new turn_admin table

INSTALL

@@ -669,7 +669,7 @@ The schema description:
 # Table for long-term credentials mechanism authorization:
 #
 CREATE TABLE turnusers_lt (
-    realm varchar(512) default '',
+    realm varchar(127) default '',
     name varchar(512),
     hmackey char(128),
     PRIMARY KEY (realm,name)
@@ -688,7 +688,7 @@ or 64 characters (HEX representation of 32 bytes) for SHA256.
 #
 CREATE TABLE turnusers_st (
     name varchar(512) PRIMARY KEY,
-    password varchar(512)
+    password varchar(127)
 );
 
 # Table holding shared secrets for secret-based authorization
@@ -696,15 +696,15 @@ CREATE TABLE turnusers_st (
 # mechanism:
 #
 CREATE TABLE turn_secret (
-	realm varchar(512) default '',
+	realm varchar(127) default '',
-    value varchar(512),
+    value varchar(127),
 	primary key (realm,value)
 );
 
 # Table holding "white" allowed peer IP ranges.
 #
 CREATE TABLE allowed_peer_ip (
-	realm varchar(512) default '',
+	realm varchar(127) default '',
 	ip_range varchar(256),
 	primary key (realm,ip_range)
 );
@@ -712,7 +712,7 @@ CREATE TABLE allowed_peer_ip (
 # Table holding "black" denied peer IP ranges.
 #
 CREATE TABLE denied_peer_ip (
-	realm varchar(512) default '',
+	realm varchar(127) default '',
 	ip_range varchar(256),
 	primary key (realm,ip_range)
 );
@@ -723,8 +723,8 @@ CREATE TABLE denied_peer_ip (
 # then the default realm is used.
 #
 CREATE TABLE turn_origin_to_realm (
-	origin varchar(512),
+	origin varchar(127),
-	realm varchar(512),
+	realm varchar(127),
 	primary key (origin,realm)
 );
 
@@ -734,7 +734,7 @@ CREATE TABLE turn_origin_to_realm (
 # Values for them are integers (in text form).
 #
 CREATE TABLE turn_realm_option (
-	realm varchar(512) default '',
+	realm varchar(127) default '',
 	opt varchar(32),
 	value varchar(128),
 	primary key (realm,opt)
@@ -791,6 +791,17 @@ The oauth_key table fields meanings are:
 		calculated with ikm_key and hkdf_hash_func. The auth_key length 
 		is defined by auth_alg.
 
+# Https access admin users.
+# Leave this table empty if you do not want 
+# remote https access to the admin functions.
+#
+CREATE TABLE admin_user (
+	uname varchar(32),
+	realm varchar(127),
+	password varchar(127),
+	primary key (uname)
+);
+
 You can use turnadmin program to manage the database - you can either use 
 turnadmin to add/modify/delete users, or you can use turnadmin to produce 
 the hmac keys and modify the database with your favorite tools.

src/apps/relay/dbdrivers/dbd_redis.c

@@ -533,8 +533,8 @@ static int redis_get_user_pwd(u08bits *usname, st_password_t pwd) {
 				if (rget->type != REDIS_REPLY_NIL)
 					TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "Unexpected type: %d\n", rget->type);
 			} else {
-				strncpy((char*)pwd,rget->str,SHORT_TERM_PASSWORD_SIZE);
+				strncpy((char*)pwd,rget->str,STUN_MAX_PWD_SIZE);
-				pwd[SHORT_TERM_PASSWORD_SIZE]=0;
+				pwd[STUN_MAX_PWD_SIZE]=0;
 				ret = 0;
 			}
 			turnFreeRedisReply(rget);

src/apps/relay/dbdrivers/dbd_sqlite.c

@@ -148,14 +148,15 @@ static void fix_user_directory(char *dir0) {
 static void init_sqlite_database(sqlite3 *sqliteconnection) {
 
