prosody: introduce AUTH_TYPE

It simplifies selecting the desired authentication type, instead of having a boolean for each.
6 years ago · 8da61612e9
parent 9ff3ce295c
commit 8da61612e9
5 changed files with 38 additions and 32 deletions
--- a/README.md
+++ b/README.md
@ -130,9 +130,27 @@ Variable | Description | Example
 --- | --- | ---
 `ENABLE_AUTH` | Enable authentication | 1
 `ENABLE_GUESTS` | Enable guest access | 1
-`ENABLE_LDAP_AUTH` | Enable authentication via LDAP. Depends on `ENABLE_AUTH` | 1
+`AUTH_TYPE` | Select authentication type (internal, jwt or ldap) | internal

-Variables that might be configured if the `ENABLE_LDAP_AUTH` is set:
+#### Internal authentication
+
+The default authentication mode (`internal`) uses XMPP credentials to authenticate users.
+To enable it you have to enable authentication with `ENABLE_AUTH` and set `AUTH_TYPE` to `internal`,
+then configure the settings you can see below.
+
+Internal users must be created with the ``prosodyctl`` utility in the ``prosody`` container.
+In order to do that, first execute a shell in the corresponding container:
+
+``docker-compose exec prosody /bin/bash``
+
+Once in the container, run the following command to create a user:
+
+``prosodyctl --config /config/prosody.cfg.lua register user meet.jitsi password``
+
+#### Authentication using LDAP
+
+You can use LDAP to authenticate users. To enable it you have to enable authentication with `ENABLE_AUTH` and
+set `AUTH_TYPE` to `ldap`, then configure the settings you can see below.

 Variable | Description | Example
 --- | --- | ---
@ -149,23 +167,13 @@ Variable | Description | Example
 `LDAP_TLS_CACERT_FILE` | Path to CA cert file. Used when server sertificate verify is enabled | /etc/ssl/certs/ca-certificates.crt
 `LDAP_TLS_CACERT_DIR` | Path to CA certs directory. Used when server sertificate verify is enabled. | /etc/ssl/certs

-Internal users must be created with the ``prosodyctl`` utility in the ``prosody`` container.
-In order to do that, first execute a shell in the corresponding container:
-
-``docker-compose exec prosody /bin/bash``
-
-Once in the container, run the following command to create a user:
-
-``prosodyctl --config /config/prosody.cfg.lua register user meet.jitsi password``
-
 #### Authentication using JWT tokens

-You can also use JWT tokens to authenticate users. To enable it you have to enable authentication via both
-`ENABLE_AUTH` & `JWT_ENABLE_TOKEN_AUTH` environment variables and configure the settings you can see below.
+You can use JWT tokens to authenticate users. To enable it you have to enable authentication with `ENABLE_AUTH` and
+set `AUTH_TYPE` to `jwt`, then configure the settings you can see below.

 Variable | Description | Example
 --- | --- | ---
-`JWT_ENABLE_TOKEN_AUTH` | Enable authentication via JWT tokens | 1
 `JWT_APP_ID` | Application identifier | my_jitsi_app_id
 `JWT_APP_SECRET` | Application secret known only to your token | my_jitsi_app_secret
 `JWT_ACCEPTED_ISSUERS` | (Optional) Set asap_accepted_issuers as a comma separated list | my_web_client,my_app_client
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -38,9 +38,9 @@ services:
        volumes:
            - ${CONFIG}/prosody:/config
        environment:
+            - AUTH_TYPE
            - ENABLE_AUTH
            - ENABLE_GUESTS
-            - ENABLE_LDAP_AUTH
            - LDAP_URL
            - LDAP_BASE
            - LDAP_BINDDN
@ -68,7 +68,6 @@ services:
            - JVB_AUTH_PASSWORD
            - JIGASI_XMPP_USER
            - JIGASI_XMPP_PASSWORD
-            - JWT_ENABLE_TOKEN_AUTH
            - JWT_APP_ID
            - JWT_APP_SECRET
            - JWT_ACCEPTED_ISSUERS
--- a/env.example
+++ b/env.example
@ -62,13 +62,12 @@ TZ=Europe/Amsterdam
 # Enable guest access.
 #ENABLE_GUESTS=1

+# Select authentication type: internal, jwt or ldap
+#AUTH_TYPE=internal

 # JWT auuthentication
 #

-# Enable authentication via JWT tokens.
-#JWT_ENABLE_TOKEN_AUTH=1
-
 # Application identifier.
 #JWT_APP_ID=my_jitsi_app_id

@ -85,10 +84,6 @@ TZ=Europe/Amsterdam
 # LDAP authentication (for more information see the Cyrus SASL saslauthd.conf man page)
 #

