[MM-45001] Add support for generating short-lived TURN credentials (#63)
* Add support for generating short-lived TURN credentials
* Validate all URLs
* Use dedicated config struct
1 parent
ddcf484
commit f54cfd9
Showing
8 changed files
with
286 additions
and
30 deletions.
@@ -1,24 +1,26 @@ | ||
### Config Environment Overrides | ||
|
||
``` | ||
KEY TYPE | ||
RTCD_API_HTTP_LISTENADDRESS String | ||
RTCD_API_HTTP_TLS_ENABLE True or False | ||
RTCD_API_HTTP_TLS_CERTFILE String | ||
RTCD_API_HTTP_TLS_CERTKEY String | ||
RTCD_API_SECURITY_ENABLEADMIN True or False | ||
RTCD_API_SECURITY_ADMINSECRETKEY String | ||
RTCD_API_SECURITY_ALLOWSELFREGISTRATION True or False | ||
RTCD_RTC_ICEPORTUDP Integer | ||
RTCD_RTC_ICEHOSTOVERRIDE String | ||
RTCD_RTC_ICESERVERS Comma-separated list of | ||
RTCD_STORE_DATASOURCE String | ||
RTCD_LOGGER_ENABLECONSOLE True or False | ||
RTCD_LOGGER_CONSOLEJSON True or False | ||
RTCD_LOGGER_CONSOLELEVEL String | ||
RTCD_LOGGER_ENABLEFILE True or False | ||
RTCD_LOGGER_FILEJSON True or False | ||
RTCD_LOGGER_FILELEVEL String | ||
RTCD_LOGGER_FILELOCATION String | ||
RTCD_LOGGER_ENABLECOLOR True or False | ||
KEY TYPE | ||
RTCD_API_HTTP_LISTENADDRESS String | ||
RTCD_API_HTTP_TLS_ENABLE True or False | ||
RTCD_API_HTTP_TLS_CERTFILE String | ||
RTCD_API_HTTP_TLS_CERTKEY String | ||
RTCD_API_SECURITY_ENABLEADMIN True or False | ||
RTCD_API_SECURITY_ADMINSECRETKEY String | ||
RTCD_API_SECURITY_ALLOWSELFREGISTRATION True or False | ||
RTCD_RTC_ICEPORTUDP Integer | ||
RTCD_RTC_ICEHOSTOVERRIDE String | ||
RTCD_RTC_ICESERVERS Comma-separated list of | ||
RTCD_RTC_TURNCONFIG_STATICAUTHSECRET String | ||
RTCD_RTC_TURNCONFIG_CREDENTIALSEXPIRATIONMINUTES Integer | ||
RTCD_STORE_DATASOURCE String | ||
RTCD_LOGGER_ENABLECONSOLE True or False | ||
RTCD_LOGGER_CONSOLEJSON True or False | ||
RTCD_LOGGER_CONSOLELEVEL String | ||
RTCD_LOGGER_ENABLEFILE True or False | ||
RTCD_LOGGER_FILEJSON True or False | ||
RTCD_LOGGER_FILELEVEL String | ||
RTCD_LOGGER_FILELOCATION String | ||
RTCD_LOGGER_ENABLECOLOR True or False | ||
``` |
@@ -0,0 +1,84 @@ | ||
// Copyright (c) 2022-present Mattermost, Inc. All Rights Reserved. | ||
// See LICENSE.txt for license information. | ||
|
||
package rtc | ||
|
||
import ( | ||
"crypto/hmac" | ||
"crypto/sha1" | ||
"encoding/base64" | ||
"fmt" | ||
"time" | ||
) | ||
|
||
const MaxTURNCredentialsExpiration = 7 * 24 * 60 // 1 week in minutes | ||
|
||
type TURNConfig struct { | ||
// The secret key used to generate TURN short-lived authentication | ||
// credentials. | ||
StaticAuthSecret string `toml:"static_auth_secret"` | ||
// The number of minutes that the generated TURN credentials will be valid for. | ||
CredentialsExpirationMinutes int `toml:"credentials_expiration_minutes"` | ||
} | ||
|
||
func (c TURNConfig) IsValid() error { | ||
if c.StaticAuthSecret != "" { | ||
if c.CredentialsExpirationMinutes <= 0 { | ||
return fmt.Errorf("invalid CredentialsExpirationMinutes value: should be a positive number") | ||
} | ||
if c.CredentialsExpirationMinutes >= MaxTURNCredentialsExpiration { | ||
return fmt.Errorf("invalid CredentialsExpirationMinutes value: should be less than 1 week") | ||
} | ||
} | ||
|
||
return nil | ||
} | ||
|
||
func genTURNCredentials(username, secret string, expirationTS int64) (string, string, error) { | ||
if username == "" { | ||
return "", "", fmt.Errorf("username should not be empty") | ||
} | ||
|
||
if secret == "" { | ||
return "", "", fmt.Errorf("secret should not be empty") | ||
} | ||
|
||
if expirationTS <= 0 { | ||
return "", "", fmt.Errorf("expirationTS should be a positive number") | ||
} | ||
|
||
if expirationTS > time.Now().Add(MaxTURNCredentialsExpiration*time.Minute).Unix() { | ||
return "", "", fmt.Errorf("expirationTS cannot be more than a week into the future") | ||
} | ||
|
||
h := hmac.New(sha1.New, []byte(secret)) | ||
username = fmt.Sprintf("%d:%s", expirationTS, username) | ||
_, err := h.Write([]byte(username)) | ||
if err != nil { | ||
return "", "", fmt.Errorf("failed to write hmac: %w", err) | ||
} | ||
password := base64.StdEncoding.EncodeToString(h.Sum(nil)) | ||
return username, password, nil | ||
} | ||
|
||
func GenTURNConfigs(turnServers ICEServers, username, secret string, expiryMinutes int) (ICEServers, error) { | ||
var configs ICEServers | ||
ts := time.Now().Add(time.Duration(expiryMinutes) * time.Minute).Unix() | ||
|
||
for _, cfg := range turnServers { | ||
if cfg.Username != "" || cfg.Credential != "" { | ||
continue | ||
} | ||
username, password, err := genTURNCredentials(username, secret, ts) | ||
if err != nil { | ||
return nil, err | ||
} | ||
configs = append(configs, ICEServerConfig{ | ||
URLs: cfg.URLs, | ||
Username: username, | ||
Credential: password, | ||
}) | ||
} | ||
|
||
return configs, nil | ||
} |
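Review bot: genTURNCredentials only rejects expirationTS <= 0, so a timestamp already in the past is accepted, and GenTURNConfigs will hand out credentials that are presumably already expired whenever expiryMinutes is zero or negative (nothing validates that parameter here, and TURNConfig.IsValid skips the range checks entirely when StaticAuthSecret is empty). Compare against the clock instead, `if expirationTS <= time.Now().Unix() { return "", "", fmt.Errorf("expirationTS should be in the future") }`. In GenTURNConfigs the HMAC is recomputed once per server even though username, secret and ts never change inside the loop, and `username, password, err :=` shadows the username parameter; computing the pair once before the loop removes both issues. The exported MaxTURNCredentialsExpiration, TURNConfig and GenTURNConfigs carry no doc comments; GenTURNConfigs should state that it returns only the entries whose Username and Credential are empty, and that the returned username has the form `<expiry-unix>:<username>`, which is also the exact string the HMAC-SHA1 credential is computed over.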