openvidu-server, deployment: Generate Coturn shared key instead of using OpenVidu Secret for better security. Remove unused COTURN_REDIS properties

openvidu-server/deployments/ce/docker-compose/docker-compose.yml

@@ -27,6 +27,7 @@ services:
         network_mode: host
         entrypoint: ['/usr/local/bin/entrypoint.sh']
         volumes:
+            - ./coturn:/run/secrets/coturn
             - /var/run/docker.sock:/var/run/docker.sock
             - ${OPENVIDU_RECORDING_PATH}:${OPENVIDU_RECORDING_PATH}
             - ${OPENVIDU_RECORDING_CUSTOM_LAYOUT}:${OPENVIDU_RECORDING_CUSTOM_LAYOUT}
@@ -37,8 +38,6 @@ services:
             - SERVER_SSL_ENABLED=false
             - SERVER_PORT=5443
             - KMS_URIS=["ws://localhost:8888/kurento"]
-            - COTURN_REDIS_IP=127.0.0.1
-            - COTURN_REDIS_PASSWORD=${OPENVIDU_SECRET}
             - COTURN_IP=${COTURN_IP:-auto-ipv4}
             - COTURN_PORT=${COTURN_PORT:-3478}
         logging:
@@ -69,17 +68,20 @@ services:
         image: openvidu/openvidu-coturn:7.0.0-dev1
         restart: on-failure
         network_mode: host
+        env_file:
+            - .env
+        volumes:
+            - ./coturn:/run/secrets/coturn
         command:
             - --log-file=stdout
             - --listening-port=${COTURN_PORT:-3478}
             - --fingerprint
-            - --lt-cred-mech
             - --min-port=${COTURN_MIN_PORT:-57001}
             - --max-port=${COTURN_MAX_PORT:-65535}
             - --realm=openvidu
             - --verbose
             - --use-auth-secret
-            - --static-auth-secret=${OPENVIDU_SECRET}
+            - --static-auth-secret=$${COTURN_SHARED_SECRET_KEY}
         logging:
             options:
                 max-size: "${DOCKER_LOGS_MAX_SIZE:-100M}"

openvidu-server/deployments/enterprise/master-node/docker-compose.yml

@@ -27,6 +27,7 @@ services:
         network_mode: host
         entrypoint: ['/usr/local/bin/entrypoint.sh']
         volumes:
+            - ./coturn:/run/secrets/coturn
             - /var/run/docker.sock:/var/run/docker.sock
             - ${OPENVIDU_RECORDING_PATH}:${OPENVIDU_RECORDING_PATH}
             - ${OPENVIDU_RECORDING_CUSTOM_LAYOUT}:${OPENVIDU_RECORDING_CUSTOM_LAYOUT}
@@ -42,8 +43,6 @@ services:
             - OPENVIDU_WEBHOOK=false
             - OPENVIDU_WEBHOOK_ENDPOINT=http://127.0.0.1:7777/webhook
             - MULTI_MASTER_REPLICATION_MANAGER_WEBHOOK=http://127.0.0.1:4443/openvidu/replication-manager-webhook?OPENVIDU_SECRET=${OPENVIDU_SECRET}
-            - COTURN_REDIS_IP=127.0.0.1
-            - COTURN_REDIS_PASSWORD=${OPENVIDU_SECRET}
             - COTURN_IP=${COTURN_IP:-auto-ipv4}
             - COTURN_PORT=${COTURN_PORT:-3478}
             - OPENVIDU_PRO_CLUSTER=true
@@ -89,18 +88,19 @@ services:
         network_mode: host
         env_file:
             - .env
+        volumes:
+            - ./coturn:/run/secrets/coturn
         command:
             - --log-file=stdout
             - --external-ip=$$(detect-external-ip)
             - --listening-port=${COTURN_PORT:-3478}
             - --fingerprint
-            - --lt-cred-mech
             - --min-port=${COTURN_MIN_PORT:-40000}
             - --max-port=${COTURN_MAX_PORT:-65535}
             - --realm=openvidu
             - --verbose
             - --use-auth-secret
-            - --static-auth-secret=${OPENVIDU_SECRET}
+            - --static-auth-secret=$${COTURN_SHARED_SECRET_KEY}
         logging:
             options:
                 max-size: "${DOCKER_LOGS_MAX_SIZE:-100M}"

openvidu-server/deployments/pro/docker-compose/openvidu-server-pro/docker-compose.yml

