Merge pull request #395 from defnull/patch-collection

Multiple fixes and features, including security hardening.

Author: defnull

README.md

@@ -81,26 +81,26 @@ A secret seed used to generate other host-local secrets and passwords. Override
 * **`bbb_local_ip`** (default: `127.0.0.1`)\
   IP of your loopback device.
 
-* **`bbb_bind_ip4`** (default: `{{ ansible_default_ipv4.address }}`)\
+* **`bbb_bind_ip4`** (default: `{{ ansible_facts.default_ipv4.address }}`)\
   IP (v4) address public services should bind to. This may be a LAN IP if your
   server is behind a NAT router and does not know its own public IP. Do not
   forget to set `bbb_public_ip4` in this case!
 
-* **`bbb_public_ip4`** (default: `{{ ansible_default_ipv4.address }}`)\
+* **`bbb_public_ip4`** (default: `{{ ansible_facts.default_ipv4.address }}`)\
   Public IPv4 address of your server. Required if ansible cannot detect your
   public IP automatically. This may happen if your server is behind a NAT router
   and your public IP is not assigned to the primary interface, or if your primary
   interface has multiple IPs assigned and the first one is not your public IP.
 
-* **`bbb_bind_ip6`** (default: `{{ ansible_default_ipv6.address | default(None) }}`)\
+* **`bbb_bind_ip6`** (default: `{{ ansible_facts.default_ipv6.address | default(None) }}`)\
   Same as `bbb_bind_ip4` but for IPv6. Set this to `None` to disable IPv6 even
   if your server technically supports it.
 
-* **`bbb_public_ip6`** (default: `{{ ansible_default_ipv6.address | default(None) }}`)\
+* **`bbb_public_ip6`** (default: `{{ ansible_facts.default_ipv6.address | default(None) }}`)\
   Same as `bbb_public_ip4` but for IPv6. Set this to `None` to disable IPv6 even
   if your server technically supports it.
 
-* **`bbb_net_mtu`** (default: `{{ ansible_default_ipv4.mtu | default(1500) }}`)\
+* **`bbb_net_mtu`** (default: `{{ ansible_facts.default_ipv4.mtu | default(1500) }}`)\
   MTU (maximum transfer unit) for outgoing packets. Some cloud environments
   use a smaller MTU and docker needs extra configuration in that case.
 
@@ -150,7 +150,7 @@ You can either use ACME (e.g. letsencrypt) to auto-generate certificates, or cop
 
 * **`bbb_ufw_rules`** (default: `{}`)\
   A hash of named rules. Each rule can define `rule` (default: allow), `direction` (default: in), `from` (default: any), `to` (default: any) and `port` (required) properties. There are a bunch of default rules for BBB that can be overridden by using the same rule-name. Take special care to the `ssh` rule, which allows traffic from any IP to port 22 by default.
-  To remove a named rule, set it to `false`. Just removing the named rule from config will not actually remove the rule in ufw.
+  To remove a named rule, set it to `False`. Just removing the named rule from config will not actually remove the rule in ufw.
 
 * **`bbb_ufw_reject_networks`** (default: `[]`)\
   Block outgoing traffic to these networks in addition to `bbb_ufw_reject_networks_default`, which contains all non-routeable (LAN) networks by default. This prevets a certain group of security issues where the BBB server is tricked into accessing non-public services on the private LAN.
@@ -246,7 +246,7 @@ rest, you are on your own. Good luck!
 * **`bbb_dialin_provider`** (required if `bbb_dialin_enable` is true)\
   Domain or IP of your SIP provider, also known as registrar. Example: `sip.example.com`
 
-* **`bbb_dialin_provider_ip`** (required if `bbb_dialin_enable` and `bbb_firewall_enable` are true)\
+* **`bbb_dialin_provider_ip`** (required if `bbb_dialin_enable` and `bbb_ufw_enable` are true)\
   IP or network of your SIP provider. Example: `1.2.3.4` or ``
 
 * **`bbb_dialin_provider_username`** (required if `bbb_dialin_enable` is true)\
@@ -405,6 +405,8 @@ This role generates configuration with sensible defaults out of the box and cove
 * **`bbb_config_presentation`** (default: `{}`)\
   Custom overrides for `/etc/bigbluebutton/recording/presentation.yml`. This will be deep-merged into the role-managed configuration. List values will not be merged, but replaced.
 
