jitsi · damencho · Dec 4, 2024 · Dec 4, 2024 · Dec 4, 2024 · Dec 4, 2024
diff --git a/ansible/roles/prosody/files/mod_muc_auth_vpaas.lua b/ansible/roles/prosody/files/mod_muc_auth_vpaas.lua
@@ -1,10 +1,13 @@
+-- Loaded only under main muc module
 local json_safe = require "cjson.safe";
 local basexx = require "basexx";
 local cache = require "util.cache";
 
 local st = require "util.stanza";
 local timer = require "util.timer";
 
+local um_is_admin = require "core.usermanager".is_admin;
+
 local inspect = require('inspect');
 
 local util_internal = module:require "util.internal";
@@ -44,6 +47,10 @@ local token_util = module:require "token/util".new(parentCtx);
 
 local DEBUG = false;
 
+local function is_admin(jid)
+    return um_is_admin(jid, module.host);
+end
+
 function invalidate_cache()
     token_util:clear_asap_cache()
     return CACHE_EXPIRATION_SECONDS;
@@ -161,62 +168,65 @@ local function deny_access(origin, stanza, room_disabled_access, room, occupant)
     local room_jid = room.jid;
     local token = origin.auth_token;
     local tenant = origin.jitsi_meet_domain;
-    if not is_healthcheck_room(room_jid) and not util_internal.is_blacklisted(occupant) then
-        local initiator = stanza:get_child('initiator', 'http://jitsi.org/protocol/jigasi');
-        if initiator then
-            if DEBUG then module:log("debug", "Let Jigasi pass throw"); end
-            return nil;
-        end
 
-        if util.is_sip_jibri_join(stanza) then
-            module:log("info", "Let Sip Jibri pass through %s", occupant);
-            return nil;
-        end
+    if is_healthcheck_room(room_jid)
+        or is_admin(occupant.bare_jid)
 
-        if not is_vpaas(room) then
-            if DEBUG then module:log("debug", "Skip VPAAS related verifications for non VPAAS room %s", room_jid); end
-            return nil;
-        end
+        -- Skip VPAAS related verifications for non VPAAS room
+        or not is_vpaas(room)
 
-        if DEBUG then module:log("debug",
-            "Will verify if VPAAS room: %s has token on user %s pre-join", room_jid, occupant); end
-        -- we allow participants from the main prosody to connect without token to the visitor one
-        if token == nil and origin.type ~= 's2sin' then
-            module:log("warn", "VPAAS room %s does not have a token", room_jid);
-            origin.send(st.error_reply(stanza, "cancel", "not-allowed", "VPAAS room disabled for guests"));
-            return true;
-        end
+        -- Let Jigasi or transcriber pass throw
+        or util.is_sip_jigasi(stanza)
+        or util.is_transcriber_jigasi(stanza)
 
-        if token ~= nil and not starts_with(tenant, VPAAS_PREFIX) then
-            if room._data.vpaas_guest_access then
-                -- make sure it is not authenticated user, a guest (no features are set)
-                origin.auth_token = nil;
-                origin.jitsi_meet_room = nil;
-                origin.jitsi_meet_domain = nil;
-                origin.jitsi_meet_str_tenant = nil;
-                origin.jitsi_meet_context_user = nil;
-                origin.jitsi_meet_context_group = nil;
-                origin.jitsi_meet_context_features = nil;
-                origin.jitsi_meet_context_room = nil;
-                origin.contextRequired = nil;
-                origin.public_key = nil;
-                origin.kid = nil;
-                -- let's mark this session that we cleared the token
-                origin.vpaas_guest_access = true;
-
-                return nil;
-            end
-
-            module:log("warn", "VPAAS room %s is disabled for tenant %s", room_jid, tenant);
-            origin.send(st.error_reply(stanza, "cancel", "not-allowed", "VPAAS room disabled for 8x8 users"));
-            return true;
-        end
+        -- is jibri
+        or util.is_jibri(occupant)
 
