turn icon indicating copy to clipboard operation
turn copied to clipboard
verified publisher icon pion

Proposal: Enhance Custom Authorization Abilities

Open adrianosela opened this issue 1 year ago • 4 comments

Description

This PR is a proof-of-concept for extending the ability to write custom authorizers beyond using a custom function to check the value of a string (username in the existing AuthFunc function definition), and specifically facilitating mTLS authentication.

I would like my TURN communication to happen over TLS (which is already possible today), but I would like my TURN clients to present a signed TLS certificate for authn/authz instead of a static username and password.

This PR demonstrates how this could be possible.

This breaks the existing API - but it doesn't need to. Both AuthHandler and Authorizer could co-exist until the next major release (assuming there's interest in this change).

Note that internal/server/authz/tls.go is only included for illustrative purposes -- that shound't go in here... though perhaps maybe an /example would be worthwhile.

adrianosela avatar Oct 14 '24 20:10 adrianosela

Codecov Report

Attention: Patch coverage is 54.54545% with 20 lines in your changes missing coverage. Please review.

Project coverage is 67.78%. Comparing base (cc03474) to head (c4e36b1).

Files with missing lines Patch % Lines
internal/server/authz/tls.go 0.00% 17 Missing :warning:
server.go 78.57% 2 Missing and 1 partial :warning:
Additional details and impacted files 
@@            Coverage Diff             @@
##           master     #415      +/-   ##
==========================================
- Coverage   68.15%   67.78%   -0.38%     
==========================================
  Files          43       45       +2     
  Lines        2352     2387      +35     
==========================================
+ Hits         1603     1618      +15     
- Misses        582      601      +19     
- Partials      167      168       +1
Flag Coverage Δ
go 67.78% <54.54%> (-0.38%) :arrow_down:
wasm 27.48% <0.00%> (-0.41%) :arrow_down:

Flags with carried forward coverage won't be shown. Click here to find out more.

:umbrella: View full report in Codecov by Sentry.
:loudspeaker: Have feedback on the report? Share it here.

codecov[bot] avatar Oct 15 '24 07:10 codecov[bot]

This seems like a really useful addition, I suggest we merge it with minor modifications.

This breaks the existing API - but it doesn't need to. Both AuthHandler and Authorizer could co-exist until the next major release (assuming there's interest in this change).

I think it's OK to break the API with a new major version, it's still better than the confusion two auth handler APIs would create. Plus, the new API seems extensible without another API break.

Note that internal/server/authz/tls.go is only included for illustrative purposes -- that shound't go in here... though perhaps maybe an /example would be worthwhile.

I'm OK with providing this is a prefab functionality, mTLS seems useful and general enough to warrant a built-in implementation. Do you think your implementation is reusable for other users?

But examples/ will definitely need some love. Mostly straightforward porting, but we should make sure each example works.

rg0now avatar Oct 16 '24 10:10 rg0now

This seems like a really useful addition, I suggest we merge it with minor modifications.

Which modifications do you suggest? Happy to do 'em. @rg0now

cc:// @Sean-Der

adrianosela avatar Oct 16 '24 15:10 adrianosela

Which modifications do you suggest? Happy to do 'em. @rg0now

Just updating the examples/, nothing serious

rg0now avatar Oct 16 '24 17:10 rg0now