From 78f72d313a91e7478f1490acf6393281ff91dfb9 Mon Sep 17 00:00:00 2001 From: Giacomo Vacca Date: Sun, 4 Feb 2024 17:51:13 +0100 Subject: [PATCH] lt_cred support for TURN REST format --- .../turn-server/lt-cred-turn-rest/main.go | 71 +++++++++++++++++++ lt_cred.go | 38 ++++++++++ lt_cred_test.go | 48 +++++++++++++ 3 files changed, 157 insertions(+) create mode 100644 examples/turn-server/lt-cred-turn-rest/main.go diff --git a/examples/turn-server/lt-cred-turn-rest/main.go b/examples/turn-server/lt-cred-turn-rest/main.go new file mode 100644 index 00000000..3dced36e --- /dev/null +++ b/examples/turn-server/lt-cred-turn-rest/main.go @@ -0,0 +1,71 @@ +package main + +import ( + "flag" + "log" + "net" + "os" + "os/signal" + "strconv" + "syscall" + + "github.com/pion/logging" + "github.com/pion/turn/v2" +) + +func main() { + publicIP := flag.String("public-ip", "", "IP Address that TURN can be contacted by.") + port := flag.Int("port", 3478, "Listening port.") + authSecret := flag.String("authSecret", "", "Shared secret for the Long Term Credential Mechanism") + realm := flag.String("realm", "pion.ly", "Realm (defaults to \"pion.ly\")") + flag.Parse() + + if len(*publicIP) == 0 { + log.Fatalf("'public-ip' is required") + } else if len(*authSecret) == 0 { + log.Fatalf("'authSecret' is required") + } + + // Create a UDP listener to pass into pion/turn + // pion/turn itself doesn't allocate any UDP sockets, but lets the user pass them in + // this allows us to add logging, storage or modify inbound/outbound traffic + udpListener, err := net.ListenPacket("udp4", "0.0.0.0:"+strconv.Itoa(*port)) + if err != nil { + log.Panicf("Failed to create TURN server listener: %s", err) + } + + // NewLongTermAuthHandler takes a pion.LeveledLogger. This allows you to intercept messages + // and process them yourself. + logger := logging.NewDefaultLeveledLoggerForScope("lt-creds", logging.LogLevelTrace, os.Stdout) + + s, err := turn.NewServer(turn.ServerConfig{ + Realm: *realm, + // Set AuthHandler callback + // This is called everytime a user tries to authenticate with the TURN server + // Return the key for that user, or false when no user is found + AuthHandler: turn.LongTermTURNRESTAuthHandler(*authSecret, logger), + // PacketConnConfigs is a list of UDP Listeners and the configuration around them + PacketConnConfigs: []turn.PacketConnConfig{ + { + PacketConn: udpListener, + RelayAddressGenerator: &turn.RelayAddressGeneratorStatic{ + RelayAddress: net.ParseIP(*publicIP), // Claim that we are listening on IP passed by user (This should be your Public IP) + Address: "0.0.0.0", // But actually be listening on every interface + }, + }, + }, + }) + if err != nil { + log.Panic(err) + } + + // Block until user sends SIGINT or SIGTERM + sigs := make(chan os.Signal, 1) + signal.Notify(sigs, syscall.SIGINT, syscall.SIGTERM) + <-sigs + + if err = s.Close(); err != nil { + log.Panic(err) + } +} + diff --git a/lt_cred.go b/lt_cred.go index 4308ed90..f2e081cc 100644 --- a/lt_cred.go +++ b/lt_cred.go @@ -9,6 +9,7 @@ import ( //nolint:gci "encoding/base64" "net" "strconv" + "strings" "time" "github.com/pion/logging" @@ -22,6 +23,15 @@ func GenerateLongTermCredentials(sharedSecret string, duration time.Duration) (s return username, password, err } +// GenerateLongTermCredentials can be used to create credentials