Moderated rooms or subdomains (#6959)

* fix: Fixes using token with no user context.

* feat(moderated): Adds option to add moderated rooms and subdomains.

When a user joins such room or subdomain in order to be a moderator needs to provide a valid jwt token for that room.

* squash: Renames function.

* ref: Removes filtering jicofo setting owners.

This will be disabled on jicofo side and will greatly simplify logic.
Also check the checks to avoid jwt for main domain to access subdomains and the other way around.

* fix: Skips allowners logic for admins.

react/features/base/jwt/middleware.js

@@ -141,7 +141,7 @@ function _setJWT(store, next, action) {
                 action.jwt = jwt;
                 action.issuer = iss;
                 if (context) {
-                    const user = _user2participant(context.user);
+                    const user = _user2participant(context.user || {});
 
                     action.callee = context.callee;
                     action.group = context.group;

resources/prosody-plugins/mod_muc_allowners.lua

@@ -1,12 +1,71 @@
+local jid = require "util.jid";
+local um_is_admin = require "core.usermanager".is_admin;
 local is_healthcheck_room = module:require "util".is_healthcheck_room;
 
+local moderated_subdomains;
+local moderated_rooms;
+
+local function load_config()
+    moderated_subdomains = module:get_option_set("allowners_moderated_subdomains", {})
+    moderated_rooms = module:get_option_set("allowners_moderated_rooms", {})
+end
+load_config();
+
+local function is_admin(jid)
+    return um_is_admin(jid, module.host);
+end
+
+-- Checks whether the jid is moderated, the room name is in moderated_rooms
+-- or if the subdomain is in the moderated_subdomains
+-- @return returns on of the:
+--      -> false
+--      -> true, room_name, subdomain
+--      -> true, room_name, nil (if no subdomain is used for the room)
+local function is_moderated(room_jid)
+    local room_node = jid.node(room_jid);
+    -- parses bare room address, for multidomain expected format is:
+    -- [subdomain]roomName@conference.domain
+    local target_subdomain, target_room_name = room_node:match("^%[([^%]]+)%](.+)$");
+
+    if target_subdomain then
+        if moderated_subdomains:contains(target_subdomain) then
+            return true, target_room_name, target_subdomain;
+        end
+    elseif moderated_rooms:contains(room_node) then
+        return true, room_node, nil;
+    end
+
+    return false;
+end
+
 module:hook("muc-occupant-joined", function (event)
     local room, occupant = event.room, event.occupant;
 
-    if is_healthcheck_room(room.jid) then
+    if is_healthcheck_room(room.jid) or is_admin(occupant.jid) then
         return;
     end
 
+    local moderated, room_name, subdomain = is_moderated(room.jid);
+    if moderated then
+        local session = event.origin;
+        local token = session.auth_token;
+
+        if not token then
+            module:log('debug', 'skip allowners for non-auth user subdomain:%s room_name:%s', subdomain, room_name);
+            return;
+        end
+
+        if not (room_name == session.jitsi_meet_room) then
+            module:log('debug', 'skip allowners for auth user and non matching room name: %s, jwt room name: %s', room_name, session.jitsi_meet_room);
+            return;
+        end
+
+        if not (subdomain == session.jitsi_meet_context_group) then
+            module:log('debug', 'skip allowners for auth user and non matching room subdomain: %s, jwt subdomain: %s', subdomain, session.jitsi_meet_context_group);
+            return;
+        end
+    end
+
     room:set_affiliation(true, occupant.bare_jid, "owner");
 end, 2);
 
@@ -19,3 +78,5 @@ module:hook("muc-occupant-left", function (event)
 
     room:set_affiliation(true, occupant.bare_jid, nil);
 end, 2);
+
+module:hook_global('config-reloaded', load_config);