+* **`bbb_config_video`** (default: `{}`)\
+  Custom overrides for `/etc/bigbluebutton/recording/video.yml`. This will be deep-merged into the role-managed configuration. List values will not be merged, but replaced.
 
 ### Other stuff not full migrated to BBB 3.0 yet.
 

defaults/main.yml

@@ -37,11 +37,11 @@ bbb_ssl_key: /etc/bigbluebutton/ssl/private.key
 
 bbb_set_hostname: "{{ bbb_hostname }}"
 bbb_local_ip: "127.0.0.1"
-bbb_bind_ip4: "{{ ansible_default_ipv4.address }}"
-bbb_bind_ip6: "{{ ansible_default_ipv6.address | default(None) }}"
-bbb_public_ip4: "{{ ansible_default_ipv4.address }}"
-bbb_public_ip6: "{{ ansible_default_ipv6.address | default(None) }}"
-bbb_net_mtu: "{{ ansible_default_ipv4.mtu | default(1500) }}"
+bbb_bind_ip4: "{{ ansible_facts.default_ipv4.address }}"
+bbb_bind_ip6: "{{ ansible_facts.default_ipv6.address | default(None) }}"
+bbb_public_ip4: "{{ ansible_facts.default_ipv4.address }}"
+bbb_public_ip6: "{{ ansible_facts.default_ipv6.address | default(None) }}"
+bbb_net_mtu: "{{ ansible_facts.default_ipv4.mtu | default(1500) }}"
 
 # Firewall
 
@@ -89,6 +89,7 @@ bbb_config_web: {} # bbb-web.properties
 bbb_config_html5: {} # bbb-html5.yml
 bbb_config_etherpad: {} # etherpad.json
 bbb_config_presentation: {} # recording/presentation.yml
+bbb_config_video: {} # recording/video.yml
 
 ### STUN/TURN Servers
 
@@ -102,6 +103,7 @@ bbb_turn_servers: [] # e.g. [{url: "turns:turn.example.com:443?transport=tcp", s
 
 # bbb_cluster_proxy: frontend.example.com
 bbb_cluster_node: "{{ bbb_hostname | split('.') | first }}"
+bbb_cluster_crossorigin: "{{ bbb_cluster_proxy is defined and not bbb_hostname.endswith('.' + bbb_cluster_proxy) }}"
 
 ### Freeswitch config
 bbb_freeswitch_socket_password: "{{ ('fsp' + bbb_host_seed) | hash('sha256') }}"
@@ -124,6 +126,7 @@ bbb_dialin_enable: false
 # bbb_dialin_default_number: "613-555-1234"
 bbb_dialin_pin_minlen: 5
 bbb_dialin_pin_maxlen: 5
+bbb_dialin_pin_stdlen: "{{ bbb_dialin_pin_minlen }}"
 bbb_dialin_pin_timeout: 10000
 bbb_dialin_pin_maxwait: 5000
 bbb_dialin_pin_retries: 3

