From fbdcd8d6fc78d1378e0ffccae8153dd2e04b597c Mon Sep 17 00:00:00 2001 From: Evilham Date: Mon, 10 May 2021 17:04:44 +0200 Subject: [PATCH] [__jitsi_meet*] Improve documentation Also improve __jitsi_meet_user's support for removing users in that a password is not required to remove them. --- type/__jitsi_meet/man.rst | 15 +++++--- type/__jitsi_meet_domain/man.rst | 14 +++++--- type/__jitsi_meet_user/man.rst | 43 ++++++++++++++--------- type/__jitsi_meet_user/manifest | 8 ++++- type/__jitsi_meet_user/parameter/optional | 1 + type/__jitsi_meet_user/parameter/required | 1 - 6 files changed, 55 insertions(+), 27 deletions(-) delete mode 100644 type/__jitsi_meet_user/parameter/required diff --git a/type/__jitsi_meet/man.rst b/type/__jitsi_meet/man.rst index 787219c..bf7cd86 100644 --- a/type/__jitsi_meet/man.rst +++ b/type/__jitsi_meet/man.rst @@ -1,5 +1,5 @@ cdist-type__jitsi_meet(7) -================================= +========================= NAME @@ -57,6 +57,13 @@ disable-prometheus-exporter The explorer is based on: https://github.com/systemli/prometheus-jitsi-meet-exporter +secured-domains + If this flag is present, all domains that use this Jitsi instance will + require that an authenticated user starts a meeting. + For information on how this is achieved, see + https://jitsi.github.io/handbook/docs/devops-guide/secure-domain . + You will need to create the users with `__jitsi_meet_user(7)`. + EXAMPLES -------- @@ -74,8 +81,8 @@ EXAMPLES SEE ALSO -------- -- `__jitsi_meet_domain` - +- `__jitsi_meet_domain(7)` +- `__jitsi_meet_user(7)` AUTHORS @@ -85,4 +92,4 @@ Evilham COPYING ------- -Copyright \(C) 2020 Evilham. +Copyright \(C) 2021 Evilham. diff --git a/type/__jitsi_meet_domain/man.rst b/type/__jitsi_meet_domain/man.rst index ba6aaa4..ff78287 100644 --- a/type/__jitsi_meet_domain/man.rst +++ b/type/__jitsi_meet_domain/man.rst @@ -1,5 +1,5 @@ cdist-type__jitsi_meet_domain(7) -======================================== +================================ NAME 
@@ -107,6 +107,10 @@ enable-third-party-requests them, restoring Jitsi-Meet's defaults. This affects things like avatars, callstats, ... +secured-domains + Whether or not an authetnicated user will be required to start a meeting. + You will need to create the users with `__jitsi_meet_user(7)`. + EXAMPLES -------- @@ -120,7 +124,7 @@ EXAMPLES --notice-message "Hola!" \ --disable-audio-levels \ --turn-secret "WeNeedGoodSecurity" \ - --video-constraints "$(cat < COPYING ------- -Copyright \(C) 2020 Evilham. +Copyright \(C) 2021 Evilham. diff --git a/type/__jitsi_meet_user/man.rst b/type/__jitsi_meet_user/man.rst index 173aa8a..eb298ba 100644 --- a/type/__jitsi_meet_user/man.rst +++ b/type/__jitsi_meet_user/man.rst 
@@ -1,30 +1,35 @@ cdist-type__jitsi_meet_user(7) -================================= +============================== NAME ---- -cdist-type__jitsi_meet_user - Setup users when using jitsi_meet instance with secure domain configuration +cdist-type__jitsi_meet_user - Manage users in a Jitsi-Meet with secured-domains + DESCRIPTION ----------- -This type just places a file with a user and a password (plaintext) that will be used in a jitsi-meet instance with `secure domain configuration https://jitsi.github.io/handbook/docs/devops-guide/secure-domain`. There is a different from the official approach: to have an `internal_plain` authentication method to facilitate the auth management. That user will be able to create and join rooms on that instance as a moderator. +This type manages a user identified by `$__object_id` that is allowed to start +meetings in a Jitsi Meet instance managed by `__jitsi_meet(7)` and +`__jitsi_meet_domain(7)`. -You will also need to setup first the `__jitsi_meet_domain` and `__jitsi_meet` types. +It does so by taking advantage of Prosody's plaintext authentication and +managing a file per user with the credentials. +If a different authentication mechanism is needed, `__jitsi_meet(7)` should be +patched accordingly. This type only works on De{bi,vu}an systems. -REQUIRED PARAMETERS -------------------- -object id - The user that will be able to authenticate against a Jitsi-Meet instance with secure domain configuration - -passwd - The user's password in plaintext (beware that it is also stored as plaintext in the server) OPTIONAL PARAMETERS ------------------- +password + The user's password in plaintext. + Beware that since Prosody's plaintext authentication is used, this password + will also be stored as plaintext in the server. + Unless `--state` is `absent`, this parameter is required. + state - If user should be (default) present or absent + Whether the user should be `present` (default) or `absent`. EXAMPLES -------- 
@@ -34,10 +39,16 @@ EXAMPLES # Setup a Jitsi user for secure domain configuration __jitsi_meet_user "user_1" --password "WeNeedGoodSecurity" + # Remove such Jitsi user so it is not allowed to start meetings + __jitsi_meet_user "user_1" --state absent + + SEE ALSO -------- -- `__jitsi_meet` -- `__jitsi_meet_domain` +- Prosody authentication https://modules.prosody.im/type_auth.html +- Jitsi Meet secure domain configuration https://jitsi.github.io/handbook/docs/devops-guide/secure-domain +- `__jitsi_meet(7)` +- `__jitsi_meet_domain(7)` AUTHORS @@ -45,10 +56,10 @@ AUTHORS Pedro Evilham + COPYING ------- -Copyright \(C) 2021 Pedro. You can redistribute it +Copyright \(C) 2021 Pedro and Evilham. You can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. -Copyright \(C) 2021 Evilham diff --git a/type/__jitsi_meet_user/manifest b/type/__jitsi_meet_user/manifest index a4d1935..b47795d 100755 --- a/type/__jitsi_meet_user/manifest +++ b/type/__jitsi_meet_user/manifest @@ -1,8 +1,14 @@ #!/bin/sh -e -PASSWD="$(cat "${__object}/parameter/password")" +PASSWD="$(cat "${__object}/parameter/password" 2>/dev/null || true)" STATE="$(cat "${__object}/parameter/state")" +if [ -z "${PASSWD}" ] && [ "${STATE}" != "absent" ]; then + cat >> dev/stderr <<-EOF + A password is required unless you are removing the user '$__object_id'. + EOF +fi + USER="${__object_id}" FQDN="$(echo "${__target_host}" | sed 's/\./%2e/g' | sed 's/-/%2d/g')" FILENAME="/var/lib/prosody/${FQDN}/accounts/${USER}.dat" diff --git a/type/__jitsi_meet_user/parameter/optional b/type/__jitsi_meet_user/parameter/optional index ff72b5c..669cb66 100644 --- a/type/__jitsi_meet_user/parameter/optional +++ b/type/__jitsi_meet_user/parameter/optional @@ -1 +1,2 @@ +password state 
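Review bot: The new password guard in type/__jitsi_meet_user/manifest does not stop the run: there is no `exit 1` after the message, so with `--state present` and no `--password` the manifest carries on with an empty `PASSWD`. The message is also redirected to the relative path `dev/stderr` rather than standard error, so it is either appended to a stray file or, under `sh -e`, the failed redirection aborts the script without printing anything. I would replace the heredoc with `echo "A password is required unless you are removing the user '${__object_id}'." >&2` followed by `exit 1`. The rest of the manifest lies outside this hunk, so whether an empty password would actually reach the Prosody account file is an inference, but a type that gates who may start meetings should fail closed here.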
diff --git a/type/__jitsi_meet_user/parameter/required b/type/__jitsi_meet_user/parameter/required
deleted file mode 100644
index f3097ab..0000000
--- a/type/__jitsi_meet_user/parameter/required
+++ /dev/null
@@ -1 +0,0 @@
-password