-        if room_disabled_access then
-            module:log("warn", "VPAAS room %s has access disabled due to blocked or deleted tenant %s", room_jid, tenant);
-            origin.send(st.error_reply(stanza, "cancel", "not-allowed", "VPAAS room disabled due to blocked or deleted tenant"));
-            return true;
+        -- Let Sip Jibri pass through
+        or util.is_sip_jibri_join(stanza) then
+        return nil;
+    end
+
+    if DEBUG then module:log("debug",
+        "Will verify if VPAAS room: %s has token on user %s pre-join", room_jid, occupant); end
+
+    -- we allow participants from the main prosody to connect without token to the visitor one
+    if token == nil and origin.type ~= 's2sin' then
+        module:log("warn", "VPAAS room %s does not have a token", room_jid);
+        origin.send(st.error_reply(stanza, "cancel", "not-allowed", "VPAAS room disabled for guests"));
+        return true;
+    end
+
+    -- This is the case when a participant with a valid token (8x8) access a jaas room, we want it to join as a guest
+    if token ~= nil and not starts_with(tenant, VPAAS_PREFIX) then
+        if room._data.vpaas_guest_access then
+            -- make sure it is not authenticated user, a guest (no features are set)
+            origin.auth_token = nil;
+            origin.jitsi_meet_room = nil;
+            origin.jitsi_meet_domain = nil;
+            origin.jitsi_meet_str_tenant = nil;
+            origin.jitsi_meet_context_user = nil;
+            origin.jitsi_meet_context_group = nil;
+            origin.jitsi_meet_context_features = nil;
+            origin.jitsi_meet_context_room = nil;
+            origin.contextRequired = nil;
+            origin.public_key = nil;
+            origin.kid = nil;
+            -- let's mark this session that we cleared the token
+            origin.vpaas_guest_access = true;
+
+            return nil;
         end
+
+        module:log("warn", "VPAAS room %s is disabled for tenant %s", room_jid, tenant);
+        origin.send(st.error_reply(stanza, "cancel", "not-allowed", "VPAAS room disabled for 8x8 users"));
+        return true;
+    end
+
+    if room_disabled_access then
+        module:log("warn", "VPAAS room %s has access disabled due to blocked or deleted tenant %s", room_jid, tenant);
+        origin.send(st.error_reply(stanza, "cancel", "not-allowed", "VPAAS room disabled due to blocked or deleted tenant"));
+        return true;
     end
 
     return nil;

diff --git a/ansible/roles/prosody/files/mod_muc_events.lua b/ansible/roles/prosody/files/mod_muc_events.lua
@@ -1,5 +1,6 @@
 module:set_global();
 
+local um_is_admin = require "core.usermanager".is_admin;
 local jid = require "util.jid";
 local http = require "net.http";
 local json = require "cjson";
@@ -8,8 +9,11 @@ local socket = require "socket";
 local uuid_gen = require "util.uuid".generate;
 local jwt = module:require "luajwtjitsi";
 local util = module:require "util.internal";
-local is_healthcheck_room = module:require "util".is_healthcheck_room;
-local is_vpaas = module:require "util".is_vpaas;
+local oss_util = module:require "util";
+local is_healthcheck_room = oss_util.is_healthcheck_room;
+local is_jibri = oss_util.is_jibri;
+local is_vpaas = oss_util.is_vpaas;
+local is_transcriber_jigasi = oss_util.is_transcriber_jigasi;
 
 local event_count = module:measure("muc_events_rate", "rate")
 local event_count_failed = module:measure("muc_events_failed", "rate")
@@ -22,10 +26,6 @@ local function onConfCacheEvict(evictedKey, evictedValue)
 end
 local confCache = require"util.cache".new(confCacheSize, onConfCacheEvict);
 
--- option to ignore events about the focus and other components
-local blacklistPrefixes
-    = module:get_option_array("muc_events_blacklist_prefixes", {'focus@auth.','recorder@recorder.','jibria@recorder.','jibrib@','jvb@auth.','jibri@auth.','jibria@auth.','jibrib@auth.','transcriber@recorder.', 'transcribera@recorder.', 'transcriberb@recorder.'});
-
 local eventURL
     = module:get_option_string("muc_events_url", 'http://127.0.0.1:9880/');
 
@@ -61,6 +61,10 @@ local escaped_muc_domain_prefix = muc_domain_prefix:gsub("%p", "%%%1");
 local target_subdomain_pattern
     = "^"..escaped_muc_domain_prefix..".([^%.]+)%."..escaped_muc_domain_base;
 
+local function is_admin(jid)
+    return um_is_admin(jid, module.host);
+end
+
 local function remove_from_cache(key)
     confCache:set(key, nil);
 end
@@ -162,17 +166,6 @@ local function extract_occupant_details(occupant)
     return r;
 end
 
-local function isBlacklisted(occupant)
-    for i, bPrefix in ipairs(blacklistPrefixes) do
-        if string.sub(occupant.bare_jid,1,string.len(bPrefix)) == bPrefix then
-            if DEBUG then module:log("debug","Blacklist prefix: %s found in %s ", bPrefix, occupant); end
-            return true;
-        end
-    end
-
-    return false;
-end
-
 local function cb(content_, code_, response_, request_)
     if code_ == 200 or code_ == 204 then
         if DEBUG then module:log("debug", "URL Callback: Code %s, Content %s, Request (host %s, path %s, body %s), Response: %s",
@@ -285,15 +278,10 @@ local function processJoinLeftEvent(type,event)
     if DEBUG then module:log("debug", "%s keys in confCache", confCache:count()); end
     local who = event.occupant;
 