files/ImageMagick-policy.xml

@@ -0,0 +1,106 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE policymap [
+<!ELEMENT policymap (policy)*>
+<!ATTLIST policymap xmlns CDATA #FIXED "">
+<!ELEMENT policy EMPTY>
+<!ATTLIST policy xmlns CDATA #FIXED "">
+<!ATTLIST policy domain NMTOKEN #REQUIRED>
+<!ATTLIST policy name NMTOKEN #IMPLIED>
+<!ATTLIST policy pattern CDATA #IMPLIED>
+<!ATTLIST policy rights NMTOKEN #IMPLIED>
+<!ATTLIST policy stealth NMTOKEN #IMPLIED>
+<!ATTLIST policy value CDATA #IMPLIED>
+]>
+<!-- 
+  Creating a security policy that fits your specific local environment
+  before making use of ImageMagick is highly advised. You can find guidance on
+  setting up this policy at https://imagemagick.org/script/security-policy.php,
+  and it's important to verify your policy using the validation tool located
+  at https://imagemagick-secevaluator.doyensec.com/.
+  Web-safe ImageMagick security policy:
+  This security protocol designed for web-safe usage focuses on situations
+  where ImageMagick is applied in publicly accessible contexts, like websites.
+  It deactivates the capability to read from or write to any image formats
+  other than web-safe formats like GIF, JPEG, and PNG. Additionally, this
+  policy prohibits the execution of image filters and indirect reads, thereby
+  thwarting potential security breaches. By implementing these limitations,
+  the web-safe policy fortifies the safeguarding of systems accessible to
+  the public, reducing the risk of exploiting ImageMagick's capabilities
+  for potential attacks.
+ -->
+<policymap>
+  <!-- Set maximum parallel threads. -->
+  <policy domain="resource" name="thread" value="2"/>
+  <!-- Set maximum time to live in seconds or neumonics, e.g. "2 minutes". When
+       this limit is exceeded, an exception is thrown and processing stops. -->
+  <policy domain="resource" name="time" value="60"/>
+  <!-- Set maximum number of open pixel cache files. When this limit is
+       exceeded, any subsequent pixels cached to disk are closed and reopened
+       on demand. -->
+  <policy domain="resource" name="file" value="768"/>
+  <!-- Set maximum amount of memory in bytes to allocate for the pixel cache
+       from the heap. When this limit is exceeded, the image pixels are cached
+       to memory-mapped disk. -->
+  <policy domain="resource" name="memory" value="256MiB"/>
+  <!-- Set maximum amount of memory map in bytes to allocate for the pixel
+       cache. When this limit is exceeded, the image pixels are cached to
+       disk. -->
+  <policy domain="resource" name="map" value="512MiB"/>
+  <!-- Set the maximum width * height of an image that can reside in the pixel
+       cache memory. Images that exceed the area limit are cached to disk. -->
+  <policy domain="resource" name="area" value="16KP"/>
+  <!-- Set maximum amount of disk space in bytes permitted for use by the pixel
+       cache. When this limit is exceeded, the pixel cache is not be created
+       and an exception is thrown. -->
+  <policy domain="resource" name="disk" value="1GiB"/>
+  <!-- Set the maximum length of an image sequence.  When this limit is
+       exceeded, an exception is thrown. -->
+  <policy domain="resource" name="list-length" value="16"/>
+  <!-- Set the maximum width of an image.  When this limit is exceeded, an
+       exception is thrown. -->
+  <policy domain="resource" name="width" value="4KP"/>
+  <!-- Set the maximum height of an image.  When this limit is exceeded, an
+       exception is thrown. -->
+  <policy domain="resource" name="height" value="4KP"/>
+  <!-- Periodically yield the CPU for at least the time specified in
+       milliseconds. -->
+  <policy domain="resource" name="throttle" value="2"/>
+  <!-- Do not create temporary files in the default shared directories, instead
+       specify a private area to store only ImageMagick temporary files. -->
+  <!-- <policy domain="resource" name="temporary-path" value="/magick/tmp/"/> -->
+  <!-- Force memory initialization by memory mapping select memory
+       allocations. -->
+  <policy domain="cache" name="memory-map" value="anonymous"/>
+  <!-- Ensure all image data is fully flushed and synchronized to disk. -->
+  <policy domain="cache" name="synchronize" value="true"/>
+  <!-- Replace passphrase for secure distributed processing -->
+  <!-- <policy domain="cache" name="shared-secret" value="secret-passphrase" stealth="true"/> -->
+  <!-- Do not permit any delegates to execute. -->
+  <policy domain="delegate" rights="none" pattern="*"/>
+  <!-- Do not permit any image filters to load. -->
+  <policy domain="filter" rights="none" pattern="*"/>
+  <!-- Don't read/write from/to stdin/stdout. -->
+  <policy domain="path" rights="none" pattern="-"/>
+  <!-- don't read sensitive paths. -->
+  <policy domain="path" rights="none" pattern="/*"/>
+  <!-- allow access to required paths. -->
+  <policy domain="path" rights="read|write" pattern="/var/bigbluebutton/*"/>
+  <policy domain="path" rights="read|write" pattern="/tmp/*"/>
+  <!-- Indirect reads are not permitted. -->
+  <policy domain="path" rights="none" pattern="@*"/>
+  <!-- Deny all image modules and specifically exempt reading or writing
+       web-safe image formats. -->
+  <policy domain="module" rights="none" pattern="*" />
+  <policy domain="module" rights="read | write" pattern="{BMP,GIF,JPEG,PDF,PNG,TIFF,WEBP}"/>
+  <policy domain="module" rights="read | write" pattern="{MPC}" stealth="true"/>
+  <policy domain="module" rights="write" pattern="{JSON,INFO,PNM,PS,SVG}"/>
+  <!-- This policy sets the number of times to replace content of certain
+       memory buffers and temporary files before they are freed or deleted. -->
+  <policy domain="system" name="shred" value="1"/>
+  <!-- Enable the initialization of buffers with zeros, resulting in a minor
+       performance penalty but with improved security. -->
+  <policy domain="system" name="memory-map" value="anonymous"/>
+  <!-- Set the maximum amount of memory in bytes that are permitted for
+       allocation requests. -->
+  <policy domain="system" name="max-memory-request" value="256MiB"/>
+</policymap>

