prosody: introduce AUTH_TYPE

It simplifies selecting the desired authentication type, instead of
having a boolean for each.

README.md

@@ -130,9 +130,27 @@ Variable | Description | Example
 --- | --- | ---
 `ENABLE_AUTH` | Enable authentication | 1
 `ENABLE_GUESTS` | Enable guest access | 1
-`ENABLE_LDAP_AUTH` | Enable authentication via LDAP. Depends on `ENABLE_AUTH` | 1
+`AUTH_TYPE` | Select authentication type (internal, jwt or ldap) | internal
 
-Variables that might be configured if the `ENABLE_LDAP_AUTH` is set:
+#### Internal authentication
+
+The default authentication mode (`internal`) uses XMPP credentials to authenticate users.
+To enable it you have to enable authentication with `ENABLE_AUTH` and set `AUTH_TYPE` to `internal`,
+then configure the settings you can see below.
+
+Internal users must be created with the ``prosodyctl`` utility in the ``prosody`` container.
+In order to do that, first execute a shell in the corresponding container:
+
+``docker-compose exec prosody /bin/bash``
+
+Once in the container, run the following command to create a user:
+
+``prosodyctl --config /config/prosody.cfg.lua register user meet.jitsi password``
+
+#### Authentication using LDAP
+
+You can use LDAP to authenticate users. To enable it you have to enable authentication with `ENABLE_AUTH` and
+set `AUTH_TYPE` to `ldap`, then configure the settings you can see below.
 
 Variable | Description | Example
 --- | --- | ---
@@ -149,23 +167,13 @@ Variable | Description | Example
 `LDAP_TLS_CACERT_FILE` | Path to CA cert file. Used when server sertificate verify is enabled | /etc/ssl/certs/ca-certificates.crt
 `LDAP_TLS_CACERT_DIR` | Path to CA certs directory. Used when server sertificate verify is enabled. | /etc/ssl/certs
 
-Internal users must be created with the ``prosodyctl`` utility in the ``prosody`` container.
-In order to do that, first execute a shell in the corresponding container:
-
-``docker-compose exec prosody /bin/bash``
-
-Once in the container, run the following command to create a user:
-
-``prosodyctl --config /config/prosody.cfg.lua register user meet.jitsi password``
-
 #### Authentication using JWT tokens
 
-You can also use JWT tokens to authenticate users. To enable it you have to enable authentication via both
-`ENABLE_AUTH` & `JWT_ENABLE_TOKEN_AUTH` environment variables and configure the settings you can see below.
+You can use JWT tokens to authenticate users. To enable it you have to enable authentication with `ENABLE_AUTH` and
+set `AUTH_TYPE` to `jwt`, then configure the settings you can see below.
 
 Variable | Description | Example
 --- | --- | ---
-`JWT_ENABLE_TOKEN_AUTH` | Enable authentication via JWT tokens | 1
 `JWT_APP_ID` | Application identifier | my_jitsi_app_id
 `JWT_APP_SECRET` | Application secret known only to your token | my_jitsi_app_secret
 `JWT_ACCEPTED_ISSUERS` | (Optional) Set asap_accepted_issuers as a comma separated list | my_web_client,my_app_client

docker-compose.yml

@@ -38,9 +38,9 @@ services:
         volumes:
             - ${CONFIG}/prosody:/config
         environment:
+            - AUTH_TYPE
             - ENABLE_AUTH
             - ENABLE_GUESTS
-            - ENABLE_LDAP_AUTH
             - LDAP_URL
             - LDAP_BASE
             - LDAP_BINDDN
@@ -68,7 +68,6 @@ services:
             - JVB_AUTH_PASSWORD
             - JIGASI_XMPP_USER
             - JIGASI_XMPP_PASSWORD
-            - JWT_ENABLE_TOKEN_AUTH
             - JWT_APP_ID
             - JWT_APP_SECRET
             - JWT_ACCEPTED_ISSUERS

env.example

@@ -62,13 +62,12 @@ TZ=Europe/Amsterdam
 # Enable guest access.
 #ENABLE_GUESTS=1
 
+# Select authentication type: internal, jwt or ldap
+#AUTH_TYPE=internal
 
 # JWT auuthentication
 #
 
-# Enable authentication via JWT tokens.
-#JWT_ENABLE_TOKEN_AUTH=1
-
 # Application identifier.
 #JWT_APP_ID=my_jitsi_app_id
 
@@ -85,10 +84,6 @@ TZ=Europe/Amsterdam
 # LDAP authentication (for more information see the Cyrus SASL saslauthd.conf man page)
 #
 
