add basic auth to turn server apis, handle host registration on server

2025-09-08 22:24:17 +08:00 · 2023-04-17 15:33:05 +04:00 · 2023-04-17 15:33:05 +04:00 · 4f95e9f562
commit 4f95e9f562
parent a8e234efc9
6 changed files with 51 additions and 8 deletions
--- a/compose/docker-compose.yml
+++ b/compose/docker-compose.yml
@ -32,6 +32,8 @@ services:
      TURN_SERVER_HOST: "turn.NETMAKER_BASE_DOMAIN"
      TURN_SERVER_API_HOST: "https://api.turn.NETMAKER_BASE_DOMAIN"
      TURN_PORT: "3479"
+      TURN_USERNAME: "REPLACE_TURN_USERNAME"
+      TURN_PASSWORD: "REPLACE_TURN_PASSWORD"
    ports:
      - "3478:3478/udp"
  netmaker-ui:
--- a/config/config.go
+++ b/config/config.go
@ -78,6 +78,8 @@ type ServerConfig struct {
 	TurnServer           string    `yaml:"turn_server"`
 	TurnApiServer        string    `yaml:"turn_api_server"`
 	TurnPort             int       `yaml:"turn_port"`
+	TurnUserName         string    `yaml:"turn_username"`
+	TurnPassword         string    `yaml:"turn_password"`
 }

 // ProxyMode - default proxy mode for server
--- a/logic/hosts.go
+++ b/logic/hosts.go
@ -2,6 +2,7 @@ package logic

 import (
 	"crypto/md5"
+	"encoding/base64"
 	"encoding/json"
 	"errors"
 	"fmt"
@ -442,12 +443,12 @@ func ConvHostPassToHash(hostPass string) string {

 // RegisterHostWithTurn - registers the host with the given turn server
 func RegisterHostWithTurn(hostID, hostPass string) error {
-
+	auth := servercfg.GetTurnUserName() + ":" + servercfg.GetTurnPassword()
 	api := httpclient.JSONEndpoint[models.SuccessResponse, models.ErrorResponse]{
-		URL:    servercfg.GetTurnApiHost(),
-		Route:  "/api/v1/host/register",
-		Method: http.MethodPost,
-		//Authorization: fmt.Sprintf("Bearer %s", op.AuthToken),
+		URL:           servercfg.GetTurnApiHost(),
+		Route:         "/api/v1/host/register",
+		Method:        http.MethodPost,
+		Authorization: fmt.Sprintf("Basic %s", base64.StdEncoding.EncodeToString([]byte(auth))),
 		Data: models.HostTurnRegister{
 			HostID:       hostID,
 			HostPassHash: ConvHostPassToHash(hostPass),
@ -467,11 +468,12 @@ func RegisterHostWithTurn(hostID, hostPass string) error {

 // DeRegisterHostWithTurn - to be called when host need to be deregistered from a turn server
 func DeRegisterHostWithTurn(hostID string) error {
-
+	auth := servercfg.GetTurnUserName() + ":" + servercfg.GetTurnPassword()
 	api := httpclient.JSONEndpoint[models.SuccessResponse, models.ErrorResponse]{
 		URL:           servercfg.GetTurnApiHost(),
 		Route:         fmt.Sprintf("/api/v1/host/deregister?host_id=%s", hostID),
 		Method:        http.MethodPost,
+		Authorization: fmt.Sprintf("Basic %s", base64.StdEncoding.EncodeToString([]byte(auth))),
 		Response:      models.SuccessResponse{},
 		ErrorResponse: models.ErrorResponse{},
 	}
--- a/mq/handlers.go
+++ b/mq/handlers.go
@ -141,7 +141,10 @@ func UpdateHost(client mqtt.Client, msg mqtt.Message) {
 		}
 		sendPeerUpdate = true
 	case models.RegisterWithTurn:
-		logic.RegisterHostWithTurn(hostUpdate.Host.ID.String(), hostUpdate.Host.HostPass)
+		err = logic.RegisterHostWithTurn(hostUpdate.Host.ID.String(), hostUpdate.Host.HostPass)
+		if err != nil {
+			logger.Log(0, "failed to register host with turn server: ", err.Error())
+		}
 	}

 	if sendPeerUpdate {
--- a/servercfg/serverconf.go
+++ b/servercfg/serverconf.go
@ -663,6 +663,30 @@ func GetTurnPort() int {
 	return port
 }

+// GetTurnUserName - fetches the turn server username
+func GetTurnUserName() string {
+	userName := ""
+	if os.Getenv("TURN_USERNAME") != "" {
+		userName = os.Getenv("TURN_USERNAME")
+	} else {
+		userName = config.Config.Server.TurnUserName
+	}
+	return userName
+
+}
+
+// GetTurnPassword - fetches the turn server password
+func GetTurnPassword() string {
+	pass := ""
+	if os.Getenv("TURN_PASSWORD") != "" {
+		pass = os.Getenv("TURN_PASSWORD")
+	} else {
+		pass = config.Config.Server.TurnPassword
+	}
+	return pass
+
+}
+
 // IsProxyEnabled - is proxy on or off
 func IsProxyEnabled() bool {
 	var enabled = false //default
--- a/turnserver/internal/auth/auth.go
+++ b/turnserver/internal/auth/auth.go
@ -15,10 +15,12 @@ var (
 	authMapLock    = &sync.RWMutex{}
 	HostMap        = make(map[string]string)
 	authBackUpFile = "auth.json"
+	backUpFilePath = filepath.Join("/etc/config", authBackUpFile)
 )

 func init() {
 	os.MkdirAll("/etc/config", os.ModePerm)
+	loadCredsFromFile()
 }

 func RegisterNewHostWithTurn(hostID, hostPass string) {
@ -42,8 +44,16 @@ func dumpCredsToFile() {
 		return
 	}

-	err = os.WriteFile(filepath.Join("/etc/config", authBackUpFile), d, os.ModePerm)
+	err = os.WriteFile(backUpFilePath, d, os.ModePerm)
 	if err != nil {
 		logger.Log(0, "failed to backup auth data: ", err.Error())
 	}
 }
+
+func loadCredsFromFile() error {
+	d, err := os.ReadFile(backUpFilePath)
+	if err != nil {
+		return err
+	}
+	return json.Unmarshal(d, &HostMap)
+}