From f17ce4fe830dac0f3a2c17f2b12e1cc98c1d02ac Mon Sep 17 00:00:00 2001
From: mom040267
Date: Wed, 7 Jan 2015 07:57:56 +0000
Subject: [PATCH] new turn_admin table
---
 INSTALL | 31 +++++++++++++++++---------
 examples/var/db/turndb | Bin 20480 -> 22528 bytes
 src/apps/relay/dbdrivers/dbd_redis.c | 4 ++--
 src/apps/relay/dbdrivers/dbd_sqlite.c | 23 ++++++++++---------
 src/apps/relay/userdb.h | 4 ----
 src/client/ns_turn_msg.h | 3 +--
 src/client/ns_turn_msg_defs.h | 3 ++-
 turndb/schema.mongo.sh | 1 +
 turndb/schema.sql | 25 +++++++++++++--------
 turndb/schema.userdb.redis | 13 ++++++++++-
 turndb/testmongosetup.sh | 3 +++
 turndb/testredisdbsetup.sh | 3 +++
 turndb/testsqldbsetup.sql | 3 +++
 13 files changed, 77 insertions(+), 39 deletions(-)
diff --git a/INSTALL b/INSTALL
index dccc7f77..5435dbd6 100644
--- a/INSTALL
+++ b/INSTALL
@@ -669,7 +669,7 @@ The schema description:
 # Table for long-term credentials mechanism authorization:
 #
 CREATE TABLE turnusers_lt (
- realm varchar(512) default '',
+ realm varchar(127) default '',
 name varchar(512),
 hmackey char(128),
 PRIMARY KEY (realm,name)
@@ -688,7 +688,7 @@ or 64 characters (HEX representation of 32 bytes) for SHA256.
 #
 CREATE TABLE turnusers_st (
 name varchar(512) PRIMARY KEY,
- password varchar(512)
+ password varchar(127)
 );
 # Table holding shared secrets for secret-based authorization
@@ -696,15 +696,15 @@ CREATE TABLE turnusers_st (
 # mechanism:
 #
 CREATE TABLE turn_secret (
- realm varchar(512) default '',
- value varchar(512),
+ realm varchar(127) default '',
+ value varchar(127),
 primary key (realm,value)
 );
 # Table holding "white" allowed peer IP ranges.
 #
 CREATE TABLE allowed_peer_ip (
- realm varchar(512) default '',
+ realm varchar(127) default '',
 ip_range varchar(256),
 primary key (realm,ip_range)
 ); 
@@ -712,7 +712,7 @@ CREATE TABLE allowed_peer_ip (
 # Table holding "black" denied peer IP ranges.
 #
 CREATE TABLE denied_peer_ip (
- realm varchar(512) default '',
+ realm varchar(127) default '',
 ip_range varchar(256),
 primary key (realm,ip_range)
 );
@@ -723,8 +723,8 @@ CREATE TABLE denied_peer_ip (
 # then the default realm is used.
 #
 CREATE TABLE turn_origin_to_realm (
- origin varchar(512),
- realm varchar(512),
+ origin varchar(127),
+ realm varchar(127),
 primary key (origin,realm)
 );
@@ -734,7 +734,7 @@ CREATE TABLE turn_origin_to_realm (
 # Values for them are integers (in text form).
 #
 CREATE TABLE turn_realm_option (
- realm varchar(512) default '',
+ realm varchar(127) default '',
 opt varchar(32),
 value varchar(128),
 primary key (realm,opt)
@@ -753,7 +753,7 @@ CREATE TABLE oauth_key (
 auth_alg varchar(64) default '',
 auth_key varchar(256) default '',
 primary key (kid)
-);
+);
 The oauth_key table fields meanings are:
@@ -791,6 +791,17 @@ The oauth_key table fields meanings are:
 calculated with ikm_key and hkdf_hash_func. The auth_key length is defined by auth_alg.
+# Https access admin users.
+# Leave this table empty if you do not want
+# remote https access to the admin functions.
+#
+CREATE TABLE admin_user (
+ uname varchar(32),
+ realm varchar(127),
+ password varchar(127),
+ primary key (uname)
+);
 You can use turnadmin program to manage the database - you can either use turnadmin to add/modify/delete users, or you can use turnadmin to produce the hmac keys and modify the database with your favorite tools. 
diff --git a/examples/var/db/turndb b/examples/var/db/turndb index a71001bb82de43fe30558f6a3c98b511a0e16f1b..d122bb1c172b0f8cd214a4358a8a22c3406e6fc8 100644 GIT binary patch delta 352 zcmZozz}T>Xae}m<76Su=7!bn%_e33IMy-tr3%v!IL>O2Z0~nYjn4+1_G6pc--`Hr! zSl`Ga$S$s^$k>=%l9-f}nwXNCnHOJLoLYoni8=?lI)=C^gg83+xGEsT6*Nlo5_3}( z$`Xr`GZKq5jEyvP6pB(4b8_KAhDPQUll=@OrQlA9H$+$p@*K-%3BMPNJiI_A6Z0ho=7-FeHVcXzW47XDViD&RO-igx ztjbMH&y;0kk(HM%&Q2`K$;?a7%P%U)&`ZxR%gE19$w@6P<^t<~#lZZE`O9WOj~mPr V1K7kknZ+5w1~73m%W}f>0ss(5W>^3K delta 58 zcmZqJz}T>Wae}mn$3z`tM&*qO3%z-PLd;AO3``PC(adKzHgYj-mhgMQ F2mmS{3lIPR diff --git a/src/apps/relay/dbdrivers/dbd_redis.c b/src/apps/relay/dbdrivers/dbd_redis.c index eb54c940..030fbf13 100644 --- a/src/apps/relay/dbdrivers/dbd_redis.c +++ b/src/apps/relay/dbdrivers/dbd_redis.c @@ -533,8 +533,8 @@ static int redis_get_user_pwd(u08bits *usname, st_password_t pwd) { if (rget->type != REDIS_REPLY_NIL) TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "Unexpected type: %d\n", rget->type); } else { - strncpy((char*)pwd,rget->str,SHORT_TERM_PASSWORD_SIZE); - pwd[SHORT_TERM_PASSWORD_SIZE]=0; + strncpy((char*)pwd,rget->str,STUN_MAX_PWD_SIZE); + pwd[STUN_MAX_PWD_SIZE]=0; ret = 0; } turnFreeRedisReply(rget); diff --git a/src/apps/relay/dbdrivers/dbd_sqlite.c b/src/apps/relay/dbdrivers/dbd_sqlite.c index dff544d8..3339be74 100644 --- a/src/apps/relay/dbdrivers/dbd_sqlite.c +++ b/src/apps/relay/dbdrivers/dbd_sqlite.c 
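Review bot: The new `strncpy((char*)pwd,rget->str,STUN_MAX_PWD_SIZE)` still truncates silently, so a stored password longer than the new 127-byte limit (the old SHORT_TERM_PASSWORD_SIZE was 512) is accepted in cut-down form rather than rejected, and such over-long values can exist in any Redis database populated before this change. Checking the length first makes the lookup fail instead: `size_t plen = strlen(rget->str);` / `if (plen > STUN_MAX_PWD_SIZE) { TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "Password for user %s exceeds %d bytes\n", (char*)usname, STUN_MAX_PWD_SIZE); } else { memcpy(pwd, rget->str, plen + 1); ret = 0; }`, which leaves ret at whatever failure value it holds before this branch (its initialisation is outside the hunk). redis_get_user_pwd begins and ends outside the hunk, and NUL-termination of rget->str is assumed here exactly as the original strncpy already assumed it.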
@@ -148,14 +148,15 @@ static void fix_user_directory(char *dir0) {
 static void init_sqlite_database(sqlite3 *sqliteconnection) {
 const char * statements[] = {
- "CREATE TABLE turnusers_lt ( realm varchar(512) default '', name varchar(512), hmackey char(128), PRIMARY KEY (realm,name))",
- "CREATE TABLE turnusers_st (name varchar(512) PRIMARY KEY, password varchar(512))",
- "CREATE TABLE turn_secret (realm varchar(512) default '', value varchar(512), primary key (realm,value))",
- "CREATE TABLE allowed_peer_ip (realm varchar(512) default '', ip_range varchar(256), primary key (realm,ip_range))",
- "CREATE TABLE denied_peer_ip (realm varchar(512) default '', ip_range varchar(256), primary key (realm,ip_range))",
- "CREATE TABLE turn_origin_to_realm (origin varchar(512),realm varchar(512),primary key (origin))",
- "CREATE TABLE turn_realm_option (realm varchar(512) default '', opt varchar(32), value varchar(128), primary key (realm,opt))",
+ "CREATE TABLE turnusers_lt ( realm varchar(127) default '', name varchar(512), hmackey char(128), PRIMARY KEY (realm,name))",
+ "CREATE TABLE turnusers_st (name varchar(512) PRIMARY KEY, password varchar(127))",
+ "CREATE TABLE turn_secret (realm varchar(127) default '', value varchar(127), primary key (realm,value))",
+ "CREATE TABLE allowed_peer_ip (realm varchar(127) default '', ip_range varchar(256), primary key (realm,ip_range))",
+ "CREATE TABLE denied_peer_ip (realm varchar(127) default '', ip_range varchar(256), primary key (realm,ip_range))",
+ "CREATE TABLE turn_origin_to_realm (origin varchar(127),realm varchar(127),primary key (origin))",
+ "CREATE TABLE turn_realm_option (realm varchar(127) default '', opt varchar(32), value varchar(128), primary key (realm,opt))",
 "CREATE TABLE oauth_key (kid varchar(128),ikm_key varchar(256) default '',timestamp bigint default 0,lifetime integer default 0,hkdf_hash_func varchar(64) default '',as_rs_alg varchar(64) default '',as_rs_key varchar(256) default '',auth_alg varchar(64) 
default '',auth_key varchar(256) default '',primary key (kid))",
+ "CREATE TABLE admin_user (uname varchar(32), realm varchar(127), password varchar(127), primary key (uname))",
 NULL
 };
@@ -188,10 +189,12 @@ static sqlite3 * get_sqlite_connection(void) {
 sqliteconnection=NULL;
 }
 turn_params.default_users_db.userdb_type = TURN_USERDB_TYPE_UNKNOWN;
- } else if(!donot_print_connection_success){
+ } else {
 init_sqlite_database(sqliteconnection);
- TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO, "SQLite DB connection success: %s\n",pud->userdb);
- donot_print_connection_success = 1;
+ if(!donot_print_connection_success){
+ TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO, "SQLite DB connection success: %s\n",pud->userdb);
+ donot_print_connection_success = 1;
+ }
 }
 if(sqliteconnection) {
 (void) pthread_setspecific(connection_key, sqliteconnection);
diff --git a/src/apps/relay/userdb.h b/src/apps/relay/userdb.h
index 1d66a710..71dbbfe2 100644
--- a/src/apps/relay/userdb.h
+++ b/src/apps/relay/userdb.h
@@ -46,10 +46,6 @@ extern "C" {
 #endif
-//////////// Defines //////////////////////////////
-
-#define AUTH_SECRET_SIZE (512)
-
 //////////// REALM //////////////
 struct _realm_status_t;
diff --git a/src/client/ns_turn_msg.h b/src/client/ns_turn_msg.h
index 88d2e3d2..2b24231d 100644
--- a/src/client/ns_turn_msg.h
+++ b/src/client/ns_turn_msg.h
@@ -66,8 +66,7 @@ typedef u08bits hmackey_t[64];
 /**
 * Short-term credentials password
 */
-#define SHORT_TERM_PASSWORD_SIZE (512)
-typedef u08bits st_password_t[SHORT_TERM_PASSWORD_SIZE+1];
+typedef u08bits st_password_t[STUN_MAX_PWD_SIZE+1];
 typedef unsigned int band_limit_t;
 ///////////////////////////////////
diff --git a/src/client/ns_turn_msg_defs.h b/src/client/ns_turn_msg_defs.h
index cde11dd6..5e22c251 100644
--- a/src/client/ns_turn_msg_defs.h
+++ b/src/client/ns_turn_msg_defs.h
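Review bot: The new `admin_user` statement keeps the https admin password as a bare `password varchar(127)` column, and the fixtures in testsqldbsetup.sql, testmongosetup.sh and testredisdbsetup.sh write the literal passwords ('hoodless', 'magi') straight into it; the same layout is repeated in schema.sql, schema.mongo.sh and the INSTALL text. For credentials that gate remote admin functions a reader will expect a salted hash — turnusers_lt already avoids clear text by storing `hmackey` — or, if clear text is the intended first step, a comment saying so. A one-line note above the statement would record the decision: `/* admin_user.password is stored in clear text; restrict access to the database accordingly */`.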
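Review bot: `init_sqlite_database(sqliteconnection)` now runs on every successful open instead of only the first time the success message is printed, so on a database that already holds the tables each `CREATE TABLE` in the statements list from the hunk above will fail with a table-already-exists error. How init_sqlite_database treats a failing statement is not visible here (its body is outside the hunk), so whether that is harmless log noise or aborts the remaining statements cannot be told from the diff; the `pthread_setspecific` on the last context line suggests the connection is per thread, which would make the repeated call routine rather than rare. Using `CREATE TABLE IF NOT EXISTS ...` for every entry of statements[] makes the per-connection call idempotent whichever way errors are handled. get_sqlite_connection starts and ends outside the hunk.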
@@ -40,11 +40,12 @@
 #define STUN_HEADER_LENGTH (20)
 #define STUN_CHANNEL_HEADER_LENGTH (4)
-#define STUN_MAX_USERNAME_SIZE (513)
+#define STUN_MAX_USERNAME_SIZE (512)
 #define STUN_MAX_REALM_SIZE (127)
 #define STUN_MAX_NONCE_SIZE (127)
 #define STUN_MAX_SERVER_NAME_SIZE (1025)
 #define STUN_MAX_PWD_SIZE (127)
+#define AUTH_SECRET_SIZE STUN_MAX_PWD_SIZE
 #define STUN_MAGIC_COOKIE (0x2112A442)
diff --git a/turndb/schema.mongo.sh b/turndb/schema.mongo.sh
index 867dbb66..0edec9b0 100755
--- a/turndb/schema.mongo.sh
+++ b/turndb/schema.mongo.sh
@@ -9,6 +9,7 @@ db.turnusers_st.ensureIndex({ name: 1 }, { unique: 1 });
 db.turn_secret.ensureIndex({ realm: 1 }, { unique: 1 });
 db.realm.ensureIndex({ realm: 1 }, { unique: 1 });
 db.oauth_key.ensureIndex({ kid: 1 }, {unique: 1 });
+db.admin_user.ensureIndex({ uname: 1 }, {unique: 1 });
 exit
diff --git a/turndb/schema.sql b/turndb/schema.sql
index 9c452a0e..5a2396bb 100644
--- a/turndb/schema.sql
+++ b/turndb/schema.sql
@@ -1,6 +1,6 @@
 CREATE TABLE turnusers_lt (
- realm varchar(512) default '',
+ realm varchar(127) default '',
 name varchar(512),
 hmackey char(128),
 PRIMARY KEY (realm,name) 
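Review bot: `#define AUTH_SECRET_SIZE STUN_MAX_PWD_SIZE` shrinks the REST-API shared-secret limit from the 512 that userdb.h defined (removed in this commit) to 127, and `STUN_MAX_USERNAME_SIZE` moves from 513 to 512, while the commit title only mentions the new admin table. Together with `st_password_t` now being sized by STUN_MAX_PWD_SIZE in ns_turn_msg.h, every buffer and every varchar column that assumed 512 has to be re-checked; only dbd_redis.c and the SQL schemas are adjusted in this diff, and other database drivers are not visible here. Secrets or passwords longer than 127 bytes in an existing deployment will stop validating after the upgrade, which is worth a sentence in INSTALL. A comment next to the define would record the intent, e.g. `/* REST API secrets share the STUN password limit; DB password columns are varchar(127) to match */`.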
@@ -8,35 +8,35 @@ CREATE TABLE turnusers_lt (
 CREATE TABLE turnusers_st (
 name varchar(512) PRIMARY KEY,
- password varchar(512)
+ password varchar(127)
 );
 CREATE TABLE turn_secret (
- realm varchar(512) default '',
- value varchar(512),
+ realm varchar(127) default '',
+ value varchar(127),
 primary key (realm,value)
 );
 CREATE TABLE allowed_peer_ip (
- realm varchar(512) default '',
+ realm varchar(127) default '',
 ip_range varchar(256),
 primary key (realm,ip_range)
 );
 CREATE TABLE denied_peer_ip (
- realm varchar(512) default '',
+ realm varchar(127) default '',
 ip_range varchar(256),
 primary key (realm,ip_range)
 );
 CREATE TABLE turn_origin_to_realm (
- origin varchar(512),
- realm varchar(512),
+ origin varchar(127),
+ realm varchar(127),
 primary key (origin)
 );
 CREATE TABLE turn_realm_option (
- realm varchar(512) default '',
+ realm varchar(127) default '',
 opt varchar(32),
 value varchar(128),
 primary key (realm,opt)
@@ -54,3 +54,10 @@ CREATE TABLE oauth_key (
 auth_key varchar(256) default '',
 primary key (kid)
 );
+
+CREATE TABLE admin_user (
+ uname varchar(32),
+ realm varchar(127),
+ password varchar(127),
+ primary key (uname)
+);
diff --git a/turndb/schema.userdb.redis b/turndb/schema.userdb.redis
index 585c2986..fbc550c9 100644
--- a/turndb/schema.userdb.redis
+++ b/turndb/schema.userdb.redis
@@ -72,6 +72,12 @@ and they will be almost immediately "seen" by the turnserver process.
 auth_key - (optional) base64-encoded AUTH key. If not defined, then calculated with ikm_key and hkdf_hash_func. The auth_key length is defined by auth_alg.
+
+6) admin users (over https interface) are maintained as keys of form:
+"turn/realm//admin_user//password" with the password
+values (for the per-relam admin users), or as keys of form:
+"turn/admin_user//password" with password values - for the global
+admin users.
 II. Extra realms data in the database 
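Review bot: `primary key (uname)` on the new admin_user table makes admin names unique across all realms even though the table carries a `realm` column, so the per-realm admin `skarling` of north.gov blocks every other realm from having a `skarling`; the Redis layout in schema.userdb.redis keys per-realm admins under `turn/realm/north.gov/admin_user/skarling/password` and so permits that, which means the backends disagree (the Mongo index in schema.mongo.sh matches the SQL side). The fixtures also use `realm` = '' to mark a global admin, a convention stated nowhere in the schema or INSTALL. Either use `primary key (realm,uname)` as turnusers_lt does, or document the global-name rule and the empty-realm sentinel above the table, e.g. `-- realm '' marks a global admin; uname is unique across all realms`.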
@@ -104,7 +110,9 @@ This example sets user database for:
 * The realm performance parameters: "max_bps", "total_quota" and "user_quota" (same names as the turnserver configuration options, with the same meanings).
- * The oAuth data for the key with kid "north" and key value "carleon".
+ * The oAuth data for the key with kid "north" and key value "carleon".
+ * The admin user 'skarling', realm 'north.gov', with password 'hoodless';
+ * The global admin user 'bayaz' with password 'magi';
 The shell command would be:
@@ -131,6 +139,9 @@ set turn/user/gorst/password "hero"
 set turn/user/whirrun/password "sword"
 set turn/user/stranger-come-knocking/password "civilization"
+set turn/realm/north.gov/admin_user/skarling/password "hoodless"
+set turn/admin_user/bayaz/password "magi"
+
 set turn/realm/north.gov/max-bps 500000
 set turn/realm/north.gov/total-quota 12000
 set turn/realm/north.gov/user-quota 10000
diff --git a/turndb/testmongosetup.sh b/turndb/testmongosetup.sh
index 30538188..0d3f1078 100755
--- a/turndb/testmongosetup.sh
+++ b/turndb/testmongosetup.sh
@@ -23,6 +23,9 @@ db.turnusers_st.insert({ name: 'stranger-come-knocking', password: 'civilization
 db.turn_secret.insert({ realm: 'north.gov', value: 'logen' });
 db.turn_secret.insert({ realm: 'crinna.org', value: 'north' });
+db.admin_user.insert({ uname: 'skarling', realm: 'north.gov', password: 'hoodless' });
+db.admin_user.insert({ uname: 'bayaz', realm: '', password: 'magi' });
+
 db.realm.insert({
 realm: 'north.gov',
 options: {
diff --git a/turndb/testredisdbsetup.sh b/turndb/testredisdbsetup.sh
index fbc96622..5e2fb685 100755
--- a/turndb/testredisdbsetup.sh
+++ b/turndb/testredisdbsetup.sh
@@ -32,6 +32,9 @@ set turn/user/bethod/password "king-of-north"
 set turn/user/whirrun/password "sword"
 set turn/user/stranger-come-knocking/password "civilization"
+set turn/realm/north.gov/admin_user/skarling/password "hoodless"
+set turn/admin_user/bayaz/password "magi"
+
 set turn/realm/north.gov/max-bps 500000
 set turn/realm/north.gov/total-quota 12000
 set turn/realm/north.gov/user-quota 10000
diff --git a/turndb/testsqldbsetup.sql b/turndb/testsqldbsetup.sql
index 58d5eca0..e9aef977 100644
--- a/turndb/testsqldbsetup.sql
+++ b/turndb/testsqldbsetup.sql
@@ -12,6 +12,9 @@ insert into turnusers_st (name, password) values('stranger-come-knocking','civil
 insert into turn_secret (realm,value) values('north.gov','logen');
 insert into turn_secret (realm,value) values('crinna.org','north');
+insert into admin_user (uname, realm, password) values('skarling','north.gov','hoodless');
+insert into admin_user (uname, realm, password) values('bayaz','','magi');
+
 insert into turn_origin_to_realm (origin,realm) values('http://crinna.org:80','crinna.org');
 insert into turn_origin_to_realm (origin,realm) values('https://bligh.edu:443','crinna.org');