-# Enable LDAP authentication in prosody via SASL mechanism.
-# Note: turn on ENABLE_AUTH for get it work.
-#ENABLE_LDAP_AUTH=1
-
 # LDAP url for connection.
 #LDAP_URL=ldaps://ldap.domain.com/
 

prosody/rootfs/defaults/conf.d/jitsi-meet.cfg.lua

@@ -2,26 +2,29 @@ admins = { "{{ .Env.JICOFO_AUTH_USER }}@{{ .Env.XMPP_AUTH_DOMAIN }}" }
 plugin_paths = { "/prosody-plugins/", "/prosody-plugins-custom" }
 http_default_host = "{{ .Env.XMPP_DOMAIN }}"
 
-{{ if and (.Env.ENABLE_AUTH | default "0" | toBool) (.Env.JWT_ENABLE_TOKEN_AUTH | default "0" | toBool) .Env.JWT_ACCEPTED_ISSUERS }}
+{{ $ENABLE_AUTH := .Env.ENABLE_AUTH | default "0" | toBool }}
+{{ $AUTH_TYPE := .Env.AUTH_TYPE | default "internal" }}
+
+{{ if and $ENABLE_AUTH (eq $AUTH_TYPE "jwt") .Env.JWT_ACCEPTED_ISSUERS }}
 asap_accepted_issuers = { "{{ join "\",\"" (splitList "," .Env.JWT_ACCEPTED_ISSUERS) }}" }
 {{ end }}
 
-{{ if and (.Env.ENABLE_AUTH | default "0" | toBool) (.Env.JWT_ENABLE_TOKEN_AUTH | default "0" | toBool) .Env.JWT_ACCEPTED_AUDIENCES }}
+{{ if and $ENABLE_AUTH (eq $AUTH_TYPE "jwt") .Env.JWT_ACCEPTED_AUDIENCES }}
 asap_accepted_audiences = { "{{ join "\",\"" (splitList "," .Env.JWT_ACCEPTED_AUDIENCES) }}" }
 {{ end }}
 
 VirtualHost "{{ .Env.XMPP_DOMAIN }}"
-{{ if .Env.ENABLE_AUTH | default "0" | toBool }}
-  {{ if .Env.JWT_ENABLE_TOKEN_AUTH | default "0" | toBool }}
+{{ if $ENABLE_AUTH }}
+  {{ if eq $AUTH_TYPE "jwt" }}
     authentication = "token"
     app_id = "{{ .Env.JWT_APP_ID }}"
     app_secret = "{{ .Env.JWT_APP_SECRET }}"
     allow_empty_token = false
-  {{ else if .Env.ENABLE_LDAP_AUTH | default "0" | toBool }}
+  {{ else if eq $AUTH_TYPE "ldap" }}
     authentication = "cyrus"
     cyrus_application_name = "xmpp"
     allow_unencrypted_plain_auth = true
-  {{ else }}
+  {{ else if eq $AUTH_TYPE "internal" }}
     authentication = "internal_plain"
   {{ end }}
 {{ else }}
@@ -38,14 +41,14 @@ VirtualHost "{{ .Env.XMPP_DOMAIN }}"
         {{ if .Env.XMPP_MODULES }}
         "{{ join "\";\n\"" (splitList "," .Env.XMPP_MODULES) }}";
         {{ end }}
-        {{ if .Env.ENABLE_LDAP_AUTH | default "0" | toBool }}
+        {{ if and $ENABLE_AUTH (eq $AUTH_TYPE "ldap") }}
         "auth_cyrus";
         {{end}}
     }
 
     c2s_require_encryption = false
 
-{{ if and (.Env.ENABLE_AUTH | default "0" | toBool) (.Env.ENABLE_GUESTS | default "0" | toBool) }}
+{{ if and $ENABLE_AUTH (.Env.ENABLE_GUESTS | default "0" | toBool) }}
 VirtualHost "{{ .Env.XMPP_GUEST_DOMAIN }}"
     authentication = "anonymous"
     c2s_require_encryption = false
@@ -81,3 +84,4 @@ Component "{{ .Env.XMPP_MUC_DOMAIN }}" "muc"
 
 Component "focus.{{ .Env.XMPP_DOMAIN }}"
     component_secret = "{{ .Env.JICOFO_COMPONENT_SECRET }}"
+

prosody/rootfs/defaults/saslauthd.conf

@@ -1,4 +1,4 @@
-{{ if .Env.ENABLE_LDAP_AUTH | default "0" | toBool }}
+{{ if eq (.Env.AUTH_TYPE | default "internal") "ldap" }}
 ldap_servers: {{ .Env.LDAP_URL }}
 ldap_search_base: {{ .Env.LDAP_BASE }}
 ldap_bind_dn: {{ .Env.LDAP_BINDDN }}