tasks/check-running.yml

@@ -14,7 +14,7 @@
 - name: Check for running meetings
   when:
     - bbb_check_running
-    - bbb_old_secret
+    - bbb_old_secret is present
   ansible.builtin.uri:
     url: https://{{ bbb_hostname }}/bigbluebutton/api/getMeetings?checksum={{ ('getMeetings' + bbb_old_secret) | hash('sha1') }}
     return_content: true
@@ -25,7 +25,7 @@
 - name: Fail if there are running meetings
   when:
     - bbb_check_running
-    - bbb_old_secret
+    - bbb_old_secret is present
     - meetings_result.status | default(500) == 200
     - "'<messageKey>noMeetings</messageKey>' not in meetings_result.content"
   ansible.builtin.fail:

tasks/check-vars.yml

@@ -19,7 +19,7 @@
     quiet: true
     that: "{{ item }}"
   loop:
-    - ansible_distribution_release | lower == bbb_ubuntu_name
+    - ansible_facts.distribution_release | lower == bbb_ubuntu_name
     - bbb_version.startswith(bbb_ubuntu_name)
 
 - name: Check core variables
@@ -44,7 +44,7 @@
 
 - name: Check IPv4 variables
   when:
-    - bbb_bind_ip4 or bbb_public_ip4
+    - bbb_bind_ip4 is present or bbb_public_ip4 is present
     - bbb_github_ci is undefined
   ansible.builtin.assert:
     quiet: true
@@ -56,7 +56,7 @@
 
 - name: Check IPv6 variables
   when:
-    - bbb_bind_ip6 or bbb_public_ip6
+    - bbb_bind_ip6 is present or bbb_public_ip6 is present
     - bbb_github_ci is undefined
   ansible.builtin.assert:
     quiet: true
@@ -148,8 +148,8 @@
 
 - name: Check dial-in firewall relevant variables
   when:
-     - bbb_dialin_enable
-     - bbb_firewall_enable
+    - bbb_dialin_enable
+    - bbb_ufw_enable
   ansible.builtin.assert:
     quiet: true
     that: "{{ item }}"

tasks/configure-bbb.yml

@@ -5,7 +5,7 @@
     path: "/etc/systemd/system/{{ item }}.service.d"
     state: directory
     mode: "0755"
-  when: item
+  when: item is present
   loop: &systemd_overrides
     - bbb-html5-frontend@
     - bbb-html5-backend@
@@ -22,7 +22,7 @@
     src: "systemd-overrides/{{ item }}.j2"
     dest: "/etc/systemd/system/{{ item }}.service.d/override.conf"
     mode: "0644"
-  when: item
+  when: item is present
   loop: *systemd_overrides
   notify:
     - Restart bigbluebutton
@@ -41,12 +41,12 @@
     path: "{{ item }}"
     state: directory
     mode: "0755"
-  when: item
+  when: item is present
   loop:
     - /etc/bigbluebutton/
     - /etc/bigbluebutton/recording
     - /etc/bigbluebutton/bbb-webrtc-sfu
-    - "{{ '/etc/bigbluebutton/bbb-webhooks' if bbb_webhooks_enable else False }}"
+    - "{{ '/etc/bigbluebutton/bbb-webhooks' if bbb_webhooks_enable else None }}"
 
