kjg/cdist-contrib
1
0
Fork 0
forked from ungleich-public/cdist-contrib
Code Issues Pull requests Projects Releases Wiki Activity

Merge branch 'fix_jitsi_user_manifest' into 'master'

Browse source 
[__jitsi_meet_user] adds user validation and directory creation

Closes #7

See merge request ungleich-public/cdist-contrib!35
This commit is contained in:
evilham 2021-05-23 19:15:14 +02:00
commit 05f2bd394c
2 changed files with 31 additions and 6 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

13
type/__jitsi_meet_user/man.rst
View file

@ -12,8 +12,17 @@ This type manages a user identified by `$__object_id` that is allowed to start
meetings in a Jitsi Meet instance managed by `__jitsi_meet(7)` and meetings in a Jitsi Meet instance managed by `__jitsi_meet(7)` and
`__jitsi_meet_domain(7)`. `__jitsi_meet_domain(7)`.
It does so by taking advantage of Prosody's plaintext authentication and These users are mapped to XMPP users which means that they must be a valid
managing a file per user with the credentials. localpart as defined in `RFC6122`_. This implies that users are case
insensitive and cannot contain the following symbols: `"&'/:<>@`.
.. _RFC6122: https://xmpp.org/rfcs/rfc6122.html#nodeprep-prohibited
To preserve idempotency we only allow lowercase for the users which correspond
to the `$__object_id` of this type.
This type takes advantage of Prosody's plaintext authentication and managing a
file per user with the credentials.
If a different authentication mechanism is needed, `__jitsi_meet(7)` should be If a different authentication mechanism is needed, `__jitsi_meet(7)` should be
patched accordingly. patched accordingly.

24
type/__jitsi_meet_user/manifest
View file

@ -1,5 +1,9 @@
#!/bin/sh -e #!/bin/sh -e
basic_urlencode() {
echo "${1}" | sed 's/\./%2e/g' | sed 's/-/%2d/g' | sed 's/_/%5f/g'
}
PASSWD="$(cat "${__object}/parameter/password" 2>/dev/null || true)" PASSWD="$(cat "${__object}/parameter/password" 2>/dev/null || true)"
STATE="$(cat "${__object}/parameter/state")" STATE="$(cat "${__object}/parameter/state")"
@ -9,11 +13,23 @@ if [ -z "${PASSWD}" ] && [ "${STATE}" != "absent" ]; then
EOF EOF
fi fi
USER="${__object_id}" JITSI_USER_RAW="${__object_id}"
FQDN="$(echo "${__target_host}" | sed 's/\./%2e/g' | sed 's/-/%2d/g')" if echo "${JITSI_USER_RAW}" | grep -q ".*[A-Z\"&'/:<>@]"; then
FILENAME="/var/lib/prosody/${FQDN}/accounts/${USER}.dat" cat > /dev/stderr <<EOF
Username (XMPP's localpart) ${JITSI_USER_RAW} has uppercase characters or
contains invalid symbols ("&'/:<>@) according to RFC6122.
EOF
exit 1
fi
__file "${FILENAME}" --owner prosody --group prosody --mode 0440 \ JITSI_USER="$(basic_urlencode "${JITSI_USER_RAW}")"
FQDN="$(basic_urlencode "${__target_host}")"
FQDN_PATH="/var/lib/prosody/${FQDN}/accounts"
FILENAME="${FQDN_PATH}/${JITSI_USER}.dat"
__directory "${FQDN_PATH}" --parents --owner prosody --group prosody --state "present"
require="__directory${FQDN_PATH}" __file "${FILENAME}" --owner prosody --group prosody --mode 0440 \
--state "${STATE}" --source - <<EOF --state "${STATE}" --source - <<EOF
return { return {
["password"] = "${PASSWD}"; ["password"] = "${PASSWD}";