[__jitsi_meet_user] refactor user validation
improve user validation and the corresponding docs, co-authored with evilham :D
This commit is contained in:
parent
8245f8f0c7
commit
b07ac7a732
2 changed files with 31 additions and 6 deletions
@ -12,8 +12,17 @@ This type manages a user identified by `$__object_id` that is allowed to start
|
||||||
meetings in a Jitsi Meet instance managed by `__jitsi_meet(7)` and
|
meetings in a Jitsi Meet instance managed by `__jitsi_meet(7)` and
|
||||||
`__jitsi_meet_domain(7)`.
|
`__jitsi_meet_domain(7)`.
|
||||||
|
|
||||||
It does so by taking advantage of Prosody's plaintext authentication and
|
These users are mapped to XMPP users which means that they must be a valid
|
||||||
managing a file per user with the credentials.
|
localpart as defined in `RFC6122`_. This implies that users are case
|
||||||
|
insensitive and cannot contain the following symbols: `"&'/:<>@`.
|
||||||
|
|
||||||
|
.. _RFC6122: https://xmpp.org/rfcs/rfc6122.html#nodeprep-prohibited
|
||||||
|
|
||||||
|
To preserve idempotency we only allow lowercase for the users which correspond
|
||||||
|
to the `$__object_id` of this type.
|
||||||
|
|
||||||
|
This type takes advantage of Prosody's plaintext authentication and managing a
|
||||||
|
file per user with the credentials.
|
||||||
If a different authentication mechanism is needed, `__jitsi_meet(7)` should be
|
If a different authentication mechanism is needed, `__jitsi_meet(7)` should be
|
||||||
patched accordingly.
|
patched accordingly.
|
||||||
@ -1,5 +1,9 @@
|
||||||
#!/bin/sh -e
|
#!/bin/sh -e
|
||||||
|
|
||||||
|
basic_urlencode() {
|
||||||
|
echo "${1}" | sed 's/\./%2e/g' | sed 's/-/%2d/g' | sed 's/_/%5f/g'
|
||||||
|
}
|
||||||
|
|
||||||
PASSWD="$(cat "${__object}/parameter/password" 2>/dev/null || true)"
|
PASSWD="$(cat "${__object}/parameter/password" 2>/dev/null || true)"
|
||||||
STATE="$(cat "${__object}/parameter/state")"
|
STATE="$(cat "${__object}/parameter/state")"
|
||||||
|
|
||||||
|
@ -9,11 +13,23 @@ if [ -z "${PASSWD}" ] && [ "${STATE}" != "absent" ]; then
|
||||||
EOF
|
EOF
|
||||||
fi
|
fi
|
||||||
|
|
||||||
USER="${__object_id}"
|
JITSI_USER_RAW="${__object_id}"
|
||||||
FQDN="$(echo "${__target_host}" | sed 's/\./%2e/g' | sed 's/-/%2d/g')"
|
if echo "${JITSI_USER_RAW}" | grep -q ".*[A-Z\"&'/:<>@]"; then
|
||||||
FILENAME="/var/lib/prosody/${FQDN}/accounts/${USER}.dat"
|
cat > /dev/stderr <<EOF
|
||||||
|
Username (XMPP's localpart) ${JITSI_USER_RAW} has uppercase characters or
|
||||||
|
contains invalid symbols ("&'/:<>@) according to RFC6122.
|
||||||
|
EOF
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
__file "${FILENAME}" --owner prosody --group prosody --mode 0440 \
|
JITSI_USER="$(basic_urlencode "${JITSI_USER_RAW}")"
|
||||||
|
FQDN="$(basic_urlencode "${__target_host}")"
|
||||||
|
FQDN_PATH="/var/lib/prosody/${FQDN}/accounts"
|
||||||
|
FILENAME="${FQDN_PATH}/${JITSI_USER}.dat"
|
||||||
|
|
||||||
|
__directory "${FQDN_PATH}" --parents --owner prosody --group prosody --state "present"
|
||||||
|
|
||||||
|
require="__directory${FQDN_PATH}" __file "${FILENAME}" --owner prosody --group prosody --mode 0440 \
|
||||||
--state "${STATE}" --source - <<EOF
|
--state "${STATE}" --source - <<EOF
|
||||||
return {
|
return {
|
||||||
["password"] = "${PASSWD}";
|
["password"] = "${PASSWD}";
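Review bot: The validation added at `if echo "${JITSI_USER_RAW}" | grep -q ".*[A-Z\"&'/:<>@]"; then` is a deny-list: it rejects uppercase and the seven listed symbols but lets spaces, `%`, `+`, `=` and any non-ASCII byte through, while `basic_urlencode` only rewrites `.`, `-` and `_`, so such a name is embedded verbatim in `${FILENAME}` and the account file can land at a path Prosody does not look up for that user (Prosody's own escaping of those characters is not visible here; confirm against its datamanager). An allow-list matching exactly what the encoder handles is the safer shape and also drops the redundant `.*`: `if printf '%s\n' "${JITSI_USER_RAW}" | LC_ALL=C grep -qv '^[a-z0-9._-]\{1,\}$'; then`, with the stderr message updated to name the accepted characters. `LC_ALL=C` matters because `[A-Z]` is a collation range in other locales and can match or skip letters unexpectedly, and `printf` avoids `echo` interpreting backslashes under dash, which `#!/bin/sh` commonly resolves to. The `__file` heredoc opened at `--state "${STATE}" --source - <<EOF` ends outside the hunk; the `${PASSWD}` it splices into a Lua string literal is untouched by this commit, and a password containing `"` or `\` would still corrupt that literal, which is worth a follow-up.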