@@ -27,6 +27,7 @@ services:
         network_mode: host
         entrypoint: ['/usr/local/bin/entrypoint.sh']
         volumes:
+            - ./coturn:/run/secrets/coturn
             - /var/run/docker.sock:/var/run/docker.sock
             - ${OPENVIDU_RECORDING_PATH}:${OPENVIDU_RECORDING_PATH}
             - ${OPENVIDU_RECORDING_CUSTOM_LAYOUT}:${OPENVIDU_RECORDING_CUSTOM_LAYOUT}
@@ -39,8 +40,6 @@ services:
             - SERVER_SSL_ENABLED=false
             - SERVER_PORT=5443
             - KMS_URIS=[]
-            - COTURN_REDIS_IP=127.0.0.1
-            - COTURN_REDIS_PASSWORD=${OPENVIDU_SECRET}
             - COTURN_IP=${COTURN_IP:-auto-ipv4}
             - COTURN_PORT=${COTURN_PORT:-3478}
             - OPENVIDU_PRO_CLUSTER=true
@@ -58,18 +57,19 @@ services:
         network_mode: host
         env_file:
             - .env
+        volumes:
+            - ./coturn:/run/secrets/coturn
         command:
             - --log-file=stdout
             - --external-ip=$$(detect-external-ip)
             - --listening-port=${COTURN_PORT:-3478}
             - --fingerprint
-            - --lt-cred-mech
             - --min-port=${COTURN_MIN_PORT:-40000}
             - --max-port=${COTURN_MAX_PORT:-65535}
             - --realm=openvidu
             - --verbose
             - --use-auth-secret
-            - --static-auth-secret=${OPENVIDU_SECRET}
+            - --static-auth-secret=$${COTURN_SHARED_SECRET_KEY}
         logging:
             options:
                 max-size: "${DOCKER_LOGS_MAX_SIZE:-100M}"

openvidu-server/docker/openvidu-coturn/docker-entrypoint.sh

@@ -1,5 +1,21 @@
 #!/bin/sh
 
+# Get automatically generated secret by OpenVidu Server if COTURN_SHARED_SECRET_KEY is not defined
+if [ -z "${COTURN_SHARED_SECRET_KEY}" ]; then
+    # Check if random sahred key is generated and with value
+    if [ ! -f /run/secrets/coturn/shared-secret-key ]; then
+        echo "Error: shared-secret-key not found."
+        exit 1
+    fi
+
+    # Read value
+    export "$(grep -v '#' /run/secrets/coturn/shared-secret-key  | grep COTURN_SHARED_SECRET_KEY |
+        sed 's/\r$//' | awk '/=/ {print $1}')"
+
+fi
+
+echo "Defined COTURN_SHARED_SECRET_KEY: ${COTURN_SHARED_SECRET_KEY}"
+
 # If command starts with an option, prepend with turnserver binary.
 if [ "${1:0:1}" == '-' ]; then
   set -- turnserver "$@"

openvidu-server/docker/openvidu-server-pro/Dockerfile

@@ -17,6 +17,7 @@ RUN mkdir -p /opt/openvidu /usr/local/bin/
 COPY openvidu-server.jar /opt/openvidu/openvidu-server.jar
 COPY ./entrypoint.sh /usr/local/bin
 COPY ./discover_my_public_ip.sh /usr/local/bin
+COPY ./coturn-shared-key.template /usr/local
 
 RUN mkdir -p /opt/openvidu/recordings && \
     chmod +x /usr/local/bin/entrypoint.sh && \

openvidu-server/docker/openvidu-server-pro/create_image.sh

@@ -1,8 +1,11 @@
+#!/bin/bash
 VERSION=$1
 if [[ ! -z $VERSION ]]; then
     cp ../utils/discover_my_public_ip.sh ./discover_my_public_ip.sh
+    cp ../utils/coturn-shared-key.template ./coturn-shared-key.template
     docker build --pull --no-cache --rm=true -t openvidu/openvidu-server-pro:$VERSION .
     rm ./discover_my_public_ip.sh
+    rm ./coturn-shared-key.template
 else
     echo "Error: You need to specify a version as first argument"
 fi

