mirror of
https://github.com/strukturag/nextcloud-spreed-signaling
synced 2024-06-08 08:52:27 +02:00
Merge pull request #44 from strukturag/proxy-tokens-etcd
Add support for fetching proxy tokens from etcd cluster.
This commit is contained in:
commit
b7d5f2a639
4
.github/workflows/test.yml
vendored
4
.github/workflows/test.yml
vendored
|
@ -13,10 +13,6 @@ jobs:
|
|||
strategy:
|
||||
matrix:
|
||||
go-version:
|
||||
- "1.6"
|
||||
- "1.7"
|
||||
- "1.8"
|
||||
- "1.9"
|
||||
- "1.10"
|
||||
- "1.11"
|
||||
- "1.12"
|
||||
|
|
|
@ -15,7 +15,7 @@ The following tools are required for building the signaling server.
|
|||
|
||||
- curl
|
||||
- git
|
||||
- go >= 1.6
|
||||
- go >= 1.10
|
||||
- make
|
||||
- python3
|
||||
|
||||
|
|
|
@ -9,6 +9,7 @@ github.com/nats-io/go-nats git d4ca4c8b588d5da9c2ac82d6e445ce4feaba18ba 2017-06-
|
|||
github.com/nats-io/nuid git 3cf34f9fca4e88afa9da8eabd75e3326c9941b44 2017-03-03T15:02:24Z
|
||||
github.com/notedit/janus-go git 10eb8b95d1a0469ac8921c5ce5fb55b4c0d3ad7d 2020-05-17T10:12:15Z
|
||||
github.com/oschwald/maxminddb-golang git 1960b16a5147df3a4c61ac83b2f31cd8f811d609 2019-05-23T23:57:38Z
|
||||
go.etcd.io/etcd git ae9734ed278b7a1a7dfc82e800471ebbf9fce56f 2020-08-24T19:11:28Z
|
||||
golang.org/x/net git f01ecb60fe3835d80d9a0b7b2bf24b228c89260e 2017-07-11T18:12:19Z
|
||||
golang.org/x/sys git ac767d655b305d4e9612f5f6e33120b9176c4ad4 2018-07-15T08:55:29Z
|
||||
gopkg.in/dgrijalva/jwt-go.v3 git 06ea1031745cb8b3dab3f6a236daf2b0aa468b7e 2018-03-08T23:13:08Z
|
||||
|
|
|
|
@ -17,7 +17,8 @@
|
|||
#
|
||||
# Possible values:
|
||||
# - static: A mapping of token id -> public key is configured below.
|
||||
token_type = static
|
||||
# - etcd: Token information are retrieved from an etcd cluster (see below).
|
||||
tokentype = static
|
||||
|
||||
[sessions]
|
||||
# Secret value used to generate checksums of sessions. This should be a random
|
||||
|
@ -37,11 +38,30 @@ blockkey = -encryption-key-
|
|||
#url = nats://localhost:4222
|
||||
|
||||
[tokens]
|
||||
# For token_type "static": Mapping of <tokenid> = <publickey> of signaling
|
||||
# For token type "static": Mapping of <tokenid> = <publickey> of signaling
|
||||
# servers allowed to connect.
|
||||
#server1 = pubkey1.pem
|
||||
#server2 = pubkey2.pem
|
||||
|
||||
# For token type "etcd": Comma-separated list of static etcd endpoints to
|
||||
# connect to.
|
||||
#endpoints = 127.0.0.1:2379,127.0.0.1:22379,127.0.0.1:32379
|
||||
|
||||
# For token type "etcd": Options to perform endpoint discovery through DNS SRV.
|
||||
# Only used if no endpoints are configured manually.
|
||||
#discoverysrv = example.com
|
||||
#discoveryservice = foo
|
||||
|
||||
# For token type "etcd": Path to private key, client certificate and CA
|
||||
# certificate if TLS authentication should be used.
|
||||
#clientkey = /path/to/etcd-client.key
|
||||
#clientcert = /path/to/etcd-client.crt
|
||||
#cacert = /path/to/etcd-ca.crt
|
||||
|
||||
# For token type "etcd": Format of key name to retrieve the public key from,
|
||||
# "%s" will be replaced with the token id.
|
||||
#keyformat = /signaling/proxy/tokens/%s/public-key
|
||||
|
||||
[mcu]
