prosody: authentication by matrix user authentication service

Added env variables and prosody plugins to authenticate prosody users by the matrix user authentication service, refer to https://github.com/matrix-org/prosody-mod-auth-matrix-user-verification

Co-authored-by: Markus Münzel <[email protected]>

Author: mm28ajos

docker-compose.yml

@@ -170,6 +170,10 @@ services:
             - JWT_ALLOW_EMPTY
             - JWT_AUTH_TYPE
             - JWT_TOKEN_AUTH_MODULE
+            - MATRIX_UVS_URL
+            - MATRIX_UVS_ISSUER
+            - MATRIX_UVS_AUTH_TOKEN
+            - MATRIX_UVS_SYNC_POWER_LEVELS
             - LOG_LEVEL
             - LDAP_AUTH_METHOD
             - LDAP_BASE

env.example

@@ -142,7 +142,7 @@ ETHERPAD_SKIN_VARIANTS="super-light-toolbar super-light-editor light-background
 # Enable guest access
 #ENABLE_GUESTS=1
 
-# Select authentication type: internal, jwt or ldap
+# Select authentication type: internal, jwt, ldap or matrix
 #AUTH_TYPE=internal
 
 # JWT authentication
@@ -207,6 +207,22 @@ ETHERPAD_SKIN_VARIANTS="super-light-toolbar super-light-editor light-background
 # LDAP_START_TLS=1
 
 
+# Matrix authentication (for more information see the documention of the "Prosody Auth Matrix User Verification" at https://github.com/matrix-org/prosody-mod-auth-matrix-user-verification)
+#
+
+# Base URL to the matrix user verification service (without ending slash)
+#MATRIX_UVS_URL=https://uvs.example.com:3000
+
+# (optional) The issuer of the auth token to be passed through. Must match what is being set as `iss` in the JWT. Defaut value is "issuer".
+#MATRIX_UVS_ISSUER=issuer
+
+# (optional) user verification service auth token, if authentication enabled
+#MATRIX_UVS_AUTH_TOKEN=changeme
+
+# (optional) Make Matrix room moderators owners of the Prosody room.
+#MATRIX_UVS_SYNC_POWER_LEVELS=1
+
+
 #
 # Advanced configuration options (you generally don't need to change these)
 #

prosody/Dockerfile

@@ -26,6 +26,8 @@ LABEL org.opencontainers.image.documentation="https://jitsi.github.io/handbook/"
 
 ENV XMPP_CROSS_DOMAIN="false"
 
+ARG VERSION_MATRIX_USER_VERIFICATION_SERVICE_PLUGIN="1.7.0"
+
 RUN wget -qO /etc/apt/trusted.gpg.d/prosody.gpg https://prosody.im/files/prosody-debian-packages.key && \
     echo "deb http://packages.prosody.im/debian bullseye main" > /etc/apt/sources.list.d/prosody.list && \
     apt-dpkg-wrap apt-get update && \
@@ -47,7 +49,12 @@ RUN wget -qO /etc/apt/trusted.gpg.d/prosody.gpg https://prosody.im/files/prosody
     mv /tmp/pkg/usr/share/jitsi-meet/prosody-plugins /prosody-plugins && \
     apt-cleanup && \
     rm -rf /tmp/pkg /var/cache/apt && \
-    patch -d /usr/lib/prosody/modules/muc -p0 < /prosody-plugins/muc_owner_allow_kick.patch
+    patch -d /usr/lib/prosody/modules/muc -p0 < /prosody-plugins/muc_owner_allow_kick.patch && \
+    wget https://github.com/matrix-org/prosody-mod-auth-matrix-user-verification/archive/refs/tags/v$VERSION_MATRIX_USER_VERIFICATION_SERVICE_PLUGIN.tar.gz && \
+    tar -xf v$VERSION_MATRIX_USER_VERIFICATION_SERVICE_PLUGIN.tar.gz && \
+    mv prosody-mod-auth-matrix-user-verification-$VERSION_MATRIX_USER_VERIFICATION_SERVICE_PLUGIN/mod_auth_matrix_user_verification.lua $PROSODY_PLUGINS_FOLDER && \
+    mv prosody-mod-auth-matrix-user-verification-$VERSION_MATRIX_USER_VERIFICATION_SERVICE_PLUGIN/mod_matrix_power_sync.lua $PROSODY_PLUGINS_FOLDER && \
+    rm -rf prosody-mod-auth-matrix-user-verification-$VERSION_MATRIX_USER_VERIFICATION_SERVICE_PLUGIN v$VERSION_MATRIX_USER_VERIFICATION_SERVICE_PLUGIN.tar.gz
 