openvidu-server/docker/openvidu-server-pro/entrypoint.sh

@@ -1,5 +1,19 @@
 #!/bin/bash
 
+# Generate Coturn shared secret key, if COTURN_SHARED_SECRET_KEY is not defined
+if [[ -z "${COTURN_SHARED_SECRET_KEY}" ]]; then
+    # Check if random sahred key is generated and with value
+    if [[ ! -f /run/secrets/coturn/shared-secret-key ]]; then
+        RANDOM_COTURN_SECRET="$(tr -dc A-Za-z0-9 </dev/urandom | head -c 35 ; echo '')"
+        sed "s|{{COTURN_SHARED_SECRET_KEY}}|${RANDOM_COTURN_SECRET}|g" \
+            /usr/local/coturn-shared-key.template > /run/secrets/coturn/shared-secret-key
+    fi
+
+    # Read value
+    export "$(grep -v '#' /run/secrets/coturn/shared-secret-key  | grep COTURN_SHARED_SECRET_KEY |
+        sed 's/\r$//' | awk '/=/ {print $1}')"
+fi
+
 # Wait for kibana
 if [ ! -z "${WAIT_KIBANA_URL}" ]; then
   printf "\n"

openvidu-server/docker/openvidu-server/Dockerfile

@@ -13,6 +13,7 @@ RUN apt-get update && apt-get install -y \
 COPY openvidu-server.jar /
 COPY ./entrypoint.sh /usr/local/bin
 COPY ./discover_my_public_ip.sh /usr/local/bin
+COPY ./coturn-shared-key.template /usr/local
 RUN chmod +x /usr/local/bin/entrypoint.sh && \
     chmod +x /usr/local/bin/discover_my_public_ip.sh
 

openvidu-server/docker/openvidu-server/create_image.sh

@@ -1,12 +1,15 @@
+#!/bin/bash
 VERSION=$1
 if [[ ! -z $VERSION ]]; then
     cp ../../target/openvidu-server-*.jar ./openvidu-server.jar
     cp ../utils/discover_my_public_ip.sh ./discover_my_public_ip.sh
+    cp ../utils/coturn-shared-key.template ./coturn-shared-key.template
 
     docker build --pull --no-cache --rm=true -t openvidu/openvidu-server:$VERSION .
 
     rm ./openvidu-server.jar
     rm ./discover_my_public_ip.sh
+    rm ./coturn-shared-key.template
 else
     echo "Error: You need to specify a version as first argument"
 fi

openvidu-server/docker/openvidu-server/entrypoint.sh

@@ -6,6 +6,20 @@ printf "\n  =       LAUNCH OPENVIDU-SERVER        ="
 printf "\n  ======================================="
 printf "\n"
 
+# Generate Coturn shared secret key, if COTURN_SHARED_SECRET_KEY is not defined
+if [[ -z "${COTURN_SHARED_SECRET_KEY}" ]]; then
+    # Check if random sahred key is generated and with value
+    if [[ ! -f /run/secrets/coturn/shared-secret-key ]]; then
+        RANDOM_COTURN_SECRET="$(tr -dc A-Za-z0-9 </dev/urandom | head -c 35 ; echo '')"
+        sed "s|{{COTURN_SHARED_SECRET_KEY}}|${RANDOM_COTURN_SECRET}|g" \
+            /usr/local/coturn-shared-key.template > /run/secrets/coturn/shared-secret-key
+    fi
+
+    # Read value
+    export "$(grep -v '#' /run/secrets/coturn/shared-secret-key  | grep COTURN_SHARED_SECRET_KEY |
+        sed 's/\r$//' | awk '/=/ {print $1}')"
+fi
+
 # Get coturn public ip
 [[ -z "${COTURN_IP}" ]] && export COTURN_IP=auto-ipv4
 if [[ "${COTURN_IP}" == "auto-ipv4" ]]; then

openvidu-server/docker/utils/coturn-shared-key.template

@@ -0,0 +1,17 @@
+# ------------------------------------------------------------------------------
+#
+#    This file was genereated automatically
+#
+#    The value of COTURN_SHARED_SECRET_KEY is generated randomly and represents shared key
+#    by Coturn and OpenVidu Server to generate users for TURN server dinamically.
+#
+#
+#    Read more about it:
+#       - https://tools.ietf.org/html/draft-uberti-behave-turn-rest-00
+#       - https://www.ietf.org/proceedings/87/slides/slides-87-behave-10.pdf
+#
+#   If you want to change this value, you can change the value in this file or define COTURN_SHARED_SECRET_KEY
+#   at the .env file of OpenVidu Server deployment
+#
+# ------------------------------------------------------------------------------
+COTURN_SHARED_SECRET_KEY={{COTURN_SHARED_SECRET_KEY}}

openvidu-server/src/main/java/io/openvidu/server/config/OpenviduConfig.java

@@ -163,7 +163,7 @@ public class OpenviduConfig {
 
 	private int coturnPort;
 