-# Enable LDAP authentication in prosody via SASL mechanism.
-# Note: turn on ENABLE_AUTH for get it work.
-#ENABLE_LDAP_AUTH=1
-
 # LDAP url for connection.
 #LDAP_URL=ldaps://ldap.domain.com/

--- a/prosody/rootfs/defaults/conf.d/jitsi-meet.cfg.lua
+++ b/prosody/rootfs/defaults/conf.d/jitsi-meet.cfg.lua
@ -2,26 +2,29 @@ admins = { "{{ .Env.JICOFO_AUTH_USER }}@{{ .Env.XMPP_AUTH_DOMAIN }}" }
 plugin_paths = { "/prosody-plugins/", "/prosody-plugins-custom" }
 http_default_host = "{{ .Env.XMPP_DOMAIN }}"

-{{ if and (.Env.ENABLE_AUTH | default "0" | toBool) (.Env.JWT_ENABLE_TOKEN_AUTH | default "0" | toBool) .Env.JWT_ACCEPTED_ISSUERS }}
+{{ $ENABLE_AUTH := .Env.ENABLE_AUTH | default "0" | toBool }}
+{{ $AUTH_TYPE := .Env.AUTH_TYPE | default "internal" }}
+
+{{ if and $ENABLE_AUTH (eq $AUTH_TYPE "jwt") .Env.JWT_ACCEPTED_ISSUERS }}
 asap_accepted_issuers = { "{{ join "\",\"" (splitList "," .Env.JWT_ACCEPTED_ISSUERS) }}" }
 {{ end }}

-{{ if and (.Env.ENABLE_AUTH | default "0" | toBool) (.Env.JWT_ENABLE_TOKEN_AUTH | default "0" | toBool) .Env.JWT_ACCEPTED_AUDIENCES }}
+{{ if and $ENABLE_AUTH (eq $AUTH_TYPE "jwt") .Env.JWT_ACCEPTED_AUDIENCES }}
 asap_accepted_audiences = { "{{ join "\",\"" (splitList "," .Env.JWT_ACCEPTED_AUDIENCES) }}" }
 {{ end }}

 VirtualHost "{{ .Env.XMPP_DOMAIN }}"
-{{ if .Env.ENABLE_AUTH | default "0" | toBool }}
-  {{ if .Env.JWT_ENABLE_TOKEN_AUTH | default "0" | toBool }}
+{{ if $ENABLE_AUTH }}
+  {{ if eq $AUTH_TYPE "jwt" }}
    authentication = "token"
    app_id = "{{ .Env.JWT_APP_ID }}"
    app_secret = "{{ .Env.JWT_APP_SECRET }}"
    allow_empty_token = false
-  {{ else if .Env.ENABLE_LDAP_AUTH | default "0" | toBool }}
+  {{ else if eq $AUTH_TYPE "ldap" }}
    authentication = "cyrus"
    cyrus_application_name = "xmpp"
    allow_unencrypted_plain_auth = true
-  {{ else }}
+  {{ else if eq $AUTH_TYPE "internal" }}
    authentication = "internal_plain"
  {{ end }}
 {{ else }}
@ -38,14 +41,14 @@ VirtualHost "{{ .Env.XMPP_DOMAIN }}"
        {{ if .Env.XMPP_MODULES }}
        "{{ join "\";\n\"" (splitList "," .Env.XMPP_MODULES) }}";
        {{ end }}
-        {{ if .Env.ENABLE_LDAP_AUTH | default "0" | toBool }}
+        {{ if and $ENABLE_AUTH (eq $AUTH_TYPE "ldap") }}
        "auth_cyrus";
        {{end}}
    }

    c2s_require_encryption = false

-{{ if and (.Env.ENABLE_AUTH | default "0" | toBool) (.Env.ENABLE_GUESTS | default "0" | toBool) }}
+{{ if and $ENABLE_AUTH (.Env.ENABLE_GUESTS | default "0" | toBool) }}
 VirtualHost "{{ .Env.XMPP_GUEST_DOMAIN }}"
    authentication = "anonymous"
    c2s_require_encryption = false
@ -81,3 +84,4 @@ Component "{{ .Env.XMPP_MUC_DOMAIN }}" "muc"

 Component "focus.{{ .Env.XMPP_DOMAIN }}"
    component_secret = "{{ .Env.JICOFO_COMPONENT_SECRET }}"
+
--- a/prosody/rootfs/defaults/saslauthd.conf
+++ b/prosody/rootfs/defaults/saslauthd.conf
@ -1,4 +1,4 @@
-{{ if .Env.ENABLE_LDAP_AUTH | default "0" | toBool }}
+{{ if eq (.Env.AUTH_TYPE | default "internal") "ldap" }}
 ldap_servers: {{ .Env.LDAP_URL }}
 ldap_search_base: {{ .Env.LDAP_BASE }}
 ldap_bind_dn: {{ .Env.LDAP_BINDDN }}