Update to 2024-07-22 23:00

2025-08-03 23:26:58 +02:00 · 2024-07-22 23:00:11 +02:00
parent f5421b17f0
commit cd302033bd
112 changed files with 15413 additions and 340 deletions
--- a/roles/jitsi/files/prosody/modules/mod_muc_auth_ban.lua
+++ b/roles/jitsi/files/prosody/modules/mod_muc_auth_ban.lua
@@ -0,0 +1,88 @@
+-- Can be used to ban users based on external http service
+-- Copyright (C) 2023-present 8x8, Inc.
+
+local ACCESS_MANAGER_URL = module:get_option_string("muc_prosody_jitsi_access_manager_url");
+if not ACCESS_MANAGER_URL then
+    module:log("warn", "No 'muc_prosody_jitsi_access_manager_url' option set, disabling module");
+    return
+end
+
+local json = require "cjson.safe";
+local http = require "net.http";
+local inspect = require 'inspect';
+
+local ban_check_count = module:measure("muc_auth_ban_check", "rate")
+local ban_check_users_banned_count = module:measure("muc_auth_ban_users_banned", "rate")
+
+-- we will cache banned tokens to avoid extra requests
+-- on destroying session, websocket retries 2 more times before giving up
+local cache = require "util.cache".new(100);
+
+local CACHE_DURATION = 5*60; -- 5 mins
+
+local cache_timer = module:add_timer(CACHE_DURATION, function()
+    for k, v in cache:items() do
+        if socket.gettime() > v + CACHE_DURATION then
+            cache:set(k, nil);
+        end
+    end
+
+    if cache:count() > 0 then
+        -- rescheduling the timer
+        return CACHE_DURATION;
+    end
+
+    -- skipping return value stops the timer
+end);
+
+local function shouldAllow(session)
+    local token = session.auth_token;
+
+    if token ~= nil then
+        -- module:log("debug", "Checking whether user should be banned ")
+
+        -- cached tokens are banned
+        if cache:get(token) then
+            return false;
+        end
+
+        -- TODO: do this only for enabled customers
+        ban_check_count();
+        local function cb(content, code, response, request)
+            if code == 200 then
+
+                local r = json.decode(content)
+                if r['access'] ~= nil and r['access'] == false then
+                    module:log("info", "User is banned room:%s tenant:%s user_id:%s group:%s",
+                        session.jitsi_meet_room, session.jitsi_web_query_prefix,
+                        inspect(session.jitsi_meet_context_user), session.jitsi_meet_context_group);
+
+                    ban_check_users_banned_count();
+
+                    session:close();
+
+                    -- if the cache is empty and the timer is not running reschedule it
+                    if cache:count() == 0 then
+                        cache_timer:reschedule(CACHE_DURATION);
+                    end
+
+                    cache:set(token, socket.gettime());
+                end
+            end
+        end
+
+        local request_headers = {}
+        request_headers['Authorization'] = 'Bearer ' .. token;
+
+        http.request(ACCESS_MANAGER_URL, {
+            headers = request_headers,
+            method = "GET",
+        }, cb);
+
+        return true;
+    end
+end
+
+prosody.events.add_handler("jitsi-access-ban-check", function(session)
+    return shouldAllow(session)
+end)