-	private String coturnRedisIp;
+	private String coturnSharedSecretKey;
 
 	// If true, coturn relay ips will come with the private IP of the machine
 	private boolean coturnInternalRelay;
@@ -188,12 +188,6 @@ public class OpenviduConfig {
 
 	private String openviduRecordingComposedUrl;
 
-	private String coturnRedisDbname;
-
-	private String coturnRedisPassword;
-
-	private String coturnRedisConnectTimeout;
-
 	private String certificateType;
 
 	protected int openviduSessionsGarbageInterval;
@@ -228,14 +222,6 @@ public class OpenviduConfig {
 
 	// Plain config properties getters
 
-	public String getCoturnDatabaseDbname() {
-		return this.coturnRedisDbname;
-	}
-
-	public String getCoturnDatabasePassword() {
-		return this.coturnRedisPassword;
-	}
-
 	public boolean isCoturnUsingInternalRelay() {
 		return this.coturnInternalRelay;
 	}
@@ -356,6 +342,10 @@ public class OpenviduConfig {
 		return this.coturnPort;
 	}
 
+	public String getCoturnSharedSecretKey() {
+		return this.coturnSharedSecretKey;
+	}
+
 	public RecordingNotification getOpenViduRecordingNotification() {
 		return this.openviduRecordingNotification;
 	}
@@ -447,11 +437,6 @@ public class OpenviduConfig {
 		return secret.equals(this.getOpenViduSecret());
 	}
 
-	public String getCoturnDatabaseString() {
-		return "\"ip=" + this.coturnRedisIp + " dbname=" + this.coturnRedisDbname + " password="
-				+ this.coturnRedisPassword + " connect_timeout=" + this.coturnRedisConnectTimeout + "\"";
-	}
-
 	public boolean openviduRecordingCustomLayoutChanged(String path) {
 		return !"/opt/openvidu/custom-layout".equals(path);
 	}
@@ -560,9 +545,8 @@ public class OpenviduConfig {
 	}
 
 	protected List<String> getNonUserProperties() {
-		return Arrays.asList("server.port", "SERVER_PORT", "DOTENV_PATH", "COTURN_IP", "COTURN_PORT", "COTURN_REDIS_IP",
+		return Arrays.asList("server.port", "SERVER_PORT", "DOTENV_PATH", "COTURN_IP", "COTURN_PORT",
-				"COTURN_REDIS_DBNAME", "COTURN_REDIS_PASSWORD", "COTURN_REDIS_CONNECT_TIMEOUT", "COTURN_INTERNAL_RELAY",
+				"COTURN_INTERNAL_RELAY", "COTURN_SHARED_SECRET_KEY", "OPENVIDU_RECORDING_IMAGE", "OPENVIDU_RECORDING_ENABLE_GPU");
-				"OPENVIDU_RECORDING_IMAGE", "OPENVIDU_RECORDING_ENABLE_GPU");
 	}
 
 	protected List<String> getNonPrintablePropertiesIfEmpty() {
@@ -582,12 +566,6 @@ public class OpenviduConfig {
 		checkDomainOrPublicIp();
 		populateSpringServerPort();
 
-		coturnRedisDbname = getValue("COTURN_REDIS_DBNAME");
-
-		coturnRedisPassword = getValue("COTURN_REDIS_PASSWORD");
-
-		coturnRedisConnectTimeout = getValue("COTURN_REDIS_CONNECT_TIMEOUT");
-
 		// If true, coturn is using private IPs as relay IPs to enable relay connections
 		// pass through internal network
 		coturnInternalRelay = asBoolean("COTURN_INTERNAL_RELAY");
@@ -595,6 +573,15 @@ public class OpenviduConfig {
 		openviduSecret = asNonEmptyAlphanumericString("OPENVIDU_SECRET",
 				"Cannot be empty and must contain only alphanumeric characters [a-zA-Z0-9], hypens (\"-\") and underscores (\"_\")");
 
+		// Read coturn shared key
+		coturnSharedSecretKey = asOptionalString("COTURN_SHARED_SECRET_KEY");
+		if (coturnSharedSecretKey == null || coturnSharedSecretKey.isEmpty()) {
+			log.warn("COTURN_SHARED_SECRET_KEY is not defined. Using OPENVIDU_SECRET");
+			this.coturnSharedSecretKey = this.openviduSecret;
+		} else {
+			log.info("COTURN_SHARED_SECRET_KEY used to generate TURN users: {}", this.coturnSharedSecretKey);
+		}
+
 		openviduCdr = asBoolean("OPENVIDU_CDR");
 		openviduCdrPath = openviduCdr ? asWritableFileSystemPath("OPENVIDU_CDR_PATH")
 				: asFileSystemPath("OPENVIDU_CDR_PATH");
@@ -633,8 +620,6 @@ public class OpenviduConfig {
 
 		checkCoturnPort();
 