|
||||
# The type of the MCU to use. Currently only "janus" is supported.
|
||||
type = janus
|
||||
|
|
|
@ -131,12 +131,14 @@ func NewProxyServer(r *mux.Router, version string, config *goconf.ConfigFile, na
|
|||
|
||||
var tokens ProxyTokens
|
||||
var err error
|
||||
tokenType, _ := config.GetString("app", "token_type")
|
||||
tokenType, _ := config.GetString("app", "tokentype")
|
||||
if tokenType == "" {
|
||||
tokenType = TokenTypeDefault
|
||||
}
|
||||
|
||||
switch tokenType {
|
||||
case TokenTypeEtcd:
|
||||
tokens, err = NewProxyTokensEtcd(config)
|
||||
case TokenTypeStatic:
|
||||
tokens, err = NewProxyTokensStatic(config)
|
||||
default:
|
||||
|
@ -363,6 +365,7 @@ func (s *ProxyServer) Stop() {
|
|||
}
|
||||
|
||||
s.mcu.Stop()
|
||||
s.tokens.Close()
|
||||
}
|
||||
|
||||
func (s *ProxyServer) ShutdownChannel() chan bool {
|
||||
|
|
|
@ -28,6 +28,7 @@ import (
|
|||
)
|
||||
|
||||
const (
|
||||
TokenTypeEtcd = "etcd"
|
||||
TokenTypeStatic = "static"
|
||||
|
||||
TokenTypeDefault = TokenTypeStatic
|
||||
|
@ -42,4 +43,5 @@ type ProxyTokens interface {
|
|||
Get(id string) (*ProxyToken, error)
|
||||
|
||||
Reload(config *goconf.ConfigFile)
|
||||
Close()
|
||||
}
|
||||
|
|
212
src/proxy/proxy_tokens_etcd.go
Normal file
212
src/proxy/proxy_tokens_etcd.go
Normal file
|
@ -0,0 +1,212 @@
|
|||
/**
|
||||
* Standalone signaling server for the Nextcloud Spreed app.
|
||||
* Copyright (C) 2020 struktur AG
|
||||
*
|
||||
* @author Joachim Bauch <bauch@struktur.de>
|
||||
*
|
||||
* @license GNU AGPL version 3 or any later version
|
||||
*
|
||||
* This program is free software: you can redistribute it and/or modify
|
||||
* it under the terms of the GNU Affero General Public License as published by
|
||||
* the Free Software Foundation, either version 3 of the License, or
|
||||
* (at your option) any later version.
|
||||
*
|
||||
* This program is distributed in the hope that it will be useful,
|
||||
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
* GNU Affero General Public License for more details.
|
||||
*
|
||||
* You should have received a copy of the GNU Affero General Public License
|
||||
* along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||
*/
|
||||
package main
|
||||
|
||||
import (
|
||||
"bytes"
|
||||
"context"
|
||||
"fmt"
|
||||
"log"
|
||||
"strings"
|
||||
"sync/atomic"
|
||||
"time"
|
||||
|
||||
"github.com/dlintw/goconf"
|
||||
|
||||
"go.etcd.io/etcd/clientv3"
|
||||
"go.etcd.io/etcd/pkg/srv"
|
||||
"go.etcd.io/etcd/pkg/transport"
|
||||
|
||||
"gopkg.in/dgrijalva/jwt-go.v3"
|
||||
|
||||
"signaling"
|
||||
)
|
||||
|
||||
const (
|
||||
tokenCacheSize = 4096
|
||||
)
|
||||
|
||||
type tokenCacheEntry struct {
|
||||
keyValue []byte
|
||||
token *ProxyToken
|
||||
}
|
||||
|
||||
type tokensEtcd struct {
|
||||
client atomic.Value
|
||||
|
||||
tokenFormat atomic.Value
|
||||
tokenCache *signaling.LruCache
|
||||
}
|
||||
|
||||
func NewProxyTokensEtcd(config *goconf.ConfigFile) (ProxyTokens, error) {
|
||||
result := &tokensEtcd{
|
||||
tokenCache: signaling.NewLruCache(tokenCacheSize),
|
||||
}
|
||||
if err := result.load(config, false); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
return result, nil
|
||||
}
|
||||
|
||||
func (t *tokensEtcd) getClient() *clientv3.Client {
|
||||
c := t.client.Load()
|
||||
if c == nil {
|
||||
return nil
|
||||
}
|
||||
|
||||
return c.(*clientv3.Client)
|
||||
}
|
||||
|
||||
func (t *tokensEtcd) getKey(id string) string {
|
||||
format := t.tokenFormat.Load().(string)
|
||||
return fmt.Sprintf(format, id)
|
||||
}
|
||||
|
||||
func (t *tokensEtcd) Get(id string) (*ProxyToken, error) {
|
||||
ctx, cancel := context.WithTimeout(context.Background(), time.Second)
|
||||
defer cancel()
|
||||
resp, err := t.getClient().Get(ctx, t.getKey(id))
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
if len(resp.Kvs) == 0 {
|
||||
return nil, nil
|
||||
} else if len(resp.Kvs) > 1 {
|
||||
log.Printf("Received multiple keys for %s, using last", id)
|
||||
}
|
||||
|
||||
keyValue := resp.Kvs[len(resp.Kvs)-1].Value
|
||||
cached, _ := t.tokenCache.Get(id).(*tokenCacheEntry)
|
||||
if cached == nil || !bytes.Equal(cached.keyValue, keyValue) {
|
||||
// Parsed public keys are cached to avoid the parse overhead.