 COPY rootfs/ /
 

prosody/rootfs/defaults/conf.d/jitsi-meet.cfg.lua

@@ -4,6 +4,8 @@
 {{ $JWT_ASAP_KEYSERVER := .Env.JWT_ASAP_KEYSERVER | default "" }}
 {{ $JWT_ALLOW_EMPTY := .Env.JWT_ALLOW_EMPTY | default "0" | toBool }}
 {{ $JWT_AUTH_TYPE := .Env.JWT_AUTH_TYPE | default "token" }}
+{{ $MATRIX_UVS_ISSUER := .Env.MATRIX_UVS_ISSUER | default "issuer" }}
+{{ $MATRIX_UVS_SYNC_POWER_LEVELS := .Env.MATRIX_UVS_SYNC_POWER_LEVELS | default "0" | toBool }}
 {{ $JWT_TOKEN_AUTH_MODULE := .Env.JWT_TOKEN_AUTH_MODULE | default "token_verification" }}
 {{ $ENABLE_LOBBY := .Env.ENABLE_LOBBY | default "true" | toBool }}
 {{ $ENABLE_AV_MODERATION := .Env.ENABLE_AV_MODERATION | default "true" | toBool }}
@@ -85,11 +87,20 @@ VirtualHost "{{ .Env.XMPP_DOMAIN }}"
     {{ if $JWT_ASAP_KEYSERVER }}
     asap_key_server = "{{ .Env.JWT_ASAP_KEYSERVER }}"
     {{ end }}
-
-    {{ else if eq $AUTH_TYPE "ldap" }}
+  {{ else if eq $AUTH_TYPE "ldap" }}
     authentication = "cyrus"
     cyrus_application_name = "xmpp"
     allow_unencrypted_plain_auth = true
+  {{ else if eq $AUTH_TYPE "matrix" }}
+    authentication = "matrix_user_verification"
+    app_id = "{{ $MATRIX_UVS_ISSUER }}"
+    uvs_base_url = "{{ .Env.MATRIX_UVS_URL }}"
+    {{ if .Env.MATRIX_UVS_AUTH_TOKEN }}
+    uvs_auth_token = "{{ .Env.MATRIX_UVS_AUTH_TOKEN }}"
+    {{ end }}
+    {{ if $MATRIX_UVS_SYNC_POWER_LEVELS }}
+    uvs_sync_power_levels = true
+    {{ end }}
   {{ else if eq $AUTH_TYPE "internal" }}
     authentication = "internal_hashed"
   {{ end }}
@@ -198,6 +209,9 @@ Component "{{ .Env.XMPP_MUC_DOMAIN }}" "muc"
         {{ end -}}
         {{ if and $ENABLE_AUTH (eq $AUTH_TYPE "jwt") -}}
         "{{ $JWT_TOKEN_AUTH_MODULE }}";
+        {{ end }}
+        {{ if and $ENABLE_AUTH (eq $AUTH_TYPE "matrix") $MATRIX_UVS_SYNC_POWER_LEVELS -}}
+        "matrix_power_sync";
         {{ end -}}
         {{ if not $DISABLE_POLLS -}}
         "polls";