-		coturnRedisIp = asOptionalInetAddress("COTURN_REDIS_IP");
-
 		checkWebhook();
 
 		checkCertificateType();

openvidu-server/src/main/java/io/openvidu/server/coturn/CoturnCredentialsService.java

@@ -37,7 +37,7 @@ public class CoturnCredentialsService {
     public TurnCredentials createUser() {
         IceServerProperties iceServerProperties = new IceServerProperties.Builder()
                 .ignoreEmptyUrl(true)
-                .staticAuthSecret(openviduConfig.getOpenViduSecret())
+                .staticAuthSecret(openviduConfig.getCoturnSharedSecretKey())
                 .build();
         return new TurnCredentials(iceServerProperties.getUsername(), iceServerProperties.getCredential());
     }

openvidu-server/src/main/resources/META-INF/additional-spring-configuration-metadata.json

@@ -182,30 +182,6 @@
 			"type": "java.lang.String",
 			"description": "Coturn IP of a deployed coturn server"
 		},
-		{
-			"name": "COTURN_REDIS_IP",
-			"type": "java.lang.String",
-			"description": "Redis IP where OpenVidu Server should connect to store TURN credentials",
-			"defaultValue": "127.0.0.1"
-		},
-		{
-			"name": "COTURN_REDIS_DBNAME",
-			"type": "java.lang.String",
-			"description": "Redis database where to store TURN credentials",
-			"defaultValue": "0"
-		},
-		{
-			"name": "COTURN_REDIS_PASSWORD",
-			"type": "java.lang.String",
-			"description": "Password to connect OpenVidu Server to Redis database to store TURN credentials",
-			"defaultValue": "turn"
-		},
-		{
-			"name": "COTURN_REDIS_CONNECT_TIMEOUT",
-			"type": "java.lang.Integer",
-			"description": "Timeout in seconds when OpenVidu Server is connecting to Redis database to store TURN credentials",
-			"defaultValue": 30
-		},
 		{
 			"name": "CERTIFICATE_TYPE",
 			"type": "java.lang.String",
@@ -221,6 +197,11 @@
 			"type": "java.lang.String",
 			"description": "If true, coturn is returning the private IP on relayed candidates. This can be useful to know which candidates must be sent when MEDIA_NODES_PUBLIC_IPS is defined"
 		},
+		{
+			"name": "COTURN_SHARED_SECRET_KEY",
+			"type": "java.lang.String",
+			"description": "If defined, COTURN_SHARED_SECRET_KEY will be used to generate TURN valid users. The same secret should be configured at 'static-auth-secret' to be valid. If empty, OpenVidu Secret is used. (For security, in official deployments for CE/PRO/ENTERPRISE a random string is generated)"
+		},
 		{
 			"name": "jsonRpcClientWebSocket.reconnectionDelay",
 			"type": "java.lang.Integer",

openvidu-server/src/main/resources/application.properties

@@ -48,10 +48,6 @@ OPENVIDU_STREAMS_ALLOW_TRANSCODING=false
 OPENVIDU_SESSIONS_GARBAGE_INTERVAL=900
 OPENVIDU_SESSIONS_GARBAGE_THRESHOLD=3600
 
-COTURN_REDIS_IP=127.0.0.1
-COTURN_REDIS_DBNAME=0
-COTURN_REDIS_PASSWORD=turn
-COTURN_REDIS_CONNECT_TIMEOUT=30
 COTURN_INTERNAL_RELAY=false
 COTURN_PORT=3478
 MEDIA_NODES_PUBLIC_IPS=[]

openvidu-server/src/test/resources/integration-test.properties

@@ -41,8 +41,3 @@ OPENVIDU_STREAMS_ALLOW_TRANSCODING=false
 
 OPENVIDU_SESSIONS_GARBAGE_INTERVAL=900
 OPENVIDU_SESSIONS_GARBAGE_THRESHOLD=3600
-
-COTURN_REDIS_IP=127.0.0.1
-COTURN_REDIS_DBNAME=0
-COTURN_REDIS_PASSWORD=turn
-COTURN_REDIS_CONNECT_TIMEOUT=30