 	const char * statements[] = {
-		"CREATE TABLE turnusers_lt ( realm varchar(512) default '', name varchar(512), hmackey char(128), PRIMARY KEY (realm,name))",
+		"CREATE TABLE turnusers_lt ( realm varchar(127) default '', name varchar(512), hmackey char(128), PRIMARY KEY (realm,name))",
-		"CREATE TABLE turnusers_st (name varchar(512) PRIMARY KEY, password varchar(512))",
+		"CREATE TABLE turnusers_st (name varchar(512) PRIMARY KEY, password varchar(127))",
-		"CREATE TABLE turn_secret (realm varchar(512) default '', value varchar(512), primary key (realm,value))",
+		"CREATE TABLE turn_secret (realm varchar(127) default '', value varchar(127), primary key (realm,value))",
-		"CREATE TABLE allowed_peer_ip (realm varchar(512) default '', ip_range varchar(256), primary key (realm,ip_range))",
+		"CREATE TABLE allowed_peer_ip (realm varchar(127) default '', ip_range varchar(256), primary key (realm,ip_range))",
-		"CREATE TABLE denied_peer_ip (realm varchar(512) default '', ip_range varchar(256), primary key (realm,ip_range))",
+		"CREATE TABLE denied_peer_ip (realm varchar(127) default '', ip_range varchar(256), primary key (realm,ip_range))",
-		"CREATE TABLE turn_origin_to_realm (origin varchar(512),realm varchar(512),primary key (origin))",
+		"CREATE TABLE turn_origin_to_realm (origin varchar(127),realm varchar(127),primary key (origin))",
-		"CREATE TABLE turn_realm_option (realm varchar(512) default '',	opt varchar(32),	value varchar(128),	primary key (realm,opt))",
+		"CREATE TABLE turn_realm_option (realm varchar(127) default '',	opt varchar(32),	value varchar(128),	primary key (realm,opt))",
 		"CREATE TABLE oauth_key (kid varchar(128),ikm_key varchar(256) default '',timestamp bigint default 0,lifetime integer default 0,hkdf_hash_func varchar(64) default '',as_rs_alg varchar(64) default '',as_rs_key varchar(256) default '',auth_alg varchar(64) default '',auth_key varchar(256) default '',primary key (kid))",
+		"CREATE TABLE admin_user (uname varchar(32), realm varchar(127), password varchar(127), primary key (uname))",
 		NULL
 	};
 
@@ -188,11 +189,13 @@ static sqlite3 * get_sqlite_connection(void) {
 				sqliteconnection=NULL;
 			}
 			turn_params.default_users_db.userdb_type = TURN_USERDB_TYPE_UNKNOWN;
-		} else if(!donot_print_connection_success){
+		} else {
 			init_sqlite_database(sqliteconnection);
+			if(!donot_print_connection_success){
 				TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO, "SQLite DB connection success: %s\n",pud->userdb);
 				donot_print_connection_success = 1;
 			}
+		}
 		if(sqliteconnection) {
 			(void) pthread_setspecific(connection_key, sqliteconnection);
 		}

src/apps/relay/userdb.h

@@ -46,10 +46,6 @@
 extern "C" {
 #endif
 
-//////////// Defines //////////////////////////////
-
-#define AUTH_SECRET_SIZE (512)
-
 //////////// REALM //////////////
 
 struct _realm_status_t;

src/client/ns_turn_msg.h

@@ -66,8 +66,7 @@ typedef u08bits hmackey_t[64];
 /**
  * Short-term credentials password
  */
-#define SHORT_TERM_PASSWORD_SIZE (512)
+typedef u08bits st_password_t[STUN_MAX_PWD_SIZE+1];
-typedef u08bits st_password_t[SHORT_TERM_PASSWORD_SIZE+1];
 typedef unsigned int band_limit_t;
 
 ///////////////////////////////////

src/client/ns_turn_msg_defs.h

@@ -40,11 +40,12 @@
 #define STUN_HEADER_LENGTH (20)
 #define STUN_CHANNEL_HEADER_LENGTH (4)
 
-#define STUN_MAX_USERNAME_SIZE (513)
+#define STUN_MAX_USERNAME_SIZE (512)
 #define STUN_MAX_REALM_SIZE (127)
 #define STUN_MAX_NONCE_SIZE (127)
 #define STUN_MAX_SERVER_NAME_SIZE (1025)
 #define STUN_MAX_PWD_SIZE (127)
+#define AUTH_SECRET_SIZE STUN_MAX_PWD_SIZE
 
 #define STUN_MAGIC_COOKIE (0x2112A442)
 

turndb/schema.mongo.sh

@@ -9,6 +9,7 @@ db.turnusers_st.ensureIndex({ name: 1 }, { unique: 1 });
 db.turn_secret.ensureIndex({ realm: 1 }, { unique: 1 });
 db.realm.ensureIndex({ realm: 1 }, { unique: 1 });
 db.oauth_key.ensureIndex({ kid: 1 }, {unique: 1 });
+db.admin_user.ensureIndex({ uname: 1 }, {unique: 1 });
 
 exit
 

turndb/schema.sql

@@ -1,6 +1,6 @@
 
 CREATE TABLE turnusers_lt (
-    realm varchar(512) default '',
+    realm varchar(127) default '',
     name varchar(512),
     hmackey char(128),
     PRIMARY KEY (realm,name)
@@ -8,35 +8,35 @@ CREATE TABLE turnusers_lt (
 
