echo "Waiting prosody restart to continue configuration, 15s..." echo "Waiting prosody restart to continue configuration, 15s..."
wait_seconds 15 wait_seconds 15
#Move mucs when using secure rooms - https://community.jitsi.org/t/27752/112 #Move mucs when using secure rooms - https://community.jitsi.org/t/27752/112