 - name: Deploy bbb config files
   become: true
@@ -56,7 +56,7 @@
     owner: "{{ item.owner | default('root') }}"
     group: "{{ item.group | default('bigbluebutton') }}"
     mode: "{{ item.mode | default('0640') }}"
-  when: item.when | default(true)
+  when: item.when | default(True) is true
   loop_control:
     label: "{{ item.dest | default('/etc/' + item.src) }}"
   loop: &configfiles
@@ -66,12 +66,13 @@
     - src: bigbluebutton/bbb-html5.yml
     - src: bigbluebutton/bbb-graphql-server.env
     - src: bigbluebutton/bbb-graphql-middleware.yml
-      when: "{{ bbb_cluster_proxy is defined }}"
+      when: "{{ bbb_cluster_proxy is present }}"
     - src: bigbluebutton/turn-stun-servers.xml
     - src: bigbluebutton/etherpad.json
       group: etherpad
     - src: bigbluebutton/recording/recording.yml
     - src: bigbluebutton/recording/presentation.yml
+    - src: bigbluebutton/recording/video.yml
     - src: bigbluebutton/bbb-webrtc-sfu/production.yml
     - src: bigbluebutton/bbb-webhooks/production.yml
       when: "{{ bbb_webhooks_enable }}"
@@ -96,16 +97,31 @@
 # changes and restarts. They are also incomplete and buggy...
 # TODO: /usr/local/bigbluebutton/bbb-transcription-controller/config/default.yml
 
-- name: Patch more config files
+- name: Patch more config files in-place
   become: true
   ansible.builtin.lineinfile:
     path: "{{ item.path }}"
     regexp: "{{ item.regexp }}"
     line: "{{ item.line }}"
   loop_control:
     label: "{{ item.path }} ({{ item.line }})"
+  when: "item.get('when', True) | bool"
   loop:
     # https://github.com/bigbluebutton/bigbluebutton/issues/22980
     - path: /usr/local/bigbluebutton/core/scripts/bigbluebutton.yml
       regexp: "^playback_host: .*"
       line: "playback_host: {{ bbb_hostname }}"
+    - path: /usr/share/bbb-web/WEB-INF/classes/application.properties
+      regexp: "^server.servlet.session.cookie.secure=.*"
+      line: "server.servlet.session.cookie.secure=true"
+    - path: /usr/share/bbb-web/WEB-INF/classes/application.properties
+      regexp: "^server.servlet.session.cookie.SameSite=.*"
+      line: "server.servlet.session.cookie.SameSite={{ bbb_cluster_crossorigin | ternary('None', 'Lax') }}"
+  notify: Restart bigbluebutton
+
+- name: Copy hardened ImageMagick profile
+  become: true
+  copy:
+    src: ImageMagick-policy.xml
+    dest: /etc/ImageMagick-6/policy.xml
+    mode: "0644"

tasks/configure-freeswitch.yml

@@ -131,8 +131,8 @@
   lineinfile:
     path: /usr/local/bin/fs_clibbb
     regexp: ^/opt/freeswitch/bin/fs_cli
-    line: /opt/freeswitch/bin/fs_cli -p $(xmlstarlet sel -t -m 'configuration/settings/param[@name="password"]' -v @value /opt/freeswitch/etc/freeswitch/autoload_configs/event_socket.conf.xml)
-      "$@"
+    line: /opt/freeswitch/bin/fs_cli -p $(xmlstarlet sel -t -m 'configuration/settings/param[@name="password"]' -v @value
+      /opt/freeswitch/etc/freeswitch/autoload_configs/event_socket.conf.xml) "$@"
 
 - name: Configure different mute sound
   become: true

tasks/main.yml

@@ -23,7 +23,6 @@
 
 - import_tasks: mixin-helper.yml
 - import_tasks: mixin-proxy.yml
-  when: "bbb_cluster_proxy is defined"
 - import_tasks: mixin-backgrounds.yml
 - import_tasks: mixin-assets.yml
 - import_tasks: mixin-styles.yml

tasks/mixin-assets.yml

@@ -5,7 +5,7 @@
     src: "{{ item.src }}"
     dest: "{{ bbb_nginx_root }}/{{ item.dest }}"
     mode: "0644"
-  when: item.src
+  when: item.src is present
   loop_control:
     label: "{{ item.dest }}"
   loop:

tasks/mixin-proxy.yml

@@ -1,5 +1,6 @@
 ---
 - name: "Update config for proxy mode"
+  when: "bbb_cluster_proxy is defined"
   ansible.builtin.set_fact:
     bbb_config_web_base: |
       {{bbb_config_web_base | combine({
@@ -36,3 +37,7 @@
           }
         }
       }, recursive=True)}}
+    bbb_config_etherpad_base: |
+      {{bbb_config_etherpad_base | combine({
+        "cluster_proxies": ["https://"+bbb_cluster_proxy]
+      })}}