 CREATE TABLE turnusers_st (
     name varchar(512) PRIMARY KEY,
-    password varchar(512)
+    password varchar(127)
 );
 
 CREATE TABLE turn_secret (
-	realm varchar(512) default '',
+	realm varchar(127) default '',
-    value varchar(512),
+    value varchar(127),
 	primary key (realm,value)
 );
 
 CREATE TABLE allowed_peer_ip (
-	realm varchar(512) default '',
+	realm varchar(127) default '',
 	ip_range varchar(256),
 	primary key (realm,ip_range)
 );
 
 CREATE TABLE denied_peer_ip (
-	realm varchar(512) default '',
+	realm varchar(127) default '',
 	ip_range varchar(256),
 	primary key (realm,ip_range)
 );
 
 CREATE TABLE turn_origin_to_realm (
-	origin varchar(512),
+	origin varchar(127),
-	realm varchar(512),
+	realm varchar(127),
 	primary key (origin)
 );
 
 CREATE TABLE turn_realm_option (
-	realm varchar(512) default '',
+	realm varchar(127) default '',
 	opt varchar(32),
 	value varchar(128),
 	primary key (realm,opt)
@@ -54,3 +54,10 @@ CREATE TABLE oauth_key (
 	auth_key varchar(256) default '',
 	primary key (kid)
 );
+
+CREATE TABLE admin_user (
+	uname varchar(32),
+	realm varchar(127),
+	password varchar(127),
+	primary key (uname)
+);

turndb/schema.userdb.redis

@@ -73,6 +73,12 @@ and they will be almost immediately "seen" by the turnserver process.
 		calculated with ikm_key and hkdf_hash_func. The auth_key length 
 		is defined by auth_alg.
 		
+6) admin users (over https interface) are maintained as keys of form:
+"turn/realm/<realm-name>/admin_user/<username>/password" with the password 
+values (for the per-relam admin users), or as keys of form:
+"turn/admin_user/<username>/password" with password values - for the global
+admin users.
+
 II. Extra realms data in the database
 
 We can use more than one realm with the same instance of the TURN server.
@@ -105,6 +111,8 @@ This example sets user database for:
   	"total_quota" and "user_quota" (same names as the turnserver 
   	configuration options, with the same meanings).
   * The oAuth data for the key with kid "north" and key value "carleon".
+  * The admin user 'skarling', realm 'north.gov', with password 'hoodless';
+  * The global admin user 'bayaz' with password 'magi';  
   
 The shell command would be:
 
@@ -131,6 +139,9 @@ set turn/user/gorst/password "hero"
 set turn/user/whirrun/password "sword"
 set turn/user/stranger-come-knocking/password "civilization"
 
+set turn/realm/north.gov/admin_user/skarling/password "hoodless"
+set turn/admin_user/bayaz/password "magi"
+
 set turn/realm/north.gov/max-bps 500000
 set turn/realm/north.gov/total-quota 12000
 set turn/realm/north.gov/user-quota 10000

turndb/testmongosetup.sh

@@ -23,6 +23,9 @@ db.turnusers_st.insert({ name: 'stranger-come-knocking', password: 'civilization
 db.turn_secret.insert({ realm: 'north.gov', value: 'logen' });
 db.turn_secret.insert({ realm: 'crinna.org', value: 'north' });
 
+db.admin_user.insert({ uname: 'skarling', realm: 'north.gov', password: 'hoodless' });
+db.admin_user.insert({ uname: 'bayaz', realm: '', password: 'magi' });
+
 db.realm.insert({
   realm: 'north.gov',
   options: {

turndb/testredisdbsetup.sh

@@ -32,6 +32,9 @@ set turn/user/bethod/password "king-of-north"
 set turn/user/whirrun/password "sword"
 set turn/user/stranger-come-knocking/password "civilization"
 
+set turn/realm/north.gov/admin_user/skarling/password "hoodless"
+set turn/admin_user/bayaz/password "magi"
+
 set turn/realm/north.gov/max-bps 500000
 set turn/realm/north.gov/total-quota 12000
 set turn/realm/north.gov/user-quota 10000

turndb/testsqldbsetup.sql

@@ -12,6 +12,9 @@ insert into turnusers_st (name, password) values('stranger-come-knocking','civil
 insert into turn_secret (realm,value) values('north.gov','logen');
 insert into turn_secret (realm,value) values('crinna.org','north');
 
+insert into admin_user (uname, realm, password) values('skarling','north.gov','hoodless');
+insert into admin_user (uname, realm, password) values('bayaz','','magi');
+
 insert into turn_origin_to_realm (origin,realm) values('http://crinna.org:80','crinna.org');
 insert into turn_origin_to_realm (origin,realm) values('https://bligh.edu:443','crinna.org');