Skip to content

Commit

Permalink
add option to skip TLS verification for outgoing matrix client connec…
Browse files Browse the repository at this point in the history
…tions (element-hq#18)

* add option to skip TLS verification for outgoing matrix client connections

* linting

* cleanup log line

Co-authored-by: Andrew Ferrazzutti <af_0_af@hotmail.com>

* simplify branch

Co-authored-by: Andrew Ferrazzutti <af_0_af@hotmail.com>

---------

Co-authored-by: Andrew Ferrazzutti <af_0_af@hotmail.com>
  • Loading branch information
fkwp and AndrewFerr authored Apr 27, 2024
1 parent d644762 commit 4a29504
Show file tree
Hide file tree
Showing 2 changed files with 24 additions and 5 deletions.
6 changes: 5 additions & 1 deletion README.md
Original file line number Diff line number Diff line change
Expand Up @@ -10,4 +10,8 @@ To start the service locally:
$ LIVEKIT_URL="ws://somewhere" LIVEKIT_KEY=devkey LIVEKIT_SECRET=secret go run *.go
```

The listening port is configurable via the `LK_JWT_PORT` environment variable.
The listening port is configurable via the `LK_JWT_PORT` environment variable and defaults to 8080.

## Disable TLS verification

For testing and debugging (e.g., in the absence of trusted certificates while testing in a lab) you can disable TLS verification for outgoing matrix client connection by setting the environment variable `LIVEKIT_INSECURE_SKIP_VERIFY_TLS` to `YES_I_KNOW_WHAT_I_AM_DOING`.
23 changes: 19 additions & 4 deletions main.go
Original file line number Diff line number Diff line change
Expand Up @@ -35,6 +35,7 @@ import (

type Handler struct {
key, secret, lk_url string
skipVerifyTLS bool
}

type OpenIDTokenType struct {
Expand All @@ -55,13 +56,17 @@ type SFUResponse struct {
}

func exchangeOIDCToken(
ctx context.Context, token OpenIDTokenType,
ctx context.Context, token OpenIDTokenType, skipVerifyTLS bool,
) (*fclient.UserInfo, error) {
if token.AccessToken == "" || token.MatrixServerName == "" {
return nil, errors.New("Missing parameters in OIDC token")
}

client := fclient.NewClient(fclient.WithWellKnownSRVLookups(true))
if skipVerifyTLS {
log.Printf("!!! WARNING !!! Skipping TLS verification for matrix client connection to %s", token.MatrixServerName)
}
client := fclient.NewClient(fclient.WithWellKnownSRVLookups(true), fclient.WithSkipVerify(skipVerifyTLS))

// validate the openid token by getting the user's ID
userinfo, err := client.LookupUserInfo(
ctx, spec.ServerName(token.MatrixServerName), token.AccessToken,
Expand Down Expand Up @@ -125,7 +130,7 @@ func (h *Handler) handle(w http.ResponseWriter, r *http.Request) {
return
}

userInfo, err := exchangeOIDCToken(r.Context(), body.OpenIDToken)
userInfo, err := exchangeOIDCToken(r.Context(), body.OpenIDToken, h.skipVerifyTLS)
if err != nil {
w.WriteHeader(http.StatusInternalServerError)
err = json.NewEncoder(w).Encode(gomatrix.RespError{
Expand Down Expand Up @@ -166,6 +171,15 @@ func (h *Handler) handle(w http.ResponseWriter, r *http.Request) {
}

func main() {
skipVerifyTLS := os.Getenv("LIVEKIT_INSECURE_SKIP_VERIFY_TLS") == "YES_I_KNOW_WHAT_I_AM_DOING"
if skipVerifyTLS {
log.Printf("!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!")
log.Printf("!!! WARNING !!! LIVEKIT_INSECURE_SKIP_VERIFY_TLS !!! WARNING !!!")
log.Printf("!!! WARNING !!! Allow to skip invalid TLS certificates !!! WARNING !!!")
log.Printf("!!! WARNING !!! Use only for testing or debugging !!! WARNING !!!")
log.Println("!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!")
}

key := os.Getenv("LIVEKIT_KEY")
secret := os.Getenv("LIVEKIT_SECRET")
lk_url := os.Getenv("LIVEKIT_URL")
Expand All @@ -180,12 +194,13 @@ func main() {
lk_jwt_port = "8080"
}

log.Printf("LIVEKIT_KEY: %s and LIVEKIT_SECRET %s, LIVEKIT_URL %s", key, secret, lk_url)
log.Printf("LIVEKIT_KEY: %s, LIVEKIT_SECRET: %s, LIVEKIT_URL: %s, LK_JWT_PORT: %s", key, secret, lk_url, lk_jwt_port)

handler := &Handler{
key: key,
secret: secret,
lk_url: lk_url,
skipVerifyTLS: skipVerifyTLS,
}

http.HandleFunc("/sfu/get", handler.handle)
Expand Down

0 comments on commit 4a29504

Please sign in to comment.