|
||||
key, err := jwt.ParseRSAPublicKeyFromPEM(keyValue)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("Could not parse public key for %s: %s", id, err)
|
||||
}
|
||||
|
||||
cached = &tokenCacheEntry{
|
||||
keyValue: keyValue,
|
||||
token: &ProxyToken{
|
||||
id: id,
|
||||
key: key,
|
||||
},
|
||||
}
|
||||
t.tokenCache.Set(id, cached)
|
||||
}
|
||||
|
||||
return cached.token, nil
|
||||
}
|
||||
|
||||
func (t *tokensEtcd) load(config *goconf.ConfigFile, ignoreErrors bool) error {
|
||||
var endpoints []string
|
||||
if endpointsString, _ := config.GetString("tokens", "endpoints"); endpointsString != "" {
|
||||
for _, ep := range strings.Split(endpointsString, ",") {
|
||||
ep := strings.TrimSpace(ep)
|
||||
if ep != "" {
|
||||
endpoints = append(endpoints, ep)
|
||||
}
|
||||
}
|
||||
} else if discoverySrv, _ := config.GetString("tokens", "discoverysrv"); discoverySrv != "" {
|
||||
discoveryService, _ := config.GetString("tokens", "discoveryservice")
|
||||
clients, err := srv.GetClient("etcd-client", discoverySrv, discoveryService)
|
||||
if err != nil {
|
||||
if !ignoreErrors {
|
||||
return fmt.Errorf("Could not discover endpoints for %s: %s", discoverySrv, err)
|
||||
}
|
||||
} else {
|
||||
endpoints = clients.Endpoints
|
||||
}
|
||||
}
|
||||
|
||||
if len(endpoints) == 0 {
|
||||
if !ignoreErrors {
|
||||
return fmt.Errorf("No token endpoints configured")
|
||||
}
|
||||
|
||||
log.Printf("No token endpoints configured, not changing client")
|
||||
} else {
|
||||
cfg := clientv3.Config{
|
||||
Endpoints: endpoints,
|
||||
|
||||
// set timeout per request to fail fast when the target endpoint is unavailable
|
||||
DialTimeout: time.Second,
|
||||
}
|
||||
|
||||
clientKey, _ := config.GetString("tokens", "clientkey")
|
||||
clientCert, _ := config.GetString("tokens", "clientcert")
|
||||
caCert, _ := config.GetString("tokens", "cacert")
|
||||
if clientKey != "" && clientCert != "" && caCert != "" {
|
||||
tlsInfo := transport.TLSInfo{
|
||||
CertFile: clientCert,
|
||||
KeyFile: clientKey,
|
||||
TrustedCAFile: caCert,
|
||||
}
|
||||
tlsConfig, err := tlsInfo.ClientConfig()
|
||||
if err != nil {
|
||||
if !ignoreErrors {
|
||||
return fmt.Errorf("Could not setup TLS configuration: %s", err)
|
||||
}
|
||||
|
||||
log.Printf("Could not setup TLS configuration, will be disabled (%s)", err)
|
||||
} else {
|
||||
cfg.TLS = tlsConfig
|
||||
}
|
||||
}
|
||||
|
||||
c, err := clientv3.New(cfg)
|
||||
if err != nil {
|
||||
if !ignoreErrors {
|
||||
return err
|
||||
}
|
||||
|
||||
log.Printf("Could not create new client from token endpoints %+v: %s", endpoints, err)
|
||||
} else {
|
||||
prev := t.getClient()
|
||||
if prev != nil {
|
||||
prev.Close()
|
||||
}
|
||||
t.client.Store(c)
|
||||
log.Printf("Using token endpoints %+v", endpoints)
|
||||
}
|
||||
}
|
||||
|
||||
tokenFormat, _ := config.GetString("tokens", "keyformat")
|
||||
if tokenFormat == "" {
|
||||
tokenFormat = "/%s"
|
||||
}
|
||||
|
||||
t.tokenFormat.Store(tokenFormat)
|
||||
log.Printf("Using %s as token format", tokenFormat)
|
||||
return nil
|
||||
}
|
||||
|
||||
func (t *tokensEtcd) Reload(config *goconf.ConfigFile) {
|
||||
t.load(config, true)
|
||||
}
|
||||
|
||||
func (t *tokensEtcd) Close() {
|
||||
if client := t.getClient(); client != nil {
|
||||
client.Close()
|
||||
}
|
||||
}
|
|
@ -116,3 +116,7 @@ func (t *tokensStatic) load(config *goconf.ConfigFile, ignoreErrors bool) error
|
|||
func (t *tokensStatic) Reload(config *goconf.ConfigFile) {
|
||||
t.load(config, true)
|
||||
}
|
||||
|
||||
func (t *tokensStatic) Close() {
|
||||
t.setTokenKeys(map[string]*ProxyToken{})
|
||||
}
|
||||
|
|
Loading…
Reference in a new issue