-    -- search bare_jid for blacklisted prefixes before sending events
-    if isBlacklisted(who) then
-        if DEBUG then module:log("debug", "processJoinLeftEvent: occupant is blacklisted %s", who); end
-        return;
-    end
-
-    -- search room jid for tenancy prefixes before sending events
-    if is_vpaas(event.room) then
-        if DEBUG then module:log("debug", "processJoinLeftEvent: room tenant is droplisted %s", event.room.jid); end
+    if is_admin(who.bare_jid)
+        or is_vpaas(event.room)
+        or is_jibri(who)
+        or is_transcriber_jigasi(event.stanza) then
         return;
     end
 
@@ -395,15 +383,10 @@ local function handleBroadcastPresence(event)
     local occupant_jid = occupant.jid;
     local room_jid = event.room.jid;
 
-    -- search bare_jid for blacklisted prefixes before broadcasting events
-    if isBlacklisted(occupant) then
-        if DEBUG then module:log("debug", "handleBroadcastPresence: occupant is blacklisted %s", occupant.bare_jid); end
-        return;
-    end
-
-    -- search room jid for tenancy prefixes before sending events
-    if is_vpaas(event.room) then
-        if DEBUG then module:log("debug", "handleBroadcastPresence: room tenant is droplisted %s", room_jid); end
+    if is_admin(occupant.bare_jid)
+        or is_vpaas(event.room)
+        or is_jibri(occupant)
+        or is_transcriber_jigasi(event.stanza) then
         return;
     end
 
@@ -444,8 +427,8 @@ end
 -- used only for vo
 local function processSubjectUpdate(occupant, room, new_subject)
     local room_jid = room.jid;
-    if is_vpaas(room) then
-        if DEBUG then module:log("debug", "processSubjectUpdate: room tenant is droplisted %s", room_jid); end
+
+    if is_admin(occupant.bare_jid) or is_vpaas(room) then
         return;
     end
 
@@ -462,12 +445,6 @@ local function processSubjectUpdate(occupant, room, new_subject)
     pdetails['jid'] = occupant.jid;
     pdetails['bare_jid'] = occupant.bare_jid;
 
-    -- search bare_jid for blacklisted prefixes before sending events
-    if isBlacklisted(occupant) then
-        if DEBUG then module:log("debug", "processSubjectUpdate occupant is blacklisted %s", occupant); end
-        return;
-    end
-
     local cdetails = load_from_cache(room_jid);
     cdetails["subject"] = new_subject;
     store_in_cache(room_jid, cdetails);
@@ -658,12 +635,10 @@ local function handleSpeakerStats(event)
     end
     for user_jid, speakerTime in pairs(event.roomSpeakerStats) do
         if (user_jid ~= "dominantSpeakerId" and user_jid ~= "sessionId" and user_jid ~= "isBreakout" and user_jid ~= "breakoutRoomId") then
-            if not util.is_blacklisted(user_jid) then
-                if speakerTime.context_user ~= nil then
-                    requestBody.speakerStats[user_jid] = { time = speakerTime.totalDominantSpeakerTime; name = speakerTime.context_user.name; email = speakerTime.context_user.email; id = speakerTime.context_user.id; };
-                else
-                    requestBody.speakerStats[user_jid] = { time = speakerTime.totalDominantSpeakerTime;};
-                end
+            if speakerTime.context_user ~= nil then
+                requestBody.speakerStats[user_jid] = { time = speakerTime.totalDominantSpeakerTime; name = speakerTime.context_user.name; email = speakerTime.context_user.email; id = speakerTime.context_user.id; };
+            else
+                requestBody.speakerStats[user_jid] = { time = speakerTime.totalDominantSpeakerTime;};
             end
         end
     end

diff --git a/ansible/roles/prosody/files/mod_muc_permissions_vpaas.lua b/ansible/roles/prosody/files/mod_muc_permissions_vpaas.lua
@@ -113,7 +113,12 @@ module:hook("muc-occupant-pre-join", function(event)
     local room, session, stanza = event.room, event.origin, event.stanza;
     local occupant_jid = stanza.attr.from;
 
-    if is_healthcheck_room(room.jid) or util.is_blacklisted(occupant_jid) then
+    if is_healthcheck_room(room.jid)
+        or is_admin(occupant_jid)
+        or oss_util.is_sip_jigasi(stanza)
+        or oss_util.is_transcriber_jigasi(stanza)
+        or oss_util.is_jibri(occupant)
+        or oss_util.is_sip_jibri_join(stanza) then
         return;
     end