
xmpp: add support for authentication

Saúl Ibarra Corretgé 6 سال پیش
والد
کامیت
ee90a92d43

+ 23 - 0
README.md

@@ -91,6 +91,8 @@ Variable | Description | Example
 `HTTPS_PORT` | Exposed port for HTTPS traffic | 8443
 `DOCKER_HOST_ADDRESS` | IP addrss of the Docker host, needed for LAN environments | 192.168.1.1
 
+### SIP gateway configuration
+
 If you want to enable the SIP gateway, these options are required:
 
 Variable | Description | Example
@@ -99,6 +101,27 @@ Variable | Description | Example
 `JIGASI_SIP_PASSWORD` | Password for the specified SIP account | passw0rd
 `JIGASI_SIP_SERVER` | SIP server (use the SIP account domain if in doubt) | sip2sip.info
 
+### Authentication
+
+Authentication can be controlled with the environment variables below. If guest
+access is enabled, unauthenticated users will need to wait until a user authenticates
+before they can join a room. If guest access is not enabled, every user will need
+to authenticate before they can join.
+
+Variable | Description | Example
+--- | --- | ---
+`ENABLE_AUTH` | Enable authentication | 1
+`ENABLE_GUESTS` | Enable guest access | 1
+
+Users must be created with the ``prosodyctl`` utility in the ``prosody`` container.
+In order to do that, first execute a shell in the corresponding container:
+
+``docker-compose exec prosody /bin/bash``
+
+Once in the container, run the following command to create a user:
+
+``prosodyctl --config /config/prosody.cfg.lua register user meet.jitsi password``
+
 ### Advanced configuration
 
 These configuration options are already set and generally don't need to be changed.

+ 7 - 0
docker-compose.yml

@@ -10,10 +10,13 @@ services:
         volumes:
             - ${CONFIG}/meet:/config
         environment:
+            - ENABLE_AUTH
+            - ENABLE_GUESTS
             - JICOFO_AUTH_USER
             - XMPP_DOMAIN
             - XMPP_AUTH_DOMAIN
             - XMPP_BOSH_URL_BASE=http://xmpp.meet.jitsi:5280
+            - XMPP_GUEST_DOMAIN
             - XMPP_MUC_DOMAIN
             - TZ
         networks:
@@ -29,8 +32,11 @@ services:
         volumes:
             - ${CONFIG}/prosody:/config
         environment:
+            - ENABLE_AUTH
+            - ENABLE_GUESTS
             - XMPP_DOMAIN
             - XMPP_AUTH_DOMAIN
+            - XMPP_GUEST_DOMAIN
             - XMPP_MUC_DOMAIN
             - XMPP_INTERNAL_MUC_DOMAIN
             - JICOFO_COMPONENT_SECRET
@@ -52,6 +58,7 @@ services:
         volumes:
             - ${CONFIG}/jicofo:/config
         environment:
+            - ENABLE_AUTH
             - XMPP_DOMAIN
             - XMPP_AUTH_DOMAIN
             - XMPP_INTERNAL_MUC_DOMAIN

+ 16 - 3
env.example

@@ -23,16 +23,26 @@ TZ=Europe/Amsterdam
 # Basic Jigasi configuration options (needed for SIP gateway support)
 #
 
-# SIP URI for incoming / outgoing calls
+# SIP URI for incoming / outgoing calls.
 #JIGASI_SIP_URI=test@sip2sip.info
 
-# Password for the specified SIP account
+# Password for the specified SIP account.
 #JIGASI_SIP_PASSWORD=passw0rd
 
-# SIP server (use the SIP account domain if in doubt)
+# SIP server (use the SIP account domain if in doubt).
 #JIGASI_SIP_SERVER=sip2sip.info
 
 
+#
+# Authentication configuration (see README for details)
+#
+
+# Enable authentication.
+#ENABLE_AUTH=1
+
+# Enable guest access.
+#ENABLE_GUESTS=1
+
 #
 # Advanced configuration options (you generally don't need to change these)
 #
@@ -49,6 +59,9 @@ XMPP_MUC_DOMAIN=muc.meet.jitsi
 # XMPP domain for the internal MUC used for jibri, jigasi and jvb pools.
 XMPP_INTERNAL_MUC_DOMAIN=internal-muc.meet.jitsi
 
+# XMPP domain for unauthenticated users.
+XMPP_GUEST_DOMAIN=guest.meet.jitsi
+
 # MUC for the JVB pool.
 JVB_BREWERY_MUC=jvbbrewery
 
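Review bot: The comment `# Enable guest access.` above `#ENABLE_GUESTS=1` does not say that the flag has no effect on its own: in this commit prosody only creates the guest VirtualHost under `{{ if and .Env.ENABLE_AUTH .Env.ENABLE_GUESTS }}`, and the web init script nests the guest check inside the `ENABLE_AUTH` test. Suggest `# Enable guest access (only meaningful together with ENABLE_AUTH; guests wait until an authenticated user joins the room).`, which matches the behaviour the README section describes. The `XMPP_GUEST_DOMAIN` entry in the second hunk could likewise note that it is only used when both flags are set.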

+ 3 - 0
jicofo/rootfs/defaults/sip-communicator.properties

@@ -2,3 +2,6 @@ org.jitsi.jicofo.ALWAYS_TRUST_MODE_ENABLED=true
 org.jitsi.jicofo.BRIDGE_MUC={{ .Env.JVB_BREWERY_MUC }}@{{ .Env.XMPP_INTERNAL_MUC_DOMAIN }}
 org.jitsi.jicofo.jigasi.BREWERY={{ .Env.JIGASI_BREWERY_MUC}}@{{ .Env.XMPP_INTERNAL_MUC_DOMAIN }}
 
+{{ if .Env.ENABLE_AUTH }}
+org.jitsi.jicofo.auth.URL=XMPP:{{ .Env.XMPP_DOMAIN }}
+{{ end }}
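Review bot: `{{ if .Env.ENABLE_AUTH }}` above `org.jitsi.jicofo.auth.URL` is true for any non-empty string, so `ENABLE_AUTH=0` or `ENABLE_AUTH=false` still enables authentication here; the same test appears in jigasi/rootfs/defaults/sip-communicator.properties and twice in prosody/rootfs/defaults/conf.d/jitsi-meet.cfg.lua, whereas web/rootfs/etc/cont-init.d/10-config checks `[[ $ENABLE_AUTH -eq 1 ]]`, so a value of 0 would put prosody and jicofo into authenticated mode while the web client never gets `authdomain`. Comparing against the documented value, e.g. `{{ if eq .Env.ENABLE_AUTH "1" }}`, would keep all five sites in agreement with env.example's `ENABLE_AUTH=1`, assuming the template engine exposes `.Env` as a string map so a missing key compares as an empty string. With the bare `- ENABLE_AUTH` form used in docker-compose.yml an unset host variable is omitted from the container, so the absent case is falsy in both styles; only the explicit-zero case diverges.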

+ 1 - 0
jigasi.yml

@@ -9,6 +9,7 @@ services:
         volumes:
             - ${CONFIG}/jigasi:/config
         environment:
+            - ENABLE_AUTH
             - XMPP_AUTH_DOMAIN
             - XMPP_INTERNAL_MUC_DOMAIN
             - XMPP_SERVER=xmpp.meet.jitsi
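Review bot: jigasi/rootfs/defaults/sip-communicator.properties in this commit reads `.Env.JIGASI_XMPP_USER` and `.Env.JIGASI_XMPP_PASSWORD` inside the new `ENABLE_AUTH` block, but this hunk only adds `ENABLE_AUTH` to jigasi's environment, and neither variable appears in the env.example or README changes. Unless they are already passed further down the `environment:` list (the hunk ends before it does), the rendered `USER_ID` would be `@<auth domain>` with an empty `PASS` whenever authentication is enabled. Adding `- JIGASI_XMPP_USER` and `- JIGASI_XMPP_PASSWORD` here, with matching commented entries under the new "Authentication configuration" heading in env.example, closes the gap.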

+ 6 - 0
jigasi/rootfs/defaults/sip-communicator.properties

@@ -86,6 +86,12 @@ org.jitsi.jigasi.BREWERY_ENABLED=true
 
 org.jitsi.jigasi.xmpp.acc.IS_SERVER_OVERRIDDEN=true
 org.jitsi.jigasi.xmpp.acc.SERVER_ADDRESS={{ .Env.XMPP_SERVER }}
+{{ if .Env.ENABLE_AUTH }}
+org.jitsi.jigasi.xmpp.acc.USER_ID={{ .Env.JIGASI_XMPP_USER }}@{{ .Env.XMPP_AUTH_DOMAIN }}
+org.jitsi.jigasi.xmpp.acc.PASS={{ .Env.JIGASI_XMPP_PASSWORD }}
+org.jitsi.jigasi.xmpp.acc.ANONYMOUS_AUTH=false
+org.jitsi.jigasi.xmpp.acc.ALLOW_NON_SECURE=true
+{{ end }}
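Review bot: `org.jitsi.jigasi.xmpp.acc.ALLOW_NON_SECURE=true` is introduced in the same block as a real password (`PASS`), so this account's credential may now be offered over an unencrypted c2s connection to `XMPP_SERVER`, and prosody's `c2s_require_encryption = false` in this commit means the server will accept that. The comment block below the hunk covers certificate trust, not plaintext transport, so a line above this setting should state why plaintext is acceptable, e.g. `# Plaintext c2s is tolerated only because xmpp.meet.jitsi is reached over the internal compose network.` — presumably the reasoning, but worth confirming. Alternatively leave it at the default and enforce TLS on the prosody side once certificates are in place.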
 
 # Activate this property if you are using self-signed certificates or other
 # type of non-trusted certicates. In this mode your service trust in the

+ 22 - 12
prosody/rootfs/defaults/conf.d/jitsi-meet.cfg.lua

@@ -1,18 +1,28 @@
 admins = { "{{ .Env.JICOFO_AUTH_USER }}@{{ .Env.XMPP_AUTH_DOMAIN }}" }
 
 VirtualHost "{{ .Env.XMPP_DOMAIN }}"
-        authentication = "anonymous"
-        ssl = {
-                key = "/config/certs/{{ .Env.XMPP_DOMAIN }}.key";
-                certificate = "/config/certs/{{ .Env.XMPP_DOMAIN }}.crt";
-        }
-        modules_enabled = {
-            "bosh";
-            "pubsub";
-            "ping";
-        }
-
-        c2s_require_encryption = false
+    {{ if .Env.ENABLE_AUTH }}
+    authentication = "internal_plain"
+    {{ else }}
+    authentication = "anonymous"
+    {{ end }}
+    ssl = {
+            key = "/config/certs/{{ .Env.XMPP_DOMAIN }}.key";
+            certificate = "/config/certs/{{ .Env.XMPP_DOMAIN }}.crt";
+    }
+    modules_enabled = {
+        "bosh";
+        "pubsub";
+        "ping";
+    }
+
+    c2s_require_encryption = false
+
+{{ if and .Env.ENABLE_AUTH .Env.ENABLE_GUESTS }}
+VirtualHost "{{ .Env.XMPP_GUEST_DOMAIN }}"
+    authentication = "anonymous"
+    c2s_require_encryption = false
+{{ end }}
 
 VirtualHost "{{ .Env.XMPP_AUTH_DOMAIN }}"
     ssl = {
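Review bot: `authentication = "internal_plain"` at the top of the main VirtualHost stores every registered user's password in cleartext in prosody's data store; Prosody's `internal_hashed` provider stores salted hashes and works with the same `prosodyctl register` flow the README documents, so `authentication = "internal_hashed"` is the safer choice for the `ENABLE_AUTH` branch. Since real credentials now flow over c2s where previously only anonymous logins did, the retained `c2s_require_encryption = false` deserves a comment saying why encryption is not required (presumably the BOSH hop from the web container stays on the internal network — confirm). The guest VirtualHost added below has no `ssl` block, unlike the main one; if that is intended, a short comment saying guests are only reached via BOSH would save the next reader a question. The file continues past the hunk with the auth-domain VirtualHost.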

+ 12 - 0
web/rootfs/etc/cont-init.d/10-config

@@ -24,6 +24,18 @@ if [[ ! -f /config/config.js ]]; then
         -e "s#muc:.*#muc: '${XMPP_MUC_DOMAIN}',#" \
         -e "s#// focusUserJid:.*#focusUserJid: '${JICOFO_AUTH_USER}@${XMPP_AUTH_DOMAIN}',#" \
         /config/config.js
+
+    if [[ $ENABLE_AUTH -eq 1 ]]; then
+        if [[ $ENABLE_GUESTS -eq 1 ]]; then
+            sed -i \
+                -e "s#// anonymousdomain:.*#anonymousdomain: '${XMPP_GUEST_DOMAIN}',#" \
+                /config/config.js
+        fi
+
+        sed -i \
+            -e "s#// authdomain:.*#authdomain: '${XMPP_DOMAIN}',#" \
+            /config/config.js
+    fi
 fi
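Review bot: `[[ $ENABLE_AUTH -eq 1 ]]` and the nested `[[ $ENABLE_GUESTS -eq 1 ]]` rely on bash's arithmetic evaluation treating an unset or empty operand as 0, and a non-numeric value such as `true` is silently evaluated as a variable name and also becomes 0, so the flag is ignored without any message. Writing the intended contract explicitly, `if [[ "${ENABLE_AUTH:-0}" == "1" ]]; then` and likewise for `ENABLE_GUESTS`, makes the accepted value obvious and matches the `=1` form documented in env.example. The enclosing `if [[ ! -f /config/config.js ]]` block starts above the hunk.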
 
 if [[ ! -f /config/interface_config.js ]]; then