valid for [duration] time +func GenerateLongTermTURNRESTCredentials(sharedSecret string, user string, duration time.Duration) (string, string, error) { + t := time.Now().Add(duration).Unix() + timestamp := strconv.FormatInt(t, 10) + username := timestamp + ":" + user + password, err := longTermCredentials(username, sharedSecret) + return username, password, err +} + func longTermCredentials(username string, sharedSecret string) (string, error) { mac := hmac.New(sha1.New, []byte(sharedSecret)) _, err := mac.Write([]byte(username)) @@ -57,3 +67,31 @@ func NewLongTermAuthHandler(sharedSecret string, l logging.LeveledLogger) AuthHa return GenerateAuthKey(username, realm, password), true } } + +// LongTermTURNRESTAuthHandler returns a turn.AuthAuthHandler used with Long Term (or Time Windowed) Credentials. +// https://tools.ietf.org/search/rfc5389#section-10.2 +// It supports the format timestamp:username used with the TURN REST API +func LongTermTURNRESTAuthHandler(sharedSecret string, l logging.LeveledLogger) AuthHandler { + if l == nil { + l = logging.NewDefaultLoggerFactory().NewLogger("turn") + } + return func(username, realm string, srcAddr net.Addr) (key []byte, ok bool) { + l.Tracef("Authentication username=%q realm=%q srcAddr=%v\n", username, realm, srcAddr) + timestamp := strings.Split(username, ":")[0] + t, err := strconv.Atoi(timestamp) + if err != nil { + l.Errorf("Invalid time-windowed username %q", username) + return nil, false + } + if int64(t) < time.Now().Unix() { + l.Errorf("Expired time-windowed username %q", username) + return nil, false + } + password, err := longTermCredentials(username, sharedSecret) + if err != nil { + l.Error(err.Error()) + return nil, false + } + return GenerateAuthKey(username, realm, password), true + } +} diff --git a/lt_cred_test.go b/lt_cred_test.go index 83164de1..e93be15d 100644 --- a/lt_cred_test.go +++ b/lt_cred_test.go @@ -75,3 +75,51 @@ func TestNewLongTermAuthHandler(t *testing.T) { assert.NoError(t, conn.Close()) assert.NoError(t, server.Close()) } + +func TestLongTermTURNRESTAuthHandler(t *testing.T) { + const sharedSecret = "HELLO_WORLD" + + serverListener, err := net.ListenPacket("udp4", "0.0.0.0:3478") + assert.NoError(t, err) + + server, err := NewServer(ServerConfig{ + AuthHandler: LongTermTURNRESTAuthHandler(sharedSecret, nil), + PacketConnConfigs: []PacketConnConfig{ + { + PacketConn: serverListener, + RelayAddressGenerator: &RelayAddressGeneratorStatic{ + RelayAddress: net.ParseIP("127.0.0.1"), + Address: "0.0.0.0", + }, + }, + }, + Realm: "pion.ly", + LoggerFactory: logging.NewDefaultLoggerFactory(), + }) + assert.NoError(t, err) + + conn, err := net.ListenPacket("udp4", "0.0.0.0:0") + assert.NoError(t, err) + + username, password, err := GenerateLongTermTURNRESTCredentials(sharedSecret, "testuser", time.Minute) + assert.NoError(t, err) + + client, err := NewClient(&ClientConfig{ + STUNServerAddr: "0.0.0.0:3478", + TURNServerAddr: "0.0.0.0:3478", + Conn: conn, + Username: username, + Password: password, + LoggerFactory: logging.NewDefaultLoggerFactory(), + }) + assert.NoError(t, err) + assert.NoError(t, client.Listen()) + + relayConn, err := client.Allocate() + assert.NoError(t, err) + + client.Close() + assert.NoError(t, relayConn.Close()) + assert.NoError(t, conn.Close()) + assert.NoError(t, server.Close()) +}